FINAL-MS Security Baseline Windows Server 2022

General Information
This workbook displays all available Group Policy settings for Windows Server 2022 and the corresp
Microsoft-recommended configuration of those settings for well-managed enterprise systems.
Settings contained are as of Build 20348.169
Last modified: September 6, 2021
Legend:
Delta between Member Server and Domain Controller
Setting that should be removed for non-Domain joined systems
Note:
All the settings are present in the Windows group policy and security template editors, except for L
Guide and MSS (Legacy). LAPS can be downloaded with the LAPS solution from
https://www.microsoft.com/en-us/download/details.aspx?id=46899. The MS Security Guide and
be implemented using a custom ADMX that is included with this security guidance
General Information
plays all available Group Policy settings for Windows Server 2022 and the corresponding
mended configuration of those settings for well-managed enterprise systems.
Settings contained are as of Build 20348.169
Last modified: September 6, 2021
Legend:
etween Member Server and Domain Controller
that should be removed for non-Domain joined systems
Note:
e present in the Windows group policy and security template editors, except for LAPS, MS Security
Guide and MSS (Legacy). LAPS can be downloaded with the LAPS solution from
rosoft.com/en-us/download/details.aspx?id=46899. The MS Security Guide and MSS (Legacy) can
be implemented using a custom ADMX that is included with this security guidance.
Policy Path Policy Setting Name
Account Lockout Account lockout duration
Account Lockout Account lockout threshold
Account Lockout Reset account lockout counter after
Audit Policy Audit account logon events
Audit Policy Audit account management
Audit Policy Audit directory service access
Audit Policy Audit logon events
Audit Policy Audit object access
Audit Policy Audit policy change
Audit Policy Audit privilege use
Audit Policy Audit process tracking
Audit Policy Audit system events
Event Log Maximum application log size
Event Log Maximum security log size
Event Log Maximum system log size
Event Log Prevent local guests group from accessing application log
Event Log Prevent local guests group from accessing security log
Event Log Prevent local guests group from accessing system log
Event Log Retain application log
Event Log Retain security log
Event Log Retain system log
Event Log Retention method for application log
Event Log Retention method for security log
Event Log Retention method for system log
Kerberos Policy Enforce user logon restrictions
Kerberos Policy Maximum lifetime for service ticket
Kerberos Policy Maximum lifetime for user ticket
Kerberos Policy Maximum lifetime for user ticket renewal
Kerberos Policy Maximum tolerance for computer clock synchronization
Password Policy Enforce password history
Password Policy Maximum password age
Password Policy Minimum password age
Password Policy Minimum password length
Password Policy Minimum password length audit
Password Policy Password must meet complexity requirements
Password Policy Relax minimum password length limits
Password Policy Store passwords using reversible encryption
Security Options Accounts: Administrator account status
Security Options Accounts: Block Microsoft accounts
Security Options Accounts: Guest account status
Security Options Accounts: Limit local account use of blank passwords to console logon only
Security Options Accounts: Rename administrator account
Security Options Accounts: Rename guest account
Security Options Audit: Audit the access of global system objects
Security Options Audit: Audit the use of Backup and Restore privilege
Security Options Audit: Force audit policy subcategory settings (Windows Vista or later) to overrid
Security Options Audit: Shut down system immediately if unable to log security audits
Security Options DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
Security Options DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Security Options Devices: Allow undock without having to log on
Security Options Devices: Allowed to format and eject removable media
Security Options Devices: Prevent users from installing printer drivers
Security Options Devices: Restrict CD-ROM access to locally logged-on user only
Security Options Devices: Restrict floppy access to locally logged-on user only
Security Options Domain controller: Allow server operators to schedule tasks
Security Options Domain controller: Allow vulnerable Netlogon secure channel connections
Security Options Domain controller: LDAP server channel binding token requirements
Security Options Domain controller: LDAP server signing requirements
Security Options Domain controller: Refuse machine account password changes
Security Options Domain member: Digitally encrypt or sign secure channel data (always)
Security Options Domain member: Digitally encrypt secure channel data (when possible)
Security Options Domain member: Digitally sign secure channel data (when possible)
Security Options Domain member: Disable machine account password changes
Security Options Domain member: Maximum machine account password age
Security Options Domain member: Require strong (Windows 2000 or later) session key
Security Options Interactive logon: Display user information when the session is locked
Security Options Interactive logon: Do not require CTRL+ALT+DEL
Security Options Interactive logon: Don't display last signed-in
Security Options Interactive logon: Don't display username at sign-in
Security Options Interactive logon: Machine account lockout threshold
Security Options Interactive logon: Machine inactivity limit
Security Options Interactive logon: Message text for users attempting to log on
Security Options Interactive logon: Message title for users attempting to log on
Security Options Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Security Options Interactive logon: Prompt user to change password before expiration
Security Options Interactive logon: Require Domain Controller authentication to unlock workstation
Security Options Interactive logon: Require Windows Hello for Business or smart card
Security Options Interactive logon: Smart card removal behavior
Security Options Microsoft network client: Digitally sign communications (always)
Security Options Microsoft network client: Digitally sign communications (if server agrees)
Security Options Microsoft network client: Send unencrypted password to third-party SMB server
Security Options Microsoft network server: Amount of idle time required before suspending session
Security Options Microsoft network server: Attempt S4U2Self to obtain claim information
Security Options Microsoft network server: Digitally sign communications (always)
Security Options Microsoft network server: Digitally sign communications (if client agrees)
Security Options Microsoft network server: Disconnect clients when logon hours expire
Security Options Microsoft network server: Server SPN target name validation level
Security Options Network access: Allow anonymous SID/Name translation
Security Options Network access: Do not allow anonymous enumeration of SAM accounts
Security Options Network access: Do not allow anonymous enumeration of SAM accounts and sha
Security Options Network access: Do not allow storage of passwords and credentials for network authentication
Security Options Network access: Let Everyone permissions apply to anonymous users
Security Options Network access: Named Pipes that can be accessed anonymously
Security Options Network access: Remotely accessible registry paths
Security Options Network access: Remotely accessible registry paths and sub-paths
Security Options Network access: Restrict anonymous access to Named Pipes and Shares
Security Options Network access: Restrict clients allowed to make remote calls to SAM
Security Options Network access: Shares that can be accessed anonymously
Security Options Network access: Sharing and security model for local accounts
Security Options Network security: Allow Local System to use computer identity for NTLM
Security Options Network security: Allow LocalSystem NULL session fallback
Security Options Network security: Allow PKU2U authentication requests to this computer to use online identities.
Security Options Network security: Configure encryption types allowed for Kerberos
Security Options Network security: Do not store LAN Manager hash value on next password chan
Security Options Network security: Force logoff when logon hours expire
Security Options Network security: LAN Manager authentication level
Security Options Network security: LDAP client signing requirements
Security Options Network security: Minimum session security for NTLM SSP based (including secur
Security Options Network security: Minimum session security for NTLM SSP based (including secur
Security Options Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Security Options Network security: Restrict NTLM: Add server exceptions in this domain
Security Options Network security: Restrict NTLM: Audit Incoming NTLM Traffic
Security Options Network security: Restrict NTLM: Audit NTLM authentication in this domain
Security Options Network security: Restrict NTLM: Incoming NTLM traffic
Security Options Network security: Restrict NTLM: NTLM authentication in this domain
Security Options Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Security Options Recovery console: Allow automatic administrative logon
Security Options Recovery console: Allow floppy copy and access to all drives and all folders
Security Options Shutdown: Allow system to be shut down without having to log on
Security Options Shutdown: Clear virtual memory pagefile
Security Options System cryptography: Force strong key protection for user keys stored on the computer
Security Options System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
Security Options System objects: Require case insensitivity for non-Windows subsystems
Security Options System objects: Strengthen default permissions of internal system objects (e.g. S
Security Options System settings: Optional subsystems
Security Options System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
Security Options User Account Control: Admin Approval Mode for the Built-in Administrator acco
Security Options User Account Control: Allow UIAccess applications to prompt for elevation without using the secu
Security Options User Account Control: Behavior of the elevation prompt for administrators in
Security Options User Account Control: Behavior of the elevation prompt for standard users
Security Options User Account Control: Detect application installations and prompt for elevation
Security Options User Account Control: Only elevate executables that are signed and validated
Security Options User Account Control: Only elevate UIAccess applications that are installed in se
Security Options User Account Control: Run all administrators in Admin Approval Mode
Security Options User Account Control: Switch to the secure desktop when prompting for elevation
Security Options User Account Control: Virtualize file and registry write failures to per-user locati
User Rights Assignments Access Credential Manager as a trusted caller
User Rights Assignments Access this computer from the network
User Rights Assignments Act as part of the operating system
User Rights Assignments Add workstations to domain
User Rights Assignments Adjust memory quotas for a process
User Rights Assignments Allow log on locally
User Rights Assignments Allow log on through Remote Desktop Services
User Rights Assignments Back up files and directories
User Rights Assignments Bypass traverse checking
User Rights Assignments Change the system time
User Rights Assignments Change the time zone
User Rights Assignments Create a pagefile
User Rights Assignments Create a token object
User Rights Assignments Create global objects
User Rights Assignments Create permanent shared objects
User Rights Assignments Create symbolic links
User Rights Assignments Debug programs
User Rights Assignments Deny access to this computer from the network
User Rights Assignments Deny log on as a batch job
User Rights Assignments Deny log on as a service
User Rights Assignments Deny log on locally
User Rights Assignments Deny log on through Remote Desktop Services
User Rights Assignments Enable computer and user accounts to be trusted for delegation
User Rights Assignments Force shutdown from a remote system
User Rights Assignments Generate security audits
User Rights Assignments Impersonate a client after authentication
User Rights Assignments Increase a process working set
User Rights Assignments Increase scheduling priority
User Rights Assignments Load and unload device drivers
User Rights Assignments Lock pages in memory
User Rights Assignments Log on as a batch job
User Rights Assignments Log on as a service
User Rights Assignments Manage auditing and security log
User Rights Assignments Modify an object label
User Rights Assignments Modify firmware environment values
User Rights Assignments Obtain an impersonation token for another user in the same session
User Rights Assignments Perform volume maintenance tasks
User Rights Assignments Profile single process
User Rights Assignments Profile system performance
User Rights Assignments Remove computer from docking station
User Rights Assignments Replace a process level token
User Rights Assignments Restore files and directories
User Rights Assignments Shut down the system
User Rights Assignments Synchronize directory service data
User Rights Assignments Take ownership of files or other objects
Member Server Domain Controller
15 15
10 10
15 15
24 24
14 14
Enabled Enabled
Disabled Disabled
Enabled Enabled
Enabled Enabled
Language (SDDL) syntax
Language (SDDL) syntax
Always
Require signing
Enabled Enabled
Enabled Enabled
Enabled Enabled
Disabled
30 30
Enabled Enabled
900 900
in controller is not available)
k workstation
Lock Workstation Lock Workstation

Enabled Enabled
Disabled Disabled
ending session
Enabled Enabled
Disabled Disabled
Enabled Enabled
Enabled Enabled
or network authentication
Enabled Enabled
O:BAG:BAD:(A;;RC;;;BA)
Disabled Disabled
uter to use online identities.
Enabled Enabled
Send NTLMv2 Responses onlySend NTLMv2 Responses only, Refuse LM and

Negotiate Signing Negotiate Signing
Require NTLMv2 session secur
Require NTLMv2 session security, Require 128b
Require NTLMv2 session secur
Require NTLMv2 session security, Require 128b
NTLM authentication
d on the computer
hashing, and signing
Enabled Enabled
oftware Restriction Policies

Enabled Enabled
vation without using the secure desktop
Prompt for consent on the sePrompt for consent on the secure desktop
Automatically deny elevationAutomatically deny elevation requests
Enabled Enabled
Enabled Enabled
Enabled Enabled
for elevation
Enabled Enabled
No One (blank) No One (blank)
Authenticated Users, AdminisAuthenticated Users, Administrators, ENTE
Administrators Administrators
Administrators
Administrators, LOCAL SERV Administrators, LOCAL SERVICE, NETWORK SER
NT AUTHORITY\Local account and member of Administrators group
NT AUTHORITY\Local Account
No One (blank) Administrators
Administrators, SERVICE, LocaAdministrators, SERVICE, Local Service, Networ
Administrators
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
Default: 0.
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
Default: Success.
Default: on
Success Nodomain
auditing.
controllers.
No auditing on member servers.
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up a
Success on domain controllers.
No auditing on member servers.
Default: Enabled
Default: Enabled for
for Windows
Windows XP,
XP, Disabled
Disabled for
for Windows
Windows 2000
2000
Default: Enabled for Windows XP, Disabled for Windows 2000
Default: None.
Default: None.
Default: Enabled.
Default: 600 minutes (10 hours).
Default: 10 hours.
Default: 7 days.
Default:
Note: By5default,
minutes.
member computers follow the configuration of their domain controllers.
To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were jus
Default: 42.
Note: By default, member computers follow the configuration of their domain controllers.
Note: By default,
For more member
information computers follow the configuration of their domain controllers.
see https://go.microsoft.com/fwlink/?LinkId=2097191.
Note: By default, member computers follow the configuration of their domain controllers.
For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.
Default: Disabled.
Default: Disabled.
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts i
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
Default: Administrator.
Default: Disabled.
Default: Disabled
This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections
This policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU.
When the Create Vulnerable Connections list (allow list) is configured:
- Given allow permission, the domain controller will allow accounts to use a Netlogon secure channel without secure RPC.
Domain controller:
- Given Allow server
deny permission, operators
the domain to schedule
controller tasks accounts to use a Netlogon secure channel with secure RPC whi
will require
This security
setting
Warning! setting
does
Enabling notdetermines
thisaffect willifexpose
Server Operators
Administrators.
policy are allowed
your domain-joined to submit
devices and canjobsexpose
by means
yourofActive
the ATDirectory
scheduleforest
facility.
to risk. This
account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring account
Note: This security setting only affects the AT schedule facility; it does not affect the Task Scheduler facility.
Default:
Default: This
This policy
policy is
is not
not defined,
configured.which
No means thatorthe
machines system
trust treats
accounts areit explicitly
as disabled.
exempt from secure RPC with Netlogon secu
This policy is supported on at least Windows Server 2008 R2.
Notes: The When Supported option only protects those clients that do support Extended Protection for Authentication; clients
This security setting should not be enabled. Computer account passwords are used to establish secure channel communication
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you want
Interactive Logon: Display user information when session is locked
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please
Default: not enforced.
Default: No message.
Default: No message.
Default: 25
On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
Default: Disabled.
Default: Automatic.
All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affe
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
Note: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure t
Network access: Restrict clients allowed to make remote calls to SAM

This policy will have no impact on computers running Windows 2000.
When the computer is not joined to a domain, this setting also modifies the Sharing and Security tabs in Windows Explorer to
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
The default is TRUE up to Windows Vista and FALSE in Windows 7.
This policy will be turned off by default on domain joined machines. This would disallow the online identities to be able to auth
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Windows Server 2003: Send NTLM response only

Windows Vista and Windows Server 2008: Send NTLMv2 response only
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used b
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used b
Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Mi
Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Mi
Note: Block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Mi
Note: Block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Mi
Note: Audit and block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Servic
Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptograph
Default: Disabled
If you plan to enable this setting, you should also review the effect of the "User Account Control: Behavior of the elevation pro
This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned
Everyone
Pre-Windows 2000 Compatible Access
Default: None.
This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
Default: Administrators, Users
Network Service
Service
Default:
Note None.
This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to c
Default: Administrators
Default: Guest
Default: None.
Default: None.
This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
On workstations on domain
and servers: controllers.
Administrators.
On domain controllers:
Default: Local Service Administrators, Server Operators.
Network Service.
If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
Warning: Increasing the working set size for a process decreases the amount of physical memory available to the rest of the sy
Default: Administrators.
Administrators
Print Operators
Default:
Default: None.
Administrators
Backup Operators.
Default setting: None.
Default: None
If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
Default: Administrators, Power users.
Default: Administrators, Power Users, Users

Default: Network
Workstations and Service,
servers:Local Service. Backup Operators.
Administrators,
Domain controllers: Administrators, Backup Operators, Server Operators.
Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.
Defaults: None.
Registry Information
Account Lockout Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Event Log security settings are not registry keys.
Kerberos Policy security settings are not registry keys.
Password Policy security settings are not registry keys.
MACHINE\System\CurrentControlSet\Control\SAM\MinimumPasswordLengthAudit
MACHINE\System\CurrentControlSet\Control\SAM\RelaxMinimumPasswordLengthLimits
Not a registry key
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
Not a registry key
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction
MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System, value=DontDisplayLockedUserId
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayUserName
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableS4U2SelfForClaims
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SmbServerNameHardeningLevel
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest
MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ClientAllowedNTLMServers
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
User Rights security settings are not registry keys

Note:
Note: This
This setting
setting does
does not
not appear
appear in
in the
the Local
Local Computer
Computer Policy
Policy object.
object.
Important: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility informatio
Note:
Notes:This
Thissetting
settingdoes
doesnot
notappear
appearininthe
theLocal
LocalComputer
ComputerPolicy
Policyobject.
object.
This security
This security setting
setting affects
affects only
only computers
computers running
running Windows
Windows 2000,
2000, Windows
Windows Server
Server 2003,
2003, and
and Windows
Windows XP.
XP.
A user must possess the Manage auditing and security log user right
Note: This setting does not appear in the Local Computer Policy object. to acces
This security
Notes: settingdoes
This setting affects
notonly computers
appear running
in the Local Windows
Computer 2000,
Policy Windows Server 2003, and Windows XP.
object.
A user must possess the Manage auditing and security log user right to access the security log.
Notes: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is requi
For the policy change to take effect, the spooler service needs to be stopped/restarted, but the system does not have to be re
Restart of service might be sufficient
Important: In order to take advantage of this policy on member workstations and servers, all domain controllers that constitut
In order to take advantage of this policy on doma
Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manage
Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manage
Important: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security se
Only LogOff is required for W2K, XP and W2K3 computers. In Vista, start/restart the scpolicysvc will work or LogOff
Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled
Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled
Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions"
Important: The Network access: Remotely accessible registry paths security setting that appears on computers running Windo
Important: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you config
This policy setting allows you to restrict remote rpc connections to SAM. If not selected, the default security descriptor will be
Important: This setting only affects computers running Windows XP Professional which are not joined to a domain.
This policy will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descr
Important: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Wind
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Pr
Important: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Window
Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setti
Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setti
Require restart of recovery console

Require restart of recovery console
Requires logoff
Vista does NOT require reboot
Requires reboot with CNG on Vista; Does not require reboot with CAPI on Vista; Does not require reboot on XP, 2003 with CAP
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Note: In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family, t
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Policy Path Policy Setting Name Member Server
Account Logon Audit Credential Validation Success and Failure
Account Logon Audit Kerberos Authentication Service
Account Logon Audit Kerberos Service Ticket Operations
Account Logon Audit Other Account Logon Events
Account Management Audit Application Group Management
Account Management Audit Computer Account Management
Account Management Audit Distribution Group Management
Account Management Audit Other Account Management Events
Account Management Audit Security Group Management Success
Account Management Audit User Account Management Success and Failure
Detailed Tracking Audit DPAPI Activity
Detailed Tracking Audit PNP Activity Success
Detailed Tracking Audit Process Creation Success
Detailed Tracking Audit Process Termination
Detailed Tracking Audit RPC Events
Detailed Tracking Audit Token Right Adjusted
DS Access Audit Detailed Directory Service Replication
DS Access Audit Directory Service Access
DS Access Audit Directory Service Changes
DS Access Audit Directory Service Replication
Global Object Access Auditing File system
Global Object Access Auditing Registry
Logon/Logoff Audit Account Lockout Failure
Logon/Logoff Audit Group Membership Success
Logon/Logoff Audit IPsec Extended Mode
Logon/Logoff Audit IPsec Main Mode
Logon/Logoff Audit IPsec Quick Mode
Logon/Logoff Audit Logoff
Logon/Logoff Audit Logon Success and Failure
Logon/Logoff Audit Network Policy Server
Logon/Logoff Audit Other Logon/Logoff Events Success and Failure
Logon/Logoff Audit Special Logon Success
Logon/Logoff Audit User / Device Claims
Object Access Audit Application Generated
Object Access Audit Central Access Policy Staging
Object Access Audit Certification Services
Object Access Audit Detailed File Share Failure
Object Access Audit File Share Success and Failure
Object Access Audit File System
Object Access Audit Filtering Platform Connection
Object Access Audit Filtering Platform Packet Drop
Object Access Audit Handle Manipulation
Object Access Audit Kernel Object
Object Access Audit Other Object Access Events Success and Failure
Object Access Audit Registry
Object Access Audit Removable Storage Success and Failure
Object Access Audit SAM
Policy Change Audit Audit Policy Change Success
Policy Change Audit Authentication Policy Change Success
Policy Change Audit Authorization Policy Change
Policy Change Audit Filtering Platform Policy Change
Policy Change Audit MPSSVC Rule-Level Policy Change Success and Failure
Policy Change Audit Other Policy Change Events Failure
Privilege Use Audit Non Sensitive Privilege Use
Privilege Use Audit Other Privilege Use Events
Privilege Use Audit Sensitive Privilege Use Success and Failure
System Audit IPsec Driver
System Audit Other System Events Success and Failure
System Audit Security State Change Success
System Audit Security System Extension Success
System Audit System Integrity Success and Failure
Domain Controller
Failure
Success and Failure
Failure
Success
Success
Success
Success and Failure
Success
Success
Failure
Success
Failure
Success
Success and Failure
Success and Failure

Success
Failure
Success and Failure
Success and Failure
Success and Failure

Success
Success
Success and Failure

Failure
Success and Failure
Success and Failure

Success
Success
Success and Failure
Policy Path Policy Setting Name Member Server
Domain Profile\State Firewall State On
Domain Profile\State Inbound Connections Block
Domain Profile\State Outbound Connections Allow
Domain Profile\State Protected network connections
Domain Profile\Settings Display a notification
Domain Profile\Settings Allow unicast response
Domain Profile\Settings Apply local firewall rules
Domain Profile\Settings Apply local connection security rules
Domain Profile\Logging Name
Domain Profile\Logging Size limit
Domain Profile\Logging Log dropped packets
Domain Profile\Logging Log successful connections
Private Profile\State Firewall State On
Private Profile\State Inbound Connections Block
Private Profile\State Outbound Connections Allow
Private Profile\State Protected network connections
Private Profile\Settings Display a notification
Private Profile\Settings Allow unicast response
Private Profile\Settings Apply local firewall rules
Private Profile\Settings Apply local connection security rules
Private Profile\Logging Name
Private Profile\Logging Size limit
Private Profile\Logging Log dropped packets
Private Profile\Logging Log successful connections
Public Profile\State Firewall State On
Public Profile\State Inbound Connections Block
Public Profile\State Outbound Connections Allow
Public Profile\State Protected network connections
Public Profile\Settings Display a notification
Public Profile\Settings Allow unicast response
Public Profile\Settings Apply local firewall rules
Public Profile\Settings Apply local connection security rules
Public Profile\Logging Name
Public Profile\Logging Size limit
Public Profile\Logging Log dropped packets
Public Profile\Logging Log successful connections
IPSec Settings\Ipsec defaults Key exchange
IPSec Settings\Ipsec defaults Data protection
IPSec Settings\Ipsec defaults Authentication method
IPSec Settings\Ipsec exemptions Exempt ICMP from Ipsec
IPSec Settings Ipsec tunnel authorization
Domain Controller
On
Block
Allow
On
Block
Allow
On
Block
Allow
Policy Path
Control Panel
Control Panel
Control Panel\Personalization
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options\Handwriting personalization
Control Panel\User Accounts
LAPS
LAPS
LAPS
LAPS
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
Network
Network\Background Intelligent Transfer Service (BITS)
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\DirectAccess Client Experience Settings
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\Fonts
Network\Hotspot Authentication
Network\Lanman Server
Network\Lanman Workstation
Network\Link-Layer Topology Discovery
Network\Link-Layer Topology Discovery
Network\Microsoft Peer-to-Peer Networking Services
Network\Microsoft Peer-to-Peer Networking Services
Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Global Clouds
Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Link-Local Clouds
Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds
Network\Network Connections
Network\Network Connections\Windows Defender Firewall
Network\Network Connections\Windows Defender Firewall\Domain Profile
Network\Network Connections\Windows Defender Firewall\Standard Profile
Network\Network Connectivity Status Indicator
Network\Network Isolation
Network\Network Provider
Network\Offline Files
Network\QoS Packet Scheduler
Network\QoS Packet Scheduler\DSCP value of conforming packets
Network\QoS Packet Scheduler\DSCP value of non-conforming packets
Network\QoS Packet Scheduler\Layer-2 priority value
Network\SNMP
Network\SNMP
Network\SNMP
Network\SSL Configuration Settings
Network\SSL Configuration Settings
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\Parameters
Network\TCPIP Settings\Parameters
Network\Windows Connect Now
Network\Windows Connection Manager
Network\Wireless Display
Network\Wireless Display
Network\WLAN Service\WLAN Media Cost
Network\WLAN Service\WLAN Settings
Network\WWAN Service\Cellular Data Access
Network\WWAN Service\WWAN Media Cost
Network\WWAN Service\WWAN Media Cost
Network\WWAN Service\WWAN UI Settings
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Start Menu and Taskbar
Start Menu and Taskbar\Notifications
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System\Access-Denied Assistance
System\Access-Denied Assistance
System\App-V
System\App-V\CEIP
System\App-V\Client Coexistence
System\App-V\Integration
System\App-V\PackageManagement
System\App-V\PowerManagement
System\App-V\Publishing
System\App-V\Reporting
System\App-V\Scripting
System\App-V\Streaming
System\App-V\Virtualization
System\App-V\Virtualization
System\Audit Process Creation
System\Credentials Delegation
System\Device Guard
System\Device Guard
System\Device Health Attestation Service
System\Device Installation
System\Device Installation\Device Installation Restrictions
System\Disk NV Cache
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Display
System\Display
System\Display
System\Distributed COM\Application Compatibility Settings
System\Distributed COM\Application Compatibility Settings
System\Driver Installation
System\Early Launch Antimalware
System\Enhanced Storage Access
System\File Classification Infrastructure
System\File Classification Infrastructure
System\File Share Shadow Copy Provider
System\Filesystem
System\Filesystem
System\Filesystem
System\Filesystem\NTFS
System\Folder Redirection
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy\Logging and tracing
System\Internet Communication Management
System\Internet Communication Management\Internet Communication settings
System\iSCSI\General iSCSI
System\iSCSI\General iSCSI
System\iSCSI\iSCSI Security
System\iSCSI\iSCSI Target Discovery
System\KDC
System\KDC
System\KDC
System\KDC
System\KDC
System\KDC
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kernel DMA Protection
System\Locale Services
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Mitigation Options
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon\DC Locator DNS Records
System\OS Policies
System\OS Policies
System\OS Policies
System\OS Policies
System\OS Policies
System\PIN Complexity
System\Power Management
System\Power Management\Button Settings
System\Power Management\Energy Saver Settings
System\Power Management\Energy Saver Settings
System\Power Management\Hard Disk Settings
System\Power Management\Hard Disk Settings
System\Power Management\Notification Settings
System\Power Management\Power Throttling Settings
System\Power Management\Sleep Settings
System\Power Management\Video and Display Settings
System\Recovery
System\Remote Assistance
System\Remote Procedure Call
System\Removable Storage Access
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Security Account Manager
System\Server Manager
System\Service Control Manager Settings\Security Settings
System\Shutdown
System\Shutdown Options
System\Storage Health
System\Storage Sense
System\System Restore
System\System Restore
System\Troubleshooting and Diagnostics
System\Troubleshooting and Diagnostics
System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics
System\Troubleshooting and Diagnostics\Corrupted File Recovery
System\Troubleshooting and Diagnostics\Disk Diagnostic
System\Troubleshooting and Diagnostics\Disk Diagnostic
System\Troubleshooting and Diagnostics\Fault Tolerant Heap
System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool
System\Troubleshooting and Diagnostics\MSI Corrupted File Recovery
System\Troubleshooting and Diagnostics\Scheduled Maintenance
System\Troubleshooting and Diagnostics\Scripted Diagnostics
System\Troubleshooting and Diagnostics\Windows Boot Performance Diagnostics
System\Troubleshooting and Diagnostics\Windows Memory Leak Diagnosis
System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution
System\Troubleshooting and Diagnostics\Windows Shutdown Performance Diagnostics
System\Troubleshooting and Diagnostics\Windows Standby/Resume Performance Diagnostics
System\Troubleshooting and Diagnostics\Windows System Responsiveness Performance Diagnostics
System\Trusted Platform Module Services
System\User Profiles
System\Windows File Protection
System\Windows Time Service
System\Windows Time Service\Time Providers
Windows Components\ActiveX Installer Service
Windows Components\ActiveX Installer Service
Windows Components\Add features to Windows 10
Windows Components\App Package Deployment
Windows Components\App Privacy
Windows Components\App runtime
Windows Components\Application Compatibility
Windows Components\AutoPlay Policies
Windows Components\Backup\Server
Windows Components\Biometrics
Windows Components\Biometrics\Facial Features
Windows Components\BitLocker Drive Encryption
Windows Components\BitLocker Drive Encryption\Fixed Data Drives
Windows Components\BitLocker Drive Encryption\Operating System Drives
Windows Components\BitLocker Drive Encryption\Removable Data Drives
Windows Components\Camera
Windows Components\Cloud Content
Windows Components\Connect
Windows Components\Connect
Windows Components\Credential User Interface
Windows Components\Data Collection and Preview Builds
Windows Components\Delivery Optimization
Windows Components\Desktop Gadgets
Windows Components\Desktop Window Manager
Windows Components\Desktop Window Manager\Window Frame Coloring
Windows Components\Device and Driver Compatibility
Windows Components\Device and Driver Compatibility
Windows Components\Device Registration
Windows Components\Digital Locker
Windows Components\Edge UI
Windows Components\Event Forwarding
Windows Components\Event Forwarding
Windows Components\Event Log Service\Application
Windows Components\Event Log Service\Security
Windows Components\Event Log Service\Setup
Windows Components\Event Log Service\System
Windows Components\Event Logging
Windows Components\Event Viewer
Windows Components\File Explorer

Windows Components\File Explorer\Previous Versions
Windows Components\File History
Windows Components\Find My Device
Windows Components\Handwriting
Windows Components\HomeGroup
Windows Components\Internet Explorer
Windows Components\Internet Explorer\Accelerators
Windows Components\Internet Explorer\Application Compatibility\Clipboard access
Windows Components\Internet Explorer\Browser menus
Windows Components\Internet Explorer\Compatibility View
Windows Components\Internet Explorer\Corporate Settings\Code Download
Windows Components\Internet Explorer\Delete Browsing History
Windows Components\Internet Explorer\Internet Control Panel
Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Windows Components\Internet Explorer\Internet Control Panel\Content Page
Windows Components\Internet Explorer\Internet Control Panel\General Page
Windows Components\Internet Explorer\Internet Control Panel\General Page\Browsing History
Windows Components\Internet Explorer\Internet Control Panel\Security Page
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
Windows Components\Internet Explorer\Internet Settings
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Multimedia
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Searching
Windows Components\Internet Explorer\Internet Settings\AutoComplete
Windows Components\Internet Explorer\Internet Settings\Component Updates\Help Menu > About Internet Explorer
Windows Components\Internet Explorer\Internet Settings\Component Updates\Periodic check for updates to Internet Explor
Windows Components\Internet Explorer\Internet Settings\Component Updates\Periodic check for updates to Internet Explor
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Security Features
Windows Components\Internet Explorer\Security Features\Add-on Management
Windows Components\Internet Explorer\Security Features\AJAX
Windows Components\Internet Explorer\Security Features\Binary Behavior Security Restriction
Windows Components\Internet Explorer\Security Features\Consistent Mime Handling

Windows Components\Internet Explorer\Security Features\Local Machine Zone Lockdown Security
Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature

Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction

Windows Components\Internet Explorer\Security Features\Network Protocol Lockdown
Windows Components\Internet Explorer\Security Features\Network Protocol Lockdown\Restricted Protocols Per Security Z
Windows Components\Internet Explorer\Security Features\Notification bar

Windows Components\Internet Explorer\Security Features\Object Caching Protection
Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation

Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install

Windows Components\Internet Explorer\Security Features\Restrict File Download

Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions
Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Information Services
Windows Components\Location and Sensors
Windows Components\Location and Sensors\Windows Location Provider
Windows Components\Maintenance Scheduler
Windows Components\Maps
Windows Components\Maps
Windows Components\MDM
Windows Components\MDM
Windows Components\Messaging
Windows Components\Microsoft account
Windows Components\Microsoft Defender Antivirus
Windows Components\Microsoft Defender Antivirus\Client Interface
Windows Components\Microsoft Defender Antivirus\Exclusions
Windows Components\Microsoft Defender Antivirus\MAPS
Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction

Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction
Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access
Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection
Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection
Windows Components\Microsoft Defender Antivirus\MpEngine
Windows Components\Microsoft Defender Antivirus\Network Inspection System
Windows Components\Microsoft Defender Antivirus\Quarantine
Windows Components\Microsoft Defender Antivirus\Quarantine
Windows Components\Microsoft Defender Antivirus\Real-time Protection
Windows Components\Microsoft Defender Antivirus\Remediation
Windows Components\Microsoft Defender Antivirus\Reporting
Windows Components\Microsoft Defender Antivirus\Scan
Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates
Windows Components\Microsoft Defender Antivirus\Threats
Windows Components\Microsoft Defender Antivirus\Threats
Windows Components\Microsoft Defender Exploit Guard\Exploit Protection
Windows Components\Microsoft Secondary Authentication Factor
Windows Components\Microsoft User Experience Virtualization
Windows Components\Microsoft User Experience Virtualization\Applications
Windows Components\Microsoft User Experience Virtualization\Windows Apps
Windows Components\NetMeeting
Windows Components\OneDrive
Windows Components\Online Assistance
Windows Components\OOBE
Windows Components\Portable Operating System
Windows Components\Presentation Settings
Windows Components\Push To Install
Windows Components\Remote Desktop Services\RD Licensing
Windows Components\Remote Desktop Services\RD Licensing
Windows Components\Remote Desktop Services\Remote Desktop Connection Client
Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirection
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Application Compatibility
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles
Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\RemoteFX for
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders
Windows Components\RSS Feeds
Windows Components\Search
Windows Components\Security Center
Windows Components\Shutdown Options
Windows Components\Shutdown Options
Windows Components\Smart Card
Windows Components\Software Protection Platform
Windows Components\Software Protection Platform
Windows Components\Sound Recorder
Windows Components\Speech
Windows Components\Store
Windows Components\Sync your settings
Windows Components\Tablet PC\Accessories
Windows Components\Tablet PC\Cursors
Windows Components\Tablet PC\Hardware Buttons
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Pen Flicks Learning
Windows Components\Tablet PC\Pen UX Behaviors
Windows Components\Tablet PC\Tablet PC Pen Training
Windows Components\Tablet PC\Touch Input
Windows Components\Task Scheduler
Windows Components\Text Input
Windows Components\Text Input
Windows Components\Windows Calendar
Windows Components\Windows Color System
Windows Components\Windows Customer Experience Improvement Program
Windows Components\Windows Customer Experience Improvement Program
Windows Components\Windows Defender SmartScreen\Explorer
Windows Components\Windows Defender SmartScreen\Explorer

Windows Components\Windows Defender SmartScreen\Microsoft Edge
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting\Advanced Error Reporting Settings
Windows Components\Windows Error Reporting\Consent
Windows Components\Windows Hello for Business
Windows Components\Windows Ink Workspace
Windows Components\Windows Ink Workspace
Windows Components\Windows Installer
Windows Components\Windows Logon Options
Windows Components\Windows Media Digital Rights Management
Windows Components\Windows Media Player
Windows Components\Windows Messenger
Windows Components\Windows Mobility Center
Windows Components\Windows PowerShell

Windows Components\Windows Reliability Analysis
Windows Components\Windows Remote Management (WinRM)\WinRM Client
Windows Components\Windows Remote Management (WinRM)\WinRM Service
Windows Components\Windows Remote Shell
Windows Components\Windows Sandbox
Windows Components\Windows Security\Account protection
Windows Components\Windows Security\App and browser protection
Windows Components\Windows Security\App and browser protection
Windows Components\Windows Security\Device performance and health
Windows Components\Windows Security\Device security
Windows Components\Windows Security\Enterprise Customization
Windows Components\Windows Security\Family options
Windows Components\Windows Security\Firewall and network protection
Windows Components\Windows Security\Notifications
Windows Components\Windows Security\Notifications
Windows Components\Windows Security\Systray
Windows Components\Windows Security\Virus and threat protection
Windows Components\Windows Security\Virus and threat protection
Windows Components\Windows Update
Windows Components\Windows Update\Windows Update for Business
Windows Components\Work Folders
Policy Setting Name
Allow Online Tips
Settings Page Visibility
Do not display the lock screen
Force a specific background and accent color
Force a specific default lock screen and logon image
Force a specific Start background
Prevent changing lock screen and logon image
Prevent changing start menu background
Prevent enabling lock screen camera
Prevent enabling lock screen slide show
Allow users to enable online speech recognition services
Block clean-up of unused language packs
Force selected system UI language to overwrite the user UI language
Restrict Language Pack and Language Feature Installation
Restricts the UI language Windows uses for all logged users
Turn off automatic learning
Apply the default account picture to all users
Do not allow password expiration time longer than required by policy
Enable local admin password management
Name of administrator account to manage
Password Settings
Apply UAC restrictions to local accounts on network logons
Block Flash activation in Office documents
Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)
Configure SMB v1 client driver
Configure SMB v1 server
Enable Structured Exception Handling Overwrite Protection (SEHOP)
Extended Protection for LDAP Authentication (Domain Controllers only) (DEPRECATED)
Limits print driver installation to Administrators
LSA Protection
Lsass.exe audit mode
NetBT NodeType configuration
Remove "Run As Different User" from context menus
Restrict legacy JScript execution for Office
Turn on Windows Defender protection against Potentially Unwanted Applications (DEPRECATED)
WDigest Authentication (disabling may require KB2871997)
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure envir
MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (DisableSavePassword) Prevent the dial-up passsword from being saved (recommended)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended 5 is defaul
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended 5 is default)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Configure how often a DFS client discovers domain controllers
Allow BITS Peercaching
Do not allow the BITS client to use Windows Branch Cache
Do not allow the computer to act as a BITS Peercaching client
Do not allow the computer to act as a BITS Peercaching server
Limit the age of files in the BITS Peercache
Limit the BITS Peercache size
Limit the maximum BITS job download time
Limit the maximum network bandwidth for BITS background transfers
Limit the maximum network bandwidth used for Peercaching
Limit the maximum number of BITS jobs for each user
Limit the maximum number of BITS jobs for this computer
Limit the maximum number of files allowed in a BITS job
Limit the maximum number of ranges that can be added to the file in a BITS job
Set default download behavior for BITS jobs on costed networks
Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers
Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers
Timeout for inactive BITS jobs
Configure BranchCache for network files
Configure Client BranchCache Version Support
Configure Hosted Cache Servers
Enable Automatic Hosted Cache Discovery by Service Connection Point
Set age for segments in the data cache
Set BranchCache Distributed Cache mode
Set BranchCache Hosted Cache mode
Set percentage of disk space used for client computer cache
Turn on BranchCache
Corporate Resources
Custom Commands
DirectAccess Passive Mode
Friendly Name
IPsec Tunnel Endpoints
Prefer Local Names Allowed
Support Email Address
User Interface
Allow DNS suffix appending to unqualified multi-label name queries
Allow NetBT queries for fully qualified domain names
Configure DNS over HTTPS (DoH) name resolution
Connection-specific DNS suffix
DNS servers
DNS suffix search list
Dynamic update
IDN mapping
Prefer link local responses over DNS when received over a network with higher precedence
Primary DNS suffix
Primary DNS suffix devolution
Primary DNS suffix devolution level
Register DNS records with connection-specific DNS suffix
Register PTR records
Registration refresh interval
Replace addresses in conflicts
TTL value for A and PTR records
Turn off IDN encoding
Turn off multicast name resolution
Turn off smart multi-homed name resolution
Turn off smart protocol reordering
Update security level
Update top level domain zones
Enable Font Providers
Enable Hotspot Authentication
Cipher suite order
Hash Publication for BranchCache
Hash Version support for BranchCache
Honor cipher suite order
Cipher suite order
Enable insecure guest logons
Handle Caching on Continuous Availability Shares
Offline Files Availability on Continuous Availability Shares
Turn on Mapper I/O (LLTDIO) driver
Turn on Responder (RSPNDR) driver
Disable password strength validation for Peer Grouping
Turn off Microsoft Peer-to-Peer Networking Services
Set PNRP cloud to resolve only
Set the Seed Server
Turn off Multicast Bootstrap
Turn off PNRP cloud creation
Set the Seed Server
Set the Seed Server
Do not show the "local access only" network icon
Prohibit installation and configuration of Network Bridge on your DNS domain network
Prohibit use of Internet Connection Firewall on your DNS domain network
Prohibit use of Internet Connection Sharing on your DNS domain network
Require domain users to elevate when setting a network's location
Route all traffic through the internal network
Windows Defender Firewall: Allow authenticated IPsec bypass
Windows Defender Firewall: Allow ICMP exceptions
Windows Defender Firewall: Allow inbound file and printer sharing exception
Windows Defender Firewall: Allow inbound remote administration exception
Windows Defender Firewall: Allow inbound Remote Desktop exceptions
Windows Defender Firewall: Allow inbound UPnP framework exceptions
Windows Defender Firewall: Allow local port exceptions
Windows Defender Firewall: Allow local program exceptions
Windows Defender Firewall: Allow logging
Windows Defender Firewall: Define inbound port exceptions
Windows Defender Firewall: Define inbound program exceptions
Windows Defender Firewall: Do not allow exceptions
Windows Defender Firewall: Prohibit notifications
Windows Defender Firewall: Prohibit unicast response to multicast or broadcast requests
Windows Defender Firewall: Protect all network connections
Windows Defender Firewall: Allow ICMP exceptions
Windows Defender Firewall: Allow inbound file and printer sharing exception
Windows Defender Firewall: Allow inbound remote administration exception
Windows Defender Firewall: Allow inbound Remote Desktop exceptions
Windows Defender Firewall: Allow inbound UPnP framework exceptions
Windows Defender Firewall: Allow local port exceptions
Windows Defender Firewall: Allow local program exceptions
Windows Defender Firewall: Allow logging
Windows Defender Firewall: Define inbound port exceptions
Windows Defender Firewall: Define inbound program exceptions
Windows Defender Firewall: Do not allow exceptions
Windows Defender Firewall: Prohibit notifications
Windows Defender Firewall: Prohibit unicast response to multicast or broadcast requests
Windows Defender Firewall: Protect all network connections
Specify corporate DNS probe host address
Specify corporate DNS probe host name
Specify corporate site prefix list
Specify corporate Website probe URL
Specify domain location determination URL
Specify global DNS
Specify passive polling
Domains categorized as both work and personal
Enterprise resource domains hosted in the cloud
Internet proxy servers for apps
Intranet proxy servers for apps
Private network ranges for apps
Proxy definitions are authoritative
Subnet definitions are authoritative
Hardened UNC Paths

Action on server disconnect
Allow or Disallow use of the Offline Files feature
At logoff delete local copy of userâ€™s offline files
Configure Background Sync
Configure Slow link speed
Configure slow-link mode
Default cache size
Enable file screens
Enable file synchronization on costed networks
Enable Transparent Caching
Encrypt the Offline Files cache
Event logging level
Files not cached
Initial reminder balloon lifetime
Limit disk space used by Offline Files
Non-default server disconnect actions
Prevent use of Offline Files folder
Prohibit user configuration of Offline Files
Reminder balloon frequency
Reminder balloon lifetime
Remove "Make Available Offline" command
Remove "Make Available Offline" for these files and folders
Remove "Work offline" command
Specify administratively assigned Offline Files
Subfolders always available offline
Synchronize all offline files before logging off
Synchronize all offline files when logging on
Synchronize offline files before suspend
Turn off reminder balloons
Turn on economical application of administratively assigned Offline Files
Limit outstanding packets
Limit reservable bandwidth
Set timer resolution
Best effort service type
Controlled load service type
Guaranteed service type
Network control service type
Qualitative service type
Non-conforming packets
Specify communities
Specify permitted managers
Specify traps for public community
ECC Curve Order
SSL Cipher Suite Order
Set 6to4 Relay Name
Set 6to4 Relay Name Resolution Interval
Set 6to4 State
Set IP-HTTPS State
Set ISATAP Router Name
Set ISATAP State
Set Teredo Client Port
Set Teredo Default Qualified
Set Teredo Refresh Rate
Set Teredo Server Name
Set Teredo State
Set IP Stateless Autoconfiguration Limits State
Set Window Scaling Heuristics State
Configuration of wireless settings using Windows Connect Now
Prohibit access of the Windows Connect Now wizards
Disable power management in connected standby mode
Enable Windows to soft-disconnect a computer from a network
Minimize the number of simultaneous connections to the Internet or a Windows Domain
Prohibit connection to non-domain networks when connected to domain authenticated network
Prohibit connection to roaming Mobile Broadband networks
Prefer PIN pairing
Require PIN pairing
Set Cost
Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts and to hotspots offering
Let Windows apps access cellular data
Set 3G Cost
Set 4G Cost
Set Per-App Cellular Access UI Visibility
Activate Internet printing
Add Printer wizard - Network scan page (Managed network)
Add Printer wizard - Network scan page (Unmanaged network)
Allow job name in event logs
Allow Print Spooler to accept client connections
Allow printers to be published
Allow pruning of published printers
Always rasterize content to be printed using a software rasterizer
Always render print jobs on the server
Automatically publish new printers in Active Directory
Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)
Check published state
Computer location
Custom support URL in the Printers folder's left pane
Directory pruning interval
Directory pruning priority
Directory pruning retry
Disallow installation of printers using kernel-mode drivers
Do not allow v4 printer drivers to show printer extensions
Enable Device Control Printing Restrictions
Execute print drivers in isolated processes
Extend Point and Print connection to search Windows Update
Isolate print drivers from applications
List of Approved USB-connected print devices
Log directory pruning retry events
Only use Package Point and print
Override print driver execution compatibility setting reported by print driver
Package Point and print - Approved servers
Point and Print Restrictions
Pre-populate printer search location text
Printer browsing
Prune printers that are not automatically republished
Disable context menus in the Start Menu
Do not keep history of recently opened documents
Force Start to be either full screen size or menu size
Pin Apps to Start when installed
Remove "Recently added" list from Start Menu
Remove All Programs list from the Start menu
Remove and prevent access to the Shut Down Restart Sleep and Hibernate commands
Remove frequent programs list from the Start Menu
Show or hide "Most used" list from Start menu
Start Layout
Enables group policy for the WNS FQDN
Turn off notifications network usage
Activate Shutdown Event Tracker System State Data feature
Allow Distributed Link Tracking clients to use domain resources
Display highly detailed status messages
Display Shutdown Event Tracker
Do not automatically encrypt files moved to encrypted folders
Do not display Manage Your Server page at logon
Do not turn off system power after a Windows system shutdown has occurred.
Download missing COM components
Enable Persistent Time Stamp
Remove Boot / Shutdown / Logon / Logoff status messages
Restrict potentially unsafe HTML Help functions to specified folders
Restrict these programs from being launched from Help
Specify settings for optional component installation and component repair
Specify Windows installation file location
Specify Windows Service Pack installation file location
Turn off Data Execution Prevention for HTML Help Executible
Customize message for Access Denied errors
Enable access-denied assistance on client for all file types
Enable App-V Client
Microsoft Customer Experience Improvement Program (CEIP)
Enable Migration Mode
Integration Root Global
Integration Root User
Roaming File Exclusions
Roaming Registry Exclusions
Enable automatic cleanup of unused appv packages
Enable background sync to server when on battery power
Enable Publishing Refresh UX
Publishing Server 1 Settings
Reporting Server
Enable Package Scripts
Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection
Certificate Filter For Client SSL
Enable Support for BranchCache
Location Provider
Package Installation Root
Package Source Root
Reestablishment Interval
Reestablishment Retries
Require Publish As Admin
Shared Content Store (SCS) mode
Specify what to load in background (aka AutoLoad)
Verify certificate revocation list
Enable Dynamic Virtualization
Virtual Component Process Allow List
Include command line in process creation events
Allow delegating default credentials
Allow delegating default credentials with NTLM-only server authentication
Allow delegating fresh credentials
Allow delegating fresh credentials with NTLM-only server authentication
Allow delegating saved credentials
Allow delegating saved credentials with NTLM-only server authentication
Deny delegating default credentials
Deny delegating fresh credentials
Deny delegating saved credentials
Encryption Oracle Remediation
Remote host allows delegation of non-exportable credentials
Restrict delegation of credentials to remote servers
Deploy Windows Defender Application Control
Turn On Virtualization Based Security

Enable Device Health Attestation Monitoring and Reporting
Allow remote access to the Plug and Play interface
Configure device installation time-out
Do not send a Windows error report when a generic driver is installed on a device
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point
Prevent device metadata retrieval from the Internet
Prevent Windows from sending an error report when a device driver requests additional software during installation
Prioritize all digitally signed drivers equally during the driver ranking and selection process
Specify search order for device driver source locations
Specify the search server for device driver updates
Turn off "Found New Hardware" balloons during device installation
Allow administrators to override Device Installation Restriction policies
Allow installation of devices that match any of these device IDs
Allow installation of devices that match any of these device instance IDs
Allow installation of devices using drivers that match these device setup classes
Display a custom message title when device installation is prevented by a policy setting
Display a custom message when installation is prevented by a policy setting
Prevent installation of devices not described by other policy settings
Prevent installation of devices that match any of these device IDs
Prevent installation of devices that match any of these device instance IDs
Prevent installation of devices using drivers that match these device setup classes
Prevent installation of removable devices
Time (in seconds) to force reboot when required for policy changes to take effect
Turn off boot and resume optimizations
Turn off cache power mode
Turn off non-volatile cache feature
Turn off solid state mode
Apply policy to removable media
Enable disk quotas
Enforce disk quota limit
Log event when quota limit is exceeded
Log event when quota warning level is exceeded
Specify default quota limit and warning level
Configure Per-Process System DPI settings
Turn off GdiDPIScaling for applications
Turn on GdiDPIScaling for applications
Allow local activation security check exemptions
Define Activation Security Check exemptions
Allow non-administrators to install drivers for these device setup classes
Turn off Windows Update device driver search prompt
Boot-Start Driver Initialization Policy
Allow only USB root hub connected Enhanced Storage devices
Configure list of Enhanced Storage devices usable on your computer
Configure list of IEEE 1667 silos usable on your computer
Do not allow non-Enhanced Storage removable devices
Do not allow password authentication of Enhanced Storage devices
Do not allow Windows to activate Enhanced Storage devices
Lock Enhanced Storage when the computer is locked
File Classification Infrastructure: Display Classification tab in File Explorer
File Classification Infrastructure: Specify classification properties list
Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running o
Disable delete notifications on all volumes
Enable Win32 long paths
Selectively allow the evaluation of a symbolic link
Do not allow compression on all NTFS volumes
Do not allow encryption on all NTFS volumes
Enable / disable TXF deprecated features
Enable NTFS non-paged pool usage
Enable NTFS pagefile encryption
NTFS default tier
NTFS parallel flush threshold
NTFS parallel flush worker threads
Short name creation options
Redirect folders on primary computers only
Use localized subfolder names when redirecting Start Menu and My Documents
Allow asynchronous user Group Policy processing when logging on through Remote Desktop Services
Allow cross-forest user policy and roaming user profiles
Always use local ADM files for Group Policy Object Editor
Change Group Policy processing to run asynchronously when a slow network connection is detected.
Configure Applications preference extension policy processing
Configure Data Sources preference extension policy processing
Configure Devices preference extension policy processing
Configure Direct Access connections as a fast network connection
Configure disk quota policy processing
Configure Drive Maps preference extension policy processing
Configure EFS recovery policy processing
Configure Environment preference extension policy processing
Configure Files preference extension policy processing
Configure Folder Options preference extension policy processing
Configure folder redirection policy processing
Configure Folders preference extension policy processing
Configure Group Policy Caching
Configure Group Policy slow link detection
Configure Ini Files preference extension policy processing
Configure Internet Explorer Maintenance policy processing
Configure Internet Settings preference extension policy processing
Configure IP security policy processing
Configure Local Users and Groups preference extension policy processing
Configure Logon Script Delay
Configure Network Options preference extension policy processing
Configure Network Shares preference extension policy processing
Configure Power Options preference extension policy processing
Configure Printers preference extension policy processing
Configure Regional Options preference extension policy processing
Configure registry policy processing

Configure Registry preference extension policy processing
Configure Scheduled Tasks preference extension policy processing
Configure scripts policy processing
Configure security policy processing
Configure Services preference extension policy processing
Configure Shortcuts preference extension policy processing
Configure software Installation policy processing
Configure Start Menu preference extension policy processing
Configure user Group Policy loopback processing mode
Configure web-to-app linking with app URI handlers
Configure wired policy processing
Configure wireless policy processing
Continue experiences on this device
Determine if interactive users can generate Resultant Set of Policy data
Enable AD/DFS domain controller synchronization during policy refresh
Enable Group Policy Caching for Servers
Phone-PC linking on this device
Remove users' ability to invoke machine policy refresh
Set Group Policy refresh interval for computers
Set Group Policy refresh interval for domain controllers
Specify startup policy processing wait time
Specify workplace connectivity wait time for policy processing
Turn off background refresh of Group Policy
Turn off Group Policy Client Service AOAC optimization
Turn off Local Group Policy Objects processing
Turn off Resultant Set of Policy logging
Configure Applications preference logging and tracing
Configure Data Sources preference logging and tracing
Configure Devices preference logging and tracing
Configure Drive Maps preference logging and tracing
Configure Environment preference logging and tracing
Configure Files preference logging and tracing
Configure Folder Options preference logging and tracing
Configure Folders preference logging and tracing
Configure Ini Files preference logging and tracing
Configure Internet Settings preference logging and tracing
Configure Local Users and Groups preference logging and tracing
Configure Network Options preference logging and tracing
Configure Network Shares preference logging and tracing
Configure Power Options preference logging and tracing
Configure Printers preference logging and tracing
Configure Regional Options preference logging and tracing
Configure Registry preference logging and tracing
Configure Scheduled Tasks preference logging and tracing
Configure Services preference logging and tracing
Configure Shortcuts preference logging and tracing
Configure Start Menu preference logging and tracing
Restrict Internet communication
Turn off access to all Windows Update features
Turn off access to the Store
Turn off Automatic Root Certificates Update
Turn off downloading of print drivers over HTTP
Turn off Event Viewer "Events.asp" links
Turn off handwriting personalization data sharing
Turn off handwriting recognition error reporting
Turn off Help and Support Center "Did you know?" content
Turn off Help and Support Center Microsoft Knowledge Base search
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
Turn off Internet download for Web publishing and online ordering wizards
Turn off Internet File Association service
Turn off printing over HTTP
Turn off Registration if URL connection is referring to Microsoft.com
Turn off Search Companion content file updates
Turn off the "Order Prints" picture task
Turn off the "Publish to Web" task for files and folders
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Windows Customer Experience Improvement Program
Turn off Windows Error Reporting
Turn off Windows Network Connectivity Status Indicator active tests
Turn off Windows Update device driver searching
Do not allow additional session logins
Do not allow changes to initiator iqn name
Do not allow changes to initiator CHAP secret
Do not allow connections without IPSec
Do not allow sessions without mutual CHAP
Do not allow sessions without one way CHAP
Do not allow adding new targets via manual configuration
Do not allow manual configuration of discovered targets
Do not allow manual configuration of iSNS servers
Do not allow manual configuration of target portals
KDC support for claims compound authentication and Kerberos armoring
KDC support for PKInit Freshness Extension
Provide information about previous logons to client computers
Request compound authentication
Use forest search order
Warning for large Kerberos tickets
Allow retrieving the cloud kerberos ticket during the logon
Always send compound authentication first
Define host name-to-Kerberos realm mappings
Define interoperable Kerberos V5 realm settings
Disable revocation checking for the SSL certificate of KDC proxy servers
Fail authentication requests when Kerberos armoring is not available
Kerberos client support for claims compound authentication and Kerberos armoring
Require strict KDC validation
Require strict target SPN match on remote procedure calls
Set maximum Kerberos SSPI context token buffer size
Specify KDC proxy servers for Kerberos clients
Support compound authentication
Support device authentication using certificate
Use forest search order
Enumeration policy for external devices incompatible with Kernel DMA Protection
Disallow changing of geographic location
Disallow copying of user input methods to the system account for sign-in
Disallow selection of Custom Locales
Disallow user override of locale settings
Restrict system locales
Restrict user locales
Allow users to select when a password is required when resuming from connected standby
Always use classic logon
Always use custom logon background
Always wait for the network at computer startup and logon
Assign a default credential provider
Assign a default domain for logon
Block user from showing account details on sign-in
Do not display network selection UI
Do not display the Getting Started welcome screen at logon
Do not enumerate connected users on domain-joined computers
Do not process the legacy run list
Do not process the run once list
Enumerate local users on domain-joined computers
Exclude credential providers
Hide entry points for Fast User Switching
Run these programs at user logon
Show clear logon background
Show first sign-in animation
Turn off app notifications on the lock screen
Turn off picture password sign-in
Turn off Windows Startup sound
Turn on convenience PIN sign-in
Turn on security key sign-in
Process Mitigation Options
Untrusted Font Blocking
Allow cryptography algorithms compatible with Windows NT 4.0
Contact PDC on logon failure
Set Netlogon share compatibility
Set scavenge interval
Set SYSVOL share compatibility
Specify expected dial-up delay on logon
Specify log file debug output level
Specify maximum log file size
Specify negative DC Discovery cache setting
Specify positive periodic DC Cache refresh for non-background callers
Specify site name
Use final DC discovery retry setting for background callers
Use initial DC discovery retry setting for background callers
Use maximum DC discovery retry interval setting for background callers
Use positive periodic DC cache refresh for background callers
Use urgent mode when pinging domain controllers
Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names
Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails
Force Rediscovery Interval
Return domain controller address type
Set Priority in the DC Locator DNS SRV records
Set TTL in the DC Locator DNS Records
Set Weight in the DC Locator DNS SRV records
Specify address lookup behavior for DC locator ping
Specify DC Locator DNS records not registered by the DCs
Specify dynamic registration of the DC Locator DNS Records
Specify Refresh Interval of the DC Locator DNS records
Specify sites covered by the application directory partition DC Locator DNS SRV records
Specify sites covered by the DC Locator DNS SRV records
Specify sites covered by the GC Locator DNS SRV Records
Try Next Closest Site
Use automated site coverage by the DC Locator DNS SRV Records
Use DNS name resolution when a single-label domain name is used by appending different registered DNS suffixes if the Allow
Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC
Use lowercase DNS host names when registering domain controller SRV records
Allow Clipboard History
Allow Clipboard synchronization across devices
Allow publishing of User Activities
Allow upload of User Activities
Enables Activity Feed
Expiration
History
Maximum PIN length
Minimum PIN length
Require digits
Require lowercase letters
Require special characters
Require uppercase letters
Select an active power plan
Specify a custom active power plan
Select the lid switch action (on battery)
Select the lid switch action (plugged in)
Select the Power button action (on battery)
Select the Power button action (plugged in)
Select the Sleep button action (on battery)
Select the Sleep button action (plugged in)
Select the Start menu Power button action (on battery)
Select the Start menu Power button action (plugged in)
Energy Saver Battery Threshold (on battery)
Energy Saver Battery Threshold (plugged in)
Turn Off the hard disk (on battery)
Turn Off the hard disk (plugged in)
Critical battery notification action
Critical battery notification level
Low battery notification action
Low battery notification level
Reserve battery notification level
Turn off low battery user notification
Turn off Power Throttling
Allow applications to prevent automatic sleep (on battery)
Allow applications to prevent automatic sleep (plugged in)
Allow automatic sleep with Open Network Files (on battery)
Allow automatic sleep with Open Network Files (plugged in)
Allow network connectivity during connected-standby (on battery)
Allow network connectivity during connected-standby (plugged in)
Allow standby states (S1-S3) when sleeping (on battery)
Allow standby states (S1-S3) when sleeping (plugged in)
Require a password when a computer wakes (on battery)
Require a password when a computer wakes (plugged in)
Specify the system hibernate timeout (on battery)
Specify the system hibernate timeout (plugged in)
Specify the system sleep timeout (on battery)
Specify the system sleep timeout (plugged in)
Specify the unattended sleep timeout (on battery)
Specify the unattended sleep timeout (plugged in)
Turn off hybrid sleep (on battery)
Turn off hybrid sleep (plugged in)
Turn on the ability for applications to prevent sleep transitions (on battery)
Turn on the ability for applications to prevent sleep transitions (plugged in)
Reduce display brightness (on battery)
Reduce display brightness (plugged in)
Specify the display dim brightness (on battery)
Specify the display dim brightness (plugged in)
Turn off adaptive display timeout (on battery)
Turn off adaptive display timeout (plugged in)
Turn off the display (on battery)
Turn off the display (plugged in)
Turn on desktop background slideshow (on battery)
Turn on desktop background slideshow (plugged in)
Allow restore of system to default state
Allow only Windows Vista or later connections
Configure Offer Remote Assistance
Configure Solicited Remote Assistance
Customize warning messages
Turn on bandwidth optimization
Turn on session logging
Enable RPC Endpoint Mapper Client Authentication
Ignore Delegation Failure
Maintain RPC Troubleshooting State Information
Propagate extended error information
Restrict Unauthenticated RPC clients
Set Minimum Idle Connection Timeout for RPC/HTTP connections
All Removable Storage classes: Deny all access
All Removable Storage: Allow direct access in remote sessions
CD and DVD: Deny execute access
CD and DVD: Deny read access
CD and DVD: Deny write access
Custom Classes: Deny read access
Custom Classes: Deny write access
Floppy Drives: Deny execute access
Floppy Drives: Deny read access
Floppy Drives: Deny write access
Removable Disks: Deny execute access
Removable Disks: Deny read access
Removable Disks: Deny write access
Set time (in seconds) to force reboot
Tape Drives: Deny execute access
Tape Drives: Deny read access
Tape Drives: Deny write access
WPD Devices: Deny read access
WPD Devices: Deny write access
Allow logon scripts when NetBIOS or WINS is disabled
Display instructions in shutdown scripts as they run
Display instructions in startup scripts as they run
Run logon scripts synchronously
Run startup scripts asynchronously
Run Windows PowerShell scripts first at computer startup shutdown
Run Windows PowerShell scripts first at user logon logoff
Specify maximum wait time for Group Policy scripts
Configure validation of ROCA-vulnerable WHfB keys during authentication
Configure the refresh interval for Server Manager
Do not display Initial Configuration Tasks window automatically at logon
Do not display Server Manager automatically at logon
Enable svchost.exe mitigation options
Require use of fast startup
Turn off automatic termination of applications that block or cancel shutdown
Allow downloading updates to the Disk Failure Prediction Model
Allow Storage Sense
Allow Storage Sense Temporary Files cleanup
Configure Storage Sense cadence
Configure Storage Sense Cloud Content dehydration threshold
Configure Storage Sense Recycle Bin cleanup threshold
Configure Storage Storage Downloads cleanup threshold
Turn off Configuration
Turn off System Restore
Diagnostics: Configure scenario execution level
Diagnostics: Configure scenario retention
Detect application failures caused by deprecated COM objects
Detect application failures caused by deprecated Windows DLLs
Detect application install failures
Detect application installers that need to be run as administrator
Detect applications unable to launch installers under UAC
Detect compatibility issues for applications and drivers
Notify blocked drivers
Configure Corrupted File Recovery behavior
Disk Diagnostic: Configure custom alert text
Disk Diagnostic: Configure execution level
Configure Scenario Execution Level
Microsoft Support Diagnostic Tool: Configure execution level
Microsoft Support Diagnostic Tool: Restrict tool download
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
Troubleshooting: Allow users to access recommended troubleshooting for known problems
Configure MSI Corrupted File Recovery behavior
Configure Scheduled Maintenance Behavior
Configure Security Policy for Scripted Diagnostics
Troubleshooting: Allow users to access and run Troubleshooting Wizards
Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control
Configure the level of TPM owner authorization information available to the operating system
Configure the list of blocked TPM commands
Configure the system to clear the TPM if it is not in a ready state.
Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.
Ignore the default list of blocked TPM commands
Ignore the local list of blocked TPM commands
Standard User Individual Lockout Threshold
Standard User Lockout Duration
Standard User Total Lockout Threshold
Add the Administrators security group to roaming user profiles
Control slow network connection timeout for user profiles
Delete cached copies of roaming profiles
Delete user profiles older than a specified number of days on system restart
Disable detection of slow network connections
Do not check for user ownership of Roaming Profile Folders
Do not forcefully unload the users registry at user logoff
Do not log users on with temporary profiles
Download roaming profiles on primary computers only
Establish timeout value for dialog boxes
Leave Windows Installer and Group Policy Software Installation Data
Maximum retries to unload and update user profile
Only allow local user profiles
Prevent Roaming Profile changes from propagating to the server
Prompt user when a slow network connection is detected
Set maximum wait time for the network if a user has a roaming user profile or remote home directory
Set roaming profile path for all users logging onto this computer
Set the schedule for background upload of a roaming user profile's registry file while user is logged on
Set user home folder
Turn off the advertising ID
User management of sharing user name account picture and domain information with apps (not desktop apps)
Wait for remote user profile
Hide the file scan progress window
Limit Windows File Protection cache size
Set Windows File Protection scanning
Specify Windows File Protection cache location
Global Configuration Settings
Configure Windows NTP Client
Enable Windows NTP Client
Enable Windows NTP Server
Approved Installation Sites for ActiveX Controls
Establish ActiveX installation policy for sites in Trusted zones
Prevent the wizard from running.
Allow a Windows app to share application data between users
Allow all trusted apps to install
Allow deployment operations in special profiles
Allows development of Windows Store apps and installing them from an integrated development environment (IDE)
Archive infrequently used apps
Disable installing Windows apps on non-system volumes
Prevent non-admin users from installing packaged Windows apps
Prevent users' app data from being stored on non-system volumes
Let Windows apps access account information
Let Windows apps access an eye tracker device
Let Windows apps access call history
Let Windows apps access contacts
Let Windows apps access diagnostic information about other apps
Let Windows apps access email
Let Windows apps access location
Let Windows apps access messaging
Let Windows apps access motion
Let Windows apps access notifications
Let Windows apps access Tasks
Let Windows apps access the calendar
Let Windows apps access the camera
Let Windows apps access the microphone
Let Windows apps access trusted devices
Let Windows apps access user movements while running in the background
Let Windows apps activate with voice
Let Windows apps activate with voice while the system is locked
Let Windows apps communicate with unpaired devices
Let Windows apps control radios
Let Windows apps make phone calls
Let Windows apps run in the background
Let Windows apps take screenshots of various windows or displays
Let Windows apps turn off the screenshot border
Allow Microsoft accounts to be optional
Block launching desktop apps associated with a file.
Block launching desktop apps associated with a URI scheme
Block launching Universal Windows apps with Windows Runtime API access from hosted content.
Turn on dynamic Content URI Rules for Windows store apps
Prevent access to 16-bit applications
Remove Program Compatibility Property Page
Turn off Application Compatibility Engine
Turn off Application Telemetry
Turn off Inventory Collector
Turn off Program Compatibility Assistant
Turn off Steps Recorder
Turn off SwitchBack Compatibility Engine
Disallow Autoplay for non-volume devices
Prevent AutoPlay from remembering user choices.
Set the default behavior for AutoRun
Turn off Autoplay
Allow only system backup
Disallow locally attached storage as backup target
Disallow network as backup target
Disallow optical media as backup target
Disallow run-once backups
Allow domain users to log on using biometrics
Allow the use of biometrics
Allow users to log on using biometrics
Specify timeout for fast user switching events
Configure enhanced anti-spoofing
Choose default folder for recovery password
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
Choose drive encryption method and cipher strength (Windows 8 Windows Server 2012 Windows 8.1 Windows Server 2012 R
Choose drive encryption method and cipher strength (Windows Vista Windows Server 2008 Windows 7 Windows Server 2008
Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
Disable new DMA devices when this computer is locked
Prevent memory overwrite on restart
Provide the unique identifiers for your organization
Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
Validate smart card certificate usage rule compliance
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
Choose how BitLocker-protected fixed drives can be recovered
Configure use of hardware-based encryption for fixed data drives
Configure use of passwords for fixed data drives
Configure use of smart cards on fixed data drives
Deny write access to fixed drives not protected by BitLocker
Enforce drive encryption type on fixed data drives
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
Allow enhanced PINs for startup
Allow network unlock at startup
Allow Secure Boot for integrity validation
Choose how BitLocker-protected operating system drives can be recovered
Configure minimum PIN length for startup
Configure pre-boot recovery message and URL
Configure TPM platform validation profile (Windows Vista Windows Server 2008 Windows 7 Windows Server 2008 R2)
Configure TPM platform validation profile for BIOS-based firmware configurations
Configure TPM platform validation profile for native UEFI firmware configurations
Configure use of hardware-based encryption for operating system drives
Configure use of passwords for operating system drives
Disallow standard users from changing the PIN or password
Enable use of BitLocker authentication requiring preboot keyboard input on slates
Enforce drive encryption type on operating system drives
Require additional authentication at startup
Require additional authentication at startup (Windows Server 2008 and Windows Vista)
Reset platform validation data after BitLocker recovery
Use enhanced Boot Configuration Data validation profile
Allow access to BitLocker-protected removable data drives from earlier versions of Windows
Choose how BitLocker-protected removable drives can be recovered
Configure use of hardware-based encryption for removable data drives
Configure use of passwords for removable data drives
Configure use of smart cards on removable data drives
Control use of BitLocker on removable drives
Deny write access to removable drives not protected by BitLocker
Enforce drive encryption type on removable data drives
Allow Use of Camera
Do not show Windows tips
Turn off cloud optimized content
Turn off Microsoft consumer experiences
Don't allow this PC to be projected to
Require pin for pairing
Do not display the password reveal button
Enumerate administrator accounts on elevation
Prevent the use of security questions for local accounts
Require trusted path for credential entry
Allow commercial data pipeline
Allow Desktop Analytics Processing
Allow device name to be sent in Windows diagnostic data
Allow Diagnostic Data
Allow Update Compliance Processing
Allow WUfB Cloud Processing
Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service
Configure Connected User Experiences and Telemetry
Configure diagnostic data opt-in change notifications
Configure diagnostic data opt-in settings user interface
Configure diagnostic data upload endpoint for Desktop Analytics
Configure the Commercial ID
Disable deleting diagnostic data
Disable diagnostic data viewer
Disable OneSettings Downloads
Do not show feedback notifications
Enable OneSettings Auditing
Limit Diagnostic Log Collection
Limit Dump Collection
Limit optional diagnostic data for Desktop Analytics
Toggle user control over Insider builds
Absolute Max Cache Size (in GB)
Allow uploads while the device is on battery while under set Battery level (percentage)
Cache Server Hostname
Cache Server Hostname Source
Delay Background download Cache Server fallback (in seconds)
Delay background download from http (in secs)
Delay Foreground download Cache Server fallback (in seconds)
Delay Foreground download from http (in secs)
Download Mode
Enable Peer Caching while the device connects via VPN
Group ID
Max Cache Age (in seconds)
Max Cache Size (percentage)
Maximum Background Download Bandwidth (in KB/s)
Maximum Background Download Bandwidth (percentage)
Maximum Foreground Download Bandwidth (in KB/s)
Maximum Foreground Download Bandwidth (percentage)
Minimum Background QoS (in KB/s)
Minimum disk size allowed to use Peer Caching (in GB)
Minimum Peer Caching Content File Size (in MB)
Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)
Modify Cache Drive
Monthly Upload Data Cap (in GB)
Select a method to restrict Peer Selection
Select the source of Group IDs
Set Business Hours to Limit Background Download Bandwidth
Set Business Hours to Limit Foreground Download Bandwidth
Restrict unpacking and installation of gadgets that are not digitally signed.
Turn off desktop gadgets
Turn Off user-installed desktop gadgets
Do not allow Flip3D invocation
Do not allow window animations
Use solid color for Start background
Do not allow color changes
Specify a default color
Device compatibility settings
Driver compatibility settings
Register domain joined computers as devices
Do not allow Digital Locker to run
Allow edge swipe
Disable help tips
Configure forwarder resource usage
Configure target Subscription Manager
Back up log automatically when full
Configure log access
Configure log access (legacy)
Control Event Log behavior when the log file reaches its maximum size
Control the location of the log file
Specify the maximum log file size (KB)
Turn on logging
Enable Protected Event Logging
Events.asp program
Events.asp program command line parameters
Events.asp URL
Allow the use of remote paths in file shortcut icons
Configure Windows Defender SmartScreen

Disable binding directly to IPropertySetStorage without intermediate layers.
Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time
Do not show the 'new application installed' notification
Location where all default Library definition files for users/machines reside.
Set a default associations configuration file
Set a support web page link
Show hibernate in the power options menu
Show lock in the user tile menu
Show sleep in the power options menu
Start File Explorer with ribbon minimized
Turn off Data Execution Prevention for Explorer
Turn off heap termination on corruption
Turn off numerical sorting in File Explorer
Turn off shell protocol protected mode
Verify old and new Folder Redirection targets point to the same share before redirecting
Hide previous versions list for local files
Hide previous versions list for remote files
Hide previous versions of files on backup location
Prevent restoring local previous versions
Prevent restoring previous versions from backups
Prevent restoring remote previous versions
Turn off File History
Turn On/Off Find My Device
Handwriting Panel Default Mode Docked
Prevent the computer from joining a homegroup
Add a specific list of search providers to the user's list of search providers
Allow "Save Target As" in Internet Explorer mode
Allow Internet Explorer 8 shutdown behavior
Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
Automatically activate newly installed add-ons
Configure which channel of Microsoft Edge to use for opening redirected sites
Customize user agent string
Disable Automatic Install of Internet Explorer components
Disable changing Automatic Configuration settings
Disable changing connection settings
Disable changing secondary home page settings
Disable Import/Export Settings wizard
Disable Internet Explorer 11 as a standalone browser
Disable Periodic Check for Internet Explorer software updates
Disable showing the splash screen
Disable software update shell notifications on program launch
Do not allow users to enable or disable add-ons
Enable extended hot keys in Internet Explorer mode
Enforce full-screen mode
Install new versions of Internet Explorer automatically
Keep all intranet sites in Internet Explorer
Let users turn on and use Enterprise Mode from the Tools menu
Limit Site Discovery output by Domain
Limit Site Discovery output by Zone
Make proxy settings per-machine (rather than per-user)
Pop-up allow list
Prevent "Fix settings" functionality
Prevent access to Internet Explorer Help
Prevent bypassing SmartScreen Filter warnings
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Prevent changing pop-up filter level
Prevent changing proxy settings
Prevent changing the default search provider
Prevent configuration of how windows open
Prevent configuration of new tab creation
Prevent Internet Explorer Search box from appearing
Prevent managing pop-up exception list
Prevent managing SmartScreen Filter
Prevent managing the phishing filter
Prevent participation in the Customer Experience Improvement Program
Prevent per-user installation of ActiveX controls
Prevent running First Run wizard
Restrict search providers to a specific list
Security Zones: Do not allow users to add/delete sites
Security Zones: Do not allow users to change policies
Security Zones: Use only machine settings
Send all sites not included in the Enterprise Mode Site List to Microsoft Edge.
Set tab process growth
Show message when opening sites in Microsoft Edge using Enterprise Mode
Specify default behavior for a new tab
Specify use of ActiveX Installer Service for installation of ActiveX controls
Turn off ability to pin sites in Internet Explorer on the desktop
Turn off ActiveX Opt-In prompt
Turn off add-on performance notifications
Turn off Automatic Crash Recovery
Turn off browser geolocation
Turn off configuration of pop-up windows in tabbed browsing
Turn off Crash Detection
Turn off Favorites bar
Turn off Managing SmartScreen Filter for Internet Explorer 8
Turn off page-zooming functionality
Turn off pop-up management
Turn off Quick Tabs functionality
Turn off Reopen Last Browsing Session
Turn off suggestions for all user-installed providers
Turn off tabbed browsing
Turn off the auto-complete feature for web addresses
Turn off the quick pick menu
Turn off the Security Settings Check feature
Turn on ActiveX Filtering
Turn on compatibility logging
Turn on menu bar by default
Turn on Site Discovery WMI output
Turn on Site Discovery XML output
Turn on Suggested Sites
Use the Enterprise Mode IE website list
Add default Accelerators
Add non-default Accelerators
Restrict Accelerators to those deployed through Group Policy
Turn off Accelerators
Bypass prompting for Clipboard access for scripts running in any process
Bypass prompting for Clipboard access for scripts running in the Internet Explorer process
Define applications and processes that can access the Clipboard without prompting
Turn off Print Menu
Turn off the ability to launch report site problems using a menu option
Include updated website lists from Microsoft
Turn off Compatibility View
Turn off Compatibility View button
Turn on Internet Explorer 7 Standards Mode
Turn on Internet Explorer Standards Mode for local intranet
Use Policy List of Internet Explorer 7 sites
Use Policy List of Quirks Mode sites
Prevent specifying the code download path for each computer
Allow deleting browsing history on exit
Disable "Configuring History"
Prevent access to Delete Browsing History
Prevent deleting ActiveX Filtering Tracking Protection and Do Not Track data
Prevent deleting cookies
Prevent deleting download history
Prevent deleting favorites site data
Prevent deleting form data
Prevent deleting InPrivate Filtering data
Prevent deleting passwords
Prevent deleting temporary Internet files
Prevent deleting websites that the user has visited
Prevent the deletion of temporary Internet files and cookies
Disable the Advanced page
Disable the Connections page
Disable the Content page
Disable the General page
Disable the Privacy page
Disable the Programs page
Disable the Security page
Prevent ignoring certificate errors
Send internationalized domain names
Use UTF-8 for mailto links
Allow active content from CDs to run on user machines
Allow Install On Demand (except Internet Explorer)
Allow Install On Demand (Internet Explorer)
Allow Internet Explorer to use the HTTP2 network protocol
Allow Internet Explorer to use the SPDY/3 network protocol
Allow software to run or install even if the signature is invalid
Allow third-party browser extensions
Always send Do Not Track header
Automatically check for Internet Explorer updates
Check for server certificate revocation
Check for signatures on downloaded programs
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
Do not allow resetting Internet Explorer settings
Do not save encrypted pages to disk
Empty Temporary Internet Files folder when browser is closed
Play animations in web pages
Play sounds in web pages
Play videos in web pages
Turn off ClearType
Turn off encryption support
Turn off loading websites and content in the background to optimize performance
Turn off Profile Assistant
Turn off sending UTF-8 query strings for URLs
Turn off the flip ahead with page prediction feature
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
Turn on Caret Browsing support
Turn on Enhanced Protected Mode
Use HTTP 1.1
Use HTTP 1.1 through proxy connections
Show Content Advisor on Internet Options
Start Internet Explorer with tabs from last browsing session
Allow websites to store application caches on client computers
Allow websites to store indexed databases on client computers
Set application cache storage limits for individual domains
Set application caches expiration time limit for individual domains
Set default storage limits for websites
Set indexed database storage limits for individual domains
Set maximum application cache individual resource size
Set maximum application cache resource list size
Set maximum application caches storage limit for all domains
Set maximum indexed database storage limit for all domains
Internet Zone Template
Intranet Sites: Include all local (intranet) sites not listed in other zones
Intranet Sites: Include all network paths (UNCs)
Intranet Sites: Include all sites that bypass the proxy server
Intranet Zone Template
Local Machine Zone Template
Locked-Down Internet Zone Template
Locked-Down Intranet Zone Template
Locked-Down Local Machine Zone Template
Locked-Down Restricted Sites Zone Template
Locked-Down Trusted Sites Zone Template
Restricted Sites Zone Template
Site to Zone Assignment List
Trusted Sites Zone Template
Turn on automatic detection of intranet
Turn on certificate address mismatch warning
Turn on Notification bar notification for intranet content
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow only approved domains to use the TDC ActiveX control
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow VBScript to run in Internet Explorer
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Open Internet Explorer tiles on the desktop
Set how links are opened in Internet Explorer
Go to an intranet site for a one-word entry in the Address bar
Hide the button (next to the New Tab button) that opens Microsoft Edge
Turn off phone number detection
Allow Internet Explorer to play media files that use alternative codecs
Prevent configuration of search on Address bar
Prevent configuration of top-result search on Address bar
Turn off URL Suggestions
Turn off Windows Search AutoComplete
Prevent specifying cipher strength update information URLs
Prevent changing the URL for checking updates to Internet Explorer and Internet Tools
Prevent specifying the update check interval (in days)
Establish InPrivate Filtering threshold
Establish Tracking Protection threshold
Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts
Turn off collection of InPrivate Filtering data
Turn off InPrivate Browsing
Turn off InPrivate Filtering
Turn off Tracking Protection
Allow fallback to SSL 3.0 (Internet Explorer)
Do not display the reveal password button
Turn off Data Execution Prevention
Turn off Data URI support
Add-on List
All Processes
Deny all add-ons unless specifically allowed in the Add-on List
Process List
Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
Turn off blocking of outdated ActiveX controls for Internet Explorer
Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
Turn on ActiveX control logging in Internet Explorer
Allow native XMLHTTP support
Change the maximum number of connections per host (HTTP 1.1)
Maximum number of connections per server (HTTP 1.0)
Set the maximum number of WebSocket connections per server
Turn off cross-document messaging
Turn off the WebSocket Object
Turn off the XDomainRequest object
Admin-approved behaviors
All Processes
Install binaries signed by MD2 and MD4 signing technologies
Internet Explorer Processes
Process List
All Processes

Process List
All Processes
Process List
All Processes

Process List
All Processes

Process List
All Processes
Process List
Internet Zone Restricted Protocols
Intranet Zone Restricted Protocols
Local Machine Zone Restricted Protocols
Restricted Sites Zone Restricted Protocols
Trusted Sites Zone Restricted Protocols
All Processes

Process List
All Processes
Process List
All Processes

Process List
All Processes

Process List
All Processes

Process List
All Processes
Process List
Customize command labels
Display tabs on a separate row
Hide the Command bar
Hide the status bar
Lock all toolbars
Lock location of Stop and Refresh buttons
Turn off Developer Tools
Turn off toolbar upgrade tool
Use large icons for command buttons
Prevent IIS installation
Turn off location
Turn off location scripting
Turn off sensors
Turn off Windows Location Provider
Automatic Maintenance Activation Boundary
Automatic Maintenance Random Delay
Automatic Maintenance WakeUp Policy
Turn off Automatic Download and Update of Map Data
Turn off unsolicited network traffic on the Offline Maps settings page
Disable MDM Enrollment
Enable automatic MDM enrollment using default Azure AD credentials
Allow Message Service Cloud Sync
Block all consumer Microsoft account user authentication
Allow antimalware service to remain running always
Allow antimalware service to startup with normal priority
Configure detection for potentially unwanted applications
Configure local administrator merge behavior for lists
Define addresses to bypass proxy server
Define proxy auto-config (.pac) for connecting to the network
Define proxy server for connecting to the network
Define the directory path to copy support log files
Randomize scheduled task times
Turn off Microsoft Defender Antivirus
Turn off routine remediation
Display additional text to clients when they need to perform an action
Enable headless UI mode
Suppress all notifications
Suppresses reboot notifications
Extension Exclusions
Ip Address Exclusions
Path Exclusions
Process Exclusions
Turn off Auto Exclusions
Configure local setting override for reporting to Microsoft MAPS
Configure the 'Block at First Sight' feature
Join Microsoft MAPS
Send file samples when further analysis is required
Configure Attack Surface Reduction rules

Exclude files and paths from Attack Surface Reduction Rules
Configure allowed applications
Configure Controlled folder access
Configure protected folders
Prevent users and apps from accessing dangerous websites
This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server.
Configure extended cloud check
Enable file hash computation feature
Select cloud protection level
Specify additional definition sets for network traffic inspection
This setting controls datagram processing for network protection.
Turn on definition retirement
Turn on protocol recognition
Configure local setting override for the removal of items from Quarantine folder
Configure removal of items from Quarantine folder
Configure local setting override for monitoring file and program activity on your computer
Configure local setting override for monitoring for incoming and outgoing file activity
Configure local setting override for scanning all downloaded files and attachments
Configure local setting override for turn on behavior monitoring
Configure local setting override to turn on real-time protection
Configure monitoring for incoming and outgoing file and program activity
Define the maximum size of downloaded files and attachments to be scanned
Monitor file and program activity on your computer
Scan all downloaded files and attachments
Turn off real-time protection
Turn on behavior monitoring
Turn on process scanning whenever real-time protection is enabled
Turn on raw volume write notifications
Turn on script scanning
Configure local setting override for the time of day to run a scheduled full scan to complete remediation
Specify the day of the week to run a scheduled full scan to complete remediation
Specify the time of day to run a scheduled full scan to complete remediation
Configure time out for detections in critically failed state
Configure time out for detections in non-critical failed state
Configure time out for detections in recently remediated state
Configure time out for detections requiring additional action
Configure Watson events
Configure Windows software trace preprocessor components
Configure WPP tracing level
Turn off enhanced notifications
Allow users to pause scan
Check for the latest virus and spyware security intelligence before running a scheduled scan
Configure local setting override for maximum percentage of CPU utilization
Configure local setting override for schedule scan day
Configure local setting override for scheduled quick scan time
Configure local setting override for scheduled scan time
Configure local setting override for the scan type to use for a scheduled scan
Configure low CPU priority for scheduled scans
Create a system restore point
Define the number of days after which a catch-up scan is forced
Run full scan on mapped network drives
Scan archive files
Scan network files
Scan packed executables
Scan removable drives
Specify the day of the week to run a scheduled scan
Specify the interval to run quick scans per day
Specify the maximum depth to scan archive files
Specify the maximum percentage of CPU utilization during a scan
Specify the maximum size of archive files to be scanned
Specify the scan type to use for a scheduled scan
Specify the time for a daily quick scan
Specify the time of day to run a scheduled scan
Start the scheduled scan only when computer is on but not in use
Turn on catch-up full scan
Turn on catch-up quick scan
Turn on e-mail scanning
Turn on heuristics
Turn on removal of items from scan history folder
Turn on reparse point scanning
Allow notifications to disable security intelligence based reports to Microsoft MAPS
Allow real-time security intelligence updates based on reports to Microsoft MAPS
Allow security intelligence updates from Microsoft Update
Allow security intelligence updates when running on battery power
Allows Microsoft Defender Antivirus to update and communicate over a metered connection.
Check for the latest virus and spyware security intelligence on startup
Define file shares for downloading security intelligence updates
Define security intelligence location for VDI clients.
Define the number of days after which a catch-up security intelligence update is required
Define the number of days before spyware security intelligence is considered out of date
Define the number of days before virus security intelligence is considered out of date
Define the order of sources for downloading security intelligence updates
Initiate security intelligence update on startup
Specify the day of the week to check for security intelligence updates
Specify the interval to check for security intelligence updates
Specify the time to check for security intelligence updates
Turn on scan after security intelligence update
Specify threat alert levels at which default action should not be taken when detected
Specify threats upon which default action should not be taken when detected
Use a common set of exploit protection settings
Allow companion device for secondary authentication
Configure Sync Method
Contact IT Link Text
Contact IT URL
Do not synchronize Windows Apps
Enable UEV
First Use Notification
Ping the settings storage location before sync
Settings package size warning threshold
Settings storage path
Settings template catalog path
Sync settings over metered connections
Sync settings over metered connections even when roaming
Sync Unlisted Windows Apps
Synchronization timeout
Synchronize Windows settings
Tray Icon
Use User Experience Virtualization (UE-V)
VDI Configuration
Access 2013 backup only
Calculator
Common 2013 backup only
Excel 2013 backup only
InfoPath 2013 backup only
Internet Explorer 10
Internet Explorer 8
Internet Explorer 9
Internet Explorer Common Settings
Lync 2013 backup only
Microsoft Access 2010
Microsoft Excel 2010
Microsoft InfoPath 2010
Microsoft Lync 2010
Microsoft Lync 2013
Microsoft Lync 2016
Microsoft Office 2010 Common Settings
Microsoft Office 2013 Upload Center
Microsoft Office 365 Access 2013
Microsoft Office 365 Common 2013
Microsoft Office 365 Excel 2013
Microsoft Office 365 InfoPath 2013
Microsoft Office 365 Lync 2013
Microsoft Office 365 OneNote 2013
Microsoft Office 365 Outlook 2013
Microsoft Office 365 PowerPoint 2013
Microsoft Office 365 Project 2013
Microsoft Office 365 Publisher 2013
Microsoft Office 365 SharePoint Designer 2013
Microsoft Office 365 Visio 2013
Microsoft Office 365 Word 2013
Microsoft OneDrive for Business 2013
Microsoft OneNote 2010
Microsoft Outlook 2010
Microsoft PowerPoint 2010
Microsoft Project 2010
Microsoft Publisher 2010
Microsoft SharePoint Designer 2010
Microsoft SharePoint Workspace 2010
Microsoft Visio 2010
Microsoft Word 2010
Microsoft Word 2013
Microsoft Word 2016
Notepad
OneNote 2013 backup only
Outlook 2013 backup only
PowerPoint 2013 backup only
Project 2013 backup only
Publisher 2013 backup only
SharePoint Designer 2013 backup only
Visio 2013 backup only
Word 2013 backup only
WordPad
Finance
Games
Maps
Music
News
Reader
Sports
Travel
Video
Weather
Disable remote Desktop Sharing
Prevent OneDrive files from syncing over metered connections
Prevent OneDrive from generating network traffic until the user signs in to OneDrive
Prevent the usage of OneDrive for file storage
Prevent the usage of OneDrive for file storage on Windows 8.1
Save documents to OneDrive by default
Turn off Active Help
Don't launch privacy settings experience on user logon
Allow hibernate (S4) when starting from a Windows To Go workspace
Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace
Windows To Go Default Startup Options
Turn off Windows presentation settings
Turn off Push To Install service
License server security group
Prevent license upgrade
Allow .rdp files from unknown publishers
Allow .rdp files from valid publishers and user's default .rdp settings
Configure server authentication for client
Do not allow hardware accelerated decoding
Do not allow passwords to be saved
Prompt for credentials on the client computer
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
Turn Off UDP On Client
Allow RDP redirection of other supported RemoteFX USB devices from this computer
Do not use Remote Desktop Session Host server IP address when virtual IP address is not available
Select the network adapter to be used for Remote Desktop IP Virtualization
Turn off Windows Installer RDS Compatibility
Turn on Remote Desktop IP Virtualization
Allow remote start of unlisted programs
Allow users to connect remotely by using Remote Desktop Services
Automatic reconnection
Configure keep-alive connection interval
Deny logoff of an administrator logged in to the console session
Limit number of connections
Restrict Remote Desktop Services users to a single Remote Desktop Services session
Select network detection on the server
Select RDP transport protocols
Set rules for remote control of Remote Desktop Services user sessions
Suspend user sign-in to complete app registration
Turn off Fair Share CPU Scheduling
Allow audio and video playback redirection
Allow audio recording redirection
Allow time zone redirection
Do not allow Clipboard redirection
Do not allow COM port redirection
Do not allow drive redirection
Do not allow LPT port redirection
Do not allow smart card device redirection
Do not allow supported Plug and Play device redirection
Do not allow video capture redirection
Limit audio playback quality
Hide notifications about RD Licensing problems that affect the RD Session Host server
Set the Remote Desktop licensing mode
Use the specified Remote Desktop license servers
Do not allow client printer redirection
Do not set default client printer to be default printer in a session
Redirect only the default client printer
Specify RD Session Host server fallback printer driver behavior
Use Remote Desktop Easy Print printer driver first
Limit the size of the entire roaming user profile cache
Set path for Remote Desktop Services Roaming User Profile
Set Remote Desktop Services User Home Directory
Use mandatory profiles on the RD Session Host server
Configure RD Connection Broker farm name
Configure RD Connection Broker server name
Join RD Connection Broker
Use IP Address Redirection
Use RD Connection Broker load balancing
Allow desktop composition for remote desktop sessions
Always show desktop on connection
Configure compression for RemoteFX data
Configure H.264/AVC hardware encoding for Remote Desktop Connections
Configure image quality for RemoteFX Adaptive Graphics
Configure RemoteFX Adaptive Graphics
Do not allow font smoothing
Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1
Enforce Removal of Remote Desktop Wallpaper
Limit maximum color depth
Limit maximum display resolution
Limit number of monitors
Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections
Remove "Disconnect" option from Shut Down dialog
Remove Windows Security item from Start menu
Start a program on connection
Use advanced RemoteFX graphics for RemoteApp
Use hardware graphics adapters for all Remote Desktop Services sessions
Use WDDM graphics display driver for Remote Desktop Connections
Configure RemoteFX
Optimize visual experience for Remote Desktop Service Sessions
Optimize visual experience when using RemoteFX
Always prompt for password upon connection
Do not allow local administrators to customize permissions
Require secure RPC communication
Require use of specific security layer for remote (RDP) connections
Require user authentication for remote connections by using Network Level Authentication
Server authentication certificate template
Set client connection encryption level
End session when time limits are reached
Set time limit for active but idle Remote Desktop Services sessions
Set time limit for active Remote Desktop Services sessions
Set time limit for disconnected sessions
Set time limit for logoff of RemoteApp sessions
Do not delete temp folders upon exit
Do not use temporary folders per session
Prevent access to feed list
Prevent automatic discovery of feeds and Web Slices
Prevent downloading of enclosures
Prevent subscribing to or deleting a feed or a Web Slice
Turn off background synchronization for feeds and Web Slices
Turn on Basic feed authentication over HTTP
Add primary intranet search location
Add secondary intranet search locations
Allow Cloud Search
Allow Cortana
Allow Cortana above lock screen
Allow Cortana Page in OOBE on an AAD account
Allow indexing of encrypted files
Allow search and Cortana to use location
Allow use of diacritics
Always use automatic language detection when indexing content and properties
Control rich previews for attachments
Default excluded paths
Default indexed paths
Disable indexer backoff
Do not allow locations on removable drives to be added to libraries
Do not allow web search
Don't search the web or display web results in Search
Don't search the web or display web results in Search over metered connections
Enable indexing of online delegate mailboxes
Enable indexing uncached Exchange folders
Enable throttling for online mail indexing
Indexer data location
Prevent adding UNC locations to index from Control Panel
Prevent adding user-specified locations to the All Locations menu
Prevent automatically adding shared folders to the Windows Search index
Prevent clients from querying the index remotely
Prevent customization of indexed locations in Control Panel
Prevent indexing certain paths
Prevent indexing e-mail attachments
Prevent indexing files in offline files cache
Prevent indexing Microsoft Office Outlook
Prevent indexing of certain file types
Prevent indexing public folders
Prevent indexing when running on battery power to conserve energy
Prevent the display of advanced indexing options for Windows Search in the Control Panel
Prevent unwanted iFilters and protocol handlers
Preview pane location
Set large or small icon view in desktop search results
Set the SafeSearch setting for Search
Set what information is shared in Search
Stop indexing in the event of limited hard drive space
Turn on Security Center (Domain PCs only)
Timeout for hung logon sessions during shutdown
Turn off legacy remote shutdown interface
Allow certificates with no extended key usage certificate attribute
Allow ECC certificates to be used for logon and authentication
Allow Integrated Unblock screen to be displayed at the time of logon
Allow signature keys valid for Logon
Allow time invalid certificates
Allow user name hint
Configure root certificate clean up
Display string when smart card is blocked
Filter duplicate logon certificates
Force the reading of all certificates from the smart card
Notify user of successful smart card driver installation
Prevent plaintext PINs from being returned by Credential Manager
Reverse the subject name stored in a certificate when displaying
Turn on certificate propagation from smart card
Turn on root certificate propagation from smart card
Turn on Smart Card Plug and Play service
Control Device Reactivation for Retail devices
Turn off KMS Client Online AVS Validation
Do not allow Sound Recorder to run
Allow Automatic Update of Speech Data
Disable all apps from Microsoft Store
Only display the private store within the Microsoft Store
Turn off Automatic Download and Install of updates
Turn off Automatic Download of updates on Win8 machines
Turn off the offer to update to the latest version of Windows
Turn off the Store application
Do not sync
Do not sync app settings
Do not sync Apps
Do not sync browser settings
Do not sync desktop personalization
Do not sync on metered connections
Do not sync other Windows settings
Do not sync passwords
Do not sync personalize
Do not sync start settings
Do not allow Inkball to run
Do not allow printing to Journal Note Writer
Do not allow Snipping Tool to run
Do not allow Windows Journal to be run
Turn off pen feedback
Prevent Back-ESC mapping
Prevent launch an application
Prevent press and hold
Turn off hardware buttons
Disable text prediction
For tablet pen input donâ€™t show the Input Panel icon
For touch input donâ€™t show the Input Panel icon
Include rarely used Chinese Kanji or Hanja characters
Prevent Input Panel tab from appearing
Turn off AutoComplete integration with Input Panel
Turn off password security in Input Panel
Turn off tolerant and Z-shaped scratch-out gestures
Prevent Flicks Learning Mode
Prevent flicks
Turn off Tablet PC Pen Training
Turn off Tablet PC touch input
Turn off Touch Panning
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard
Hide Property Pages
Prevent Task Run or End
Prohibit Browse
Prohibit Drag-and-Drop
Prohibit New Task Creation
Prohibit Task Deletion
Allow uninstallation of language features when a language is uninstalled
Improve inking and typing recognition
Turn off Windows Calendar
Prohibit installing or uninstalling color profiles
Allow Corporate redirection of Customer Experience Improvement uploads
Tag Windows Customer Experience Improvement data with Study Identifier
Configure App Install Control

Prevent bypassing Windows Defender SmartScreen prompts for sites
Automatically send memory dumps for OS-generated error reports
Configure Error Reporting
Disable logging
Disable Windows Error Reporting
Display Error Notification
Do not send additional data
Do not throttle additional data
Prevent display of the user interface for critical errors
Send additional data when on battery power
Send data when on connected to a restricted/costed network
Configure Corporate Windows Error Reporting
Configure Report Archive
Configure Report Queue
Default application reporting settings
List of applications to always report errors for
List of applications to be excluded
List of applications to never report errors for
Report operating system errors
Report unplanned shutdown events
Configure Default consent
Customize consent settings
Ignore custom consent settings
Allow enumeration of emulated smart card for all users
Configure device unlock factors
Configure dynamic lock factors
Turn off smart card emulation
Use a hardware security device
Use biometrics
Use certificate for on-premises authentication
Use cloud trust for on-premises authentication
Use PIN Recovery
Use Windows Hello for Business
Use Windows Hello for Business certificates as smart card certificates
Allow suggested apps in Windows Ink Workspace
Allow Windows Ink Workspace
Allow user control over installs
Allow users to browse for source while elevated
Allow users to patch elevated products
Allow users to use media source while elevated
Always install with elevated privileges
Control maximum size of baseline file cache
Enforce upgrade component rules
Prevent embedded UI
Prevent Internet Explorer security prompt for Windows Installer scripts
Prevent users from using Windows Installer to install updates and upgrades
Prohibit flyweight patching
Prohibit non-administrators from applying vendor signed updates
Prohibit removal of updates
Prohibit rollback
Prohibit use of Restart Manager
Prohibit User Installs
Remove browse dialog box for new source
Save copies of transform files in a secure location on workstation
Specify the types of events Windows Installer records in its transaction log
Turn off creation of System Restore checkpoints
Turn off logging via package settings
Turn off shared components
Turn off Windows Installer
Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
Disable or enable software Secure Attention Sequence
Display information about previous logons during user logon
Report when logon server was not available during user logon
Sign-in and lock last interactive user automatically after a restart
Prevent Windows Media DRM Internet Access
Do Not Show First Use Dialog Boxes
Prevent Automatic Updates
Prevent Desktop Shortcut Creation
Prevent Media Sharing
Prevent Quick Launch Toolbar Shortcut Creation
Prevent Video Smoothing
Do not allow Windows Messenger to be run
Do not automatically start Windows Messenger initially
Turn off Windows Mobility Center
Set the default source path for Update-Help
Turn on Module Logging
Turn on PowerShell Script Block Logging

Turn on PowerShell Transcription
Turn on Script Execution
Configure Reliability WMI Providers
Allow Basic authentication
Allow CredSSP authentication
Allow unencrypted traffic
Disallow Digest authentication
Disallow Kerberos authentication
Disallow Negotiate authentication
Trusted Hosts
Allow Basic authentication
Allow CredSSP authentication
Allow remote server management through WinRM
Allow unencrypted traffic
Disallow Kerberos authentication
Disallow Negotiate authentication
Disallow WinRM from storing RunAs credentials
Specify channel binding token hardening level
Turn On Compatibility HTTP Listener
Turn On Compatibility HTTPS Listener
Allow Remote Shell Access
MaxConcurrentUsers
Specify idle Timeout
Specify maximum amount of memory in MB per Shell
Specify maximum number of processes per Shell
Specify maximum number of remote shells per user
Specify Shell Timeout
Allow audio input in Windows Sandbox
Allow clipboard sharing with Windows Sandbox
Allow networking in Windows Sandbox
Allow printer sharing with Windows Sandbox
Allow vGPU sharing for Windows Sandbox
Allow video input in Windows Sandbox
Hide the Account protection area
Hide the App and browser protection area
Prevent users from modifying settings
Hide the Device performance and health area
Disable the Clear TPM button
Hide the Device security area
Hide the Secure boot area
Hide the Security processor (TPM) troubleshooter page
Hide the TPM Firmware Update recommendation.
Configure customized contact information
Configure customized notifications
Specify contact company name
Specify contact email address or Email ID
Specify contact phone number or Skype ID
Specify contact website
Hide the Family options area
Hide the Firewall and network protection area
Hide all notifications
Hide non-critical notifications
Hide Windows Security Systray
Hide the Ransomware data recovery area
Hide the Virus and threat protection area
Allow Automatic Updates immediate installation
Allow non-administrators to receive update notifications
Allow signed updates from an intranet Microsoft update service location
Allow updates to be downloaded automatically over metered connections
Always automatically restart at the scheduled time
Automatic Updates detection frequency
Configure Automatic Updates
Configure auto-restart reminder notifications for updates
Configure auto-restart required notification for updates
Configure auto-restart warning notifications schedule for updates
Delay Restart for scheduled installations
Display options for update notifications
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Do not allow update deferral policies to cause scans against Windows Update
Do not connect to any Windows Update Internet locations
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Do not include drivers with Windows Updates
Enable client-side targeting
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
No auto-restart with logged on users for scheduled automatic updates installations
Remove access to "Pause updates" feature
Remove access to use all Windows Update features
Re-prompt for restart with scheduled installations
Reschedule Automatic Updates scheduled installations
Specify active hours range for auto-restarts
Specify deadline before auto-restart for update installation
Specify deadlines for automatic updates and restarts
Specify Engaged restart transition and notification schedule for updates
Specify intranet Microsoft update service location
Turn off auto-restart for updates during active hours
Turn off auto-restart notifications for update installations
Turn on recommended updates via Automatic Updates
Turn on Software Notifications
Update Power Policy for Cart Restarts
Disable safeguards for Feature Updates
Manage preview builds
Select the target Feature Update version
Select when Preview Builds and Feature Updates are received
Select when Quality Updates are received
Force automatic setup for all users
Enabled Enabled
Enabled Enabled
Enabled
Enabled
Disable driver (reco Disable driver (recomme

Disabled Disabled
Enabled Enabled
Enabled Enabled
P-node (recommendeP-node (recommended)
Disabled Disabled
Highest protection, s Highest protection, sourc

Highest protection, s Highest protection, sourc
Disabled Disabled
Enabled Enabled
Enabled Enabled
Disabled Disabled
\\*\SYSVOL = \\*\SYSVOL =
RequireIntegrity=1_ RequireIntegrity=1_x00
x000D_ 0D_
RequireMutualAuth RequireMutualAuthenti
entication=1 cation=1
\\*\NETLOGON = \\*\NETLOGON =
RequireIntegrity=1_ RequireIntegrity=1_x00
x000D_ 0D_
RequireMutualAuth RequireMutualAuthenti
entication=1 cation=1
Force Updated Client Force Updated Clients
Enabled Enabled
[[[main setting]]] = [[[main setting]]] =

Enabled Enabled
Virtualization Based Virtualization Based
Protection of Code Protection of Code
Integrity = Enabled Integrity = Enabled with
with UEFI lock UEFI lock
Credential Guard Credential Guard
Configuration = Configuration =
Enabled with UEFI Disabled
lock Select Platform Security
Select Platform Level = Secure Boot
Security Level = Secure Launch
Secure Boot Configuration = Enabled
Secure Launch Require UEFI Memory
Configuration = Attributes Table = True
Enabled
Require UEFI
Memory Attributes
Table = True
Good, unknown and ba
Good, unknown and bad b
tion server and File Share Shadow Copy Agent running on th

Process even if the Process even if the
Group Policy objects Group Policy objects
have not changed = have not changed =
True True
Do not apply during Do not apply during
periodic background periodic background
processing = False processing = False
Block all Block all
Disabled
elDnsDomain setting is not enabled.
Authenticated
a the Windows Online Troubleshooting Service - WOTS)
Enabled Enabled
Do not execute any Do not execute any aut

All drives All drives
Enabled Enabled
ws 10 [Version 1507])
32768 32768
196608 196608
32768 32768

Enabled Enabled
Pick one of the Pick one of the
following settings = following settings =
Warn and prevent Warn and prevent
bypass bypass
Enabled Enabled
Enabled Enabled
On On
Enabled Enabled
Enabled Enabled
Enabled Enabled
Enabled Enabled
Enabled Enabled
Enabled Enabled
Disabled Disabled
Enabled Enabled
Disabled Disabled
Enabled Enabled
Enabled Enabled
Enabled Enabled
Use TLS 1.1 and TLS 1Use TLS 1.1 and TLS 1.2
Enabled Enabled
Enabled Enabled
Disabled Disabled
Enabled Enabled
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Enable Enable
Enable Enable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Java Disable Java
Disable Disable
Prompt for user nam Prompt for user name a
Disable Disable
Disable Disable
Disable Disable
Prompt Prompt
Enable Enable
Enable Enable
Enable Enable
Enable Enable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
High safety High safety
Disable Disable

Enable Enable

Enabled Enabled
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Enable Enable
Enable Enable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Anonymous logon Anonymous logon
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
Enable Enable
Enable Enable
Enable Enable
Enable Enable
Disable Disable
Disable Disable
Disable Disable
Disable Disable
High safety High safety
No Sites No Sites
Enabled Enabled
Disabled Disabled
iexplore.exe = iexplore.exe = Enabled

Enabled explorer.exe = Enabled
explorer.exe = (Reserved) = Enabled
Enabled
(Reserved) =
Enabled

Enabled
(Reserved) =
Enabled

Enabled
(Reserved) =
Enabled
Enabled
(Reserved) =
Enabled

Enabled
(Reserved) =
Enabled

Enabled
(Reserved) =
Enabled

Enabled
(Reserved) =
Enabled
Enabled
(Reserved) =
Enabled
Block Block
Enabled Enabled
Advanced MAPS Advanced MAPS
Send safe samples Send safe samples
Enabled Enabled
be9ba2d9-53ea- be9ba2d9-53ea-4cdc-
4cdc-84e5- 84e5-9b1eeee46550 =
9b1eeee46550 = 1 1
b2b3f03d-6a65- b2b3f03d-6a65-4f7b-
4f7b-a9c7- a9c7-1c7ef74a9ba4 = 1
1c7ef74a9ba4 = 1 9e6c4e1f-7d60-472f-
9e6c4e1f-7d60- ba1a-a39ef669e4b2 = 1
472f-ba1a- d4f940ab-401b-4efc-
a39ef669e4b2 = 1 aadc-ad5f3c50688a = 1
d4f940ab-401b- d3e037e1-3eb8-44c8-
4efc-aadc- a917-57927947596d =
ad5f3c50688a = 1 1
d3e037e1-3eb8- 5beb7efe-fd9a-4556-
44c8-a917- 801d-275e5ffc04cc = 1
57927947596d = 1 3b576869-a4ec-4529-
5beb7efe-fd9a- 8536-b80a7769e899 =
4556-801d- 1
275e5ffc04cc = 1 26190899-1602-49e8-
3b576869-a4ec- 8b27-eb1d0a1ce869 =
4529-8536- 1
b80a7769e899 = 1 92E97FA1-2EDF-4476-
26190899-1602- BDD6-9DD0B4DDDC7B
49e8-8b27- =1
eb1d0a1ce869 = 1 7674ba52-37eb-4a4f-
92E97FA1-2EDF- a9a1-f0f9a1619a2c = 1
4476-BDD6- 75668c1f-73b5-4cf0-
9DD0B4DDDC7B = 1 bb93-3ecf5cb7cc84 = 1
7674ba52-37eb- c1db55ab-c21a-4637-
4a4f-a9a1- bb3f-a12568109d35 = 1
f0f9a1619a2c = 1 e6db77e5-3df2-4cf1-
75668c1f-73b5-4cf0- b95a-636979351e5b =
bb93-3ecf5cb7cc84 1
=1
c1db55ab-c21a-
4637-bb3f-
Block Block
Enabled: High blocking

Enabled: High blocking le
Enabled Enabled
Disabled Disabled
Enabled Enabled
Enabled Enabled
Enabled Enabled
Enabled Enabled
Enabled Enabled
Enabled Enabled
Enabled Enabled
High Level High Level
Enabled Enabled
Disabled Disabled
Enabled: Warn and Enabled: Warn and
prevent bypass prevent bypass
On, but disallow acceOn, but disallow access
Disabled Disabled
Disabled Disabled
Disabled Disabled

Enabled Enabled
Log script block Log script block
invocation start / invocation start / stop
stop events = events = [[[delete]]]
[[[delete]]]
Disabled Disabled
Disabled Disabled
Enabled Enabled
Disabled Disabled
Diabled Diabled
Enabled Enabled
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!AllowOnlineTips
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!SettingsPageVisibility
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoLockScreen
HKLM\Software\Policies\Microsoft\Windows\Personalization!PersonalColors_Background HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\Personalization!LockScreenImage HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\Personalization!ForceStartBackground
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoChangingLockScreen
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoChangingStartMenuBackground
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoLockScreenCamera
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoLockScreenSlideshow
HKLM\Software\Policies\Microsoft\InputPersonalization!AllowInputPersonalization
HKLM\Software\Policies\Microsoft\Control Panel\International!BlockCleanupOfUnusedPreinstalledL
HKLM\Software\Policies\Microsoft\MUI\Settings!MachineUILock
HKLM\Software\Policies\Microsoft\Control Panel\International!RestrictLanguagePacksAndFeaturesIns
HKLM\Software\Policies\Microsoft\MUI\Settings!PreferredUILanguages
HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization!RestrictImplicitTextCollection HKLM\SOFTWA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!UseDefaultTile
HKLM\Software\Policies\Microsoft Services\AdmPwd!PwdExpirationProtectionEnabled
HKLM\Software\Policies\Microsoft Services\AdmPwd!AdmPwdEnabled
HKLM\Software\Policies\Microsoft Services\AdmPwd!AdminAccountName
HKLM\Software\Policies\Microsoft Services\AdmPwd!PasswordComplexity HKLM\Software\Policies
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System!LocalAccountTokenFilterPoli
HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility!Comment
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation!DependOnService
HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb10!Start
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMB1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel!DisableExceptionChainValidation
HKLM\System\CurrentControlSet\Services\NTDS\Parameters!LdapEnforceChannelBinding; HKLM\Sys
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!RestrictDriverInstallationTo
HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RunAsPPL
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe!A
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters!NodeType
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartBanner HKLM\SOFTWARE
HKLM\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LE
HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!MpEnablePus
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest!UseLogonCredential
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon!AutoAdminLogon
HKLM\SYSTEM\CurrentControlSet\Control\CrashControl!AutoReboot
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters!AutoShareServer
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters!AutoShareWks
HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters!DisableIPSourceRouting
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!DisableIPSourceRouting
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters!DisableSavePassword
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!EnableDeadGWDetect
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!EnableICMPRedirect
HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters!Hidden
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!KeepAliveTime
HKLM\System\CurrentControlSet\Services\IPSEC!NoDefaultExempt
HKLM\System\CurrentControlSet\Services\Netbt\Parameters!NoNameReleaseOnDemand
HKLM\System\CurrentControlSet\Control\FileSystem!NtfsDisable8dot3NameCreation
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!PerformRouterDiscovery
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager!SafeDllSearchMode
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon!ScreenSaverGracePeriod
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!SynAttackProtect
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!TcpMaxConnectResponseRetransmissi
HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters!TcpMaxDataRetransmissions
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!TcpMaxDataRetransmissions
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security!WarningLevel
HKLM\Software\Policies\Microsoft\System\DFSClient!DfsDcNameDelay
HKLM\Software\Policies\Microsoft\Windows\BITS!EnablePeercaching
HKLM\Software\Policies\Microsoft\Windows\BITS!DisableBranchCache
HKLM\Software\Policies\Microsoft\Windows\BITS!DisablePeerCachingClient
HKLM\Software\Policies\Microsoft\Windows\BITS!DisablePeerCachingServer
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxContentAge
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxCacheSize
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxDownloadTime
HKLM\Software\Policies\Microsoft\Windows\BITS!EnableBITSMaxBandwidth; HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxBandwidthServed
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxJobsPerUser
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxJobsPerMachine
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxFilesPerJob
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxRangesPerFile
HKLM\Software\Policies\Microsoft\Windows\BITS\TransferPolicy!ForegroundTransferPolicy HKLM\So
HKLM\Software\Policies\Microsoft\Windows\BITS\Throttling!EnableMaintenanceLimits; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\BITS\Throttling!EnableBandwidthLimits; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\BITS!JobInactivityTimeout
HKLM\Software\Policies\Microsoft\Windows\NetCache!PeerCachingLatencyThreshold
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Service\Versioning!PreferredContentInformationVers
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\MultipleServers
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Discovery!SCPDiscoveryEnabled
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Retrieval!SegmentTTL
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\CooperativeCaching!Enable
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Connection!Location
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\CacheMgr\Republication!SizePercent
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Service!Enable
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\Probes!Probe
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\CustomCommands
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant!PassiveMode
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant!FriendlyName
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\DTEs!DTE
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant!NamePreferenceAllo
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant!SupportEmail
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant!ShowUI
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!AppendToMultiLabelName
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!QueryNetBTFQDN
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DoHPolicy
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!AdapterDomainName
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!NameServer
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!SearchList
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationEnabled
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!EnableIdnMapping
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!PreferLocalOverLowerBindingDNS
HKLM\Software\Policies\Microsoft\System\DNSClient!NV PrimaryDnsSuffix
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UseDomainNameDevolution
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!EnableDevolutionLevelControl; HKLM\S
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegisterAdapterName
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegisterReverseLookup
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationRefreshInterval
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationOverwritesInConflict
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationTtl
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DisableIdnEncoding
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!EnableMulticast
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DisableSmartNameResolution
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DisableSmartProtocolReordering
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UpdateSecurityLevel
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UpdateTopLevelDomainZones
HKLM\Software\Policies\Microsoft\Windows\System!EnableFontProviders
HKLM\Software\Policies\Microsoft\Windows\HotspotAuthentication!Enabled
HKLM\Software\Policies\Microsoft\Windows\LanmanServer!CipherSuiteOrder
HKLM\Software\Policies\Microsoft\Windows\LanmanServer!HashPublicationForPeerCaching
HKLM\Software\Policies\Microsoft\Windows\LanmanServer!HashSupportVersion
HKLM\Software\Policies\Microsoft\Windows\LanmanServer!HonorCipherSuiteOrder
HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!CipherSuiteOrder
HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!AllowInsecureGuestAuth
HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!EnableHandleCachingForCAFiles
HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!AllowOfflineFilesforCAShares
HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableLLTDIO; HKLM\Software\Policies\Microso
HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableRspndr; HKLM\Software\Policies\Microso
HKLM\Software\policies\Microsoft\Peernet!IgnoreDomainPasswordPolicyForNewGroups
HKLM\Software\policies\Microsoft\Peernet!Disabled
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!SearchOnly
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!SeedServer HKLM\Software\policies\M
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!DisableMulticastBootstrap
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!Disabled
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!SearchOnly
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!SeedServer
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!DisableMulticastBootstrap
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!Disabled
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!SearchOnly
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!SeedServer
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!DisableMulticastBootstrap
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!Disabled
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_DoNotShowLocalOnlyIcon
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowNetBridge_NLA
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_PersonalFirewallConfig
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_ShowSharedAccessUI
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_StdDomainUserSetLocation
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Force_Tunneling
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\ICFv4!BypassFirewall
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutbound
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!Enable
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabl
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!Ena
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!En
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!AllowUse
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!Allo
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!LogDroppedPackets HK
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!Enabled; H
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!Enabl
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DoNotAllowExceptions
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableNotifications
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableUnicastResponsesToMu
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!EnableFirewall
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboun
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!Enabl
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!Enab
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!En
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!E
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!AllowUs
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!All
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging!LogDroppedPackets
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!Enabled;
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!Enab
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DoNotAllowExceptions
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableNotifications
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableUnicastResponsesToM
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!EnableFirewall
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnec
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnect
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectiv
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnec
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnect
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!UseGlobalDns
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!DisablePassivePoll
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!NeutralResources
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!CloudResources
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DomainProxies
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DomainLocalProxies
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DomainSubnets
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DProxiesAuthoritive
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DSubnetsAuthoritive
HKLM\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
HKLM\Software\Policies\Microsoft\Windows\NetCache!GoOfflineAction
HKLM\Software\Policies\Microsoft\Windows\NetCache!Enabled
HKLM\Software\Policies\Microsoft\Windows\NetCache!PurgeAtLogoff; HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\Windows\NetCache!BackgroundSyncEnabled; HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\NetCache!SlowLinkSpeed
HKLM\Software\Policies\Microsoft\Windows\NetCache!SlowLinkEnabled; HKLM\Software\Policies\
HKLM\Software\Policies\Microsoft\Windows\NetCache!DefCacheSize
HKLM\Software\Policies\Microsoft\Windows\NetCache!ExcludedFileTypes
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncEnabledForCostedNetwork
HKLM\Software\Policies\Microsoft\Windows\NetCache!OnlineCachingLatencyThreshold
HKLM\Software\Policies\Microsoft\Windows\NetCache!EncryptCache
HKLM\Software\Policies\Microsoft\Windows\NetCache!EventLoggingLevel
HKLM\Software\Policies\Microsoft\Windows\NetCache!ExcludeExtensions
HKLM\Software\Policies\Microsoft\Windows\NetCache!InitialBalloonTimeoutSeconds
HKLM\Software\Policies\Microsoft\Windows\NetCache!CacheQuotaLimit HKLM\Software\Policies\
HKLM\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoCacheViewer
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoConfigCache
HKLM\Software\Policies\Microsoft\Windows\NetCache!ReminderFreqMinutes
HKLM\Software\Policies\Microsoft\Windows\NetCache!ReminderBalloonTimeoutSeconds
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoMakeAvailableOffline
HKLM\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList
HKLM\Software\Policies\Microsoft\Windows\NetCache!WorkOfflineDisabled
HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders
HKLM\Software\Policies\Microsoft\Windows\NetCache!AlwaysPinSubFolders
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogoff
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogon
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtSuspend
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoReminders
HKLM\Software\Policies\Microsoft\Windows\NetCache!EconomicalAdminPinning
HKLM\Software\Policies\Microsoft\Windows\Psched!MaxOutstandingSends
HKLM\Software\Policies\Microsoft\Windows\Psched!NonBestEffortLimit
HKLM\Software\Policies\Microsoft\Windows\Psched!TimerResolution
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeBe
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeC
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceType
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeN
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeQu
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTy
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceT
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceT
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeBestEffort
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeControlledLo
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeGuaranteed
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeNetworkCont
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeNonConform
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeQualitative
HKLM\Software\Policies\SNMP\Parameters\ValidCommunities
HKLM\Software\Policies\SNMP\Parameters\PermittedManagers
HKLM\Software\Policies\SNMP\Parameters\TrapConfiguration\public
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!EccCurves
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!Functions
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!6to4_RouterName
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!6to4_RouterNameResolutionInterv
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!6to4_State
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface!IPHTTPS
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!ISATAP_RouterName
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!ISATAP_State
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_ClientPort
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_DefaultQualified
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_RefreshRate
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_ServerName
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_State
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!EnableIPAutoConfigurationLimits
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!EnableWsd
HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!EnableRegistrars; HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows\WCN\UI!DisableWcnUi
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fDisablePowerManagement
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fSoftDisconnectConnections
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fMinimizeConnections
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fBlockNonDomain
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fBlockRoaming
HKLM\SOFTWARE\Policies\Microsoft\WirelessDisplay!PreferPinBasedPairing
HKLM\SOFTWARE\Policies\Microsoft\WirelessDisplay!EnforcePinBasedPairing
HKLM\Software\Policies\Microsoft\Windows\Wireless\NetCost!Cost
HKLM\Software\Microsoft\wcmsvc\wifinetworkmanager\config!AutoConnectAllowedOEM
HKLM\Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess!LetAppsAccessCellularD
HKLM\Software\Policies\Microsoft\Windows\WwanSvc\NetCost!Cost3G
HKLM\Software\Policies\Microsoft\Windows\WwanSvc\NetCost!Cost4G
HKLM\Software\Policies\Microsoft\Windows\WwanSvc\UISettings!AppCellularAccessUI
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPrinting
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!DomainDisplayPrinters_State; HKL
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!NonDomainDisplayPrinters_State;
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ShowJobTitleInEventLogs
HKLM\Software\Policies\Microsoft\Windows NT\Printers!RegisterSpoolerRemoteRpcEndPoint
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PublishPrinters
HKLM\Software\Policies\Microsoft\Windows NT\Printers!Immortal
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ForceSoftwareRasterization
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ForceCSREMFDespooling
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Auto Publishing
HKLM\Software\Policies\Microsoft\Windows NT\Printers!MXDWUseLegacyOutputFormatMSXPS
HKLM\Software\Policies\Microsoft\Windows NT\Printers!VerifyPublishedState
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PhysicalLocation
HKLM\Software\Policies\Microsoft\Windows NT\Printers!SupportLink
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningInterval
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningPriority
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningRetries
HKLM\Software\Policies\Microsoft\Windows NT\Printers!KMPrintersAreBlocked
HKLM\Software\Policies\Microsoft\Windows NT\Printers!V4DriverDisallowPrinterExtension
HKLM\Software\Policies\Microsoft\Windows NT\Printers!EnableDeviceControl
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PrintDriverIsolationExecutionPolicy
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DoNotInstallCompatibleDriverFromWindo
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ApplicationDriverIsolation
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ApprovedUsbPrintDevices
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningRetryLog
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPr
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PrintDriverIsolationOverrideCompat
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPrin
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!Restricted; HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PhysicalLocationSupport
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ServerThread
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruneDownlevel
HKLM\Software\Policies\Microsoft\Windows\Explorer!DisableContextMenusInStart
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsHistory
HKLM\Software\Policies\Microsoft\Windows\Explorer!ForceStartSize
HKLM\Software\Policies\Microsoft\Windows\Explorer!StartPinAppsWhenInstalled; HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\Explorer!HideRecentlyAddedApps
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMorePrograms
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HidePowerOptions
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMFUprogramsLi
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowOrHideMostUsedApps
HKLM\Software\Policies\Microsoft\Windows\Explorer!LockedStartLayout; HKLM\Software\Policies\M
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!WnsEndpoint
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoCloudApplication
HKLM\Software\Policies\Microsoft\Windows NT\Reliability!SnapShot
HKLM\Software\Policies\Microsoft\Windows\System!DLT_AllowDomainMode
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!VerboseStatus
HKLM\Software\Policies\Microsoft\Windows NT\Reliability!ShutdownReasonOn; HKLM\Software\Pol
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\MYS!DisableShowAtLogon
HKLM\Software\Policies\Microsoft\Windows NT!DontPowerOffAfterShutdown
HKLM\Software\Policies\Microsoft\Windows\App Management!COMClassStore
HKLM\Software\Policies\Microsoft\Windows NT\Reliability!TimeStampEnabled; HKLM\Software\Polic
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableStatusMessages
HKLM\Software\Policies\Microsoft\Windows\System!HelpQualifiedRootDir
HKLM\Software\Policies\Microsoft\Windows\System!DisableInHelp
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing HKLM\Software\Microsoft\Wi
HKLM\Software\Policies\Microsoft\Windows NT\Setup!SourcePath
HKLM\Software\Policies\Microsoft\Windows NT\Setup!ServicePackSourcePath
HKLM\Software\Policies\Microsoft\Windows\System!DisableHHDEP
HKLM\SOFTWARE\Policies\Microsoft\Windows\ADR\AccessDenied!Enabled; HKLM\SOFTWARE\Polici
HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer!EnableShellExecuteFileStreamCheck
HKLM\Software\Policies\Microsoft\AppV\Client!Enabled
HKLM\SOFTWARE\Policies\Microsoft\AppV\CEIP!CEIPEnable
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Coexistence!MigrationMode
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Integration!IntegrationRootGlobal
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Integration!IntegrationRootUser
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Integration!RoamingFileExclusions
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Integration!RoamingRegistryExclusions
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\PackageManagement!AutoCleanupEnabled
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\PowerManagement!SyncOnBatteriesEnabled
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Publishing!EnablePublishingRefreshUI
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\1!Name HKLM\SOFTWARE\Policie
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Reporting!ReportingEnabled; HKLM\SOFTWARE\Poli
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Scripting!EnablePackageScripts
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!AllowHighCostLaunch
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!CertFilterForClientSsl
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!SupportBranchCache
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!LocationProvider
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!PackageInstallationRoot
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!PackageSourceRoot
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!ReestablishmentInterval
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!ReestablishmentRetries
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!RequirePublishAsAdmin
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!SharedContentStoreMode
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!Autoload
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!VerifyCertificateRevocationList
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization!EnableDynamicVirtualization
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization!ProcessesUsingVirtualComponents;
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit!ProcessCreationInclud
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowDefaultCredentials; HKLM\
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowDefCredentialsWhenNTLM
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowFreshCredentials; HKLM\So
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowFreshCredentialsWhenNT
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowSavedCredentials; HKLM\S
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowSavedCredentialsWhenNT
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!DenyDefaultCredentials; HKLM\
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!DenyFreshCredentials; HKLM\So
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!DenySavedCredentials; HKLM\So
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters!AllowEnc
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowProtectedCreds
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!RestrictedRemoteAdministratio
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!DeployConfigCIPolicy; HKLM\SOFTWARE\P
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!EnableVirtualizationBasedSecurity;
HKLM\Software\Policies\Microsoft\DeviceHealthAttestationService!EnableDeviceHealthAttestationSe
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!AllowRemoteRPC
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!InstallTimeout
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSendGenericDriverNot
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSystemRestore
HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata!PreventDeviceMetadataFromNetw
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSendRequestAdditional
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!AllSigningEqual
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!SearchOrderConfig
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DriverServerSelection
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableBalloonTips
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowAdminInstall
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowDeviceIDs; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowInstanceIDs; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowDeviceClasses; HKLM\So
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy!SimpleText
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy!DetailText
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyUnspecified
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyDeviceIDs; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyInstanceIDs; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyDeviceClasses; HKLM\So
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyRemovableDevices
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!ForceReboot; HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\NvCache!OptimizeBootAndResume
HKLM\Software\Policies\Microsoft\Windows\NvCache!EnablePowerModeState
HKLM\Software\Policies\Microsoft\Windows\NvCache!EnableNvCache
HKLM\Software\Policies\Microsoft\Windows\NvCache!EnableSolidStateMode
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!ApplyToRemovableMedia
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Enable
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Enforce
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!LogEventOverLimit
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!LogEventOverThreshold
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Limit HKLM\Software\Policies\Microsof
HKLM\Software\Policies\Microsoft\Windows\Control Panel\Desktop!EnablePerProcessSystemDPI HK
HKLM\Software\Policies\Microsoft\Windows\Display!DisableGdiDPIScaling
HKLM\Software\Policies\Microsoft\Windows\Display!EnableGdiDPIScaling
HKLM\Software\Policies\Microsoft\Windows NT\DCOM\AppCompat!AllowLocalActivationSecurityCh
HKLM\Software\Policies\Microsoft\Windows NT\DCOM\AppCompat!ListBox_Support_ActivationSecu
HKLM\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions!AllowUserDeviceClasses; HKL
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontPromptForWindowsUpdate
HKLM\System\CurrentControlSet\Policies\EarlyLaunch!DriverLoadPolicy; HKLM\System\CurrentContro
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!RootHubConnectedEnStorDe
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedEnStorDevices!Polic
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedSilos!SiloAllowListP
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!DisallowLegacyDiskDevices
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!DisablePasswordAuthenticat
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!TCGSecurityActivationDisabl
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!LockDeviceOnMachineLock
HKLM\SOFTWARE\Policies\Microsoft\Windows\FCI!EnableManualUX
HKLM\SOFTWARE\Policies\Microsoft\Windows\FCI!CentralClassificationList
HKLM\Software\Policies\Microsoft\Windows\fssProv!EncryptProtocol
HKLM\System\CurrentControlSet\Policies!DisableDeleteNotification
HKLM\System\CurrentControlSet\Control\FileSystem!LongPathsEnabled
HKLM\Software\Policies\Microsoft\Windows\Filesystems\NTFS!SymLinkState; HKLM\Software\Polic
HKLM\System\CurrentControlSet\Policies!NtfsDisableCompression
HKLM\System\CurrentControlSet\Policies!NtfsDisableEncryption
HKLM\System\CurrentControlSet\Policies!NtfsEnableTxfDeprecatedFunctionality
HKLM\System\CurrentControlSet\Policies!NtfsForceNonPagedPoolAllocation
HKLM\System\CurrentControlSet\Policies!NtfsEncryptPagingFile
HKLM\System\CurrentControlSet\Policies!NtfsDefaultTier
HKLM\System\CurrentControlSet\Policies!NtfsParallelFlushThreshold
HKLM\System\CurrentControlSet\Policies!NtfsParallelFlushWorkers
HKLM\System\CurrentControlSet\Policies!NtfsDisable8dot3NameCreation
HKLM\Software\Policies\Microsoft\Windows\System\Fdeploy!PrimaryComputerEnabledFR
HKLM\Software\Policies\Microsoft\Windows\System\Fdeploy!LocalizeXPRelativePaths
HKLM\Software\Policies\Microsoft\Windows\System!ProcessTSUserLogonAsync
HKLM\Software\Policies\Microsoft\Windows\System!AllowX-ForestPolicy-and-RUP
HKLM\Software\Policies\Microsoft\Windows\Group Policy!OnlyUseLocalAdminFiles
HKLM\Software\Policies\Microsoft\Windows\System!SlowlinkDefaultToAsync
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{F9C77450-3A41-477E-9310-9ACD617BD9
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{728EE579-943C-4519-9EF7-AB56765798
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{1A6364EB-776B-4120-ADE1-B63A406A76
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkDefaultForDirectAccess
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{3610eda5-77ef-11d2-8dc5-00c04fa31a6
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{5794DAFD-BE60-433f-88A2-1A31939AC0
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{0E28E245-9368-4853-AD84-6DA3BA35BB
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{7150F9BF-48AD-4da4-A49C-29EF4A8369
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A3F3E39B-5D83-4940-B954-28315B82F0
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{25537BA6-77A8-11D2-9B6C-0000F8080
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{6232C319-91AC-4931-9385-E70C2B099F
HKLM\Software\Policies\Microsoft\Windows\System!EnableLogonOptimization; HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyMinTransferRate HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{74EE6C03-5363-4554-B161-627540339C
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86A
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E47248BA-94CC-49c4-BBB5-9EB7F05183
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{e437bc1c-aa7d-11d2-a382-00c04f991e2
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{17D89FEC-5C44-4972-B12D-241CAEF745
HKLM\Software\Policies\Microsoft\Windows\System!EnableLogonScriptDelay; HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{3A0DBA37-F8B2-4356-83DE-3E90BD5C26
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{6A4C88C6-C502-4f74-8F60-2CB23EDC24
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E62688F0-25FD-4c90-BFF5-F508B9D2E31
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E5094040-C46C-4115-B030-04FB2E545B
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBC
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B087BE9D-ED37-454f-AF9C-04291E3511
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{AADCED64-746C-4633-A97C-D61349046
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{42B5FAAE-6536-11d2-AE5A-0000F87571
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{91FBB303-0CD5-4055-BF42-E512A681B3
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{C418DD9D-0D14-4efb-8FBF-CFE535C8FA
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{c6dc5466-785a-11d2-84d0-00c04fb169f
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E4F48E54-F38D-4884-BFB9-D4D2E5729C
HKLM\Software\Policies\Microsoft\Windows\System!UserPolicyMode
HKLM\Software\Policies\Microsoft\Windows\System!EnableAppUriHandlers
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B587E2B1-4D59-4e7e-AED9-22B9DF11D
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7F
HKLM\Software\Policies\Microsoft\Windows\System!EnableCdp
HKLM\Software\Policies\Microsoft\Windows\System!DenyRsopToInteractiveUser
HKLM\Software\Policies\Microsoft\Windows\System!ResetDfsClientInfoDuringRefreshPolicy
HKLM\Software\Policies\Microsoft\Windows\System!EnableLogonOptimizationOnServerSKU; HKLM
HKLM\Software\Policies\Microsoft\Windows\System!EnableMmx
HKLM\Software\Policies\Microsoft\Windows\System!DenyUsersFromMachGP
HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTime HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTimeDC HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows\System!GpNetworkStartTimeoutPolicyValue
HKLM\Software\Policies\Microsoft\Windows\System!CorpConnStartTimeoutPolicyValue
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableBkGndGroupPolicy
HKLM\Software\Policies\Microsoft\Windows\System!DisableAOACProcessing
HKLM\Software\Policies\Microsoft\Windows\System!DisableLGPOProcessing
HKLM\Software\Policies\Microsoft\Windows\System!RSoPLogging
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{F9C77450-3A41-477E-9310-9ACD617BD9
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{728EE579-943C-4519-9EF7-AB56765798E
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{1A6364EB-776B-4120-ADE1-B63A406A76
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{5794DAFD-BE60-433f-88A2-1A31939AC01
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{0E28E245-9368-4853-AD84-6DA3BA35BB
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{7150F9BF-48AD-4da4-A49C-29EF4A8369B
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A3F3E39B-5D83-4940-B954-28315B82F0A
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{6232C319-91AC-4931-9385-E70C2B099F0
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{74EE6C03-5363-4554-B161-627540339CA
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E47248BA-94CC-49c4-BBB5-9EB7F05183D
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{17D89FEC-5C44-4972-B12D-241CAEF7450
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{3A0DBA37-F8B2-4356-83DE-3E90BD5C26
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{6A4C88C6-C502-4f74-8F60-2CB23EDC24E
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E62688F0-25FD-4c90-BFF5-F508B9D2E31
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{BC75B1ED-5833-4858-9BB8-CBF0B166DF
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E5094040-C46C-4115-B030-04FB2E545B0
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B087BE9D-ED37-454f-AF9C-04291E35118
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{AADCED64-746C-4633-A97C-D613490465
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{91FBB303-0CD5-4055-BF42-E512A681B32
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{C418DD9D-0D14-4efb-8FBF-CFE535C8FAC
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{E4F48E54-F38D-4884-BFB9-D4D2E5729C1
HKLM\Software\Policies\Microsoft\InternetManagement!RestrictCommunication; HKLM\Software\Mi
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableWindowsUpdateAccess
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoUseStoreOpenWith
HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftEventVwrDisableLinks
HKLM\Software\Policies\Microsoft\Windows\TabletPC!PreventHandwritingDataSharing
HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports!PreventHandwritingErrorRep
HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!Headlines
HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!MicrosoftKBSearch
HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard!ExitOnMSICW
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control!NoRegistration
HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard
HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP
HKLM\Software\Policies\Microsoft\SQMClient\Windows!CEIPEnable
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!DoReport HKLM\Software\Policies\Mic
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!NoActiveProbe
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RestrictAdditionalLogins
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ChangeIQNName
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ChangeCHAPSecret
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RequireIPSec
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RequireMutualCHAP
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RequireOneWayCHAP
HKLM\Software\Policies\Microsoft\Windows\iSCSI!NewStaticTargets
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ConfigureTargets
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ConfigureiSNSServers
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ConfigureTargetPortals
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!EnableCbacA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!PKINITFreshn
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!EmitLILI
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!RequestCom
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!UseForestSear
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!EnableTicketS
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!CloudKer
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!Alway
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos!domain_realm_Enabl
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos!MitRealms_Enabled;
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!NoRevo
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!RequireF
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!Enable
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!KdcValid
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!StrictTar
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters!EnableMaxTokenSize; HKLM\Sys
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos!KdcProxyServer_Enab
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!CompoundIdDisabled; HKLM\Software\Pol
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!DevicePK
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!UseFores
HKLM\Software\Policies\Microsoft\Windows\Kernel DMA Protection!DeviceEnumerationPolicy
HKLM\Software\Policies\Microsoft\Control Panel\International!PreventGeoIdChange
HKLM\Software\Policies\Microsoft\Control Panel\International!BlockUserInputMethodsForSignIn
HKLM\Software\Policies\Microsoft\Control Panel\International!CustomLocalesNoSelect
HKLM\Software\Policies\Microsoft\Control Panel\International!PreventUserOverrides
HKLM\Software\Policies\Microsoft\Control Panel\International!RestrictSystemLocales; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Control Panel\International!RestrictUserLocales; HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\System!AllowDomainDelayLock
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!LogonType
HKLM\Software\Policies\Microsoft\Windows\System!UseOEMBackground
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon!SyncForegroundPolicy
HKLM\Software\Policies\Microsoft\Windows\System!DefaultCredentialProvider
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DefaultLogonDomain
HKLM\Software\Policies\Microsoft\Windows\System!BlockUserFromShowingAccountDetailsOnSigni
HKLM\Software\Policies\Microsoft\Windows\System!DontDisplayNetworkSelectionUI
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWelcomeScreen
HKLM\Software\Policies\Microsoft\Windows\System!DontEnumerateConnectedUsers
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRun
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRunOnc
HKLM\Software\Policies\Microsoft\Windows\System!EnumerateLocalUsers
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ExcludedCredentialProviders
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideFastUserSwitching
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Policies\Microsoft\Windows\System!DisableAcrylicBackgroundOnLogon
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!EnableFirstLogonAnimation
HKLM\Software\Policies\Microsoft\Windows\System!DisableLockScreenAppNotifications
HKLM\Software\Policies\Microsoft\Windows\System!BlockDomainPicturePassword
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableStartupSound
HKLM\Software\Policies\Microsoft\Windows\System!AllowDomainPINLogon
HKLM\Software\Policies\Microsoft\FIDO!EnableFIDODeviceLogon
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions!MitigationOptions_FontBockin
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowNT4Crypto
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AvoidPdcOnWan
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowExclusiveScriptsShareAccess
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ScavengeInterval
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowExclusiveSysvolShareAccess
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ExpectedDialupDelay
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!dbFlag
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!MaximumLogFileSize
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NegativeCachePeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NonBackgroundSuccessfulRefreshPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!SiteName
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryQuitTime
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryInitialPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryMaximumPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundSuccessfulRefreshPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!PingUrgencyMode
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!IgnoreIncomingMailslotMessages
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AvoidFallbackNetbiosDiscovery
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ForceRediscoveryInterval
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AddressTypeReturned
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!LdapSrvPriority
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsTtl
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!LdapSrvWeight
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AddressLookupOnPingBehavior
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsAvoidRegisterRecords
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!UseDynamicDns
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsRefreshInterval
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NdncSiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!SiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!GcSiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!TryNextClosestSite
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AutoSiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowDnsSuffixSearch
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowSingleLabelDnsDomain
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsSrvRecordUseLowerCaseHostNames
HKLM\Software\Policies\Microsoft\Windows\System!AllowClipboardHistory
HKLM\Software\Policies\Microsoft\Windows\System!AllowCrossDeviceClipboard
HKLM\Software\Policies\Microsoft\Windows\System!PublishUserActivities
HKLM\Software\Policies\Microsoft\Windows\System!UploadUserActivities
HKLM\Software\Policies\Microsoft\Windows\System!EnableActivityFeed
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!Expiration
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!History
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!MaximumPINLength
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!MinimumPINLength
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!Digits
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!LowercaseLetters
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!SpecialCharacters
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!UppercaseLetters
HKLM\Software\Policies\Microsoft\Power\PowerSettings!ActivePowerScheme
HKLM\Software\Policies\Microsoft\Power\PowerSettings!ActivePowerScheme
HKLM\Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936
HKLM\Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280
HKLM\Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A7066653-8D6C-40A8-910E-A1F54B84C7E5
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A7066653-8D6C-40A8-910E-A1F54B84C7E5
HKLM\Software\Policies\Microsoft\Power\PowerSettings\E69653CA-CF7F-4F05-AA73-CB833FA90AD4
HKLM\Software\Policies\Microsoft\Power\PowerSettings\E69653CA-CF7F-4F05-AA73-CB833FA90AD4
HKLM\Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\637EA02F-BBCB-4015-8E2C-A1C7B9C0B546
HKLM\Software\Policies\Microsoft\Power\PowerSettings\9A66D8D7-4FF7-4EF9-B5A2-5A326CA2A46
HKLM\Software\Policies\Microsoft\Power\PowerSettings\d8742dcb-3e6a-4b3c-b3fe-374623cdcf06!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\8183ba9a-e910-48da-8769-14ae6dc1170a!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\F3C5027D-CD16-4930-AA6B-90DB844A8F0
HKLM\Software\Policies\Microsoft\Power\PowerSettings\bcded951-187b-4d05-bccc-f7e51960c258!
HKLM\System\CurrentControlSet\Control\Power\PowerThrottling!PowerThrottlingOff
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2
HKLM\Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364
HKLM\Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364
HKLM\Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0!A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A1
HKLM\Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A1
HKLM\Software\Policies\Microsoft\Power\PowerSettings\17aaa29b-8b43-4b94-aafe-35f64daaf1ee!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\17aaa29b-8b43-4b94-aafe-35f64daaf1ee!A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\f1fbfde2-a960-4165-9f88-50667911ce96!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\f1fbfde2-a960-4165-9f88-50667911ce96!A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\90959D22-D6A1-49B9-AF93-BCE885AD335
HKLM\Software\Policies\Microsoft\Power\PowerSettings\90959D22-D6A1-49B9-AF93-BCE885AD335
HKLM\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7
HKLM\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4!A
HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE!DisableSetup
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!CreateEncryptedOnlyTickets
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicited; HKLM\Software
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowToGetHelp; HKLM\Software\
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!UseCustomMessages; HKLM\Softw
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!UseBandwidthOptimization; HKL
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!LoggingEnabled
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!EnableAuthEpResolution
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!IgnoreDelegationFailure
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!StateInformation
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!ExtErrorInformation HKLM\Software\Policies\M
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!RestrictRemoteClients
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!MinimumConnectionTimeout
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!Deny_All
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!AllowRemoteDASD
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read!Deny_R
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write!Deny_W
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!RebootTimeinSeconds_stat
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!Allow-LogonScript-NetbiosDisa
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideShutdownScripts
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideStartupScripts
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunLogonScriptSync
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunStartupScriptSync
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunComputerPSScriptsFirst
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunUserPSScriptsFirst
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!MaxGPOScriptWait
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM!SamNGCKeyROCAValidat
HKLM\Software\Policies\Microsoft\Windows\Server\ServerManager!RefreshIntervalEnabled; HKLM\S
HKLM\Software\Policies\Microsoft\Windows\Server\InitialConfigurationTasks!DoNotOpenAtLogon
HKLM\Software\Policies\Microsoft\Windows\Server\ServerManager!DoNotOpenAtLogon
HKLM\System\CurrentControlSet\Control\SCMConfig!EnableSvchostMitigationPolicy
HKLM\Software\Policies\Microsoft\Windows\System!HiberbootEnabled
HKLM\Software\Policies\Microsoft\Windows\System!AllowBlockingAppsAtShutdown
HKLM\Software\Policies\Microsoft\Windows\StorageHealth!AllowDiskHealthModelUpdates
HKLM\Software\Policies\Microsoft\Windows\StorageSense!AllowStorageSenseGlobal
HKLM\Software\Policies\Microsoft\Windows\StorageSense!AllowStorageSenseTemporaryFilesClean
HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseGlobalCadence; HKL
HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseCloudContentDehydr
HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseRecycleBinCleanupTh
HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseDownloadsCleanupTh
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore!DisableConfig
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore!DisableSR
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI!ScenarioExecutionEnabled; HKLM\SOFTWARE\Pol
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI!DataRetentionBySizeEnabled; HKLM\SOFTWARE\P
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{88D69CE1-577A-4dd9-87AE-AD36D3CD9643}!Sc
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{659F08FB-2FAB-42a7-BD4F-566CFA528769}!Sce
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{acfd1ca6-18b6-4ccf-9c07-580cdb6eded4}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{D113E4AA-2D07-41b1-8D9B-C065194A791D}!Sc
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{081D3213-48AA-4533-9284-D98F01BDC8E6}!Sce
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePcaUI
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{affc81e2-612a-4f70-6fb2-916ff5c7e3f8}!Scenar
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{8519d925-541e-4a2b-8b1e-8059d16082f2}!Scen
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD}!Dfd
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD}!Sce
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{dc42ff48-e40d-4a60-8675-e71f7e64aa9a}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5}!Sce
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5}!Do
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy!DisableQueryRe
HKLM\Software\Policies\Microsoft\Windows\Troubleshooting\AllowRecommendations!Troublesho
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{54077489-683b-4762-86c8-02cf87a33423}!Scen
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics!EnabledExecution; HKLM\SOFT
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics!ValidateTrust
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics!EnableDiagnostics
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy!EnableQueryRem
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{67144949-5132-4859-8036-a737b43825d8}!Scen
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{eb73b633-3f4e-4ba0-8f60-8f3c6f53168f}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{3af8b24a-c441-4fa4-8c5c-bed591bfa867}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{2698178D-FDAD-40AE-9D3C-1371703ADC5B}!Sc
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}!Scenar
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}!Scen
HKLM\Software\Policies\Microsoft\TPM!OSManagedAuthLevel
HKLM\SOFTWARE\Policies\Microsoft\Tpm\BlockedCommands!Enabled; HKLM\SOFTWARE\Policies\M
HKLM\Software\Policies\Microsoft\TPM!ClearTPMIfNotReadyGP
HKLM\Software\Policies\Microsoft\TPM!UseLegacyDictionaryAttackParameters
HKLM\Software\Policies\Microsoft\TPM\BlockedCommands!IgnoreDefaultList
HKLM\Software\Policies\Microsoft\TPM\BlockedCommands!IgnoreLocalList
HKLM\Software\Policies\Microsoft\Tpm!StandardUserAuthorizationFailureIndividualThreshold; HKLM
HKLM\Software\Policies\Microsoft\Tpm!StandardUserAuthorizationFailureDuration; HKLM\Software\
HKLM\Software\Policies\Microsoft\Tpm!StandardUserAuthorizationFailureTotalThreshold; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\System!AddAdminGroupToRUP
HKLM\Software\Policies\Microsoft\Windows\System!UserProfileMinTransferRate HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\System!DeleteRoamingCache
HKLM\Software\Policies\Microsoft\Windows\System!CleanupProfiles
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkDetectEnabled
HKLM\Software\Policies\Microsoft\Windows\System!CompatibleRUPSecurity
HKLM\Software\Policies\Microsoft\Windows\System!DisableForceUnload
HKLM\Software\Policies\Microsoft\Windows\System!ProfileErrorAction
HKLM\Software\Policies\Microsoft\Windows\System!PrimaryComputerEnabledRUP
HKLM\Software\Policies\Microsoft\Windows\System!ProfileDlgTimeOut
HKLM\Software\Policies\Microsoft\Windows\System!LeaveAppMgmtData
HKLM\Software\Policies\Microsoft\Windows\System!ProfileUnloadTimeout
HKLM\Software\Policies\Microsoft\Windows\System!LocalProfile
HKLM\Software\Policies\Microsoft\Windows\System!ReadOnlyProfile
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkUIEnabled
HKLM\Software\Policies\Microsoft\Windows\System!WaitForNetwork
HKLM\Software\Policies\Microsoft\Windows\System!MachineProfilePath
HKLM\Software\Policies\Microsoft\Windows\System!UploadHiveMethod HKLM\Software\Policies\M
HKLM\Software\Policies\Microsoft\Windows\System!HomeDirLocation HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo!DisabledByGroupPolicy
HKLM\Software\Policies\Microsoft\Windows\System!AllowUserInfoAccess; HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkProfileDefault
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcShowProgress
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcQuota
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcScan
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SFCDllCacheDir
HKLM\Software\Policies\Microsoft\W32Time\Config!FrequencyCorrectRate HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\W32time\Parameters!NtpServer HKLM\Software\Policies\Microso
HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient!Enabled
HKLM\Software\Policies\Microsoft\W32Time\TimeProviders\NtpServer!Enabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller!ApprovedList; HKLM\SOFTWARE\Policies\M
HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller\AxISURLZonePolicies!InstallTrustedOCX
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU!Disabled
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager!AllowShare
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowAllTrustedApps
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowDeploymentInSpecialProfiles
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowDevelopmentWithoutDevLicense
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowAutomaticAppArchiving
HKLM\Software\Policies\Microsoft\Windows\Appx!RestrictAppToSystemVolume
HKLM\Software\Policies\Microsoft\Windows\Appx!BlockNonAdminUserInstall
HKLM\Software\Policies\Microsoft\Windows\Appx!RestrictAppDataToSystemVolume
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessAccountInfo HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessGazeInput HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCallHistory HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessContacts HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsGetDiagnosticInfo HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessEmail HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessLocation HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessMessaging HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessMotion HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessNotifications HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessTasks HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCalendar HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCamera HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessMicrophone HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessTrustedDevices HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessBackgroundSpatialPercepti
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsActivateWithVoice
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsActivateWithVoiceAboveLock
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsSyncWithDevices HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessRadios HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessPhone HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsRunInBackground HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessGraphicsCaptureProgramma
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessGraphicsCaptureWithoutBo
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!MSAOptional
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockFileElevation
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockProtocolElevation
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!BlockHostedAppAccessWinRT
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications!EnableDynamicC
HKLM\Software\Policies\Microsoft\Windows\AppCompat!VDMDisallowed
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePropPage
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableEngine
HKLM\Software\Policies\Microsoft\Windows\AppCompat!AITEnable
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableInventory
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePCA
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableUAR
HKLM\Software\Policies\Microsoft\Windows\AppCompat!SbEnable
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoAutoplayfornonVolume
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DontSetAutoplayCheckbox
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutorun
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!OnlySystemBackup
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoBackupToDisk
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoBackupToNetwork
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoBackupToOptical
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoRunNowBackup
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider!Domain Accounts
HKLM\SOFTWARE\Policies\Microsoft\Biometrics!Enabled
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider!Enabled
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider!SwitchTimeoutInSeconds
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures!EnhancedAntiSpoofing
HKLM\SOFTWARE\Policies\Microsoft\FVE!DefaultRecoveryFolderPath
HKLM\SOFTWARE\Policies\Microsoft\FVE!EncryptionMethodWithXtsOs HKLM\SOFTWARE\Policies\M
HKLM\SOFTWARE\Policies\Microsoft\FVE!EncryptionMethodNoDiffuser
HKLM\SOFTWARE\Policies\Microsoft\FVE!EncryptionMethod
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseRecoveryPassword HKLM\SOFTWARE\Policies\Microsof
HKLM\Software\Policies\Microsoft\FVE!DisableExternalDMAUnderLock
HKLM\Software\Policies\Microsoft\FVE!MorBehavior
HKLM\Software\Policies\Microsoft\FVE!IdentificationField; HKLM\Software\Policies\Microsoft\FVE!Id
HKLM\Software\Policies\Microsoft\FVE!ActiveDirectoryBackup; HKLM\Software\Policies\Microsoft\F
HKLM\Software\Policies\Microsoft\FVE!CertificateOID
HKLM\Software\Policies\Microsoft\FVE!FDVDiscoveryVolumeType; HKLM\Software\Policies\Micros
HKLM\SOFTWARE\Policies\Microsoft\FVE!FDVRecovery; HKLM\SOFTWARE\Policies\Microsoft\FVE!F
HKLM\SOFTWARE\Policies\Microsoft\FVE!FDVHardwareEncryption; HKLM\SOFTWARE\Policies\Micros
HKLM\Software\Policies\Microsoft\FVE!FDVPassphrase; HKLM\Software\Policies\Microsoft\FVE!FD
HKLM\Software\Policies\Microsoft\FVE!FDVAllowUserCert; HKLM\Software\Policies\Microsoft\FVE!
HKLM\System\CurrentControlSet\Policies\Microsoft\FVE!FDVDenyWriteAccess
HKLM\SOFTWARE\Policies\Microsoft\FVE!FDVEncryptionType; HKLM\SOFTWARE\Policies\Microsoft
HKLM\Software\Policies\Microsoft\FVE!OSEnablePreBootPinExceptionOnDECapableDevice
HKLM\Software\Policies\Microsoft\FVE!UseEnhancedPin
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSManageNKP
HKLM\Software\Policies\Microsoft\FVE!OSAllowSecureBootForIntegrity
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSRecovery; HKLM\SOFTWARE\Policies\Microsoft\FVE!OS
HKLM\Software\Policies\Microsoft\FVE!MinimumPIN
HKLM\Software\Policies\Microsoft\FVE!RecoveryKeyMessageSource HKLM\Software\Policies\Micros
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation!Enabled; HKLM\SOFTWARE\Policies\Mic
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS!Enabled; HKLM\SOFTWARE\Poli
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI!Enabled; HKLM\SOFTWARE\Poli
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSHardwareEncryption; HKLM\SOFTWARE\Policies\Microso
HKLM\Software\Policies\Microsoft\FVE!OSPassphrase; HKLM\Software\Policies\Microsoft\FVE!OSPa
HKLM\Software\Policies\Microsoft\FVE!DisallowStandardUserPINReset
HKLM\Software\Policies\Microsoft\FVE!OSEnablePrebootInputProtectorsOnSlates
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSEncryptionType; HKLM\SOFTWARE\Policies\Microsoft\
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseAdvancedStartup; HKLM\SOFTWARE\Policies\Micros
HKLM\SOFTWARE\Policies\Microsoft\FVE!EnableNonTPM HKLM\SOFTWARE\Policies\Microsoft\FVE!U
HKLM\Software\Policies\Microsoft\FVE!TPMAutoReseal
HKLM\Software\Policies\Microsoft\FVE!OSUseEnhancedBcdProfile; HKLM\Software\Policies\Microsoft
HKLM\Software\Policies\Microsoft\FVE!RDVDiscoveryVolumeType; HKLM\Software\Policies\Micros
HKLM\SOFTWARE\Policies\Microsoft\FVE!RDVRecovery; HKLM\SOFTWARE\Policies\Microsoft\FVE!R
HKLM\SOFTWARE\Policies\Microsoft\FVE!RDVHardwareEncryption; HKLM\SOFTWARE\Policies\Micros
HKLM\Software\Policies\Microsoft\FVE!RDVPassphrase; HKLM\Software\Policies\Microsoft\FVE!RD
HKLM\Software\Policies\Microsoft\FVE!RDVAllowUserCert; HKLM\Software\Policies\Microsoft\FVE
HKLM\Software\Policies\Microsoft\FVE!RDVConfigureBDE; HKLM\Software\Policies\Microsoft\FVE!
HKLM\System\CurrentControlSet\Policies\Microsoft\FVE!RDVDenyWriteAccess; HKLM\Software\Pol
HKLM\SOFTWARE\Policies\Microsoft\FVE!RDVEncryptionType; HKLM\SOFTWARE\Policies\Microsoft
HKLM\software\Policies\Microsoft\Camera!AllowCamera
HKLM\Software\Policies\Microsoft\Windows\CloudContent!DisableSoftLanding
HKLM\Software\Policies\Microsoft\Windows\CloudContent!DisableCloudOptimizedContent
HKLM\Software\Policies\Microsoft\Windows\CloudContent!DisableWindowsConsumerFeatures
HKLM\Software\Policies\Microsoft\Windows\Connect!AllowProjectionToPC
HKLM\Software\Policies\Microsoft\Windows\Connect!RequirePinForPairing; HKLM\Software\Policie
HKLM\Software\Policies\Microsoft\Windows\CredUI!DisablePasswordReveal
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI!EnumerateAdministrators
HKLM\Software\Policies\Microsoft\Windows\System!NoLocalPasswordResetQuestions
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI!EnableSecureCredentialPrompt
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowCommercialDataPipeline
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowDesktopAnalyticsProcessing
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowDeviceNameInTelemetry
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowTelemetry
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowUpdateComplianceProcessing
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowWUfBCloudProcessing
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableEnterpriseAuthProxy; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\DataCollection!TelemetryProxyServer
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableTelemetryOptInChangeNotificati
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableTelemetryOptInSettingsUx; HKLM
HKLM\Software\Policies\Microsoft\Windows\DataCollection!ConfigureMicrosoft365UploadEndpoint
HKLM\Software\Policies\Microsoft\Windows\DataCollection!CommercialId
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableDeviceDelete
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableDiagnosticDataViewer
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableOneSettingsDownloads
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DoNotShowFeedbackNotifications
HKLM\Software\Policies\Microsoft\Windows\DataCollection!EnableOneSettingsAuditing
HKLM\Software\Policies\Microsoft\Windows\DataCollection!LimitDiagnosticLogCollection
HKLM\Software\Policies\Microsoft\Windows\DataCollection!LimitDumpCollection
HKLM\Software\Policies\Microsoft\Windows\DataCollection!LimitEnhancedDiagnosticDataWindowsA
HKLM\Software\Policies\Microsoft\Windows\PreviewBuilds!AllowBuildPreview
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOAbsoluteMaxCacheSize
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMinBatteryPercentageAllo
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOCacheHost
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOCacheHostSource
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODelayCacheServerFallbackB
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODelayBackgroundDownload
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODelayCacheServerFallbackF
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODelayForegroundDownload
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODownloadMode
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOAllowVPNPeerCaching
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOGroupId
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMaxCacheAge
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMaxCacheSize
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMaxBackgroundDownloadB
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOPercentageMaxBackground
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMaxForegroundDownloadB
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOPercentageMaxForeground
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMinBackgroundQos
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMinDiskSizeAllowedToPeer
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMinFileSizeToCache
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMinRAMAllowedToPeer
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOModifyCacheDrive
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMonthlyUploadDataCap
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DORestrictPeerSelectionBy
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOGroupIdSource
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOSetHoursToLimitBackgrou
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOSetHoursToLimitForegrou
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUnsignedGa
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffSidebar
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUserInstalle
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowFlip3d
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowAnimations
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisableAccentGradient
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowColorizationColorChanges
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DefaultColorizationColorState; HKLM\SOFTWAR
HKLM\System\CurrentControlSet\Policies\Microsoft\Compatibility!DisableDeviceFlags
HKLM\System\CurrentControlSet\Policies\Microsoft\Compatibility!DisableDriverShims
HKLM\Software\Policies\Microsoft\Windows\WorkplaceJoin!autoWorkplaceJoin
HKLM\SOFTWARE\Policies\Microsoft\Windows\Digital Locker!DoNotRunDigitalLocker
HKLM\Software\Policies\Microsoft\Windows\EdgeUI!AllowEdgeSwipe
HKLM\Software\Policies\Microsoft\Windows\EdgeUI!DisableHelpSticker
HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding!MaxForwardingRate
HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!ChannelAccess
HKLM\System\CurrentControlSet\Services\EventLog\Application!CustomSD
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!ChannelAccess
HKLM\System\CurrentControlSet\Services\EventLog\Security!CustomSD
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!ChannelAccess
HKLM\System\CurrentControlSet\Services\EventLog\Setup!CustomSD
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!Enabled
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!ChannelAccess
HKLM\System\CurrentControlSet\Services\EventLog\System!CustomSD
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging!EnableProtectedEvent
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionProgram
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionProgramCommandLineParame
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionURL
HKLM\Software\Policies\Microsoft\Windows\Explorer!EnableShellShortcutIconRemotePath
HKLM\Software\Policies\Microsoft\Windows\System!EnableSmartScreen; HKLM\Software\Policies\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableBindDirectlyToPropert
HKLM\Software\Policies\Microsoft\Windows\Explorer!DisableRoamedProfileInit
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoNewAppAlert
HKLM\Software\Policies\Microsoft\Windows\Explorer!DefaultLibrariesLocation
HKLM\Software\Policies\Microsoft\Windows\System!DefaultAssociationsConfiguration
HKLM\Software\Policies\Microsoft\Windows\Explorer!AdminInfoUrl
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowHibernateOption
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowLockOption
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowSleepOption
HKLM\Software\Policies\Microsoft\Windows\Explorer!ExplorerRibbonStartsMinimized; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoDataExecutionPrevention
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoHeapTerminationOnCorruption
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStrCmpLogical
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreXPSP2ShellProtocolBehavi
HKLM\Software\Policies\Microsoft\Windows\Explorer!CheckSameSourceAndTargetForFRAndDFS
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableLocalPage
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableRemotePage
HKLM\Software\Policies\Microsoft\PreviousVersions!HideBackupEntries
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableLocalRestore
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableBackupRestore
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableRemoteRestore
HKLM\Software\Policies\Microsoft\Windows\FileHistory!Disabled
HKLM\SOFTWARE\Policies\Microsoft\FindMyDevice!AllowFindMyDevice
HKLM\Software\Policies\Microsoft\Handwriting!PanelDefaultModeDocked
HKLM\Software\Policies\Microsoft\Windows\HomeGroup!DisableHomeGroup
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!AddPolicySearchProvi
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!AllowSaveTargetAsInIE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!ShutdownWaitForOnUnload
HKLM\Software\Policies\Microsoft\Internet Explorer!AllowServicePoweredQSA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!IgnoreFrameApprovalCheck
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!NeedEdgeBrowser HKLM
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!Version
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoJITSetup
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Autoconfig
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connection Settings HKLM\Softw
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\SecondaryStartPages
HKLM\Software\Policies\Microsoft\Internet Explorer!DisableImportExportFavorites
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NotifyDisableIEOptions
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoUpdateCheck
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSplash
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoMSAppLogo5ChannelNotif
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExtensionManagement
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!EnableExtendedIEMode
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus; HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!EnableAutoUpgrade
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!KeepIntranetSitesInInte
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!Enable
HKLM\Software\Microsoft\Internet Explorer\WMITelemetry!DomainAllowList
HKLM\Software\Microsoft\Internet Explorer\WMITelemetry!ZoneAllowList
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxySettingsPerUser
HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows!ListBox_Support_Allow; HKLM\S
HKLM\Software\Policies\Microsoft\Internet Explorer\Security!DisableFixSecuritySettings
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpMenu
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverride
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverrideAppRepUnknow
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!DisablePopupFilterLevel
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Proxy
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChangeDefaultSea
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AllowWindowReuse
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!OpenInForeground
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSearchBox
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!RestrictPopupExceptionList
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV9
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\SQM!DisableCustomerImprovementProgram
HKLM\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX!BlockNonAdminActiveXInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableFirstRunCustomize
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!UsePolicySearchProvi
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_zones_map_
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_options_edi
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_HKLM_only
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!RestrictIE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!TabProcGrowth
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!ShowMessageWhenOpen
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!NewTabPageShow
HKLM\Software\Policies\Microsoft\Windows\AxInstaller!OnlyUseAXISForActiveXInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableAddSiteMode
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!NoFirsttimeprompt
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!DisableAddonLoadTimePerformance
HKLM\Software\Policies\Microsoft\Internet Explorer\Recovery!AutoRecover
HKLM\Software\Policies\Microsoft\Internet Explorer\Geolocation!PolicyDisableGeolocation
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!PopupsUseNewWindow
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection
HKLM\Software\Policies\Microsoft\Internet Explorer\LinksBar!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV8
HKLM\Software\Policies\Microsoft\Internet Explorer\ZOOM!ZoomDisabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPopupManagement
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!QuickTabsThreshold
HKLM\Software\Policies\Microsoft\Internet Explorer\Recovery!NoReopenLastSession
HKLM\Software\Policies\Microsoft\Internet Explorer\SearchScopes!ShowSearchSuggestionsGlobal
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!Enabled
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!AutoSuggest
HKLM\Software\Policies\Microsoft\Internet Explorer\SearchScopes!DisplayQuickPick
HKLM\Software\Policies\Microsoft\Internet Explorer\Security!DisableSecuritySettingsCheck
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering!IsEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus
HKLM\Software\Microsoft\Internet Explorer\WMITelemetry!Active
HKLM\Software\Microsoft\Internet Explorer\WMITelemetry!XMLPath
HKLM\Software\Policies\Microsoft\Internet Explorer\Suggested Sites!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!SiteList
HKLM\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesDefaultInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\Activities\Restrictions!UsePolicyActivitiesOnly
HKLM\Software\Policies\Microsoft\Internet Explorer\Activities!NoActivities
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_Featur
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPrinting
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoReportSiteProblems
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!MSCompatibilityMode
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!DisableSiteListEditing
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowCompatibilityViewButton
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!AllSitesCompatibilityMode
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!IntranetCompatibilityMode
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CodeBaseSearchPath
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!ClearBrowsingHistoryOnExit
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!History; HKLM\Software\Policie
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteBrowsingHistory
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTrackingProtection
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanCookies
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanDownloadHistory
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!UseAllowList
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteForms
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanInPrivateBlocking
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeletePasswords
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTIF
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanHistory
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Settings
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!AdvancedTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!ConnectionsTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!ContentTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!GeneralTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!PrivacyTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!ProgramsTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!SecurityTab
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!PreventIgnoreCertErr
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnablePunyCode
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Protocols\Mailto!UT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMA
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoWebJITSetup
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableHTTP2
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableSPDY3_0
HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Enable Browser Extensions
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DoNotTrack
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoUpdateCheck
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CertificateRevocation
HKLM\Software\Policies\Microsoft\Internet Explorer\Download!CheckExeSignatures
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableEPMCompat
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableRIED
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DisableCachingOfSSL
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache!Persistent
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Play_Animations
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Play_Background_Sounds
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Display Inline Videos
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!UseClearType
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!SecureProtocols
HKLM\Software\Policies\Microsoft\Internet Explorer\PrefetchPrerender!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Security\P3Global!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!UTF8URLQuery
HKLM\Software\Policies\Microsoft\Internet Explorer\FlipAhead!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Isolation64Bit
HKLM\Software\Policies\Microsoft\Internet Explorer\CaretBrowsing!EnableOnStartup
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Isolation
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableHttp1_1
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxyHttp1.1
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!ShowContentAdvisor
HKLM\Software\Policies\Microsoft\Internet Explorer\ContinuousBrowsing!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!AllowWebsiteCach
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!AllowWebsiteData
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!MaxTrustedDomai
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!GarbageCollection
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage!DefaultDomainCacheLimitInM
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!MaxTrustedDoma
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestSingleRe
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestResource
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!TotalLimitInMB
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!TotalLimitInMB
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Template Policies!In
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!IntranetN
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!UNCAsIntr
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!ProxyByPa
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Settings\Template Policies!Int
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Settings\Template
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings\Template P
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings\Template P
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Lockdown Settings
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings\Tem
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings\Templ
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Settings\Template Polic
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_Zo
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Settings\Template Policie
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!AutoDetec
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnBadCertRecv
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnIntranet
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1406
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120b
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120c
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180E
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180F
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!140C
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1A04
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1C00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!270B
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1E05
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!ApplicationTileImmersiveActivation
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AssociationActivationMode
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!GotoIntranetSiteForSingleWordEntry
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!HideNewEdgeButton
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FormatDetection!PhoneNumberEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!EnableAlternativeCodec
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AutoSearch
HKLM\Software\Policies\Microsoft\Internet Explorer\SearchScopes!TopResult
HKLM\Software\Policies\Microsoft\Internet Explorer\DomainSuggestion!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\WindowsSearch!EnabledScopes
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion!IEAKUpdateUrl
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Update_Check_Page
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Update_Check_Interval
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!Threshold
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!TrackingProtectionThreshold
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableToolbars
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableLogging
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!EnableInPrivateBrowsing
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableInPrivateBlocking
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableTrackingProtection
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisablePasswordReveal
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DEPOff
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATAURI!iexpl
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_Support_CLSID; HKLM\Soft
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RunThisTimeEnabled
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!VersionCheckEnabled
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_DomainAllowlist; HKLM\So
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!AuditModeEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!XMLHTTP
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOC
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET!ie
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XDOMAINREQU
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_All
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!*
HKLM\Software\Policies\Microsoft\Internet Explorer\Security!ENABLE_MD2_MD4
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!(Re
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDL
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEA
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMAC
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACH
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_F
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFIN
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_L
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_F
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAN
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACH
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVAT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_F
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RES
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_REST
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!TextOption
HKLM\Software\Policies\Microsoft\Internet Explorer\MINIE!ShowTabsBelowAddressBar
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!CommandBarEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!StatusBarWeb
HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbar!Locked
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowLeftAddressToolbar
HKLM\Software\Policies\Microsoft\Internet Explorer\IEDevTools!Disabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions!DisableToolbarUpgrader
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!SmallIcons
HKLM\Software\Policies\Microsoft\Windows NT\IIS!PreventIISInstall
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocation
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocationScripting
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableSensors
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableWindowsLocationProvider
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance!Activation Boundary
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance!Randomized; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance!WakeUp
HKLM\Software\Policies\Microsoft\Windows\Maps!AutoDownloadAndUpdateMapData
HKLM\Software\Policies\Microsoft\Windows\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\MDM!DisableRegistration
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\MDM!AutoEnrollMDM; HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\Messaging!AllowMessageSync
HKLM\Software\Policies\Microsoft\MicrosoftAccount!DisableUserAuth
HKLM\Software\Policies\Microsoft\Windows Defender!ServiceKeepAlive
HKLM\Software\Policies\Microsoft\Windows Defender!AllowFastServiceStartup
HKLM\Software\Policies\Microsoft\Windows Defender!PUAProtection; HKLM\Software\Policies\Mic
HKLM\Software\Policies\Microsoft\Windows Defender!DisableLocalAdminMerge
HKLM\Software\Policies\Microsoft\Windows Defender!ProxyBypass
HKLM\Software\Policies\Microsoft\Windows Defender!ProxyPacUrl
HKLM\Software\Policies\Microsoft\Windows Defender!ProxyServer
HKLM\Software\Policies\Microsoft\Windows Defender!SupportLogLocation
HKLM\Software\Policies\Microsoft\Windows Defender!RandomizeScheduleTaskTimes
HKLM\Software\Policies\Microsoft\Windows Defender!DisableAntiSpyware
HKLM\Software\Policies\Microsoft\Windows Defender!DisableRoutinelyTakingAction
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration!CustomDefaultActionToastS
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration!UILockdown
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration!Notification_Suppress
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration!SuppressRebootNotificatio
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_Extensions; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_IpAddresses; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_Paths; HKLM\Software
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_Processes; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!DisableAutoExclusions
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!LocalSettingOverrideSpynetReporting
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!DisableBlockAtFirstSeen
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!SpynetReporting; HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR!Exploi

HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR!Exploi
HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled F
HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Pr
HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network P
HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!MpBafsExtendedTimeout; HKLM\S
HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!EnableFileHashComputation
HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!MpCloudBlockLevel; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS\SKU Differentiation!Nis_C
HKLM\Software\Policies\Microsoft\Windows Defender\NIS!DisableDatagramProcessing
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS!DisableSignatureRetirem
HKLM\Software\Policies\Microsoft\Windows Defender\NIS!DisableProtocolRecognition
HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine!LocalSettingOverridePurgeItemsA
HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine!PurgeItemsAfterDelay; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!LocalSettingOverrideDi
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!LocalSettingOverrideRe
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!RealtimeScanDirection;
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!IOAVMaxSize; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableOnAccessProtec
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableIOAVProtection
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableRealtimeMonito
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableBehaviorMonito
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableScanOnRealtim
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableRawWriteNotifi
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableScriptScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Remediation!LocalSettingOverrideScan_Sch
HKLM\Software\Policies\Microsoft\Windows Defender\Remediation!Scan_ScheduleDay; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Remediation!Scan_ScheduleTime; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!CriticalFailureTimeout; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!NonCriticalTimeout; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!RecentlyCleanedTimeout; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!AdditionalActionTimeout; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!DisableGenericRePorts
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!WppTracingComponents; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!WppTracingLevel; HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!DisableEnhancedNotifications
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!AllowPause
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!CheckForSignaturesBeforeRunningScan
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideAvgCPULoadFactor
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScheduleDay
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScheduleQuickSca
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScheduleTime
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScanParameters
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LowCpuPriority
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableRestorePoint
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!MissedScheduledScanCountBeforeCatc
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableScanningMappedNetworkDrivesF
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableArchiveScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableScanningNetworkFiles
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisablePackedExeScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableRemovableDriveScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScheduleDay; HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!QuickScanInterval; HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ArchiveMaxDepth; HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!AvgCPULoadFactor; HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ArchiveMaxSize; HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScanParameters; HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScheduleQuickScanTime; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScheduleTime; HKLM\Software\Policie
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScanOnlyIfIdle
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableCatchupFullScan
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableCatchupQuickScan
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableEmailScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableHeuristics
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!PurgeItemsAfterDelay; HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableReparsePointScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SignatureDisableNotificat
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!RealtimeSignatureDeliver
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ForceUpdateFromMU
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DisableScheduledSignatu
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!MeteredConnectionUpda
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!UpdateOnStartUp
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DefinitionUpdateFileShar
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SharedSignatureRoot
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SignatureUpdateCatchupIn
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ASSignatureDue; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!AVSignatureDue; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!FallbackOrder
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DisableUpdateOnStartup
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ScheduleDay; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SignatureUpdateInterval;
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ScheduleTime; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DisableScanOnUpdate
HKLM\Software\Policies\Microsoft\Windows Defender\Threats!Threats_ThreatSeverityDefaultAction
HKLM\Software\Policies\Microsoft\Windows Defender\Threats!Threats_ThreatIdDefaultAction; HKL
HKLM\Software\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection!ExploitProtec
HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor!AllowSecondaryAuthenticatio
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncMethod HKLM\Software\Policies\M
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!ContactITDescription
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!ContactITUrl
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!DontSyncWindows8AppSettings
HKLM\Software\Policies\Microsoft\UEV\Agent!Enabled; HKLM\Software\Policies\Microsoft\Window
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!FirstUseNotificationEnabled
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncProviderPingEnabled
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!MaxPackageSizeInBytes
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SettingsStoragePath
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SettingsTemplateCatalogPath HKLM\So
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncOverMeteredNetwork
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncOverMeteredNetworkWhenRoam
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncUnlistedWindows8Apps
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncTimeoutInMilliseconds
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings!DesktopSettings HKL
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!TrayIconEnabled
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncEnabled
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings!VdiState; HKLM\Soft
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Bac
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftCalculator6
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013B
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016B
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Back
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplore
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplo
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Back
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Back
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win3
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2010
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Win32
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Win32
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Wi
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Win
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Offi
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Of
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Of
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Offic
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Offic
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Off
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Offic
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftNotepad6
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Ba
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftWordpad6
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingFin
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.XboxLI
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingMa
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneMu
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingNe
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.Reader_
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingSpo
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingTra
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneVid
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingWe
HKLM\Software\Policies\Microsoft\Conferencing!NoRDS
HKLM\Software\Policies\Microsoft\Windows\OneDrive!DisableMeteredNetworkFileSync
HKLM\SOFTWARE\Microsoft\OneDrive!PreventNetworkTrafficPreUserSignIn
HKLM\Software\Policies\Microsoft\Windows\OneDrive!DisableFileSyncNGSC
HKLM\Software\Policies\Microsoft\Windows\OneDrive!DisableFileSync
HKLM\Software\Policies\Microsoft\Windows\OneDrive!DisableLibrariesDefaultSaveToOneDrive
HKLM\Software\Policies\Microsoft\Assistance\Client\1.0!NoActiveHelp
HKLM\Software\Policies\Microsoft\Windows\OOBE!DisablePrivacyExperience
HKLM\System\CurrentControlSet\Policies\Microsoft\PortableOperatingSystem!Hibernate
HKLM\System\CurrentControlSet\Policies\Microsoft\PortableOperatingSystem!Sleep
HKLM\Software\Policies\Microsoft\PortableOperatingSystem!Launcher
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings!NoPresentationSe
HKLM\Software\Policies\Microsoft\PushToInstall!DisablePushToInstall
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!fSecureLicensing
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!fPreventLicenseUpgrade
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowUnsignedFiles
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowSignedFiles
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AuthenticationLevel
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client!EnableHardwareMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DisablePasswordSaving
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!PromptForCredsOnClient
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!TrustedCertThumbprints
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client!fClientDisableUDP
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client!fUsbRedirectionEnable
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\VirtualIP!PromptOnIP
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\VirtualIP!VIPAdapter
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\TSMSI!Enable
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\TSAppSrv\VirtualIP!EnableVirt
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fAllowUnlistedRemoteProgram
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDenyTSConnections
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableAutoReconnect
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!KeepAliveEnable; HKLM\SOFTWAR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableForcibleLogoff
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxInstanceCount
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fSingleSessionPerUser
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SelectNetworkDetect
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SelectTransport
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!Shadow
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AllUserInstallAgent!LogonWaitF
HKLM\SOFTWARE\Policies\Microsoft\Windows\Session Manager\Quota System!EnableCpuQuota
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCam
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableAudioCapture
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableTimeZoneRedirection
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableClip
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCcm
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableLPT
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableSmartCard
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisablePNPRedir
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCameraRedir
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowedAudioQualityMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableTerminalServerTooltip
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!LicensingMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!LicenseServers
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCpm
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fForceClientLptDef
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!RedirectOnlyDefaultClientPrint
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPolicyFallbackPrintDriver; HK
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UseUniversalPrinterDriverFirst
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DeleteRoamingUserProfile; HKL
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFProfilePath
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFHomeDirUNC HKLM\SOFTWAR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFDontAppendUserNameToPro
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryClusterName
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryLocation
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryActive
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryExposeServerI
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!ParticipateInLoadBalancing
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fAllowDesktopCompositionOnS
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fTurnOffSingleAppMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxCompressionLevel
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AVCHardwareEncodePreferred
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!ImageQuality
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!GraphicsProfile
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fNoFontSmoothing
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableVirtualizedGraphics
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fNoRemoteDesktopWallpaper
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!ColorDepth
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxXResolution HKLM\SOFTWAR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxMonitors
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AVC444ModePreferred
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDisconnect
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNTSecurity
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!InitialProgram HKLM\SOFTWARE
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableRemoteFXAdvancedR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!bEnumerateHWBeforeSW
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableWddmDriver
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableVirtualizedGraphics
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!VisualExperiencePolicy
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\!VGOptimization_CaptureFrameR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPromptForPassword
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fWritableTSCCPermTab
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEncryptRPCTraffic
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SecurityLayer
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UserAuthentication
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!CertTemplateName
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fResetBroken
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxConnectionTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!RemoteAppLogoffTimeLimit
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DeleteTempDirsOnExit
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!PerSessionTempDir
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableFeedPane
HKLM\Software\Policies\Microsoft\Internet Explorer\Feed Discovery!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableEnclosureDownload
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableAddRemove
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!BackgroundSyncStatus
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!AllowBasicAuthInClear
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PrimaryIntranetSearchScopeUrl
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!SecondaryIntranetSearchScopeUrl
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCloudSearch; HKLM\SOFTWARE
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCortana
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCortanaAboveLock
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCortanaInAAD; HKLM\SOFTWA
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowIndexingEncryptedStoresOrIt
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowSearchToUseLocation
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowUsingDiacritics
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AlwaysUseAutoLangDetection
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!RichAttachmentPreviews
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultExcludedPaths
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultIndexedPaths
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableBackoff
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableRemovableDriveIndexing
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableWebSearch
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWeb
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWebOverMete
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!EnableIndexingDelegateMailboxes
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingUncachedExchange
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!EnableThrottlingOnlineMailboxes;
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DataDirectory
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!HideUNCTab
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!FavoriteLocations
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AutoIndexSharedFolders
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventRemoteQueries
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventModifyingIndexedLocations
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingCertainPaths
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingEmailAttachments
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingOfflineFiles
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingOutlook
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ExcludedExtensionsMultiline0 HKLM
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingPublicFolders
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexOnBattery
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventUsingAdvancedIndexingOpt
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventUnwantedAddins
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreviewPaneLocation
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!SearchResultIconSize
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchSafeSearch; HKLM
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchPrivacy; HKLM\SO
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingLowDiskSpaceMB
HKLM\Software\Policies\Microsoft\Windows NT\Security Center!SecurityCenterInDomain
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ShutdownSessionTimeout
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableShutdownNamedPipe
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowCertificatesWit
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!EnumerateECCCerts
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowIntegratedUnblo
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowSignatureOnlyKe
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowTimeInvalidCertif
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!X509HintsNeeded
HKLM\SOFTWARE\Policies\Microsoft\Windows\CertProp!RootCertificateCleanupOption
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!IntegratedUnblockPro
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!FilterDuplicateCerts
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!ForceReadingAllCertifi
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScPnP!ScPnPNotification
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!DisallowPlaintextPin
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!ReverseSubject
HKLM\SOFTWARE\Policies\Microsoft\Windows\CertProp!CertPropEnabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\CertProp!EnableRootCertificatePropagation
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScPnP!EnableScPnP
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform!Allo
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform!NoGe
HKLM\SOFTWARE\Policies\Microsoft\SoundRecorder!Soundrec
HKLM\Software\Policies\Microsoft\Speech!AllowSpeechModelUpdate
HKLM\Software\Policies\Microsoft\WindowsStore!DisableStoreApps
HKLM\Software\Policies\Microsoft\WindowsStore!RequirePrivateStoreOnly
HKLM\Software\Policies\Microsoft\WindowsStore!AutoDownload
HKLM\Software\Policies\Microsoft\WindowsStore!AutoDownload
HKLM\Software\Policies\Microsoft\WindowsStore!DisableOSUpgrade
HKLM\Software\Policies\Microsoft\WindowsStore!RemoveWindowsStore
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableSettingSync; HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableApplicationSettingSync; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableAppSyncSettingSync; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableWebBrowserSettingSync; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableDesktopThemeSettingSync; HKLM\S
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableSyncOnPaidNetwork
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableWindowsSettingSync; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableCredentialsSettingSync; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisablePersonalizationSettingSync; HKLM\S
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableStartLayoutSettingSync; HKLM\Soft
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableInkball
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableNoteWriterPrinting
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableSnippingTool
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableJournal
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPenFeedback
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonBackEscapeMapping
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonApplicationLaunch
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonPressAndHold
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffButtons
HKLM\software\policies\microsoft\TabletTip\1.7!DisablePrediction
HKLM\software\policies\microsoft\TabletTip\1.7!HideIPTIPTarget
HKLM\software\policies\microsoft\TabletTip\1.7!HideIPTIPTouchTarget
HKLM\software\policies\microsoft\TabletTip\1.7!IncludeRareChar
HKLM\software\policies\microsoft\TabletTip\1.7!DisableEdgeTarget
HKLM\software\policies\microsoft\TabletTip\1.7!DisableACIntegration
HKLM\software\policies\microsoft\TabletTip\1.7!PasswordSecurityState; HKLM\software\policies\mi
HKLM\software\policies\microsoft\TabletTip\1.7!ScratchOutState; HKLM\software\policies\microsof
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicksLearningMode
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicks
HKLM\SOFTWARE\Policies\Microsoft\PenTraining!DisablePenTraining
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffTouchInput
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPanning
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Disable Advanced
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Property Pages
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Execution
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Allow Browse
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!DragAndDrop
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Creation
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Deletion
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput!AllowLanguageFeaturesUnins
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput!AllowLinguisticDataCollectio
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows!TurnOffWinCal
HKLM\Software\Policies\Microsoft\Windows\WindowsColorSystem!ProhibitInstallUninstall
HKLM\Software\Policies\Microsoft\SQMClient!CorporateSQMURL
HKLM\Software\Policies\Microsoft\SQMClient\Windows!StudyId; HKLM\Software\Policies\Microso
HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen!ConfigureAppInstallControlEnab
HKLM\Software\Policies\Microsoft\Windows\System!EnableSmartScreen; HKLM\Software\Policies\
HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!EnabledV9
HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!PreventOverride
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!AutoApproveOSDumps
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWNoExternalURL HKLM\Software\
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!LoggingDisabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!Disabled
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!ShowUI; HKLM\Software\Policies\Mic
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassDataThrottling
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontShowUI
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassPowerThrottling
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassNetworkCostThrottl
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!CorporateWerServer HKL
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableArchive; HKLM\SOF
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableQueue; HKLM\SOFT
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!AllOrNone HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!IncludeKernelFaults
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!IncludeShutdownErrs
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultConsent
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultOverrideB
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!AllowAllUserAccessToSmartCardNode
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock!GroupA HKLM\SOFTWARE\Polic
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DynamicLock!DynamicLock; HKLM\SOFTWARE\
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!DisableSmartCardNode
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!RequireSecurityDevice; HKLM\SOFTWARE\Poli
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio\Credential Provider!Domain Account
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!UseCertificateForOnPremAuth
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!UseCloudTrustForOnPremAuth
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!EnablePinRecovery
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!Enabled; HKLM\SOFTWARE\Policies\Microsoft
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!UseHelloCertificatesAsSmartCardCertificates
HKLM\Software\Policies\Microsoft\WindowsInkWorkspace!AllowSuggestedAppsInWindowsInkWork
HKLM\Software\Policies\Microsoft\WindowsInkWorkspace!AllowWindowsInkWorkspace; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\Installer!EnableUserControl
HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownBrowse
HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownPatch
HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownMedia
HKLM\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated
HKLM\Software\Policies\Microsoft\Windows\Installer!MaxPatchCacheSize
HKLM\Software\Policies\Microsoft\Windows\Installer!EnforceUpgradeComponentRules
HKLM\Software\Policies\Microsoft\Windows\Installer!MsiDisableEmbeddedUI
HKLM\Software\Policies\Microsoft\Windows\Installer!SafeForScripting
HKLM\Software\Policies\Microsoft\Windows\Installer!DisablePatch
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableFlyweightPatching
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLUAPatching
HKLM\Software\Policies\Microsoft\Windows\Installer!DisablePatchUninstall
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableRollback
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableAutomaticApplicationShutdown
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableUserInstalls
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableBrowse
HKLM\Software\Policies\Microsoft\Windows\Installer!TransformsSecure
HKLM\Software\Policies\Microsoft\Windows\Installer!Logging
HKLM\Software\Policies\Microsoft\Windows\Installer!LimitSystemRestoreCheckpointing
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLoggingFromPackage
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableSharedComponent
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableMSI
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!AutomaticRestartSignOnConfig
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!SoftwareSASGeneration
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisplayLastLogonInfo
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ReportControllerMissing
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableAutomaticRestartSignO
HKLM\Software\Policies\Microsoft\WMDRM!DisableOnline
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!GroupPrivacyAcceptance
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DisableAutoUpdate
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DesktopShortcut
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!PreventLibrarySharing
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!QuickLaunchShortcut
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DontUseFrameInterpolation
HKLM\Software\Policies\Microsoft\Messenger\Client!PreventRun
HKLM\Software\Policies\Microsoft\Messenger\Client!PreventAutoRun
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter!NoMobilityCenter
HKLM\Software\Policies\Microsoft\Windows\PowerShell\UpdatableHelp!EnableUpdateHelpDefaultS
HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging!EnableModuleLogging; H
HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging!EnableScriptBlockLoggi
HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription!EnableTranscripting; HKLM\S
HKLM\Software\Policies\Microsoft\Windows\PowerShell!EnableScripts; HKLM\Software\Policies\Mi
HKLM\SOFTWARE\Policies\Microsoft\Windows\Reliability Analysis\WMI!WMIEnable
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowBasic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowCredSSP
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowUnencryptedTraffic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowDigest
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowKerberos
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowNegotiate
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!TrustedHosts; HKLM\Software\Policies\
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowBasic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowCredSSP
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowAutoConfig; HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowUnencryptedTraffic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowKerberos
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowNegotiate
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!DisableRunAs
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!CBTHardeningLevelStatus; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!HttpCompatibilityListener
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!HttpsCompatibilityListener
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!AllowRemoteShellAccess
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxConcurrentUsers
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!IdleTimeout HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxMemoryPerShellMB
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxProcessesPerShell
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxShellsPerUser
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!ShellTimeOut
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowAudioInput
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowClipboardRedirection
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowNetworking
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowPrinterRedirection
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowVGPU
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowVideoInput
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection!UILoc
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protecti
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and h
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security!DisableCl
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security!UILockdo
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security!HideSecur
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security!HideTPMTr
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security!Disable
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization!
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization!E
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customizatio
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization!E
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization!
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization!U
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options!UILockdow
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network prot
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications!DisableNotific
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications!DisableEnhanc
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray!HideSystray
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protecti
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protecti
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!AutoInstallMinorUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!ElevateNonAdmins
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!AcceptTrustedPublisherCerts
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!AllowAutoWindowsUpdateDownloa
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!AlwaysAutoRebootAtScheduledT
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!DetectionFrequencyEnabled; HKL
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoUpdate; HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetAutoRestartNotificationConfig; HK
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetAutoRestartRequiredNotificationDi
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetRestartWarningSchd; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RebootWarningTimeoutEnabled;
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetUpdateNotificationLevel; HKLM\So
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUAsDefaultShutdownOption
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableDualScan
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DoNotConnectToWindowsUpdateInter
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUShutdownOption
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!ExcludeWUDriversInQualityUpdate
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!TargetGroupEnabled; HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!AUPowerManagement
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoRebootWithLoggedOnUse
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetDisablePauseUXAccess
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetDisableUXWUAccess
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RebootRelaunchTimeoutEnabled;
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RescheduleWaitTimeEnabled; HK
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetActiveHoursMaxRange; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetAutoRestartDeadline; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetComplianceDeadline; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetEngagedRestartTransitionSchedul
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!UseWUServer HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetActiveHours; HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetAutoRestartNotificationDisable
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!IncludeRecommendedUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!EnableFeaturedSoftware
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetEDURestart
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableWUfBSafeguards
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!ManagePreviewBuildsPolicyValue; HK
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!TargetReleaseVersion; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DeferFeatureUpdates; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DeferQualityUpdates; HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\WorkFolders!AutoProvision
Supported On Help Text
At least Windows Server 2016 Windows 10 Version 1709 Enables or disables the re
At least Windows Server 2016 Windows 10 Version 1703 Specifies the list of pages
At least Windows Server 2012 Windows 8 or Windows RT This policy setting contro
Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 only Forces Windows to use t
At least Windows Server 2012 Windows 8 or Windows RT This setting allows you to
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Forces the Start screen to
At least Windows Server 2012 Windows 8 or Windows RT Prevents users from chan
At least Windows Server 2012 Windows 8 or Windows RT Prevents users from chan
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Disables the lock screen c
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Disables the lock screen s
At least Windows Server 2016 Windows 10 This policy specifies
At least Windows Server 2012 Windows 8 or Windows RT This policy setting c
At least Windows Vista This policy setting contro
At least Windows Server 2016 Windows 10 This policy setting re
At least Windows Vista This policy setting restric
At least Windows Vista This policy setting tu
At least Windows Vista This policy setting allows
At least Microsoft Windows Vista or Windows Server 2003 family When you enable this se
At least Microsoft Windows Vista or Windows Server 2003 family Enables management of
At least Microsoft Windows Vista or Windows Server 2003 family Administrator account na
At least Microsoft Windows Vista or Windows Server 2003 family Configures password par
At least Windows Vista This setting controls whe
At least Windows Server 2008 R2 or Windows 7 This policy setting contro
Only Windows 7 Windows Server 2008 Windows Server 2008R2 Windows Server 2012 APPLIES ONLY TO: Windo
At least Windows Server 2008 R2 or Windows 7 Configures the SMB v1 cl
At least Windows Server 2008 R2 or Windows 7 Disabling this setting disa
At least Windows Vista If this setting is enabled S
Windows Server 2008 and newer Beginning with the Wind
At least Windows Server 2008 R2 or Windows 7 Determines whether use
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Enable LSA protection. Fo
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Enable auditing of Lsass.e
At least Windows Server 2008 R2 or Windows 7 The NetBT NodeType setti
At least Windows Vista This setting controls whe
At least Windows Server 2016 Windows 10 Version 1803 This policy setting contro
At least Windows Server 2016 Windows 10 Beginning with Windows
At least Windows Server 2008 R2 or Windows 7 When WDigest authentic
At least Windows Vista MSS: (AutoAdminLogon)
At least Windows Vista MSS: (AutoReboot) Allow
At least Windows Vista MSS: (AutoShareServer)
At least Windows Vista MSS: (AutoShareWks) En
At least Windows Vista MSS: (DisableIPSourceRo
At least Windows Vista MSS: (DisableIPSourceRo
At least Windows Vista MSS: (DisableSavePasswo
At least Windows Vista MSS: (EnableDeadGWDe
At least Windows Vista MSS: (EnableICMPRedire
At least Windows Vista MSS: (Hidden) Hide Com
At least Windows Vista MSS: (KeepAliveTime) Ho
At least Windows Vista MSS: (NoDefaultExempt)
At least Windows Vista MSS: (NoNameReleaseO
At least Windows Vista MSS: (NtfsDisable8dot3N
At least Windows Vista MSS: (PerformRouterDisc
At least Windows Vista MSS: (SafeDllSearchMod
At least Windows Vista MSS: (ScreenSaverGraceP
At least Windows Vista MSS: (SynAttackProtect)
At least Windows Vista MSS: (TcpMaxConnectRe
At least Windows Vista MSS: (TcpMaxDataRetran
At least Windows Vista MSS: (TcpMaxDataRetran
At least Windows Vista MSS: (WarningLevel) Per
At least Windows Server 2003 operating systems or Windows XP Professional This policy setting allows
At least Windows Vista This policy setting determ
Windows 7 or computers with BITS 3.5 installed. This setting affects wheth
At least Windows Vista This policy setting specifi
At least Windows Vista This policy setting limits t
Windows XP SP2 or Windows Server 2003 SP1 or computers with BITS 2.0 installed. This policy setting limits t
Windows 8 or Windows Server 2012 or Windows RT or computers with BITS 5 installed. This policy setting d
Windows 7 or computers with BITS 3.5 installed. This policy setting limits t
Windows 7 or computers with BITS 3.5 installed. This policy setting limits t
Windows XP or Windows Server 2003 or computers with BITS 1.5 installed. This policy setting specifi
At least Windows Server 2008 R2 or Windows 7 This policy setting is used
At least Windows Server 2012 Windows 8 or Windows RT This policy setting specifi
At least Windows 7 or Windows Server 2008 R2* This policy setting specifi
At least Windows Server 2008 R2 or Windows 7 Specifies resources on yo
At least Windows Server 2008 R2 or Windows 7 Specifies commands confi
At least Windows Server 2008 R2 or Windows 7 Specifies whether NCA se
At least Windows Server 2008 R2 or Windows 7 Specifies the string that a
At least Windows Server 2008 R2 or Windows 7 Specifies the IPv6 addres
At least Windows Server 2008 R2 or Windows 7 Specifies whether the use
At least Windows Server 2008 R2 or Windows 7 Specifies the e-mail addr
At least Windows Server 2008 R2 or Windows 7 Specifies whether an ent
At least Windows Vista Specifies that computers
At least Windows Server 2012 Windows 8 or Windows RT Specifies that NetBIOS ov
At least Windows Vista Specifies if the DNS clien
Windows XP Professional only Specifies a connection-sp
Windows XP Professional only Defines the DNS servers
At least Windows Server 2003 operating systems or Windows XP Professional Specifies the DNS suffixe
At least Windows Server 2003 operating systems or Windows XP Professional Specifies if DNS dynamic
At least Windows Server 2012 Windows 8 or Windows RT Specifies whether the DN
At least Windows Server 2012 Windows 8 or Windows RT Specifies that responses
At least Windows 2000 Specifies the primary DN
At least Windows Server 2003 operating systems or Windows XP Professional Specifies if the DNS clien
At least Windows 2000 Specifies if the devolutio
At least Windows Server 2003 operating systems or Windows XP Professional Specifies if a computer p
At least Windows Server 2003 operating systems or Windows XP Professional Specifies if DNS client com
At least Windows Server 2003 operating systems or Windows XP Professional Specifies the interval use
Windows XP Professional only Specifies whether dynam
At least Windows Server 2003 operating systems or Windows XP Professional Specifies the value of the
At least Windows Server 2012 Windows 8 or Windows RT Specifies whether the DN
At least Windows Vista Specifies that link local m
At least Windows Server 2012 Windows 8 or Windows RT Specifies that a multi-hom
At least Windows Server 2012 Windows 8 or Windows RT Specifies that the DNS cli
At least Windows Server 2003 operating systems or Windows XP Professional Specifies the security lev
At least Windows Server 2003 operating systems or Windows XP Professional Specifies if computers ma
At least Windows Server 2016 Windows 10 This policy setting de
At least Windows Server 2012 Windows 8 or Windows RT This policy setting define
At least Windows Server 2016 Windows 10 This policy setting determ
At least Windows Server 2008 R2 or Windows 7 This policy setting specifi
At least Windows Vista This policy setting change
At least Windows Vista This policy setting change
At least Windows Vista By default when a Peer G
At least Windows XP Professional with SP2 This setting turns off Mic
At least Windows XP Professional with SP2 This policy setting limits a
At least Windows XP Professional with SP2 This setting sets the seed
At least Windows XP Professional with SP2 This setting disables PNR
At least Windows XP Professional with SP2 This policy setting enable
At least Windows Server 2008 R2 or Windows 7 Specifies whether or not
At least Windows Server 2003 operating systems or Windows XP Professional Determines whether a us
Windows Server 2003 and Windows XP only Prohibits use of Internet
At least Windows Server 2003 operating systems or Windows XP Professional Determines whether adm
At least Windows Server 2008 R2 or Windows 7 This policy setting determ
At least Windows XP Professional with SP2 Allows unsolicited incom
At least Windows XP Professional with SP2 Defines the set of Interne
At least Windows XP Professional with SP2 Allows inbound file and p
At least Windows XP Professional with SP2 Allows remote administr
At least Windows XP Professional with SP2 Allows this computer to r
At least Windows XP Professional with SP2 Allows administrators to
At least Windows XP Professional with SP2 Allows Windows Defende
At least Windows XP Professional with SP2 Allows you to view and c
At least Windows XP Professional with SP2 Specifies that Windows D
At least Windows XP Professional with SP2 Prevents Windows Defen
At least Windows XP Professional with SP2 Prevents this computer f
At least Windows XP Professional with SP2 Turns on Windows Defen
At least Windows XP Professional with SP2 Defines the set of Interne
At least Windows XP Professional with SP2 Allows inbound file and p
At least Windows XP Professional with SP2 Allows remote administr
At least Windows XP Professional with SP2 Allows Windows Defende
At least Windows XP Professional with SP2 Specifies that Windows D
At least Windows XP Professional with SP2 Prevents Windows Defen
At least Windows XP Professional with SP2 Prevents this computer f
At least Windows XP Professional with SP2 Turns on Windows Defen
At least Windows Server 2008 R2 or Windows 7 This policy setting enable
At least Windows Server 2016 Windows 10 Version 1709 This policy setting enable
At least Windows Server 2012 Windows 8 or Windows RT This Policy setting enable
At least Windows Server 2012 Windows 8 or Windows RT This setting does not app
At least Windows Vista This policy setting configu

Windows Server 2003 Windows XP and Windows 2000 only Determines whether net
At least Windows 2000 This policy setting determ
Windows Server 2003 Windows XP and Windows 2000 only Deletes local copies of th
Windows XP Professional only Configures the threshold
Windows Server 2003 Windows XP and Windows 2000 only Limits the percentage of
At least Windows Server 2012 Windows 8 or Windows RT This policy setting determ
At least Windows Server 2003 operating systems Service Pack 1 Windows XP Professional Service Pa This policy setting determ
Windows Server 2003 Windows XP and Windows 2000 only Determines which events
Windows Server 2003 Windows XP and Windows 2000 only Lists types of files that ca
Windows Server 2003 Windows XP and Windows 2000 only Determines how long the
Windows Server 2003 Windows XP and Windows 2000 only Determines how comput
Windows Server 2003 Windows XP and Windows 2000 only Disables the Offline Files
Windows Server 2003 Windows XP and Windows 2000 only Prevents users from enab
Windows Server 2003 Windows XP and Windows 2000 only Determines how often re
Windows Server 2003 Windows XP and Windows 2000 only Determines how long up
At least Windows 2000 This policy setting preven
At least Windows Server 2012 Windows 8 or Windows RT This policy setting remov
At least Windows 2000 This policy setting lists ne
Windows Server 2003 Windows XP and Windows 2000 only Makes subfolders availab
Windows Server 2003 Windows XP and Windows 2000 only Determines whether offl
Windows Server 2003 Windows XP and Windows 2000 only Hides or displays reminde
At least Windows Server 2003 operating systems or Windows XP Professional Specifies the maximum n
At least Windows Server 2003 operating systems or Windows XP Professional Determines the percenta
At least Windows Server 2003 operating systems or Windows XP Professional Determines the smallest
At least Windows Server 2003 operating systems or Windows XP Professional Specifies an alternate Lay
At least Windows Server 2003 operating systems or Windows XP Professional Specifies an alternate link
At least Windows Server 2003 operating systems or Windows XP Professional This policy setting configu
At least Windows Server 2003 operating systems or Windows XP Professional This policy setting determ
At least Windows Server 2008 R2 or Windows 7 This policy setting allows
Windows Server 2008 Windows 7 Windows Vista and Windows 10 This policy setting allows
At least Windows Vista This policy setting prohib
At least Windows Server 2016 Windows 10 Version 1709 This policy setting determ
At least Windows Server 2012 Windows 8 or Windows RT This policy setting de
At least Windows Server 2012 Windows 8 or Windows RT This policy setting preven
At least Windows Server 2016 Windows 10 This policy applies to Wir
At least Windows Server 2016 Windows 10 This policy applies to Wir
At least Windows Server 2012 Windows 8 or Windows RT This policy setting configu
At least Windows Server 2016 Windows 10 Version 1703 This policy setting specifi
At least Windows Server 2016 Windows 10 This policy setting configu
Windows 2000 only Internet printing lets you
At least Windows Vista If you enable this policy s
At least Windows Vista This policy sets the maxim
At least Windows Server 2012 Windows 8 or Windows RT This policy controls w
At least Windows Server 2003 This policy controls whet
At least Windows 2000 Determines whether the
At least Windows Server 2012 Windows 8 or Windows RT Determines whether the
At least Windows Vista When printing through a
Windows Server 2003 Windows XP and Windows 2000 only Determines whether the
At least Windows Server 2012 Windows 8 or Windows RT Microsoft XPS Document
At least Windows 2000 Directs the system to per
At least Windows 2000 If this policy setting is ena
Windows Server 2003 Windows XP and Windows 2000 only By default the Printers fo
At least Windows 2000 Specifies how often the p
At least Windows 2000 Sets the priority of the pr
At least Windows 2000 Specifies how many time
Windows Server 2003 Windows XP and Windows 2000 only Determines whether prin
At least Windows Server 2012 Windows 8 or Windows RT This policy determines if
At least Windows Server 2016 Windows 10 Determines whethe
At least Windows Server 2012 Windows 8 or Windows RT Determines if print driver
At least Windows Server 2016 Windows 10 This setting is a co
At least Windows Server 2003 operating systems or Windows XP Professional Specifies whether or not
At least Windows Vista This policy restricts client
At least Windows Vista Restricts package point a
At least Windows 2000 Enables the physical Loca
At least Windows 2000 Announces the presence
At least Windows Server 2016 Windows 10 Version 1803 This policy allows you to
At least Windows 2000 Prevents the operating sy
At least Windows Server 2016 or Windows 10 If you enable this policy a
Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 only This policy setting allows
At least Windows Server 2016 Windows 10 Version 1803 This policy allows you to
At least Windows Server 2016 Windows 10 If you enable this setting
At least Windows Server 2016 Windows 10 This policy setting preven
Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista Windows XP and Windows 1 If you enable this setting
At least Windows Server 2016 Windows 10 Version 1909 If you enable this policy s
At least Windows Server 2016 Windows 10 Specifies the Start layout
At least Windows Server 2016 Windows 10 This policy sets a special
At least Windows Server 2012 Windows 8 or Windows RT This policy setting b
Windows Server 2003 only This policy setting define
Windows Server 2003 Windows XP and Windows 2000 only Specifies that Distributed
At least Windows 2000 This policy setting directs
At least Windows Server 2003 operating systems or Windows XP Professional The Shutdown Event Trac
At least Windows Server 2003 This policy setting allows
At least Windows Server 2003 operating systems or Windows XP Professional with SP1 This policy setting allows
Windows Server 2003 Windows XP and Windows 2000 only This policy setting suppre
At least Internet Explorer 6 Service Pack 1 This policy setting allows
At least Windows Server 2003 operating systems or Windows XP Professional This policy setting all
At least Windows Server 2003 operating systems or Windows XP Professional Specifies an alternate loc
At least Windows Server 2003 operating systems or Windows XP Professional Specifies an alternate loc
At least Windows Server 2012 Windows 8 or Windows RT This Group Policy Setting
At least Windows Server 2016 or Windows 10 This policy setting allows
At least Windows Server 2008 R2 or Windows 7 The program collects info
At least Windows Server 2008 R2 or Windows 7 Migration mode allows th
At least Windows Server 2008 R2 or Windows 7 Specifies the location wh
At least Windows Server 2008 R2 or Windows 7 Specifies the location wh
At least Windows Server 2008 R2 or Windows 7 Specifies the file paths re
At least Windows Server 2008 R2 or Windows 7 Specifies the registry pat
At least Windows Server 2016 or Windows 10 Enables automatic cleanu
At least Windows Server 2016 or Windows 10 Enables background sync
At least Windows Server 2008 R2 or Windows 7 Enables a UX to display to
At least Windows Server 2008 R2 or Windows 7 Publishing Server Disp
At least Windows Server 2008 R2 or Windows 7 Reporting Server URL: Di
At least Windows Server 2008 R2 or Windows 7 Enables scripts defined in
At least Windows Server 2008 R2 or Windows 7 This setting controls whe
At least Windows Server 2008 R2 or Windows 7 Specifies the path to a va
At least Windows Server 2008 R2 or Windows 7 If enabled the App-V clie
At least Windows Server 2008 R2 or Windows 7 Specifies the CLSID for a
At least Windows Server 2008 R2 or Windows 7 Specifies directory where
At least Windows Server 2008 R2 or Windows 7 Overrides source location
At least Windows Server 2008 R2 or Windows 7 Specifies the number of s
At least Windows Server 2008 R2 or Windows 7 Specifies the number of ti
At least Windows Server 2008 R2 or Windows 7 Requires admin privilege
At least Windows Server 2008 R2 or Windows 7 Specifies that streamed p
At least Windows Server 2008 R2 or Windows 7 Specifies how new packa
At least Windows Server 2008 R2 or Windows 7 Verifies Server certificate
At least Windows Server 2008 R2 or Windows 7 Enables Dynamic Virtuali
At least Windows Server 2008 R2 or Windows 7 Specifies a list of process
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 This policy setting determ
At least Windows Vista This policy setting applies
At least Windows Vista Encryption Oracle Remed
At least Windows Server 2016 Windows 10 Version 1703 Remote host allows dele
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 When running in Restrict
At least Windows Server 2016 Windows 10 Deploy Windows Defend
At least Windows Server 2016 Windows 10 Specifies whether Virtual

At least Windows Server 2016 Windows 10 Version 1709 This group policy enables
Windows Server 2008 Windows 7 and Windows Vista This policy setting allows
Windows Server 2016 Version 1709 Windows 10 Version 1709 Windows Server 2016 Version 1703 Windows has a feature th
Windows Server 2016 Version 1709 Windows 10 Version 1709 Windows Server 2016 Version 1703 Windows has a feature th
At least Windows Server 2016 Windows 10 Version 1909 This policy setting allows
At least Windows Server 2008 R2 or Windows 7 This policy setting establi
At least Windows Vista This policy setting turns o
At least Windows 2000 This policy setting extend
At least Windows 2000 This policy setting turns o
At least Windows 2000 This policy setting specifi
At least Windows Server 2016 Windows 10 Version 1803 Per Process System DPI is
At least Windows Server 2016 Windows 10 Version 1703 GDI DPI Scaling enables a
At least Windows Server 2016 Windows 10 Version 1703 GDI DPI Scaling enables a
At least Windows XP Professional with SP2 Allows you to specify tha
Windows Server 2008 Windows Server 2003 Windows Vista and Windows XP SP2 Specifies whether the ad
At least Windows Server 2012 Windows 8 or Windows RT This policy setting allows
At least Windows Server 2008 R2 or Windows 7 This policy setting configu
At least Windows Server 2008 R2 or Windows 7 This policy setting locks E
At least Windows Server 2012 Windows 8 or Windows RT Determines whether the
At least Windows Server 2008 R2 or Windows 7 Delete notification is a fe
At least Windows Server 2016 Windows 10 Enabling Win32 long path
At least Windows Vista Symbolic links can introd
At least Windows Server 2008 R2 or Windows 7 Compression can add to
At least Windows Server 2008 R2 or Windows 7 Encryption can add to th
At least Windows Server 2012 Windows 8 or Windows RT TXF deprecated features
At least Windows Server 2016 Windows 10 By default NTFS allocates
At least Windows Server 2008 R2 or Windows 7 Encrypting the page file p
At least Windows Server 2016 Windows 10 For NTFS tiered volumes
At least Windows Server 2016 Windows 10 When flushing modified fi
At least Windows Server 2016 Windows 10 When flushing modified fi
At least Windows Server 2008 R2 or Windows 7 These settings provide co
Windows Server 2003 and Windows XP only This policy setting lets yo
At least Windows Vista This policy directs Group
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 This policy setting all
At least Windows 2000 This policy setting define
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Enter â€œ0â€ to di

At least Windows Server 2003 operating systems or Windows XP Professional This policy setting contro
At least Windows Server 2012 Windows 8 or Windows RT Enabling this setting will
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 This policy setting all
At least Windows Server 2016 Windows 10 Version 1803 This policy allows IT adm
At least Windows Vista This policy setting preven
At least Windows Server 2003 operating systems or Windows XP Professional This setting allows you to
At least Windows XP Professional with SP2 This policy setting specifi
At least Windows Server 2003 operating systems Windows XP Professional Service Pack 1 or WindowsThis policy setting allows
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2 This policy setting specifi
At least Windows Server 2008 R2 or Windows 7 Turns off data sharing fro
At least Windows Vista Turns off the handwriting
At least Windows Server 2003 operating systems or Windows XP Professional with SP2 This policy setting specifi
Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista and Windows XP This policy setting specifi
Windows Server 2008 Windows Server 2003 Windows Vista and Windows XP SP2 This policy setting specifi
At least Windows Vista If enabled then only thos
At least Windows Vista If enabled then do not a
At least Windows Vista If enabled then do not a
At least Windows Vista If enabled then new targ
At least Windows Vista If enabled then discovere
At least Windows Vista If enabled then new iSNS
At least Windows Vista If enabled then new targ
At least Windows Server 2016 Windows 10 Support for PKInit Freshn
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 This policy setting allows
At least Windows Server 2008 R2 or Windows 7 This policy setting define
At least Windows Server 2016 Windows 10 This policy setting allows
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 This policy setting contro
At least Windows Server 2016 Windows 10 Support for device authe
At least Windows Server 2008 R2 or Windows 7 This policy setting define
At least Windows Server 2016 Windows 10 Enumeration policy for e
At least Windows Server 2012 Windows 8 or Windows RT This policy prevents
Windows Server 2003 and versions of Windows from Windows XP Professional through Windows 7. This policy is not availabl
Windows Server 2008 R2 and Windows 7 This policy setting ignore
At least Windows Server 2016 Windows 10 This policy prevents the u
Windows 2000 only This policy setting hides t
At least Windows 2000 This policy setting ignore
At least Windows 2000 This policy setting ignore
At least Windows Server 2016 Windows 10 Version 1903 This policy setting disable
Windows operating systems from Windows Vista through Windows 7 This policy is not availabl
At least Windows 10 This policy setting allows
At least Windows Server 2016 Windows 10 This security feature
At least Windows Server 2016 Windows 10 This security feature prov
At least Windows Server 2003 operating systems or Windows XP Professional This policy setting define
At least Windows Server 2003 This policy setting contro
At least Windows Server 2003 operating systems or Windows XP Professional This policy setting specifi
At least Windows Server 2003 This policy setting specifi
At least Windows Vista This policy setting detrem
At least Windows Vista This policy setting enable
At least Windows Server 2012 R2 or Windows 8.1 This policy setting specifi
Unknown This policy setting configu
At least Windows Server 2016 Windows 10 This policy setting
At least Windows 10 This setting specifies the
At least Windows 10 This setting specifies the
At least Windows 10 Maximum PIN length con
At least Windows 10 Minimum PIN length con
At least Windows 10 Use this policy setting to
Windows Vista only This policy setting specifi
Windows Vista only This policy setting specifi
At least Windows Vista This policy setting manag
At least Windows Vista This policy setting manag
Windows Server 2008 R2 and Windows 7 Requirements: Window
At least Windows Vista This policy setting enable
At least Windows Vista This policy setting lets yo
At least Windows XP Professional with SP2 This policy setting contro
At least Windows XP Professional with SP2 This policy setting contro
At least Windows Server 2003 operating systems or Windows XP Professional with SP1 This policy setting contro
At least Windows Vista Configure access to all re
At least Windows Vista This policy setting grants
At least Windows Server 2008 R2 or Windows 7 This policy setting denies
At least Windows Vista This policy setting denies
At least Windows 2000 This policy setting display
At least Windows 2000 This policy setting display
At least Windows 2000 This policy setting lets th
Windows Server 2008 and Windows Server 2008 R2 operating systems only This policy setting allows
At least Windows Server 2016 Windows 10 This policy setting enable
At least Windows Server 2016 Windows 10 Version 1709 Allows downloading
Unknown Storage Sense can autom
Unknown When Storage Sense run
Unknown Storage Sense can autom
At least Windows Server 2008 R2 or Windows 7 Allows you to disable Sys
At least Windows Server 2008 R2 or Windows 7 Allows you to disable Sys
At least Windows Vista This setting exists only fo
Windows Server 2008 with Desktop Experience installed or Windows Vista This policy setting substit
Windows Server 2008 with Desktop Experience installed or Windows Vista This policy setting determ
At least Windows Server 2008 R2 or Windows 7 This policy setting permit
At least Windows Server 2016 Windows 10 Version 1903 This policy setting configu
At least Windows Server 2008 R2 or Windows 7 Determines whether sch
At least Windows Vista Determines the executio
At least Windows Server 2003 operating systems or Windows XP Professional This policy setting adds th
At least Windows 2000 This policy setting define
At least Windows 2000 This policy setting disable
At least Windows Server 2003 operating systems Windows XP Professional Service Pack 1 or WindowsThis policy setting disable
At least Windows 2000 This policy setting will au
Windows Server 2003 Windows XP and Windows 2000 only This policy setting contro
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2 This policy setting determ
Windows Server 2003 Windows XP and Windows 2000 only This policy setting determ
At least Windows Server 2003 operating systems or Windows XP Professional This setting determines if
At least Windows 2000 This policy setting provid
At least Windows Server 2008 R2 or Windows 7 This policy setting sets th
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 This policy setting turns o
At least Windows Server 2012 Windows 8 or Windows RT This setting prevents use
Windows Server 2003 Windows XP and Windows 2000 only This policy setting hides t
Windows Server 2003 Windows XP and Windows 2000 only This policy setting specifi
Windows Server 2003 Windows XP and Windows 2000 only This policy setting allows
Windows Server 2003 Windows XP and Windows 2000 only This policy setting specifi
At least Windows Server 2008 R2 or Windows 7 By default Add features t
At least Windows Server 2016 Windows 10 Manages a Windows app
At least Windows Server 2012 Windows 8 or Windows RT Allows or denies dev
At least Windows Server 2016 Windows 10 This policy setting contro
At least Windows 8.1 Update 2 This policy setting all
At least Windows Server 2016 Windows 10 Manages non-Administra
At least Windows 8.1 Update 2 Prevent users' app d
At least Windows Server 2016 Windows 10 This policy setting specifi
At least Windows Server 2016 Windows 10 Version 1703 This policy setting specifi
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 This policy setting lets yo
At least Windows Server 2012 Windows 8 or Windows RT This policy setting lets yo
At least Windows Server 2012 Windows 8 or Windows RT This policy setting lets yo
At least Windows Server 2016 Windows 10 This policy setting co
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 This policy setting lets yo
At least Windows Server 2003 Specifies whether to prev
At least Windows Server 2003 This policy controls the v
At least Windows Server 2003 This policy controls the s
At least Windows Server 2008 R2 or Windows 7 The policy controls the st
At least Windows Server 2008 R2 or Windows 7 The policy controls the st
At least Windows Server 2008 R2 or Windows 7 This policy setting disallo
At least Windows Vista This policy setting sets th
At least Windows Server 2016 or Windows 10 This policy setting determ
Windows Server 2008 and Windows Vista This policy setting allows
Windows Server 2012 R2 Windows 8.1 Windows Server 2012 Windows 8 Windows Server 2008 WindThis policy setting contro
At least Windows Server 2012 or Windows 8 This policy setting contro
At least Windows Server 2008 R2 or Windows 7 This policy setting a
At least Windows Server 2016 or Windows 10 This policy setting lets yo
At least Windows Server 2012 or Windows 8 This policy setting specifi
At least Windows Server 2016 Windows 10 This policy settin
At least Windows Server 2016 Windows 10 Version 1909 This policy setting lets yo
At least Windows 10 This policy setting turns o
At least Windows Server 2012 Windows 8 or Windows RT or at least Internet Explorer 10 This policy setting allows
At least Windows Server 2016 Windows 10 Version 1903 If you turn this policy setti
At least Windows Vista This policy setting require
At least Windows Server 2016 Windows 10 Version 1903 AllowCommercialDataPip
At least Windows Server 2016 Windows 10 Version 1909 Allows IT admins to
At least Windows Server 2016 Windows 10 Version 1803 This policy allows the dev
At least Windows Server 2016 Windows 10 By configuring this policy
At least Windows Server 2016 Windows 10 This policy setting blocks
At least Windows Server 2016 Windows 10 With this policy setting yo
At least Windows Server 2016 Windows 10 Version 1803 This policy setting determ
At least Windows Server 2016 Windows 10 Version 1809 This policy sets the uploa
At least Windows Server 2016 Windows 10 This policy setting define
At least Windows Server 2016 Windows 10 Version 1909 This policy setting limits t
At least Windows Server 2016 Windows 10 Version 1709 This policy setting in com
Windows Server 2016 Windows 10 up to Version 1703 This policy setting determ
At least Windows Server 2016 Windows 10 Specifies the maximum s
At least Windows Server 2016 Windows 10 Specify any value betwee
At least Windows Server 2016 Windows 10 This policy allows you to
At least Windows Server 2016 Windows 10 Set this policy to delay th
At least Windows Server 2016 Windows 10 Set this policy to delay th
At least Windows Server 2016 Windows 10 Specifies the download m
At least Windows Server 2016 Windows 10 Specify "true" to allow th
At least Windows Server 2016 Windows 10 Group ID must be set as a
At least Windows Server 2016 Windows 10 Specifies the maximum ti
At least Windows Server 2016 Windows 10 Specifies the maximum c
At least Windows Server 2016 Windows 10 Specifies the maximum b
At least Windows Server 2016 Windows 10 Specifies the maximum f
At least Windows Server 2016 Windows 10 Specifies the minimum d
At least Windows Server 2016 Windows 10 Specifies the required mi
At least Windows Server 2016 Windows 10 Specifies the minimum co
At least Windows Server 2016 Windows 10 Specifies the minimum R
At least Windows Server 2016 Windows 10 Specifies the drive Delive
At least Windows Server 2016 Windows 10 Specifies the maximum t
At least Windows Server 2016 Windows 10 Set this policy to restrict
At least Windows Server 2016 Windows 10 Set this policy to restrict
At least Windows Server 2012 Windows 8 or Windows RT Changes behavior of Mic
At least Windows Server 2012 Windows 8 or Windows RT Changes behavior of 3rd-
At least Windows Server 2012 R2 or Windows 8.1 This setting lets you confi
At least Windows Vista Specifies whether Digital
At least Windows Server 2016 Windows 10 If you disable this policy s
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Disables help tips that W
At least Windows Server 2016 Windows 10 This policy setting lets yo
At least Windows XP Professional with SP2 This is the program that w
At least Windows XP Professional with SP2 This specifies the comma
At least Windows XP Professional with SP2 This is the URL that will b
At least Windows Server 2012 Windows 8 or Windows RT This policy allows you to
At least Windows Vista Changes the behavior of
At least Windows Server 2012 Windows 8 or Windows RT This policy removes the e
At least Windows Server 2012 Windows 8 or Windows RT This policy specifies the p
At least Windows Server 2008 R2 or Windows 7 Sets the target of the Mo
At least Windows Server 2012 Windows 8 or Windows RT Shows or hides hibernate
At least Windows Server 2012 Windows 8 or Windows RT Shows or hides lock from
At least Windows Server 2012 Windows 8 or Windows RT Shows or hides sleep from
At least Windows Server 2008 R2 or Windows 7 Disabling data execution
At least Windows Vista Disabling heap terminatio
At least Windows XP Professional with SP2 This policy setting allows
Supported Windows Vista through Windows 7 This policy setting lets yo
At least Windows Vista This setting lets you supp
At least Windows 10 This policy turns on Find
At least Windows Server 2016 Windows 10 Version 1709 The handwriting panel ha
At least Internet Explorer 7.0 This policy setting allows
At least Internet Explorer 11.0 Enables you to configure
Only Internet Explorer 5.0 and Internet Explorer 6.0 Prevents Internet Explore
At least Internet Explorer 5.0 This setting specifies to a
At least Internet Explorer 5.0 Prevents users from chan
At least Internet Explorer 8.0 Secondary home pages a
At least Internet Explorer 5.0 This policy settings disab
At least Internet Explorer 11.0 This policy lets you restri
Only Internet Explorer 5.0 and Internet Explorer 6.0 Prevents Internet Explore
Only Internet Explorer 5.0 Prevents the Internet Exp
Only Internet Explorer 5.0 and Internet Explorer 6.0 Specifies that programs u
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic This policy setting allows
At least Internet Explorer 11.0 This policy setting lets ad
At least Internet Explorer 10.0 This policy setting configu
At least Internet Explorer 11.0 Prevents intranet sites fr
At least Internet Explorer 11.0 This policy setting lets yo
At least Internet Explorer 5.0 Applies proxy settings to
At least Internet Explorer 7.0 This policy setting preven
At least Internet Explorer 8.0 This policy setting determ
At least Internet Explorer 5.0 This policy setting specifi
Only Internet Explorer 7.0 and Internet Explorer 8.0 This policy setting preven
At least Internet Explorer 7.0 You can allow pop-ups fr
Only Internet Explorer 7.0 This policy setting preven
At least Internet Explorer 7.0. Not supported on Windows Vista This policy setting preven
At least Internet Explorer 5.0 Prevents users from addi
At least Internet Explorer 5.0 Prevents users from chan
At least Internet Explorer 5.0 Applies security zone info
At least Internet Explorer 11.0 on Windows 10 vertion 1607 or later This setting lets you decid
At least Internet Explorer 11.0 on Windows 10 vertion 1607 or later This policy setting lets yo
At least Internet Explorer 8.0 This policy setting turns o
Only Internet Explorer 8.0 This policy setting allows
Internet Explorer 7.0 to Internet Explorer 10.0 This policy setting allows
At least Internet Explorer 5.0 This AutoComplete featu
At least Internet Explorer 9.0 This policy setting contro
At least Internet Explorer 7.0 This policy setting logs in
At least Internet Explorer 11.0 This policy setting lets yo
At least Internet Explorer 8.0 This policy setting restric
At least Internet Explorer 8.0 This policy controls the w
Internet Explorer 8.0 to Internet Explorer 10.0 This policy setting contro
At least Internet Explorer 8.0 Compatibility View deter
At least Internet Explorer 5.0 This setting specifies the
At least Internet Explorer 9.0 In Internet Explorer 9 and
Only Internet Explorer 8.0 This policy setting preven
Only Internet Explorer 5.0 through Internet Explorer 7.0 This policy setting is used
At least Internet Explorer 5.0 Removes the Advanced t
At least Internet Explorer 5.0 Removes the Connection
At least Internet Explorer 5.0 If you enable this policy s
At least Internet Explorer 5.0 Removes the General tab
At least Internet Explorer 5.0 Removes the Privacy tab
At least Internet Explorer 5.0 Removes the Programs ta
At least Internet Explorer 5.0 Removes the Security tab
Only Internet Explorer 6.0 in Windows 2003 Service Pack 1 This policy setting allows
At least Internet Explorer 11.0 on Windows 10 This policy setting determ
Only Internet Explorer 11.0 on Windows 8.1 This policy setting determ
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1 This policy setting allows
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1. Not supported on Windows Vista This policy setting allows
Only Internet Explorer 6.0 in Windows 2003 Service Pack 1 This policy setting specifi
At least Internet Explorer 10.0 on Windows 8 This policy setting determ
At least Internet Explorer 10.0 Enhanced Protected Mod
At least Internet Explorer 10.0 This policy setting shows
At least Internet Explorer 10.0 This policy setting configu
At least Internet Explorer 10.0 This policy setting sets fil
At least Internet Explorer 10.0 This policy setting sets th
At least Internet Explorer 10.0 This policy setting sets da
At least Internet Explorer 10.0 This policy setting sets da
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic This template policy setti
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic This policy setting contro
At least Internet Explorer 7.0 This policy setting enable
At least Internet Explorer 7.0 This policy setting causes
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throuThis policy setting allows
At least Internet Explorer 11.0 on Windows 10 vertion 1607 or later This policy setting contro
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic This policy setting manag
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic This policy setting determ
At least Internet Explorer 8.0 This policy controls whet
At least Internet Explorer 7.0 in Windows Vista This policy setting allows
At least Internet Explorer 10.0 on Windows 8 This policy setting configu
At least Internet Explorer 10.0 on Windows 8 This policy setting allows
At least Internet Explorer 9.0 This policy allows the use
At least Internet Explorer 11.0 on Windows 10 version 1703 or later This policy setting allows
Only Internet Explorer 9.0 through 11.0. Not supported on Windows 10 This policy setting allows
At least Internet Explorer 10.0 The WebSocket object al
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic For each zone the Binary
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic Internet Explorer contain
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic Internet Explorer uses M
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic Internet Explorer places z
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic The MK Protocol Security
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic Internet Explorer may be
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic File Explorer and Interne
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic Internet Explorer may be
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic For each zone the Netwo
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic This policy setting define
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic Internet Explorer places r
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic This policy setting enable
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic Internet Explorer allows s
Windows Server 2003 only This policy setting preven
At least Windows Server 2008 R2 or Windows 7 This policy setting tu
Windows Server 2012 Windows 8 Windows RT Windows Server 2012 R2 Windows 8.1 or Windows RT This policy setting tu
At least Windows Server 2012 Windows 8 or Windows RT This policy setting a
At least Windows 10 Enables or disables the a
At least Windows 10 This policy setting
At least Windows Server 2016 Windows 10 Version 1703 This setting controls whe
At least Windows Server 2016 Windows 10 Version 1607 Enable or disable de
At least Windows Server 2012 Windows 8 or Windows RT This policy if defined will
At least Windows Server 2016 Windows 10 This policy setting define
At least Windows Vista This policy setting allow
At least Windows Vista This policy setting all
At least Windows Server 2016 Windows 10 Use this policy setting to
At least Windows Vista This policy setting allo
At least Windows Server 2016 Windows 10 Version 1709 Allows an administrator t
At least Windows Server 2016 Allows an administra
At least Windows Server 2016 Windows 10 This feature ensures the
At least Windows Vista This policy setting co
At least Windows Server 2016 Windows 10 Version 1709 Set the state for each A
At least Windows Server 2016 Windows 10 Version 1709 Exclude files and paths
At least Windows Server 2016 Windows 10 Version 1709 Add additional applicati
At least Windows Server 2016 Windows 10 Version 1709 Enable or disable con
At least Windows Server 2016 Windows 10 Version 1709 Specify additional folde
At least Windows Server 2016 Windows 10 Version 1709 Enable or disable Micro
At least Windows Server 2016 Windows 10 Version 1709 Disabled (Default): If
At least Windows Server 2016 Windows 10 This feature allows M
Unknown Enable or disable file
At least Windows Server 2016 Windows 10 This policy setting det
At least Windows Server 2016 Windows 10 Version 1709 Disabled (Default): If
At least Windows Server 2012 Windows 8 or Windows RT This policy configures Wi
At least Windows Server 2016 Windows 10 Use this policy setting
At least Windows Server 2016 Windows 10 Version 1809 This policy setting all
At least Windows Server 2012 Windows 8 or Windows RT This policy setting allow
At least Windows Server 2012 Windows 8 or Windows RT Disabled (Default): U
At least Windows Server 2012 Windows 8 or Windows RT This policy setting custom
At least Windows Server 2016 Windows 10 Version 1709 Specify a common set of
At least Windows Server 2016 Windows 10 This policy allows users t
At least Windows Server 2016 or Windows 10 This policy setting configu
at least Windows NetMeeting v3.0 Disables the remote desk
Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 only This policy setting allows
At least Windows Server 2008 R2 or Windows 7 Enable this setting to pre
At least Windows Server 2008 R2 or Windows 7 This policy setting lets yo
Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 only This policy setting lets yo
Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 only This policy setting lets yo
At least Windows Server 2016 Windows 10 Version 1809 When logging into a new
At least Windows Server 2012 Windows 8 or Windows RT Specifies whether the PC
At least Windows Server 2012 Windows 8 or Windows RT Specifies whether the PC
At least Windows Server 2016 Windows 10 If you enable this setting
At least Windows Vista with Service Pack 1 This policy setting allows
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2 Controls whether passwo
At least Windows Vista with Service Pack 1 This policy setting determ
At least Windows 8 or Windows RT This policy setting specifi
At least Windows 7 with Service Pack 1 or Windows Server 2008 R2 with Service Pack 1 This policy setting allows
At least Windows Server 2008 R2 This policy setting specifi
At least Windows Server 2003 operating systems or Windows XP Professional Specifies whether to allo
At least Windows XP and Windows Server 2003 only This policy setting determ
At least Windows Server 2003 Specifies whether Remot
Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista an If you enable this policy s
At least Windows 8 Enterprise or Windows Server 2012 This policy setting allows
At least Windows Server 2008 R2 Fair Share CPU Schedulin
At least Windows Server 2003 This policy setting determ
At least Windows Server 2016 Windows 10 Version 1803 This policy setting lets yo
At least Windows Server 2003 with Service Pack 1 This policy setting determ
At least Windows Server 2003 with Service Pack 1 This policy setting all
At least Windows Server 2003 with Service Pack 1 This policy setting allows
Windows Server 2003 with Service Pack 1 only This policy setting allows
At least Windows Server 2008 R2 This policy setting allows
At least Windows Server 2003 Specifies whether Remot
At least Windows Server 2003 with Service Pack 2 This policy setting allows
At least Windows Server 2003 Enterprise Edition This policy setting allows
Windows Server 2008 R2 only This policy setting allows
At least Windows Server 2003 with Service Pack 1 This policy setting determ
At least Windows Server 2016 Windows 10 This policy setting lets yo
At least Windows Server 2008 R2 This policy setting allows
At least Windows Server 2003 operating systems or Windows XP Professional Specifies whether deskto
Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista and Windows XP This policy setting allows
At least Windows Server 2016 Windows 10 This policy setting prioriti
At least Windows 2000 Terminal Services This policy setting allows
At least Windows 2000 Terminal Services Specifies whether to rem
At least Windows Server 2003 Configures Remote Deskt
At least Windows Server 2012 R2 or Windows 8.1 This policy setting allows
At least Windows Server 2012 Windows 8 or Windows RT This policy setting enable
Windows 10 Version 1903 Windows 10 Version 1909 and Windows 10 Version 2004 This policy setting lets yo
Windows 7 or Windows Server 2008 R2 (and their subsequent Service Packs) only This policy setting allows
At least Windows Server 2003 Specifies whether a Rem
At least Windows Server 2003 operating systems or Windows XP Professional Specifies whether to requ
Microsoft Windows XP or Windows Server 2003 with Windows Search version 3.01 or later Enabling this policy allow
At least Windows Server 2016 Windows 10 Allow search and Cortana
At least Windows Server 2016 Windows 10 Allow the cortana opt-in
Microsoft Windows Vista or any version of Windows with Windows Search 4.0 or later This policy setting allows
Microsoft Windows Vista or any version of Windows with Windows Search 3.01 or later This policy setting allows
Microsoft Windows 8 or later This policy setting determ
Microsoft Windows XP or Windows Server 2003 with Windows Search version 3.01 or later Enabling this policy defin
Microsoft Windows XP Windows Server 2003 with Windows Search version 3.01 or any version of MicEnabling this policy allow
Any version of Microsoft Windows with Windows Search 4.0 or later If enabled the search ind
Microsoft Windows 8.1 or later This policy setting configu
Microsoft Windows XP or Windows Server 2003 with Windows Search version 3.01 or later Enabling this policy remo
Microsoft Windows 8.1 or later This policy setting allows
Microsoft Windows 8.1. Not supported on Windows 10 or later This policy setting allows
Any version of Microsoft Windows with Windows Search 4.0 or later Enabling this policy allow
Microsoft Windows Vista or any version of Windows with Windows Search 3.01 or later Enabling this policy allow
Any version of Microsoft Windows with Windows Search 4.0 or later When using Microsoft Offi
Microsoft Windows Vista or any version of Windows with Windows Search 3.01 or later Store indexer database in
Any version of Microsoft Windows with Windows Search 4.0 or later Enabling this policy preve
Microsoft Windows XP or Windows Server 2003 with Windows Search version 4.0 or later This policy setting allows
Any version of Microsoft Windows with Windows Search 4.0 This policy setting configu
Any version of Microsoft Windows with Windows Search 4.0 or later If enabled clients will be
Microsoft Windows XP Windows Server 2003 with Windows Search version 3.01 or any version of MicIf enabled Search and Ind
Microsoft Windows XP Windows Server 2003 with Windows Search version 3.01 or any version of MicIf you enable this policy s
Microsoft Windows Vista or any version of Windows with Windows Search 3.01 or later Enable this policy setting
Microsoft Windows Vista or later If enabled files on netwo
Microsoft Windows Vista or any version of Windows with Windows Search 3.01 or later Enable this policy to prev
Microsoft Windows Vista or any version of Windows with Windows Search 3.01 or later Enable this policy to prev
Microsoft Windows XP Windows Server 2003 with Windows Search version 3.01 or any version of MicIf enabled the indexer pa
Microsoft Windows Vista or any version of Windows with Windows Search 3.01 or later This policy setting hides o
Microsoft Windows XP Windows Server 2003 with Windows Search version 3.01 or any version of M Enabling this policy preve
Microsoft Windows XP Windows Server 2003 with Windows Search version 3.01 or any version of MicEnabling this policy preve
At least Windows Vista This policy setting permit
At least Windows Vista This policy settings lets y
At least Windows Vista Service Pack 1 This policy setting preven
At least Windows Server 2016 Windows 10 This policy setting lets
At least Windows Vista Specifies whether Sound
At least Windows Server 2016 Windows 10 Specifies whether the de
At least Windows Server 2016 Windows 10 DisableÂ turns off the lau
At least Windows Server 2016 Windows 10 Denies access to the reta
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Enables or disables the a
At least Windows Server 2012 Windows 8 or Windows RT Enables or disables the a
At least Windows Server 2012 Windows 8 or Windows RT Enables or disables the S
At least Windows Server 2012 Windows 8 or Windows RT Denies or allows access t
At least Windows Server 2012 Windows 8 or Windows RT Prevent syncing to and fr
At least Windows Server 2012 Windows 8 or Windows RT Prevent the "app settings
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Prevent the "AppSyn
At least Windows Server 2012 Windows 8 or Windows RT Prevent the "browser" gr
At least Windows Server 2012 Windows 8 or Windows RT Prevent the "desktop per
At least Windows Server 2012 Windows 8 or Windows RT Prevent syncing to and fr
At least Windows Server 2012 Windows 8 or Windows RT Prevent the "Other Wind
At least Windows Server 2012 Windows 8 or Windows RT Prevent the "passwords"
At least Windows Server 2012 Windows 8 or Windows RT Prevent the "personalize
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Prevent the "Start la
Windows Vista only Prevents start of InkBall g
At least Windows Vista Prevents printing to Jour
At least Windows Vista Prevents the snipping too
At least Windows Vista Prevents start of Window
Windows Server 2008 Windows 7 and Windows Vista Disables visual pen action
At least Windows Vista Removes the Back->ESC m
At least Windows Vista Prevents the user from la
At least Windows Vista Prevents press and hold a
At least Windows Vista Turns off Tablet PC hardw
At least Windows Server 2008 R2 or Windows 7 Prevents the Touch Keyb
Windows Server 2008 Windows 7 and Windows Vista Prevents the Tablet PC In
Windows Server 2008 Windows 7 and Windows Vista Prevents the Tablet PC In
At least Windows Vista Includes rarely used Chin
Windows Server 2008 Windows 7 and Windows Vista Prevents Input Panel tab
Windows Server 2008 Windows 7 and Windows Vista Turns off the integration
At least Windows Vista Adjusts password securit
Windows Vista only Turns off both the m
Windows Server 2008 Windows 7 and Windows Vista Makes pen flicks learning
Windows Server 2008 Windows 7 and Windows Vista Makes pen flicks and all r
Windows Vista only Turns off Tablet PC Pen T
Windows Server 2008 Windows 7 and Windows Vista Turn off Tablet PC touch
Windows Server 2008 R2 and Windows 7 Turn off Panning Turn
Windows Server 2003 Windows XP and Windows 2000 only This setting removes the
Windows Server 2003 Windows XP and Windows 2000 only Prevents users from view
Windows Server 2003 Windows XP and Windows 2000 only Prevents users from starti
Windows Server 2003 Windows XP and Windows 2000 only Limits newly scheduled t
Windows Server 2003 Windows XP and Windows 2000 only Prevents users from addi
Windows Server 2003 Windows XP and Windows 2000 only Prevents users from crea
Windows Server 2003 Windows XP and Windows 2000 only Prevents users from dele
At least Windows Server 2016 Windows 10 When this policy setting i
Windows Vista only Windows Calendar is a fe
At least Windows Vista This policy setting affects
At least Windows Vista If you enable this setting
At least Windows Vista This policy setting will en
At least Windows Server 2016 Windows 10 Version 1809 App Install Control is a fe
Unknown This policy setting lets yo
Unknown This policy setting lets yo
Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 only This policy setting contro
Windows Server 2003 and Windows XP only This policy setting configu
Windows Server 2003 and Windows XP only This policy setting contro
Windows Server 2016 Version 1703 Windows 10 Version 1703 Windows 10 Windows 8.1 Windows 8 This policy setting determ
Windows Server 2003 and Windows XP only This policy setting specifi
At least Windows Vista This policy setting limits W
Windows Server 2003 only This policy setting contro
Windows 8.1 Windows 8 Windows 7 and Windows Vista only This policy setting determ
At least Windows 10 Windows prevents users
At least Windows 10 Configure a comma sepa
At least Windows 10 Configure a comma sepa
At least Windows 10 Windows Hello for Busin
At least Windows 10 A Trusted Platform Modu
At least Windows 10 TBD
At least Windows 10 PIN recovery enables a u
At least Windows 10 If you enable this policy s
At least Windows 10 Redstone Allow suggested apps in
At least Windows 10 Redstone Allow Windows Ink Work
At least Windows 2000 This policy setting permit
Windows Installer v3.0 This policy controls t
Windows Installer v3.0 This policy setting causes
Windows Installer v4.5 This policy setting contro
At least Windows 2000 This policy setting prohib
Microsoft Windows XP or Windows 2000 with Windows Installer v2.0 This policy setting allows
At least Windows 2000 This policy setting pr
At least Windows 2000 This policy setting saves c
At least Windows 2000 Specifies the types o
At least Windows Server 2003 operating systems or Windows XP Professional This policy setting preven
At least Windows 2000 This policy setting restric
At least Windows 10 Version 1903 This policy setting contro
At least Windows Vista This policy controls whet
At least Windows 10 Version 1903 This policy setting contro
At least Windows Server 2003 Prevents Windows Media
Windows Media Player 9 Series and later. This policy setting allows
Windows Media Player 11 for Windows XP or Windows Media Player 11 for Windows Vista or later. This policy setting allows
At least Windows Server 2003 operating systems or Windows XP Professional This policy setting preven
At least Microsoft Windows 7 or Windows Server 2008 family This policy setting allows
At least Microsoft Windows 7 or Windows Server 2008 family This policy setting all
At least Microsoft Windows 7 or Windows Server 2008 family This policy setting en
At least Microsoft Windows 7 or Windows Server 2008 family This policy setting le
At least Microsoft Windows 7 or Windows Server 2008 family This policy setting lets yo
At least Windows Vista This policy setting is depr
Unknown This policy setting enable
Unknown This policy setting is to en
At least Windows Server 2016 Windows 10 Version 1803 Hide the Account pro
At least Windows Server 2016 Windows 10 Version 1709 Hide the App and br
At least Windows Server 2016 Windows 10 Version 1709 Prevent users from m
At least Windows Server 2016 Windows 10 Version 1709 Hide the Device perf
At least Windows Server 2016 Windows 10 Version 1809 Disable the Clear TPM
At least Windows Server 2016 Windows 10 Version 1803 Hide the Device secu
At least Windows Server 2016 Windows 10 Version 1803 Hide the Secure boo
At least Windows Server 2016 Windows 10 Version 1803 Hide the Security pro
At least Windows Server 2016 Windows 10 Version 1809 Hide the recommend
At least Windows Server 2016 Windows 10 Version 1709 Display specified con
At least Windows Server 2016 Windows 10 Version 1709 Display specified con
At least Windows Server 2016 Windows 10 Version 1709 Specify the company
At least Windows Server 2016 Windows 10 Version 1709 Specify the email ad
At least Windows Server 2016 Windows 10 Version 1709 Specify the phone nu
At least Windows Server 2016 Windows 10 Version 1709 Specify the URL that
At least Windows Server 2016 Windows 10 Version 1709 Hide the Family opti
At least Windows Server 2016 Windows 10 Version 1709 Hide the Firewall and
At least Windows Server 2016 Windows 10 Version 1709 Hide notifications fro
At least Windows Server 2016 Windows 10 Version 1709 Only show critical no
At least Windows Server 2016 Windows 10 Version 1809 This policy setting hi
At least Windows Server 2016 Windows 10 Version 1803 Hide the Ransomwar
At least Windows Server 2016 Windows 10 Version 1709 Hide the Virus and th
At least Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3 through W Specifies whether Autom
At least Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3 through W This policy setting allows
At least Windows Server 2003 operating systems or Windows XP Professional with SP1 excluding Wi This policy setting allows
At least Windows Server 2016 Windows 10 Enabling this policy will a
At least Windows Server 2012 Windows 8 or Windows RT If you enable this policy a
At least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3 excluding WindowsSpecifies the hours that W
Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3Option 7 only supporSpecifies whether this co
At least Windows Server 2016 or Windows 10 Enable this policy to spec
At least Windows Server 2016 or Windows 10 Enable this policy to cont
Windows 7 Windows Server 2008 R2 Windows Vista Windows Server 2003 Windows XP SP2 WindowsSpecifies the amount of ti
At least Windows Server 2016 or Windows 10 0 (default) â€“ Use the d
Windows 7 Windows Server 2008 R2 Windows Vista Windows XP SP2 This policy setting allows
At least Windows Server 2016 Windows 10 Version 1607 Enable this policy to not
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 Even when Windows Upd
Windows 7 Windows Server 2008 R2 Windows Vista Windows XP SP2 This policy setting allows
At least Windows Server 2016 or Windows 10 Enable this policy to not
At least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3 excluding WindowsSpecifies the target group
Windows Server 2008 Windows 7 Windows Vista and Windows 10 Specifies whether the Wi
Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3 Specifies that to complet
At least Windows Server 2016 Windows 10 Version 1809 This setting allows to rem
At least Windows Server 2016 or Windows 10 This setting allows you to
Windows 7 Windows Server 2008 R2 Windows Vista Windows Server 2003 Windows XP SP2 Windows Specifies the amoun
Windows 7 Windows Server 2008 R2 Windows Vista Windows Server 2003 Windows XP SP2 WindowsSpecifies the amount of ti
At least Windows Server 2016 or Windows 10 Specify the deadline befo
At least Windows Server 2016 Windows 10 Version 1709 This policy lets you specif
At least Windows Server 2016 or Windows 10 Enable this policy to cont
At least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3 excluding Windows Specifies an intranet
At least Windows Server 2016 or Windows 10 If you enable this policy t
At least Windows Vista through Windows 8.1 or Windows Server 2012 R2 with most current service Specifies whether Autom
At least Windows Server 2016 Windows 10 Enabling this policy for ED
At least Windows Server 2016 Windows 10 Version 1909 Enable this setting w
At least Windows Server 2016 Windows 10 Version 1709 Enable this policy to man
Enables or disables the retrieval of online tips and help for the Settings app.If disabled Settings will not contact Microsoft content service
Specifies the list of pages to show or hide from the System Settings app.This policy allows an administrator to block a given set of pages f
This policy setting controls whether the lock screen appears for users.If you enable this policy setting users that are not required to press
Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB.By default users
This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same
Forces the Start screen to use one of the available backgrounds 1 through 20 and prevents the user from changing it.If this setting is set t
Prevents users from changing the background image shown when the machine is locked or when on the logon screen.By default users ca
Prevents users from changing the look of their start menu background such as its color or accent.By default users can change the look of
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.By default use
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.By default users can
This policy specifies whether users on the device have the option to enable online speech recognition services. If this policy
This policy setting controls whether the LPRemove task will run to clean up language packs installed on a machine but are not used
This policy setting controls which UI language is used for computers with more than one UI language installed.If you enable this policy se
This policy setting restrictsâ€¯all users from installing language packs and language features on demand packages.â€¯This policy doe
This policy setting restricts the Windows UI language for all users.This is a policy setting for computers with more than one UI language in
This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enable
This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. On
When you enable this setting planned password expiration longer than password age dictated by "Password Settings" policy is NOT allow
Enables management of password for local administrator accountIf you enable this setting local administrator password is managedIf you
Administrator account name: name of the local account you want to manage password for. DO NOT configure when you use built-in adm
Configures password parametersPassword complexity: which characters are used when generating a new password Default: Large letter
This setting controls whether local accounts can be used for remote administration via network logon (e.g. NET USE connecting to C$ etc
This policy setting controls whether the Adobe Flash control can be activated by Office documents. Note that activation blocking applies
APPLIES ONLY TO: Windows 7 and Windows Servers 2008 2008R2 and 2012 (NOT 2012R2):To disable client-side processing of the SMBv1
Configures the SMB v1 client driver's start type.To disable client-side processing of the SMBv1 protocol select the "Enabled" radio button
Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.)Enabling this setting enables server-side pro
If this setting is enabled SEHOP is enforced. For more information see https://support.microsoft.com/en-us/help/956607/how-to-enable
Beginning with the Windows 10 and Windows Server v2004 security baseline this setting has been moved to Security Options\Domain co
Determines whether users that aren't Administrator can install print drivers on this computer.By default users that aren't Administrators
Enable LSA protection. For more information see http://technet.microsoft.com/en-us/library/dn408187.aspx
Enable auditing of Lsass.exe to evaluate feasibility of enabling LSA protection. For more information see http://technet.microsoft.com/en
The NetBT NodeType setting determines what methods NetBT uses to register and resolve names:* A B-node computer uses broadcasts.
This setting controls whether "Run As Different User" appears on the Shift+RightClick context menu for .bat .cmd .exe and .msc files.Enab
This policy setting controls JScript execution per Security Zone within Internet Explorer and WebBrowser Control (WebOC) for Office app
Beginning with Windows 10 v1809 and Windows Server v1809 this functionality should instead be configured through the following Grou
When WDigest authentication is enabled Lsass.exe retains a copy of the user's plaintext password in memory where it can be at risk of th
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments)
MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (DisableSavePassword) Prevent the dial-up passsword from being saved (recommended)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended 5 is default)
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended 5 is default)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a n
This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific computer
This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installe
This policy setting specifies whether the computer will act as a BITS peer caching client. By default when BITS peer caching is enabled the
This policy setting specifies whether the computer will act as a BITS peer caching server. By default when BITS peer caching is enabled th
This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to make the m
This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache as a percentage of the total system
This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS jo
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This p
This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers from the or
This policy setting limits the number of BITS jobs that can be created by a user. By default BITS limits the total number of jobs that can be
This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default BITS limits the total numbe
This policy setting limits the number of files that a BITS job can contain. By default a BITS job is limited to 200 files. You can use this settin
This policy setting limits the number of ranges that can be added to a file in a BITS job. By default files in a BITS job are limited to 500 ran
This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during
This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By defau
This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. This policy setti
This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compati
This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the
This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching fo
This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers.If yo
This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy is applied. I
This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is applied. In ad
This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on client computer
This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to this policy
Specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of r
Specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands.
Specifies whether NCA service runs in Passive Mode or not.Set this to Disabled to keep NCA probing actively all the time. If this setting is
Specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example yo
Specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to
Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notificati
Specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. When the us
Specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon.Set this to Di
Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original na
Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting NetBT qu
Specifies if the DNS client will perform name resolution over DNS over HTTPS (DoH).By default the DNS client will do classic DNS name re
Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes and those configured usin
Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of D
Specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.An unqualified s
Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS
Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form a canonical Unicode repr
Specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order ar
Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.To use this policy setting click Ena
Specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.With devolution a DNS client creat
Specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution proces
Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its comput
Specifies if DNS client computers will register PTR resource records.By default DNS clients configured to perform dynamic DNS registratio
Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers perfo
Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.This policy setting is
Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy settin
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-doma
Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.LLMNR is a secondary name resolution protoc
Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing
Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS respo
Specifies the security level for dynamic DNS updates.To use this policy setting click Enabled and then select one of the following values:U
Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zon
This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font provider.
This policy setting defines whether WLAN hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support.If
This policy setting determines the cipher suites used by the SMB server.If you enable this policy setting cipher suites are prioritized in the
This policy setting specifies whether a hash generation service generates hashes also called content information for data that is stored in
This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes version 2 (V2) hashes or bo
This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB client.If you en
This policy setting determines the cipher suites used by the SMB client.If you enable this policy setting cipher suites are prioritized in the
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.If you enable this policy setting or if you
This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Ava
This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous Availability (
This policy setting changes the operational behavior of the Mapper I/O network protocol driver.LLTDIO allows a computer to discover the
This policy setting changes the operational behavior of the Responder network protocol driver.The Responder allows a computer to parti
By default when a Peer Group is created that allows for password-authentication (or the password for such a Group is changed) Peer Gro
This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety and will cause all dependent applications to stop working
This policy setting limits a node to resolving but not publishing names in a specific Peer Name Resolution Protocol (PNRP) cloud.This polic
This setting sets the seed server for the global cloud to a specified node in the enterprise. The Peer Name Resolution Protocol (PNRP) allo
This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in the global cl
This policy setting enables or disables PNRP cloud creation.PNRP is a distributed name resolution protocol allowing Internet hosts to pub
This setting sets the seed server for the link local cloud to a specified node in the enterprise.The Peer Name Resolution Protocol (PNRP) a
This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in the link loca
This setting sets the seed server for the site local cloud to a specified node in the enterprise.The Peer Name Resolution Protocol (PNRP) a
This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in the site loca
Specifies whether or not the "local access only" network icon will be shown.When enabled the icon for Internet access will be shown in t
Determines whether a user can install and configure the Network Bridge.Important: This settings is location aware. It only applies when a
Prohibits use of Internet Connection Firewall on your DNS domain network.Determines whether users can enable the Internet Connectio
Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection an
This policy setting determines whether to require domain users to elevate when setting a network's location.If you enable this policy setti
This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the clie
Allows unsolicited incoming messages from specified systems that authenticate using the IPsec transport.If you enable this policy setting
Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Defender Firewall allows. Utilities can use ICM
Allows inbound file and printer sharing. To do this Windows Defender Firewall opens UDP ports 137 and 138 and TCP ports 139 and 445.
Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windo
Allows this computer to receive inbound Remote Desktop requests. To do this Windows Defender Firewall opens TCP port 3389.If you en
Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices such as routers with built-in firewal
Allows administrators to use the Windows Defender Firewall component in Control Panel to define a local port exceptions list. Windows
Allows administrators to use the Windows Defender Firewall component in Control Panel to define a local program exceptions list. Windo
Allows Windows Defender Firewall to record information about the unsolicited incoming messages that it receives.If you enable this poli
Allows you to view and change the inbound port exceptions list defined by Group Policy. Windows Defender Firewall uses two port excep
Allows you to view and change the program exceptions list defined by Group Policy. Windows Defender Firewall uses two program excep
Specifies that Windows Defender Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Defen
Prevents Windows Defender Firewall from displaying notifications to the user when a program requests that Windows Defender Firewall
Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages.If you enable this policy setting
Turns on Windows Defender Firewall.If you enable this policy setting Windows Defender Firewall runs and ignores the "Computer Config
Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Defender Firewall allows. Utilities can use ICM
Allows inbound file and printer sharing. To do this Windows Defender Firewall opens UDP ports 137 and 138 and TCP ports 139 and 445.
Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC) and Windo
Allows this computer to receive inbound Remote Desktop requests. To do this Windows Defender Firewall opens TCP port 3389.If you en
Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices such as routers with built-in firewal
Allows administrators to use the Windows Defender Firewall component in Control Panel to define a local port exceptions list. Windows
Allows administrators to use the Windows Defender Firewall component in Control Panel to define a local program exceptions list. Windo
Allows Windows Defender Firewall to record information about the unsolicited incoming messages that it receives.If you enable this poli
Allows you to view and change the inbound port exceptions list defined by Group Policy. Windows Defender Firewall uses two port excep
Allows you to view and change the program exceptions list defined by Group Policy. Windows Defender Firewall uses two program excep
Specifies that Windows Defender Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Windows Defen
Prevents Windows Defender Firewall from displaying notifications to the user when a program requests that Windows Defender Firewall
Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages.If you enable this policy setting
Turns on Windows Defender Firewall.If you enable this policy setting Windows Defender Firewall runs and ignores the "Computer Config
This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the ho
This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of th
This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of add
This policy setting enables you to specify the URL of the corporate website against which an active probe is performed.
This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain locati
This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently pr
This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a fr
This setting does not apply to desktop apps.A comma-separated list of domain names that can be used as both work or personal resourc
This setting does not apply to desktop apps.A pipe-separated list of domain cloud resources. Each cloud resource can also be paired opti
This setting does not apply to desktop apps.A semicolon-separated list of Internet proxy server IP addresses. These addresses are catego
This setting does not apply to desktop apps.A semicolon-separated list of intranet proxy server IP addresses. These addresses are catego
This setting does not apply to desktop apps.A comma-separated list of IP address ranges that are in your corporate network.If you enabl
This setting does not apply to desktop apps.Turns off Windows Network Isolation's automatic proxy discovery in the domain corporate e
This setting does not apply to desktop apps.Turns off Windows Network Isolation's automatic discovery of private network hosts in the
This policy setting configures secure access to UNC paths.If you enable this policy Windows only allows access to the specified UNC paths
Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files.This settin
This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the user's compu
Deletes local copies of the user's offline files when the user logs off.This setting specifies that automatically and manually cached offline fi
This policy setting controls when background synchronization occurs while operating in slow-link mode and applies to any user who logs
Configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below this value is
This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files and folder
Limits the percentage of the computer's disk space that can be used to store automatically cached offline files.This setting also disables th
This policy setting enables administrators to block certain file types from being created in the folders that have been made available offlin
This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone
This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files cache for
This policy setting determines whether offline files are encrypted.Offline files are locally cached copies of files from a network share. Encr
Determines which events the Offline Files feature records in the event log.Offline Files records events in the Application log in Event View
Lists types of files that cannot be used offline.This setting lets you exclude certain types of files from automatic and manual caching for o
Determines how long the first reminder balloon for a network status change is displayed.Reminder balloons appear when the user's conn
This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by automatically cac
Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the default res
Disables the Offline Files folder.This setting disables the "View Files" button on the Offline Files tab. As a result users cannot use the Offlin
Prevents users from enabling disabling or changing the configuration of Offline Files.This setting removes the Offline Files tab from the Fo
Determines how often reminder balloon updates appear.If you enable this setting you can select how often reminder balloons updates a
Determines how long updated reminder balloons are displayed.Reminder balloons appear when the user's connection to a network file i
This policy setting prevents users from making network files and folders available offline.If you enable this policy setting users cannot des
This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" command.If yo
This policy setting removes the "Work offline" command from Explorer preventing users from manually changing whether Offline Files is
This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders a
Makes subfolders available offline whenever their parent folder is made available offline.This setting automatically extends the "make av
Determines whether offline files are fully synchronized when users log off.This setting also disables the "Synchronize all offline files befor
Determines whether offline files are fully synchronized when users log on.This setting also disables the "Synchronize all offline files befor
Determines whether offline files are synchonized before a computer is suspended.If you enable this setting offline files are synchronized
Hides or displays reminder balloons and prevents users from changing the setting.Reminder balloons appear above the Offline Files icon
This policy setting allows you to turn on economical application of administratively assigned Offline Files.If you enable or do not configure
Specifies the maximum number of outstanding packets permitted on the system. When the number of outstanding packets reaches this
Determines the percentage of connection bandwidth that the system can reserve. This value limits the combined bandwidth reservation
Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Scheduler can
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeB
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceT
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceType
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (Service
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQ
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeB
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceT
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceType
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (Service
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQ
Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet S
Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlledLoad). Th
Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packe
Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetworkControl). T
Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Scheduler in
Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet
This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service.SNMP is a p
This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent runn
This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent.Simple Network Management P
This policy setting determines the priority order of ECC curves used with ECDHE cipher suites.If you enable this policy setting ECC curves a
This policy setting determines the cipher suites used by the Secure Socket Layer (SSL).If you enable this policy setting SSL cipher suites are
This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffi
This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting h
This policy setting allows you to configure 6to4 an address assignment and router-to-router automatic tunneling technology that is used
This policy setting allows you to configure IP-HTTPS a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a re
This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router.If you enable thi
This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) an address-to-router and host-to-ho
This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0 the operating
This policy setting allows you to set Teredo to be ready to communicate a process referred to as qualification. By default Teredo enters a
This policy setting allows you to configure the Teredo refresh rate.Note: On a periodic basis (by default every 30 seconds) Teredo clients
This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer whe
This policy setting allows you to configure Teredo an address assignment and automatic tunneling technology that provides unicast IPv6
This policy setting allows you to configure IP Stateless Autoconfiguration Limits.If you enable or do not configure this policy setting IP Sta
This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity a
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the disco
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting the wizards are turned off a
This policy setting specifies that power management is disabled when the machine enters connected standby mode.If this policy setting i
This policy setting determines whether Windows will soft-disconnect a computer from a network.If this policy setting is enabled or not co
This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If multiple conn
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same ti
This policy setting prevents clients from connecting to Mobile Broadband networks when the client is registered on a roaming provider n
This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods.When enabled it ma
This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devices is requi
This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine.If this policy setting is enabled a drop-do
This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots" "Connect to
This policy setting specifies whether Windows apps can access cellular data.You can specify either a default setting for all apps or a per-a
This policy setting configures the cost of 3G connections on the local machine.If this policy setting is enabled a drop-down list box presen
This policy setting configures the cost of 4G connections on the local machine. If this policy setting is enabled a drop-down list box pre
This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX.If this po
Internet printing lets you display printers on Web pages so that printers can be viewed managed and used across the Internet or an intra
If you enable this policy setting it sets the maximum number of printers (of each type) that the Add Printer wizard will display on a compu
This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged
This policy controls whether the print job name will be included in print event logs. If you disable or do not configure this policy s
This policy controls whether the print spooler will accept client connections.When the policy is unconfigured or enabled the spooler will a
Determines whether the computer's shared printers can be published in Active Directory. If you enable this setting or do not config
Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. By de
Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a G
When printing through a print server determines whether the print spooler on the client will process print jobs itself or pass them on to t
Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. If you enable
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10 Windows 10 and Windows Server 2
Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also spe
If this policy setting is enabled it specifies the default location criteria used when searching for printers. This setting is a component
By default the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also include a link t
Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. The
Sets the priority of the pruning thread. The pruning thread which runs only on domain controllers deletes printer objects from Acti
Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the comp
Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have access to syst
This policy determines if v4 printer drivers are allowed to run printer extensions. V4 printer drivers may include an optional customiz
Determines whether Device Control Printing Restrictions are enforced for printing on this computer. By default there are no re
This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers a
This policy setting allows you to manage where client computers search for Point and Printer drivers.If you enable this policy setting the c
Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print d
This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing by enablin
Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning t
This policy restricts clients computers to use package point and print only.If this setting is enabled users will only be able to point and prin
This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This
Restricts package point and print to approved servers.This policy setting restricts package point and print connections to approved server
This policy setting controls the client Point and Print behavior including the security prompts for Windows Vista computers. The policy se
Enables the physical Location Tracking setting for Windows printers.Use Location Tracking to design a location scheme for your enterpris
Announces the presence of shared printers to print browse master servers for the domain.On domains with Active Directory shared print
Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever
This policy allows you to prevent users from being able to open context menus in the Start Menu.If you enable this policy then invocation
Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents.If you enabl
If you enable this policy and set it to Start menu or full screen Start Start will be that size and users will be unable to change the size of St
This policy setting allows pinning apps to Start by default when they are included by AppID on the list.
This policy allows you to prevent the Start Menu from displaying a list of recently installed applications.If you enable this policy the Start
If you enable this setting the Start Menu will either collapse or remove the all apps list from the Start menu.Selecting "Collapse" will not d
This policy setting prevents users from performing the following commands from the Windows security screen the logon screen and the
If you enable this setting the frequently used programs list is removed from the Start menu.If you disable this setting or do not configure
If you enable this policy setting you can configure Start menu to show or hide the list of user's most used apps regardless of user settings
Specifies the Start layout for users.This setting lets you specify the Start layout for users and prevents them from changing its configurati
This policy sets a special WNS FQDN for specific environments.
This policy setting blocks applications from using the network to send notifications to update tiles tile badges toast or raw notificati
This policy setting defines when the Shutdown Event Tracker System State Data feature is activated.The system state data file contains in
Specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server which runs on domain co
This policy setting directs the system to display highly detailed status messages.This policy setting is designed for advanced users who req
The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displ
This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder.If you enable this policy setting File
This policy setting allows you to turn off the automatic display of the Manage Your Server page. If you enable this policy setting the Mana
This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. This setting d
This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program
This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule contr
This policy setting suppresses system status messages.If you enable this setting the system does not display a message reminding users t
This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders
This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting you can p
This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optiona
Specifies an alternate location for Windows installation files.If you enable this policy setting enter the fully qualified path to the new loca
Specifies an alternate location for Windows Service Pack installation files.If you enable this policy setting enter the fully qualified path to
This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention.
This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Den
This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for disable to ta
The program collects information about computer hardware and how you use Microsoft Application Virtualization without interrupting y
Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts file type associati
Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts file type associa
Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='desktop;my
Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;software\cl
Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
Enables background sync to server when on battery power.
Enables a UX to display to the user when a publishing refresh is performed on the client.
Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of publishing s
Reporting Server URL: Displays the URL of reporting server. Reporting Time: When the client data should be reported to the server. Ac
Enables scripts defined in the package manifest of configuration files that should run.
This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network connection
Specifies the path to a valid certificate in the certificate store.
If enabled the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired this should be d
Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
Specifies directory where all new applications and updates will be installed.
Overrides source location for downloading package content.
Specifies the number of seconds between attempts to reestablish a dropped session.
Specifies the number of times to retry a dropped session.
Requires admin privileges to publish and unpublish packages and connection groups.
Specifies that streamed package contents will be not be saved to the local hard disk.
Specifies how new packages should be loaded automatically by App-V on a specific computer.
Verifies Server certificate revocation status before streaming using HTTPS.
Enables Dynamic Virtualization of supported shell extensions browser helper objects and ActiveX controls.
Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions browser help
This policy setting determines what information is logged in security audit events when a new process has been created.This setting only
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).This policy setting ap
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).If you enable this po
Encryption Oracle RemediationThis policy setting applies to applications using the CredSSP component (for example: Remote Desktop Co
Remote host allows delegation of non-exportable credentialsWhen using credential delegation devices provide an exportable version of
When running in Restricted Admin or Remote Credential Guard mode participating apps do not expose signed in or supplied credentials t
Deploy Windows Defender Application ControlThis policy setting lets you deploy a Code Integrity Policy to a machine to control what is a
Specifies whether Virtualization Based Security is enabled.Virtualization Based Security uses the Windows Hypervisor to provide support
This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send D
This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting remote conn
This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If you enable
Windows has a feature that sends "generic-driver-installed" reports through the Windows Error Reporting infrastructure. This policy allow
This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally promp
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. If you enable this policy settin
Windows has a feature that allows a device driver to request additional software through the Windows Error Reporting infrastructure. Th
This policy setting allows you to determine how drivers signed by a Microsoft Windows Publisher certificate are ranked with drivers signe
This policy setting allows you to specify the order in which Windows searches source locations for device drivers. If you enable this policy
This policy setting allows you to specify the search server that Windows uses to find updates for device drivers.If you enable this policy se
This policy setting allows you to turn off "Found New Hardware" balloons during device installation.If you enable this policy setting "Foun
This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any devi
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to ins
This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to install. Use this p
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is a
This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a policy settin
This policy setting allows you to display a custom message to users in a notification when a device installation is attempted and a policy s
This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting.If you en
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented fro
This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from installing. T
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is p
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver f
This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device i
This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system.If you enable this policy setting the
This policy setting turns off power save mode on the hybrid hard disks in the system.If you enable this policy setting the hard disks are no
This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. To check if you have hybrid h
This policy setting turns off the solid state mode for the hybrid hard disks. If you enable this policy setting frequently written files such as
This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media.If you disable or do not
This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer and prevents users from changing
This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting.If you enable this pol
This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on
This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning leve
This policy setting specifies the default disk quota limit and warning level for new users of the volume.This policy setting determines how
Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a display-scale fa
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.This policy setting lets you specify legacy a
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.This policy setting lets you specify legacy a
Allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list.If you en
Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security che
This policy setting specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Use
Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the Internet.No
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch An
This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub
This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your com
This policy setting allows you to create a list of IEEE 1667 silos compliant with the Institute of Electrical and Electronics Engineers Inc. (IEE
This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer.If you enable this
This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device.If you enable this policy setti
This policy setting configures whether or not Windows will activate an Enhanced Storage device.If you enable this policy setting Windows
This policy setting locks Enhanced Storage devices when the computer is locked.This policy setting is supported in Windows Server SKUs
This policy setting controls whether the Classification tab is displayed in the Properties dialog box in File Explorer.The Classification tab en
This policy setting controls which set of properties is available for classifying files on affected computers.Administrators can define the pr
Determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled.VSS for SMB2 File Shares feature e
Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation.A value
Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond the normal
Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue you can selectively enable or disable the evaluati
Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of co
Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encr
TXF deprecated features included savepoints secondary RM miniversion and roll forward. Please enable it if you want to use these APIs.
By default NTFS allocates memory from both pageable and non-pageable memory as needed. Enabling this setting tells NTFS to use non
Encrypting the page file prevents malicious users from reading data that has been paged to disk but also adds processing overhead for fil
For NTFS tiered volumes this controls the tier that new allocations go to by default.Client systems default to the Performance tier.Server
When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are currently open. T
When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are currently open. T
These settings provide control over whether or not short names are generated during file creation. Some applications require short nam
This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve log
This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs Startup
This policy setting allows Microsoft Windows to process user Group Policy settings asynchronously when logging on through Remote Des
This policy setting allows user-based policy processing roaming user profiles and user object logon scripts for interactive logons across fo
This policy setting lets you always use local ADM files for the Group Policy snap-in.By default when you edit a Group Policy Object (GPO)
This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is whet
This policy setting allows you to configure when preference items in the Applications preference extension are updated.If you enable this
This policy setting allows you to configure when preference items in the Data Sources preference extension are updated.If you enable th
This policy setting allows you to configure when preference items in the Devices preference extension are updated.If you enable this poli
This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the pur
This policy setting determines when disk quota policies are updated.This policy setting affects all policies that use the disk quota compon
This policy setting allows you to configure when preference items in the Drive Maps preference extension are updated.If you enable this
This policy setting determines when encryption policies are updated.This policy setting affects all policies that use the encryption compon
This policy setting allows you to configure when preference items in the Environment preference extension are updated.If you enable thi
This policy setting allows you to configure when preference items in the Files preference extension are updated.If you enable this policy s
This policy setting allows you to configure when preference items in the Folder Options preference extension are updated.If you enable t
This policy setting determines when folder redirection policies are updated.This policy setting affects all policies that use the folder redire
This policy setting allows you to configure when preference items in the Folders preference extension are updated.If you enable this poli
This policy setting allows you to configure Group Policy caching behavior. If you enable or do not configure this policy setting Gro
This policy setting defines a slow connection for purposes of applying and updating Group Policy.If the rate at which data is transferred fr
This policy setting allows you to configure when preference items in the Ini Files preference extension are updated.If you enable this poli
This policy setting determines when Internet Explorer Maintenance policies are updated.This policy setting affects all policies that use the
This policy setting allows you to configure when preference items in the Internet Settings preference extension are updated.If you enable
This policy setting determines when IP security policies are updated.This policy setting affects all policies that use the IP security compon
This policy setting allows you to configure when preference items in the Local Users and Groups preference extension are updated.If you
Enter â€œ0â€ to disable Logon Script Delay. This policy setting allows you to configure how long the Group Policy client waits a
This policy setting allows you to configure when preference items in the Network Options preference extension are updated.If you enabl
This policy setting allows you to configure when preference items in the Network Shares preference extension are updated.If you enable
This policy setting allows you to configure when preference items in the Power Options preference extension are updated.If you enable t
This policy setting allows you to configure when preference items in the Printers preference extension are updated.If you enable this pol
This policy setting allows you to configure when preference items in the Regional Options preference extension are updated.If you enabl
This policy setting determines when registry policies are updated.This policy setting affects all policies in the Administrative Templates fo
This policy setting allows you to configure when preference items in the Registry preference extension are updated.If you enable this pol
This policy setting allows you to configure when preference items in the Scheduled Tasks preference extension are updated.If you enable
This policy setting determines when policies that assign shared scripts are updated.This policy setting affects all policies that use the scrip
This policy setting determines when security policies are updated.This policy setting affects all policies that use the security component o
This policy setting allows you to configure when preference items in the Services preference extension are updated.If you enable this pol
This policy setting allows you to configure when preference items in the Shortcuts preference extension are updated.If you enable this po
This policy setting determines when software installation policies are updated.This policy setting affects all policy settings that use the so
This policy setting allows you to configure when preference items in the Start Menu preference extension are updated.If you enable this
This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer aff
This policy setting determines whether Windows supports web-to-app linking with app URI handlers.Enabling this policy setting enables w
This policy setting determines when policies that assign wired network settings are updated.This policy setting affects all policies that use
This policy setting determines when policies that assign wireless network settings are updated.This policy setting affects all policies that u
This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue experiences).I
This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data.By default interactively logged on users ca
Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active
This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. If you enable this policy s
This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading emailing and other tasks that requires lin
This policy setting allows you to control a user's ability to invoke a computer policy refresh.If you enable this policy setting users are not a
This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This settin
This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The upd
This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If th
This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. I
This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for c
This policy setting prevents the Group Policy Client Service from stopping when idle.
This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied.By default the policy settings in Local GPOs are ap
This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer.RSoP logs information on Group P
This policy setting allows you to configure the level of detail recorded by event logging for the Applications preference extension and to t
This policy setting allows you to configure the level of detail recorded by event logging for the Data Sources preference extension and to
This policy setting allows you to configure the level of detail recorded by event logging for the Devices preference extension and to turn o
This policy setting allows you to configure the level of detail recorded by event logging for the Drive Maps preference extension and to tu
This policy setting allows you to configure the level of detail recorded by event logging for the Environment preference extension and to
This policy setting allows you to configure the level of detail recorded by event logging for the Files preference extension and to turn on t
This policy setting allows you to configure the level of detail recorded by event logging for the Folder Options preference extension and t
This policy setting allows you to configure the level of detail recorded by event logging for the Folders preference extension and to turn o
This policy setting allows you to configure the level of detail recorded by event logging for the Ini Files preference extension and to turn o
This policy setting allows you to configure the level of detail recorded by event logging for the Internet preference extension and to turn
This policy setting allows you to configure the level of detail recorded by event logging for the Local User and Local Group preference ext
This policy setting allows you to configure the level of detail recorded by event logging for the Network Options preference extension and
This policy setting allows you to configure the level of detail recorded by event logging for the Network Shares preference extension and
This policy setting allows you to configure the level of detail recorded by event logging for the Power Options preference extension and t
This policy setting allows you to configure the level of detail recorded by event logging for the Printers preference extension and to turn o
This policy setting allows you to configure the level of detail recorded by event logging for the Regional Options preference extension and
This policy setting allows you to configure the level of detail recorded by event logging for the Registry preference extension and to turn
This policy setting allows you to configure the level of detail recorded by event logging for the Scheduled Tasks preference extension and
This policy setting allows you to configure the level of detail recorded by event logging for the Services preference extension and to turn
This policy setting allows you to configure the level of detail recorded by event logging for the Shortcuts preference extension and to turn
This policy setting allows you to configure the level of detail recorded by event logging for the Start Menu preference extension and to tu
This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources.If you enable th
This policy setting allows you to remove access to Windows Update.If you enable this policy setting all Windows Update features are rem
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protoc
This policy setting specifies whether to automatically update root certificates using the Windows Update website. Typically a certificate is
This policy setting specifies whether to allow this client to download print driver packages over HTTP.To set up HTTP printing non-inbox d
This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application.The Event Viewe
Turns off data sharing from the handwriting recognition personalization tool.The handwriting recognition personalization tool tool enable
Turns off the handwriting recognition error reporting tool.The handwriting recognition error reporting tool enables users to report errors
This policy setting specifies whether to show the "Did you know?" section of Help and Support Center.This content is dynamically update
This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center.The Knowl
This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Prov
This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards.The
This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file asso
This policy setting specifies whether to allow printing over HTTP from this client.Printing over HTTP allows a client to print to printers on t
This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration.If you enable thi
This policy setting specifies whether Search Companion should automatically download content updates during local and Internet search
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.The Order Prints On
This policy setting specifies whether the tasks "Publish this file to the Web" "Publish this folder to the Web" and "Publish the selected ite
This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and
This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement
This policy setting controls whether or not errors are reported to Microsoft.Error Reporting is used to report information about a system
This policy setting turns off the active tests performed by the Windows Network Connectivity Status Indicator (NCSI) to determine wheth
This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are presen
If enabled then only those sessions that are established via a persistent login will be established and no new persistent logins may be cre
If enabled then do not allow the initiator iqn name to be changed. If disabled then the initiator iqn name may be changed.
If enabled then do not allow the initiator CHAP secret to be changed. If disabled then the initiator CHAP secret may be changed.
If enabled then only those connections that are configured for IPSec may be established. If disabled then connections that are configured
If enabled then only those sessions that are configured for mutual CHAP may be established. If disabled then sessions that are configured
If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that are configure
If enabled then new targets may not be manually configured by entering the target name and target portal; already discovered targets m
If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually configured. Not
If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may no
If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not b
This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Contr
Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controllerâ€™s domai
This policy setting controls whether the domain controller provides information about previous logons to client computers.If you enable
This policy setting allows you to configure a domain controller to request compound authentication.Note: For a domain controller to req
This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part
This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authenticati
This policy setting allows retrieving the cloud kerberos ticket during the logon.If you disable or do not configure this policy setting the clo
This policy setting controls whether a device always sends a compound authentication request when the resource domain requests comp
This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm.If you enable this
This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms as defined by this poli
This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server.If you enable this policy
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a dom
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate logon. If y
This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. Whe
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer s
This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names.If you ena
This policy setting controls configuring the device's Active Directory account for compound authentication.Support for providing compou
Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certifica
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service princip
Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA
This policy setting prevents users from changing their user geographical location (GeoID).If you enable this policy setting users cannot cha
This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restric
This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of loc
This policy setting prevents the user from customizing their locale by changing their user overrides.Any existing overrides in place when t
This policy setting restricts the permitted system locales to the specified list. If the list is empty it locks the system locale to its current val
This policy setting restricts users on a computer to the specified list of user locales. If the list is empty it locks all user locales to their curre
This policy setting allows you to control whether a user can change the time before a password is required when a Connected Standby de
This policy is not available in this version of Windows.
This policy setting ignores Windows Logon Background.This policy setting may be used to make Windows give preference to a custom log
This policy setting determines whether Group Policy processing is synchronous (that is whether computers wait for the network to be ful
This policy setting allows the administrator to assign a specified credential provider as the default credential provider.If you enable this p
This policy setting specifies a default logon domain which might be a different domain than the domain to which the computer is joined.
This policy prevents the user from showing account details (email address or user name) on the sign-in screen.If you enable this policy se
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.If you enable this po
This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on.If you enable thi
This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting the Lo
This policy setting ignores the customized run list.You can create a customized list of additional programs and documents that the system
This policy setting ignores customized run-once lists.You can create a customized list of additional programs and documents that are star
This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting Logon UI will enum
This policy setting allows the administrator to exclude the specifiedcredential providers from use during authentication.Note: credential p
This policy setting allows you to hide the Switch User interface in the Logon UI the Start menu and the Task Manager.If you enable this po
This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system.If yo
This policy setting disables the acrylic blur effect on logon background image. If you enable this policy the logon background image sh
This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. T
This policy setting allows you to prevent app notifications from appearing on the lock screen.If you enable this policy setting no app notifi
This policy setting allows you to control whether a domain user can sign in using a picture password.If you enable this policy setting a dom
This policy is not available in this version of Windows.
This policy setting allows you to control whether a domain user can sign in using a convenience PIN.If you enable this policy setting a dom
This policy setting allows you to control whether users can sign in using external security keys. If you enable this policy setting users ca
This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a numb
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed o
This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows N
This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emu
This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should supp
This policy setting determines the interval at which Netlogon performs the following scavenging operations:- Checks if a password on a se
This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should suppor
This policy setting specifies the additional time for the computer to wait for the domain controllerâ€™s (DC) response when logging on to
This policy setting specifies the level of debug output for the Net Logon service.The Net Logon service outputs debug information to the l
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabl
This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not
This policy setting specifies the Active Directory site to which computers belong.An Active Directory site is one or more well-connected T
This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers
This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic search
This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controlle
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodi
This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain
This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC).Note: To locate a
This policy setting allows you to control the domain controller (DC) location algorithm. By default the DC location algorithm prefers DNS-b
This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator.The Domain Controller Locator (DC L
This policy setting detremines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address o
This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is app
This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service
This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is
This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any c
This policy setting determines which DC Locator DNS records are not registered by the Net Logon service.If you enable this policy setting
This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS r
This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DN
This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register th
This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records
This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records.
This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is no
This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the close
This policy setting specifies whether the computers to which this setting is applied attemps DNS name resolution of single-lablel domain n
This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain
This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when re
This policy setting determines whether history of Clipboard contents can be stored in memory. If you enable this policy setti
This policy setting determines whether Clipboard contents can be synchronized across devices. If you enable this policy setti
This policy setting determines whether User Activities can be published. If you enable this policy setting activities of type Use
This policy setting determines whether published User Activities can be uploaded. If you enable this policy setting activities o
This policy setting determines whether ActivityFeed is enabled. If you enable this policy setting all activity types (as applicab
This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The PIN can be
This setting specifies the number of past PINs that can be associated to a user account that canâ€™t be reused. This policy enables admin
Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configure for this
Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configure for this p
Use this policy setting to configure the use of digits in the PIN.If you enable this policy setting Windows requires the user to include at lea
Use this policy setting to configure the use of lowercase letters in the PIN.If you enable this policy setting Windows requires the user to in
Use this policy setting to configure the use of special characters in the PIN. Allowable special characters are: ! " # $ % & ' ( ) * + - . / : ; < =
Use this policy setting to configure the use of uppercase letters in the PIN.If you enable this policy setting Windows requires the user to in
This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan use the Cu
This policy setting specifies the active power plan from a specified power planâ€™s GUID. The GUID for a custom power plan GUID can be
This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC.Possible actions include:-Take no acti
This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC.Possible actions include:-Take no acti
This policy setting specifies the action that Windows takes when a user presses the power button.Possible actions include:-Take no action
This policy setting specifies the action that Windows takes when a user presses the power button.Possible actions include:-Take no action
This policy setting specifies the action that Windows takes when a user presses the sleep button.Possible actions include:-Take no action-
This policy setting specifies the action that Windows takes when a user presses the sleep button.Possible actions include:-Take no action-
This policy setting specifies the action that Windows takes when a user presses the Start menu Power button.If you enable this policy setti
This policy setting specifies the action that Windows takes when a user presses the Start menu Power button.If you enable this policy setti
This policy setting allows you to specify battery charge level at which Energy Saver is turned on.If you enable this policy setting you must
This policy setting allows you to specify battery charge level at which Energy Saver is turned on.If you enable this policy setting you must
This policy setting specifies the period of inactivity before Windows turns off the hard disk.If you enable this policy setting you must prov
This policy setting specifies the period of inactivity before Windows turns off the hard disk.If you enable this policy setting you must prov
This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level.If you enab
This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action.If you enable
This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level.If you enable
This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action.If you enable th
This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode.If you enable this policy s
This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level.If you enab
This policy setting allows you to turn off Power Throttling.If you enable this policy setting Power Throttling will be turned off.If you disabl
This policy setting allows applications and services to prevent automatic sleep.If you enable this policy setting any application service or d
This policy setting allows applications and services to prevent automatic sleep.If you enable this policy setting any application service or d
This policy setting allows you to manage automatic sleep with open network files.If you enable this policy setting the computer automati
This policy setting allows you to manage automatic sleep with open network files.If you enable this policy setting the computer automati
This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems.If you enable this
This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems.If you enable this
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.If you e
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep state.If you e
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.If you enable or do
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.If you enable or do
This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.If you enable this pol
This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.If you enable this pol
This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.If you enable this policy s
This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.If you enable this policy s
This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not pres
This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user is not pres
This policy setting allows you to turn off hybrid sleep.If you enable this policy setting a hiberfile is not generated when the system transiti
This policy setting allows you to turn off hybrid sleep.If you enable this policy setting a hiberfile is not generated when the system transiti
This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.If you enable this po
This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.If you enable this po
This policy setting allows you to specify the period of inactivity before Windows automatically reduces brightness of the display.If you en
This policy setting allows you to specify the period of inactivity before Windows automatically reduces brightness of the display.If you en
This policy setting allows you to specify the brightness of the display when Windows automatically reduces brightness of the display.If yo
This policy setting allows you to specify the brightness of the display when Windows automatically reduces brightness of the display.If yo
This policy setting allows you to manage how long a computer must be inactive before Windows turns off the computerâ€™s display.If yo
This policy setting allows you to manage how long a computer must be inactive before Windows turns off the computerâ€™s display.If yo
This policy setting allows you to specify the period of inactivity before Windows turns off the display.If you enable this policy setting you
This policy setting allows you to specify the period of inactivity before Windows turns off the display.If you enable this policy setting you
This policy setting allows you to specify if Windows should enable the desktop background slideshow.If you enable this policy setting des
This policy setting allows you to specify if Windows should enable the desktop background slideshow.If you enable this policy setting des
Requirements: Windows 7 Description: This policy setting controls whether users can access the options in Recovery (in Control Pane
This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.If you enable this policy settin
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.If you enable this policy setting
This policy setting lets you customize warning messages.The "Display warning message before sharing control" policy setting allows you t
This policy setting allows you to improve performance in low bandwidth scenarios.This setting is incrementally scaled from "No optimizati
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance.If yo
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains a
This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested.The constrained delegatio
This policy setting determines whether the RPC Runtime maintains RPC state information for the system and how much information it m
This policy setting controls whether the RPC runtime generates extended error information when an error occurs.Extended error informa
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.This policy setting
This policy setting controls the idle connection timeout for RPC/HTTP connections. This policy setting is useful in cases where a network
Configure access to all removable storage classes.This policy setting takes precedence over any individual removable storage policy settin
This policy setting grants normal users direct access to removable storage devices in remote sessions.If you enable this policy setting rem
This policy setting denies execute access to the CD and DVD removable storage class.If you enable this policy setting execute access is de
This policy setting denies read access to the CD and DVD removable storage class.If you enable this policy setting read access is denied to
This policy setting denies write access to the CD and DVD removable storage class.If you enable this policy setting write access is denied t
This policy setting denies read access to custom removable storage classes.If you enable this policy setting read access is denied to these
This policy setting denies write access to custom removable storage classes.If you enable this policy setting write access is denied to thes
This policy setting denies execute access to the Floppy Drives removable storage class including USB Floppy Drives.If you enable this polic
This policy setting denies read access to the Floppy Drives removable storage class including USB Floppy Drives.If you enable this policy s
This policy setting denies write access to the Floppy Drives removable storage class including USB Floppy Drives.If you enable this policy s
This policy setting denies execute access to removable disks.If you enable this policy setting execute access is denied to this removable st
This policy setting denies read access to removable disks.If you enable this policy setting read access is denied to this removable storage
This policy setting denies write access to removable disks.If you enable this policy setting write access is denied to this removable storage
This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in a
This policy setting denies execute access to the Tape Drive removable storage class.If you enable this policy setting execute access is den
This policy setting denies read access to the Tape Drive removable storage class.If you enable this policy setting read access is denied to t
This policy setting denies write access to the Tape Drive removable storage class.If you enable this policy setting write access is denied to
This policy setting denies read access to removable disks which may include media players cellular phones auxiliary displays and CE devic
This policy setting denies write access to removable disks which may include media players cellular phones auxiliary displays and CE devic
This policy setting allows user logon scripts to run when the logon cross-forest DNS suffixes are not configured and NetBIOS or WINS is di
This policy setting displays the instructions in shutdown scripts as they run.Shutdown scripts are batch files of instructions that run when
This policy setting displays the instructions in startup scripts as they run.Startup scripts are batch files of instructions that run before the
This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and cre
This policy setting lets the system run startup scripts simultaneously.Startup scripts are batch files that run before the user is invited to lo
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer sta
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon an
This policy setting determines how long the system waits for scripts applied by Group Policy to run. This setting limits the total time allow
This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to
This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updated informa
This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows Server 200
This policy setting allows you to turn off the automatic display of Server Manager at logon.If you enable this policy setting Server Manage
This policy setting enables process mitigation options on svchost.exe processes.If you enable this policy setting built-in system services ho
This policy setting controls the use of fast startup. If you enable this policy setting the system requires hibernate to be enabled.If you dis
This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to b
Allows downloading new updates to ML Model parameters for predicting storage disk failure. Enabled: Updates would be do
Storage Sense can automatically clean some of the userâ€™s files to free up disk space. By default Storage Sense is automatically turned
When Storage Sense runs it can delete the userâ€™s temporary files that are not in use.If the group policy "Allow Storage Sense" is disab
Storage Sense can automatically clean some of the userâ€™s files to free up disk space.If the group policy "Allow Storage Sense" is disabl
When Storage Sense runs it can dehydrate cloud-backed content that hasnâ€™t been opened in a certain amount of days.If the group po
When Storage Sense runs it can delete files in the userâ€™s Recycle Bin if they have been there for over a certain amount of days.If the g
When Storage Sense runs it can delete files in the userâ€™s Downloads folder if they havenâ€™t been opened for more than a certain nu
Allows you to disable System Restore configuration through System Protection.This policy setting allows you to turn off System Restore c
Allows you to disable System Restore.This policy setting allows you to turn off System Restore.System Restore enables users in the event
This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios.If you enable this policy setting you must s
This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data.If you enable this policy setting yo
This setting exists only for backward compatibility and is not valid for this version of Windows. To configure the Program Compatibility As
This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If y
This policy setting allows you to configure the recovery behavior for corrupted files to one of three states:Regular: Detection troubleshoo
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. If yo
This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics. Self-Monitoring And Reporting Technology (S.M.A
This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems.If y
This policy setting determines the execution level for Microsoft Support Diagnostic Tool.Microsoft Support Diagnostic Tool (MSDT) gathe
This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool.Microsoft Support Diagnostic Tool (MSDT) gat
This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gath
This policy setting configures how troubleshooting for known problems can be applied on the device and lets administrators configure ho
This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states:Prompt for Resolution: Det
Determines whether scheduled diagnostics will run to proactively detect and resolve system problems.If you enable this policy setting yo
This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers.If yo
This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to
This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted on Micros
Determines the execution level for Windows Boot Performance Diagnostics.If you enable this policy setting you must select an execution
This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak problems.If you enable or do not configure
Determines the execution level for Windows Resource Exhaustion Detection and Resolution.If you enable this policy setting you must sel
Determines the execution level for Windows Shutdown Performance Diagnostics.If you enable this policy setting you must select an exec
Determines the execution level for Windows Standby/Resume Performance Diagnostics.If you enable this policy setting you must select a
Determines the execution level for Windows System Responsiveness Diagnostics.If you enable this policy setting you must select an exec
This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depe
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows.If you e
This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready.
This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the v
This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.If yo
This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.If you e
This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform M
This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform M
This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform M
This policy setting adds the Administrator security group to the roaming user profile share.Once an administrator has configured a user's
This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. To dete
This policy setting determines whether Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the us
This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specifi
This policy setting disables the detection of slow network connections. Slow link detection measures the speed of the connection betwee
This policy setting disables the more secure default setting for the user's roaming user profile folder.After an administrator has configure
This policy setting controls whether Windows forcefully unloads the user's registry at logoff even if there are open handles to the per-us
This policy setting will automatically log off a user when Windows cannot load their profile. If Windows cannot access the user profile fol
This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a user's primary computers only. This p
This policy setting controls how long Windows waits for a user response before it uses a default user profile for roaming user profiles.The
This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installatio
This policy setting determines how many times the system tries to unload and update the registry portion of a user profile. When the num
This setting determines if roaming user profiles are available on a particular computer. By default when roaming profile users log on to a
This policy setting determines if the changes a user makes to their roaming profile are merged with the server copy of their profile.By def
This policy setting provides users with the ability to download their roaming profile even when a slow network connection with their roam
This policy setting controls how long Windows waits for a response from the network before logging on a user without a remote home di
This policy setting specifies whether Windows should use the specified network path as the roaming user profile path for all users logging
This policy setting sets the schedule for background uploading of a roaming user profile's registry file (ntuser.dat). This policy setting cont
This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session.If you en
This policy setting turns off the advertising ID preventing apps from using the ID for experiences across apps.If you enable this policy setti
This setting prevents users from managing the ability to allow apps to access the user name account picture and domain information.If y
This policy setting directs the system to wait for the remote copy of the roaming user profile to load even when loading is slow. Also the
This policy setting hides the file scan progress window. This window provides status information to sophisticated users but it might confu
This policy setting specifies the maximum amount of disk space that can be used for the Windows File Protection file cache.Windows File
This policy setting allows you to set when Windows File Protection scans protected files. This policy setting directs Windows File Protectio
This policy setting specifies an alternate location for the Windows File Protection cache.If you enable this policy setting enter the fully qu
This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controlle
This policy setting specifies a set of parameters for controlling the Windows NTP Client.If you enable this policy setting you can specify th
This policy setting specifies whether the Windows NTP Client is enabled.Enabling the Windows NTP Client allows your computer to synch
This policy setting allows you to specify whether the Windows NTP Server is enabled.If you enable this policy setting for the Windows NT
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX controls on th
This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable this policy setting ActiveX controls a
By default Add features to Windows 10 is available for all administrators. If you enable this policy setting the wizard will not run.If you dis
Manages a Windows app's ability to share data between users who have installed the app. If you enable this policy a Windows app ca
This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps.If you
This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special profile. Specia
Allows or denies development of Microsoft Store applications and installing them directly from an IDE. If you enable this setting
This policy setting controls whether the system can archive infrequently used apps.If you enable this policy setting then the system will p
This policy setting allows you to manage installing Windows apps on additional volumes such as secondary partitions USB drives or S
Manages non-Administrator users' ability to install Windows app packages. If you enable this policy non-Administrators will be unabl
Prevent users' app data from moving to another location when an app is moved or installed on another location. If you enable th
This policy setting specifies whether Windows apps can access account information.You can specify either a default setting for all apps or
This policy setting specifies whether Windows apps can access the eye tracker.You can specify either a default setting for all apps or a pe
This policy setting specifies whether Windows apps can access call history.You can specify either a default setting for all apps or a per-app
This policy setting specifies whether Windows apps can access contacts.You can specify either a default setting for all apps or a per-app s
This policy setting specifies whether Windows apps can get diagnostic information about other Windows apps including user name.You c
This policy setting specifies whether Windows apps can access email.You can specify either a default setting for all apps or a per-app setti
This policy setting specifies whether Windows apps can access location.You can specify either a default setting for all apps or a per-app se
This policy setting specifies whether Windows apps can read or send messages (text or MMS).You can specify either a default setting for
This policy setting specifies whether Windows apps can access motion data.You can specify either a default setting for all apps or a per-a
This policy setting specifies whether Windows apps can access notifications.You can specify either a default setting for all apps or a per-a
This policy setting specifies whether Windows apps can access tasks.You can specify either a default setting for all apps or a per-app setti
This policy setting specifies whether Windows apps can access the calendar.You can specify either a default setting for all apps or a per-a
This policy setting specifies whether Windows apps can access the camera.You can specify either a default setting for all apps or a per-ap
This policy setting specifies whether Windows apps can access the microphone.You can specify either a default setting for all apps or a pe
This policy setting specifies whether Windows apps can access trusted devices.You can specify either a default setting for all apps or a pe
This policy setting specifies whether Windows apps can access the movement of the user's head hands motion controllers and other trac
This policy setting specifies whether Windows apps can be activated by voice.If you choose the "User is in control" option employees in y
This policy setting specifies whether Windows apps can be activated by voice while the system is locked.If you choose the "User is in con
This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.You can specify either a default setti
This policy setting specifies whether Windows apps have access to control radios.You can specify either a default setting for all apps or a
This policy setting specifies whether Windows apps can make phone calls.You can specify either a default setting for all apps or a per-app
This policy setting specifies whether Windows apps can run in the background.You can specify either a default setting for all apps or a pe
This policy setting specifies whether Windows apps can take screenshots of various windows or displays.You can specify either a default
This policy setting specifies whether Windows apps can turn off the screenshot border.You can specify either a default setting for all apps
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. Th
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Because desk
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI scheme. Because
This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web content can be lau
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app ma
Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16
This policy controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the propert
This policy controls the state of the application compatibility engine in the system.The engine is part of the loader and looks through a co
The policy controls the state of the Application Telemetry engine in the system.Application Telemetry is a mechanism that tracks anonym
This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications files devices and drive
This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. Whe
This policy setting controls the state of Steps Recorder.Steps Recorder keeps a record of steps taken by the user. The data generated by S
The policy controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic com
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting AutoPlay is not allowe
This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when a device is connected. If you
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. Th
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in th
This policy setting allows you to manage whether backups of only system volumes is allowed or both OS and data volumes can be backed
This policy setting allows you to manage whether backups of a machine can run to locally attached storage or not.If you enable this polic
This policy setting allows you to manage whether backups of a machine can run to a network share or not.If you enable this policy setting
This policy setting allows you to manage whether backups of a machine can run to an optical media or not.If you enable this policy settin
This policy setting allows you to manage whether run-once backups of a machine can be run or not.If you enable this policy setting mach
This policy setting determines whether users with a domain account can log on or elevate User Account Control (UAC) permissions using
This policy setting allows or prevents the Windows Biometric Service to run on this computer. If you enable or do not configure this p
This policy setting determines whether users can log on or elevate User Account Control (UAC) permissions using biometrics. By default
This policy setting specifies the number of seconds a pending fast user switch event will remain active before the switch is initiated. By d
This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.If you enable this settin
This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is app
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can display and specify BitLocker recovery o
This policy setting allows you toÂ block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user
This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you
This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption recovery info
This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setti
This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on compu
This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentia
This policy setting allows you to manage BitLockerâ€™s use of hardware-based encryption on fixed data drives and specify which encrypti
This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the u
This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed da
This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.If you enable t
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you
This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HSTI) to not h
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker.Enhanced startup PINs permit t
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and jo
This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating
This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required st
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is
This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boot key reco
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker e
This policy setting allows you to manage BitLockerâ€™s use of hardware-based encryption on operating system drives and specify which
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protec
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs provided they are
This policy setting allows users to turn on authentication options that require user input from the pre-boot environment even if the platfo
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and wheth
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an additional authenti
This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocke
This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation.If you enable t
This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on co
This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required cre
This policy setting allows you to manage BitLockerâ€™s use of hardware-based encryption on removable data drives and specify which e
This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow u
This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable d
This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker.When
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive.
This policy setting allow the use of Camera devices on the machine. If you enable or do not configure this policy setting Cam
This policy setting prevents Windows tips from being shown to users.If you enable this policy setting users will no longer see Windows tip
This policy setting lets you turn off cloud optimized content in all Windows experiences.If you enable this policy Windows experiences th
This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account.If you enable this pol
This policy setting allows you to turn off projection to a PC. If you turn it on your PC isn't discoverable and can't be projected to except if
This policy setting allows you to require a pin for pairing. If you set this to 'Never' a pin isn't required for pairing.If you set this to 'First Tim
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.If you enable thi
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running application. By defa
If you turn this policy setting on local users wonâ€™t be able to set up and use security questions to reset their passwords.
This policy setting requires the user to enter Microsoft Windows credentials using a trusted path to prevent a Trojan horse or other types
AllowCommercialDataPipeline controls whether Microsoft is a processor or controller for Windows diagnostic data collected from this de
Allows IT admins to enable diagnostic data from this device to be processed by Desktop Analytics. The following list shows th
This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data.If you disable or do not configure this polic
By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restricts the user
Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. The following list shows
Allows IT admins to enable diagnostic data from this device to be processed by Windows Update for Business cloud. The follo
This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated proxy to send
With this policy setting you can forward Connected User Experience and Telemetry requests to a proxy server.If you enable this policy se
This policy setting controls whether notifications are shown following a change to diagnostic data opt-in settings on first logon and when
This policy setting determines whether an end user can change diagnostic data settings in the Settings app.If you set this policy setting to
This policy sets the upload endpoint for this deviceâ€™s diagnostic data as part of the Desktop Analytics program.If your organization is p
This policy setting defines the identifier used to uniquely associate this deviceâ€™s diagnostic data data as belonging to a given organizati
This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & feedback Settings page.If you enable thi
This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & feedback Settings pag
This policy setting controls whether Windows can download configuration settings from the OneSettings service.If you enable this policy
This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft.If you enable this policy
This policy setting controls whether Windows records attempts to download configuration settings from the OneSettings service to the E
This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot a problem
This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem.â€¯Dumps
This policy setting in combination with the "Allow Diagnostic Data" policy setting enables organizations to send the minimum data requir
This policy setting determines whether users can get preview builds of Windows by configuring controls in Settings > Update and security
Specifies the maximum size in GB of Delivery Optimization cache.This policy overrides the DOMaxCacheSize policy.The value 0 (zero) mea
Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC power (Batt
This policy allows you to set one or more Delivery Optimization in Network Cache servers that will be used by your client(s).One or more
This policy allows you to specify how your client(s) can discover Delivery Optimization in Network Cache servers dynamically.Options ava
Set this policy to delay the fallback from Cache Server to the HTTP source for a background content download by X seconds.Note: if you s
This policy allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.After the max delay has re
Set this policy to delay the fallback from Cache Server to the HTTP source for a foreground content download by X seconds.Note: if you s
This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.After the max
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates Apps and App updates.The follow
Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network.This means the device c
Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to.Use this if you need to create a sing
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully.The value
Specifies the maximum cache size that Delivery Optimization uses as a percentage of available disk size (1-100).
Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent download acti
Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a p
Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent download acti
Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a p
Specifies the minimum download QoS (Quality of Service or speed) for background downloads in KiloBytes/second.This policy affects the
Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default value will be us
Specifies the minimum content file size in MB enabled to use Peer Caching.Recommended values: 1 MB to 100000 MB.
Specifies the minimum RAM size in GB required to use Peer Caching.For example if the minimum set is 1 GB then devices with 1 GB or hig
Specifies the drive Delivery Optimization shall use for its cache.By default %SystemDrive% is used to store the cache. The drive location c
Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month.The va
Set this policy to restrict peer selection via selected option.Options available are:0 = NAT.1 = Subnet mask.2 = Local discovery (DNS-SD).T
Set this policy to restrict peer selection to a specific source.Options available are:1 = AD Site.2 = Authenticated domain SID.3 = DHCP Opti
Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all co
Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all co
This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be deployed as compressed files eithe
This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the desktop.If
This policy setting allows you to turn off desktop gadgets that have been installed by the user.If you enable this setting Windows will not
This policy setting allows you to configure the accessibility of the Flip 3D feature. Flip 3D allows the user to view items on the Windows d
This policy setting controls the appearance of window animations such as those found when restoring minimizing and maximizing window
This policy setting controls the Start background visuals.If you enable this policy setting the Start background will use a solid color.If you d
This policy setting controls the ability to change the color of window frames. If you enable this policy setting you prevent users from chan
This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting an
Changes behavior of Microsoft bus drivers to work with specific devices.
Changes behavior of 3rd-party drivers to work around incompatibilities introduced between OS versions.
This setting lets you configure how domain joined computers become registered as devices.When you enable this setting domain joined
Specifies whether Digital Locker can run.Digital Locker is a dedicated download manager associated with Windows Marketplace and a fea
If you disable this policy setting users will not be able to invoke any system UI by swiping in from any screen edge.If you enable or do not
Disables help tips that Windows shows to the user.By default Windows will show the user help tips until the user has successfully comple
This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Co
This policy setting allows you to configure the server address refresh interval and issuer certificate authority (CA) of a target Subscription
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain old events"
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string.If you
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) string. You
This policy setting controls Event Log behavior when the log file reaches its maximum size.If you enable this policy setting and a log file re
This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only b
This policy setting specifies the maximum size of the log file in kilobytes.If you enable this policy setting you can configure the maximum l
This policy setting turns on logging.If you enable or do not configure this policy setting then events can be written to this log.If the policy
This policy setting lets you configure Protected Event Logging.If you enable this policy setting components that support it will use the cer
This is the program that will be invoked when the user clicks the events.asp link.
This specifies the command line parameters that will be passed to the events.asp program
This is the URL that will be passed to the Description area in the Event Properties dialog box. Change this value if you want to use a differ
This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons.If you enable this policy setting file shor
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running
Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implemen
This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Profile Group P
This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or pr
This policy setting allows you to specify a location where all default Library definition files for users/machines reside.If you enable this po
This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol default appli
Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy.
Shows or hides hibernate from the power options menu.If you enable this policy setting the hibernate option will be shown in the Power
Shows or hides lock from the user tile menu.If you enable this policy setting the lock option will be shown in the User Tile menu.If you dis
Shows or hides sleep from the power options menu.If you enable this policy setting the sleep option will be shown in the Power Options
This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. If y
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immedia
This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order.If you en
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality
This policy setting allows you to prevent data loss when you change the target location for Folder Redirection and the new and old target
This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-
This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk re
This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. P
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous ver
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous ver
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of
This policy setting allows you to turn off File History.If you enable this policy setting File History cannot be activated to create regular aut
This policy turns on Find My Device.When Find My Device is on the device and its location are registered in the cloud so that the device c
The handwriting panel has 2 modes - floats near the text box or attached to the bottom of the screen. Default is floating near text box. If
This policy setting specifies whether users can add computers to a homegroup. By default users can add their computer to a homegroup
This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally search provid
This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode.If you enable this policy "Save Targe
This policy setting allows you to revert to the Internet Explorer 8 behavior of allowing OnUnLoad script handlers to display UI during shut
This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide enhanced su
This policy setting allows you to configure whether newly installed add-ons are automatically activated in the Internet Explorer 9 browse
Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this policy if your e
This policy setting allows you to customize the Internet Explorer version string as reported to web servers in the HTTP User Agent header
Prevents Internet Explorer from automatically installing components.If you enable this policy it prevents Internet Explorer from downloa
This setting specifies to automatically detect the proxy server settings used to connect to the Internet and customize Internet Explorer. T
Prevents users from changing dial-up settings.If you enable this policy the Settings button on the Connections tab in the Internet Options
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page whenever the brow
This policy settings disables the Import/Export Settings wizard. This wizard allows you to import settings from another browser import se
This policy lets you restrict launching of Internet Explorer as a standalone browser.If you enable this policy it:- Prevents Internet Explorer
Prevents Internet Explorer from checking whether a new version of the browser is available.If you enable this policy it prevents Internet
Prevents the Internet Explorer splash screen from appearing when users start the browser.If you enable this policy the splash screen whi
Specifies that programs using the Microsoft Software Distribution Channel will not notify users when they install new components. The S
This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager.If you enable
This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys such as "Ctrl+S" to have "Save as" functio
This policy setting allows you to enforce full-screen mode which disables the navigation bar the menu bar and the Command bar. Starting
This policy setting configures Internet Explorer to automatically install new versions of Internet Explorer when they are available.If you en
Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the â€˜Send all sites not included in t
This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionally this polic
This policy setting allows you to control which Domains are included in the discovery functionality of the Internet Explorer Site discovery
This policy setting allows you to control which site zones are included in the discovery functionality of the Internet Explorer Site discovery
Applies proxy settings to all users of the same computer.If you enable this policy users cannot set user-specific proxy settings. They must
This policy setting allows you to specify a list of web sites that will be allowed to open pop-up windows regardless of the Internet Explore
This policy setting prevents the user from using the "Fix settings" functionality related to Security Settings Check.If you enable this policy
This policy setting prevents the user from accessing Help in Internet Explorer.If you enable this policy setting the following occur: â€¢ Th
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the user from
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the user about e
This policy setting prevents the user from changing the level of pop-up filtering. The available levels are as follows: High: Block all pop-u
This policy setting specifies if a user can change proxy settings.If you enable this policy setting the user will not be able to configure proxy
This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box.If you ena
This policy setting allows you to configure how windows open in Internet Explorer when the user clicks links from other applications.If yo
This policy setting allows you to configure how new tabs are created by default in Internet Explorer.If you enable this policy setting the us
This policy setting prevents the Search box from appearing in Internet Explorer. When the Search box is available it includes all installed s
You can allow pop-ups from specific websites by adding the sites to the exception list.If you enable this policy setting the user cannot add
This policy setting prevents the user from managing SmartScreen Filter which warns the user if the website being visited is known for frau
This policy setting prevents the user from managing a filter that warns the user if the website being visited is known for fraudulent attem
This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).If you enable this policy
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.If you enable this policy setting ActiveX co
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after installing Inte
This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those defined in the lis
Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same security level.If y
Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.If you enable thi
Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same security level.
This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use this settin
This policy setting allows you to set the rate at which Internet Explorer creates new tab processes. There are two algorithms that Interne
This policy setting lets you decide whether employees see an additional page in Internet Explorer 11 stating that a site has been opened u
This policy setting allows you to specify what is displayed when the user opens a new tab.If you enable this policy setting you can choose
This policy setting allows you to specify how ActiveX controls are installed.If you enable this policy setting ActiveX controls are installed o
This policy setting allows you to manage whether users can pin sites to locations where pinning is allowed such as the taskbar the deskto
This policy setting allows you to turn off the ActiveX Opt-In prompt. ActiveX Opt-In prevents websites from loading any ActiveX control w
This policy setting prevents Internet Explorer from displaying a notification when the average time to load all the user's enabled add-ons
This policy setting turns off Automatic Crash Recovery.If you enable this policy setting Automatic Crash Recovery does not prompt the us
This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data about the
This policy setting allows you to define the user experience related to how pop-up windows appear in tabbed browsing in Internet Explor
This policy setting allows you to manage the crash detection feature of add-on Management.If you enable this policy setting a crash in In
This policy setting allows you to manage whether a user has access to the Favorites bar in Internet Explorer.If you enable this policy settin
This policy setting allows the user to enable the SmartScreen Filter which warns the user if the website being visited is known for fraudul
This policy setting prevents the user from zooming in to or out of a page to better see the content.If you enable this policy setting applica
This policy setting allows you to manage pop-up management functionality in Internet Explorer.If you enable this policy setting the Contr
This policy setting allows you to turn off the Quick Tabs functionality in Internet Explorer.If you enable this policy setting the entry points
This policy setting allows you to manage whether a user has access to the Reopen Last Browsing Session feature in Internet Explorer.If yo
This policy setting allows you to turn off suggestions for all user-installed search providers.If you enable this policy setting the user canno
This policy setting allows you to turn off tabbed browsing and related entry points from the Internet Explorer user interface. Starting with
This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar.If you enable t
This policy setting allows you to prevent the quick pick menu from appearing when a user clicks in the Search box.If you enable this polic
This policy setting turns off the Security Settings Check feature which checks Internet Explorer security settings to determine when the se
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to turn off Ac
This policy setting logs information that is blocked by new features in Internet Explorer. The logged compatibility information is displayed
This policy setting allows you to turn on or turn off the earlier menus (for example File Edit and View) in Internet Explorer.If you enable th
This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site discovery Toolkit(SDTK). When enable
This policy setting allows you to manage the XML output functionality of the Internet Explorer Site discovery Toolkit(SDTK). When enable
This policy setting controls the Suggested Sites feature which recommends websites based on the userâ€™s browsing activity. Suggested
This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE instead of Standard mode
This policy setting allows you to add default Accelerators.If you enable this policy setting the specified Accelerators are added to the user
This policy setting allows you to add non-default Accelerators.If you enable this policy setting the specified Accelerators are added to the
This policy setting restricts the list of Accelerators that the user can access to only the set deployed through Group Policy.If you enable th
This policy setting allows you to manage whether users can access Accelerators.If you enable this policy setting users cannot access Acce
This policy setting allows you to bypass prompting when a script that is running in any process on the computer attempts to perform a Cl
This policy setting allows you to bypass prompting when a script that is running in the Internet Explorer process attempts to perform a Cl
This policy setting allows you to define applications and processes that can access the Clipboard without prompting the user.Note: Do no
This policy setting allows you to manage whether users can access the Print menu. Starting with Windows 8 this policy setting also allows
This policy setting allows you to manage whether users can launch the report site problems dialog using a menu option.If you enable this
This policy controls the website compatibility lists that Microsoft provides. The updated website lists are available on Windows Update.If
This policy setting controls the Compatibility View feature which allows the user to fix website display problems that he or she may encou
This policy setting controls the Compatibility View button that appears on the Command bar. This button allows the user to fix website di
This policy setting allows you to turn on Internet Explorer 7 Standards Mode. Compatibility View determines how Internet Explorer identi
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage that belong
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.If you enable this policy s
Compatibility View determines how Internet Explorer identifies itself to a web server and determines whether content is rendered in Qui
This policy setting prevents the user from specifying the code download path for each computer. The Internet Component Download ser
This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences selected in the
This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Temporary Interne
This policy setting prevents the user from performing actions which will delete browsing history. For more information on browsing histo
In Internet Explorer 9 and Internet Explorer 10:This policy setting prevents users from deleting ActiveX Filtering and Tracking Protection d
This policy setting prevents the user from deleting cookies. This feature is available in the Delete Browsing History dialog box.If you enab
This policy setting prevents the user from deleting his or her download history. This feature is available in the Delete Browsing History dia
This policy setting prevents the user from deleting favorites site data. This feature is available in the Delete Browsing History dialog box.If
This policy setting prevents the user from deleting form data. This feature is available in the Delete Browsing History dialog box.If you en
This policy setting prevents the user from deleting InPrivate Filtering data. Internet Explorer collects InPrivate Filtering data during brows
This policy setting prevents users from deleting passwords. This feature is available in the Delete Browsing History dialog box.If you enab
This policy setting prevents the user from deleting temporary Internet files. This feature is available in the Delete Browsing History dialog
This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in the Delete
This policy setting is used to manage temporary Internet files and cookies associated with your Internet browsing history available by clic
Removes the Advanced tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented from seein
Removes the Connections tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented from see
If you enable this policy setting users are prevented from seeing and changing ratings certificates AutoComplete Wallet and Profile Assist
Removes the General tab from the interface in the Internet Options dialog box.If you enable this policy users are unable to see and chang
Removes the Privacy tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented from seeing a
Removes the Programs tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented from seeing
Removes the Security tab from the interface in the Internet Options dialog box.If you enable this policy it prevents users from seeing and
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrup
This policy setting allows you to manage whether Internet Explorer converts Unicode domain names to internationalized domain name (I
This policy setting allows you to manage whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) for mailto links.If y
This policy setting allows you to manage whether users receive a dialog requesting permission for active content on a CD to run.If you en
This policy setting allows you to manage whether users can download and install self-installing program files (non-Internet Explorer comp
This policy setting allows you to manage whether users can automatically download and install Web components (such as fonts) that can
This policy setting determines whether Internet Explorer uses the HTTP2 network protocol. HTTP2 requests help optimize the latency of n
This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests to optimiz
This policy setting allows you to manage whether software such as ActiveX controls and file downloads can be installed or run by the use
This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as browser helper objects such as to
This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header.If you enable this policy setting Int
This policy setting allows you to manage whether Internet Explorer checks the Internet for newer versions. When Internet Explorer is set
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certificates are re
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed s
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. When a user h
This policy setting prevents the user from using the Reset Internet Explorer Settings feature. Reset Internet Explorer Settings allows the u
This policy setting allows you to manage whether Internet Explorer will save encrypted pages that contain secure (HTTPS) information su
This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder after all b
This policy setting allows you to manage whether Internet Explorer will display animated pictures found in Web content. Generally only a
This policy setting allows you to manage whether Internet Explorer will play sounds found in web content. Generally only sound files such
This policy setting allows you to manage whether Internet Explorer will display videos found in Web content. Generally only embedded v
This policy setting prevents the text on the screen from being rendered through the ClearType technology that enhances the readability o
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0 TLS 1.1 TLS 1.2 Secure Sockets Layer (SSL) 2.0 or SS
This policy setting determines whether Internet Explorer preemptively loads websites and content in the background speeding up perfor
This policy setting specifies whether you will accept requests from Web sites for Profile Assistant information.If you enable this policy setti
This policy setting determines whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) to encode query strings in UR
This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of a website.M
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (for greater co
This policy setting allows you to turn Caret Browsing on or off. Caret Browsing allows users to browse to a webpage by using the keyboar
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versions of Wind
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1.If you enable this policy setting Internet Explorer uses H
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1 through proxy connections.If you enable this policy setti
This policy setting shows the Content Advisor setting on the Content tab of the Internet Options dialog box.If you enable this policy settin
This policy setting configures what Internet Explorer displays when a new browsing session is started. By default Internet Explorer display
This policy setting allows websites to store file resources in application caches on client computers.If you enable this policy setting websit
This policy setting allows websites to store indexed database cache information on client computers.If you enable this policy setting web
This policy setting sets file storage limits for application caches of websites that have been allowed to exceed their storage limit. The â€œ
This policy setting sets the number of days an inactive application cache will exist before it is removed. If the application cache is used be
This policy setting sets data storage limits for indexed database and application caches for individual websites. When you set this policy s
This policy setting sets data storage limits for indexed databases of websites that have been allowed to exceed their storage limit. The â€
This policy setting sets the maximum size for an individual resource file contained in a manifest file. The manifest file is used to create the
This policy setting sets the maximum number of resource entries that can be specified in a manifest file associated with an application ca
This policy setting sets the file storage limit for all combined application caches for a user. When you set this policy setting you provide th
This policy setting sets the data storage limit for all combined indexed databases for a user. When you set this policy setting you provide
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level for example Low M
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local Intranet se
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.If you enable this policy setti
This policy setting controls whether sites which bypass the proxy server are mapped into the local Intranet security zone.If you enable th
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone numbers hav
This policy setting enables intranet mapping rules to be applied automatically if the computer belongs to a domain.If you enable this poli
This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on the user
This policy setting causes a Notification bar notification to appear when intranet content is loaded and the intranet mapping rules have n
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML P
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can run active c
This policy setting allows you to manage whether script code on pages in the zone is run.If you enable this policy setting script code on pa
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTM
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example cut copy and paste) in a specifie
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.If you enable
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of t
This policy setting allows you to manage whether pages of the zone may download HTML fonts.If you enable this policy setting HTML fon
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this option are: If
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted ClickOnce-deploy
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based decl
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated content an
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the website that
This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.If you enable this policy setting
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors in File Expl
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in the preview
This policy setting determines whether a page can control embedded WebBrowser controls via script.If you enable this policy setting scri
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status ba
This policy setting allows you to manage whether the user can run scriptlets.If you enable this policy setting the user can run scriptlets.If
This policy setting allows you to manage whether script is allowed to update the status bar within the zone.If you enable this policy settin
This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.If you selecte
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animation playbac
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar.If you enab
This policy setting determines whether scripted windows are automatically displayed.If you enable this policy setting scripted windows a
This policy setting manages whether users will be automatically prompted for ActiveX control installations.If you enable this policy setting
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting users will r
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a security inform
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one certificate exi
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls to check if they're safe to lo
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.If you enable this
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A MIME sniff
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If the local p
This policy setting allows you to manage ActiveX controls not marked as safe.If you enable this policy setting ActiveX controls are run load
This policy setting allows you to manage permissions for Java applets.If you enable this policy setting you can choose options from the dr
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME reference in the
This policy setting allows you to manage settings for logon options.If you enable this policy setting you can choose from the following log
This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.If you e
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone.If you enable this policy setting you can con
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed f
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.If you enable
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.If you enable this
This policy setting allows you to manage whether applets are exposed to scripts within the zone.If you enable this policy setting scripts ca
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open executable fi
This policy setting allows you to manage software channel permissions.If you enable this policy setting you can choose the following opti
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent with SSL (Secu
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .NET Frame
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new control th
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities b
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.If you enable this policy setting Sma
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end us
This policy setting allows you to manage the preservation of information in the browser's history in favorites in an XML store or directly w
This policy setting allows you to manage whether Web sites from less privileged zones such as Restricted Sites can navigate into this zone
This policy setting allows you to manage whether Web sites from less privileged zones such as Internet sites can navigate into this zone.If
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Trusted Sites Zone can run ac
This policy setting configures Internet Explorer to open Internet Explorer tiles on the desktop.If you enable this policy setting Internet Exp
This policy setting allows you to choose how links are opened in Internet Explorer: Let Internet Explorer decide always in Internet Explore
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.If you enable this policy setting Intern
This policy setting allows you to manage if users can see the button (next to the New Tab button) that opens Microsoft Edge.If you enable
This policy setting determines whether phone numbers are recognized and turned into hyperlinks which can be used to invoke the defau
This policy setting specifies whether Internet Explorer plays media files that use alternative codecs and that require additional software.I
This policy setting specifies whether the user can conduct a search on the Address bar.If you enable this policy setting you must specify w
This policy setting allows you to specify whether a user can browse to the website of a top result when search is enabled on the Address
This policy setting turns off URL Suggestions. URL Suggestions allow users to autocomplete URLs in the address bar based on common UR
This policy setting allows you to prevent Windows Search AutoComplete from providing results in the Internet Explorer Address bar.Wind
This policy setting prevents the user from specifying a URL that contains update information about cipher strength. When the user logs o
This policy setting prevents the user from changing the default URL for checking updates to Internet Explorer and Internet Tools.If you en
This policy setting prevents the user from specifying the update check interval. The default value is 30 days.If you enable this policy settin
This policy setting allows you to establish the threshold for InPrivate Filtering Automatic mode.The threshold sets the number of first-par
This policy setting allows you to establish the threshold for Tracking Protection Automatic mode.The threshold sets the number of first-p
This policy setting allows you to choose whether or not toolbars and Browser Helper Objects (BHOs) are loaded by default during an InPr
This policy setting allows you to turn off the collection of data used by the InPrivate Filtering Automatic mode.The data consists of the UR
This policy setting allows you to turn off the InPrivate Browsing feature.InPrivate Browsing prevents Internet Explorer from storing data a
This policy setting allows you to turn off InPrivate Filtering.InPrivate Filtering helps users control whether third parties can automatically
This policy setting allows you to turn off Tracking Protection.Tracking Protection helps users control whether third parties can automatica
This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled Internet Explorer will attempt to connec
This policy setting allows you to hide the reveal password button when Internet Explorer prompts users for a password. The reveal passw
This policy setting allows you to turn off the Data Execution Prevention feature for Internet Explorer on Windows Server 2008 Windows V
This policy setting allows you to turn on or turn off Data URI support. A Data URI allows web developers to encapsulate images and .css fi
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are controls l
This policy setting allows you to manage whether processes respect add-on management user preferences (as reflected by Add-on Mana
This policy setting allows you to ensure that any Internet Explorer add-ons not listed in the 'Add-on List' policy setting are denied. Add-on
This policy setting allows you to manage whether the listed processes respect add-on management user preferences (as entered into Add
This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in
This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never b
This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX controls. Outdat
This policy setting determines whether Internet Explorer saves log information for ActiveX controls.If you enable this policy setting Intern
This policy setting allows the user to run natively implemented scriptable XMLHTTP.If you enable this policy setting the user can run nativ
This policy setting allows you to change the default connection limit for HTTP 1.1 from 6 connections per host to a limit of your choice (fr
This policy setting allows you to change the default connection limit for HTTP 1.0 from 6 connections per host to a limit of your choice (fr
This policy setting allows you to change the default limit of WebSocket connections per server. The default limit is 6; you can select a valu
This policy setting allows you to manage whether documents can request data across third-party domains embedded in the page.If you e
The WebSocket object allows websites to request data across domains from your browser by using the WebSocket protocol. This policy s
This policy setting allows you to choose whether websites can request data across domains by using the XDomainRequest object. Note th
For each zone the Binary and Scripted Behavior security restrictions may be configured to allow only a list of admin-approved behaviors.
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elements to which
This policy setting allows you to manage whether Internet Explorer 9 can install ActiveX controls and other binaries signed with MD2 and
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received throug
Internet Explorer places zone restrictions on each Web page it opens which are dependent upon the location of the Web page (Internet I
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the M
Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsafe manner.
File Explorer and Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an
Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsafe manner.
For each zone the Network Protocol Lockdown security restriction may be configured to prevent active content obtained through restrict
This policy setting allows you to manage whether the Notification bar is displayed for processes other than the Internet Explorer processe
This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code instal
This policy setting allows you to manage whether the Notification bar is displayed for specific processes when file or code installs are rest
This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or to a new do
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Inter
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control installation.If y
This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.If you enable this policy setting
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control installation.If y
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that are not use
This policy setting enables blocking of file download prompts that are not user initiated.If you enable this policy setting file download pro
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that are not use
Internet Explorer allows scripts to programmatically open resize and reposition windows of various types. The Window Restrictions secur
This policy setting allows you to choose among three different labels for command buttons: show all text labels show selective text or sho
This policy setting allows you to manage where tabs are displayed.If you enable this policy setting tabs are displayed on a separate row.If
This policy setting allows you to show or hide the Command bar.If you enable this policy setting the Command bar is hidden and the user
This policy setting allows you to show or hide the status bar.If you enable this policy setting the status bar is hidden and the user cannot c
This policy setting allows you to lock or unlock the toolbars on the user interface.If you enable this policy setting the toolbars are locked a
This policy setting allows you to lock the Stop and Refresh buttons next to the Back and Forward buttons.If you enable this policy setting
This policy setting allows you to manage whether the user can access Developer Tools in Internet Explorer.If you enable this policy settin
This policy setting allows you to turn off the toolbar upgrade tool. The toolbar upgrade tool determines whether incompatible toolbars o
This policy setting allows you increase the size of icons for command buttons.If you enable this policy setting icons for command buttons
This policy setting prevents installation of Internet Information Services (IIS) on this computer. If you enable this policy setting Internet In
This policy setting turns off the location feature for this computer. If you enable this policy setting the location feature is turned o
This policy setting turns off scripting for the location feature. If you enable this policy setting scripts for the location feature will n
This policy setting turns off the sensor feature for this computer. If you enable this policy setting the sensor feature is turned off
This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting the Window
This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary
This policy setting allows you to configure Automatic Maintenance activation random delay. The maintenance random delay is
This policy setting allows you to configure Automatic Maintenance wake up policy. The maintenance wakeup policy specifies if
Enables or disables the automatic download and update of map data.If you enable this setting the automatic download and update of m
This policy setting allows you to turn on or turn off unsolicited network traffic on the Offline Maps page in Settings > System > Offline Ma
This policy setting specifies whether Mobile Device Management (MDM) Enrollment is allowed. When MDM is enabled it allows the user
This policy setting specifies whether to automatically enroll the device to the Mobile Device Management (MDM) service configur
This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services.
This setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enable
This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware secu
This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup bu
Enable or disable detection for potentially unwanted applications. You can choose to block audit or allow when potentially unwante
This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings
This policy if defined will prevent antimalware from using the configured proxy server when communicating with the specified IP address
This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security in
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for s
This policy setting allows you to configure the directory path where the support log files would be copied to. The value of this setting sho
This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence
This policy setting turns off Microsoft Defender Antivirus. If you enable this policy setting Microsoft Defender Antivirus does not run a
This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The
This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The t
This policy setting allows you to configure whether or not to display AM UI to the users. If you enable this setting AM UI won't be
Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. If you disable or do not co
This policy setting allows user to supress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode). If yo
This policy setting allows you specify a list of file types that should be excluded from scheduled custom and real-time scanning. File types
Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified reso
This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy does not app
Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. Disabled (Default): M
This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy.
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content t
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to
This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set. Possible options are: (
Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting you can set each rule to the following in the Opti
Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: Specify the folders or files and resources that should be
Add additional applications that should be considered "trusted" by controlled folder access. These applications are allowed to modify
Enable or disable controlled folder access for untrusted applications. You can choose to block audit or allow attempts by untrusted a
Specify additional folders that should be guarded by the Controlled folder access feature. Files in these folders cannot be modified or
Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to access dan
Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit mode on Win
This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds and scan it in the cloud to make sure it
Enable or disable file hash computation feature. Enabled: When this feature is enabled Microsoft Defender will compute has
This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files. If this s
This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under
Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit mode on Win
This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definitio
This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you e
This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder b
This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you enable this s
This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setti
This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can o
This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can
This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy.
This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group P
This policy setting allows you to configure monitoring for incoming and outgoing files without having to turn off monitoring entirely. It is
This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you enable this
This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting monito
This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setti
This policy setting turns off real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts you when m
This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting behavior monitoring will b
This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which co
This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If you enable or do not configure th
This policy setting allows you to configure script scanning. If you enable or do not configure this setting script scanning will be enabled.
This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This
This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation.
This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The ti
This policy setting configures the time in minutes before a detection in the â€œcritically failedâ€ state to moves to either the â€œadditi
This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared" state.
This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state.
This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" state.
This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setting Watson
This policy configures Windows software trace preprocessor (WPP Software Tracing) components.
This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing levels are d
Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients. If you dis
This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configure this s
This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur before running a scan
This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can
This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. I
This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Po
This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy.
This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only
This policy setting allows you to enable or disable low CPU priority for scheduled scans. If you enable this setting low CPU priority
This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable this setti
This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-up scan will
This policy setting allows you to configure scanning mapped network drives. If you enable this setting mapped network drives will be sc
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. If you enab
This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of remova
This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to ru
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hou
This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked d
This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting a
This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represen
This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: 1 = Quick Scan (default) 2
This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the numb
This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the numb
This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. If you enable or do no
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a reg
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a r
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled the engine will parse the mailbox and mail fi
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client.
This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The va
This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned there is a possible risk of recu
This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in res
This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the servi
This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automatic Updates
This policy setting allows you to configure security intelligence updates when the computer is running on battery power. If you enable o
Disabled (Default): Updates and communications are not allowed over metered connections. Enabled: Allow managed devices to
This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediately after ser
This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted
This policy setting allows you to define the security intelligence location for VDI-configured computers. If you disable or do not configu
This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required. By defaul
This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date.
This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If s
This policy setting allows you to define the order in which different security intelligence update sources should be contacted. The value o
This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present. If you
This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can also be co
This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is represented as th
This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is represented
This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred. If you enab
This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level.Threat alert levels
This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats sh
Specify a common set of Microsoft Defender Exploit Guard system and application mitigation settings that can be applied to all endpoint
This policy allows users to use a companion device such as a phone fitness band or IoT device to sign on to a desktop computer running W
This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between usersâ€™ compute
This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center.If you enable this policy setting the C
This policy setting specifies the URL for the Contact IT link in the Company Settings Center.If you enable this policy setting the Company S
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps.By default th
This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable to take effe
This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent runs for th
This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage path before
This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package file size reac
This policy setting configures where the settings package files that contain user settings are stored. If you enable this policy setting the us
This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace the default M
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections.By de
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connections outsi
This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows apps that ar
This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settings storage
This policy setting configures the synchronization of Windows settings between computers.Certain Windows settings will synchronize bet
This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default an icon appears in the system tray that displays
This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier.
This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers running in a
This policy setting configures the backup of certain user settings for Microsoft Access 2013.Microsoft Access 2013 has user settings that a
This policy setting configures the backup of certain user settings for Microsoft Access 2016.Microsoft Access 2016 has user settings that a
This policy setting configures the synchronization of user settings of Calculator.By default the user settings of Calculator synchronize betw
This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 application
This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 application
This policy setting configures the backup of certain user settings for Microsoft Excel 2013.Microsoft Excel 2013 has user settings that are
This policy setting configures the backup of certain user settings for Microsoft Excel 2016.Microsoft Excel 2016 has user settings that are
This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013.Microsoft InfoPath 2013 has user settings th
This policy setting configures the synchronization of user settings of Internet Explorer 10.By default the user settings of Internet Explorer
This policy setting configures the synchronization of user settings of Internet Explorer 11.By default the user settings of Internet Explorer
This policy setting configures the synchronization of user settings for Internet Explorer 8.By default the user settings of Internet Explorer
This policy setting configures the synchronization of user settings for Internet Explorer 9.By default the user settings of Internet Explorer
This policy setting configures the synchronization of user settings which are common between the versions of Internet Explorer.By defau
This policy setting configures the backup of certain user settings for Microsoft Lync 2013.Microsoft Lync 2013 has user settings that are b
This policy setting configures the backup of certain user settings for Microsoft Lync 2016.Microsoft Lync 2016 has user settings that are b
This policy setting configures the synchronization of user settings for Microsoft Access 2010.By default the user settings of Microsoft Acce
This policy setting configures the synchronization of user settings for Microsoft Excel 2010.By default the user settings of Microsoft Excel
This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010.By default the user settings of Microsoft Inf
This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013.By default the user settings of Microsoft Inf
This policy setting configures the synchronization of user settings for Microsoft Lync 2010.By default the user settings of Microsoft Lync 2
This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010 application
This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center.By default the user settings of
This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center.By default the user settings of
This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013.Microsoft Office 365 synchronizes
This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016.Microsoft Office 365 synchronizes
This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013.Microsoft Office 365 synchronizes c
This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016.Microsoft Office 365 synchronizes c
This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013.Microsoft Office 365 synchronize
This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013.Microsoft Office 365 synchronizes ce
This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016.Microsoft Office 365 synchronizes ce
This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013.Microsoft Office 365 synchroniz
This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016.Microsoft Office 365 synchroniz
This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013.Microsoft Office 365 synchronize
This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016.Microsoft Office 365 synchronize
This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013.Microsoft Office 365 synchro
This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016.Microsoft Office 365 synchro
This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013.Microsoft Office 365 synchronizes
This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016.Microsoft Office 365 synchronizes
This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013.Microsoft Office 365 synchroniz
This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016.Microsoft Office 365 synchroniz
This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013.Microsoft Office 365
This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013.Microsoft Office 365 synchronizes ce
This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016.Microsoft Office 365 synchronizes ce
This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013.Microsoft Office 365 synchronizes c
This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016.Microsoft Office 365 synchronizes c
This policy setting configures the synchronization of user settings for OneDrive for Business 2013.By default the user settings of OneDrive
This policy setting configures the synchronization of user settings for OneDrive for Business 2016.By default the user settings of OneDrive
This policy setting configures the synchronization of user settings for Microsoft OneNote 2010.By default the user settings of Microsoft O
This policy setting configures the synchronization of user settings for Microsoft Outlook 2010.By default the user settings of Microsoft Ou
This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010.By default the user settings of Microsoft
This policy setting configures the synchronization of user settings for Microsoft Project 2010.By default the user settings of Microsoft Pro
This policy setting configures the synchronization of user settings for Microsoft Publisher 2010.By default the user settings of Microsoft P
This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010.By default the user settings o
This policy setting configures the synchronization of user settings for Microsoft Visio 2010.By default the user settings of Microsoft Visio 2
This policy setting configures the synchronization of user settings for Microsoft Word 2010.By default the user settings of Microsoft Word
This policy setting configures the synchronization of user settings of Notepad.By default the user settings of Notepad synchronize betwee
This policy setting configures the backup of certain user settings for Microsoft OneNote 2013.Microsoft OneNote 2013 has user settings t
This policy setting configures the backup of certain user settings for Microsoft OneNote 2016.Microsoft OneNote 2016 has user settings t
This policy setting configures the backup of certain user settings for Microsoft Outlook 2013.Microsoft Outlook 2013 has user settings tha
This policy setting configures the backup of certain user settings for Microsoft Outlook 2016.Microsoft Outlook 2016 has user settings tha
This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013.Microsoft PowerPoint 2013 has user setti
This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016.Microsoft PowerPoint 2016 has user setti
This policy setting configures the backup of certain user settings for Microsoft Project 2013.Microsoft Project 2013 has user settings that
This policy setting configures the backup of certain user settings for Microsoft Project 2016.Microsoft Project 2016 has user settings that
This policy setting configures the backup of certain user settings for Microsoft Publisher 2013.Microsoft Publisher 2013 has user settings t
This policy setting configures the backup of certain user settings for Microsoft Publisher 2016.Microsoft Publisher 2016 has user settings t
This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013.Microsoft SharePoint Designer 2
This policy setting configures the backup of certain user settings for Microsoft Visio 2013.Microsoft Visio 2013 has user settings that are b
This policy setting configures the backup of certain user settings for Microsoft Visio 2016.Microsoft Visio 2016 has user settings that are b
This policy setting configures the backup of certain user settings for Microsoft Word 2013.Microsoft Word 2013 has user settings that are
This policy setting configures the backup of certain user settings for Microsoft Word 2016.Microsoft Word 2016 has user settings that are
This policy setting configures the synchronization of user settings of WordPad.By default the user settings of WordPad synchronize betwe
This policy setting configures the synchronization of user settings for the Finance app.By default the user settings of Finance sync betwee
This policy setting configures the synchronization of user settings for the Games app.By default the user settings of Games sync between
This policy setting configures the synchronization of user settings for the Maps app.By default the user settings of Maps sync between co
This policy setting configures the synchronization of user settings for the Music app.By default the user settings of Music sync between co
This policy setting configures the synchronization of user settings for the News app.By default the user settings of News sync between co
This policy setting configures the synchronization of user settings for the Reader app.By default the user settings of Reader sync between
This policy setting configures the synchronization of user settings for the Sports app.By default the user settings of Sports sync between c
This policy setting configures the synchronization of user settings for the Travel app.By default the user settings of Travel sync between c
This policy setting configures the synchronization of user settings for the Video app.By default the user settings of Video sync between co
This policy setting configures the synchronization of user settings for the Weather app.By default the user settings of Weather sync betw
Disables the remote desktop sharing feature of NetMeeting. Users will not be able to set it up or use it for controlling their computers re
This policy setting allows configuration of OneDrive file sync behavior on metered connections.
Enable this setting to prevent the OneDrive sync client (OneDrive.exe) from generating network traffic (checking for updates etc.) until th
This policy setting lets you prevent apps and features from working with files on OneDrive.If you enable this policy setting:* Users canâ€™
This policy setting lets you prevent apps and features from working with files on OneDrive for Windows 8.1.If you enable this policy settin
This policy setting lets you disable OneDrive as the default save location. It does not prevent apps and users from saving files on OneDriv
This policy setting specifies whether active content links in trusted assistance content are rendered. By default the Help viewer renders t
When logging into a new user account for the first time or after an upgrade in some scenarios that user may be presented with a screen
Specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace.If you enable this setti
Specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace.If you enable this setting
This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connec
This policy setting turns off Windows presentation settings.If you enable this policy setting Windows presentation settings cannot be invo
If you enable this setting users will not be able to push Apps to this device from the Microsoft Store running on other devices or the web.
This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop license server will offer Remote Desktop
This policy setting allows you to specify which version of Remote Desktop Services client access license (RDS CAL) a Remote Desktop Serv
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknow
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file w
This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cann
This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. I
Controls whether passwords can be saved on this computer from Remote Desktop Connection.If you enable this setting the password sa
This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote D
This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. If you enable this polic
This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected Remo
This policy setting specifies whether a session uses the IP address of the Remote Desktop Session Host server if a virtual IP address is not
This policy setting specifies the IP address and network mask that corresponds to the network adapter used for virtual IP addresses. The
This policy setting specifies whether Windows Installer RDS Compatibility runs on a per user basis for fully installed applications. Window
This policy setting specifies whether Remote Desktop IP Virtualization is turned on. By default Remote Desktop IP Virtualization is turned
This policy setting allows you to specify whether remote users can start any program on the RD Session Host server when they start a Rem
This policy setting allows you to configure remote access to computers by using Remote Desktop Services.If you enable this policy setting
Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if the
This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is consistent wi
This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an adminis
Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server.You can use this setting to restr
This policy setting allows you to restrict users to a single Remote Desktop Services session.If you enable this policy setting users who log o
This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency)
This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server.If you enab
If you enable this policy setting administrators can interact with a user's Remote Desktop Services session based on the option selected. S
This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By defaul
Fair Share CPU Scheduling dynamically distributes processor time across all Remote Desktop Services sessions on the same RD Session Ho
This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remote Desktop S
This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session.U
This policy setting determines whether the client computer redirects its time zone settings to the Remote Desktop Services session.If you
This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer an
This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Deskt
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redirection).By d
This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session.You c
This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session.If you enable this poli
This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices such as Windows Portable Devi
This policy setting lets you control the redirection of video capture devices to the remote computer in a Remote Desktop Services session
This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio play
This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with RD Licensi
This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is required to conne
This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers.
This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions.You can u
This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a session on an RD
This policy setting allows you to specify whether the default client printer is the only printer redirected in Remote Desktop Services sessio
This policy setting allows you to specify the RD Session Host server fallback printer driver behavior.By default the RD Session Host server
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. If yo
This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to
This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles.By default Remote
Specifies whether Remote Desktop Services uses the specified network share or local directory path as the root of the user's home direct
This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to t
This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to
This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user s
This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection B
This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Se
This policy setting allows you to specify whether to use the RD Connection Broker load balancing feature to balance the load between se
This policy setting allows you to specify whether desktop composition is allowed for remote desktop sessions. This policy setting does no
This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program
This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use.By default servers use an RD
This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable hardware
This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop C
This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop V
This policy setting allows you to specify whether font smoothing is allowed for remote connections.Font smoothing provides ClearType fu
This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so t
Specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services.You can use this setting to en
This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections.You can us
This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desk
This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting t
This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting on the RDP
This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop Services se
Specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to p
Configures Remote Desktop Services to run a specified program automatically upon connection.You can use this setting to specify a prog
This policy setting allows you to enable RemoteApp programs to use advanced graphics including support for transparency live thumbnai
This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions.If you enable
This policy setting lets you enable WDDM graphics display driver for Remote Desktop Connections.If you enable or do not configure this p
This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtualization Hos
This policy setting allows you to specify the visual experience that remote users receive in Remote Desktop Services sessions. Remote ses
This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connectio
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.You can use th
This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured commu
This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Sess
This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by
This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected t
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session H
This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it.You can use
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (withou
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is a
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions.You can use this policy setting
This policy setting allows you to specify how long a user's RemoteApp session will remain in a disconnected state after closing all Remote
This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff.You can use this se
This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders.You can use this polic
This policy setting prevents the user from using Internet Explorer as a feed reader. This policy setting has no impact on the Windows RSS
This policy setting prevents users from having Internet Explorer automatically discover whether a feed or Web Slice is available for an ass
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer.If you ena
This policy setting prevents the user from subscribing to or deleting a feed or a Web Slice.If you enable this policy setting the menu comm
This policy setting controls whether to have background synchronization for feeds and Web Slices.If you enable this policy setting the abi
This policy setting allows users to have their feeds authenticated through the Basic authentication scheme over an unencrypted HTTP co
Enabling this policy allows you to add a primary intranet search location within Windows Desktop Search. The value of this text should be
Enabling this policy allows you to add intranet search locations in addition to the primary intranet search location defined in the Add Prim
Allow search and Cortana to search cloud sources like OneDrive and SharePoint
This policy setting specifies whether Cortana is allowed on the device. Â If you enable or don't configure this setting Cortana will be allow
This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked.If you enable or
Allow the cortana opt-in page during windows setup out of the box experience
This policy setting allows encrypted items to be indexed. If you enable this policy setting indexing will attempt to decrypt and index the c
This policy setting specifies whether search and Cortana can provide location aware search and Cortana results.Â If this is enabled search
This policy setting allows words that contain diacritic characters to be treated as separate words. If you enable this policy setting words t
This policy setting determines when Windows uses automatic language detection results and when it relies on indexing history. If you en
Enabling this policy defines a semicolon-delimited list of file extensions which will be allowed to have rich attachment previews.When thi
Enabling this policy allows you to specify a list of paths to exclude from indexing by default. The user may override these paths and includ
Enabling this policy allows you to specify a list of paths to index by default. The user may override these paths and exclude them from ind
If enabled the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If dis
This policy setting configures whether or not locations on removable drives can be added to libraries. If you enable this policy setting l
Enabling this policy removes the option of searching the Web from Windows Desktop Search.When this policy is disabled or not configur
This policy setting allows you to control whether or not Search can perform queries on the web and if the web results are displayed in Se
This policy setting allows you to control whether or not Search can perform queries on the web over metered connections and if the web
Enabling this policy allows indexing of items for online delegate mailboxes on a Microsoft Exchange server. This policy affects only delega
Enabling this policy allows indexing of mail items on a Microsoft Exchange server when Microsoft Outlook is not running in cached mode.
When using Microsoft Office Outlook in online mode you can enable this policy to control how fast online mail is indexed on a Microsoft
Store indexer database in this directory. This directory must be located on a local fixed drive.
Enabling this policy prevents users from adding UNC locations to the index from the Search and Indexing Options in Control Panel. Any U
This policy setting allows you to enable or disable the Add/Remove location options on the All Locations menu as well as any defined loca
This policy setting configures how Windows Search adds shared folders to the search index.If you enable this policy setting Windows Sea
If enabled clients will be unable to query this computer's index remotely. Thus when they are browsing network shares that are stored o
If enabled Search and Indexing Options in Control Panel does not allow opening the Modify Locations dialog. Otherwise it can be opened
If you enable this policy setting you specify a list of paths to exclude from indexing. The user cannot enter any path that starts with one o
Enable this policy setting to prevent the indexing of the content of e-mail attachments. If enabled indexing service components (including
If enabled files on network shares made available offline are not indexed. Otherwise they are indexed. Disabled by default.
Enable this policy to prevent indexing of any Microsoft Outlook items. The default is to automatically index Outlook items. If this policy is
Enabling this policy allows you to edit the list of file types to exclude from indexing. The end user cannot modify this list. You should sepa
Enable this policy to prevent indexing public folders in Microsoft Office Outlook. When this policy is disabled or not configured the user h
If enabled the indexer pauses whenever the computer is running on battery. If disabled the indexing follows the default behavior. Defaul
This policy setting hides or displays the Advanced Options dialog for Search and Indexing Options in the Control Panel.If you enable this p
Enabling this policy prevents Windows Desktop Search from using iFilters and protocol handlers unless they are specified in the allow list
Enabling this policy allows you to set the location of the preview pane in the Desktop Search results. You can also turn off the preview pa
Enabling this policy allows you to specify whether you want large icon or small icon view for your Desktop Search results. The two option
This policy setting allows you to control the SafeSearch setting used when performing a query in Search. If you enable this policy setting y
This policy setting allows you to control what information is shared with Bing in Search.If you enable this policy setting you can specify on
Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive a
This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. Whe
This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the system shu
This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in
This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon.In versions of Windows prior t
This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a d
This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI).In order to
This policy setting lets you allow signature key-based certificates to be enumerated and available for logon.If you enable this policy settin
This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid.Under previous versions of M
This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter hi
This policy setting allows you to manage the clean up behavior of root certificates. If you enable this policy setting then root certificate c
This policy setting allows you to manage the displayed message when a smart card is blocked.If you enable this policy setting the specifie
This policy settings lets you configure if all your valid logon certificates are displayed.During the certificate renewal period a user can hav
This policy setting allows you to manage the reading of all certificates from the smart card for logon.During logon Windows will by defaul
This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed.If you e
This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable this policy setting Credential Manag
This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. By defa
This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted.If you enable or do not con
This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted.If you enable or do no
This policy setting allows you to control whether Smart Card Plug and Play is enabled.If you enable or do not configure this policy setting
This policy setting controls whether OS Reactivation is blocked on a device. Policy Options: - Not Configured (defa
This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting prevents this
Specifies whether Sound Recorder can run.Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from
Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model contains da
DisableÂ turns off the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. Apps will not be updated
Denies access to the retail catalog in the Microsoft Store but displays the private store.If you enable this setting users will not be able to v
Enables or disables the automatic download and installation of app updates.If you enable this setting the automatic download and instal
Enables or disables the automatic download of app updates on PCs running Windows 8.If you enable this setting the automatic download
Enables or disables the Store offer to update to the latest version of Windows.If you enable this setting the Store application will not offe
Denies or allows access to the Store application.If you enable this setting access to the Store application is denied. Access to the Store is r
Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" page in PC Setti
Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the "sync your
Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "sync your se
Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync your setting
Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop personalization"
Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on metered c
Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Windows settings"
Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sync your se
Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "sync your s
Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on the "sync y
Prevents start of InkBall game.If you enable this policy the InkBall game will not run.If you disable this policy the InkBall game will run.If y
Prevents printing to Journal Note Writer.If you enable this policy the Journal Note Writer printer driver will not allow printing to it. It will
Prevents the snipping tool from running.If you enable this policy setting the Snipping Tool will not run.If you disable this policy setting the
Prevents start of Windows Journal.If you enable this policy the Windows Journal accessory will not run.If you disable this policy the Wind
Disables visual pen action feedback except for press and hold feedback.If you enable this policy all visual pen action feedback is disabled
Removes the Back->ESC mapping that normally occurs when menus are visible and for applications that subscribe to this behavior.If you
Prevents the user from launching an application from a Tablet PC hardware button.If you enable this policy applications cannot be launch
Prevents press and hold actions on hardware buttons so that only one action is available per button.If you enable this policy press and ho
Turns off Tablet PC hardware buttons.If you enable this policy no actions will occur when the buttons are pressed and the buttons tab in
Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from providing text
Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This p
Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is available. This p
Includes rarely used Chinese Kanji and Hanja characters when handwriting is converted to typed text. This policy applies only to the use o
Prevents Input Panel tab from appearing on the edge of the Tablet PC screen.Tablet PC Input Panel is a Tablet PC accessory that enables
Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available.Tab
Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vi
Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that
Makes pen flicks learning mode unavailable.If you enable this policy pen flicks are still available but learning mode is not. Pen flicks are off
Makes pen flicks and all related features unavailable.If you enable this policy pen flicks and all related features are unavailable. This inclu
Turns off Tablet PC Pen Training.If you enable this policy setting users cannot open Tablet PC Pen Training.If you disable or do not configu
Turn off Tablet PC touch inputTurns off touch input which allows the user to interact with their computer using their finger.If you enable
Turn off Panning Turns off touch panning which allows users pan inside windows by touch. On a compatible PC with a touch digitizer
This setting removes the "Open advanced properties for this task when I click Finish" checkbox from the last page of the Scheduled Task
Prevents users from viewing and changing the properties of an existing task.This setting removes the Properties item from the File menu
Prevents users from starting and stopping tasks manually.This setting removes the Run and End Task items from the context menu that a
Limits newly scheduled to items on the user's Start menu and prevents the user from changing the scheduled program for existing tasks.
Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks folder.This setting disables the Cut
Prevents users from creating new tasks.This setting removes the Add Scheduled Task item that starts the New Task Wizard. Also the syste
Prevents users from deleting tasks from the Scheduled Tasks folder.This setting removes the Delete command from the Edit menu in the
When this policy setting is enabled some language features (such as handwriting recognizers and spell checking dictionaries) included wit
This policy setting controls the ability to send inking and typing data to Microsoft to improve the language recognition and suggestion cap
Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars publishing them and
This policy setting affects the ability of users to install or uninstall color profiles.If you enable this policy setting users cannot install new c
If you enable this setting all Customer Experience Improvement Program uploads are redirected to Microsoft Operations Manager server
This policy setting will enable tagging of Windows Customer Experience Improvement data when a study is being conducted.If you enabl
App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only from the S
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running
This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides war
This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malic
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. Thi
This policy setting configures how errors are reported to Microsoft and what information is sent when Windows Error Reporting is enable
This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log.If you ena
This policy setting turns off Windows Error Reporting so that reports are not collected or sent to either Microsoft or internal servers with
This policy setting controls whether users are shown an error dialog box that lets them report an error.If you enable this policy setting us
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.If you enable this p
This policy setting determines whether Windows Error Reporting (WER) sends additional second-level report data even if a CAB file conta
This policy setting prevents the display of the user interface for critical errors.If you enable or do not configure this policy setting Window
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default w
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data
This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send error reports
This policy setting controls the behavior of the Windows Error Reporting archive.If you enable this policy setting you can configure Windo
This policy setting determines the behavior of the Windows Error Reporting report queue.If you enable this policy setting you can configu
This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is enabled.If you
This policy setting specifies applications for which Windows Error Reporting should always report errors.To create a list of applications fo
This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on
This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned
This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled.If you enable this po
This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled.If you enable th
This policy setting determines the default consent behavior of Windows Error Reporting.If you enable this policy setting you can set the d
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.If you enable this policy setting y
This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings.If you enable t
Windows prevents users on the same computer from enumerating provisioned Windows Hello for Business credentials for other users.If
Configure a comma separated list of credential provider GUIDs such as face and fingerprint provider GUIDs to be used as the first and sec
Configure a comma separated list of signal rules in the form of xml for each signal type.If you enable this policy setting these signal rules
Windows Hello for Business automatically provides smart card emulation for compatibility with smart card enabled applications.If you en
A Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it cannot be used on oth
Windows Hello for Business enables users to use biometric gestures such as face and fingerprints as an alternative to the PIN gesture. Ho
Use this policy setting to configure Windows Hello for Business to enroll a sign-in certificate used for on-premises authentication.If you e
PIN recovery enables a user to change a forgotten PIN using the Windows Hello for Business PIN recovery service without losing any asso
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Directory acco
If you enable this policy setting applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are u
Allow suggested apps in Windows Ink Workspace
Allow Windows Ink Workspace
This policy setting permits users to change installation options that typically are available only to system administrators.If you enable this
This policy setting allows users to search for installation files during privileged installations.If you enable this policy setting the Browse bu
This policy setting allows users to patch elevated products.If you enable this policy setting all users are permitted to install patches even w
This policy setting allows users to install programs from removable media during privileged installations.If you enable this policy setting a
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.If you enable this po
This policy controls the percentage of disk space available to the Windows Installer baseline file cache. The Windows Installer us
This policy setting causes the Windows Installer to enforce strict rules for component upgrades.If you enable this policy setting strict upg
This policy setting controls the ability to prevent embedded UI.If you enable this policy setting no packages on the system can run embed
This policy setting allows Web-based programs to install software on the computer without notifying the user.If you disable or do not con
This policy setting prevents users from using Windows Installer to install patches.If you enable this policy setting users are prevented from
This policy setting controls the ability to turn off all patch optimizations.If you enable this policy setting all Patch Optimization options are
This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor.N
This policy setting controls the ability for users or administrators to remove Windows Installer based updates.This policy setting should b
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful inst
This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate or reduce th
This policy setting allows you to configure user installs. To configure this policy setting set it to enabled and use the drop-down list to sele
This policy setting prevents users from searching for installation files when they add features or components to an installed program
This policy setting saves copies of transform files in a secure location on the local computer.Transform files consist of instructions to mod
Specifies the types of events that Windows Installer records in its transaction log for each installation. The log Msi.log appears in the
This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Re
This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package
This policy setting controls the ability to turn off shared components.If you enable this policy setting no packages on the system get the s
This policy setting restricts the use of Windows Installer.If you enable this policy setting you can prevent users from installing software on
This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or cold boot. If
This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS).If you enable this policy setting yo
This policy setting controls whether or not the system displays information about previous logons and logon failures to the user.For local
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has bee
This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restarts or after a
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet).When enabled Windows Media DR
This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode.If you ena
This policy setting allows you to turn off do not show first use dialog boxes.If you enable this policy setting the Privacy Options and Install
This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop.If you enable this policy se
This policy setting allows you to prevent media sharing from Windows Media Player.If you enable this policy setting any user on this com
This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar.If you enable this policy setti
This policy setting allows you to prevent video smoothing from occurring.If you enable this policy setting video smoothing is prevented w
This policy setting allows you to prevent Windows Messenger from running.If you enable this policy setting Windows Messenger does no
This policy setting prevents Windows Messenger from automatically running at logon. If you enable this policy setting Windows Messeng
This policy setting turns off Windows Mobility Center.If you enable this policy setting the user is unable to invoke Windows Mobility Cent
This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet.If you enable this policy se
This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting pipeline execu
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log. If you
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts. If you en
This policy setting lets you configure the script execution policy controlling which scripts are allowed to run.If you enable this policy settin
This policy setting allows the Windows Management Instrumentation (WMI) providers Win32_ReliabilityStabilitymetrics and Win32_Reli
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.If you en
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentication.If you
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted m
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.If you en
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentication direc
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authentication.If yo
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in TrustedHo
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication fr
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the netw
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted m
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos credentials over
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate authentication
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials t
This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel bi
This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes in the Windows Remote Manageme
This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes in the Windows Remote Managem
This policy setting configures access to remote shells.If you enable or do not configure this policy setting new remote shell connections a
This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the system.The val
This policy setting configures the maximum time in milliseconds remote shell will stay open without any user activity until it is automatica
This policy setting configures the maximum total amount of memory in megabytes that can be allocated by any active remote shell and a
This policy setting configures the maximum number of processes a remote shell is allowed to launch.If you enable this policy setting you
This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system.Any number fro
This policy setting is deprecated and has no effect when set to any state: Enabled Disabled or Not Configured.
This policy setting enables or disables audio input to the Sandbox. If you enable this policy setting Windows Sandbox will be able to recei
This policy setting enables or disables clipboard sharing with the sandbox.If you enable this policy setting copy and paste between the ho
This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed
This policy setting enables or disables printer sharing from the host into the Sandbox.If you enable this policy setting host printers will be
This policy setting is to enable or disable the virtualized GPU. If you enable this policy setting vGPU will be supported in the Windows San
This policy setting enables or disables video input to the Sandbox. If you enable this policy setting video input is enabled in Windows Sand
Hide the Account protection area in Windows Security. Enabled: The Account protection area will be hidden. Disabled:
Hide the App and browser protection area in Windows Security. Enabled: The App and browser protection area will be hidde
Prevent users from making changes to the Exploit protection settings area in Windows Security. Enabled: Local users can not
Hide the Device performance and health area in Windows Security. Enabled: The Device performance and health area will be
Disable the Clear TPM button in Windows Security. Enabled: The Clear TPM button will be unavailable for use. Disabled:
Hide the Device security area in Windows Security. Enabled: The Device security area will be hidden. Disabled: The D
Hide the Secure boot area in Windows Security. Enabled: The Secure boot area will be hidden. Disabled: The Secure b
Hide the Security processor (TPM) troubleshooting area in Windows Security. Enabled: The Security processor (TPM) trouble
Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. Enabled: Users will not be show
Display specified contact information to local users in a contact card flyout menu in Windows Security Enabled: Your compan
Display specified contact information to local users in Windows Security notifications. Enabled: Your company contact inform
Specify the company name that will be displayed in Windows Security and associated notifications. This setting must be enabled for
Specify the email address or email ID that will be displayed in Windows Security and associated notifications. Users can click on
Specify the phone number or Skype ID that will be displayed in Windows Security and associated notifications. Users can click on
Specify the URL that will be displayed in Windows Security and associated notifications. Users can click on the contact informati
Hide the Family options area in Windows Security. Enabled: The Family options area will be hidden. Disabled: The Fam
Hide the Firewall and network protection area in Windows Security. Enabled: The Firewall and network protection area will b
Hide notifications from Windows Security. Enabled: Local users will not see notifications from Windows Security.
Only show critical notifications from Windows Security. If the Suppress all notifications GP setting has been enabled this setting w
This policy setting hides the Windows Security notification area control. The user needs to either sign out and sign in or reboot th
Hide the Ransomware data recovery area in Windows Security. Enabled: The Ransomware data recovery area will be hidden
Hide the Virus and threat protection area in Windows Security. Enabled: The Virus and threat protection area will be hidden.
Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart W
This policy setting allows you to control whether non-administrative users will receive update notifications based on the "Configure Auto
This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the u
Enabling this policy will automatically download updates even over metered data connections (charges may apply)
If you enable this policy a restart timer will always begin immediately after Windows Update installs important updates instead of first no
Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is a s
Specifies whether this computer will receive security updates and other important downloads through the Windows automatic updating
Enable this policy to specify when auto-restart reminders are displayed.You can specify the amount of time prior to a scheduled restart t
Enable this policy to specify the method by which the auto-restart required notification is dismissed. When a restart is required to install
Enable this policy to control when notifications are displayed to warn users about a scheduled restart for the update installation deadline
Specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart.If the status is set to Enabled a s
0 (default) â€“ Use the default Windows Update notifications1 â€“ Turn off all notifications excluding restart warnings2 â€“ Turn off all no
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Sh
Enable this policy to not allow update deferral policies to cause scans against Windows Update.If this policy is disabled or not configured
Even when Windows Update is configured to receive updates from an intranet update service it will periodically retrieve information from
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Windows dial
Enable this policy to not include drivers with Windows quality updates.If you disable or do not configure this policy Windows Update will
Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service.If the status
Specifies whether the Windows Update will use the Windows Power Management features to automatically wake up the system from sle
Specifies that to complete a scheduled installation Automatic Updates will wait for the computer to be restarted by any user who is logge
This setting allows to remove access to "Pause updates" feature.Once enabled user access to pause updates is removed.
This setting allows you to remove access to scan Windows Update.If you enable this setting user access to Windows Update scan downlo
Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart. If the status is set
Specifies the amount of time for Automatic Updates to wait following system startup before proceeding with a scheduled installation tha
Enable this policy to specify the maximum number of hours from the start time that users can set their active hours.The max active hours
Specify the deadline before the PC will automatically restart to apply updates. The deadline can be set 2 to 14 days past the default resta
This policy lets you specify the number of days before quality and feature updates are installed on devices automatically and a grace peri
Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart whic
Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update co
If you enable this policy the PC will not automatically restart after updates during active hours. The PC will attempt to restart outside of a
This policy setting allows you to control whether users receive notifications for auto restarts for update installations including reminder a
Specifies whether Automatic Updates will deliver both important as well as recommended updates from the Windows Update update se
This policy setting allows you to control whether users see detailed enhanced notification messages about featured software from the M
Enabling this policy for EDU devices that remain on Carts overnight will skip power checks to ensure update reboots will happen at the sc
Enable this setting when Feature Updates should be deployed to devices without blocking on any safeguard holds.â€¯Safeguard ho
Enable this policy to manage which updates you receive prior to the update being released to the world.Dev ChannelIdeal for highly tech
Enable this policy to specify a Feature Update version to be requested in subsequent scans.Enter version as listed in the Windows Releas
Enable this policy to specify when to receive Feature Updates.Defer Updates | This enables devices to defer taking the next Feature Upd
Enable this policy to specify when to receive quality updates.You can defer receiving quality updates for up to 30 days.To prevent quality
This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If you enable
tact Microsoft content services to retrieve tips and help content.
to block a given set of pages from the System Settings app. Blocked pages will not be visible in the app and if all pages in a category are bl
that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.If you disable or do not co
n hex as #RGB.By default users can change the background and accent colors.If this setting is enabled the background and accent colors of
n) of the image file. The same image will be used for both the lock and logon screens.This setting lets you specify the default lock screen an
hanging it.If this setting is set to zero or not configured then Start uses the default background and users can change it.If this setting is set
gon screen.By default users can change the background image shown when the machine is locked or displaying the logon screen.If you en
t users can change the look of their start menu background such as its color or accent.If you enable this setting the user will be assigned th
the lock screen.By default users can enable invocation of an available camera on the lock screen.If you enable this setting users will no lon
ck screen.By default users can enable a slide show that will run after they lock the machine.If you enable this setting users will no longer be
services. If this policy is enabled or not configured control is deferred to users and users may choose whether to enable speech se
n a machine but are not used by any users on that machine. If you enable this policy setting language packs that are installed as part
ed.If you enable this policy setting the UI language of Windows menus and dialogs for systems with more than one language is restricted t
d packages.â€¯This policy does not restrict switching theâ€¯Windowsâ€¯languageâ€¯if you want to restrict theâ€¯Windowsâ€¯languageâ€
more than one UI language installed.If you enable this policy setting the UI language of Windows menus and dialogs for systems with mor
tion. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognitio
he default account picture. One application for this policy setting is to standardize the account pictures to a company logo.Note: The defau
d Settings" policy is NOT allowed. When such expiration is detected password is changed immediately and password expiration is set acco
tor password is managedIf you disable or not configure this setting local administrator password is NOT managed
ure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID even when renamed DO configure w
password Default: Large letters + small letters + numbers + special charactersPassword length Minimum: 8 characters Maximum: 64 char
NET USE connecting to C$ etc.). Local accounts are at high risk for credential theft when the same account and password is configured on
at activation blocking applies only within Office processes.If you enable this policy setting you can choose from three options to control w
-side processing of the SMBv1 protocol (recommended) do ALL of the following:* Set the SMBv1 client driver to "Disable driver" using the
ect the "Enabled" radio button then select "Disable driver" from the dropdown.WARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTO
setting enables server-side processing of the SMBv1 protocol. (Default.)Changes to this setting require a reboot to take effect.For more inf
/help/956607/how-to-enable-structured-exception-handling-overwrite-protection-sehop-in-windows-operating-systems.If this setting is d
o Security Options\Domain controller: LDAP server channel binding token requirements.
ers that aren't Administrators can't install print drivers on this computer.If you enable this setting or do not configure it the system will lim
p://technet.microsoft.com/en-us/library/dn408187.aspx
de computer uses broadcasts.* A P-node computer uses only point-to-point name queries to a name server (WINS).* An M-node compute
t .cmd .exe and .msc files.Enabled (recommended): Keeps "Run As Different User" from appearing in the context menu when the user hold
ontrol (WebOC) for Office applications.It's important to determine whether legacy JScript is being used to provide business-critical function
ed through the following Group Policy setting:Computer Configuration\Administrative Templates\Windows Components\Windows Defen
ory where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed.If this setting is not configu
highly secure environments)

om WINS servers
ot acknowledged
mended 5 is default)
ded 5 is default)
over domain controllers on a network. By default a DFS client attempts to discover domain controllers every 15 minutes.If you enable this
nabled on a specific computer. By default the files in a BITS job are downloaded only from the origin server specified by the job's owner.
h Cache component is installed and enabled on a computer BITS jobs on that computer can use Windows Branch Cache by default. If
TS peer caching is enabled the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (download
ITS peer caching is enabled the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (download
r cache. In order to make the most efficient use of disk space by default BITS removes any files in the peer cache that have not been access
percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache conten
download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumulative d
r background transfers. (This policy setting does not affect foreground transfers.) You can specify a limit to use during a specific time i
ot affect transfers from the origin server). To prevent any negative impact to a computer caused by serving other peers by default BIT
tal number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs a
ult BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lower th
00 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. If you enable this policy settin
BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. If you enabl
uses for background transfers when the system is connected to a costed network (3G etc.). Download behavior policies further limit the n
r background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is used f
r background transfers during the work and nonwork days and hours. The work schedule is defined using a weekly calendar which consists
nsidered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be aband
our main office. This policy setting specifies when client computers in branch offices start caching content from file servers based on the n
e in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version
es the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client compute
d cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's current Activ
ache on client computers.If you enable this policy setting you can configure the age for segments in the data cache.If you disable or do not
o which this policy is applied. In addition to this policy you must use the policy "Turn on BranchCache" to enable BranchCache on client co
hich this policy is applied. In addition to this policy you must use the policy "Turn on BranchCache" to enable BranchCache on client compu
disk cache on client computers.If you enable this policy setting you can configure the percentage of total disk space to allocate for the cac
lied. In addition to this policy setting you must specify whether the client computers are hosted cache mode or distributed cache mode cli
ng that identifies the type of resource and the location of the resource. Each string can be one of the following types: - A DNS name or IP
tion to default log commands.
y all the time. If this setting is not configured NCA probing is in active mode by default.
tion area icon. For example you can specify â€œContoso Intranet Accessâ€ for the DirectAccess clients of the Contoso Corporation.If this
irectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel e
icks the Networking notification area icon.If the user clicks the Disconnect option NCA removes the DirectAccess rules from the Name Res
k administrator. When the user sends the log files to the Administrator NCA uses the default e-mail client to open a new message with the
fication area icon.Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess clie
t DNS queries if the original name query fails.A name containing dots but not dot-terminated is called an unqualified multi-label name for
le this policy setting NetBT queries will be issued for multi-label and fully qualified domain names such as "www.example.com" in addition
nt will do classic DNS name resolution (over UDP or TCP). This setting can enhance the DNS client to use DoH protocol to resolve domain n
xes and those configured using DHCP.To use this policy setting click Enabled and then enter a string value representing the DNS suffix.If yo
setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting click Enabled and
or that name.An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully q
egister and update their DNS resource records with a DNS server.If you enable this policy setting or you do not configure this policy setting
orm a canonical Unicode representation of the string.If this policy setting is enabled IDNs are converted to the Nameprep form.If this polic
higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local n
use this policy setting click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.Important: In
devolution a DNS client creates queries by appending a single-label unqualified domain name with the parent suffix of the primary DNS su
ng the name resolution process.With devolution a DNS client creates queries by appending a single-label unqualified domain name with th
a concatenation of its computer name and a connection-specific DNS suffix in addition to registering these records with a concatenation of
rform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resou
nly applies to computers performing dynamic DNS updates.Computers configured to perform dynamic DNS registration of A and PTR reso
ddresses.This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dyna
uters to which this policy setting is applied.To specify the TTL click Enabled and then enter a value in seconds (for example 900 is 15 minute
the computer is on non-domain networks with no WINS servers configured.If this policy setting is enabled IDNs are not converted to Puny
ndary name resolution protocol. With LLMNR queries are sent using multicast over a local network link on a single subnet from a client co
roves performance by issuing parallel DNS link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across a
main networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local m
one of the following values:Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updat
nown as top-level domain zones for example: "com."By default a DNS client that is configured to perform dynamic DNS update will update
om an online font provider. If you enable this policy setting Windows periodically queries an online font provider to determine whethe
ng (WISPr) protocol support.If a WLAN hotspot supports the WISPr protocol users can submit credentials when manually connecting to th
her suites are prioritized in the order specified.If you enable this policy setting and do not specify at least one supported cipher suite or if y
ation for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and b
es version 2 (V2) hashes or both V1 and V2 hashes. Hashes also called content information are created based on the data in shared folders
n with an SMB client.If you enable this policy setting the SMB server will select the cipher suite it most prefers from the list of client-suppo
er suites are prioritized in the order specified.If you enable this policy setting and do not specify at least one supported cipher suite or if yo
ble this policy setting or if you do not configure this policy setting the SMB client will allow insecure guest logons.If you disable this policy
are where the Continuous Availability (CA) flag is enabled. If you enable this policy setting the SMB client will allow cached handles to fi
e the Continuous Availability (CA) flag is enabled. If you enable this policy setting the "Always Available offline" option will appear in th
ws a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests suc
der allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It
a Group is changed) Peer Grouping validates that the password meets the password complexity requirements for the local system. Thus
t applications to stop working.Peer-to-Peer protocols allow for applications in the areas of RTC collaboration content distribution and distr
otocol (PNRP) cloud.This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example a client computer c
esolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol in some cases req
he local subnet in the global cloud.The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 addre
allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then resolv
e Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. The protocol in some cases r
he local subnet in the link local cloud.The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 add
e Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. The protocol in some cases r
he local subnet in the site local cloud.The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 add
ernet access will be shown in the system tray even when a user is connected to a network with local access only.If you disable this setting o
n aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was refresh
enable the Internet Connection Firewall feature on a connection and if the Internet Connection Firewall service can run on a computer.Im
e of an Internet connection and if the ICS service can run on the computer.ICS lets administrators configure their system as an Internet gat
n.If you enable this policy setting domain users must elevate when setting a network's location.If you disable or do not configure this polic
al network or whether the client accesses the Internet directly.When a remote client computer connects to an internal network using Dire
you enable this policy setting you must type a security descriptor containing a list of computers or groups of computers. If a computer on
all allows. Utilities can use ICMP messages to determine the status of other computers. For example Ping uses the echo request message. I
8 and TCP ports 139 and 445.If you enable this policy setting Windows Defender Firewall opens these ports so that this computer can rece
nt Console (MMC) and Windows Management Instrumentation (WMI). To do this Windows Defender Firewall opens TCP ports 135 and 44
opens TCP port 3389.If you enable this policy setting Windows Defender Firewall opens this port so that this computer can receive Remot
as routers with built-in firewalls. To do this Windows Defender Firewall opens TCP port 2869 and UDP port 1900.If you enable this policy s
port exceptions list. Windows Defender Firewall uses two port exceptions lists; the other is defined by the "Windows Defender Firewall: De
program exceptions list. Windows Defender Firewall uses two program exceptions lists; the other is defined by the "Windows Defender Fir
eceives.If you enable this policy setting Windows Defender Firewall writes the information to a log file. You must provide the name locatio
er Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Defender Firewal
ewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Defender Firewal
rides all other Windows Defender Firewall policy settings that allow such messages.If you enable this policy setting in the Windows Defend
at Windows Defender Firewall add the program to the program exceptions list.If you enable this policy setting Windows Defender Firewall
you enable this policy setting and this computer sends multicast or broadcast messages to other computers Windows Defender Firewall b
ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firew
all allows. Utilities can use ICMP messages to determine the status of other computers. For example Ping uses the echo request message. I
8 and TCP ports 139 and 445.If you enable this policy setting Windows Defender Firewall opens these ports so that this computer can rece
nt Console (MMC) and Windows Management Instrumentation (WMI). To do this Windows Defender Firewall opens TCP ports 135 and 44
opens TCP port 3389.If you enable this policy setting Windows Defender Firewall opens this port so that this computer can receive Remot
as routers with built-in firewalls. To do this Windows Defender Firewall opens TCP port 2869 and UDP port 1900.If you enable this policy s
port exceptions list. Windows Defender Firewall uses two port exceptions lists; the other is defined by the "Windows Defender Firewall: De
program exceptions list. Windows Defender Firewall uses two program exceptions lists; the other is defined by the "Windows Defender Fir
eceives.If you enable this policy setting Windows Defender Firewall writes the information to a log file. You must provide the name locatio
er Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Defender Firewal
ewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Defender Firewal
rides all other Windows Defender Firewall policy settings that allow such messages.If you enable this policy setting in the Windows Defend
at Windows Defender Firewall add the program to the program exceptions list.If you enable this policy setting Windows Defender Firewall
you enable this policy setting and this computer sends multicast or broadcast messages to other computers Windows Defender Firewall b
ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Firew
uccessful resolution of the host name to this address indicates corporate connectivity.
ork. Successful resolution of this host name to the expected address indicates corporate connectivity.
nnectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity.
performed.
mine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destinatio
the interface it is currently probing on. If you enable this setting NCSI will allow the DNS lookups to happen on any interface.
hout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive p
both work or personal resource.For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
source can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address.Contains a list o
es. These addresses are categorized as Internet by Windows Network Isolation and are accessible to apps that have the Internet Client or I
es. These addresses are categorized as private by Windows Network Isolation and are accessible to apps that have the Home/Work Netwo
orporate network.If you enable this policy setting it ensures that apps with the Home/Work Networking capability have appropriate acces
ery in the domain corporate environment.If you enable this policy setting it turns off Windows Network Isolation's automatic proxy discov
private network hosts in the domain corporate environment.If you enable this policy setting it turns off Windows Network Isolation's auto
ess to the specified UNC paths after fulfilling additional security requirements.
er hosting the files.This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents users fr
work files on the user's computer for use when the computer is not connected to the network.If you enable this policy setting Offline Files
and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off the system delete
applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode use the "Configure slow-li
work speed below this value is considered to be slow.When a connection is considered slow Offline Files automatically adjust its behavior
rs to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not degrade
les.This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This prevents use
ave been made available offline.If you enable this policy setting a user will be unable to create files with the specified file extensions in an
in extra charges on cell phone or broadband plans.If you enable this setting synchronization can occur in the background when the user's
d in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached Windows reads from the
les from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache without pr
e Application log in Event Viewer when it detects errors. By default Offline Files records an event only when the offline files storage cache
atic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside on a ne
s appear when the user's connection to a network file is lost or reconnected and they are updated periodically. By default the first remind
pace used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the user ac
etting overrides the default response a user-specified response and the response specified in the "Action on server disconnect" setting.To
sult users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also they cannot use the fol
he Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables t
n reminder balloons updates appear and also prevent users from changing this setting.Reminder balloons appear when the user's connecti
connection to a network file is lost or reconnected and they are updated periodically. By default the first reminder for an event is displaye
policy setting users cannot designate files to be saved on their computer for offline use. However Windows will still cache local copies of fi
ailable Offline" command.If you enable this policy setting the "Make Available Offline" command is not available for the files and folders t
anging whether Offline Files is in online mode or offline mode.If you enable this policy setting the "Work offline" command is not displayed
he specified files and folders are available offline to users of the computer.If you enable this policy setting the files you enter are always av
matically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of excludin
nchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option while a se
nchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option while a setti
offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only that all file
ar above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are worki
you enable or do not configure this policy setting only new files and folders in administratively assigned folders are synchronized at logon.
standing packets reaches this limit the Packet Scheduler postpones all submissions to network adapters until the number falls below this li
mbined bandwidth reservations of all programs running on the system.By default the Packet Scheduler limits the system to 80 percent of th
ion. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry.If you enab
ort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.This se
ed Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the pack
eed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.Thi
k Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the pa
tive service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.This s
ort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.This se
ed Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the pack
eed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.Thi
k Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the pa
tive service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets.This s
TypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If you enable this setti
erviceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If you enab
ceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If you enable this s
ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If you ena
ation. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If you enable this setting you can
eTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If you enable this setti
ol (SNMP) service.SNMP is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting
anagement (SNMP) agent running on the client computer.Simple Network Management Protocol is a protocol designed to give a user the
mple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polli
this policy setting ECC curves are prioritized in the order specified.(Enter one Curve name per line)If you disable or do not configure this po
cy setting SSL cipher suites are prioritized in the order specified.If you disable or do not configure this policy setting default cipher suite or
gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on th
me resolution interval setting has no effect if 6to4 connectivity is not available on the host.If you enable this policy setting you can specify t
neling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the glo
provide IP connectivity to a remote network.If you disable or do not configure this policy setting the local host settings are used.If you en
SATAP router.If you enable this policy setting you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 addr
ress-to-router and host-to-host host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 con
the default of 0 the operating system will select a port (recommended). If you select a UDP port that is already in use by a system the Tere
on. By default Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state.If you disable or d
ry 30 seconds) Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertiseme
e Teredo client computer where this policy setting is applied.If you enable this policy setting you can specify a Teredo server name that ap
ogy that provides unicast IPv6 connectivity across the IPv4 Internet.If you disable or do not configure this policy setting the local host settin
figure this policy setting IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addresse
ithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Sca
CN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over In-band 802.11 WLAN through the Windows Po
g the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks including "Set up a wir
by mode.If this policy setting is enabled Windows Connection Manager does not manage adapter radios to reduce power consumption wh
icy setting is enabled or not configured Windows will soft-disconnect a computer from a network when it determines that the computer s
dows domain. If multiple connections are allowed it then determines how network traffic will be routed. If this policy setting is set to 0
n based network at the same time.If this policy setting is enabled the computer responds to automatic and manual network connection att
tered on a roaming provider network.If this policy setting is enabled all automatic and manual connection attempts to roaming provider ne
methods.When enabled it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairing meth
reless Display devices is required rather than optional.Conversely it means that Push Button is NOT allowed.If this policy setting is disabled
cy setting is enabled a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list w
ed open hotspots" "Connect to networks shared by my contacts" and "Enable paid services"."Connect to suggested open hotspots" enable
setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using th
d a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of
bled a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost
he cellular setting UX.If this policy setting is enabled a drop-down list box presenting possible values will be active. Select "Hide" or "Show"
across the Internet or an intranet. If you enable this policy setting Internet printing is activated on this server. If you disable this
wizard will display on a computer on a managed network (when the computer is able to reach a domain controller e.g. a domain-joined la
a computer on an unmanaged network (when the computer is not able to reach a domain controller e.g. a domain-joined laptop on a hom
r do not configure this policy setting the print job name will not be included. If you enable this policy setting the print job name will be
d or enabled the spooler will always accept client connections.When the policy is disabled the spooler will not accept client connections n
ble this setting or do not configure it users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish shared pr
by this computer. By default the pruning service on the domain controller prunes printer objects from Active Directory if the compu
ftware rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages.This setting may improve the performance of the XPS Raste
obs itself or pass them on to the server to do the work.This policy setting only effects printing to a Windows print server.If you enable this
ve Directory. If you enable this setting or do not configure it the Add Printer Wizard automatically publishes all shared printers. If you
ows 10 and Windows Server 2022. If you enable this group policy setting the default MXDW output format is the legacy Microsoft XPS
Directory. This setting also specifies how often the system repeats the verification. By default the system only verifies published prin
This setting is a component of the Location Tracking feature of Windows printers. To use this setting enable Location Tracking by enablin
ng". It can also include a link to a Web page supplied by the vendor of the currently selected printer. If you enable this policy setting
ters are operational. The pruning service periodically contacts computers that have published printers. If a computer does not respo
letes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keep
puter before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to ve
ode drivers have access to system-wide memory and therefore poorly-written kernel-mode drivers can cause stop errors.If you disable this
y include an optional customized user interface known as a printer extension. These extensions may provide access to more device feature
By default there are no restrictions to printing based on connection type or printer Make/Model. If you enable this setting the co
e process. When print drivers are loaded in an isolated process (or isolated processes) a print driver failure will not cause the print spooler
enable this policy setting the client computer will continue to search for compatible Point and Print drivers from Windows Update after it
applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash.Not all applications suppo
vice Control Printing by enabling the "Enable Device Control Printing Restrictions" setting. When Device Control Printing is enabled th
t a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printe
l only be able to point and print to printers that use package-aware drivers. When using package point and print client computers will che
orted by the print driver. This enables executing print drivers in an isolated process even if the driver does not report compatibility.If you e
onnections to approved servers. This setting only applies to Package Point and Print connections and is completely independent from the "
Vista computers. The policy setting applies only to non-Print Administrator clients and only to computers that are members of a domain.
tion scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard me
h Active Directory shared printer resources are available in Active Directory and are not announced.If you enable this setting the print spoo
atically republished whenever the host computer does not respondjust as it does with Windows 2000 printers. This setting applies to print
able this policy then invocations of context menus within the Start Menu will be ignored.
pened documents.If you enable this setting the system and Windows programs do not create shortcuts to documents opened while the se
unable to change the size of Start in Settings. If you disable or donâ€™t configure this policy setting Windows will automatically select the s
ou enable this policy the Start Menu will no longer display the "Recently added" list. The corresponding setting will also be disabled in Setti
.Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open th
een the logon screen and the Start menu: Shut Down Restart Sleep and Hibernate. This policy setting does not prevent users from running
his setting or do not configure it the frequently used programs list remains on the simple Start menu.
pps regardless of user settings.Selecting "Show" will force the "Most used" list to be shown and user cannot change to hide it using the Setti
from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the Export-StartLayout
badges toast or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Servi
stem state data file contains information about the basic system state as well as the state of all running processes.If you enable this policy
rver which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volume to an
ed for advanced users who require this information.If you enable this policy setting the system displays status messages that reflect each s
a set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the compute
enable this policy setting File Explorer will not automatically encrypt files that are moved to an encrypted folder.If you disable or do not co
le this policy setting the Manage Your Server page is not displayed each time an administrator logs on to the server. If you disable or do no
own completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu or Ta
M) components that a program requires.Many Windows programs such as the MMC snap-ins use the interfaces provided by the COM comp
me to disk on a schedule controlled by the Timestamp Interval.If you enable this policy setting you are able to specify how often the Persist
y a message reminding users to wait while their system starts or shuts down or while users log on or off.If you disable or do not configure t
) files within specified folders and their subfolders. Alternatively you can disable these commands on the entire system. It is strongly recom
ble this policy setting you can prevent specified programs from being run from Help. When you enable this policy setting enter the file nam
ption and for enabling optional features that have had their payload files removed.If you enable this policy setting and specify the new loc
qualified path to the new location in the "Windows Setup file path" box. If you disable or do not configure this policy setting the Windows
nter the fully qualified path to the new location in the "Windows Service Pack Setup file path" box.If you disable or do not configure this po
d Data Execution Prevention. Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-
can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email
oot is needed for disable to take effect.

lization without interrupting you. This helps Microsoft identify which Microsoft Application Virtualization features to improve. No informati
us version of App-V.
ge. Shortcuts file type associations etc. are created pointing to this path. If empty symbolic links are not used during publishing. Example: %
ge. Shortcuts file type associations etc. are created pointing to this path. If empty symbolic links are not used during publishing. Example:
EEXCLUSIONLIST='desktop;my pictures'.
=software\classes;software\clients.
splays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). Global Publishing R
d be reported to the server. Acceptable range is 0~23 corresponding to the 24 hours in a day. A good practice is don't set this time to a bus
a metered network connection (e.g. 4G).
is not desired this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
(shell extensions browser helper objects etc). Only processes whose full path matches one of these items can use virtual components.
been created.This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line
nnection).This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos.If you enable
nnection).This policy setting applies when server authentication was achieved via NTLM.If you enable this policy setting you can specify the
nnection).This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.If you enable this p
nnection).This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.If you enable this p
nnection).If you enable this policy setting you can specify the servers to which the user's default credentials cannot be delegated (default c
nnection).If you enable this policy setting you can specify the servers to which the user's fresh credentials cannot be delegated (fresh crede
nnection).If you enable this policy setting you can specify the servers to which the user's saved credentials cannot be delegated (saved cre
example: Remote Desktop Connection).Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack against the c
vide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remot
ned in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the
a machine to control what is allowed to run on that machine.If you deploy a Code Integrity Policy Windows will restrict what can run in bo
Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with t
s supported devices to send Device Health Attestation related information (device boot logs PCR values TPM certificate etc.) to Device Hea
this policy setting remote connections to the Plug and Play interface are allowed. If you disable or do not configure this policy setting rem
ask to complete. If you enable this policy setting Windows waits for the number of seconds you specify before terminating the installation.
infrastructure. This policy allows you to disable the feature.If you enable this policy setting an error report is not sent when a generic drive
ty that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver acti
If you enable this policy setting Windows does not retrieve device metadata for installed devices from the Internet. This policy setting ove
or Reporting infrastructure. This policy allows you to disable the feature.If you enable this policy setting Windows will not send an error re
e are ranked with drivers signed by other valid Authenticode signatures during the driver selection and installation process. Regardless of t
rivers. If you enable this policy setting you can select whether Windows searches for drivers on Windows Update unconditionally only if ne
vers.If you enable this policy setting you can select whether Windows searches Windows Update (WU) searches a Managed Server or a com
nable this policy setting "Found New Hardware" balloons do not appear while a device is being installed.If you disable or do not configure
pdate the drivers for any device regardless of other policy settings.If you enable this policy setting members of the Administrators group c
that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy setti
is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setti
vice drivers that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by othe
s attempted and a policy setting prevents the installation.If you enable this policy setting Windows displays the text you type in the Main T
on is attempted and a policy setting prevents the installation.If you enable this policy setting Windows displays the text you type in the De
y other policy setting.If you enable this policy setting Windows is prevented from installing or updating the device driver for any device tha
that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to instal
is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.If yo
vice drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Wind
d removable when the driver for the device to which it is connected indicates that the device is removable. For example a Universal Serial
o enforce a change in device installation restriction policies.If you enable this policy setting set the amount of seconds you want the syste
u enable this policy setting the system does not use the non-volatile (NV) cache to optimize boot and resume.If you disable this policy setti
y setting the hard disks are not put into NV cache power save mode and no power savings are achieved.If you disable this policy setting th
. To check if you have hybrid hard disks in the system from Device Manager right-click the disk drive and select Properties. The NV cache c
equently written files such as the file system metadata and registry may not be stored in the NV cache.If you disable this policy setting the
media.If you disable or do not configure this policy setting the disk quota policies established in this folder apply to fixed-media NTFS volum
prevents users from changing the setting.If you enable this policy setting disk quota management is turned on and users cannot turn it off
e setting.If you enable this policy setting disk quota limits are enforced. If you disable this policy setting disk quota limits are not enforced.
reach their disk quota limit on a volume and prevents users from changing the logging setting.If you enable this policy setting the system
h their disk quota warning level on a volume.If you enable this policy setting the system records an event. If you disable this policy setting n
policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also sp
properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen when yo
etting lets you specify legacy applications that have GDI DPI Scaling turned off.If you enable this policy setting GDI DPI Scaling is turned off
etting lets you specify legacy applications that have GDI DPI Scaling turned on.If you enable this policy setting GDI DPI Scaling is turned on
heck exemptions" list.If you enable this policy setting and DCOM does not find an explicit entry for a DCOM server application id (appid) in
DCOM Activation security check. DCOM uses two such lists one configured via Group Policy through this policy setting and the other via t
or members of the built-in Users group may install on the system.If you enable this policy setting members of the Users group may install
drivers using the Internet.Note: This setting only has effect if "Turn off Windows Update device driver searching" in "Administrative Temp
ermined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifi
lowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an
ID that are usable on your computer.If you enable this policy setting only Enhanced Storage devices that contain a manufacturer and prod
Electronics Engineers Inc. (IEEE) 1667 specification that are usable on your computer.If you enable this policy setting only IEEE 1667 silos t
r computer.If you enable this policy setting non-Enhanced Storage removable devices are not allowed on your computer.If you disable or d
e.If you enable this policy setting a password cannot be used to unlock an Enhanced Storage device.If you disable or do not configure this p
ble this policy setting Windows will not activate unactivated Enhanced Storage devices.If you disable or do not configure this policy setting
rted in Windows Server SKUs only.If you enable this policy setting the Enhanced Storage device remains locked when the computer is lock
plorer.The Classification tab enables users to manually classify files by selecting properties from a list. Administrators can define the prope
ministrators can define the properties for the organization by using Active Directory Domain Services (AD DS) and then group these prope
for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS aware ap
a file delete operation.A value of 0 the default will enable delete notifications for all volumes.A value of 1 will disable delete notifications fo
ess paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long paths to
enable or disable the evaluation of these types of symbolic links:Local Link to a Local TargetLocal Link to a Remote TargetRemote Link to
nt access to and creation of compressed files.A reboot is required for this setting to take effect
access to and creation of encrypted files.A reboot is required for this setting to take effect
f you want to use these APIs.
s setting tells NTFS to use non-pageable memory for all allocations. NTFS also changes all of its code sections to be non-pageable.The ben
ds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted.
o the Performance tier.Server systems default to the Capacity tier.
any files are currently open. This setting gives control over the open file threshold used to trigger parallel flush.
any files are currently open. This setting gives control over how many threads will be used.Making this value larger may decrease the time
pplications require short names for compatibility but short names have a negative performance impact on the system.If you enable short
etting is useful to improve logon performance and to increase security for user data on computers where the user might not want to down
s for the All Programs Startup My Music My Pictures and My Videos subfolders when redirecting the parent Start Menu and legacy My Do
gging on through Remote Desktop Services. Asynchronous user Group Policy processing is the default processing mode for Windows Vista
or interactive logons across forests.This policy setting affects all user accounts that interactively log on to a computer in a different forest w
a Group Policy Object (GPO) using the Group Policy Object Editor snap-in the ADM files are loaded from that GPO into the Group Policy O
onous processing (that is whether computers wait for the network to be fully initialized during computer startup and user logon) when a s
are updated.If you enable this policy setting you can configure processing options for Application preference items.If you disable or do no
n are updated.If you enable this policy setting you can configure processing options for Data Sources preference items.If you disable or do
updated.If you enable this policy setting you can configure processing options for Device preference items.If you disable or do not configur
etwork connection for the purposes of applying and updating Group Policy.When Group Policy detects the bandwidth speed of a Direct Ac
at use the disk quota component of Group Policy such as those in Computer Configuration\Administrative Templates\System\Disk Quotas
are updated.If you enable this policy setting you can configure processing options for Drive Maps preference items.If you disable or do not
hat use the encryption component of Group Policy such as policies related to encryption in Windows Settings\Security Settings.It overrides
are updated.If you enable this policy setting you can configure processing options for Environment Variable preference items.If you disab
ated.If you enable this policy setting you can configure processing options for File preference items.If you disable or do not configure this
on are updated.If you enable this policy setting you can configure processing options for Folder Options Open With and File Type preferen
icies that use the folder redirection component of Group Policy such as those in WindowsSettings\Folder Redirection. You can only set fol
updated.If you enable this policy setting you can configure processing options for Folder preference items.If you disable or do not configure
onfigure this policy setting Group Policy caches policy information after every background processing session. This cache saves applicable G
at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate sp
updated.If you enable this policy setting you can configure processing options for Ini Files preference items.If you disable or do not configu
affects all policies that use the Internet Explorer Maintenance component of Group Policy such as those in Windows Settings\Internet Exp
sion are updated.If you enable this policy setting you can configure processing options for Internet preference items.If you disable or do n
at use the IP security component of Group Policy such as policies in Computer Configuration\Windows Settings\Security Settings\IP Securi
e extension are updated.If you enable this policy setting you can configure processing options for Local User and Local Group preference it
he Group Policy client waits after logon before running scripts. By default the Group Policy client waits five minutes before running log
sion are updated.If you enable this policy setting you can configure processing options for VPN Connection and DUN Connection preferen
ion are updated.If you enable this policy setting you can configure processing options for Network Shares preference items.If you disable o
on are updated.If you enable this policy setting you can configure processing options for Power Options and Power Scheme preference ite
updated.If you enable this policy setting you can configure processing options for Shared Printer TCP/IP Printer and Local Printer preferenc
sion are updated.If you enable this policy setting you can configure processing options for Regional Options preference items.If you disabl
e Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program
updated.If you enable this policy setting you can configure processing options for Registry preference items.If you disable or do not config
sion are updated.If you enable this policy setting you can configure processing options for Scheduled Task and Immediate Task preference
ts all policies that use the scripts component of Group Policy such as those in WindowsSettings\Scripts. It overrides customized settings tha
use the security component of Group Policy such as those in Windows Settings\Security Settings.This policy setting overrides customized s
updated.If you enable this policy setting you can configure processing options for Service preference items.If you disable or do not configu
e updated.If you enable this policy setting you can configure processing options for Shortcut preference items.If you disable or do not confi
policy settings that use the software installation component of Group Policy such as policy settings in Software Settings\Software Installati
are updated.If you enable this policy setting you can configure processing options for Start Menu preference items.If you disable or do not
who logs on to a computer affected by this setting. It is intended for special-use computers such as those in public places laboratories and
ng this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI.Disabling this policy disables web-to-app
tting affects all policies that use the wired network component of Group Policy such as those in Windows Settings\Wired Network Policies.I
etting affects all policies that use the wireless network component of Group Policy such as those in WindowsSettings\Wireless Network Po
ences (continue experiences).If you enable this policy setting the Windows device is discoverable by other Windows devices that belong to
teractively logged on users can view their own Resultant Set of Policy (RSoP) data.If you enable this policy setting interactive users cannot
ares as is being used for Active Directory.
. If you enable this policy setting Group Policy caches policy information after every background processing session. This cache saves a
d other tasks that requires linking between Phone and PC.If you enable this policy setting the Windows device will be able to enroll in Pho
s policy setting users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an officia
in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder.In additio
g (in the background). The updates specified by this setting occur in addition to updates performed when the system starts.By default Gro
startup policy processing. If the startup policy processing is synchronous the computer is blocked until the network is available or the defa
ng startup policy processing. If the startup policy processing is synchronous the computer is blocked until workplace connectivity is availab
ng applies to Group Policy for computers users and domain controllers.If you enable this policy setting the system waits until the current u
y settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the lo
P logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Poli
preference extension and to turn on tracing for the Applications extension. Logging and tracing provide diagnostic information for trouble
s preference extension and to turn on tracing for the Data Sources extension. Logging and tracing provide diagnostic information for troub
erence extension and to turn on tracing for the Devices extension. Logging and tracing provide diagnostic information for troubleshooting.
preference extension and to turn on tracing for the Drive Maps extension. Logging and tracing provide diagnostic information for troublesh
preference extension and to turn on tracing for the Environment extension. Logging and tracing provide diagnostic information for troub
nce extension and to turn on tracing for the Files extension. Logging and tracing provide diagnostic information for troubleshooting.If you
ns preference extension and to turn on tracing for the Folder Options extension. Logging and tracing provide diagnostic information for tro
erence extension and to turn on tracing for the Folders extension. Logging and tracing provide diagnostic information for troubleshooting.I
erence extension and to turn on tracing for the Ini Files extension. Logging and tracing provide diagnostic information for troubleshooting.
erence extension and to turn on tracing for the Internet extension. Logging and tracing provide diagnostic information for troubleshooting
nd Local Group preference extension and to turn on tracing for the Local User and Local Group extension. Logging and tracing provide diag
tions preference extension and to turn on tracing for the Network Options extension. Logging and tracing provide diagnostic information f
res preference extension and to turn on tracing for the Network Shares extension. Logging and tracing provide diagnostic information for
ns preference extension and to turn on tracing for the Power Options extension. Logging and tracing provide diagnostic information for tro
erence extension and to turn on tracing for the Printers extension. Logging and tracing provide diagnostic information for troubleshooting
tions preference extension and to turn on tracing for the Regional Options extension. Logging and tracing provide diagnostic information fo
erence extension and to turn on tracing for the Registry extension. Logging and tracing provide diagnostic information for troubleshooting
asks preference extension and to turn on tracing for the Scheduled Tasks extension. Logging and tracing provide diagnostic information for
erence extension and to turn on tracing for the Services extension. Logging and tracing provide diagnostic information for troubleshooting
eference extension and to turn on tracing for the Shortcuts extension. Logging and tracing provide diagnostic information for troubleshooti
preference extension and to turn on tracing for the Start Menu extension. Logging and tracing provide diagnostic information for troublesh
rnet resources.If you enable this setting all of the the policy settings listed in the "Internet Communication settings" section are set such th
dows Update features are removed. This includes blocking access to the Windows Update website at http://windowsupdate.microsoft.com
n unhandled file type or protocol association.When a user opens a file type or protocol that is not associated with any applications on the c
ebsite. Typically a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certifica
up HTTP printing non-inbox drivers need to be downloaded over HTTP.Note: This policy setting does not prevent the client from printing
er application.The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In additi
ersonalization tool tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. T
enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft ove
content is dynamically updated when users who are connected to the Internet open Help and Support Center and provides up-to-date inf
nd Support Center.The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products and
a list of Internet Service Providers (ISPs).If you enable this policy setting the "Choose a list of Internet Service Providers" path in the Intern
nd online ordering wizards.These wizards allow users to select from a list of companies that provide services such as online storage and ph
le with an unhandled file association.When a user opens a file that has an extension that is not associated with any applications on the co
a client to print to printers on the intranet as well as the Internet.Note: This policy setting affects the client side of Internet printing only. It
e registration.If you enable this policy setting it blocks users from connecting to Microsoft.com for online registration and users cannot reg
uring local and Internet searches.When users search the local computer or the Internet Search Companion occasionally connects to Micros
ws folders.The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online.If you enable this p
" and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders.The Web Publishing Wizard is us
dows Messenger software and service is used.With the Customer Experience Improvement program users can allow Microsoft to collect an
mer Experience Improvement Program collects information about your hardware configuration and how you use our software and service
t information about a system or application that has failed or has stopped responding and is used to improve the quality of the product.If
or (NCSI) to determine whether your computer is connected to the Internet or to a more limited network.As part of determining the conn
drivers for a device are present.If you enable this policy setting Windows Update is not searched when a new device is installed.If you disab
w persistent logins may be created. If disabled then additional persistent and non persistent logins may be established.
may be changed.
cret may be changed.
onnections that are configured for IPSec or connections not configured for IPSec may be established.
en sessions that are configured for mutual CHAP or sessions not configured for mutual CHAP may be established.
hen sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. Note that if the "Do
; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually configured
y be manually configured. Note: if enabled there may be cases where this will break VDS.
; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via those iSN
sting target portals may not be removed. If disabled then new target portals may be added and thus new targets discovered on those por
tion for Dynamic Access Control and Kerberos armoring using Kerberos authentication.If you enable this policy setting client computers th
domain controllerâ€™s domain is not at Windows Server 2016 DFL or higher this policy will not be applied.This policy setting allows you to
ient computers.If you enable this policy setting the domain controller provides the information message about previous logons.For Windo
For a domain controller to request compound authentication the policy "KDC support for claims compound authentication and Kerberos ar
ttempting to resolve two-part service principal names (SPNs).If you enable this policy setting the KDC will search the forests in this list if it
d during Kerberos authentication. The ticket size warnings are logged in the System log.If you enable this policy setting you can set the thre
gure this policy setting the cloud kerberos ticket is not retrieved during the logon.If you enable this policy setting the cloud kerberos ticket
source domain requests compound identity.Note: For a domain controller to request compound authentication the policies "KDC support
rberos realm.If you enable this policy setting you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos r
realms as defined by this policy setting. If you enable this policy setting you can view and change the list of interoperable Kerberos V5
erver.If you enable this policy setting revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This
en communicating with a domain controller.Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic
Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. If you enable this policy s
d system certificate logon. If you enable this policy setting the Kerberos client requires that the KDC's X.509 certificate contains the KDC ke
is system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the se
the SSPI context token buffer size. The size of the context token buffer determines the maximum size of SSPI context tokens an app
r DNS suffix names.If you enable this policy setting the Kerberos client will use the KDC proxy server for a domain when a domain controll
Support for providing compound authentication which is used for access control will require enough domain controllers in the resource ac
omain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to attem
esolve two-part service principal names (SPNs).If you enable this policy setting the Kerberos client searches the forests in this list if it is un
takes effect when Kernel DMA Protection is enabled and supported by the system. Note: this policy does not apply to 1394 PCMCIA or Exp
policy setting users cannot change their GeoID.If you disable or do not configure this policy setting users may select any GeoID.If you enab
n-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect the ava
er is restricted to the set of locales that are installed with the operating system.This does not affect the selection of replacement locales. T
ting overrides in place when this policy is enabled will be frozen. To remove existing user overrides first reset the user(s) values to the def
system locale to its current value. This policy setting does not change the existing system locale; however the next time that an administra
ks all user locales to their current values. This policy setting does not change existing user locale settings; however the next time a user att
when a Connected Standby device screen turns off.If you enable this policy setting a user on a Connected Standby device can change the a
ive preference to a custom logon background. If you enable this policy setting the logon screen always attempts to load a custom backgrou
wait for the network to be fully initialized during computer startup and user logon). By default on client computers Group Policy processin
al provider.If you enable this policy setting the specified credential provider is selected on other user tile.If you disable or do not configure
which the computer is joined. Without this policy setting at logon if a user does not specify a domain for logon the domain to which the co
een.If you enable this policy setting the user cannot choose to show account details on the sign-in screen.If you disable or do not configure
on screen.If you enable this policy setting the PC's network connectivity state cannot be changed without signing into Windows.If you disa
user logs on.If you enable this policy setting the welcome screen is hidden from the user logging on to a computer where this policy is app
nable this policy setting the Logon UI will not enumerate any connected users on domain-joined computers.If you disable or do not config
nd documents that the system starts automatically when it runs on Windows Vista Windows XP Professional and Windows 2000 Professio
s and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the stan
icy setting Logon UI will enumerate all local users on domain-joined computers.If you disable or do not configure this policy setting the Log
thentication.Note: credential providers are used to process and validate usercredentials during logon or when authentication is required.W
Manager.If you enable this policy setting the Switch User interface is hidden from the user who is attempting to log on or is logged on to t
ser logs on to the system.If you enable this policy setting you can specify which programs can run at the time the user logs on to this comp
he logon background image shows without blur. If you disable or do not configure this policy the logon background image adopts the a
computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added
his policy setting no app notifications are displayed on the lock screen.If you disable or do not configure this policy setting users can choos
enable this policy setting a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy setting a
nable this policy setting a domain user can set up and sign in with a convenience PIN.If you disable or don't configure this policy setting a d
able this policy setting users can sign in with external security keys.If you disable or don't configure this policy setting users can't sign in wit
an be used to enforce a number of security policies specific to applications. The application name is specified as the Value name including
d fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On Off and Audit. B
ms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithm
d by a client with the PDC emulator if the DC failed to validate the password.Contacting the PDC emulator is useful in case the clientâ€™s
in controller (DC) should support compatibility in file sharing semantics with earlier applications.If you enable this policy setting the Netlog
:- Checks if a password on a secure channel needs to be modified and modifies it if necessary.- On the domain controllers (DC) discovers a
controller (DC) should support compatibility in file sharing semantics with earlier applications.When this setting is enabled the SYSVOL sha
) response when logging on to the network.To specify the expected dial-up delay at logon click Enabled and then enter the desired value i
uts debug information to the log file netlogon.log in the directory %windir%\debug. By default no debug information is logged.If you enab
%\debug when logging is enabled.By default the maximum size of the log file is 20MB. If you enable this policy setting the maximum size of
oller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting DC Disco
o caller programs that do not periodically attempt to locate DCs and it is applied before the returning the DC information to the caller prog
one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.To specify the si
arches for domain controllers (DC) are unable to find a DC. For example retires may be set to occur according to the Use maximum DC disc
that perform periodic searches for domain controllers (DC) that are unable to find a DC.The default value for this setting is 10 minutes (10
searches for Domain Controllers (DCs) are unable to find a DC.For example the retry intervals may be set at 10 minutes then 20 minutes an
o caller programs that periodically attempt to locate DCs and it is applied before returning the DC information to the caller program. The d
hen trying to locate a domain controller (DC).When an environment has a large number of DCs running both old and new operating system
ntroller (DC).Note: To locate a remote DC based on its NetBIOS (single-label) domain name DC Locator first gets the list of DCs from a WIN
cation algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain nam
omain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Loca
or APIs return the IP address of the DC with the other parts of information. Before the support of IPv6 the returned DC IP address was IPv4
DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC.T
ered by the Net Logon service. These DNS records are dynamically registered and they are used to locate the domain controller (DC).To sp
rs (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and they are used to locate
address does not map to any configured site.Domain controllers use the client IP address during a DC locator ping request to compute whi
you enable this policy setting select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records
cords is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate t
his setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to l
ry partition should register the site-specific application directory partition-specific DC Locator DNS SRV resource records. These records ar
tor DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the D
or DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC
st if a DC in same the site is not found. In scenarios with multiple sites failing over to the try next closest site during DC Location streamline
ecific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DN
lution of single-lablel domain names by appending different registered DNS suffixes and uses NetBIOS name resolution only if DNS name r
ution of a single-label domain names.By default the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch po
their DNS host name when registering SRV records.If enabled domain controllers will lowercase their DNS host name when registering do
If you enable this policy setting history of Clipboard contents are allowed to be stored. If you disable this policy setting history of Cl
If you enable this policy setting Clipboard contents are allowed to be synchronized across devices logged in under the same Microsoft ac
cy setting activities of type User Activity are allowed to be published. If you disable this policy setting activities of type User Activity a
e this policy setting activities of type User Activity are allowed to be uploaded. If you disable this policy setting activities of type Use
g all activity types (as applicable) are allowed to be published and ActivityFeed shall roam these activities across device graph of the user.
r to change it. The PIN can be set to expire after any number of days between 1 and 730 or PINs can be set to never expire if the policy is s
sed. This policy enables administrators to enhance security by ensuring that old PINs are not reused continually. PIN history is not preserv
ber you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configured in the
ber you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in the Ma
uires the user to include at least one digit in their PIN.If you disable this policy setting Windows does not allow the user to include digits in
Windows requires the user to include at least one lowercase letter in their PIN.If you disable this policy setting Windows does not allow the
e: ! " # $ % & ' ( ) * + - . / : ; < = > ? @ [ \ ]
Windows requires the user to include at least one uppercase letter in their PIN.If you disable this policy setting Windows does not allow the
custom power plan use the Custom Active Power Plan setting.If you enable this policy setting specify a power plan from the Active Power P
ustom power plan GUID can be retrieved by using powercfg the power configuration command line tool. If you enable this policy setting y
le actions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If you disa
le actions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If you disa
actions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If you disabl
actions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If you disabl
ctions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If you disable
ctions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If you disable
on.If you enable this policy setting select one of the following actions:-Sleep-Hibernate-Shut downIf you disable this policy or do not config
on.If you enable this policy setting select one of the following actions:-Sleep-Hibernate-Shut downIf you disable this policy or do not config
e this policy setting you must provide a percent value indicating the battery charge level. Energy Saver will be automatically turned on at (
e this policy setting you must provide a percent value indicating the battery charge level. Energy Saver will be automatically turned on at (
s policy setting you must provide a value in seconds indicating how much idle time should elapse before Windows turns off the hard disk.I
s policy setting you must provide a value in seconds indicating how much idle time should elapse before Windows turns off the hard disk.I
y notification level.If you enable this policy setting select one of the following actions:-Take no action-Sleep-Hibernate-Shut downIf you di
otification action.If you enable this policy setting you must enter a numeric value (percentage) to set the battery level that triggers the criti
otification level.If you enable this policy setting select one of the following actions:-Take no action-Sleep-Hibernate-Shut downIf you disab
cation action.If you enable this policy setting you must enter a numeric value (percentage) to set the battery level that triggers the low no
ode.If you enable this policy setting you must enter a numeric value (percentage) to set the battery level that triggers the reserve power n
y notification level.If you enable this policy setting Windows shows a notification when the battery capacity remaining equals the low batt
will be turned off.If you disable or do not configure this policy setting users control this setting.
ng any application service or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity.If y
ng any application service or device driver prevents Windows from automatically transitioning to sleep after a period of user inactivity.If y
etting the computer automatically sleeps when network files are open.If you disable or do not configure this policy setting the computer d
etting the computer automatically sleeps when network files are open.If you disable or do not configure this policy setting the computer d
ble systems.If you enable this policy setting network connectivity will be maintained in standby.If you disable this policy setting network c
ble systems.If you enable this policy setting network connectivity will be maintained in standby.If you disable this policy setting network c
mputer in a sleep state.If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep sta
mputer in a sleep state.If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sleep sta
from sleep.If you enable or do not configure this policy setting the user is prompted for a password when the system resumes from sleep.
from sleep.If you enable or do not configure this policy setting the user is prompted for a password when the system resumes from sleep.
ibernate.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before Window
ibernate.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before Window
eep.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before Windows tra
eep.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before Windows tra
atically when a user is not present at the computer.If you enable this policy setting you must provide a value in seconds indicating how mu
atically when a user is not present at the computer.If you enable this policy setting you must provide a value in seconds indicating how mu
ated when the system transitions to sleep (Stand By).If you disable or do not configure this policy setting users control this setting.
ated when the system transitions to sleep (Stand By).If you disable or do not configure this policy setting users control this setting.
sleeping.If you enable this policy setting an application or service may prevent the system from sleeping (Hybrid Sleep Stand By or Hibern
sleeping.If you enable this policy setting an application or service may prevent the system from sleeping (Hybrid Sleep Stand By or Hibern
htness of the display.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse bef
htness of the display.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse bef
brightness of the display.If you enable this policy setting you must provide a value in percentage indicating the display brightness when W
brightness of the display.If you enable this policy setting you must provide a value in percentage indicating the display brightness when W
he computerâ€™s display.If you enable this policy setting Windows automatically adjusts the setting based on what users do with their ke
he computerâ€™s display.If you enable this policy setting Windows automatically adjusts the setting based on what users do with their ke
enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before Windows turns off the d
enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before Windows turns off the d
enable this policy setting desktop background slideshow is enabled.If you disable this policy setting the desktop background slideshow is
enable this policy setting desktop background slideshow is enabled.If you disable this policy setting the desktop background slideshow is
s in Recovery (in Control Panel) to restore the computer to the original state or from a user-created system image. If you enable or do no
t only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote As
If you enable this policy setting users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) R
f you enable this policy setting users on this computer can use email or file transfer to ask someone for help. Also users can use instant me
rol" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.The "Display warn
ally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting.For example
under Remote Assistance.If you enable this policy setting log files are generated.If you disable this policy setting log files are not generated
all they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service p
ted.The constrained delegation model introduced in Windows Server 2003 does not report that delegation was enabled on a security cont
d how much information it maintains. Basic state information which consists only of the most commonly needed state data is required fo
occurs.Extended error information includes the local time that the error occurred the RPC version and the name of the computer on which
RPC servers.This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it
eful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running the RPC
emovable storage policy settings. To manage individual classes use the policy settings available for each class.If you enable this policy setti
enable this policy setting remote users can open direct handles to removable storage devices in remote sessions.If you disable or do not c
cy setting execute access is denied to this removable storage class.If you disable or do not configure this policy setting execute access is all
etting read access is denied to this removable storage class.If you disable or do not configure this policy setting read access is allowed to th
setting write access is denied to this removable storage class.If you disable or do not configure this policy setting write access is allowed to
read access is denied to these removable storage classes.If you disable or do not configure this policy setting read access is allowed to thes
write access is denied to these removable storage classes.If you disable or do not configure this policy setting write access is allowed to th
Drives.If you enable this policy setting execute access is denied to this removable storage class.If you disable or do not configure this poli
ives.If you enable this policy setting read access is denied to this removable storage class.If you disable or do not configure this policy setti
rives.If you enable this policy setting write access is denied to this removable storage class.If you disable or do not configure this policy setti
is denied to this removable storage class.If you disable or do not configure this policy setting execute access is allowed to this removable
ed to this removable storage class.If you disable or do not configure this policy setting read access is allowed to this removable storage cla
nied to this removable storage class.If you disable or do not configure this policy setting write access is allowed to this removable storage
order to enforce a change in access rights to removable storage devices.If you enable this policy setting you can set the number of second
setting execute access is denied to this removable storage class.If you disable or do not configure this policy setting execute access is allo
tting read access is denied to this removable storage class.If you disable or do not configure this policy setting read access is allowed to thi
etting write access is denied to this removable storage class.If you disable or do not configure this policy setting write access is allowed to t
auxiliary displays and CE devices.If you enable this policy setting read access is denied to this removable storage class.If you disable or do n
auxiliary displays and CE devices.If you enable this policy setting write access is denied to this removable storage class.If you disable or do
red and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer.If you enable thi
of instructions that run when the user restarts the system or shuts it down. By default the system does not display the instructions in the
structions that run before the user is invited to log on. By default the system does not display the instructions in the startup script.If you en
rer interface program and creates the desktop.If you enable this policy setting File Explorer does not start until the logon scripts have finis
before the user is invited to log on. By default the system waits for each startup script to complete before it runs the next startup script.If
ell scripts during computer startup and shutdown. By default Windows PowerShell scripts run after non-Windows PowerShell scripts. If yo
ell scripts during user logon and logoff. By default Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable th
tting limits the total time allowed for all logon logoff startup and shutdown scripts applied by Group Policy to finish running. If the scripts h
fB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.For more information on the ROCA vulnerability
Manager with updated information about which roles and features are installed on servers that you are managing by using Server Manager
ogon on Windows Server 2008 and Windows Server 2008 R2. If you enable this policy setting the Initial Configuration Tasks window is not
s policy setting Server Manager is not displayed automatically when a user logs on to the server.If you disable this policy setting Server Ma
tting built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.This includes a policy requ
rnate to be enabled.If you disable or do not configure this policy setting the local setting is used.
visible top-level windows to block or cancel shutdown. By default such applications are automatically terminated if they attempt to cance
bled: Updates would be downloaded for the Disk Failure Prediction Failure Model. Disabled: Updates would not be downloade
Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pre
"Allow Storage Sense" is disabled then this policy does not have any effect.Enabled:Storage Sense will delete the userâ€™s temporary files
Allow Storage Sense" is disabled then this policy does not have any effect.Enabled:You must provide the desired Storage Sense cadence. S
mount of days.If the group policy "Allow Storage Sense" is disabled then this policy does not have any effect.Enabled:You must provide th
ertain amount of days.If the group policy "Allow Storage Sense" is disabled then this policy does not have any effect.Enabled:You must pr
ned for more than a certain number of days.If the group policy "Allow Storage Sense" is disabled then this policy does not have any effect.
u to turn off System Restore configuration through System Protection.System Restore enables users in the event of a problem to restore t
ore enables users in the event of a problem to restore their computers to a previous state without losing personal data files. By default Sys
e this policy setting you must select an execution level from the drop-down menu. If you select problem detection and troubleshooting onl
ou enable this policy setting you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshoo
the Program Compatibility Assistant use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administra
n and driver compatibility. If you enable this policy setting the PCA is configured to detect failures during application installation failures d
egular: Detection troubleshooting and recovery of corrupted files will automatically start with a minimal UI display. Windows will attempt
reports a S.M.A.R.T. fault. If you enable this policy setting Windows displays custom alert text in the disk diagnostic message. The custom t
d Reporting Technology (S.M.A.R.T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.
heap corruption problems.If you enable this policy setting the DPS detects troubleshoots and attempts to resolve automatically any heap
Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals.If you enable this policy setting administrators can us
rt Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. For some problems MSDT may prompt the user to
e support provider. MSDT gathers diagnostic data for analysis by support professionals.If you enable this policy setting users can use MSDT
ts administrators configure how it's applied to their domains/IT environments.Not configuring this policy setting will allow the user to con
tes:Prompt for Resolution: Detection troubleshooting and recovery of corrupted MSI applications will be turned on. Windows will prompt
ou enable this policy setting you must choose an execution level. If you choose detection and troubleshooting only Windows will periodica
d by untrusted publishers.If you enable this policy setting the scripted diagnostics execution engine validates the signer of any diagnostic p
shooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers.If you enable or do not config
ntent that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting Contr
you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only the Diagnostic Po
you enable or do not configure this policy setting the DPS enables Windows Memory Leak Diagnosis by default.If you disable this policy se
his policy setting you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only t
etting you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only the Diagnos
policy setting you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only the D
etting you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only the Diagnos
ry of the local computer. Depending on the amount of TPM owner authorization information stored locally the operating system and TPM
s blocked by Windows.If you enable this policy setting Windows will block the specified commands from being sent to the TPM on the com
n any state other than Ready. This policy will take effect only if the systemâ€™s TPM is in a state other than Ready including if the TPM is â
ld and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) th
Module (TPM) commands.If you enable this policy setting Windows will ignore the computer's default list of blocked TPM commands and w
dule (TPM) commands.If you enable this policy setting Windows will ignore the computer's local list of blocked TPM commands and will on
user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Loc
ailures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization fail
ers for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Stand
trator has configured a user's roaming profile the profile will be created at the user's next login. The profile is created at the location that
sts of network speed. To determine the network performance characteristics a connection is made to the file share storing the user's profi
puter's hard drive when the user logs off. Roaming profiles reside on a network server. By default when users with roaming profiles log off
not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accessed.If you
eed of the connection between a user's computer and the remote server that stores the roaming user profile. When the system detects a
n administrator has configured a user's roaming profile the profile will be created at the user's next login. The profile is created at the loca
re open handles to the per-user registry keys. Note: This policy setting should only be used for cases where you may be running into applic
not access the user profile folder or the profile contains errors that prevent it from loading Windows logs on the user with a temporary pr
primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers wh
e for roaming user profiles.The default user profile is applied when the user does not respond to messages explaining that any of the follow
olicy based software installation data on their profile deletion.By default Windows deletes all information related to a roaming user (which
of a user profile. When the number of trials specified by this policy setting is exhausted the system stops trying. As a result the user profile
ming profile users log on to a computer their roaming profile is copied down to the local computer. If they have already logged on to this
ver copy of their profile.By default when a user with a roaming profile logs on to a computer the roaming profile is copied down to the loc
ork connection with their roaming profile server is detected.If you enable this policy setting users will be allowed to define whether they w
ser without a remote home directory and withou synchronizing roaming user profiles. This policy setting is useful for the cases in which a
rofile path for all users logging onto this computer.To use this policy setting type the path to the network share in the form \\Computerna
er.dat). This policy setting controls only the uploading of a roaming user profile's registry file (other user data and regular profiles are not b
er for a logon session.If you enable this policy setting the user's home folder is configured to the specified local or network location creatin
s.If you enable this policy setting the advertising ID is turned off. Apps can't use the ID for experiences across apps.If you disable or do not
e and domain information.If you enable this policy setting sharing of user name picture and domain information may be controlled by setti
when loading is slow. Also the system waits for the remote copy when the user is notified about a slow connection but does not respond in
cated users but it might confuse novices.If you enable this policy setting the file scan window does not appear during file scanning.If you d
ection file cache.Windows File Protection adds protected files to the cache until the cache content reaches the quota. If the quota is great
directs Windows File Protection to enumerate and scan all system files for changes.If you enable this policy setting select a rate from the "
olicy setting enter the fully qualified local path to the new location in the "Cache file path" box.If you disable this setting or do not configur
W32time) for domain controllers including RODCs.If this policy setting is enabled W32time Service on target machines use the settings pro
olicy setting you can specify the following parameters for the Windows NTP Client.If you disable or do not configure this policy setting the
allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide to use
cy setting for the Windows NTP Server your computer can service NTP requests from other computers.If you disable or do not configure th
o install ActiveX controls on their computers. When this setting is enabled the administrator can create a list of approved Activex Install sit
olicy setting ActiveX controls are installed according to the settings defined by this policy setting. If you disable or do not configure this
e wizard will not run.If you disable this policy setting or set it to Not Configured the wizard will run.
e this policy a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. This folde
ed Windows Store apps.If you enable this policy setting you can install any LOB or developer-signed Windows Store app (which must be si
using a special profile. Special profiles are the following user profiles where changes are discarded after the user signs off:Roaming user p
If you enable this setting and enable the "Allow all trusted apps to install" Group Policy you can develop Microsoft Store apps and inst
setting then the system will periodically check for and archive infrequently used apps.If you disable this policy setting then the system wil
dary partitions USB drives or SD cards. If you enable this setting you can't move or install Windows apps on volumes that are not the sy
n-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do
r location. If you enable this setting all users' app data will stay on the system volume regardless of where the app is installed. If yo
a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by
ault setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by usin
etting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the
tting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the G
pps including user name.You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You
g for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-
tting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the G
ify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for
t setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using th
g for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-
t setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using t
tion controllers and other tracked objects while the apps are running in the background.You can specify either a default setting for all apps
ontrol" option employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings
you choose the "User is in control" option employees in your organization can decide whether users can interact with applications using sp
an specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family N
efault setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by u
etting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the
u can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family
er a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app
equire an account to sign in. This policy only affects Windows Store apps that support it.If you enable this policy setting Windows Store app
pp for a file type. Because desktop apps run at a higher integrity level than Windows Store apps there is a risk that a Windows Store app m
pp for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps there is a risk that a URI scheme launc
y from web content can be launched. If you enable this policy setting Universal Windows apps which declare Windows Runtime API ac
defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer.I
ng affects the launching of 16-bit applications in the operating system.You can use this setting to turn off the MS-DOS subsystem which w
ension is visible on the property context-menu of any program shortcut or executable file.The compatibility property page displays a list of
e loader and looks through a compatibility database every time an application is started on the system. If a match for the application is fou
mechanism that tracks anonymous usage of specific Windows system components by applications.Turning Application Telemetry off by sel
cations files devices and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compati
plications run by the user. When a potential compatibility issue with an application is detected the PCA will prompt the user with recomme
user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers unders
sm that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior
setting AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting AutoPla
evice is connected. If you enable this policy setting AutoPlay prompts the user to choose what to do when a device is connected.
stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista when media contain
soon as you insert media in the drive. As a result the setup file of programs and the music on audio media start immediately. Prior to
d data volumes can be backed up.If you enable this policy setting machine administrator/backup operator can backup only volumes hostin
or not.If you enable this policy setting machine administrator/backup operator cannot use Windows Server Backup to run backups to a lo
f you enable this policy setting machine administrator/backup operator cannot use Windows Server Backup to run backups to a network s
If you enable this policy setting machine administrator/backup operator cannot use Windows Server Backup to run backups to an optical m
nable this policy setting machine administrator/backup operator cannot use Windows Server Backup to run non-scheduled run-once back
ntrol (UAC) permissions using biometrics.If you enable or do not configure this policy setting Windows allows domain users to log on to a d
able or do not configure this policy setting the Windows Biometric Service is available and users can run applications that use biometrics o
using biometrics. By default local users will be able to log on to the local computer but the "Allow domain users to log on using biometric
re the switch is initiated. By default a fast user switch event is active for 10 seconds before becoming inactive.If you enable this policy setti
tication.If you enable this setting Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello face au
tion setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This policy setting is applied w
ption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encryp
nd specify BitLocker recovery options. This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This pol
downstream ports until a user logs into Windows. Once a user logs in Windows willÂ enumerate the PCI devices connected to the host Thu
icy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies on
ith BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows you to as
Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to prevent data
rotected drive. This policy setting is applied when you turn on BitLocker.The object identifier is specified in the enhanced key usage (EKU) o
locked and viewed on computers running Windows Server 2008 Windows Vista Windows XP with Service Pack 3 (SP3) or Windows XP wit
ence of the required credentials. This policy setting is applied when you turn on BitLocker.The "Allow data recovery agent" check box is us
ves and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve p
If you choose to permit the use of a password you can require that a password be used enforce complexity requirements on the passwor
e BitLocker-protected fixed data drives on a computer.If you enable this policy setting smart cards can be used to authenticate user access
on a computer.If you enable this policy setting all fixed data drives that are not BitLocker-protected will be mounted as read-only. If the dr
cy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryptio
y Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Require star
nhanced startup PINs permit the use of characters including uppercase and lowercase letters symbols numbers and spaces. This policy setti
ocal Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically u
ovider for BitLocker operating system drives.Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally s
the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.The "Allow certificate-based
rtup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a
ayed on the pre-boot key recovery screen when the OS drive is locked.If you select the "Use default recovery message and URL" option the
dware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLo
tem drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can imp
tem drives. If non-TPM protectors are allowed on operating system drives you can provision a password enforce complexity requirements
olume PINs provided they are able to provide the existing PIN first.This policy setting is applied when you turn on BitLocker.If you enable t
environment even if the platform lacks pre-boot input capability.The Windows touch keyboard (such as that used by tablets) isn't availabl
he computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied w
o set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you turn on
s is started following BitLocker recovery.If you enable this policy setting platform validation data will be refreshed when Windows is starte
tform validation.If you enable this policy setting you will be able to add additional settings remove the default settings or both.If you disabl
be unlocked and viewed on computers running Windows Server 2008 Windows Vista Windows XP with Service Pack 3 (SP3) or Windows X
he absence of the required credentials. This policy setting is applied when you turn on BitLocker.The "Allow data recovery agent" check bo
ata drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can impr
drives. If you choose to allow use of a password you can require a password to be used enforce complexity requirements and configure a m
Locker-protected removable data drives on a computer.If you enable this policy setting smart cards can be used to authenticate user acce
n you turn on BitLocker.When this policy setting is enabled you can select property settings that control how users can configure BitLocker
ata to a removable data drive.If you enable this policy setting all removable data drives that are not BitLocker-protected will be mounted a
nfigure this policy setting Camera devices will be enabled. If you disable this property setting Camera devices will be disabled.
will no longer see Windows tips.If you disable or do not configure this policy setting users may see contextual popups explaining how to us
olicy Windows experiences that use the cloud optimized content client component will instead present the default fallback content.If you
account.If you enable this policy setting users will no longer see personalized recommendations from Microsoft and notifications about th
can't be projected to except if the user manually launches the Connect app. If you turn it off or don't configure it your PC is discoverable
iring.If you set this to 'First Time' the pairing ceremony for new devices will always require a PIN.If you set this to 'Always' all pairings will
experiences.If you enable this policy setting the password reveal button will not be displayed after a user types a password in the passwo
a running application. By default administrator accounts are not displayed when the user attempts to elevate a running application.If you
heir passwords.
t a Trojan horse or other types of malicious code from stealing the userâ€™s Windows credentials.Note: This policy affects nonlogon authe
tic data collected from this device.If you enable this policy Microsoft will be the processor of Windows diagnostic data collected from the
The following list shows the supported values: 0 (default)â€“ Diagnostic data is not processed by Desktop Analytics. 2
e or do not configure this policy setting then device name will not be sent to Microsoft as part of Windows diagnostic data.
y setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data collected
The following list shows the supported values: 0 (default)â€“ Diagnostic data is not processed by Update Compliance.
Business cloud. The following list shows the supported values: 0 (default)â€“ Diagnostic data is not processed by Windows U
n authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting the Connected U
ver.If you enable this policy setting you can specify the FQDN or IP address of the destination device within your organizationâ€™s networ
ttings on first logon and when the changes occur in settings.If you set this policy setting to "Disable diagnostic data change notifications" d
If you set this policy setting to "Disable diagnostic data opt-in settings" diagnostic data settings are disabled in the Settings app.If you donâ
ogram.If your organization is participating in the program and has been instructed to configure a custom upload endpoint then use this se
belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging t
Settings page.If you enable this policy setting the Delete diagnostic data button will be disabled in Settings page preventing the deletion of
nostic & feedback Settings page.If you enable this policy setting the Diagnostic Data Viewer will not be enabled in Settings page and it will
rvice.If you enable this policy Windows will not download configuration settings from the OneSettings service.If you disable or don't config
rosoft.If you enable this policy setting users will no longer see feedback notifications through the Windows Feedback app.If you disable or
e OneSettings service to the EventLog.If you enable this policy Windows will record attempts to download configuration settings from the
ed to troubleshoot a problem on the device. Diagnostic logs are only sent when the device has been configured to send optional diagnosti
bleshoot a problem.â€¯Dumps are only sent when the device has been configured to send optional diagnostic data.By enabling this setting
end the minimum data required by Desktop Analytics.To enable the behavior described above complete the following steps: 1. Enable th
Settings > Update and security > Windows Insider Program.If you enable or do not configure this policy setting users can download and ins
e policy.The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk space.
peers while on DC power (Battery).The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can downloa
by your client(s).One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple values s
rvers dynamically.Options available are:1 = DHCP Option 235.2 = DHCP Option 235 Force.For both options the client will query DHCP Optio
oad by X seconds.Note: if you set the policy to delay background download from http it will apply first (to allow downloads from peers first
P2P.After the max delay has reached the download will resume using HTTP either downloading the entire payload or complementing the b
ad by X seconds.Note: if you set the policy to delay foreground download from http it will apply first (to allow downloads from peers first)
wed to use P2P.After the max delay has reached the download will resume using HTTP either downloading the entire payload or complem
s and App updates.The following list shows the supported values:0 = HTTP only no peering.1 = HTTP blended with peering behind the sam
twork.This means the device can download from or upload to other domain network devices either on VPN or on the corporate domain ne
his if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same LAN.N
oading successfully.The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the files a
ss all concurrent download activities using Delivery Optimization.The default value 0 (zero) means that Delivery Optimization dynamically a
rent download activities as a percentage of available download bandwidth.The default value 0 (zero) means that Delivery Optimization dy
s all concurrent download activities using Delivery Optimization.The default value 0 (zero) means that Delivery Optimization dynamically a
ent download activities as a percentage of available download bandwidth.The default value 0 (zero) means that Delivery Optimization dyn
/second.This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from HTTP source to
vice set default value will be used.Recommended values: 64 GB to 256 GB.Note: If the DOModifyCacheDrive policy is set the disk size chec
100000 MB.
B then devices with 1 GB or higher available RAM will be allowed to use Peer caching.Recommended values: 1 GB to 4 GB.
he cache. The drive location can be specified using environment variables drive letter or using a full path.
n each calendar month.The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
2 = Local discovery (DNS-SD).The default value has changed from 0 (no restriction) to 1 (restrict to the subnet).These options apply to both
ted domain SID.3 = DHCP Option ID.4 = DNS Suffix.5 = AAD Tenant ID.When set the Group ID will be assigned automatically from the selec
de business hours across all concurrent download activities as a percentage of available download bandwidth.
e business hours across all concurrent download activities as a percentage of available download bandwidth.
oyed as compressed files either digitally signed or unsigned.If you enable this setting gadgets that have not been digitally signed will not b
n or utilities on the desktop.If you enable this setting desktop gadgets will be turned off.If you disable or do not configure this setting desk
this setting Windows will not run any user-installed gadgets.If you disable or do not configure this setting Windows will run user-installed
view items on the Windows desktop as they are being flipped through in three dimensions. If you enable this policy setting Flip 3D is inacc
mizing and maximizing windows. If you enable this policy setting window animations are turned off. If you disable or do not configure this
nd will use a solid color.If you disable or do not configure this policy setting the Start background will use the default visuals.Note: If this po
g you prevent users from changing the default window frame color. If you disable or do not configure this policy setting you allow users to
ou enable this policy setting and specify a default color this color is used in glass window frames if the user does not specify a color. If you
ble this setting domain joined computers automatically and silently get registered as devices with Azure Active Directory.Note: Additional r
Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Win
n edge.If you enable or do not configure this policy setting users will be able to invoke system UI by swiping in from the screen edges.
e user has successfully completed the scenarios.If this setting is enabled Windows will not show any help tips to the user.
er second sent to the Event Collector.If you enable this policy setting you can control the volume of events sent to the Event Collector by t
y (CA) of a target Subscription Manager.If you enable this policy setting you can configure the Source Computer to contact a specific FQDN
only if the "Retain old events" policy setting is enabled.If you enable this policy setting and the "Retain old events" policy setting is enabled
n Language (SDDL) string.If you enable this policy setting only those users matching the security descriptor can access the log.If you disable
n Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and legacy
s policy setting and a log file reaches its maximum size new events are not written to the log and are lost.If you disable or do not configure
Log service and should only be accessible to administrators.If you enable this policy setting the Event Log uses the path specified in this p
can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte in
n Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settings for t
n Language (SDDL) string. You cannot configure write permissions for this log.If you enable this policy setting only those users whose secur
can configure the maximum log file size to be between 20 megabytes (20480 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyt
n Language (SDDL) string.If you enable this policy setting only those users matching the security descriptor can access the log.If you disable
written to this log.If the policy setting is disabled then no new events can be logged. Events can always be read from the log regardless of t
n Language (SDDL) string.If you enable this policy setting only users whose security descriptor matches the configured value can access the
hat support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will
alue if you want to use a different Web server to handle event information requests.
ble this policy setting file shortcut icons are allowed to be obtained from remote paths.If you disable or do not configure this policy setting
warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial d
IPropertySetStorage implementation and to include the intermediate layers provided by the Property System. This behavior is consistent
ached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settings to d
d on file types (e.g. *.txt) or protocols (e.g. http:)If this group policy is enabled no notifications will be shown. If the group policy is not con
es reside.If you enable this policy setting administrators can specify a path where all default Library definition files for users reside. The us
ype and protocol default application associations. This file can be created using the DISM tool.For example:Dism.exe /Online /Export-Defa
m that is blocked by policy.
on will be shown in the Power Options menu (as long as it is supported by the machine's hardware).If you disable this policy setting the hib
n the User Tile menu.If you disable this policy setting the lock option will never be shown in the User Tile menu.If you do not configure this
shown in the Power Options menu (as long as it is supported by the machine's hardware).If you disable this policy setting the sleep option
lorer windows are opened. If you enable this policy setting you can set how the ribbon appears the first time users open File Explorer and
nating Explorer.
terminating Explorer immediately although Explorer may still terminate unexpectedly later.
n in numerical order.If you enable this policy setting File Explorer will sort file names by each digit in a file name (for example 111 < 22 < 3
en using the full functionality of this protocol applications can open folders and launch files. The protected mode reduces the functionality
on and the new and old targets point to the same network share but have different network paths.If you enable this policy setting Folder R
sions could come from the on-disk restore points or from backup media.If you enable this policy setting users cannot list or restore previou
sions come from the on-disk restore points on the file share.If you enable this policy setting users cannot list or restore previous versions o
is located on backup media. Previous versions can come from the on-disk restore points or the backup media.If you enable this policy setti
er has selected a previous version of a local file.If you enable this policy setting the Restore button is disabled when the user selects a prev
er has selected a previous version of a local file in which the previous version is stored on a backup.If you enable this policy setting the Re
selected a previous version of a file on a file share.If you enable this policy setting the Restore button is disabled when the user selects a p
ctivated to create regular automatic backups.If you disable or do not configure this policy setting File History can be activated to create re
the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. On devices that are com
ult is floating near text box. If you want the panel to be fixed use this policy to fix it to the bottom.
eir computer to a homegroup on a private network.If you enable this policy setting users cannot add computers to a homegroup. This poli
viders. Normally search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from the pro
enable this policy "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explorer.If yo
dlers to display UI during shutdown. This policy setting may be needed to fix compatibility problems with particular web applications.If you
ss bar. To provide enhanced suggestions the user's keystrokes are sent to Microsoft through Microsoft services.If you enable this policy setti
he Internet Explorer 9 browser. Any add-ons that were activated in a previous version of Internet Explorer are considered to be the same a
rence). Use this policy if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the chosen
n the HTTP User Agent header.If you enable this policy setting Internet Explorer sends the specified custom string in the version portion of
ternet Explorer from downloading a component when users browse to a Web site that needs that component.If you disable this policy or
customize Internet Explorer. This setting specifies that Internet explorer use the configuration settings provided in a file by the system adm
ns tab in the Internet Options dialog box appears dimmed.If you disable this policy or do not configure it users can change their settings fo
ome page whenever the browser is run. This policy setting allows you to set default secondary home pages.If you enable this policy setting
m another browser import settings from a file or export settings to a file. Importing settings from another browser allows the user to impo
it:- Prevents Internet Explorer 11 from launching as a standalone browser.- Restricts Internet Explorer's usage to Microsoft Edge's native 'I
his policy it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if a new v
s policy the splash screen which displays the program name licensing and copyright information is not displayed.If you disable this policy o
nstall new components. The Software Distribution Channel is a means of updating software dynamically on users' computers by using Ope
dd-On Manager.If you enable this policy setting users cannot enable or disable add-ons through Add-On Manager.If you disable or do not
rl+S" to have "Save as" functionality.If you enable this policy extended hotkey functionality is enabled in Internet Explorer mode and work
nd the Command bar. Starting with Windows 8 this policy only applies to Internet Explorer on the desktop.The navigation bar includes fea
hen they are available.If you enable this policy setting automatic upgrade of Internet Explorer will be turned on.If you disable this policy se
Send all sites not included in the Enterprise Mode Site List to Microsoft Edgeâ€™ (â€˜RestrictIEâ€™) policy isnâ€™t enabled this policy has
ity issues. Optionally this policy also lets you specify where to get reports (through post messages) about the websites for which users turn
ternet Explorer Site discovery Toolkit(SDTK). When enabled the feature will collect data from sites that are part of the domains configured
nternet Explorer Site discovery Toolkit(SDTK). When enabled the feature will collect data from sites that are part of the zones configured in
cific proxy settings. They must use the zones created for all users of the computer.If you disable this policy or do not configure it users of th
ardless of the Internet Explorer process's Pop-Up Blocker settings.If you enable this policy setting you can enter a list of sites which will be
heck.If you enable this policy setting the user cannot use the "Fix settings" functionality.If you disable or do not configure this policy settin
g the following occur: â€¢ The Help menu on the menu bar is not functional. â€¢ Help is removed from the Command bar. â€¢ The sh
Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter also pr
Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.If you enable this
follows: High: Block all pop-ups. Medium: Block most automatic pop-ups. Low: Allow pop-ups from secure sites.If you enable this poli
not be able to configure proxy settings.If you disable or do not configure this policy setting the user can configure proxy settings.
toolbar Search box.If you enable this policy setting the user cannot change the default search provider.If you disable or do not configure t
s from other applications.If you enable this policy setting the user cannot configure how windows open in Internet Explorer when he or sh
nable this policy setting the user cannot configure how new tabs are created by default. You must specify whether tabs should open in the
ailable it includes all installed search providers and a link to search settings.If you enable this policy setting the Search box does not appear
icy setting the user cannot add websites to or remove websites from the exception list.If you disable or do not configure this policy setting
being visited is known for fraudulent attempts to gather personal information through "phishing" or is known to host malware.If you ena
is known for fraudulent attempts to gather personal information through "phishing."If you enable this policy setting the user is not promp
(CEIP).If you enable this policy setting the user cannot participate in the CEIP and the Customer Feedback Options command does not app
e this policy setting ActiveX controls cannot be installed on a per-user basis.If you disable or do not configure this policy setting ActiveX co
he browser after installing Internet Explorer or Windows.If you enable this policy setting you must make one of the following choices: â€
orer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Expl
with the same security level.If you enable this policy the site management settings for security zones are disabled. (To see the site managem
security level.If you enable this policy the Custom Level button and security-level slider on the Security tab in the Internet Options dialog b
s with the same security level.If you enable this policy changes that the user makes to a security zone will apply to all users of that comput
oft Edge. If you use this setting you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use the Ent
e two algorithms that Internet Explorer uses.The default algorithm has four settings: low medium high or default. Low creates very few ta
g that a site has been opened using Microsoft Edge with Enterprise Mode.If you enable this setting employees see an additional page in Int
policy setting you can choose which page to display when the user opens a new tab: blank page (about:blank) the first home page the new
ctiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX con
such as the taskbar the desktop or File Explorer.If you enable this policy setting users cannot pin sites.If you disable or do not configure thi
loading any ActiveX control without prior approval. If a website attempts to load an ActiveX control that Internet Explorer has not used be
all the user's enabled add-ons exceeds the threshold. The notification informs the user that add-ons are slowing his or her browsing and di
overy does not prompt the user to recover his or her data after a program stops responding.If you disable or do not configure this policy s
esting location data about the user.If you enable this policy setting browser geolocation support is turned off.If you disable this policy setti
ed browsing in Internet Explorer.If you enable this policy setting the user cannot configure pop-up windows in tabbed browsing. You must
this policy setting a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier namely to
.If you enable this policy setting the Favorites bar is turned off.If you disable this policy setting the Favorites bar is turned on.If you do not
ng visited is known for fraudulent attempts to gather personal information through "phishing" or is known to host malware.If you enable t
able this policy setting applications that host MSHTML do not respond to user input that causes the content to be re-rendered at a scaled
le this policy setting the Control Panel information relating to pop-up management will be unavailable (grayed out) and all other pop-up m
policy setting the entry points to Quick Tabs are removed from the Internet Explorer user interface.If you disable or do not configure this p
ature in Internet Explorer.If you enable this policy setting the user cannot use the Reopen Last Browsing Session feature.If you disable or d
s policy setting the user cannot view suggestions for user-installed search providers.If you disable or do not configure this policy setting the
er user interface. Starting with Windows 8 this policy only applies to Internet Explorer on the desktop.If you enable this policy setting tabb
ser address bar.If you enable this policy setting user will not be suggested matches when entering Web addresses. The user cannot change
ch box.If you enable this policy setting when a user clicks in the Search box the quick pick menu does not appear until the user starts typin
ngs to determine when the settings put Internet Explorer at risk.If you enable this policy setting the feature is turned off.If you disable or d
user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.If you enable this policy setting
tibility information is displayed in the Windows Event Viewer.If you enable this policy setting the user can log information that is blocked b
ernet Explorer.If you enable this policy setting the menu bar appears in Internet Explorer by default and the user cannot turn it off.If you d
ry Toolkit(SDTK). When enabled the feature will write data collected to a WMI class which can then be aggregated using a client managem
y Toolkit(SDTK). When enabled the feature will write data collected to an XML file at a location specified when setting this policy. When di
s browsing activity. Suggested Sites reports a userâ€™s browsing history to Microsoft to suggest sites that the user might want to visit.If yo
e IE instead of Standard mode because of compatibility issues. Users can't edit this list.If you enable this policy setting Internet Explorer d
lerators are added to the user's browser. The user can append other Accelerators to this list but the user cannot remove or change the Ac
Accelerators are added to the user's browser. The user can append other Accelerators to this list but the user cannot remove or change th
h Group Policy.If you enable this policy setting the user can access only Accelerators that are deployed through Group Policy. The user cann
tting users cannot access Accelerators.If you disable or do not configure this policy setting users can access Accelerators and install new Ac
uter attempts to perform a Clipboard operation (delete copy or paste).If you enable this policy setting the user is not prompted when a sc
cess attempts to perform a Clipboard operation (delete copy or paste) and the URL action for the zone is set to prompt.If you enable this p
ompting the user.Note: Do not enter the Internet Explorer processes in this list. To enable or disable Internet Explorer processes use the "
8 this policy setting also allows you to manage whether users can access the Print flyout for Internet Explorer and any printers under the D
menu option.If you enable this policy setting a menu option wonâ€™t be available in Internet Explorer settings or in the tools menu in the
ailable on Windows Update.If you enable this policy setting the Microsoft-provided website lists are used during browser navigation. If a u
lems that he or she may encounter while browsing.If you enable this policy setting the user cannot use the Compatibility View button or m
lows the user to fix website display problems that he or she may encounter while browsing.If you enable this policy setting the user canno
s how Internet Explorer identifies itself to a web server and determines whether content is rendered in Internet Explorer 7 Standards Mod
d as any webpage that belongs to the local intranet security zone.If you enable this policy setting Internet Explorer uses the current user ag
View.If you enable this policy setting the user can add and remove sites from the list but the user cannot remove the entries that you spec
her content is rendered in Quirks Mode or the Standards Mode available in the latest version of Internet Explorer.If you enable this policy
net Component Download service exposes a function that is called by an application to download verify and install code for an Object Link
he preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files cookies history form data and
access the Temporary Internet Files and History Settings dialog box from the Menu bar on the Tools menu click Internet Options click the G
nformation on browsing history Group Policy settings see "Group Policies Settings in Internet Explorer 10" in the TechNet technical library
ring and Tracking Protection data which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tracking
History dialog box.If you enable this policy setting cookies are preserved when the user clicks Delete.If you disable this policy setting cooki
he Delete Browsing History dialog box.If you enable this policy setting download history is preserved when the user clicks Delete.If you dis
Browsing History dialog box.If you enable this policy setting favorites site data is preserved when the user clicks Delete.If you disable this
ng History dialog box.If you enable this policy setting form data is preserved when the user clicks Delete.If you disable this policy setting for
te Filtering data during browser sessions other than InPrivate Browsing sessions to determine which third-party items should be blocked w
History dialog box.If you enable this policy setting passwords are preserved when the user clicks Delete.If you disable this policy setting pa
Delete Browsing History dialog box.If you enable this policy setting temporary Internet files are preserved when the user clicks Delete.If yo
ature is available in the Delete Browsing History dialog box.If you enable this policy setting websites that the user has visited are preserved
owsing history available by clicking Tools Internet Options and then Delete Browsing History in Internet Explorer.If you enable this policy se
sers are prevented from seeing and changing advanced Internet settings such as security multimedia and printing.If you disable this policy
y users are prevented from seeing and changing connection and proxy settings.If you disable this policy or do not configure it users can see
plete Wallet and Profile Assistant settings.If you disable this policy or do not configure it users can see and change these settings.
rs are unable to see and change settings for the home page the cache history Web page appearance and accessibility.If you disable this po
s are prevented from seeing and changing default settings for privacy.If you disable this policy or do not configure it users can see and cha
sers are prevented from seeing and changing default settings for Internet programs.If you disable this policy or do not configure it users ca
revents users from seeing and changing settings for security zones such as scripting downloads and user authentication.If you disable this
certificate errors that interrupt browsing (such as "expired" "revoked" or "name mismatch" errors) in Internet Explorer.If you enable this p
ernationalized domain name (IDN) format (Punycode) before sending them to Domain Name System (DNS) servers or to proxy servers.If yo
mat (UTF-8) for mailto links.If you enable this policy setting Internet Explorer encodes mailto links in UTF-8.If you disable or do not configur
ntent on a CD to run.If you enable this policy setting active content on a CD will run without a prompt.If you disable this policy setting acti
s (non-Internet Explorer components) that are registered with Internet Explorer (such as Macromedia and Java) that are required in order
onents (such as fonts) that can installed by Internet Explorer Active Setup. For example if you open a Web page that requires Japanese-tex
s help optimize the latency of network requests through compression multiplexing and prioritization.If you enable this policy setting Intern
with HTTP requests to optimize the latency of network requests through compression multiplexing and prioritization.If you enable this po
be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with t
wser helper objects such as toolbars. Browser helper objects may contain flaws such as buffer overruns which impact Internet Explorer's p
u enable this policy setting Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests. The DNT:1 header signals to the ser
When Internet Explorer is set to do this the checks occur approximately every 30 days and users are prompted to install new versions as t
certificates. Certificates are revoked when they have been compromised or are no longer valid and this option protects users from submitti
ntifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading exec
ode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website attempt
Explorer Settings allows the user to reset all settings changed since installation delete browsing history and disable add-ons that are not p
secure (HTTPS) information such as passwords and credit card numbers to the Internet Explorer cache which may be insecure.If you enabl
Internet Files folder after all browser windows are closed. This protects against storing dangerous files on the computer or storing sensitiv
Web content. Generally only animated GIF files are affected by this setting; active Web content such as java applets are not.If you enable t
Generally only sound files such as MIDI files are affected by this setting; active Web content such as java applets are not.If you enable this
t. Generally only embedded video files are affected by this setting; active Web content such as java applets are not.If you enable this polic
that enhances the readability of text on LCD displays.If you enable this policy setting applications that host MSHTML do not render text by
e Sockets Layer (SSL) 2.0 or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and t
ackground speeding up performance such that when the user clicks a hyperlink the background page seamlessly switches into view.If you
on.If you enable this policy setting Profile Assistant information will not be provided and users will not be prompted to provide information
) to encode query strings in URLs before sending them to servers or to proxy servers.If you enable this policy setting you must specify whe
pre-loaded page of a website.Microsoft collects your browsing history to improve how flip ahead with page prediction works. This feature
32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.Important: Some Ac
webpage by using the keyboard to move the cursor. Caret Browsing supports standard text-editor functionality such as using the Shift key
sses on 64-bit versions of Windows. For computers running at least Windows 8 Enhanced Protected Mode also limits the locations Interne
etting Internet Explorer uses HTTP 1.1.If you disable this policy setting Internet Explorer does not use HTTP 1.1.If you do not configure this
ns.If you enable this policy setting Internet Explorer uses HTTP 1.1 through proxy connections.If you disable this policy setting Internet Exp
.If you enable this policy setting Internet Explorer displays the Content Advisor setting on the Content tab of the Internet Options dialog bo
efault Internet Explorer displays the home page. In Internet Explorer 10 Internet Explorer can start a new browsing session with the tabs fr
nable this policy setting websites will be able to store application caches on client computers. Allow website database and caches on Webs
enable this policy setting websites will be able to store an indexed database on client computers. Allow website database and caches on W
ed their storage limit. The â€œSet default storage limits for websitesâ€ policy setting sets the data storage limits for application caches. I
e application cache is used before the expiration time limit it will not be automatically removed. When you set this policy setting you prov
tes. When you set this policy setting you provide the cache limit in MB.If you enable this policy setting Internet Explorer displays a notificati
eed their storage limit. The â€œSet default storage limits for websitesâ€ policy setting sets the data storage limits for indexed databases
nifest file is used to create the application cache. If any file in the manifest exceeds the allowed size Internet Explorer sends an error to th
ociated with an application cache. If the manifest associated with an application cache exceeds the number of resources allowed including
s policy setting you provide the storage limit in MB. When the limit is reached Internet Explorer notifies the user and the user must delete
his policy setting you provide the storage limit in MB. When the limit is reached Internet Explorer notifies the user and the user must dele
ecurity level for example Low Medium Low Medium or High.If you enable this template policy setting and select a security level all values f
orced into the local Intranet security zone.If you enable this policy setting local sites which are not explicitly mapped into a zone are consid
ne.If you enable this policy setting all network paths are mapped into the Intranet Zone.If you disable this policy setting network paths are
security zone.If you enable this policy setting sites which bypass the proxy server are mapped into the Intranet Zone.If you disable this pol
one. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security zones
domain.If you enable this policy setting automatic detection of the intranet is turned on and intranet mapping rules are applied automatic
y setting is turned on the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different websit
intranet mapping rules have not been configured. The Notification bar allows the user to enable intranet mappings if they require them.If
one using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting users can load a page in the z
Intranet Zone can run active content such as script ActiveX Java and Binary Behaviors. The list of restricted protocols may be set in the Int
policy setting script code on pages in the zone can run automatically. If you select Prompt in the drop-down box users are queried to choo
e specific functionality for HTML elements to which they were attached.If you enable this policy setting binary and script behaviors are ava
ut copy and paste) in a specified region.If you enable this policy setting a script can perform a clipboard operation.If you select Prompt in th
within the zone.If you enable this policy setting users can drag files or copy and paste files from this zone automatically. If you select Prom
s determined by the zone of the page with the link causing the download not the zone from which the file is delivered.If you enable this po
le this policy setting HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the drop-dow
e settings for this option are: If you enable this policy setting users can install desktop items from this zone automatically.If you select Prom
wser-hosted ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of the Wind
es. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage
tation of paginated content and are portable across platforms devices and applications.If you enable this policy setting and set the drop-d
if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this policy settin
es other than the website that installed the ActiveX control.If you enable this policy setting the user is prompted before ActiveX controls ca
you enable this policy setting the TDC ActiveX control will not run from websites in this zone.If you disable this policy setting the TDC Acti
Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search results wi
tom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch queries usin
u enable this policy setting script access to the WebBrowser control is allowed.If you disable this policy setting script access to the WebBro
include the title and status bars.If you enable this policy setting Windows Restrictions security will not apply in this zone. The security zone
g the user can run scriptlets.If you disable this policy setting the user cannot run scriptlets.If you do not configure this policy setting the use
.If you enable this policy setting script is allowed to update the status bar.If you disable or do not configure this policy setting script is not a
nternet Explorer.If you selected Enable in the drop-down box VBScript can run without user intervention.If you selected Prompt in the dro
. Video and animation playback through the object tag may still be allowed because this involves external controls or media players.The d
bar or Address bar.If you enable this policy setting websites can open new Internet Explorer windows that have no status bar or Address b
cy setting scripted windows are displayed.If you disable this policy setting the user must choose to display any scripted windows by using
f you enable this policy setting users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If you disa
dless of this setting users will receive file download dialogs for user-initiated downloads.If you enable this setting users will receive a file do
users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy setting
cate or only one certificate exists.If you enable this policy setting Internet Explorer does not prompt users with a "Client Authentication" m
ols to check if they're safe to load on pages.If you enable this policy setting Internet Explorer won't check with your antimalware program t
in the zone.If you enable this policy users can download signed controls without user intervention. If you select Prompt in the drop-down
zone. Such code is potentially harmful especially when coming from an untrusted zone.If you enable this policy setting users can run unsig
hen the source and destination are in different windows.If you enable this policy setting and click Enable users can drag content from one
hen the source and destination are in the same window.If you enable this policy setting and click Enable users can drag content from one d
on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this policy settin
a an HTML form. If the local path information is sent some information may be unintentionally revealed to the server. For instance files se
g ActiveX controls are run loaded with parameters and scripted without setting object safety for untrusted data or scripts. This setting is n
an choose options from the drop-down box. Custom to control permissions settings individually.Low Safety enables applets to perform all
m an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting users can run applications and download file
choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the Commo
oss different domains.If you enable this policy setting users can open windows and frames from othe domains and access applications from
this policy setting you can control whether or not Internet Explorer renders legacy filters by selecting Enable or Disable under Options in G
uthenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and man
nticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and manage
he specified zone.If you enable this policy setting controls and plug-ins can run without user intervention.If you selected Prompt in the dro
with a script.If you enable this policy setting script interaction can occur automatically without user intervention.If you select Prompt in th
ble this policy setting scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box users a
ser tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer for example).If you ena
can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail software
tted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submission.If yo
ser is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows. It uses
r encounters a new control that has not previously run in Internet Explorer he or she may be prompted to approve the control. This policy
ipt injections into websites in this zone.If you enable this policy setting the XSS Filter is turned on for sites in this zone and the XSS Filter att
rom exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you enable t
enable this policy setting SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting SmartScreen F
t are opened when the end user clicks a link are not blocked.If you enable this policy setting most unwanted pop-up windows are prevente
es in an XML store or directly within a Web page saved to disk. When a user returns to a persisted page the state of the page can be restor
tes can navigate into this zone.If you enable this policy setting Web sites from less privileged zones can open new windows in or navigate
.If you enable this policy setting script is allowed to update the status bar.If you disable or do not configure this policy setting script is allow
s can navigate into this zone.If you enable this policy setting Web sites from less privileged zones can open new windows in or navigate int
oss different domains.If you enable this policy setting users can open additional windows and frames from other domains and access appl
Trusted Sites Zone can run active content such as script ActiveX Java and Binary Behaviors. The list of restricted protocols may be set in th
oss different domains.If you enable this policy setting users can open additional windows and frames from other domains and access appl
this policy setting Internet Explorer opens tiles only on the desktop.If you disable this policy setting Internet Explorer does not open tiles o
cide always in Internet Explorer or always in Internet Explorer on the desktop.If you enable this policy setting Internet Explorer enforces yo
nable this policy setting Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar if it is available.If you dis
ns Microsoft Edge.If you enable this policy setting the button to open Microsoft Edge from Internet Explorer will be hidden.If you disable th
n be used to invoke the default phone application on the system.If you enable this policy setting phone number detection is turned off. Us
t require additional software.If you enable this policy setting Internet Explorer plays these files if the appropriate software is installed.If yo
licy setting you must specify which of the following actions applies to searches on the Address bar. The user cannot change the specified a
rch is enabled on the Address bar. The possible options are: â€¢ Disable top result search: When a user performs a search in the Address
ress bar based on common URLs. The list of common URLs is stored locally and is updated once a month. No user data is sent over the inte
net Explorer Address bar.Windows Search AutoComplete suggests possible matches when a user is entering a web address in the browser
trength. When the user logs on to a secure page the page cannot grant access unless the Internet browser connects with a prespecified en
er and Internet Tools.If you enable this policy setting the user cannot change the URL that is displayed for checking updates to Internet Ex
.If you enable this policy setting the user cannot specify the update check interval. You must specify the update check interval.If you disab
ld sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this value lowe
hold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this value low
aded by default during an InPrivate Browsing session.Toolbars and BHOs may store data about a user's browsing session. By default the co
de.The data consists of the URLs of third-party content along with data about the first-party websites that referenced it. It is collected dur
et Explorer from storing data about a user's browsing session. This includes cookies temporary Internet files history and other data.If you e
hird parties can automatically collect information about their browsing based on the sites that they visit. InPrivate Filtering does this by ide
er third parties can automatically collect information about their browsing based on the sites that they visit. Tracking Protection does this b
xplorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.We recommend that you do not allow insecure
a password. The reveal password button is displayed during password entry. When the user clicks the button the current password value
ndows Server 2008 Windows Vista with SP1 and Windows XP with SP3.If you enable this policy setting Internet Explorer does not turn on D
encapsulate images and .css files within the body of the URL and optionally encode them by using base 64 encoding. Malware filters or oth
-ons in this case are controls like ActiveX Controls Toolbars and Browser Helper Objects (BHOs) which are specifically written to extend or
(as reflected by Add-on Manager) or policy settings. By default any process other than the Internet Explorer processes or those listed in t
icy setting are denied. Add-ons in this case are controls like ActiveX Controls Toolbars and Browser Helper Objects (BHOs) which are speci
eferences (as entered into Add-on Manager) or policy settings. By default only Internet Explorer processes use the add-on management u
c outdated ActiveX controls in Internet Explorer.If you enable this policy setting users won't see the "Run this time" button on the warning
ed ActiveX controls are never blocked in the Intranet Zone.If you enable this policy setting Internet Explorer stops blocking outdated Active
dated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.If you enable this policy setting you can enter a c
nable this policy setting Internet Explorer logs ActiveX control information (including the source URI that loaded the control and whether i
y setting the user can run natively implemented scriptable XMLHTTP.If you disable this policy setting the user cannot run natively impleme
ost to a limit of your choice (from 2 through 128).If you enable this policy setting Internet Explorer uses the connection limit of your choice
ost to a limit of your choice (from 2 through 128).If you disable or do not configure this policy setting Internet Explorer will use the default
limit is 6; you can select a value from 2 through 128.If you enable this policy setting Internet Explorer uses the WebSocket connection limi
embedded in the page.If you enable this policy setting documents cannot request data across third-party domains embedded in the page.I
bSocket protocol. This policy setting allows administrators to enable or disable the WebSocket object. This policy setting does not prevent
omainRequest object. Note that this policy setting does not block client-side communication across domains through other features in Int
of admin-approved behaviors. This list may be configured here and applies to all processes which have opted in to the behavior and to all z
or the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setting is pr
binaries signed with MD2 and MD4 signing technologies. Internet Explorer 9 does not support MD2 and MD4 signing technologies by defa
or the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setting is pr
or the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setting is p
dures for files received through a Web server.This policy setting determines whether Internet Explorer requires that all file-type informati
on of the Web page (Internet Intranet Local Machine zone etc.). Web pages on the local computer have the fewest security restrictions an
on of the Web page (Internet Intranet Local Machine zone etc.). Web pages on the local computer have the fewest security restrictions an
on of the Web page (Internet Intranet Local Machine zone and so on). Web pages on the local computer have the fewest security restrictio
ne type to a more dangerous file type.If you enable this policy setting the Mime Sniffing Safety Feature is enabled for all processes.If you d
ne type to a more dangerous file type.If you enable this policy setting MIME sniffing will never promote a file of one type to a more dange
ne type to a more dangerous file type.This policy setting allows administrators to define applications for which they want this security fea
col. Resources hosted on the MK protocol will fail.If you enable this policy setting the MK Protocol is disabled for all processes. Any use of
col. Resources hosted on the MK protocol will fail.If you enable this policy setting the MK Protocol is prevented for File Explorer and Intern
col. Resources hosted on the MK protocol will fail.This policy setting allows administrators to define applications for which they want this s
running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is prevented o
d protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protoco
running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is prevented o
tent obtained through restricted protocols from running in an unsafe manner either by prompting the user or simply disabling the conten
the Internet Explorer processes when file or code installs are restricted. By default the Notification bar is not displayed for any process wh
cesses when file or code installs are restricted. By default the Notification bar is displayed for Internet Explorer processes.If you enable thi
en file or code installs are restricted. By default the Notification bar is not displayed for any process when file or code installs are restricte
e same domain or to a new domain.If you enable this policy setting object reference is no longer accessible when navigating within or acro
e same domain or to a new domain.If you enable this policy setting an object reference is no longer accessible when navigating within or a
e same domain or to a new domain.This policy setting allows administrators to define applications for which they want this security featur
ocation of the Web page (Internet Intranet Local Machine zone and so on). For example Web pages on the local computer have the fewest
ocation of the Web page (Internet Intranet Local Machine zone etc.). Web pages on the local computer have the fewest security restriction
ocation of the Web page (Internet Intranet Local Machine zone and so on). Web pages on the local computer have the fewest security rest
ActiveX control installation.If you enable this policy setting the Web Browser Control will block automatic prompting of ActiveX control inst
f you enable this policy setting prompting for ActiveX control installations will be blocked for Internet Explorer processes.If you disable this
ActiveX control installation.If you enable this policy setting and enter a Value of 1 automatic prompting of ActiveX control installation is blo
file downloads that are not user initiated.If you enable this policy setting the Web Browser Control will block automatic prompting of file d
olicy setting file download prompts that are not user initiated will be blocked for Internet Explorer processes.If you disable this policy setti
file downloads that are not user initiated.If you enable this policy setting and enter a Value of 1 automatic prompting of non-initiated file d
The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and stat
bels show selective text or show only icons.If you enable this policy setting command buttons are displayed according to which one of the
displayed on a separate row.If you disable this policy setting tabs are not displayed on a separate row.If you do not configure this policy se
and bar is hidden and the user cannot choose to show it.If you disable this policy setting the Command bar is shown and the user cannot c
s hidden and the user cannot choose to show it.If you disable this policy setting the status bar is shown and the user cannot choose to hide
etting the toolbars are locked and the user cannot move them.If you disable this policy setting the toolbars are unlocked and the user can m
you enable this policy setting the Stop and Refresh buttons are next to the Forward and Back buttons and the user cannot move them.If y
f you enable this policy setting the user cannot access Developer Tools.If you disable or do not configure this policy setting the user can ac
ether incompatible toolbars or Browser Helper Objects are installed when Internet Explorer starts. If the tool detects an incompatible tool
g icons for command buttons are 20 x 20 pixels and cannot be made smaller (16 x 16 pixels).If you disable this policy setting icons for com
e this policy setting Internet Information Services (IIS) cannot be installed and you will not be able to install Windows components or appli
he location feature is turned off and all programs on this computer are prevented from using location information from the location featu
s for the location feature will not run. If you disable or do not configure this policy setting all location scripts will run.
e sensor feature is turned off and all programs on this computer cannot use the sensor feature. If you disable or do not configure this
e this policy setting the Windows Location Provider feature will be turned off and all programs on this computer will not be able to use the
ntenance activation boundary is the daily schduled time at which Automatic Maintenance starts If you enable this policy setting this w
maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary.
ance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note
tic download and update of map data is turned off.If you disable this setting the automatic download and update of map data is turned on
Settings > System > Offline Maps.If you enable this policy setting features that generate network traffic on the Offline Maps settings page a
M is enabled it allows the user to have the computer remotely managed by a MDM Server. If you do not configure this policy setting MDM
ment (MDM) service configured in Azure Active Directory (Azure AD). If the enrollment is successful the device will remotely managed by
rvices. If this setting is enabled all applications and services on the device are prevented from using Microsoft accounts for authentication
ntivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. If you enable this setting t
ow for faster service startup but may impact performance. If you enable or do not configure this setting the antimalware service will load
ow when potentially unwanted software is being downloaded or attempts to install itself on your computer. Enabled: Specify the m
ged with Group Policy settings. This setting applies to lists such as threats and Exclusions. If you enable or do not configure this setting un
g with the specified IP addresses. The address value should be entered as a valid URL. If you enable this setting the proxy server will be b
nect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config spec
o connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified th
o. The value of this setting should be a valid directory path. If you enable this setting the support log files will be copied to the specified s
cheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example it could be
ender Antivirus does not run and will not scan computers for malware or other potentially unwanted software. If you disable this policy
on on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action use
ed to perform an action. The text displayed is a custom administrator-defined string. For example the phone number to call the company
ble this setting AM UI won't be available to users.
. If you disable or do not configure this setting Microsoft Defender Antivirus notifications will display on clients. If you enable this setti
be in lockdown mode). If you enable this setting AM UI won't show reboot notifications.
real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair where th
et of IP addresses.
d or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a nam
sses. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process use the Path exclusion.
. Disabled (Default): Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance. Enabled
only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If you disable or d
ore allowing certain content to be run or accessed. If this feature is disabled the check will not occur which will lower the protection state
ou choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. You can
Possible options are: (0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send (0x3) Send all samp
ule to the following in the Options section: - Block: the rule will be applied - Audit Mode: if the rule would normally cause an event the
and resources that should be excluded from ASR rules in the Options section. Enter each rule on a new line as a name-value pair: - Na
ications are allowed to modify or delete files in controlled folder access folders. Microsoft Defender Antivirus automatically determines w
allow attempts by untrusted apps to: - Modify or delete files in protected folders such as the Documents folder - Write to disk sect
folders cannot be modified or deleted by untrusted applications. Default system folders are automatically protected. You can configure
g any application to access dangerous domains that may host phishing scams exploit-hosting sites and other malicious content on the Inter
to block or audit mode on Windows Server. Enabled: If Enabled administrators can control whether Network Protection is allowed to b
it in the cloud to make sure it's safe. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feature spe
oft Defender will compute hash value for files it scans. Disabled: File hash value is not computed Not configured: Same
ning suspicious files. If this setting is on Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to block a
GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair where the name should be a strin
to block or audit mode on Windows Server. Enabled: If Enabled administrators can control whether Network Protection is allowed to b
nown vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a
nown vulnerabilities. If you enable or do not configure this setting protocol recognition will be enabled. If you disable this setting proto
ept in the Quarantine folder before being removed. This setting can only be set by Group Policy. If you enable this setting the local prefe
emoved. If you enable this setting items will be removed from the Quarantine folder after the number of days specified. If you disable
ty on your computer. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority
g file activity. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Gro
attachments. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Gro
tting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If you disa
n off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for performa
e scanned. If you enable this setting downloaded files and attachments smaller than the size specified will be scanned. If you disable or
t configure this setting monitoring for file and program activity will be enabled. If you disable this setting monitoring for file and program
e or do not configure this setting scanning for all downloaded files and attachments will be enabled. If you disable this setting scanning f
der Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. If you enab
tting behavior monitoring will be enabled. If you disable this setting behavior monitoring will be disabled.
lps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this setting a process s
u enable or do not configure this setting raw write notifications will be enabled. If you disable this setting raw write notifications be disab
ript scanning will be enabled. If you disable this setting script scanning will be disabled.
o complete remediation. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take prio
der to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configured with
o complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example 120 (0x78) is equiva
moves to either the â€œadditional actionâ€ state or the â€œclearedâ€ state.
es to the "cleared" state.
"cleared" state.
to the "cleared" state.
t configure this setting Watson events will be sent. If you disable this setting Watson events will not be sent.
Tracing). Tracing levels are defined as: 1 - Error 2 - Warning 3 - Info 4 - Debug
play on clients. If you disable or do not configure this setting Microsoft Defender Antivirus enhanced notifications will display on clien
able or do not configure this setting a new context menu will be added to the task tray icon to allow the user to pause a scan. If you disa
ill occur before running a scan. This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate" but it has n
on during scan. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over G
nly be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If you disable or do
g can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If you disab
ed scan. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group P
le this setting low CPU priority will be used during scheduled scans. If you disable or do not configure this setting not changes will be m
aning. If you enable this setting a system restore point will be created. If you disable or do not configure this setting a system restore p
fter which a catch-up scan will be forced. By default the value of this setting is 2 consecutive scheduled scans. If you enable this setting a
pped network drives will be scanned. If you disable or do not configure this setting mapped network drives will not be scanned.
les such as .ZIP or .CAB files. If you enable or do not configure this setting archive files will be scanned. If you disable this setting archiv
able this setting. If you enable this setting network files will be scanned. If you disable or do not configure this setting network files wil
pe of scanning remain enabled. If you enable or do not configure this setting packed executables will be scanned. If you disable this setti
ware in the contents of removable drives such as USB flash drives when running a full scan. If you enable this setting removable drives wi
n can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values:
esented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero interval qu
as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. If you enable this setting archive files will be scanned
n. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no throttli
e scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning. If you
: 1 = Quick Scan (default) 2 = Full Scan If you enable this setting the scan type will be set to the specified value. If you disable or do
ue is represented as the number of minutes past midnight (00:00). For example 120 (0x78) is equivalent to 02:00 AM. By default this setti
ue is represented as the number of minutes past midnight (00:00). For example 120 (0x78) is equivalent to 02:00 AM. By default this setti
n use. If you enable or do not configure this setting scheduled scans will only run when the computer is on but not in use. If you disable
that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was tur
an that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was t
parse the mailbox and mail files according to their specific format in order to analyze the mail bodies and attachments. Several e-mail for
reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn
permanently removed. The value represents the number of days to keep items in the folder. If set to zero items will be kept forever and w
d there is a possible risk of recursion. However the engine supports following reparse points to a maximum depth so at worst scanning cou
dual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security int
o Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has sec
ven if the Automatic Updates default server is configured to another download source such as Windows Update. If you enable this settin
attery power. If you enable or do not configure this setting security intelligence updates will occur as usual regardless of power state. If
d: Allow managed devices to update through metered connections. Data charges may apply.
ill occur immediately after service startup. If you enable this setting a check for new security intelligence will occur after service startup.
ates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating t
you disable or do not configure this setting security intelligence will be referred from the default local source.
ate will be required. By default the value of this setting is 1 day. If you enable this setting a catch-up security intelligence update will occu
nce is considered out of date. If security intelligence is determined to be out of date this state may trigger several additional actions includ
is considered out of date. If security intelligence is determined to be out of date this state may trigger several additional actions including
ould be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sour
lware engine present. If you enable or do not configure this setting security intelligence updates will be initiated on startup when there i
ates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal nu
time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). If
The time value is represented as the number of minutes past midnight (00:00). For example 120 (0x78) is equivalent to 02:00 AM. By defa
ate has occurred. If you enable or do not configure this setting a scan will start following a security intelligence update. If you disable th
t alert level.Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. The nam
ected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name
can be applied to all endpoints that have this GP setting configured.There are some prerequisites before you can enable this setting:- Man
a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.If you en
gs between usersâ€™ computers. With Sync Method set to â€SyncProviderâ€ the UE-V Agent uses a built-in sync provider to keep user
nable this policy setting the Company Settings Center displays the specified text in the link to the Contact IT URL.If you disable this policy s
s policy setting the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such as htt
r Windows apps.By default the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage locati
needed for enable to take effect. With Auto-register inbox templates enabled the UE-V inbox templates such as Office 2016 will be automa
ation (UE-V) Agent runs for the first time.By default a notification informs users that Company Settings Center the user-facing name for th
he settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize the setti
settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file size. If yo
nable this policy setting the user settings are stored in the specified location. If you disable or do not configure this policy setting the user s
used to replace the default Microsoft templates installed with the UE-V Agent.If you enable this policy setting the UE-V Agent checks the
ver metered connections.By default the UE-V Agent does not synchronize settings over a metered connection.With this setting enabled the
ver metered connections outside of the home provider network for example when connected via a roaming connection.By default the UE-
ent for Windows apps that are not explicitly listed in Windows App List.By default the UE-V Agent only synchronizes settings of those Win
ttings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. If you enable this policy
ws settings will synchronize between computers by default. These settings include Windows themes Windows desktop settings Ease of Acc
the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application Company Settings Center
ndows 10 or earlier.
tion for computers running in a non-persistent pooled VDI environment. UE-V settings rollback data and checkpoints are normally stored o
s 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of
s 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of
of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization betwe
Office Suite 2013 applications.Microsoft Office Suite 2013 has user settings which are common between applications and are backed up i
Office Suite 2016 applications.Microsoft Office Suite 2016 has user settings which are common between applications and are backed up i
013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of spe
Path 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
r settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer
r settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer
r settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 8
r settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Explorer 9
of Internet Explorer.By default the user settings which are common between the versions of Internet Explorer synchronize between comp
13 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of spec
16 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of spec
user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Ac
ser settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Excel
e user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft
e user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft
er settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Lync 20
ft Office Suite 2010 applications.By default the user settings which are common between the Microsoft Office Suite 2010 applications sync
By default the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to prevent the
By default the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to prevent the
rosoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disab
ft Office Suite 2013 applications.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabili
ft Office Suite 2016 applications.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabili
soft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disable
icrosoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are dis
Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are dis
crosoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disa
crosoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disa
.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are
ner 2013.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office
osoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabl
osoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are disabl
t the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user settings of On
t the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user settings of On
e user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microso
e user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft
the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user settings of Mi
user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft P
he user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microso
y default the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to prevent the u
y default the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to prevent the u
0.By default the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to prevent
er settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Visio 2
ser settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft Wor
f Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization between c
eNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
eNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
ook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup
ook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup
PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the
PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the
ct 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup o
ct 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup o
blisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the back
blisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the back
crosoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting
2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of sp
2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of sp
f WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization betwee
ttings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing between com
ttings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between compu
ngs of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between computers
ttings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between compute
ngs of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between computers
ttings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between comp
ttings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between comput
ttings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between compute
ttings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between computer
ettings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing between c
controlling their computers remotely.
cking for updates etc.) until the user signs in to OneDrive or starts syncing files to the local computer.If you enable this setting users must
s policy setting:* Users canâ€™t access OneDrive from the OneDrive app and file picker.* Windows Store apps canâ€™t access OneDrive u
.If you enable this policy setting:* Users canâ€™t access OneDrive from the OneDrive app and file picker.* Windows Store apps canâ€™t a
s from saving files on OneDrive. If you disable this policy setting files will be saved locally by default. Users will still be able to change the v
ault the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links.If you enabl
y be presented with a screen or series of screens that prompts the user to choose privacy settings for their account. Enable this policy to p
kspace.If you enable this setting Windows when started from a Windows To Go workspace can hibernate the PC.If you disable or don't co
pace.If you enable this setting Windows when started from a Windows To Go workspace can't use standby states to make the PC sleep.If y
ws To Go workspace is connected and controls whether users can make changes using the Windows To Go Startup Options Control Panel i
ntation settings cannot be invoked.If you disable this policy setting Windows presentation settings can be invoked. The presentation setting
g on other devices or the web.
ver will offer Remote Desktop Services client access licenses (RDS CALs).You can use this policy setting to control which RD Session Host se
S CAL) a Remote Desktop Services license server will issue to clients connecting to RD Session Host servers running other Windows-based
es and .rdp files from unknown publishers on the client computer.If you enable or do not configure this policy setting users can run unsign
publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client such as
st server when the client cannot authenticate the RD Session Host server.If you enable this policy setting you must specify one of the follow
ported hardware is available. If you use this setting the Remote Desktop Client will use only software decoding. For example if you have a p
e this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passw
als for a remote connection to an RD Session Host server.If you enable this policy setting a user will be prompted on the client computer in
t represent trusted Remote Desktop Protocol (.rdp) file publishers.If you enable this policy setting any certificate with an SHA1 thumbprin
otocol. If you enable this policy setting Remote Desktop Protocol traffic will only use the TCP protocol.If you disable or do not configure th
s computer. Redirected RemoteFX USB devices will not be available for local usage on this computer.If you enable this policy setting you c
er if a virtual IP address is not available.If you enable this policy setting the IP address of the RD Session Host server is not used if a virtual
d for virtual IP addresses. The IP address and network mask should be entered in Classless Inter-Domain Routing notation; for example 192
nstalled applications. Windows Installer allows one instance of the msiexec process to run at a time. By default Windows Installer RDS Com
ktop IP Virtualization is turned off.If you enable this policy setting Remote Desktop IP Virtualization is turned on. You can select the mode i
st server when they start a Remote Desktop Services session or whether they can only start programs that are listed in the RemoteApp pro
f you enable this policy setting users who are members of the Remote Desktop Users group on the target computer can connect remotely
n RD Session Host server if their network link is temporarily lost. By default a maximum of twenty reconnection attempts are made at five
on Host server is consistent with the client state.After an RD Session Host server client loses the connection to an RD Session Host server t
a server can log off an administrator currently logged on to the console.This policy is useful when the currently connected administrator d
ou can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceede
s policy setting users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconne
uality (bandwidth and latency).You can choose to disable Connect Time Detect Continuous Network Detect or both Connect Time Detect a
cess to this server.If you enable this policy setting you must specify if you would like RDP to use UDP.You can select one of the following o
based on the option selected. Select the desired level of control and permission from the options list:1. No remote control allowed: Disallo
t screen to the user. By default when a new user signs in to a computer the Start screen is shown and apps are registered in the backgroun
ons on the same RD Session Host server based on the number of sessions and the demand for processor time within each session. If you en
output in a Remote Desktop Services session.Users can specify where to play the remote computer's audio output by configuring the rem
te Desktop Services session.Users can specify whether to record audio to the remote computer by configuring the remote audio settings o
Desktop Services session.If you enable this policy setting clients that are capable of time zone redirection send their time zone information
etween a remote computer and a client computer during a Remote Desktop Services session.You can use this setting to prevent users from
e computer in a Remote Desktop Services session.You can use this setting to prevent users from redirecting data to COM port peripherals
ession (drive redirection).By default an RD Session Host server maps client drives automatically upon connection. Mapped drives appear i
Desktop Services session.You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote com
session.If you enable this policy setting Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services se
uch as Windows Portable Devices to the remote computer in a Remote Desktop Services session. By default Remote Desktop Services does
mote Desktop Services session. By default Remote Desktop Services allows redirection of video capture devices.If you enable this policy se
iting the quality of audio playback can improve connection performance particularly over slow links.If you enable this policy setting you m
e are problems with RD Licensing that affect the RD Session Host server.By default notifications are displayed on an RD Session Host server
CAL) that is required to connect to this RD Session Host server. You can use this policy setting to select one of two licensing modes: Pe
mote Desktop license servers.If you enable this policy setting an RD Session Host server first attempts to locate the specified license server
op Services sessions.You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer atta
t printer in a session on an RD Session Host server.By default Remote Desktop Services automatically designates the client default printer
emote Desktop Services sessions.If you enable this policy setting only the default client printer is redirected in Remote Desktop Services se
ult the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that matches t
o install all client printers. If you enable or do not configure this policy setting the RD Session Host server first tries to use the Remote Desk
is policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed.Note: If you want to limit t
ser profiles.By default Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy settin
root of the user's home directory for a Remote Desktop Services session.To use this setting select the location for the home directory (net
users connecting remotely to the RD Session Host server.If you enable this policy setting Remote Desktop Services uses the path specified
Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. Therefore you mus
ses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Remote D
ction Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Sess
n existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host serv
balance the load between servers in an RD Session Host server farm. If you enable this policy setting RD Connection Broker redirects user
ns. This policy setting does not apply to RemoteApp sessions.Desktop composition provides the user interface elements of Windows Aero
computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote comput
e.By default servers use an RDP compression algorithm that is based on the server's hardware configuration.If you enable this policy settin
. When you enable hardware encoding if an error occurs we will attempt to use software encoding. If you disable or do not configure this
er by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality th
sion Host or Remote Desktop Virtualization Host servers. By default the system will choose the best experience based on available nework
moothing provides ClearType functionality for a remote connection. ClearType is a technology for displaying computer fonts so that they ap
esktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2
s.You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default Windows XP Professio
rvices connections.You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color dept
used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection perfo
top Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection performance
ou use this setting on the RDP server the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the client and s
in Remote Desktop Services sessions.You can use this policy setting to prevent users from using this familiar method to disconnect their cl
s. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently.If the status is set
e this setting to specify a program to run automatically when a user logs on to a remote computer.By default Remote Desktop Services ses
or transparency live thumbnails and seamless application moves. This policy setting applies only to RemoteApp programs and does not ap
Services sessions.If you enable this policy setting all Remote Desktop Services sessions use the hardware graphics renderer instead of the M
nable or do not configure this policy setting Remote Desktop Connections will use WDDM graphics display driver.If you disable this policy s
on Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server.When deployed on an RD Virtualizatio
Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience.By default Remote Desk
p Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of gra
on connection.You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services even if they already
or the Remote Desktop Session Host server. You can use this setting to prevent administrators from making changes to the user groups all
ts or allows unsecured communication.You can use this setting to strengthen the security of RPC communication with clients by allowing o
s between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections.If you enable this policy setting all com
he RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authenticati
ate is automatically selected to authenticate an RD Session Host server.A certificate is needed to authenticate an RD Session Host server w
t computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using
of disconnecting it.You can use this setting to direct Remote Desktop Services to end a session (that is the user is logged off and the session
ces session can be idle (without user input) before it is automatically disconnected.If you enable this policy setting you must select the des
ion can be active before it is automatically disconnected.If you enable this policy setting you must select the desired time limit in the Activ
You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By defaul
state after closing all RemoteApp programs before the session is logged off from the RD Session Host server.By default if a user closes a R
s at logoff.You can use this setting to maintain a user's session-specific temporary folders on a remote computer even if the user logs off f
y folders.You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By d
o impact on the Windows RSS Platform.If you enable this policy setting the user cannot access the feed list in the Favorites Center.If you di
Web Slice is available for an associated webpage.If you enable this policy setting the user does not receive a notification on the toolbar that
the user's computer.If you enable this policy setting the user cannot set the Feed Sync Engine to download an enclosure through the Feed
policy setting the menu command to subscribe to a feed and the menu command to delete a feed are disabled and access to Web Slices i
able this policy setting the ability to synchronize feeds and Web Slices in the background is turned off.If you disable or do not configure th
over an unencrypted HTTP connection.If you enable this policy setting the Windows RSS Platform authenticates feeds to servers by using t
he value of this text should be:nameurlFor example:Intranethttp://intranetsearch.aspx?k=$w You must provide the following:1) A name f
cation defined in the Add Primary Intranet Search Location policy. The value of this text should be:name1url1;name2url2;...nameNurlNFo
is setting Cortana will be allowed on the device. If you disable this setting Cortana will be turned off. Â When Cortana is off users will still b
tem is locked.If you enable or donâ€™t configure this setting the user can interact with Cortana using speech while the system is locked.If
mpt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service components (in
ults.Â If this is enabled search and Cortana can access location information.
able this policy setting words that only differ in diacritics are treated as different words. If you disable this policy setting words with diacriti
on indexing history. If you enable this policy setting Windows will always use automatic language detection to index (as it did in Windows
ttachment previews.When this policy is disabled or not configured the default settings will be set to .bmp;.emf;.gif;.jpg;.jpeg;.png;.wmf;.w
verride these paths and include them in indexing.
ths and exclude them from indexing.
en system activity is high. If disabled backoff logic will be used to throttle back indexing activity when system activity is high. Default is disa
you enable this policy setting locations on removable drives cannot be added to libraries. In addition locations on removable drives canno
licy is disabled or not configured the Web option is available and users can search the Web via their default browser search engine.
web results are displayed in Search.If you enable this policy setting queries won't be performed on the web and web results won't be displa
ed connections and if the web results are displayed in Search.If you enable this policy setting queries won't be performed on the web over
This policy affects only delegate mailboxes that are online. Microsoft Outlook 2007 allows users to cache portions of delegate mailboxes l
s not running in cached mode. The default behavior for search is to not index uncached Exchange folders. Disabling this policy will block an
mail is indexed on a Microsoft Exchange server. The lower you set this policy the lower the burden will be on the corresponding Microsoft E
ptions in Control Panel. Any UNC locations that have already been added to the index by the user will not be removed.When this policy is
enu as well as any defined locations that were made by a user. When this policy is not configured the default behavior is to allow users to
is policy setting Windows Search is prevented from automatically adding shared folders to the index. Windows Search does not automatic
twork shares that are stored on this computer they will not search them using the index. If disabled client search requests will use this com
g. Otherwise it can be opened. Disabled by default.
ny path that starts with one of the paths you specified.If you enable and then disable this policy setting users can index any path not restr
service components (including non-Microsoft components) are expected not to index e-mail attachments. Consider enabling this policy if
bled by default.
Outlook items. If this policy is enabled then the user's Outlook items will not be added to the index and the user will not see them in searc
odify this list. You should separate each extension type with a semicolon.Note that limitations of Group Policy Object Editor require this lis
d or not configured the user has the option to index cached public folders in Outlook. Public folders are only indexed when using Outlook
s the default behavior. Default is disabled.
ntrol Panel.If you enable this policy setting the Advanced Options dialog for Search and Indexing Options in the Control Panel cannot be op
y are specified in the allow list. However This policy will not prevent iFilters or protocol handlers from being installed nor will it prevent the
an also turn off the preview pane. The four options are:- Auto- Right- Bottom- OffYou should consider enabling this policy to turn off the pr
Search results. The two options are:- Large Icon- Small Icon.If you have disabled the preview pane because your organization does not sup
you enable this policy setting you can specify one of three SafeSearch settings which users won't be able to change: -Strict: Filter out adu
olicy setting you can specify one of four settings which users won't be able to change: -User info and location: Share a user's search histo
ace is left on the same drive as the index location. Select between 0 and 2147483647 MB.Enable this policy if computers in your environm
Active Directory domain. When Security Center is turned on it monitors essential security settings and notifies the user when the compute
roceeding with the system shutdown.If you enable this policy setting the system waits for the hung logon sessions for the number of minu
hutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system.If you enable t
In versions of Windows prior to Windows Vista smart card certificates that are used for logon require an enhanced key usage (EKU) exten
rd can be used to log on to a domain.If you enable this policy setting ECC certificates on a smart card can be used to log on to a domain.If
User Interface (UI).In order to use the integrated unblock feature your smart card must support this feature. Please check with your hard
If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon scree
d.Under previous versions of Microsoft Windows certificates were required to contain a valid time and not be expired. The certificate mu
n that allows a user to enter his or her user name or user name and domain thereby associating a certificate with that user.If you enable th
setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root ce
this policy setting the specified message will be displayed to the user when the smart card is blocked. Note: The following policy setting m
renewal period a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to
logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in a single
evice driver is installed.If you enable or do not configure this policy setting a confirmation message will be displayed when a smart card dev
olicy setting Credential Manager does not return a plaintext PIN. If you disable or do not configure this policy setting plaintext PINs can be
it during logon. By default the user principal name (UPN) is displayed in addition to the common name to help users distinguish one
ed.If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card.If you disab
nserted.If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart card. N
ot configure this policy setting Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver w
- Not Configured (default -- Windows registration and reactivation is allowed) - Disabled (Windows registration and reacti
bling this setting prevents this computer from sending data to Microsoft regarding its activation state. If you disable or do not configure t
n be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file.If you enable this p
A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically updated t
ded. Apps will not be updated. Your Store will also be disabled.Â EnableÂ turns all of it back on. This setting applies only to Enterprise and
tting users will not be able to view the retail catalog in the Microsoft Store but they will be able to view apps in the private store.If you disa
utomatic download and installation of app updates is turned off.If you disable this setting the automatic download and installation of app
etting the automatic download of app updates is turned off.If you disable this setting the automatic download of app updates is turned on
Store application will not offer updates to the latest version of Windows.If you disable or do not configure this setting the Store applicatio
denied. Access to the Store is required for installing app updates.If you disable or don't configure this setting access to the Store applicatio
c your settings" page in PC Settings.If you enable this policy setting "sync your settings" will be turned off and none of the "sync your settin
ttings" group on the "sync your settings" page in PC settings.If you enable this policy setting the "app settings" group will not be synced.Use
nc" group on the "sync your settings" page in PC settings.If you enable this policy setting the "AppSync" group will not be synced.Use the o
roup on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites.If you enable
he "desktop personalization" group on the "sync your settings" page in PC settings.If you enable this policy setting the "desktop personaliz
nc your settings on metered connections" switch on the "sync your settings" page in PC Settings.If you enable this policy setting syncing on
he "Other Windows settings" group on the "sync your settings" page in PC settings.If you enable this policy setting the "Other Windows se
ds" group on the "sync your settings" page in PC settings.If you enable this policy setting the "passwords" group will not be synced.Use the
lize" group on the "sync your settings" page in PC settings.If you enable this policy setting the "personalize" group will not be synced.Use t
t layout" group on the "sync your settings" page in PC settings. If you enable this policy setting the "Start layout" group will not be sync
y the InkBall game will run.If you do not configure this policy the InkBall game will run.
not allow printing to it. It will remain displayed in the list of available printers but attempts to print to it will fail.If you disable this policy y
u disable this policy setting the Snipping Tool will run.If you do not configure this policy setting the Snipping Tool will run.
ou disable this policy the Windows Journal accessory will run.If you do not configure this policy the Windows Journal accessory will run.
en action feedback is disabled except for press and hold feedback. Additionally the mouse cursors are shown instead of the pen cursors.If
bscribe to this behavior.If you enable this policy a button assigned to Back will not map to ESC.If you disable this policy Back->ESC mapping
applications cannot be launched from a hardware button and "Launch an application" is removed from the drop down menu for configur
enable this policy press and hold actions are unavailable and the button configuration dialog will display the following text: "Some settings
ressed and the buttons tab in Tablet PC Control Panel will be removed.If you disable this policy user and OEM defined button actions will o
ws Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab when th
his behavior is available. This policy applies only when using a tablet pen as an input device.Tablet PC Input Panel is a Tablet PC accessory t
his behavior is available. This policy applies only when a user is using touch input.Tablet PC Input Panel is a Tablet PC accessory that enable
policy applies only to the use of the Microsoft recognizers for Chinese (Simplified) Chinese (Traditional) Japanese and Korean. This setting a
let PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard shortcuts.If yo
e this behavior is available.Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to
n Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default preventing users from switching to anot
aped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. The tolerant gestures let users scratch out ink
g mode is not. Pen flicks are off by default and can be turned on system-wide but cannot be restricted to learning mode applications. This
ures are unavailable. This includes: pen flicks themselves pen flicks training pen flicks training triggers in Internet Explorer the pen flicks no
f you disable or do not configure this policy setting users can open Tablet PC Pen Training.
sing their finger.If you enable this setting the user will not be able to produce input with touch. They will not be able to use touch input or
tible PC with a touch digitizer by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolli
t page of the Scheduled Task Wizard. This policy is only designed to simplify task creation for beginning users.The checkbox when checke
rties item from the File menu in Scheduled Tasks and from the context menu that appears when you right-click a task. As a result users ca
from the context menu that appears when you right-click a task. As a result users cannot start tasks manually or force tasks to end before
ed program for existing tasks.This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the properti
r.This setting disables the Cut Copy Paste and Paste Shortcut items on the context menu and the Edit menu in Scheduled Tasks. It also disa
ew Task Wizard. Also the system does not respond when users try to move paste or drag programs or documents into the Scheduled Task
and from the Edit menu in the Scheduled Tasks folder and from the menu that appears when you right-click a task. Also the system does n
king dictionaries) included with a language can be uninstalled from a userâ€™s machine when the language is uninstalled. The language c
ecognition and suggestion capabilities of apps and services running on Windows.
alendars publishing them and subscribing to other users calendars.If you enable this setting Windows Calendar will be turned off.If you dis
tting users cannot install new color profiles or uninstall previously installed color profiles.If you disable or do not configure this policy settin
oft Operations Manager server.If you disable this setting uploads are not redirected to a Microsoft Operations Manager server.If you do no
being conducted.If you enable this setting then Windows CEIP data uploaded will be tagged.If you do not configure this setting or disable
to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.If you enable this setting you must cho
warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial d
der SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By def
arnings about potentially malicious websites.If you enable this setting employees can't ignore Windows Defender SmartScreen warnings a
o Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products or additional data other than memo
dows Error Reporting is enabled.This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Reporting
he system event log.If you enable this policy setting Windows Error Reporting events are not recorded in the system event log.If you disab
rosoft or internal servers within your organization when software unexpectedly stops working or fails.If you enable this policy setting Wind
u enable this policy setting users are notified in a dialog box that an error has occurred and can display more details about the error. If the
omatically.If you enable this policy setting any additional data requests from Microsoft in response to a Windows Error Reporting report a
rt data even if a CAB file containing data about the same event types has already been uploaded to the server.If you enable this policy setti
ure this policy setting Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.If you dis
n battery power. By default when a computer is running on battery power WER only checks for solutions but does not upload additional r
at restricts the amount of data that is sent over the network.If you enable this policy setting WER does not check for network cost policy r
ot want to send error reports to Microsoft).If you enable this policy setting you can specify the name or IP address of an error report desti
tting you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all all data collected for each error
policy setting you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down
ror Reporting is enabled.If you enable this policy setting you can instruct Windows Error Reporting in the Default pull-down menu to repo
create a list of applications for which Windows Error Reporting never reports errors click Show under the Exclude errors for applications o
ws Error Reporting is turned on.If you enable this policy setting you can create a list of applications that are never included in error reports.
ows Error Reporting is turned on.If you enable this policy setting you can create a list of applications that are never included in error repor
s enabled.If you enable this policy setting Windows Error Reporting includes operating system errors.If you disable this policy setting opera
ng is enabled.If you enable this policy setting error reporting includes unplanned shutdown events.If you disable this policy setting unplan
policy setting you can set the default consent handling for error reports. The following list describes the Consent level settings that are ava
you enable this policy setting you can add specific event types to a list by clicking Show and typing event types in the Value Name column o
onsent settings.If you enable this policy setting the default consent levels of Windows Error Reporting always override any other consent p
s credentials for other users.If you enable this policy setting Windows allows all users of the computer to enumerate all Windows Hello for
to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors you should also con
olicy setting these signal rules will be evaluated to detect user absence and automatically lock the device.If you disable or do not configure
enabled applications.If you enable this policy setting Windows Hello for Business provisions Windows Hello for Business credentials that a
ed by it cannot be used on other devices.If you enable this policy setting Windows Hello for Business provisioning only occurs on devices w
rnative to the PIN gesture. However users must still configure a PIN to use in case of failures.If you enable or do not configure this policy s
emises authentication.If you enable this policy setting Windows Hello for Business enrolls a sign-in certificate that is used for on-premises a
ervice without losing any associated credentials or certificates including any keys associated with the user's personal accounts on the devi
or Azure Active Directory account that can replace passwords Smart Cards and Virtual Smart Cards.If you enable this policy the device prov
ficates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is des
ministrators.If you enable this policy setting some of the security features of Windows Installer are bypassed. It permits installations to co
s policy setting the Browse button in the "Use feature from" dialog box is enabled. As a result users can search for installation files even w
mitted to install patches even when the installation program is running with elevated system privileges. Patches are updates or upgrades t
ou enable this policy setting all users are permitted to install programs from removable media such as floppy disks and CD-ROMs even wh
e system.If you enable this policy setting privileges are extended to all programs. These privileges are usually reserved for programs that h
The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is use
le this policy setting strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can f
on the system can run embedded UI.If you disable or do not configure this policy setting embedded UI is allowed to run.
ser.If you disable or do not configure this policy setting by default when a script hosted by an Internet browser tries to install a program on
etting users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those progra
Patch Optimization options are turned off during the installation.If you disable or do not configure this policy setting it enables faster applic
d by the application vendor.Non-administrator updates provide a mechanism for the author of an application to create digitally signed up
es.This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where
terrupted or unsuccessful installation.If you enable this policy setting Windows Installer is prevented from recording the original state of t
API can eliminate or reduce the number of system restarts that are required to complete an installation or update.If you enable this policy
use the drop-down list to select the behavior you want.If you do not configure this policy setting or if the policy setting is enabled and "Al
onents to an installed program. If you enable this policy setting the Browse button beside the "Use feature from" list in the Windows In
consist of instructions to modify or customize a program during installation.If you enable this policy setting the transform file is saved in a
The log Msi.log appears in the Temp directory of the system volume. When you enable this policy setting you can specify the types of
lication is installed. System Restore enables users in the event of a problem to restore their computers to a previous state without losing p
perty in an installation package can be used to enable automatic logging of all install operations for the package.If you enable this policy se
kages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Compone
ers from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use
after a restart or cold boot. If you chose â€œDisabledâ€ in the â€œSign-in and lock last interactive user automatically after a restartâ€ p
u enable this policy setting you have one of four options:If you set this policy setting to "None" user mode software cannot simulate the S
n failures to the user.For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level if yo
ed during logon and he has been logged on using previously stored account information.If enabled a notification popup will be displayed to
r the system restarts or after a shutdown and cold boot.This only occurs if the last interactive user didnâ€™t sign out before the restart or
n enabled Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades.When
ayer is in skin mode.If you enable this policy setting the anchor window is hidden when the Player is in skin mode. In addition the option o
the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows Media P
op.If you enable this policy setting users cannot add the Player shortcut icon to their desktops.If you disable or do not configure this policy
y setting any user on this computer is prevented from sharing digital media content from Windows Media Player with other computers an
r.If you enable this policy setting the user cannot add the shortcut for the Player to the Quick Launch bar.If you disable or do not configure
deo smoothing is prevented which can improve video playback on computers with limited resources. In addition the Use Video Smoothing
Windows Messenger does not run.If you disable or do not configure this policy setting Windows Messenger can be used.Note: If you enab
licy setting Windows Messenger is not loaded automatically when a user logs on.If you disable or do not configure this policy setting Wind
nvoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch i
dlet.If you enable this policy setting the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter
is policy setting pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Vie
/Operational event log. If you enable this policy setting Windows PowerShell will log the processing of commands script blocks function
based transcripts. If you enable this policy setting Windows PowerShell will enable transcripting for Windows PowerShell the Windows
.If you enable this policy setting the scripts selected in the drop-down list are allowed to run.The "Allow only signed scripts" policy setting
abilitymetrics and Win32_ReliabilityRecords to provide data to Reliability Monitor in the Security and Maintenance control panel and to re
Basic authentication.If you enable this policy setting the WinRM client uses Basic authentication. If WinRM is configured to use HTTP trans
CredSSP authentication.If you enable this policy setting the WinRM client uses CredSSP authentication.If you disable or do not configure th
s and receives unencrypted messages over the network.If you enable this policy setting the WinRM client sends and receives unencrypted
Digest authentication.If you enable this policy setting the WinRM client does not use Digest authentication.If you disable or do not configu
Kerberos authentication directly.If you enable this policy setting the Windows Remote Management (WinRM) client does not use Kerbero
Negotiate authentication.If you enable this policy setting the WinRM client does not use Negotiate authentication.If you disable or do not
the list specified in TrustedHostsList to determine if the destination host is a trusted entity.If you enable this policy setting the WinRM clie
epts Basic authentication from a remote client. If you enable this policy setting the WinRM service accepts Basic authentication from a
epts CredSSP authentication from a remote client. If you enable this policy setting the WinRM service accepts CredSSP authentication
omatically listens on the network for requests on the HTTP transport over the default HTTP port.If you enable this policy setting the WinRM
ds and receives unencrypted messages over the network.If you enable this policy setting the WinRM client sends and receives unencrypte
epts Kerberos credentials over the network. If you enable this policy setting the WinRM service does not accept Kerberos credentials o
epts Negotiate authentication from a remote client. If you enable this policy setting the WinRM service does not accept Negotiate auth
not allow RunAs credentials to be stored for any plug-ins.If you enable this policy setting the WinRM service will not allow the RunAsUser
vice with regard to channel binding tokens. If you enable this policy setting the WinRM service uses the level specified in HardeningLe
Windows Remote Management (WinRM) service. If you enable this policy setting the HTTP listener always appears. If you disable
e Windows Remote Management (WinRM) service. If you enable this policy setting the HTTPS listener always appears. If you disab
w remote shell connections are accepted by the server.If you set this policy to â€˜disabledâ€™ new remote shell connections are rejected
erations on the system.The value can be any number from 1 to 100.If you enable this policy setting the new shell connections are rejected
er activity until it is automatically deleted.Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used
any active remote shell and all its child processes.Any value from 0 to 0x7FFFFFFF can be set where 0 equals unlimited memory which me
enable this policy setting you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero (0) mea
e same system.Any number from 0 to 0x7FFFFFFF cand be set where 0 means unlimited number of shells.If you enable this policy setting t
Sandbox will be able to receive audio input from the user. Applications using a microphone may require this setting.If you disable this pol
opy and paste between the host and Windows Sandbox are permitted. If you disable this policy setting copy and paste in and out of Sandb
ase the attack surface exposed by the sandbox.If you enable this policy setting networking is done by creating a virtual switch on the host a
cy setting host printers will be shared into Windows Sandbox. If you disable this policy setting Windows Sandbox will not be able to view p
upported in the Windows Sandbox.If you disable this policy setting Windows Sandbox will use software rendering which can be slower tha
ut is enabled in Windows Sandbox.If you disable this policy setting video input is disabled in Windows Sandbox. Applications using video in
will be hidden. Disabled: The Account protection area will be shown. Not configured: Same as Disabled.
r protection area will be hidden. Disabled: The App and browser protection area will be shown. Not configured: Same as Di
abled: Local users can not make changes in the Exploit protection settings area. Disabled: Local users are allowed to make cha
mance and health area will be hidden. Disabled: The Device performance and health area will be shown. Not configured: S
vailable for use. Disabled: The Clear TPM button will be available for use. Not configured: Same as Disabled.
dden. Disabled: The Device security area will be shown. Not configured: Same as Disabled.
Disabled: The Secure boot area will be shown. Not configured: Same as Disabled.
urity processor (TPM) troubleshooting area will be hidden. Disabled: The Security processor (TPM) troubleshooting area will be sh
led: Users will not be shown a recommendation to update their TPM Firmware. Disabled: Users will see a recommendation to
Enabled: Your company contact information will be displayed in a flyout menu in Windows Security. After setting this to Enable
Your company contact information will be displayed in notifications that come from Windows Security. After setting this to Enabled y
s setting must be enabled for any contact information to appear. Enabled: Enter the company name in the Options section. Dis
ations. Users can click on the contact information to create an email that will be sent to the specified address. The default email applic
cations. Users can click on the contact information to automatically call the supplied number. Skype will be used to initiate the call.
click on the contact information to visit the specified website. The default web browser will be used. Enabled: Enter the URL in th
den. Disabled: The Family options area will be shown. Not configured: Same as Disabled.
network protection area will be hidden. Disabled: The Firewall and network protection area will be shown. Not configured:
om Windows Security. Disabled: Local users can see notifications from Windows Security. Not configured: Same a
has been enabled this setting will have no effect. Enabled: Local users will only see critical notifications from Windows Security. The
gn out and sign in or reboot the computer for this setting to take effect. Enabled: Windows Security notification area control will b
a recovery area will be hidden. Disabled: The Ransomware data recovery area will be shown. Not configured: Same as Disa
protection area will be hidden. Disabled: The Virus and threat protection area will be shown. Not configured: Same as Disab
indows services nor restart Windows.If the status is set to Enabled Automatic Updates will immediately install these updates once they ar
based on the "Configure Automatic Updates" policy setting.If you enable this policy setting Windows Automatic Update and Microsoft Upd
her than Microsoft when the update is found on an intranet Microsoft update service location.If you enable this policy setting Automatic U
ant updates instead of first notifying users on the login screen for at least two days.The restart timer can be configured to start with any v
ates. The exact wait time is a sum of the specific value and a random variant of 0-4 hours. If the status is set to Enabled Windows will c
Windows automatic updating service.Note: This policy does not apply to Windows RT.This setting lets you specify whether automatic upd
prior to a scheduled restart to notify the user.If you disable or do not configure this policy the default period will be used.
a restart is required to install updates the auto-restart required notification is displayed. By default the notification is automatically dismis
he update installation deadline. Users are not able to postpone the scheduled restart once the deadline has been reached and the restart i
he status is set to Enabled a scheduled restart will occur the specified number of minutes after the installation is finished.If the status is se
rt warnings2 â€“ Turn off all notifications including restart warningsThis policy allows you to define what Windows Update notifications us
be the default choice in the Shut Down Windows dialog.If you enable this policy setting the user's last shut down choice (Hibernate Restar
y is disabled or not configured then the Windows Update client may initiate automatic scans against Windows Update while update deferr
ically retrieve information from the public Windows Update service to enable future connections to Windows Update and other services li
n the Shut Down Windows dialog box.If you enable this policy setting 'Install Updates and Shut Down' will not appear as a choice in the Shu
is policy Windows Update will include updates that have a Driver classification.
ft update service.If the status is set to Enabled the specified target group information is sent to the intranet Microsoft update service whic
y wake up the system from sleep if there are updates scheduled for installation.Windows Update will only automatically wake up the syst
arted by any user who is logged on instead of causing the computer to restart automatically.If the status is set to Enabled Automatic Upda
s is removed.
Windows Update scan download andÂ install is removed.
restart. If the status is set to Enabled a scheduled restart will occur the specified number of minutes after the previous prompt for rest
th a scheduled installation that was missed previously.If the status is set to Enabled a scheduled installation that did not take place earlier
ve hours.The max active hours range can be set between 8 and 18 hours.If you disable or do not configure this policy the default max activ
14 days past the default restart date.The restart may happen inside active hours.If you disable or do not configure this policy the PC will r
automatically and a grace period after which required restarts occur automatically.Set deadlines for feature updates and quality updates t
hours to Engaged restart which requires the user to schedule. The period can be set between 0 and 30 days from the time the restart beco
ce to automatically update computers on your network. This setting lets you specify a server on your network to function as an intern
attempt to restart outside of active hours.Note that the PC must restart for certain updates to take effect.If you disable or do not configure
tallations including reminder and warning notifications.Enable this policy to turn off all auto restart notifications.If you disable or do not co
e Windows Update update service.When this policy is enabled Automatic Updates will install recommended updates as well as important
featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installation and
e reboots will happen at the scheduled install time.
eguard holds.â€¯Safeguard holds are known compatibility issues that block the upgrade from being deployed to affected devices until the
v ChannelIdeal for highly technical users. Insiders in the Dev Channel will receive builds from our active development branch that is earlie
s listed in the Windows Release Information page aka.ms/ReleaseInformationPage
r taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for the Se
to 30 days.To prevent quality updates from being received on their scheduled time you can temporarily pause quality updates. The pause
ed computer. If you enable this policy setting Work Folders will be set up automatically for all users of the affected computer. This preve
f all pages in a category are blocked the category will be hidden as well. Direct navigation to a blocked page via URI context menu in Explo
r PC.If you disable or do not configure this policy setting users that are not required to press CTRL + ALT + DEL before signing in will see a lo
ckground and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be ap
ecify the default lock screen and logon image shown when no user is signed in and also sets the specified image as the default for all users
change it.If this setting is set to a nonzero value then Start uses the specified background and users cannot change it. If the specified back
ing the logon screen.If you enable this setting the user will not be able to change their lock screen and logon image and they will instead s
ng the user will be assigned the default start menu background and colors and will not be allowed to change them.If the "Force a specific b
le this setting users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be invoked
setting users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start.
whether to enable speech services via settings. If this policy is disabled speech services will be disabled and users cannot enable
acks that are installed as part of the system image will remain installed even if they are not used by any user on that system. If you d
an one language is restricted to a specified language. If the specified language is not installed on the target computer or you disable this p
heâ€¯Windowsâ€¯languageâ€¯use the following policy: "Restricts the UI languages Windows uses for all logged users."â€¯â€¯ If you e
d dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The
p adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing messages i
company logo.Note: The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The default gu
assword expiration is set according to policy.When you disable or not configure this setting password expiration time may be longer than r
when renamed DO configure when you use custom local admin account
characters Maximum: 64 characters Default: 14 charactersPassword age in days Minimum: 1 day Maximum: 365 days Default: 30 days
nd password is configured on multiple systems. Enabling this policy significantly reduces that risk.Enabled (recommended): Applies UAC t
om three options to control whether and how Flash is blocked from activation:1. "Block all activation" prevents the Flash control from bein
er to "Disable driver" using the "Configure SMB v1 client driver" setting;* Enable this setting;* In the "Configure LanmanWorkstation depen
HE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!For Windows 7 and Servers 2008 2008R2 and 2012 you must also configure
oot to take effect.For more information see https://support.microsoft.com/kb/2696547
ating-systems.If this setting is disabled or not configured SEHOP is not enforced for 32-bit processes.
configure it the system will limit installation of print drivers to Administrators of this computer.If you disable this setting the system will no
(WINS).* An M-node computer broadcasts first and then queries the name server.* An H-node computer queries the name server first an
text menu when the user holds Shift while right-clicking on a .bat .cmd .exe or .msc file in Explorer.Disabled: Restores the Windows defau
ovide business-critical functionality before you enable this setting.If Enabled Office applications will not execute legacy JScript for the Inter
Components\Windows Defender Antivirus\Configure detection for potentially unwanted applications.
ed.If this setting is not configured WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled by defa
15 minutes.If you enable this policy setting you can configure how often a DFS client attempts to discover domain controllers. This value is
specified by the job's owner. If BITS peer caching is enabled BITS caches downloaded files and makes them available to other BITS pe
anch Cache by default. If you enable this policy setting the BITS client does not use Windows Branch Cache. If you disable or do n
peer caching client (downloading files from its peers). If you enable this policy setting the computer will no longer use the BITS peer c
peer caching client (downloading files from its peers). If you enable this policy setting the computer will no longer cache downloaded
che that have not been accessed in the past 90 days. If you enable this policy setting you can specify in days the maximum age of file
o peers until the cache content reaches the specified cache size. By default BITS will use 1 percent of the total system disk for the peercach
g files. When the cumulative download time exceeds this limit the job is placed in the error state. By default BITS uses a maximum do
to use during a specific time interval and at all other times. For example limit the use of network bandwidth to 10 Kbps from 8:00 A.M. to
ving other peers by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example if a comp
ximum number of BITS jobs a user can create. If you enable this policy setting BITS will limit the maximum number of BITS jobs a user
icy setting to raise or lower the maximum number of user BITS jobs. If you enable this policy setting BITS will limit the maximum num
If you enable this policy setting BITS will limit the maximum number of files a job can contain to the specified number. If you disable o
nges per file. If you enable this policy setting BITS will limit the maximum number of ranges that can be added to a file to the specifie
vior policies further limit the network usage of background transfers. If you enable this policy setting you can define a default downlo
work bandwidth that is used for background transfers. If you enable this policy setting you can define a separate set of network band
weekly calendar which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule are co
job is determined to be abandoned the job is deleted from BITS and any downloaded files for the job are deleted from the disk. Note
om file servers based on the network latency - or delay - that occurs when the clients download content from the main office over a Wide
he same BranchCache version cache efficiency might be reduced because client computers that are using different versions of BranchCach
mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same
d with the client's current Active Directory site. If you enable this policy setting client computers to which the policy setting is applied sear
cache.If you disable or do not configure this policy setting the age is set to 28 days.Policy configurationSelect one of the following:- Not Co
able BranchCache on client computers.In distributed cache mode client computers download content from BranchCache-enabled main offi
BranchCache on client computers.When a client computer is configured as a hosted cache mode client it is able to download cached cont
k space to allocate for the cache.If you disable or do not configure this policy setting the cache is set to 5 percent of the total disk space on
or distributed cache mode clients. To do so configure one of the following the policy settings: - Set BranchCache Distributed Cache mode
ng types: - A DNS name or IPv6 address that NCA pings. The syntax is â€œPING:â€ followed by a fully qualified domain name (FQDN) th
he Contoso Corporation.If this setting is not configured the string that appears for DirectAccess connectivity is â€œCorporate Connectionâ
ough these configured tunnel endpoints. By default NCA uses the same DirectAccess server that the DirectAccess client computer connecti
ccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is a
open a new message with the support email address in the To: field of the message then attaches the generated log files as a .html file. T
otely manage DirectAccess client computers from your intranet and not providing seamless intranet access. If this setting is not configured
qualified multi-label name for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an examp
ww.example.com" in addition to single-label names. If you disable this policy setting or if you do not configure this policy setting NetBT q
H protocol to resolve domain names.To use this policy setting click Enabled and then select one of the following options from the drop-dow
presenting the DNS suffix.If you enable this policy setting the DNS suffix that you enter will be applied to all network connections used by c
olicy setting click Enabled and then enter a space-delimited list of IP addresses in the available field. To use this policy setting you must ent
This is different from a fully qualified domain name such as "example.microsoft.com."Client computers that receive this policy setting will
not configure this policy setting computers will attempt to use dynamic DNS registration on all network connections that have connection-s
he Nameprep form.If this policy setting is disabled or if this policy setting is not configured IDNs are not converted to the Nameprep form.
order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (Ne
microsoft.com.Important: In order for changes to this policy setting to be applied on computers that receive it you must restart Windows
nt suffix of the primary DNS suffix name and the parent of that suffix and so on stopping if the name is successfully resolved or at a level d
qualified domain name with the parent suffix of the primary DNS suffix name and the parent of that suffix and so on stopping if the name i
ecords with a concatenation of its computer name and the primary DNS suffix.By default a DNS client performing dynamic DNS registration
ed the corresponding A resource record.If you enable this policy setting registration of PTR records will be determined by the option that
registration of A and PTR resource records periodically reregister their records with DNS servers even if the record has not changed. This r
s that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS cli
(for example 900 is 15 minutes).If you enable this policy setting the TTL value that you specify will be applied to DNS resource records reg
DNs are not converted to Punycode.If this policy setting is disabled or if this policy setting is not configured IDNs are converted to Punycod
single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not requ
CP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received the network binding order is used to d
on protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).If you enable this policy setting the DN
hen nonsecure dynamic updates are refused.Only unsecure - computers send only nonsecure dynamic updates.Only secure - computers se
ynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level d
provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text.
hen manually connecting to the network. If authentication is successful users will be connected automatically on subsequent attempts. Cre
e supported cipher suite or if you disable or do not configure this policy setting the default cipher suite order is used.SMB 3.11 cipher suite
ave the File Services role and both the File Server and the BranchCache for Network Files role services installed.Policy configurationSelect
d on the data in shared folders where BranchCache is enabled. If you specify only one version that is supported content information for th
rs from the list of client-supported cipher suites ignoring the client's preferences.If you disable or do not configure this policy setting the S
supported cipher suite or if you disable or do not configure this policy setting the default cipher suite order is used.SMB 3.11 cipher suites
gons.If you disable this policy setting the SMB client will reject insecure guest logons.Insecure guest logons are used by file servers to allow
will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstru
offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA
Quality-of-Service requests such as bandwidth estimation and network health analysis.If you enable this policy setting additional options a
nd located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and netw
nts for the local system. Thus it will not allow any passwords to be used for a Peer Group that are weaker than what would be allowed for
content distribution and distributed processing.If you enable this setting peer-to-peer protocols will be turned off.If you disable this settin
r example a client computer can detect other computers to initiate chat sessions but other computers cannot detect that client and initiat
he protocol in some cases requires a seed server from which to get bootstrapped.Any node running peer to peer can be used as a seed se
on of a name to an IPV6 address and port number. One of the ways in which PNRP bootstraps itself is by using multicast on the same subn
s. Other hosts can then resolve the name retrieve the corresponding address and establish peer-to-peer (P2P) connections. The PNRP clou
. The protocol in some cases requires a seed server from which to get bootstrapped. This setting allows for setting the seed server to a spe
ution of a name to an IPV6 address and port number. One of the ways in which PNRP bootstraps itself is by using multicast on the same su
. The protocol in some cases requires a seed server from which to get bootstrapped. This setting allows for setting the seed server to a spe
ution of a name to an IPV6 address and port number. One of the ways in which PNRP bootstraps itself is by using multicast on the same su
nly.If you disable this setting or do not configure it the "local access only" icon will be used when a user is connected to a network with loc
o when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was conne
ice can run on a computer.Important: This setting is location aware. It only applies when a computer is connected to the same DNS doma
heir system as an Internet gateway for a small network and provides network services such as name resolution and addressing through DH
e or do not configure this policy setting domain users can set a network's location without elevating.
an internal network using DirectAccess it can access the Internet in two ways: through the secure tunnel that DirectAccess establishes bet
f computers. If a computer on that list authenticates using IPsec Windows Defender Firewall does not block its unsolicited messages. This
s the echo request message. If you do not enable the "Allow inbound echo request" message type Windows Defender Firewall blocks ech
so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from whi
all opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Co
computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are
900.If you enable this policy setting Windows Defender Firewall opens these ports so that this computer can receive Plug and Play messag
Windows Defender Firewall: Define inbound port exceptions" policy setting.If you enable this policy setting the Windows Defender Firewal
by the "Windows Defender Firewall: Define inbound program exceptions" policy setting.If you enable this policy setting the Windows Defe
must provide the name location and maximum size of the log file. The location can contain environment variables. You must also specify w
he Windows Defender Firewall component in Control Panel.If you enable this policy setting you can view and change the inbound port exc
he Windows Defender Firewall component in Control Panel.If you enable this policy setting you can view and change the program exceptio
setting in the Windows Defender Firewall component of Control Panel the "Block all incoming connections" check box is selected and adm
g Windows Defender Firewall prevents the display of these notifications.If you disable this policy setting Windows Defender Firewall allow
Windows Defender Firewall blocks the unicast responses sent by those other computers.If you disable or do not configure this policy setti
e of Internet Connection Firewall on your DNS domain network" policy setting.If you disable this policy setting Windows Defender Firewall
s the echo request message. If you do not enable the "Allow inbound echo request" message type Windows Defender Firewall blocks ech
so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets from whi
all opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distributed Co
computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messages are
900.If you enable this policy setting Windows Defender Firewall opens these ports so that this computer can receive Plug and Play messag
Windows Defender Firewall: Define inbound port exceptions" policy setting.If you enable this policy setting the Windows Defender Firewal
by the "Windows Defender Firewall: Define inbound program exceptions" policy setting.If you enable this policy setting the Windows Defe
must provide the name location and maximum size of the log file. The location can contain environment variables. You must also specify w
he Windows Defender Firewall component in Control Panel.If you enable this policy setting you can view and change the inbound port exc
he Windows Defender Firewall component in Control Panel.If you enable this policy setting you can view and change the program exceptio
setting in the Windows Defender Firewall component of Control Panel the "Block all incoming connections" check box is selected and adm
g Windows Defender Firewall prevents the display of these notifications.If you disable this policy setting Windows Defender Firewall allow
Windows Defender Firewall blocks the unicast responses sent by those other computers.If you disable or do not configure this policy setti
e of Internet Connection Firewall on your DNS domain network" policy setting.If you disable this policy setting Windows Defender Firewall
achability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network.
on any interface.
ptions to control the passive polling behavior.
proxy address.Contains a list of Enterprise resource domains hosted in the cloud. Connections to these resources are considered connecti
at have the Internet Client or Internet Client/Server capabilities.If you enable this policy setting apps on proxied networks can access the In
t have the Home/Work Networking capability.If you enable this policy setting it allows an administrator to configure a set of proxies that p
ability have appropriate access to your corporate network. These addresses are only accessible to apps if and only if the app has declared
ation's automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritative. This
dows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. Only network hosts within
iles tab. This prevents users from trying to change the option while a setting controls it.If you enable this setting you can use the "Action"
this policy setting Offline Files is enabled and users cannot disable it.If you disable this policy setting Offline Files is disabled and users cann
ser logs off the system deletes all local copies of offline files.If you disable this setting or do not configure it automatically and manually ca
ode use the "Configure slow-link mode" policy setting.If you enable this policy setting you can control when Windows synchronizes in the
omatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the presence
ess to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode all network file requests ar
ne Files tab. This prevents users from trying to change the option while a setting controls it.Automatic caching can be set on any network s
specified file extensions in any of the folders that have been made available offline.If you disable or do not configure this policy setting a u
e background when the user's network is roaming near or over the plan's data limit. This may result in extra charges on cell phone or broa
hed Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandwidth co
Offline Files cache without proper permissions.If you enable this policy setting all files in the Offline Files cache are encrypted. This includ
the offline files storage cache is corrupted. However you can use this setting to specify additional events you want Offline Files to record.T
even when they reside on a network share configured for automatic caching. Also if users try to make a file of this type available offline the
lly. By default the first reminder for an event is displayed for 30 seconds. Then updates appear every 60 minutes and are displayed for 15
matically cached if the user accesses a file on an automatic caching network share.This setting also disables the ability to adjust through th
server disconnect" setting.To use this setting click Show. In the Show Contents dialog box in the Value Name column box type the server's
r. Also they cannot use the folder to view characteristics of offline files such as their server status type or location.This setting does not pre
s context menu and disables the Settings button on the Offline Files Status dialog box. As a result users cannot view or change the options
pear when the user's connection to a network file is lost or reconnected and they are updated periodically. By default the first reminder fo
minder for an event is displayed for 30 seconds. Then updates appear every 60 minutes and are displayed for 15 seconds. You can use this
will still cache local copies of files that reside on network shares designated for automatic caching.If you disable or do not configure this po
able for the files and folders that you list. To specify these files and folders click Show. In the Show Contents dialog box in the Value Name
ne" command is not displayed in File Explorer.If you disable or do not configure this policy setting the "Work offline" command is displayed
he files you enter are always available offline to users of the computer. To specify a file or folder click Show. In the Show Contents dialog b
not have the option of excluding subfolders.If you enable this setting when you make a folder available offline all folders within that folder
change the option while a setting controls it.If you enable this setting offline files are fully synchronized. Full synchronization ensures that
change the option while a setting controls it.If you enable this setting offline files are fully synchronized at logon. Full synchronization ens
Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files and fold
networked file and are working on a local copy of the file. Users can then decide how to proceed.If you enable this setting the system hid
ers are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later.If you disable this p
l the number falls below this limit."Outstanding packets" are packets that the Packet Scheduler has submitted to a network adapter for tra
the system to 80 percent of the bandwidth of a connection but you can use this setting to override the default.If you enable this setting yo
value of this entry.If you enable this setting you can override the default timer resolution established for the system usually units of 10 mi
header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting you can change
ue in the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting you c
e IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting you can cha
alue in the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting you
IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting you can chang
header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this setting you can
ue in the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this settin
e IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this setting you c
alue in the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this setti
IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this setting you can
packets.If you enable this setting you can change the default priority value associated with the Best Effort service type.If you disable this se
der of the packets.If you enable this setting you can change the default priority value associated with the Controlled Load service type.If y
he packets.If you enable this setting you can change the default priority value associated with the Guaranteed service type.If you disable t
ader of the packets.If you enable this setting you can change the default priority value associated with the Network Control service type.If
ou enable this setting you can change the default priority value associated with nonconforming packets.If you disable this setting the syste
e packets.If you enable this setting you can change the default priority value associated with the Qualitative service type.If you disable this
network by polling and setting terminal values and monitoring network events.A valid community is a community recognized by the SNMP
ol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monitoring ne
e a computer network by polling and setting terminal values and monitoring network events.This policy setting allows you to configure the
ble or do not configure this policy setting the default ECC curve order is used.Default Curve Order============curve25519NistP256NistP
setting default cipher suite order is used.Link for all the cipherSuites: http://go.microsoft.com/fwlink/?LinkId=517265
nectivity is not available on the host.If you enable this policy setting you can specify a relay name for a 6to4 host.If you disable or do not co
policy setting you can specify the value for the duration at which the relay name is resolved periodically.If you disable or do not configure t
v4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the globa
ost settings are used.If you enable this policy setting you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTPS with o
uter. If you enter an IPv4 address of the ISATAP router in the text box DNS services are not required.If you disable or do not configure this
ed to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet.If you disable or do not configure this policy setting the
dy in use by a system the Teredo client will fail to initialize.If you enable this policy setting you can customize a UDP port for the Teredo cl
mant state.If you disable or do not configure this policy setting the local host setting is used.This policy setting contains only one state:Pol
er sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the translation
a Teredo server name that applies to a Teredo client.If you disable or do not configure this policy setting the local settings on the compute
icy setting the local host settings are used.If you enable this policy setting you can configure Teredo with one of the following settings:Defa
er of autoconfigured addresses and routes.If you disable this policy setting IP Stateless Autoconfiguration Limits will be disabled and system
at don't interpret Window Scaling option correctly.If you do not configure this policy setting the local host settings are used.If you enable t
WLAN through the Windows Portable Device API (WPD) and via USB Flash drives.Additional options are available to allow discovery and con
d tasks including "Set up a wireless router or access point" and "Add a wireless device" are disabled. If you disable or do not configure this
educe power consumption when the machine enters connected standby mode.If this policy setting is not configured or is disabled power
termines that the computer should no longer be connected to a network.If this policy setting is disabled Windows will disconnect a compu
If this policy setting is set to 0 a computer can have simultaneous connections to the internet to a Windows domain or to both. Internet tr
manual network connection attempts based on the following circumstances:Automatic connection attempts- When the computer is alread
ttempts to roaming provider networks are blocked until the client registers with the home provider network.If this policy setting is not confi
r the Push Button pairing method.If this policy setting is disabled or is not configured by default Push Button pairing is preferred (if allowed
If this policy setting is disabled or is not configured by default Push Button pairing is allowed (but not necessarily preferred).
following values from the list will set the cost of all WLAN connections on the local machine:- Unrestricted: Use of this connection is unlim
gested open hotspots" enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing networks that
ly Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choos
om the list will set the cost of all 3G connections on the local machine:- Unrestricted: Use of this connection is unlimited and not restricte
s from the list will set the cost of all 4G connections on the local machine:- Unrestricted: Use of this connection is unlimited and not restric
ctive. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page.If this policy setting is disabled o
erver. If you disable this policy setting or do not configure it Internet printing is not activated. Internet printing is an extension o
ntroller e.g. a domain-joined laptop on a corporate network.) If this policy setting is disabled the network scan page will not be display
omain-joined laptop on a home network.)If this setting is disabled the network scan page will not be displayed.If this setting is not configu
tting the print job name will be included in new log entries. Note: This setting does not apply to Branch Office Direct Printing jobs.
ot accept client connections nor allow users to share printers. All printers currently shared will continue to be shared.The spooler must be
aring tab to publish shared printers in Active Directory. If you disable this setting this computer's shared printers cannot be publishe
m Active Directory if the computer that published them does not respond to contact requests. When the computer that published the print
performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU as com
print server.If you enable this policy setting on a client machine the client spooler will not process print jobs before sending them to the p
es all shared printers. If you disable this setting the Add Printer Wizard does not automatically publish printers. However you can publis
mat is the legacy Microsoft XPS (*.xps). If you disable or do not configure this policy setting the default MXDW output format is OpenX
m only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. To enable
e Location Tracking by enabling the "Pre-populate printer search location text" setting. When Location Tracking is enabled the system
you enable this policy setting you replace the "Get help with printing" default link with a link to a Web page customized for your enterpris
. If a computer does not respond to the contact message (optionally after repeated attempts) the pruning service "prunes" (deletes from A
ct attempts. This process keeps printer information in Active Directory current. The thread priority influences the order in which the
t have published printers to verify that the printers are still available for use. If a computer does not respond to the contact message the m
e stop errors.If you disable this setting or do not configure it then printers using a kernel-mode drivers may be installed on the local compu
access to more device features but this may not be appropriate for all enterprises. If you enable this policy setting then all printer exte
you enable this setting the computer will restrict printing to printer connections on the corporate network or approved USB-connected p
ill not cause the print spooler service to fail.If you enable or do not configure this policy setting the print spooler will execute print drivers
rom Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache.If you disable this p
ash.Not all applications support driver isolation. By default Microsoft Excel 2007 Excel 2010 Word 2007 Word 2010 and certain other appli
e Control Printing is enabled the system uses the specified list of vid/pid values to determine if the current USB connected printer is appro
ers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact attemp
print client computers will check the driver signature of all drivers that are downloaded from print servers.If this setting is disabled or not c
ot report compatibility.If you enable this policy setting the print spooler isolates all print drivers that do not explicitly opt out of Driver Isola
pletely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connections.W
t are members of a domain. If you enable this policy setting: -Windows XP and later clients will only download print driver comp
king overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP address
able this setting the print spooler announces shared printers to the print browse master servers.If you disable this setting shared printers
rs. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published outside th
ocuments opened while the setting is in effect. Also they retain but do not display existing document shortcuts. The system empties the Re
will automatically select the size based on hardware form factor and users will be able to change the size of Start in Settings.
ng will also be disabled in Settings.

displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off.Selecting "Collapse an
ot prevent users from running Windows-based programs that perform these functions.If you enable this policy setting the shutdown resta
change to hide it using the Settings app.Selecting "Hide" will force the "Most used" list to be hidden and user cannot change to show it usi
ted by the Export-StartLayout PowerShell cmdlet.To use this setting you must first manually configure a device's Start layout to the desired
ndows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to update tile
esses.If you enable this policy setting the System State Data feature is activated when the user indicates that the shutdown or restart is un
d within an NTFS volume to another NTFS volume on the same computer or to an NTFS volume on another computer. The DLT client can
us messages that reflect each step in the process of starting shutting down logging on or logging off the system.If you disable or do not con
re shutting down the computer.If you enable this setting and choose "Always" from the drop-down menu list the Shutdown Event Tracker
lder.If you disable or do not configure this policy setting File Explorer automatically encrypts files that are moved to an encrypted folder.T
e server. If you disable or do not configure this policy setting the Manage Your Server page is displayed each time an administrator logs on
ted using the Start menu or Task Manager user interfaces. Applications such as UPS software may rely on Windows shutdown behavior.T
es provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered the req
o specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Int
u disable or do not configure this policy setting the system displays the message reminding users to wait while their system starts or shuts
tire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. If you enab
olicy setting enter the file names names of the programs you want to restrict separated by commas. If you disable or do not config
etting and specify the new location the files in that location will be used to repair operating system corruption and for enabling optional fe
his policy setting the Windows Setup source path will be the location used during the last time Windows Setup was run on the system.
ble or do not configure this policy setting the Windows Service Pack Setup source path will be the location used during the last time Windo
takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory
th the ability to send an email to request access to the file or folder to which they were denied access.If you enable this policy setting user
tures to improve. No information collected is used to identify or contact you. For more details read about the program online at http://go
d during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.

d during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
ean). Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Refresh In
e is don't set this time to a busy hour e.g. 9AM. Delay reporting for the random minutes: The maximum minutes of random delay on
with BranchCache
n use virtual components.

olicy setting the command line information for every process will be logged in plain text in the security event log as part of the Audit Proce
cate or Kerberos.If you enable this policy setting you can specify the servers to which the user's default credentials can be delegated (defa
licy setting you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use
or Kerberos.If you enable this policy setting you can specify the servers to which the user's fresh credentials can be delegated (fresh creden
licy setting you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are pro
or Kerberos.If you enable this policy setting you can specify the servers to which the user's saved credentials can be delegated (saved crede
licy setting you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect t
cannot be delegated (default credentials are those that you use when first logging on to Windows).If you disable or do not configure (by de
nnot be delegated (fresh credentials are those that you are prompted for when executing the application).If you disable or do not configur
annot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).If you disable or
tion oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to set the
ft from attackers on the remote host.If you enable this policy setting the host supports Restricted Admin or Remote Credential Guard mod
servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resou
will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. To enable this policy the machine must be
n optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctl
M certificate etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates
nfigure this policy setting remote connections to the Plug and Play interface are not allowed.
re terminating the installation.If you disable or do not configure this policy setting Windows waits 240 seconds for a device installation task
not sent when a generic driver is installed.If you disable or do not configure this policy setting an error report is sent when a generic drive
e points for certain driver activity such as the installation of an unsigned driver. A system restore point enables you to more easily restore
nternet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security > System
dows will not send an error report to request additional software even if this is specified by the device driver.If you disable or do not confi
lation process. Regardless of this policy setting a signed driver is still preferred over a driver that is not signed at all.If you enable or do not
date unconditionally only if necessary or not at all.Note that searching always implies that Windows will attempt to search Windows Upda
hes a Managed Server or a combination of both.Note that if both are specified then Windows will first search the Managed Server such as
ou disable or do not configure this policy setting "Found New Hardware" balloons appear while a device is being installed unless the driver
of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device
described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over thi
ther policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.If you en
devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precede
he text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation.If you disable or d
ays the text you type in the Detail Text box when a policy setting prevents device installation.If you disable or do not configure this policy s
evice driver for any device that is not described by either the "Allow installation of devices that match any of these device IDs" the "Allow
that allows Windows to install a device.If you enable this policy setting Windows is prevented from installing a device whose hardware ID
indows to install a device.If you enable this policy setting Windows is prevented from installing a device whose device instance ID appears
olicy setting that allows Windows to install a device. If you enable this policy setting Windows is prevented from installing or updating dev
or example a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connecte
of seconds you want the system to wait until a reboot.If you disable or do not configure this policy setting the system does not force a rebo
e.If you disable this policy setting the system uses the NV cache to achieve faster boot and resume. The system determines the data that w
ou disable this policy setting the hard disks are put into an NV cache power saving mode. In this mode the system tries to save power by ag
ect Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The
u disable this policy setting the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusi
ply to fixed-media NTFS volumes only. Note: When this policy setting is applied the computer will apply the disk quota to both fixed and re
on and users cannot turn it off.If you disable the policy setting disk quota management is turned off and users cannot turn it on.If this poli
quota limits are not enforced. When you enable or disable this policy setting the system disables the "Deny disk space to users exceeding q
this policy setting the system records an event when the user reaches their limit. If you disable this policy setting no event is recorded. Als
you disable this policy setting no event is recorded. When you enable or disable this policy setting the system disables the corresponding "
umes on a computer. It also specifies the warning level the point at which the user's status in the Quota Entries window changes to indica
es (which can happen when you connect or disconnect a display that has a different display scale factor (DPI) connect remotely from a dev
g GDI DPI Scaling is turned off for all applications in the list even if they are enabled by using ApplicationCompatibility database Application
g GDI DPI Scaling is turned on for all legacy applications in the list.If you disable or do not configure this policy setting GDI DPI Scaling will n
erver application id (appid) in the "Define Activation Security Check exemptions" policy (if enabled) DCOM will look for an entry in the loca
licy setting and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is config
of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver S
hing" in "Administrative Templates/System/Internet Communication Management/Internet Communication settings" is disabled or not co
an return the following classifications for each boot-start driver:- Good: The driver has been signed and has not been tampered with.- Ba
USB device reading data on an Enhanced Storage device.If you enable this policy setting only USB root hub connected Enhanced Storage de
tain a manufacturer and product ID specified in this policy are usable on your computer.If you disable or do not configure this policy settin
y setting only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer.If you disable or do not c
ur computer.If you disable or do not configure this policy setting non-Enhanced Storage removable devices are allowed on your computer
sable or do not configure this policy setting a password can be used to unlock an Enhanced Storage device.
ot configure this policy setting Windows will activate unactivated Enhanced Storage devices.
ed when the computer is locked.If you disable or do not configure this policy setting the Enhanced Storage device state is not changed wh
istrators can define the properties for the organization by using Group Policy and supplement these with properties defined on individual
S) and then group these properties into lists. Administrators can supplement these properties on individual file servers by using File Classifi
up and restore of VSS aware applications storing data on SMB2 File Shares.By default the RPC protocol message between File Server VSS p
l disable delete notifications for all volumes.
ng will cause the long paths to be accessible within the process.
emote TargetRemote Link to Remote TargetRemote Link to Local TargetFor further information please refer to the Windows Help section
s to be non-pageable.The benefit of enabling this feature is a reduction in page-faults and stack usage at the cost of additional memory co
larger may decrease the time it takes to flush a volume but the flush may have a larger impact on other concurrent IO operations.Values
he system.If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes then t
e user might not want to download private data such as on a meeting room computer or on a computer in a remote office.To designate a
Start Menu and legacy My Documents folder respectively.If you enable this policy setting Windows Vista Windows 7 Windows 8 and Wind
ssing mode for Windows Vista and Windows XP.By default Window Server processes user Group Policy settings synchronously.If you enab
omputer in a different forest when a trust across forests or a two-way forest trust exists.If you do not configure this policy setting:- No use
at GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to create the G
rtup and user logon) when a slow network connection is detected.If you enable this policy setting when a slow network connection is dete
e items.If you disable or do not configure this policy setting Application preference items are allowed to process across a slow network con
nce items.If you disable or do not configure this policy setting Data Sources preference items are allowed to process across a slow network
you disable or do not configure this policy setting Device preference items are allowed to process across a slow network connection to be
andwidth speed of a Direct Access connection the detection can sometimes fail to provide any bandwidth speed information. If Group Pol
emplates\System\Disk Quotas.This policy setting overrides customized settings that the program implementing the disk quota policy set w
items.If you disable or do not configure this policy setting Drive Maps preference items are allowed to process across a slow network conn
s\Security Settings.It overrides customized settings that the program implementing the encryption policy set when it was installed.If you en
preference items.If you disable or do not configure this policy setting Environment Variable preference items are allowed to process acro
sable or do not configure this policy setting File preference items are allowed to process across a slow network connection to be applied d
n With and File Type preference items.If you disable or do not configure this policy setting Folder Options Open With and File Type prefere
direction. You can only set folder redirection policy for Group Policy objects stored in Active Directory not for Group Policy objects on the
you disable or do not configure this policy setting Folder preference items are allowed to process across a slow network connection to be a
. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode it re
roup is slower than the rate specified by this setting the system considers the connection to be slow.The system's response to a slow polic
you disable or do not configure this policy setting Ini Files preference items are allowed to process across a slow network connection to b
Windows Settings\Internet Explorer Maintenance.This policy setting overrides customized settings that the program implementing the Inte
ce items.If you disable or do not configure this policy setting Internet preference items are allowed to process across a slow network conn
ngs\Security Settings\IP Security Policies on Local Machine.This policy setting overrides customized settings that the program implementin
and Local Group preference items.If you disable or do not configure this policy setting Local User and Local Group preference items are all
five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention. If you en
and DUN Connection preference items.If you disable or do not configure this policy setting VPN Connection and DUN Connection preferen
eference items.If you disable or do not configure this policy setting Network Shares preference items are allowed to process across a slow
Power Scheme preference items.If you disable or do not configure this policy setting Power Options and Power Scheme preference items
ter and Local Printer preference items.If you disable or do not configure this policy setting Shared Printer TCP/IP Printer and Local Printer p
preference items.If you disable or do not configure this policy setting Regional Options preference items are allowed to process across a s
mized settings that the program implementing a registry policy set when it was installed.If you enable this policy setting you can use the ch
If you disable or do not configure this policy setting Registry preference items are allowed to process across a slow network connection to
nd Immediate Task preference items.If you disable or do not configure this policy setting Scheduled Task and Immediate Task preference it
errides customized settings that the program implementing the scripts policy set when it was installed.If you enable this policy setting you
setting overrides customized settings that the program implementing the security policy set when it was installed.If you enable this policy
f you disable or do not configure this policy setting Service preference items are allowed to process across a slow network connection to b
ms.If you disable or do not configure this policy setting Shortcut preference items are allowed to process across a slow network connection
re Settings\Software Installation. You can set software installation policy only for Group Policy Objects stored in Active Directory not for G
items.If you disable or do not configure this policy setting Start Menu preference items are allowed to process across a slow network conn
public places laboratories and classrooms where you must modify the user setting based on the computer that is being used.By default the
is policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app.If you
ttings\Wired Network Policies.It overrides customized settings that the program implementing the wired network set when it was installed.
sSettings\Wireless Network Policies.It overrides customized settings that the program implementing the wireless network set when it was
indows devices that belong to the same user and can participate in cross-device experiences.If you disable this policy setting the Windows
etting interactive users cannot generate RSoP data.If you disable or do not configure this policy setting interactive users can generate RSoP
ng session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground
ce will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences.If you disable this policy setting the
d at startup or when an official policy refresh occurs.If you disable or do not configure this policy setting the default behavior applies. By d
Configuration folder.In addition to background updates Group Policy for the computer is always updated when the system starts.By defau
e system starts.By default Group Policy on the domain controllers is updated every five minutes.If you enable this setting you can specify a
etwork is available or the default wait time is reached. If the startup policy processing is asynchronous the computer is not blocked and po
orkplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous the computer is not blocked a
stem waits until the current user logs off the system before updating the computer and user settings.If you disable or do not configure thi
apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-b
tails such as which Group Policy Objects (GPO) were applied where they came from and the client-side extension settings that were includ
nostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Applica
agnostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Data S
ormation for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Devices extensio
ostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Drive Ma
agnostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Enviro
tion for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Files extension for clien
e diagnostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Fo
ormation for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Folders extension
ormation for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Ini Files extension
nformation for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Internet extens
gging and tracing provide diagnostic information for troubleshooting.If you enable this policy setting you can configure event logging and t
ovide diagnostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for th
de diagnostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the
e diagnostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Po
formation for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Printers extensio
ovide diagnostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for th
formation for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Registry extensi
vide diagnostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the
formation for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Services extensi
c information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Shortcuts ext
ostic information for troubleshooting.If you enable this policy setting you can configure event logging and turn on tracing for the Start Men
ettings" section are set such that their respective features cannot access the Internet.If you disable this policy setting all of the the policy s
windowsupdate.microsoft.com from the Windows Update hyperlink on the Start menu and also on the Tools menu in Internet Explorer. W
with any applications on the computer the user is given the choice to select a local application or use the Store service to find an applicati
mail. Anyone can issue certificates but to have transactions that are as secure as possible certificates must be issued by a trusted certificate
event the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are not alre
rowser when clicked. In addition "More Information" is placed at the end of the description text if the event is created by a Microsoft com
by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition in futu
ansmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in future vers
er and provides up-to-date information about Windows and the computer.If you enable this policy setting the Help and Support Center no
ols for Microsoft products and is searched as part of all Help and Support Center searches with the default search options.If you enable th
e Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs which res
such as online storage and photographic printing. By default Windows displays providers downloaded from a Windows website in additio
with any applications on the computer the user is given the choice to select a local application or use the Web service to find an application
de of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers av
istration and users cannot register their copy of Windows online.If you disable or do not configure this policy setting users can connect to
ccasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results.If
ints online.If you enable this policy setting the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.If you disab
he Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web.If you enable this policy setti
an allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the product in fu
u use our software and services to identify trends and usage patterns. Microsoft will not collect your name address or any other personally
e the quality of the product.If you enable this policy setting users are not given the option to report errors.If you disable or do not configu
s part of determining the connectivity level NCSI performs one of two active tests: downloading a page from a dedicated Web server or ma
w device is installed.If you disable this policy setting Windows Update is always searched for drivers when no local drivers are present.If you
ablished. Note that if the "Do not allow sessions without mutual CHAP" setting is enabled then that setting overrides this one.
ts may be manually configured. Note: if enabled there may be cases where this will break VDS.
argets discovered via those iSNS servers; existing iSNS servers may be removed.
rgets discovered on those portals; existing target portals may be removed.
cy setting client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware
his policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension.If you enable this policy settin
out previous logons.For Windows Logon to leverage this feature the "Display information about previous logons during user logon" policy
uthentication and Kerberos armoring" must be configured and enabled. If you enable this policy setting domain controllers will request co
arch the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catal
icy setting you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high then authentication failures
tting the cloud kerberos ticket is retrieved during the logon.
tion the policies "KDC support for claims compound authentication and Kerberos armoring" and "Request compound authentication" mus
uffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings enable the policy setting and then click the Sh
of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms enable the policy setting and
ed by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. Warning: When revocation ch
by enabling "Support Dynamic Access Control and Kerberos armoring" then all authentication for all its users will fail from computers with
ures. If you enable this policy setting the client computers will request claims provide information required to create compounded authenti
certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions and that the KDC's X.509 certificate
er with a NULL value for the service principal name (SPN) computers running Windows 7 or later attempt to use Kerberos by generating an
of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships
main when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain enable the
controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dyna
support for Kerberos to attempt authentication using the certificate for the device to the domain.If you enable this policy setting the devic
the forests in this list if it is unable to resolve a two-part SPN. If a match is found the Kerberos client requests a referral ticket to the appro
t apply to 1394 PCMCIA or ExpressCard devices.
y select any GeoID.If you enable this policy setting at the computer level it cannot be disabled by a per-user policy setting. If you disable th
ote this does not affect the availability of user input methods on the lock screen or with the UAC prompt. If the policy is Enabled then t
tion of replacement locales. To prevent the selection of replacement locales adjust the permissions of the %windir%\Globalization directo
t the user(s) values to the defaults and then apply this policy.When this policy setting is enabled users can still choose alternate locales ins
e next time that an administrator attempts to change the computer's system locale they will be restricted to the specified list.The locale lis
wever the next time a user attempts to change their user locale their choices will be restricted to locales in this list.To set this policy setting
andby device can change the amount of time after the device's screen turns off before a password is required when waking the device. Th
mpts to load a custom background instead of the Windows-branded logon background. If you disable or do not configure this policy setting
mputers Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup
ou disable or do not configure this policy setting the system picks the default credential provider on other user tile.Note: A list of registered
on the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fabrikam dom
ou disable or do not configure this policy setting the user may choose to show account details on the sign-in screen.
ning into Windows.If you disable or don't configure this policy setting any user can disconnect the PC from the network or can connect th
mputer where this policy is applied.Users can still display the welcome screen by selecting it on the Start menu or by typing ""Welcome"" i
If you disable or do not configure this policy setting connected users will be enumerated on domain-joined computers.
and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system starts.If you
rograms are added to the standard list of programs and services that the system starts.If you enable this policy setting the system ignores
gure this policy setting the Logon UI will not enumerate local users on domain-joined computers.
en authentication is required.Windows Vista provides two default credential providers:Password and Smart Card. An administrator can ins
ng to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the Logon U
e the user logs on to this computer that has this policy applied.To specify values for this policy setting click Show. In the Show Contents dia
ackground image adopts the acrylic blur effect.
tup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for servic
policy setting users can choose which apps display notifications on the lock screen.
t configure this policy setting a domain user can set up and use a picture password.Note that the user's domain password will be cached in
configure this policy setting a domain user can't set up and use a convenience PIN.Note: The user's domain password will be cached in the
y setting users can't sign in with external security keys.
d as the Value name including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to e
n 3 modes: On Off and Audit. By default it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your organiza
ot as secure as newer algorithms used in Windows 2000 or later including this version of Windows.By default Net Logon will not allow the
useful in case the clientâ€™s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature
e this policy setting the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share e
in controllers (DC) discovers a DC that has not been discovered.- On the PDC attempts to add the <DomainName>[1B] NetBIOS name if it
tting is enabled the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even w
then enter the desired value in seconds (for example the value "60" is 1 minute).If you do not configure this policy setting it is not applied
ormation is logged.If you enable this policy setting and specify a non-zero value debug information will be logged to the file. Higher values
y setting the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netl
me set in this setting DC Discovery immediately fails without attempting to find the DC.The default value for this setting is 45 seconds. The
information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BAC
nd replication.To specify the site name for this setting click Enabled and then enter the site name. When the site to which a computer belo
g to the Use maximum DC discovery retry interval policy setting but when the value set in this policy setting is reached no more retries occ
or this setting is 10 minutes (10*60). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this
10 minutes then 20 minutes and then 40 minutes but when the interval reaches the value set in this setting that value becomes the retry i
on to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200) wh
old and new operating systems the default DC locator discovery behavior may be insufficient to find DCs running a newer operating syste
ets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remo
s and the NetBIOS domain name is known the algorithm then uses NetBIOS-based discovery as a fallback mechanism.NetBIOS-based disco
ectory domain. When DC Locator finds a domain controller it caches domain controllers to improve the efficiency of the location algorithm
turned DC IP address was IPv4. But with the support of IPv6 the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address
nd are used to locate the DC.The Priority field in the SRV record sets the preference for target hosts (specified in the SRV recordâ€™s Targ
e domain controller (DC).To specify the TTL for DC Locator DNS records click Enabled and then enter a value in seconds (for example the va
ce and they are used to locate the DC.The Weight field in the SRV record can be used in addition to the Priority value to provide a load-bal
ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed the DC may do an addres
or the DC Locator DNS records that will not be registered by the DCs to which this setting is applied.Select the mnemonics from the follow
e Locator algorithm to locate the DC.If you enable this policy setting DCs to which this setting is applied dynamically register DC Locator DN
the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update.DCs configured to perform dyna
urce records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides and reco
tered for the site where the DC resides and records registered by a DC configured to register DC Locator DNS SRV records for those sites w
ered for the site where the GC resides and records registered by a GC configured to register GC Locator DNS SRV records for those sites wi
during DC Location streamlines network traffic more effectively.The DC Locator service is used by clients to find domain controllers for the
same forest exists). These DNS records are dynamically registered by the Net Logon service and they are used to locate the DC.If you enab
resolution only if DNS name resolution fails. This policy including the specified default behavior is not used if the AllowSingleLabelDnsDom
If the AllowDnsSuffixSearch policy is disabled then NetBIOS name resolution is used exclusively to locate a domain controller hosting an Ac
ost name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV reco
this policy setting history of Clipboard contents are not allowed to be stored. Policy change takes effect immediately.
under the same Microsoft account or Azure AD account. If you disable this policy setting Clipboard contents cannot be shared to ot
ctivities of type User Activity are not allowed to be published. Policy change takes effect immediately.
y setting activities of type User Activity are not allowed to be uploaded. Deletion of activities of type User Activity are independent o
oss device graph of the user. If you disable this policy setting activities can't be published and ActivityFeed shall disable cloud sync.
o never expire if the policy is set to 0.Default: 0.
ally. PIN history is not preserved through PIN reset.The value must be between 0 to 50 PINs. If this policy is set to 0 then storage of previo
n the number configured in the Minimum PIN length policy setting or the number 4 whichever is greater.If you configure this policy setting
number configured in the Maximum PIN length policy setting or the number 127 whichever is the lowest.If you configure this policy settin
ow the user to include digits in their PINs.If you do not configure this policy setting Windows allows but does not require digits in the PIN.
g Windows does not allow the user to include lowercase letters in their PIN.If you do not configure this policy setting Windows allows but d
g Windows does not allow the user to include uppercase letters in their PIN.If you do not configure this policy setting Windows allows but
r plan from the Active Power Plan list.If you disable or do not configure this policy setting users control this setting.
ou enable this policy setting you must specify a power plan specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX-XX
t the desired action.If you disable this policy setting or do not configure it users can see and change this setting.
t the desired action.If you disable this policy setting or do not configure it users can see and change this setting.
he desired action.If you disable this policy setting or do not configure it users can see and change this setting.
he desired action.If you disable this policy setting or do not configure it users can see and change this setting.
e desired action.If you disable this policy setting or do not configure it users can see and change this setting.
e desired action.If you disable this policy setting or do not configure it users can see and change this setting.
ble this policy or do not configure this policy setting users control this setting.
ble this policy or do not configure this policy setting users control this setting.
e automatically turned on at (and below) the specified level.If you disable or do not configure this policy setting users control this setting.
e automatically turned on at (and below) the specified level.If you disable or do not configure this policy setting users control this setting.
ndows turns off the hard disk.If you disable or do not configure this policy setting users can see and change this setting.
ndows turns off the hard disk.If you disable or do not configure this policy setting users can see and change this setting.
Hibernate-Shut downIf you disable or do not configure this policy setting users control this setting.
ttery level that triggers the critical notification.To set the action that is triggered see the "Critical Battery Notification Action" policy setting.
bernate-Shut downIf you disable or do not configure this policy setting users control this setting.
y level that triggers the low notification.To set the action that is triggered see the "Low Battery Notification Action" policy setting.If you dis
t triggers the reserve power notification.If you disable or do not configure this policy setting users can see and change this setting.
remaining equals the low battery notification level. To configure the low battery notification level see the "Low Battery Notification Level"
a period of user inactivity.If you disable or do not configure this policy setting applications services or drivers do not prevent Windows fro
a period of user inactivity.If you disable or do not configure this policy setting applications services or drivers do not prevent Windows fro
policy setting the computer does not automatically sleep when network files are open.
policy setting the computer does not automatically sleep when network files are open.
e this policy setting network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks on
e this policy setting network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN networks on
ut the computer in a sleep state.If you disable this policy setting standby states (S1-S3) are not allowed.
ut the computer in a sleep state.If you disable this policy setting standby states (S1-S3) are not allowed.
e system resumes from sleep.If you disable this policy setting the user is not prompted for a password when the system resumes from slee
e system resumes from sleep.If you disable this policy setting the user is not prompted for a password when the system resumes from slee
should elapse before Windows transitions to hibernate.If you disable or do not configure this policy setting users control this setting.If the
should elapse before Windows transitions to hibernate.If you disable or do not configure this policy setting users control this setting.If the
uld elapse before Windows transitions to sleep.If you disable or do not configure this policy setting users control this setting.If the user has
uld elapse before Windows transitions to sleep.If you disable or do not configure this policy setting users control this setting.If the user has
in seconds indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you s
in seconds indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended. If you s
ers control this setting.
ers control this setting.
ybrid Sleep Stand By or Hibernate).If you disable or do not configure this policy setting users control this setting.
ybrid Sleep Stand By or Hibernate).If you disable or do not configure this policy setting users control this setting.
ch idle time should elapse before Windows automatically reduces the brightness of the display.Windows will only reduce the brightness o
ch idle time should elapse before Windows automatically reduces the brightness of the display.Windows will only reduce the brightness o
the display brightness when Windows automatically reduces brightness of the display.If you disable or do not configure this policy setting
the display brightness when Windows automatically reduces brightness of the display.If you disable or do not configure this policy setting
on what users do with their keyboard or mouse to keep the display on.If you disable this policy setting Windows uses the same setting rega
on what users do with their keyboard or mouse to keep the display on.If you disable this policy setting Windows uses the same setting rega
before Windows turns off the display.If you disable or do not configure this policy setting users control this setting.If the user has configure
before Windows turns off the display.If you disable or do not configure this policy setting users control this setting.If the user has configure
ktop background slideshow is disabled.If you disable or do not configure this policy setting users control this setting.
ktop background slideshow is disabled.If you disable or do not configure this policy setting users control this setting.
mage. If you enable or do not configure this policy setting the items "Use a system image you created earlier to recover your computer"
tting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote Assist
staff using Offer (Unsolicited) Remote Assistance.If you disable this policy setting users on this computer cannot get help from their corpor
. Also users can use instant messaging programs to allow connections to this computer and you can configure additional Remote Assistanc
er computer.The "Display warning message before connecting" policy setting allows you to specify a custom message to display before a u
timization setting.For example:"Turn off background" will include the following optimizations:-No full window drag-Turn off background"F
tting log files are not generated.If you do not configure this setting application-based settings are used.
ng Windows NT4 (all service packs) cannot process authentication information supplied in this manner. If you disable this policy setting RP
was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAP
eded state data is required for troubleshooting RPC problems.If you disable this policy setting the RPC runtime defaults to "Auto2" level.If
ame of the computer on which the error occurred or from which it was propagated. Programs can retrieve the extended error information
uld be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change to this p
n the IIS server running the RPC/HTTP proxy. In such cases RPC/HTTP clients may encounter errors because connections will be timed out f
s.If you enable this policy setting no access is allowed to any removable storage class.If you disable or do not configure this policy setting w
sions.If you disable or do not configure this policy setting remote users cannot open direct handles to removable storage devices in remot
cy setting execute access is allowed to this removable storage class.
ng read access is allowed to this removable storage class.
tting write access is allowed to this removable storage class.
read access is allowed to these removable storage classes.
ng write access is allowed to these removable storage classes.
e or do not configure this policy setting execute access is allowed to this removable storage class.
not configure this policy setting read access is allowed to this removable storage class.
do not configure this policy setting write access is allowed to this removable storage class.
is allowed to this removable storage class.
d to this removable storage class.
ed to this removable storage class.Note: To require that users write data to BitLocker-protected storage enable the policy setting "Deny w
can set the number of seconds you want the system to wait until a reboot.If you disable or do not configure this setting the operating syst
y setting execute access is allowed to this removable storage class.
g read access is allowed to this removable storage class.
ng write access is allowed to this removable storage class.
age class.If you disable or do not configure this policy setting read access is allowed to this removable storage class.
orage class.If you disable or do not configure this policy setting write access is allowed to this removable storage class.
he computer.If you enable this policy setting user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the D
display the instructions in the shutdown script.If you enable this policy setting the system displays each instruction in the shutdown script
s in the startup script.If you enable this policy setting the system displays each instruction in the startup script as it runs. Instructions appe
ntil the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts work
runs the next startup script.If you enable this policy setting the system does not coordinate the running of startup scripts. As a result start
dows PowerShell scripts. If you enable this policy setting within each applicable Group Policy Object (GPO) Windows PowerShell scripts ar
rShell scripts. If you enable this policy setting within each applicable Group Policy Object (GPO) PowerShell scripts are run before non-Pow
finish running. If the scripts have not finished running when the specified time expires the system stops script processing and records an e
on on the ROCA vulnerability please see:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361https://en.wikipedia.org/wiki/
aging by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers.If you enable t
figuration Tasks window is not displayed when an administrator logs on to the server. If you disable this policy setting the Initial Configurati
e this policy setting Server Manager is displayed automatically when a user logs on to the server.If you do not configure this policy setting
em.This includes a policy requiring all binaries loaded in these processes to be signed by microsoft as well as a policy disallowing dynamica
nated if they attempt to cancel shutdown or block it indefinitely.If you enable this setting console applications or GUI applications without
ates would not be downloaded for the Disk Failure Prediction Failure Model. Not configured: Same as Enabled.
machine runs into storage pressure. This cadence can be changed in Storage settings or set with the "Configure Storage Sense cadence" gr
e the userâ€™s temporary files that are not in use. Users cannot disable this setting in Storage settings.Disabled:Storage Sense will not dele
sired Storage Sense cadence. Supported options are: daily weekly monthly and during low free disk space. The default is 0 (during low free
t.Enabled:You must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates it fro
ny effect.Enabled:You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Sup
olicy does not have any effect.Enabled:You must provide the minimum number of days a file can remain unopened before Storage Sense d
vent of a problem to restore their computers to a previous state without losing personal data files. The behavior of this policy setting depe
sonal data files. By default System Restore is turned on for the boot volume.If you enable this policy setting System Restore is turned off a
ection and troubleshooting only the DPS will detect problems and attempt to determine their root causes. These root causes will be logged
egabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached.If you disable or do not configure th
uter Configuration\Administrative Templates\Windows Components\Application Compatibility.
plication installation failures during application runtime and drivers blocked due to compatibility issues. When failures are detected the PC
display. Windows will attempt to present you with a dialog box when a system restart is required. This is the default recovery behavior for
gnostic message. The custom text may not exceed 512 characters. If you disable or do not configure this policy setting Windows displays th
ws. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S.M.A.R.
solve automatically any heap corruption problems.If you disable this policy setting Windows cannot detect troubleshoot and attempt to re
y setting administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem.If you disable this
MSDT may prompt the user to download additional tools for troubleshooting.These tools are required to completely troubleshoot the pro
icy setting users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem.By default the support p
tting will allow the user to configure how troubleshooting is applied.Enabling this policy allows you to configure how troubleshooting is app
ned on. Windows will prompt the user with a dialog box when application reinstallation is required. This is the default recovery behavior o
g only Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resolution. If y
the signer of any diagnostic package and runs only those signed by trusted publishers.If you disable or do not configure this policy setting
.If you enable or do not configure this policy setting users can access and run the troubleshooting tools from the Troubleshooting Control P
hin the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states "Do you want the most up-to
hooting only the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their root cau
ult.If you disable this policy setting the DPS is not able to diagnose memory leak problems.This policy setting takes effect only under the fo
on and troubleshooting only the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to determ
ubleshooting only the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determine the
nd troubleshooting only the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and attempt to
ubleshooting only the Diagnostic Policy Service (DPS) will detect Windows System Responsiveness problems and attempt to determine the
he operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requir
ng sent to the TPM on the computer. TPM commands are referenced by a command number. For example command number 129 is TPM_
Ready including if the TPM is â€œReady with reduced functionalityâ€. The prompt to clear the TPM will start occurring after the next reb
cy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System
blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list.The default list of blocked TPM
ed TPM commands and will only block those TPM commands specified by Group Policy or the default list.The local list of blocked TPM com
uration for Standard User Lockout Duration equals this value the standard user is prevented from sending commands to the Trusted Platfo
ands with an authorization failure within the duration equals a threshold a standard user is prevented from sending commands requiring a
s within the duration for Standard User Lockout Duration equals this value all standard users are prevented from sending commands to th
s created at the location that is specified by the administrator.For the Windows XP Professional and Windows 2000 Professional operating
e share storing the user's profile and 64 kilobytes of data is transfered. From that connection and data transfer the network's latency and
s with roaming profiles log off the system also saves a copy of their roaming profile on the hard drive of the computer they are using in cas
ser profile was accessed.If you enable this policy setting the User Profile Service will automatically delete on the next system restart all use
e. When the system detects a slow link the related policy settings in this folder tell the computer how to respond.If you enable this policy
e profile is created at the location that is specified by the administrator.For Windows 2000 Professional pre-SP4 and Windows XP pre-SP1
you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this polic
the user with a temporary profile. This policy setting allows the administrator to disable this behavior preventing Windows from loggin on
or user data on computers where the user might not want to download private data such as on a meeting room computer or on a comput
xplaining that any of the following events has occurred:-- The system detects a slow connection between the user's computer and the ser
ated to a roaming user (which includes the user's settings data Windows Installer related data and the like) when their profile is deleted. A
ng. As a result the user profile might not be current and local and roaming user profiles might not match.When a user logs off of the comp
ave already logged on to this computer in the past the roaming profile is merged with the local profile. Similarly when the user logs off thi
ofile is copied down to the local computer. If the user has logged on to the computer in the past the roaming profile is merged with the loc
owed to define whether they want their roaming profile to be downloaded when a slow link with their roaming profile server is detected.In
seful for the cases in which a network might take typically longer to initialize such as with a wireless network.Note: Windows doesn't wait
are in the form \\Computername\Sharename\. It is recommended to use a path such as \\Computername\Sharename\%USERNAME% to
and regular profiles are not be uploaded) and uploads it only if the user is logged on. This policy setting does not stop the roaming user pr
cal or network location creating a new folder for each user name.To use this policy setting in the Location list choose the location for the h
s apps.If you disable or do not configure this policy setting users can control whether apps can use the advertising ID for experiences acros
tion may be controlled by setting one of the following options:"Always on" - users will not be able to change this setting and the user's nam
ection but does not respond in the time allowed.This policy setting and related policy settings in this folder together define the system's re
ar during file scanning.If you disable or do not configure this policy setting the file scan progress window appears.
he quota. If the quota is greater than 50 MB Windows File Protection adds other important Windows XP files to the cache until the cache
setting select a rate from the "Scanning Frequency" box. You can use this setting to direct Windows File Protection to scan files more often
this setting or do not configure it the Windows File Protection cache is located in the %Systemroot%\System32\Dllcache directory.Note: D
machines use the settings provided here. Otherwise the service on target machines use locally configured settings values.For more details
nfigure this policy setting the WIndows NTP Client uses the defaults of each of the following parameters.NtpServerThe Domain Name Syst
his service if you decide to use a third-party time provider.If you enable this policy setting you can set the local computer clock to synchron
disable or do not configure this policy setting your computer cannot service NTP requests from other computers.
of approved Activex Install sites specified by host URL. If you enable this setting the administrator can create a list of approved ActiveX Ins
sable or do not configure this policy setting ActiveX controls prompt the user before installation. If the trusted site uses the HTTPS protoco
SharedLocal folder. This folder is available through the Windows.Storage API. If you disable this policy a Windows app can't share app
s Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).If you disable or do no
user signs off:Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting appliesMandatory user p
Microsoft Store apps and install them directly from an IDE. If you disable or do not configure this setting you cannot develop Microso
cy setting then the system will not archive any apps.If you do not configure this policy setting (default) then the system will follow default
on volumes that are not the system volume. If you disable or do not configure this setting you can move or install Windows apps on ot
install an app will need to do so from an Administrator context (for example an Administrator PowerShell window). All users will still be a
e the app is installed. If you disable or do not configure this setting then when an app is moved to a different volume the users' app da
age Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If yo
amily Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you ch
Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choose
ame for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choose th
g a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A p
e for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choose the "
ame for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choose th
the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default s
e for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choose the "
ly Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choo
y Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choose
er a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app
oice keyword by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to be activated w
ract with applications using speech while the system is locked by using Settings > Privacy on the device.If you choose the "Force Allow" op
can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the d
Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you
Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choose
ou can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides th
ckage Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.I
icy setting Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account in
k that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.If you enable this pol
a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.If you enable this po
clare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows apps wh
tion capability on a computer.If you enable this policy setting you can define additional Content URI Rules that all Windows Store apps tha
e MS-DOS subsystem which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application o
property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting leg
match for the application is found it provides either run-time solutions or compatibility fixes or displays an Application Help message if the
pplication Telemetry off by selecting "enable" will stop the collection of usage data.If the customer Experience Improvement program is tu
sed to help diagnose compatibility problems.If you enable this policy setting the Inventory Collector will be turned off and data will not be
rompt the user with recommended solutions. To configure the diagnostic settings for the PCA go to System->Troubleshooting and Diagno
ting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input user interfac
pplications and new behavior to new applications. Switchback is on by default.If you enable this policy setting Switchback will be turned off
ure this policy setting AutoPlay is enabled for non-volume devices.
en a device is connected. If you disable or do not configure this policy setting AutoPlay remembers user's choice of what to do when
ws Vista when media containing an autorun command is inserted the system will automatically execute the program without user interve
tart immediately. Prior to Windows XP SP2 Autoplay is disabled by default on removable drives such as the floppy disk drive (but not
an backup only volumes hosting OS components and no data only volumes can be backed up.If you disable or do not configure this policy s
Backup to run backups to a locally attached storage or disk.If you disable or do not configure this policy setting there is no restriction on lo
to run backups to a network share.If you disable or do not configure this policy setting there is no restriction on network share being back
to run backups to an optical media.If you disable or do not configure this policy setting there is no restriction on optical media being back
non-scheduled run-once backups.If you disable or do not configure this policy setting there is no restriction on running run-once backups.
s domain users to log on to a domain-joined computer using biometrics.If you disable this policy setting Windows prevents domain users f
lications that use biometrics on Windows. If you want to enable the ability to log on with biometrics you must also configure the "Allow us
users to log on using biometrics" policy setting will need to be enabled for domain users to log on to the domain.If you enable or do not co
ve.If you enable this policy setting you can configure the fast user switch event timeout to specify the number of seconds the event remain
fing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanced anti
This policy setting is applied when you turn on BitLocker.If you enable this policy setting you can specify the path that will be used as the d
ct if the drive is already encrypted or if encryption is in progress.If you enable this policy setting you will be able to configure an encryption
ct if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft Te
ct if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft Te
08 or Windows Vista. This policy setting is applied when you turn on BitLocker.Two recovery options can be used to unlock BitLocker-encr
ices connected to the host Thunderbolt PCI ports. Every time the user locks the machine DMA will be blocked on hot plug Thunderbolt PC
a. This policy setting applies only when BitLocker protection is enabled.If you enable this policy setting memory will not be overwritten whe
tification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatically adde
d by BitLocker to prevent data loss due to lack of key information. This policy setting is only applicable to computers running Windows Serv
he enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates may be used to authenticate a user certificate to a B
ack 3 (SP3) or Windows XP with Service Pack 2 (SP2) operating systems.If this policy setting is enabled or not configured fixed data drives fo
ecovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. Before a
sed encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.If you enable thi
requirements on the password and configure a minimum length for the password. For the complexity requirement setting to be effective
ed to authenticate user access to the drive. You can require a smart card authentication by selecting the "Require use of smart cards on fix
mounted as read-only. If the drive is protected by BitLocker it will be mounted with read and write access.If you disable or do not configure
ready encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turne
N with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on compliant
ers and spaces. This policy setting is applied when you turn on BitLocker.If you enable this policy setting all new BitLocker startup PINs set
d computers to automatically unlock the operating system drive when the computer is started.If you enable this policy clients configured w
ads firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing pre-boot c
er.The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocke
ngth of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting you can require a minimum number of d
message and URL" option the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. If you ha
e a compatible TPM or if BitLocker has already been turned on with TPM protection.If you enable this policy setting before turning on BitL
e a compatible TPM or if BitLocker has already been turned on with TPM protection.Important: This group policy only applies to computer
e a compatible TPM or if BitLocker has already been turned on with TPM protection.Important: This group policy only applies to computer
ware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.If you en
orce complexity requirements on the password and configure a minimum length for the password. For the complexity requirement setting
rn on BitLocker.If you enable this policy setting standard users will not be allowed to change BitLocker PINs or passwords.If you disable or
t used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password.If
This policy setting is applied when you turn on BitLocker.Note: Only one of the additional authentication options can be required at startu
ng is applied when you turn on BitLocker.Note: This policy is only applicable to computers running Windows Server 2008 or Windows Vist
eshed when Windows is started following BitLocker recovery.If you disable this policy setting platform validation data will not be refreshed
t settings or both.If you disable this policy setting the computer will revert to a BCD profile similar to the default BCD profile used by Wind
vice Pack 3 (SP3) or Windows XP with Service Pack 2 (SP2) operating systems.If this policy setting is enabled or not configured removable d
data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable data driv
are-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.If you ena
equirements and configure a minimum length. For the complexity requirement setting to be effective the Group Policy setting "Password m
sed to authenticate user access to the drive. You can require a smart card authentication by selecting the "Require use of smart cards on r
w users can configure BitLocker. Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to run the
r-protected will be mounted as read-only. If the drive is protected by BitLocker it will be mounted with read and write access.If the "Deny
a devices will be disabled.
l popups explaining how to use Windows. Microsoft uses diagnostic data to determine which tips to show.Note: If you disable or do not co
default fallback content.If you disable or do not configure this policy Windows experiences will be able to use cloud optimized content.
soft and notifications about their Microsoft account.If you disable or do not configure this policy setting users may see suggestions from M
gure it your PC is discoverable and can be projected to above lock screen only. The user has an option to turn it always on or off except for
his to 'Always' all pairings will require PIN.
pes a password in the password entry text box.If you disable or do not configure this policy setting the password reveal button will be disp
e a running application.If you enable this policy setting all local administrator accounts on the PC will be displayed so the user can choose
policy affects nonlogon authentication tasks only. As a security best practice this policy should be enabled.If you enable this policy setting
nostic data collected from the Windows device and the customer will be the controller. The device must be registered in Azure AD for this
y Desktop Analytics. 2 â€“ Diagnostic data is allowed to be processed by Desktop Analytics. If you disable or do not configure
iagnostic data.
The diagnostic data collected under this policy impacts the operating system and apps that are considered part of Windows and does not
by Update Compliance. 16 â€“ Diagnostic data is allowed to be processed by Update Compliance. If you disable or do not co
s not processed by Windows Update for Business cloud.. 8 â€“ Diagnostic data is allowed to be processed by Windows Update for
policy setting the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data back to M
our organizationâ€™s network (and optionally a port number if desired). The connection will be made over a Secure Sockets Layer (SSL) co
c data change notifications" diagnostic data opt-in change notifications will not appear.If you set this policy setting to "Enable diagnostic d
n the Settings app.If you donâ€™t configure this policy setting or you set it to "Enable diagnostic data opt-in settings" end users can chang
oad endpoint then use this setting to define that endpoint.The value for this setting will be provided by Microsoft as part of the onboardin
to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provi
age preventing the deletion of diagnostic data collected by Microsoft from the device.If you disable or don't configure this policy setting th
ed in Settings page and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device.If you disable or do
e.If you disable or don't configure this policy setting Windows will periodically download configuration settings from the OneSettings servi
eedback app.If you disable or do not configure this policy setting users may see notifications through the Windows Feedback app asking u
onfiguration settings from the OneSettings service to the Microsoft\Windows\Privacy-Auditing\Operational EventLog channel.If you disabl
red to send optional diagnostic data.By enabling this policy setting diagnostic logs will not be collected.If you disable or do not configure t
c data.By enabling this setting Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps.If you disabl
following steps: 1. Enable this policy setting 2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data" 3. Enable the
ng users can download and install preview builds of Windows by configuring Windows Insider Program settings.If you disable this policy se
ice runs low on disk space.
40%). The device can download from peers while on battery regardless of this policy.The value 0 means "not-limited"; The cloud service se
esses. To add multiple values separate each FQDN or IP address by commas.
he client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Server Ho
ow downloads from peers first).
yload or complementing the bytes that could not be downloaded from Peers.Note that a download that is waiting for peer sources will ap
w downloads from peers first).
he entire payload or complementing the bytes that could not be downloaded from Peers.Note that a download that is waiting for peer so
d with peering behind the same NAT.2 = HTTP blended with peering across a private group. Peering occurs on devices in the same Active D
or on the corporate domain network.
or are not on the same LAN.Note: this is a best effort optimization and should not be relied on for an authentication of identity.
he longer and make the files available for uploads to other devices as long as the cache size has not exceeded.
ery Optimization dynamically adjusts to use the available bandwidth for downloads.
that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
ery Optimization dynamically adjusts to use the available bandwidth for downloads.
that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
ownload from HTTP source to achieve the specified minimum QoS value.
policy is set the disk size check will apply to the new working directory specified by this policy.
1 GB to 4 GB.
t).These options apply to both Download Mode LAN (1) and Group (2).
d automatically from the selected source. If you set this policy the GroupID policy will be ignored.The options set in this policy only apply t
been digitally signed will not be extracted.If you disable or do not configure this setting both signed and unsigned gadgets will be extracted
not configure this setting desktop gadgets will be turned on.The default is for desktop gadgets to be turned on.
indows will run user-installed gadgets.The default is for Windows to run user installed gadgets.
s policy setting Flip 3D is inaccessible. If you disable or do not configure this policy setting Flip 3D is accessible if desktop composition is tur
sable or do not configure this policy setting window animations are turned on. Changing this policy setting requires a logoff for it to be app
default visuals.Note: If this policy setting is enabled users can continue to select a color in Start Personalization. However setting the acce
olicy setting you allow users to change the default window frame color. Note: This policy setting can be used in conjunction with the "Spec
oes not specify a color. If you disable or do not configure this policy setting the default internal color is used if the user does not specify a
ve Directory.Note: Additional requirements may apply on certain Windows SKUs. Refer to Azure Active Directory Device Registration Overv
d and stored in the user's Windows Marketplace Digital Locker.If you enable this setting Digital Locker will not run.If you disable or do not
n from the screen edges.
s to the user.
ent to the Event Collector by the source computer. This may be required in high volume environments.If you disable or do not configure t
ter to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics.Use the following syntax wh
vents" policy setting is enabled the Event Log file is automatically closed and renamed when it is full. A new file is then started.If you disab
an access the log.If you disable or do not configure this policy setting all authenticated users and system services can write read or clear th
ct the both modern and legacy tools.If you enable this policy setting only those users matching the security descriptor can access the log.If
ou disable or do not configure this policy setting and a log file reaches its maximum size new events overwrite old events.Note: Old events
ses the path specified in this policy setting.If you disable or do not configure this policy setting the Event Log uses the folder %SYSTEMROO
483647 kilobytes) in kilobyte increments.If you disable or do not configure this policy setting the maximum size of the log file will be set to
og access" policy settings for this log in order to affect the both modern and legacy tools.If you enable this policy setting only those users w
only those users whose security descriptor matches the configured specified value can access the log.If you disable this policy setting only
47483647 kilobytes) in kilobyte increments.If you disable or do not configure this policy setting the maximum size of the log file will be set
an access the log.If you disable or do not configure this policy setting all authenticated users and system services can write read or clear th
ct the both modern and legacy tools.If you enable this policy setting only those users matching the security descriptor can access the log.If
ad from the log regardless of this policy setting.
ct the both modern and legacy tools.If you enable this policy setting only users whose security descriptor matches the configured value ca
onfigured value can access the log.If you disable this policy setting only system software and administrators can write or clear this log and
g it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. You c
ot configure this policy setting file shortcut icons that use remote paths are prevented from being displayed.Note: Allowing the use of rem
s presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or kno
m. This behavior is consistent with Windows Vista's behavior in this scenario.This disables access to user-defined properties and propertie
iations and other settings to default values. If you enable this policy setting on a machine that does not contain all programs installed in th
. If the group policy is not configured or disabled notifications will be shown to the end user if a new application has been installed that ca
n files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon the policy settings are
Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txtFor more information refer to the DISM documentation on TechNet.If th
sable this policy setting the hibernate option will never be shown in the Power Options menu.If you do not configure this policy setting use
nu.If you do not configure this policy setting users will be able to choose whether they want lock to show through the Power Options Cont
policy setting the sleep option will never be shown in the Power Options menu.If you do not configure this policy setting users will be able
e users open File Explorer and whenever they open new windows. If you disable or do not configure this policy setting users can choose ho
ame (for example 111 < 22 < 3).If you disable or do not configure this policy setting File Explorer will sort file names by increasing number v
mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able to open
able this policy setting Folder Redirection creates a temporary file in the old location in order to verify that new and old locations point to t
s cannot list or restore previous versions of files on local disks.If you disable this policy setting users cannot list and restore previous versio
or restore previous versions of files on file shares.If you disable this policy setting users can list and restore previous versions of files on fil
ia.If you enable this policy setting users cannot see any previous versions corresponding to backup copies and can see only previous versio
d when the user selects a previous version corresponding to a local file.If you disable this policy setting the Restore button remains active
able this policy setting the Restore button is disabled when the user selects a previous version corresponding to a backup.If you disable th
bled when the user selects a previous version corresponding to a file on a file share.If you disable this policy setting the Restore button rem
y can be activated to create regular automatic backups.
ft.com. On devices that are compatible with active digitizers enabling Find My Device will also allow the user to view the last location of use
ters to a homegroup. This policy setting does not affect other network sharing features.If you disable or do not configure this policy setting
a search provider from the provider's website.If you enable this policy setting the user can add and remove search providers but only from
same as Internet Explorer.If you disable or do not configure this policy setting "Save Target As" will not show up in the Internet Explorer m
rticular web applications.If you enable this policy setting OnUnLoad script handlers display UI during shutdown.If you disable or do not con
es.If you enable this policy setting users receive enhanced suggestions while typing in the Address bar. In addition users won't be able to c
e considered to be the same as newly installed add-ons and are not activated when the user upgrades to Internet Explorer 9.In Internet E
oft Edge. If any of the chosen versions are not installed on the device that preference will be bypassed.If both the Windows Update for th
string in the version portion of the User Agent header.If you disable or do not configure this policy setting Internet Explorer sends the curre
nt.If you disable this policy or do not configure it users will be prompted to download and install a component when visiting a Web site tha
ded in a file by the system administrator.If you enable this policy setting the user will not be able to do automatic configuration. You can im
ers can change their settings for dial-up connections.If you set the "Disable the Connections page" policy (located in \User Configuration\A
f you enable this policy setting you can specify which default home pages should load as secondary home pages. The user cannot set custo
owser allows the user to import favorites and feeds from other browsers. Importing settings from a file allows the user to import favorites
ge to Microsoft Edge's native 'Internet Explorer mode'.- Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge Stable C
n and notifying users if a new version is available.If you disable this policy or do not configure it Internet Explorer checks every 30 days by d
ayed.If you disable this policy or do not configure it the splash screen will be displayed when users start their browsers.
users' computers by using Open Software Distribution (.osd) technologies.If you enable this policy users will not be notified if their program
nager.If you disable or do not configure this policy setting the appropriate controls in the Add-On Manager will be available to the user.
ernet Explorer mode and work the same as Internet Explorer.If you disable or don't configure this policy extended hotkeys will not work in
he navigation bar includes features for browsing webpages searching the web by using a selection of search tools viewing a history of visit
on.If you disable this policy setting automatic upgrade of Internet Explorer will be turned off.If you do not configure this policy users can tu
snâ€™t enabled this policy has no effect.If you enable this policy all intranet sites are opened in Internet Explorer 11. The only exceptions a
e websites for which users turn on Enterprise Mode using the Tools menu.If you turn this setting on users can see and use the Enterprise M
art of the domains configured in the policy. When disabled or not configured all domains will be included in site discovery. This policy can
part of the zones configured in the policy. When disabled or not configured all Zones will be included in site discovery. This policy can be u
r do not configure it users of the same computer can establish their own proxy settings.This policy is intended to ensure that proxy settings
ter a list of sites which will be allowed to open pop-up windows regardless of user settings. Only the domain name is allowed so www.con
not configure this policy setting the user can use the "Fix settings" functionality.Note: When this policy setting is enabled the "Fix settings"
he Command bar. â€¢ The shortcut key F1 does not make Help appear. â€¢ Help cannot be accessed from the Settings charm (starting
ent. SmartScreen Filter also prevents the execution of files that are known to be malicious.If you enable this policy setting SmartScreen Filt
he Internet.If you enable this policy setting SmartScreen Filter warnings block the user.If you disable or do not configure this policy setting
ure sites.If you enable this policy setting the user cannot change the filter level. You can specify the filter level by importing Privacy settings
figure proxy settings.
u disable or do not configure this policy setting the user can change the default search provider.
ternet Explorer when he or she clicks links from other applications. You must specify one of the following: â€¢ Open in an existing Intern
hether tabs should open in the foreground or in the background. The user cannot open the tabs in the background by pressing Ctrl+Shift+S
e Search box does not appear in the Internet Explorer frame.If you disable or do not configure this policy setting the Search box appears b
ot configure this policy setting the user can add websites to or remove websites from the exception list.Note: You can allow a default list o
wn to host malware.If you enable this policy setting the user is not prompted to turn on SmartScreen Filter. All website addresses that are
y setting the user is not prompted to enable the phishing filter. You must specify which mode the phishing filter uses: manual automatic or
ptions command does not appear on the Help menu.If you disable this policy setting the user must participate in the CEIP and the Custome
e this policy setting ActiveX controls can be installed on a per-user basis.
of the following choices: â€¢ Skip the First Run wizard and go directly to the user's home page. â€¢ Skip the First Run wizard and go di
olicies\Microsoft\Internet Explorer\SearchScopes]). Normally search providers can be added from third-party toolbars or in Setup but the
bled. (To see the site management settings for security zones in the Internet Options dialog box click the Security tab and then click the Sit
n the Internet Options dialog box are disabled.If you disable this policy or do not configure it users can change the settings for security zon
ply to all users of that computer.If you disable this policy or do not configure it users of the same computer can establish their own securit
Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mode Site
fault. Low creates very few tab processes; medium creates a moderate amount of tab processes; and high allows the tab process to grow
es see an additional page in Internet Explorer 11 stating that a site has been opened using Microsoft Edge with Enterprise Mode.If you disa
k) the first home page the new tab page or the new tab page with my news feed.If you disable or do not configure this policy setting the u
the installation of ActiveX controls.If you disable or do not configure this policy setting ActiveX controls including per-user controls are inst
disable or do not configure this policy setting users can pin sites.
ernet Explorer has not used before a Notification bar will appear asking the user for approval.If you enable this policy setting the ActiveX O
wing his or her browsing and displays a button that opens the Disable Add-ons dialog box. The Disable Add-ons dialog box displays the load
do not configure this policy setting Automatic Crash Recovery prompts the user to recover his or her data after a program stops respondi
.If you disable this policy setting browser geolocation support is turned on.If you do not configure this policy setting browser geolocation s
in tabbed browsing. You must specify one of the following values: 0: Let Internet Explorer decide. 1: Force pop-up windows to open in
Pack 1 and earlier namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.If you dis
bar is turned on.If you do not configure this policy setting the user can turn on or turn off the Favorites bar.
o host malware.If you enable this policy setting the user is not prompted to turn on SmartScreen Filter. You must specify which mode the S
to be re-rendered at a scaled size.If you disable or do not configure this policy setting applications that host MSHTML respond to user inp
ed out) and all other pop-up manager controls notifications and dialog boxes will not appear. Pop-up windows will continue to function as
able or do not configure this policy setting Quick Tabs is turned on.
sion feature.If you disable or do not configure this policy setting the user can use the Reopen Last Browsing Session feature.
onfigure this policy setting the user can choose to view suggestions for all user-installed search providers that offer suggestions.
enable this policy setting tabbed browsing and related entry points are turned off for Internet Explorer and the user cannot turn them on.
esses. The user cannot change the auto-complete for web-address setting.If you disable this policy setting user will be suggested matches
pear until the user starts typing.If you disable or do not configure this policy setting when a user clicks in the Search box the quick pick men
is turned off.If you disable or do not configure this policy setting the feature is turned on.
you enable this policy setting ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering although they m
g information that is blocked by new Internet Explorer features. The user cannot turn off logging.If you disable this policy setting the user c
user cannot turn it off.If you disable this policy setting the menu bar appears in Internet Explorer by default and the user cannot turn it on
gated using a client management solution(SCCM) or other means. When disabled no data will be written to the WMI class. Enabling or dis
en setting this policy. When disabled no data will be written to the XML file. Enabling or disabling this setting will not impact other output
e user might want to visit.If you enable this policy setting the user is not prompted to enable Suggested Sites. The userâ€™s browsing hist
icy setting Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\
nnot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not overlap.If you
er cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not overlap.If
gh Group Policy. The user cannot add or delete Accelerators.If you disable or do not configure this policy setting the user can access any A
ccelerators and install new Accelerators.
ser is not prompted when a script that is running in any process on the computer performs a Clipboard operation. This means that if the zo
to prompt.If you enable this policy setting the user is not prompted when a script that is running in the Internet Explorer process perform
t Explorer processes use the "Bypass prompting for Clipboard access for scripts running in the Internet Explorer process" policy. If the "Byp
r and any printers under the Devices charm.If you enable this policy setting the Print menu in Internet Explorer will not be available. Startin
gs or in the tools menu in the desktop. Users wonâ€™t be able to use it to launch the report site problems dialog box.If you disable or do n
uring browser navigation. If a user visits a site on the compatibility lists the pages are automatically displayed in Compatibility View.If you d
Compatibility View button or manage the Compatibility View sites list.If you disable or do not configure this policy setting the user can use
s policy setting the user cannot use the Compatibility View button.If you disable or do not configure this policy setting the user can use the
rnet Explorer 7 Standards Mode or the Standards Mode available in the latest version of Internet Explorer.If you enable this policy setting
plorer uses the current user agent string for local intranet content. Additionally all local intranet Standards Mode pages appear in the Stan
move the entries that you specify.If you disable or do not configure this policy setting the user can add and remove sites from the list.
plorer.If you enable this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended).
install code for an Object Linking and Embedding (OLE) component.If you enable this policy setting the user cannot specify the download p
cookies history form data and passwords) are applied and those items are deleted.If you enable this policy setting deleting browsing histo
ick Internet Options click the General tab and then click Settings under Browsing history.If you enable this policy setting a user cannot set
the TechNet technical library.If you enable this policy setting the user cannot access the Delete Browsing History dialog box. Starting with
e ActiveX Filtering or Tracking Protection. In addition Tracking Protection data is also collected if users turn on the Personalized Tracking P
isable this policy setting cookies are deleted when the user clicks Delete.If you do not configure this policy setting the user can choose whe
he user clicks Delete.If you disable this policy setting download history is deleted when the user clicks Delete.If you do not configure this p
icks Delete.If you disable this policy setting favorites site data is deleted when the user clicks Delete.If you do not configure this policy setti
u disable this policy setting form data is deleted when the user clicks Delete.If you do not configure this policy setting the user can choose
arty items should be blocked when InPrivate Filtering is enabled. This feature is available in the Delete Browsing History dialog box.If you e
u disable this policy setting passwords are deleted when the user clicks Delete.If you do not configure this policy setting the user can choo
hen the user clicks Delete.If you disable this policy setting temporary Internet files are deleted when the user clicks Delete.If you do not con
user has visited are preserved when he or she clicks Delete.If you disable this policy setting websites that the user has visited are deleted
orer.If you enable this policy setting users will not be able to delete temporary Internet files and cookies.If you disable or do not configure
nting.If you disable this policy or do not configure it users can see and change these settings.When you set this policy you do not need to s
o not configure it users can see and change these settings.When you set this policy you do not need to set the following policies for the Co
hange these settings.
essibility.If you disable this policy or do not configure it users can see and change these settings.When you set this policy you do not need
figure it users can see and change these settings.
or do not configure it users can see and change these settings.When you set this policy you do not need to set the following policies for th
hentication.If you disable this policy or do not configure it users can see and change these settings.When you set this policy you do not ne
et Explorer.If you enable this policy setting the user cannot continue browsing.If you disable or do not configure this policy setting the use
ervers or to proxy servers.If you enable this policy setting you must specify when IDN server names should be sent: 0) Unicode domain n
you disable or do not configure this policy setting Internet Explorer sends mailto links encoded through the user's code page. This behavio
disable this policy setting active content on a CD will always prompt before running.If you do not configure this policy users can choose w
ava) that are required in order to view web pages as intended.If you enable this policy setting non-Internet Explorer components will be au
age that requires Japanese-text display support Internet Explorer could prompt the user to download the Japanese Language Pack compon
nable this policy setting Internet Explorer uses the HTTP2 network protocol.If you disable this policy setting Internet Explorer won't use the
ritization.If you enable this policy setting Internet Explorer uses the SPDY/3 network protocol.If you disable this policy setting Internet Expl
someone has tampered with the file.If you enable this policy setting users will be prompted to install or run files with an invalid signature.
h impact Internet Explorer's performance or stability.If you enable this policy setting Internet Explorer automatically launches any browse
NT:1 header signals to the servers not to track the user.For Internet Explorer 9 and 10:If you disable this policy setting Internet Explorer on
ted to install new versions as they become available.If you enable this policy setting Internet Explorer checks the Internet for a new version
on protects users from submitting confidential data to a site that may be fraudulent or not secure.If you enable this policy setting Internet
uters before downloading executable programs.If you enable this policy setting Internet Explorer will check the digital signatures of execut
d Mode and a website attempts to load the control Internet Explorer notifies the user and gives the option to run the website in regular Pro
disable add-ons that are not preapproved.If you enable this policy setting the user cannot use Reset Internet Explorer Settings.If you disab
may be insecure.If you enable this policy setting Internet Explorer will not save encrypted pages containing secure (HTTPS) information to
e computer or storing sensitive files that other users could see in addition to managing total disk space usage.If you enable this policy setti
applets are not.If you enable this policy setting Internet Explorer will play animated pictures found in Web content.If you disable this polic
lets are not.If you enable this policy setting Internet Explorer will play sounds found in Web content.If you disable this policy setting Intern
are not.If you enable this policy setting Internet Explorer will play videos found in Web content.If you disable this policy setting Internet Ex
MSHTML do not render text by using the Microsoft ClearType rendering engine.If you disable or do not configure this policy setting applicati
on between the browser and the target server. When the browser attempts to set up a protected communication with the target server th
ssly switches into view.If you enable this policy setting Internet Explorer doesn't load any websites or content in the background.If you dis
ompted to provide information.If you disable this policy setting then when a Web site requests Profile Assistant information users will be p
setting you must specify when to use UTF-8 to encode query strings: 0) Never encode query strings. 1) Only encode query strings for U
prediction works. This feature isn't available for Internet Explorer for the desktop.If you enable this policy setting flip ahead with page pred
Windows.Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used.If you enable this policy setti
ity such as using the Shift key to select text and copying a selection to the clipboard. This policy setting is particularly useful to users who d
so limits the locations Internet Explorer can read from in the registry and the file system.If you enable this policy setting Enhanced Protect
1.1.If you do not configure this policy setting users can configure Internet Explorer to use or not use HTTP 1.1.
this policy setting Internet Explorer does not use HTTP 1.1 through proxy connections.If you do not configure this policy setting users can c
the Internet Options dialog box. Users can change Content Advisor settings.If you disable or do not configure this policy setting Internet Ex
owsing session with the tabs from the last browsing session.If you enable this policy setting Internet Explorer starts a new browsing session
database and caches on Website Data Settings will be unavailable to users.If you disable this policy setting websites will not be able to sto
site database and caches on Website Data Settings will be unavailable to users.If you disable this policy setting websites will not be able to
limits for application caches. If a domain exceeds the application cache storage limit for an individual domain Internet Explorer sends an e
set this policy setting you provide the expiration time limit in days.If you enable this policy setting Internet Explorer will remove application
et Explorer displays a notification when a website exceeds the configured storage limit.If you disable or do not configure this policy setting
e limits for indexed databases. If a domain exceeds the indexed database storage limit for an individual domain Internet Explorer sends an
t Explorer sends an error to the website. No notification will be displayed to the user. When you set this policy setting you provide the reso
of resources allowed including the page that referenced the manifest Internet Explorer sends an error to the website. No notification will
user and the user must delete application caches before an updated one can be saved on their computer. The default maximum storage li
e user and the user must delete indexed databases before an updated database can be saved on their computer. The default maximum st
ect a security level all values for individual settings in the zone will be overwritten by the standard template defaults.If you disable this tem
mapped into a zone are considered to be in the Intranet Zone.If you disable this policy setting local sites which are not explicitly mapped in
olicy setting network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).If you do not configure th
net Zone.If you disable this policy setting sites which bypass the proxy server aren't necessarily mapped into the Intranet Zone (other rules
Explorer has 4 security zones numbered 1-4 and these are used by this policy setting to associate sites to zones. They are: (1) Intranet zon
ng rules are applied automatically if the computer belongs to a domain.If you disable this policy setting automatic detection of the intrane
s issued for a different website address. This warning helps prevent spoofing attacks.If you enable this policy setting the certificate addres
ppings if they require them.If you enable this policy setting a Notification bar notification appears whenever the user browses to a page th
users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the drop-d
protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy.If you enable this policy se
box users are queried to choose whether to allow script code on pages in the zone to run.If you disable this policy setting script code on pa
ry and script behaviors are available. If you select Administrator approved in the drop-down box only behaviors listed in the Admin-approv
ation.If you select Prompt in the drop-down box users are queried as to whether to perform clipboard operations.If you disable this policy
tomatically. If you select Prompt in the drop-down box users are queried to choose whether to drag or copy files from this zone.If you disa
delivered.If you enable this policy setting files can be downloaded from the zone.If you disable this policy setting files are prevented from
mpt is selected in the drop-down box users are queried whether to allow HTML fonts to download.If you disable this policy setting HTML fo
utomatically.If you select Prompt in the drop-down box users are queried to choose whether to install desktop items from this zone.If you
nd take advantage of the Windows Presentation Foundation platform for the web.If you enable this policy setting and set the drop-down b
graphics that take advantage of the Windows Presentation Foundation.If you enable this policy setting and set the drop-down box to Enab
licy setting and set the drop-down box to Enable XPS files are automatically loaded inside Internet Explorer. The user cannot change this b
.If you enable this policy setting a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another
ted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current site or fro
his policy setting the TDC Active X control will run from all sites in this zone.
le Explorer. Search results will be returned in File Explorer and can be acted upon like local files.If you enable this policy setting users can
ed by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer) it might aff
g script access to the WebBrowser control is not allowed.If you do not configure this policy setting the user can enable or disable script ac
in this zone. The security zone runs without the added layer of security provided by this feature.If you disable this policy setting the possib
gure this policy setting the user can enable or disable scriptlets.
his policy setting script is not allowed to update the status bar.
ou selected Prompt in the drop-down box users are asked to choose whether to allow VBScript to run.If you selected Disable in the drop-d
ontrols or media players.The dynsrc attribute on the img tag specifies an older media player. Also as of Internet Explorer 8 this policy settin
ave no status bar or Address bar.If you disable this policy setting websites cannot open new Internet Explorer windows that have no statu
ny scripted windows by using the Notification bar.If you do not configure this policy setting the user can enable or disable the Notification
o not have installed.If you disable this policy setting ActiveX control installations will be blocked using the Notification bar. Users can click
tting users will receive a file download dialog for automatic download attempts.If you disable or do not configure this setting file download
you enable this policy setting and the drop-down box is set to Enable the user does not receive a security information message (This page
th a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate.If you disable this pol
h your antimalware program to see if it's safe to create an instance of the ActiveX control.If you disable this policy setting Internet Explore
lect Prompt in the drop-down box users are queried whether to download controls signed by publishers who aren't trusted. Code signed b
icy setting users can run unsigned controls without user intervention. If you select Prompt in the drop-down box users are queried to choo
rs can drag content from one domain to a different domain when the source and destination are in different windows. Users cannot chang
rs can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot chang
If you enable this policy setting the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the added l
he server. For instance files sent from the user's desktop may contain the user name as a part of the path.If you enable this policy setting
ata or scripts. This setting is not recommended except for secure and administered zones. This setting causes both unsafe and safe contro
enables applets to perform all operations.Medium Safety enables applets to run in their sandbox (an area in memory outside of which the
applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop-down
t account only for the Common Internet File System (CIFS) protocol.Prompt for user name and password to query users for user IDs and p
ns and access applications from other domains. If you select Prompt in the drop-down box users are queried whether to allow windows an
e or Disable under Options in Group Policy Editor.If you disable or do not configure this policy setting users can choose whether or not to r
d from an object tag and managed executables referenced from a link.If you enable this policy setting Internet Explorer will execute unsig
om an object tag and managed executables referenced from a link.If you enable this policy setting Internet Explorer will execute signed m
ou selected Prompt in the drop-down box users are asked to choose whether to allow the controls or plug-in to run.If you disable this poli
tion.If you select Prompt in the drop-down box users are queried to choose whether to allow script interaction.If you disable this policy se
in the drop-down box users are queried to choose whether to allow scripts to access applets.If you disable this policy setting scripts are pr
plorer for example).If you enable this policy setting and set the drop-down box to Enable these files open without a security warning. If yo
re updates by e-mail software packages to be automatically downloaded to users' computers and software packages to be automatically i
SSL form data submission.If you enable this policy setting information using HTML forms on pages in this zone can be submitted automatic
platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes the new
pprove the control. This policy setting determines whether the user is prompted.If you enable this policy setting the first-run prompt is tur
this zone and the XSS Filter attempts to block cross-site script injections.If you disable this policy setting the XSS Filter is turned off for site
the file system.If you enable this policy setting Protected Mode is turned on. The user cannot turn off Protected Mode.If you disable this p
s policy setting SmartScreen Filter does not scan pages in this zone for malicious content.If you do not configure this policy setting the use
pop-up windows are prevented from appearing.If you disable this policy setting pop-up windows are not prevented from appearing.If you
tate of the page can be restored if this policy setting is appropriately configured.If you enable this policy setting users can preserve inform
n new windows in or navigate into this zone. The security zone will run without the added layer of security that is provided by the Protecti
his policy setting script is allowed to update the status bar.
tting users will receive a file download dialog for automatic download attempts.If you disable or do not configure this setting users will rec
ew windows in or navigate into this zone. The security zone will run without the added layer of security that is provided by the Protection
ther domains and access applications from other domains. If you select Prompt in the drop-down box users are queried whether to allow
ted protocols may be set in the Trusted Sites Zone Restricted Protocols section under Network Protocol Lockdown policy.If you enable thi
ther domains and access applications from other domains. If you select Prompt in the drop-down box users are queried whether to allow
Explorer does not open tiles on the desktop.If you do not configure this policy users can choose how Internet Explorer tiles are opened.
g Internet Explorer enforces your choice. Users cannot change the setting.If you disable or do not configure this policy setting users can cho
s bar if it is available.If you disable or do not configure this policy setting Internet Explorer does not go directly to an intranet site for a one
will be hidden.If you disable this policy setting the button to open Microsoft Edge from Internet Explorer will be shown.If you do not config
ber detection is turned off. Users won't be able to modify this setting.If you disable this policy setting phone number detection is turned o
iate software is installed.If you disable this policy setting Internet Explorer does not play these files.If you do not configure this policy setti
cannot change the specified action. â€¢ Do not search from the Address bar: The user cannot use the Address bar for searches. The user
forms a search in the Address bar a list of search results from the selected search provider is displayed in the main window. â€¢ Enable
user data is sent over the internet by this feature.If you enable this policy setting URL Suggestions will be turned off. Users will not be able
a web address in the browser Address bar. This feature provides more relevant results in the browser Address bar.If you enable this polic
onnects with a prespecified encryption. To ensure that the browser meets this requirement this policy setting allows you to specify the UR
ecking updates to Internet Explorer and Internet Tools. You must specify this URL.If you disable or do not configure this policy setting the
ate check interval.If you disable or do not configure this policy setting the user can specify the update check interval.
ocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However doing so m
blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However doing so
sing session. By default the computer does not load them when InPrivate Browsing starts.If you enable this policy setting toolbars and BHO
eferenced it. It is collected during non-InPrivate (normal) browsing sessions.If you enable this policy setting InPrivate Filtering data collectio
history and other data.If you enable this policy setting InPrivate Browsing is turned off.If you disable this policy setting InPrivate Browsing
rivate Filtering does this by identifying third-party content that is used by multiple websites that users have visited.If you enable this policy
Tracking Protection does this by identifying third-party content that is used by multiple websites that users have visited.If you enable this
that you do not allow insecure fallback in order to prevent a man-in-the-middle attack.This policy does not affect which security protocols
n the current password value is visible until the mouse button is released (or until the tap ends).If you enable this policy setting the reveal
et Explorer does not turn on Data Execution Prevention on platforms that support the SetProcessDEPPolicy function.If you disable or do n
ncoding. Malware filters or other network-based filters may not properly filter encapsulated data.If you enable this policy setting Data URI
ecifically written to extend or enhance the functionality of the browser or web pages.This list can be used with the 'Deny all add-ons unles
r processes or those listed in the 'Process List' policy setting ignore add-on management user preferences and policy settings.If you enable
bjects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.By default the 'Add-on Lis
se the add-on management user preferences and policy settings. This policy setting allows you to extend support for these user preferenc
s time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.If you disable or don't con
tops blocking outdated ActiveX controls.If you disable or don't configure this policy setting Internet Explorer continues to block specific ou
olicy setting you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each doma
ded the control and whether it was blocked) to a local file.If you disable or don't configure this policy setting Internet Explorer won't log Ac
r cannot run natively implemented scriptable XMLHTTP.If you do not configure this policy setting the user can choose to run natively imple
onnection limit of your choice for HTTP 1.1.If you disable or do not configure this policy setting Internet Explorer uses the default connecti
t Explorer will use the default connection limit for HTTP 1.0 (6 connections per host).In versions of Internet Explorer prior to Internet Explo
he WebSocket connection limit that you set with this policy setting.If you disable or do not configure this policy setting Internet Explorer u
mains embedded in the page.If you disable or do not configure this policy setting documents can request data across third-party domains
olicy setting does not prevent client-side communication across domains via other features in Internet Explorer 10. Also this policy setting
s through other features in Internet Explorer 8 and it does not prevent a site from requesting cross-domain data through a server.If you en
in to the behavior and to all zones. (Behaviors are components that encapsulate specific functionality or behavior on a page.)If you enabl
ecurity Restriction setting is prevented or allowed.If you enable this policy setting binary behaviors are prevented for all processes. Any use
4 signing technologies by default because they are not as secure as other technologies.If you enable this policy setting Internet Explorer 9
ecurity Restriction setting is prevented or allowed.If you enable this policy setting binary behaviors are prevented for the File Explorer and
ecurity Restriction setting is prevented or allowed.This policy setting allows administrators to define applications for which they want this
ires that all file-type information provided by Web servers be consistent. For example if the MIME type of a file is text/plain but the MIME
fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and content. This fea
fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and content processe
e the fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and content. Th
abled for all processes.If you disable or do not configure this policy setting the Mime Sniffing Safety Feature is disabled for all processes.
e of one type to a more dangerous file type.If you disable this policy setting Internet Explorer processes will allow a MIME sniff promoting
ch they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 this protection will be
d for all processes. Any use of the MK Protocol is blocked.If you disable or do not configure this policy setting the MK Protocol is enabled.
ed for File Explorer and Internet Explorer and resources hosted on the MK protocol will fail.If you disable this policy setting applications ca
tions for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 use of the
icted protocols is prevented or allowed.If you enable this policy setting restricting content obtained through restricted protocols is allowed
ned through restricted protocols is prevented or allowed.If you enable this policy setting restricting content obtained through restricted pr
icted protocols is prevented or allowed.This policy setting allows administrators to define applications for which they want restricting cont
or simply disabling the content. For each zone this list of protocols may be configured here and applies to all processes which have opted i
t displayed for any process when file or code installs are restricted (except for the Internet Explorer Processes for which the Notification ba
er processes.If you enable this policy setting the Notification bar will be displayed for Internet Explorer Processes.If you disable this policy
e or code installs are restricted (except for the Internet Explorer Processes for which the Notification bar is displayed by default).If you ena
when navigating within or across domains for all processes.If you disable or do not configure this policy setting object reference is retained
le when navigating within or across domains for Internet Explorer processes.If you disable this policy setting an object reference is retaine
they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 references to objects ar
ocal computer have the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a prime t
the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a prime target for malicious
r have the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a prime target for ma
ompting of ActiveX control installation for all processes.If you disable or do not configure this policy setting the Web Browser Control will n
er processes.If you disable this policy setting prompting for ActiveX control installations will not be blocked for Internet Explorer processes
tiveX control installation is blocked. If you enter a Value of 0 automatic prompting of ActiveX control installation is allowed. The Value Nam
automatic prompting of file downloads that are not user initiated for all processes.If you disable this policy setting the Web Browser Cont
s.If you disable this policy setting prompting will occur for file downloads that are not user initiated for Internet Explorer processes.If you d
ompting of non-initiated file downloads is blocked. If you enter a Value of 0 automatic prompting of non-initiated file downloads is allowe
ows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.If you enable this policy
ows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.If you enable this policy
ows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.This policy setting allow
according to which one of the following options you choose and the user cannot change how command buttons are displayed:Show all tex
do not configure this policy setting the user can change where tabs are displayed.
shown and the user cannot choose to hide it.If you do not configure this policy setting the Command bar is shown by default and the use
the user cannot choose to hide it.If you do not configure this policy setting the status bar is shown by default and the user can choose to h
re unlocked and the user can move them.If you do not configure this policy setting the toolbars are locked by default but the user can unlo
e user cannot move them.If you disable this policy setting the Stop and Refresh buttons are next to the Address bar and the user cannot m
s policy setting the user can access Developer Tools.
l detects an incompatible toolbar the user is prompted to update or disable the toolbar. Specific toolbars or Browser Helper Objects that a
his policy setting icons for command buttons are 16 x 16 pixels (the default) and cannot be made bigger (20 x 20 pixels).If you do not config
Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not rece
mation from the location feature. If you disable or do not configure this policy setting all programs on this computer will not be preven
pts will run.
sable or do not configure this policy setting all programs on this computer can use the sensor feature.
ter will not be able to use the Windows Location Provider feature. If you disable or do not configure this policy setting all programs on
enable this policy setting this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenan
om its Activation Boundary. If you enable this policy setting Automatic Maintenance will delay starting from its Activation Boundary b
cheduled maintenance. Note that if the OS power wake policy is explicitly disabled then this setting has no effect. If you enable this p
date of map data is turned on.If you don't configure this setting the automatic download and update of map data is determined by a regis
e Offline Maps settings page are turned off. Note: This may turn off the entire settings page. If you disable or do not configure this policy s
nfigure this policy setting MDM Enrollment will be enabled. If you enable this policy setting MDM Enrollment will be disabled for all users. I
ce will remotely managed by the MDM service. Important: The device must be registered in Azure AD for enrollment to succeed.
ft accounts for authentication. This applies both to existing users of a device and new users who may be added. However any application
d. If you enable this setting the antimalware service will always remain running even if both antivirus and antispyware security intelligenc
e antimalware service will load as a normal priority task. If you disable this setting the antimalware service will load as a low priority task.
Enabled: Specify the mode in the Options section: -Block: Potentially unwanted software will be blocked. -Audit Mode: Po
do not configure this setting unique items defined in Group Policy and in preference settings configured by the local administrator will be m
tting the proxy server will be bypassed for the specified addresses. If you disable or do not configure this setting the proxy server will not
re is no proxy auto-config specified the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .
there is no proxy specified the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .pac URL
ill be copied to the specified support log location path. If you disable or do not configure this setting the support logs files will not be cop
nning. For example it could be used in guest virtual machines sharing a host to prevent multiple guest virtual machines from undertaking a
re. If you disable this policy setting Microsoft Defender Antivirus will run regardless of any other installed antivirus product. If you do n
the policy-defined action user-defined action and the signature-defined action. If you enable this policy setting Microsoft Defender Anti
number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncat
ients. If you enable this setting Microsoft Defender Antivirus notifications will not display on clients.
as a name value pair where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not u
entry must be listed as a name value pair where the name should be a string representation of a path or a fully qualified resource name.
rocess use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pai
ove performance. Enabled: Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machine perfo
oup Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.
will lower the protection state of the device. Enabled â€“ The Block at First Sight setting is turned on. Disabled â€“ The Block at First Sig
software infections. You can choose to send basic or additional information about detected software. Additional information helps Micr
r send (0x3) Send all samples automatically
d normally cause an event then it will be recorded (although the rule will not actually be applied) - Off: the rule will not be applied - No
e as a name-value pair: - Name column: Enter a folder path or a fully qualified resource name. For example ""C:\Windows"" will exclude
rus automatically determines which applications should be trusted. You can configure this setting to add additional applications. Enabled
folder - Write to disk sectors You can also choose to only block or audit writes to disk sectors while still allowing the modification
protected. You can configure this setting to add additional folders. The list of default system folders that are protected is shown in Wind
malicious content on the Internet. Enabled: Specify the mode in the Options section: -Block: Users and applications will not be able to
work Protection is allowed to be configured into block or audit mode on Windows Server. Note that this configuration is dependent on th
ended cloud check feature specify the extended time in seconds up to an additional 50 seconds. For example if the desired timeout is 6
Not configured: Same as Disabled.
ying suspicious files to block and scan; otherwise it will be less aggressive and therefore block and scan with less frequency. For mo
ere the name should be a string representation of a definition set GUID. As an example the definition set GUID to enable test security intel
work Protection is allowed to be configured into block or audit mode on Windows Server. Note that this configuration is dependent on th
cessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition then that defin
you disable this setting protocol recognition will be disabled.
ble this setting the local preference setting will take priority over Group Policy. If you disable or do not configure this setting Group Polic
ays specified. If you disable or do not configure this setting items will be kept in the quarantine folder indefinitely and will not be autom
ence setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the loca
tting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local prefere
tting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local prefer
over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.
g file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configuration sh
be scanned. If you disable or do not configure this setting a default size will be applied.
onitoring for file and program activity will be disabled.
disable this setting scanning for all downloaded files and attachments will be disabled.
n your computer. If you enable this policy setting Microsoft Defender Antivirus will not prompt users to take actions on malware detectio
figure this setting a process scan will be initiated when real-time protection is turned on. If you disable this setting a process scan will no
aw write notifications be disabled.
eference setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the
setting can be configured with the following ordinal number values: (0x0) Every Day (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x
r example 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing. If you
otifications will display on clients. If you enable this setting Microsoft Defender Antivirus enhanced notifications will not display on c
r to pause a scan. If you disable this setting users will not be able to pause scans.
mdrun -SigUpdate" but it has no effect on scans initiated manually from the user interface. If you enable this setting a check for new secu
etting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local pref
up Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.
er Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.
will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference
s setting not changes will be made to CPU priority for scheduled scans.
this setting a system restore point will not be created.
. If you enable this setting a catch-up scan will occur after the specified number consecutive missed scheduled scans. If you disable or d
will not be scanned.
you disable this setting archive files will not be scanned.
e this setting network files will not be scanned.
anned. If you disable this setting packed executables will not be scanned.
is setting removable drives will be scanned during any type of scan. If you disable or do not configure this setting removable drives will n
owing ordinal number values: (0x0) Every Day (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6
day). If set to zero interval quick scans will not occur. By default this setting is set to 0. If you enable this setting a quick scan will run at t
ng archive files will be scanned to the directory depth level specified. If you disable or do not configure this setting archive files will be sc
hat there should be no throttling of CPU utilization. The default value is 50. If you enable this setting CPU utilization will not exceed the p
chive size for scanning. If you enable this setting archive files less than or equal to the size specified will be scanned. If you disable or do
d value. If you disable or do not configure this setting the default scan type will used.
02:00 AM. By default this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is
02:00 AM. By default this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the scan is
but not in use. If you disable this setting scheduled scans will run at the scheduled time.
because the computer was turned off at the scheduled time. If you enable this setting catch-up scans for scheduled full scans will be turn
d because the computer was turned off at the scheduled time. If you enable this setting catch-up scans for scheduled quick scans will be
ttachments. Several e-mail formats are currently supported for example: pst (Outlook) dbx mbx mime (Outlook Express) binhex (Mac). If
mended that you do not turn off heuristics. If you enable or do not configure this setting heuristics will be enabled. If you disable this s
ms will be kept forever and will not be automatically removed. By default the value is set to 30 days. If you enable this setting items will
epth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functi
fications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft M
ity intelligence update has security intelligence for a threat involving that file the service will receive all of the latest security intelligence fo
date. If you enable this setting security intelligence updates will be downloaded from Microsoft Update. If you disable or do not configu
regardless of power state. If you disable this setting security intelligence updates will be turned off while the computer is running on batt
will occur after service startup. If you disable this setting or do not configure this setting a check for new security intelligence will not occu
eparated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by default. If yo
ty intelligence update will occur after the specified number of days. If you disable or do not configure this setting a catch-up security inte
everal additional actions including falling back to an alternative update source or displaying a warning icon in the user interface. By default
al additional actions including falling back to an alternative update source or displaying a warning icon in the user interface. By default thi
curity intelligence update sources in order. Possible values are: â€œInternalDefinitionUpdateServerâ€ â€œMicrosoftUpdateServerâ€ â€
tiated on startup when there is no antimalware engine present. If you disable this setting security intelligence updates will not be initiate
d with the following ordinal number values: (0x0) Every Day (default) (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday
hour) to 24 (once per day). If you enable this setting checks for security intelligence updates will occur at the interval specified. If you d
quivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the scheduled scan
nce update. If you disable this setting a scan will not start following a security intelligence update.
as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should be tak
a name value pair. The name defines a valid Threat ID while the value contains the action ID for the remediation action that should be tak
can enable this setting:- Manually configure a device's system and application mitigation settings using the Set-ProcessMitigation PowerS
with Windows Hello.If you enable or do not configure this policy setting users can authenticate to Windows Hello using a companion dev
in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You
URL.If you disable this policy setting the Company Settings Center does not display an IT Contact link.If you do not configure this policy setti
standard protocol such as http or mailto. If you disable this policy setting the Company Settings Center does not display an IT Contact link
and the settings storage location. If you enable this policy setting the UE-V Agent will not synchronize settings for Windows apps.If you dis
as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed it will only take effect when UE-
er the user-facing name for the UE-V Agent now helps to synchronize settings between their work computers.With this setting enabled th
ttempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesnâ€™t attempt the synchronization. If
n about package file size. If you enable this policy setting specify the threshold file size in bytes. When the settings package file exceeds th
re this policy setting the user settings are stored in the userâ€™s home directory if configured for your environment.
ng the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in this loc
n.With this setting enabled the UE-V Agent synchronizes settings over a metered connection.With this setting disabled the UE-V Agent doe
connection.By default the UE-V Agent does not synchronize settings over a metered connection that is roaming.With this setting enabled t
hronizes settings of those Windows apps included in the Windows App List.With this setting enabled the settings of all Windows apps not e
conds. If you enable this policy setting set the number of milliseconds that the system waits to retrieve settings. If you disable or do not co
s desktop settings Ease of Access settings and network printers. Use this policy setting to specify which Windows settings synchronize betw
tion Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by double-clic
ckpoints are normally stored only on the local computer. With this policy setting enabled the rollback information is copied to the settings
tting to suppress the backup of specific Microsoft Access 2013 settings.If you enable this policy setting certain user settings of Microsoft Acc
tting to suppress the backup of specific Microsoft Access 2016 settings.If you enable this policy setting certain user settings of Microsoft Acc
or from synchronization between computers. If you enable this policy setting the Calculator user settings continue to synchronize. If you d
plications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific comm
plications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific comm
to suppress the backup of specific Microsoft Excel 2013 settings.If you enable this policy setting certain user settings of Microsoft Excel 20
to suppress the backup of specific Microsoft Excel 2016 settings.If you enable this policy setting certain user settings of Microsoft Excel 20
setting to suppress the backup of specific Microsoft InfoPath 2013 settings.If you enable this policy setting certain user settings of Microso
settings for Internet Explorer 10 from synchronization between computers. If you enable this policy setting the Internet Explorer 10 user
settings for Internet Explorer 11 from synchronization between computers.If you enable this policy setting the Internet Explorer 11 user s
ettings for Internet Explorer 8 from synchronization between computers. If you enable this policy setting the Internet Explorer 8 user setti
ettings for Internet Explorer 9 from synchronization between computers. If you enable this policy setting the Internet Explorer 9 user setti
er synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization between
o suppress the backup of specific Microsoft Lync 2013 settings.If you enable this policy setting certain user settings of Microsoft Lync 2013
o suppress the backup of specific Microsoft Lync 2016 settings.If you enable this policy setting certain user settings of Microsoft Lync 2016
e user settings of Microsoft Access 2010 from synchronization between computers. If you enable this policy setting Microsoft Access 2010
e user settings of Microsoft Access 2013 from synchronization between computers.If you enable this policy setting Microsoft Access 2013 u
e user settings of Microsoft Access 2016 from synchronization between computers.If you enable this policy setting Microsoft Access 2016 u
ser settings of Microsoft Excel 2010 from synchronization between computers. If you enable this policy setting Microsoft Excel 2010 user s
ser settings of Microsoft Excel 2013 from synchronization between computers.If you enable this policy setting Microsoft Excel 2013 user se
ser settings of Microsoft Excel 2016 from synchronization between computers.If you enable this policy setting Microsoft Excel 2016 user se
t the user settings of Microsoft InfoPath 2010 from synchronization between computers.If you enable this policy setting Microsoft InfoPath
t the user settings of Microsoft InfoPath 2013 from synchronization between computers.If you enable this policy setting Microsoft InfoPath
er settings of Microsoft Lync 2010 from synchronization between computers. If you enable this policy setting Microsoft Lync 2010 user setti
er settings of Microsoft Lync 2013 from synchronization between computers.If you enable this policy setting Microsoft Lync 2013 user setti
er settings of Microsoft Lync 2016 from synchronization between computers.If you enable this policy setting Microsoft Lync 2016 user setti
e Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common between
e policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers.If you enabl
e policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers.If you enabl
Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Access 2013 will synchronize between a userâ€™s work co
Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Access 2016 will synchronize between a userâ€™s work co
f the synchronization capabilities of Microsoft Office 365 are disabled then the user settings which are common between the Microsoft Offi
f the synchronization capabilities of Microsoft Office 365 are disabled then the user settings which are common between the Microsoft Offi
Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a userâ€™s work comp
Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a userâ€™s work comp
of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a userâ€™s wor
icrosoft Office 365 are disabled then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a userâ€™s work compu
icrosoft Office 365 are disabled then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a userâ€™s work compu
of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a userâ€™s wo
of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a userâ€™s wo
f Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a userâ€™s work
f Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a userâ€™s work
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a userâ€™
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a userâ€™
Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Project 2013 will synchronize between a userâ€™s work c
Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Project 2016 will synchronize between a userâ€™s work c
of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a userâ€™s wo
of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a userâ€™s wo
apabilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchronize b
icrosoft Office 365 are disabled then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a userâ€™s work comp
icrosoft Office 365 are disabled then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a userâ€™s work comp
Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Word 2013 will synchronize between a userâ€™s work com
Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Word 2016 will synchronize between a userâ€™s work com
prevent the user settings of OneDrive for Business 2013 from synchronization between computers.If you enable this policy setting OneDriv
prevent the user settings of OneDrive for Business 2016 from synchronization between computers.If you enable this policy setting OneDriv
nt the user settings of Microsoft OneNote 2010 from synchronization between computers.If you enable this policy setting Microsoft OneN
the user settings of Microsoft Outlook 2010 from synchronization between computers.If you enable this policy setting Microsoft Outlook 2
revent the user settings of Microsoft PowerPoint 2010 from synchronization between computers.If you enable this policy setting Microsoft
he user settings of Microsoft Project 2010 from synchronization between computers.If you enable this policy setting Microsoft Project 2010
nt the user settings of Microsoft Publisher 2010 from synchronization between computers.If you enable this policy setting Microsoft Publi
policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers.If you enable t
policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers.If you enable t
the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers.If you e
er settings of Microsoft Visio 2010 from synchronization between computers.If you enable this policy setting Microsoft Visio 2010 user setti
user settings of Microsoft Word 2010 from synchronization between computers.If you enable this policy setting Microsoft Word 2010 user
om synchronization between computers. If you enable this policy setting the Notepad user settings continue to synchronize. If you disable
y setting to suppress the backup of specific Microsoft OneNote 2013 settings.If you enable this policy setting certain user settings of Micro
y setting to suppress the backup of specific Microsoft OneNote 2016 settings.If you enable this policy setting certain user settings of Micro
etting to suppress the backup of specific Microsoft Outlook 2013 settings.If you enable this policy setting certain user settings of Microsoft
etting to suppress the backup of specific Microsoft Outlook 2016 settings.If you enable this policy setting certain user settings of Microsoft
policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings.If you enable this policy setting certain user settings o
policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings.If you enable this policy setting certain user settings o
tting to suppress the backup of specific Microsoft Project 2013 settings.If you enable this policy setting certain user settings of Microsoft Pr
tting to suppress the backup of specific Microsoft Project 2016 settings.If you enable this policy setting certain user settings of Microsoft Pr
y setting to suppress the backup of specific Microsoft Publisher 2013 settings.If you enable this policy setting certain user settings of Micro
y setting to suppress the backup of specific Microsoft Publisher 2016 settings.If you enable this policy setting certain user settings of Micro
mputers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings.If you enable this policy setti
to suppress the backup of specific Microsoft Visio 2013 settings.If you enable this policy setting certain user settings of Microsoft Visio 201
to suppress the backup of specific Microsoft Visio 2016 settings.If you enable this policy setting certain user settings of Microsoft Visio 201
g to suppress the backup of specific Microsoft Word 2013 settings.If you enable this policy setting certain user settings of Microsoft Word
g to suppress the backup of specific Microsoft Word 2016 settings.If you enable this policy setting certain user settings of Microsoft Word
from synchronization between computers. If you enable this policy setting the WordPad user settings continue to synchronize. If you disab
m synchronizing between computers.If you enable this policy setting Finance user settings continue to sync.If you disable this policy settin
synchronizing between computers.If you enable this policy setting Games user settings continue to sync.If you disable this policy setting Ga
hronizing between computers.If you enable this policy setting Maps user settings continue to sync.If you disable this policy setting Maps u
chronizing between computers.If you enable this policy setting Music user settings continue to sync.If you disable this policy setting Music
hronizing between computers.If you enable this policy setting News user settings continue to sync.If you disable this policy setting News u
synchronizing between computers.If you enable this policy setting Reader user settings continue to sync.If you disable this policy setting R
nchronizing between computers.If you enable this policy setting Sports user settings continue to sync.If you disable this policy setting Spo
nchronizing between computers.If you enable this policy setting Travel user settings continue to sync.If you disable this policy setting Trave
chronizing between computers.If you enable this policy setting Video user settings continue to sync.If you disable this policy setting Video
from synchronizing between computers.If you enable this policy setting Weather user settings continue to sync.If you disable this policy se
enable this setting users must sign in to the OneDrive sync client on the local computer or select to sync OneDrive or SharePoint files on th
ps canâ€™t access OneDrive using the WinRT API.* OneDrive doesnâ€™t appear in the navigation pane in File Explorer.* OneDrive files are
Windows Store apps canâ€™t access OneDrive using the WinRT API.* OneDrive doesnâ€™t appear in the navigation pane in File Explorer.*
ill still be able to change the value of this setting to save to OneDrive by default. They will also be able to open and save files on OneDrive
Guided Help links.If you enable this policy setting active content links are not rendered. The text is displayed but there are no clickable link
ccount. Enable this policy to prevent this experience from launching.If this policy is enabled the privacy experience will not launch for new
e PC.If you disable or don't configure this setting Windows when started from a Windows To Go workspace can't hibernate the PC.
ates to make the PC sleep.If you disable or don't configure this setting Windows when started from a Windows To Go workspace can use s
tartup Options Control Panel item.If you enable this setting booting to Windows To Go when a USB device is connected will be enabled an
oked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure their s
ntrol which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default a license server issues an RDS CA
unning other Windows-based operating systems.A license server attempts to provide the most appropriate RDS or TS CAL for a connection
y setting users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP sess
ecognized by the client such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also c
u must specify one of the following settings:Always connect even if authentication fails: The client connects to the RD Session Host server e
ng. For example if you have a problem that you suspect may be related to hardware acceleration use this setting to disable the acceleratio
o longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings any password
pted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Hos
cate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted
disable or do not configure this policy setting Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols.
nable this policy setting you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only
t server is not used if a virtual IP is not available. The session will not have network connectivity.If you disable or do not configure this polic
ting notation; for example 192.0.2.96/24. If you enable this policy setting the specified IP address and network mask are used to select the
ult Windows Installer RDS Compatibility is turned on. If you enable this policy setting Windows Installer RDS Compatibility is turned off and
on. You can select the mode in which this setting is applied. If you are using Per Program mode you must enter a list of programs to use vi
re listed in the RemoteApp programs list.You can control which programs on an RD Session Host server can be started remotely by using th
mputer can connect remotely to the target computer by using Remote Desktop Services.If you disable this policy setting users cannot conn
tion attempts are made at five second intervals.If the status is set to Enabled automatic reconnection is attempted for all clients running R
to an RD Session Host server the session on the RD Session Host server might remain active instead of changing to a disconnected state ev
tly connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off any data
rver. If this number is exceeded addtional users who try to connect receive an error message telling them that the server is busy and to tr
sion (either active or disconnected) on that server. If the user leaves the session in a disconnected state the user automatically reconnects
r both Connect Time Detect and Continuous Network Detect. If you disable Connect Time Detect Remote Desktop Protocol will not determ
n select one of the following options: "Use both UDP and TCP" "Use only TCP" or "Use either UDP or TCP (default)" If you select "Use eithe
emote control allowed: Disallows an administrator to use remote control or view a remote user session.2. Full Control with user's permissi
re registered in the background. However some apps may not work until app registration is complete.If you enable this policy setting user
e within each session. If you enable this policy setting Fair Share CPU Scheduling is turned off. If you disable or do not configure this policy
output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choose to pla
ng the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can record audio by using an audio in
d their time zone information to the server. The server base time is then used to calculate the current session time (current session time =
s setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default Remote D
data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By default Rem
ction. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername>. You c
ting data from the remote computer to local LPT port peripherals. By default Remote Desktop Services allows LPT port redirection.If you en
a Remote Desktop Services session.If you disable or do not configure this policy setting smart card device redirection is allowed. By defau
Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices.If you disable this policy settin
ces.If you enable this policy setting users cannot redirect their video capture devices to the remote computer. If you disable or do not con
nable this policy setting you must select one of the following: High Medium or Dynamic. If you select High the audio will be sent without a
d on an RD Session Host server after you log on as a local administrator if there are problems with RD Licensing that affect the RD Session H
one of two licensing modes: Per User or Per Device. Per User licensing mode requires that each user account connecting to this RD Ses
ate the specified license servers. If the specified license servers cannot be located the RD Session Host server will attempt automatic licens
ote computer to a printer attached to their local (client) computer. By default Remote Desktop Services allows this client printer mapping
ates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to override th
in Remote Desktop Services sessions.If you disable or do not configure this policy setting all client printers are redirected in Remote Deskt
a printer driver that matches the client's printer no printer will be available for the Remote Desktop Services session.If you enable this poli
t tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print prin
ed.Note: If you want to limit the size of an individual user profile use the "Limit profile size" policy setting located in User Configuration\Po
. You can use this policy setting to specify a network share where user profiles can be centrally stored allowing a user to access the same p
on for the home directory (network or local) from the Location drop-down list. If you choose to place the directory on a network share typ
rvices uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the m
rver farm. Therefore you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name do
must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same
ion in a load-balanced RD Session Host server farm. To participate in RD Connection Broker the Remote Desktop Session Host role service
lies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server.If you enable
nnection Broker redirects users who do not have an existing session to the RD Session Host server in the farm with the fewest sessions. Re
ce elements of Windows Aero such as translucent windows for remote desktop sessions. Because Windows Aero requires additional syste
connects to a remote computer even if an initial program is already specified in the default user profile Remote Desktop Connection Rem
.If you enable this policy setting you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to u
sable or do not configure this policy we will always use software encoding.
usage with the visual quality that is delivered. If you enable this policy setting and set quality to Low RemoteFX Adaptive Graphics uses a
nce based on available nework bandwidth.If you enable this policy setting the RemoteFX experience could be set to one of the following op
computer fonts so that they appear clear and smooth especially when you are using an LCD monitor. Because font smoothing requires add
d for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec.If you enable this policy
default Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop depending on the client config
es RDP. Limiting the color depth can improve connection performance particularly over slow links and reduce server load.If you enable this
can improve connection performance particularly over slow links and reduce server load.If you enable this policy setting you must specify
rove connection performance particularly over slow links and reduce server load.If you enable this policy setting you can specify the numb
on where both the client and server can use H.264/AVC 444.
method to disconnect their client from an RD Session Host server.If you enable this policy setting "Disconnect" does not appear as an opti
advertently.If the status is set to Enabled Windows Security does not appear in Settings on the Start menu. As a result users must type a se
t Remote Desktop Services sessions provide access to the full Windows desktop unless otherwise specified with this setting by the server a
pp programs and does not apply to remote desktop sessions.If you enable or do not configure this policy setting RemoteApp programs pu
phics renderer instead of the Microsoft Basic Render Driver as the default adapter.If you disable this policy setting all Remote Desktop Ser
iver.If you disable this policy setting Remote Desktop Connections will NOT use WDDM graphics display driver. In this case the Remote De
eployed on an RD Virtualization Host server RemoteFX delivers a rich user experience by rendering content on the server by using graphic
ience.By default Remote Desktop Services sessions are optimized for rich multimedia such as applications that use Silverlight or Windows
dth usage with the type of graphics experience that is delivered.Depending on the requirements of your users you can reduce network ban
p Services even if they already provided the password in the Remote Desktop Connection client.By default Remote Desktop Services allow
changes to the user groups allowed to connect remotely to the RD Session Host server. By default administrators are able to make such c
ation with clients by allowing only authenticated and encrypted requests.If the status is set to Enabled Remote Desktop Services accepts re
able this policy setting all communications between clients and RD Session Host servers during remote connections must use the security m
equiring that user authentication occur earlier in the remote connection process.If you enable this policy setting only client computers that
te an RD Session Host server when TLS 1.0 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server dur
ly applies when you are using native RDP encryption. However native RDP encryption (as opposed to SSL encryption) is not recommended
er is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default Remote Deskt
etting you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but
desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified
active on the server. By default Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logg
r.By default if a user closes a RemoteApp program the session is disconnected from the RD Session Host server but it is not logged off.If yo
uter even if the user logs off from a session. By default Remote Desktop Services deletes a user's temporary folders when the user logs off
mputer for each session. By default Remote Desktop Services creates a separate temporary folder for each active session that a user main
n the Favorites Center.If you disable or do not configure this policy setting the user can access the feed list in the Favorites Center.
notification on the toolbar that a feed or Web Slice is available.If you disable or do not configure this policy setting the user receives a notifi
n enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.If you disable or do
led and access to Web Slices is turned off. A developer cannot add a feed or Web Slice or delete a feed or Web Slice by using the Feed API
disable or do not configure this policy setting the user can synchronize feeds and Web Slices in the background.
ates feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection.If you disable or do not
vide the following:1) A name for the scope such as 'Intranet'.2) The URL to the search service. Use $w in place of the query term for the se
1;name2url2;...nameNurlNFor example:MySearchhttp://mysearch.aspx?q=$w;MySearch2http://mysearch2?q=$w.For each search scope
n Cortana is off users will still be able to use search to find things on the device.
h while the system is locked.If you disable this setting the system will need to be unlocked for the user to interact with Cortana using spee
search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This po
licy setting words with diacritics and words without diacritics are treated as identical words. This policy setting is not configured by default
to index (as it did in Windows 7). Using automatic language detection can increase memory usage. We recommend enabling this policy se
mf;.gif;.jpg;.jpeg;.png;.wmf;.wrn;.txt;.err;.xml;.cpp;.c;.h;.cxx;.hxx;.idl;.cs;.vb;.idl;.xsd;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.vsd;.xlsb;.xltx;.dot;.rtf
activity is high. Default is disabled.
ns on removable drives cannot be indexed.If you disable or do not configure this policy setting locations on removable drives can be added
browser search engine.
nd web results won't be displayed when a user performs a query in Search.If you disable this policy setting queries will be performed on th
be performed on the web over metered connections and web results won't be displayed when a user performs a query in Search.If you dis
rtions of delegate mailboxes locally (for example contacts or a calendar). This policy will not affect portions of a delegate mailbox that are
sabling this policy will block any indexing of uncached Exchange folders. Delegate mailboxes are managed separately from online mailboxe
the corresponding Microsoft Exchange server. The default value for this policy is 120 items per minute. To lower the burden on Microsoft
e removed.When this policy is disabled or not configured users will be able to add UNC locations to the index.This policy has no effect if th
t behavior is to allow users to add and remove new locations to the locations menu. When the policy is enabled the Add and Remove loca
ws Search does not automatically add shares created on the computer to the scope of the index.If you disable or do not configure this pol
arch requests will use this computer's index. Default is disabled.
s can index any path not restricted by other policies but their original list of paths to index is not restored.
onsider enabling this policy if you are concerned about the security or indexing performance of non-Microsoft document filters (iFilters). T
user will not see them in search results.

cy Object Editor require this list to be split across multiple values. Desktop Search combines all these into a single exclusion list.When this p
indexed when using Outlook 2003 or later. The user must be running in cached mode and the Download Public Folder Favorites option m
he Control Panel cannot be opened.If you disable or do not configure this policy setting users can acess the Advanced Options dialog for S
nstalled nor will it prevent them from being used by other applications or services. You can also specify an allow list of add-ins by providin
ng this policy to turn off the preview pane if your environment does not support Office XP or later. The full preview pane functionality is on
our organization does not support Office XP or above you should enforce the large icon view so that users can see snippets related to their
hange: -Strict: Filter out adult text images and videos from search results; -Moderate: Filter adult images and videos but not text from
on: Share a user's search history some Microsoft account info and specific location to personalize their search and other Microsoft experien
if computers in your environment have extremely limited hard drive space.When this policy is disabled or not configured Windows Deskto
es the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section where the
ssions for the number of minutes specified.If you disable or do not configure this policy setting the default timeout value is 3 minutes for w
er 2003 system.If you enable this policy setting the system does not create the named pipe remote shutdown interface.If you disable or do
hanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restriction.If you
used to log on to a domain.If you disable or do not configure this policy setting ECC certificates on a smart card cannot be used to log on t
. Please check with your hardware manufacturer to see if your smart card supports this feature.If you enable this policy setting the integr
ill be listed on the logon screen.If you disable or do not configure this policy setting any available smart card signature key-based certificat
e expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the displaying of t
with that user.If you enable this policy setting then an optional field that allows a user to enter their user name or user name and domain
figure this setting then root certificate clean up will occur on log off.
The following policy setting must be enabled - Allow Integrated Unblock screen to be displayed at the time of logon.If you disable or do n
his can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renewed and
val of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a significant
played when a smart card device driver is installed.If you disable this policy setting a confirmation message will not be displayed when a s
setting plaintext PINs can be returned by Credential Manager.Note: Enabling this policy setting could prevent certain smart cards from wo
e to help users distinguish one certificate from another. For example if the certificate subject was CN=User1 OU=Users DN=example DN=
rt your smart card.If you disable this policy setting certificate propagation will not occur and the certificates will not be made available to a
n you insert your smart card. Note: For this policy setting to work the following policy setting must also be enabled: Turn on certificate pro
l a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time.If you disable this policy setting Smart Card Pl
Windows registration and reactivation is not allowed) - Enabled (Windows registration is allowed)
u disable or do not configure this policy setting KMS client activation data will be sent to Microsoft services when this device activates. P
n audio file.If you enable this policy setting Sound Recorder will not run.If you disable or do not configure this policy setting Sound Recorde
dels are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled (default) the device
applies only to Enterprise and Education editions of Windows.
in the private store.If you disable or don't configure this setting users can access the retail catalog in the Microsoft Store.
wnload and installation of app updates is turned on.If you don't configure this setting the automatic download and installation of app upda
d of app updates is turned on.If you don't configure this setting the automatic download of app updates is determined by a registry settin
his setting the Store application will offer updates to the latest version of Windows.
access to the Store application is allowed.
d none of the "sync your setting" groups will be synced on this PC.Use the option "Allow users to turn syncing on" so that syncing it turned
" group will not be synced.Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but not disa
p will not be synced.Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled.If you do
ory and favorites.If you enable this policy setting the "browser" group including info like history and favorites will not be synced.Use the o
etting the "desktop personalization" group will not be synced.Use the option "Allow users to turn desktop personalization syncing on" so t
e this policy setting syncing on metered connections will be turned off and no syncing will take place when this PC is on a metered connec
etting the "Other Windows settings" group will not be synced.Use the option "Allow users to turn other Windows settings syncing on" so t
up will not be synced.Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not disabled.If
group will not be synced.Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not disable
layout" group will not be synced. Use the option "Allow users to turn start syncing on" so that syncing is turned off by default but not
fail.If you disable this policy you will be able to use this feature to print to a Journal Note.If you do not configure this policy users will be ab
Tool will run.
Journal accessory will run.
n instead of the pen cursors.If you disable or do not configure this policy visual feedback and pen cursors will be shown unless the user dis
this policy Back->ESC mapping will occur.If you do not configure this policy Back->ESC mapping will occur.
drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab).If you disable this policy applications can be la
following text: "Some settings are controlled by Group Policy. If a setting is unavailable contact your system administrator."If you disable t
M defined button actions will occur when the buttons are pressed.If you do not configure this policy user and OEM defined button actions
d the handwriting tab when the feature is available for the current input area and input language.Touch Keyboard and Handwriting panel
anel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard sh
ablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard shortcuts.If y
nese and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languages or k
ers or keyboard shortcuts.If you enable this policy Input Panel tab will not appear on the edge of the Tablet PC screen. Users will not be ab
or an on-screen keyboard to enter text symbols numbers or keyboard shortcuts.If you enable this policy application auto complete lists w
g users from switching to another Input Panel skin (the writing pad or character pad) and not showing what keys are tapped when enterin
ures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. Tablet PC Input Panel is a Ta
rning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks notificatio
net Explorer the pen flicks notification and the pen flicks tray icon.If you disable or do not configure this policy pen flicks and related featu
t be able to use touch input or touch gestures such as tap and double tap the touch pointer and other touch-specific features.If you disable
or down directly on the scrolling content.If you enable this setting the user will not be able to pan windows by touch. If you disable this se
rs.The checkbox when checked instructs Task Scheduler to automatically open the newly created task's property sheet upon completion o
lick a task. As a result users cannot change any properties of a task. They can only see the properties that appear in Detail view and in the
ly or force tasks to end before they are finished.Note: This setting appears in the Computer Configuration and User Configuration folders.
om the Task tab of the properties dialog box for a task. Also users cannot edit the "Run" box or the "Start in" box that determine the progr
n Scheduled Tasks. It also disables the drag-and-drop features of the Scheduled Tasks folder.As a result users cannot add new scheduled t
ments into the Scheduled Tasks folder.Note: This setting appears in the Computer Configuration and User Configuration folders. If both setti
a task. Also the system does not respond when users try to cut or drag a task from the Scheduled Tasks folder.Note: This setting appears in
is uninstalled. The language can be reinstalled with a different selection of included language features if needed. When this policy setting
ar will be turned off.If you disable or do not configure this setting Windows Calendar will be turned on.The default is for Windows Calenda
not configure this policy setting all users can install new color profiles. Standard users can uninstall color profiles that they previously insta
s Manager server.If you do not configure this setting uploads are not redirected to a Microsoft Operations Manager server.
onfigure this setting or disable it then CEIP data will not be tagged with the Study Identifier.
nable this setting you must choose from the following behaviors: - Turn off app recommendations - Show me app recommendations
s presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or kno
and malicious software. By default Windows Defender SmartScreen is turned on.If you enable this setting Windows Defender SmartScreen
nder SmartScreen warnings and they are blocked from continuing to the site.If you disable or don't configure this setting employees can ig
ditional data other than memory dumps.If you enable or do not configure this policy setting any memory dumps generated for error repor
urn Windows Error Reporting on or off see the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative
e system event log.If you disable or do not configure this policy setting Windows Error Reporting events and errors are logged to the system
enable this policy setting Windows Error Reporting does not send any problem information to Microsoft. Additionally solution information
e details about the error. If the Configure Error Reporting policy setting is also enabled the user can also report the error.If you disable this
dows Error Reporting report are automatically declined without notification to the user.If you disable or do not configure this policy settin
er.If you enable this policy setting WER does not throttle data; that is WER uploads additional CAB files that can contain data about the sam
xes for critical errors.If you disable this policy setting Windows Error Reporting displays the GUI-based error messages or dialog boxes for c
t does not upload additional report data until the computer is connected to a more permanent power source.If you enable this policy setti
heck for network cost policy restrictions and transmits data even if network cost is restricted.If you disable or do not configure this policy
ddress of an error report destination server on your organizationâ€™s network. You can also select Connect using SSL to transmit error rep
data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only only the mini
Queuing behavior pull-down list is set to Default Windows determines when a problem occurs whether the report should be placed in th
fault pull-down menu to report either all application errors (the default setting) or no application errors.If the Report all errors in Microsoft
clude errors for applications on this list setting and then add or remove applications from the list of application file names in the Show Con
ever included in error reports. To create a list of applications for which Windows Error Reporting never reports errors click Show and then
e never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors click Show under
isable this policy setting operating system errors are not included in error reports.If you do not configure this policy setting users can chan
able this policy setting unplanned shutdown events are not included in error reporting.If you do not configure this policy setting users can
sent level settings that are available in the pull-down menu in this policy setting:- Always ask before sending data: Windows prompts users
es in the Value Name column of the Show Contents dialog box. Event types are those for generic non-fatal errors: crash no response and k
s override any other consent policy setting.If you disable or do not configure this policy setting custom consent policy settings for error rep
umerate all Windows Hello for Business credentials but still require each user to provide their own factors for authentication.If you disable
ock factors you should also configure a comma separated list of signal rules in the form of xml for each signal type to be verified.If you ena
ou disable or do not configure this policy setting users can continue to lock with existing locking options.For more information see: https:/
for Business credentials that are not compatible with smart card applications.If you disable or do not configure this policy setting Windows
oning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude security devices which prevents Windows Hello for B
r do not configure this policy setting Windows Hello for Business allows the use biometric gestures.If you disable this policy setting Window
that is used for on-premises authentication.If you disable or do not configure this policy setting Windows Hello for Business enrolls a key
personal accounts on the device. To achieve this the Azure-based PIN recovery service encrypts a recovery secret which is stored on the d
able this policy the device provisions Windows Hello for Business using keys or certificates for all users.If you disable this policy setting the
e key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.If you disable or
d. It permits installations to complete that otherwise would be halted due to a security violation.If you disable or do not configure this poli
ch for installation files even when the installation program is running with elevated system privileges.Because the installation is running w
hes are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious
y disks and CD-ROMs even when the installation program is running with elevated system privileges.This policy setting does not affect inst
y reserved for programs that have been assigned to the user (offered on the desktop) assigned to the computer (installed automatically) o
nce updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when
pgrades to fail. Upgrades can fail if they attempt to do one of the following:(1) Remove a component from a feature.This can also occur if y
owed to run.
er tries to install a program on the system the system warns users and allows them to select or refuse the installation.If you enable this po
that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs some installations p
setting it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily de
on to create digitally signed updates that can be applied by non-privileged users.If you enable this policy setting only administrators or user
ockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators.If you enable
ecording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from reta
update.If you enable this policy setting you can use the options in the Prohibit Use of Restart Manager box to control file in use detection b
olicy setting is enabled and "Allow User Installs" is selected the installer allows and makes use of products that are installed per user and pr
e from" list in the Windows Installer dialog box is disabled. As a result users must select an installation file source from the "Use features f
the transform file is saved in a secure location on the user's computer.If you do not configure this policy setting on Windows Server 2003 W
g you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded type the letter repre
previous state without losing personal data files.If you enable this policy setting the Windows Installer does not generate System Restore c
age.If you enable this policy setting you can use the options in the Disable logging via package settings box to control automatic logging via
ared attribute in the Component Table.If you disable or do not configure this policy setting by default the shared component functionality
em administrator. You can use the options in the Disable Windows Installer box to establish an installation setting.-- The "Never" option i
tomatically after a restartâ€ policy then automatic sign on will not occur and this policy does not need to be configured.If you enable this
oftware cannot simulate the SAS.If you set this policy setting to "Services" services can simulate the SAS.If you set this policy setting to "Ea
rver 2008 functional level if you enable this setting a message appears after the user logs on that displays the date and time of the last suc
tion popup will be displayed to the user when the user logs on with cached credentials.If disabled or not configured no popup will be displ
sign out before the restart or shutdown.â€‹If the device is joined to Active Directory or Azure Active Directory this policy only applies to W
and security upgrades.When this policy is enabled programs are not able to acquire licenses for secure content upgrade Windows Media
mode. In addition the option on the Player tab in the Player that enables users to choose whether the anchor window displays is not availa
user starts Windows Media Player.This policy setting prevents the dialog boxes which allow users to select privacy file types and other de
or do not configure this policy setting users can choose whether to add the Player shortcut icon to their desktops.
ayer with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or from prog
ou disable or do not configure this policy setting the user can choose whether to add the shortcut for the Player to the Quick Launch bar.
tion the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available.If you dis
can be used.Note: If you enable this policy setting Remote Assistance also cannot use Windows Messenger.Note: This policy setting is ava
figure this policy setting Windows Messenger will be loaded automatically at logon.Note: This policy setting simply prevents Windows Me
the .exe file does not launch it.If you disable this policy setting the user is able to invoke Windows Mobility Center and the .exe file launch
for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter on the
ws PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails proper
mmands script blocks functions and scripts - whether invoked interactively or through automation. If you disable this policy settin
ows PowerShell the Windows PowerShell ISE and any other applications that leverage the Windows PowerShell engine. By default Wi
signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher.The "Allow local scripts and remote si
enance control panel and to respond to WMI requests.If you enable or do not configure this policy setting the listed providers will respond
s configured to use HTTP transport the user name and password are sent over the network as clear text.If you disable or do not configure t
u disable or do not configure this policy setting the WinRM client does not use CredSSP authentication.
nds and receives unencrypted messages over the network.If you disable or do not configure this policy setting the WinRM client sends or r
f you disable or do not configure this policy setting the WinRM client uses Digest authentication.
M) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authentication
cation.If you disable or do not configure this policy setting the WinRM client uses Negotiate authentication.
policy setting the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. The WinR
ts Basic authentication from a remote client. If you disable or do not configure this policy setting the WinRM service does not accept B
cepts CredSSP authentication from a remote client. If you disable or do not configure this policy setting the WinRM service does not ac
e this policy setting the WinRM service automatically listens on the network for requests on the HTTP transport over the default HTTP por
ends and receives unencrypted messages over the network.If you disable or do not configure this policy setting the WinRM client sends or
accept Kerberos credentials over the network. If you disable or do not configure this policy setting the WinRM service accepts Kerbero
oes not accept Negotiate authentication from a remote client. If you disable or do not configure this policy setting the WinRM service
will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the RunAsUser
level specified in HardeningLevel to determine whether or not to accept a received request based on a supplied channel binding token.
ays appears. If you disable or do not configure this policy setting the HTTP listener never appears. When certain port 80 listeners a
ways appears. If you disable or do not configure this policy setting the HTTPS listener never appears. When certain port 443 listene
shell connections are rejected by the server.
shell connections are rejected if they exceed the specified limit.If you disable or do not configure this policy setting the default number is fi
milliseconds (1 minute) is used for smaller values.If you enable this policy setting the server will wait for the specified amount of time since
s unlimited memory which means the ability of remote operations to allocate memory is only limited by the available virtual memory.If yo
process per shell. Zero (0) means unlimited number of processes.If you disable or do not configure this policy setting the limit is five proce
ou enable this policy setting the user cannot open new remote shells if the count exceeds the specified limit.If you disable or do not confi
s setting.If you disable this policy setting Windows Sandbox will not be able to receive audio input from the user. Applications using a micr
and paste in and out of Sandbox will be restricted.If you do not configure this policy setting clipboard sharing will be enabled.
g a virtual switch on the host and connects the Windows Sandbox to it via a virtual NIC.If you disable this policy setting networking is disab
dbox will not be able to view printers from the host.If you do not configure this policy setting printer redirection will be disabled.
dering which can be slower than virtualized GPU.If you do not configure this policy setting vGPU will be enabled. Note that enabling virtual
ox. Applications using video input may not function properly in Windows Sandbox.If you do not configure this policy setting video input w
s Disabled.
users are allowed to make changes in the Exploit protection settings area. Not configured: Same as Disabled.
own. Not configured: Same as Disabled.
me as Disabled.
roubleshooting area will be shown. Not configured: Same as Disabled.

will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable firmwar
After setting this to Enabled you must configure the Specify contact company name GP setting and at least one of the following GP setti
After setting this to Enabled you must configure the Specify contact company name GP setting and at least one of the following GP setting
in the Options section. Disabled: Company information will not be shown at all in either Windows Security or any notifications tha
dress. The default email application will be used. Enabled: Enter the email address or email ID in the Options section. Disabled
be used to initiate the call. Enabled: Enter the phone number or Skype ID in the Options section. Disabled: A contact pho
abled: Enter the URL in the Options section. Disabled: A contact website URL will not be shown in either Windows Security or a
hown. Not configured: Same as Disabled.

ns from Windows Security. They will not see other types of notifications such as regular PC or device health information. Disabled:
notification area control will be hidden. Disabled: Windows Security notification area control will be shown. Not configured:
configured: Same as Disabled.
configured: Same as Disabled.
all these updates once they are downloaded and ready to install.If the status is set to Disabled such updates will not be installed immediat
atic Update and Microsoft Update will include non-administrators when determining which logged-on user should receive update notifica
this policy setting Automatic Updates accepts updates received through an intranet Microsoft update service location if they are signed by
configured to start with any value from 15 to 180 minutes. When the timer runs out the restart will proceed even if the PC has signed-in u
set to Enabled Windows will check for available updates at the specified interval. If the status is set to Disabled or Not Configured Win
pecify whether automatic updates are enabled on this computer. If the service is enabled you must select one of the four options in the Gr
d will be used.
fication is automatically dismissed after 25 seconds.The method can be set to require user action to dismiss the notification.If you disable
been reached and the restart is automatically executed.Specifies the amount of time prior to a scheduled restart to display the warning re
on is finished.If the status is set to Disabled or Not Configured the default wait time is 15 minutes.Note: This policy applies only when Auto
ndows Update notifications users see. This policy doesnâ€™t control how and when updates are downloaded and installed.Important: if yo
own choice (Hibernate Restart etc.) is the default option in the Shut Down Windows dialog box regardless of whether the 'Install Updates
ws Update while update deferral policies are enabled.Note: This policy applies only when the intranet Microsoft update service this compu
ws Update and other services like Microsoft Update or the Windows Store.Enabling this policy will disable that functionality and may cause
t appear as a choice in the Shut Down Windows dialog box even if updates are available for installation when the user selects the Shut Do
Microsoft update service which uses it to determine which updates should be deployed to this computer.If the intranet Microsoft update
utomatically wake up the system if Windows Update is configured to install updates automatically. If the system is in sleep when the sche
et to Enabled Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to the com
r the previous prompt for restart was postponed. If the status is set to Disabled or Not Configured the default interval is 10 minutes.
that did not take place earlier will occur the specified number of minutes after the computer is next started.If the status is set to Disabled
his policy the default max active hours range will be used.
nfigure this policy the PC will restart according to the default schedule.Enabling either of the following two policies will override the above
updates and quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they are offered and au
from the time the restart becomes pending.You can specify the number of days a user can snooze Engaged restart reminder notifications.
twork to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the comput
you disable or do not configure this policy and have no other reboot group policies the user selected active hours will be in effect.If any of
ons.If you disable or do not configure this policy the default notification behaviors will be unchanged.
d updates as well as important updates from Windows Update update service.When disabled or not configured Automatic Updates will con
promote the installation and use of optional software. This policy setting is intended for use in loosely managed environments in which yo
d to affected devices until the issue is resolved.â€¯Enabling this policy can allow an organization to deploy the Feature Update to devices fo
elopment branch that is earliest in a development cycle. These builds are not matched to a specific Windows 10 release.Beta ChannelIdeal
and up to 365 days for the Semi-Annual Channel. Or if the device is updating from the Semi-Annual Channel a version for the device to mo
use quality updates. The pause will remain in effect for 35 days or until you clear the start date field.To resume receiving Quality Updates w
affected computer. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manually spe
via URI context menu in Explorer or other means will result in the front page of Settings being shown instead.This policy has two modes: it
L before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch the keyboard or by dragging
ors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text.
age as the default for all users (it replaces the inbox default image).To use this setting type the fully qualified path and name of the file tha
change it. If the specified background is not supported the default background is used.
image and they will instead see the default image.
them.If the "Force a specific background and accent color" policy is also set on a supported version of Windows then those colors take pr
he camera cannot be invoked on the lock screen.
bled and users cannot enable speech services via settings.

r on that system. If you disable or do not configure this policy setting language packs that are installed as part of the system image bu
omputer or you disable this policy setting the language selection defaults to the language selected by the local administrator.If you disabl
ged users."â€¯â€¯ If you enable this policy setting theâ€¯installation of language packs and language featuresâ€¯isâ€¯preventedâ€¯for
s the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages.If you
cludes all outgoing messages in Windows Mail and MAPI enabled email clients as well as URLs from the Internet Explorer browser history.
ctures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the default picture
tion time may be longer than required by "Password Settings" policy.
m: 365 days Default: 30 days

ecommended): Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administrators is
nts the Flash control from being loaded whether directly referenced by the document or indirectly by another embedded object.2. "Block
ure LanmanWorkstation dependencies" text box enter the following three lines of text:BowserMRxSmb20NSITo restore the default behavi
2012 you must also configure the "Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)" setting.To restore default SMB
this setting the system will not limit installation of print drivers to this computer.Additional Information: https://support.microsoft.com/e
eries the name server first and then broadcasts.Resolution through LMHOSTS or DNS follows these methods. If the NodeType value is pre
Restores the Windows default behavior for "Run As Different User."
ute legacy JScript for the Internet or Restricted Sites zones and users arenâ€™t notified by the application that legacy JScript execution is r
2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.Update KB2871997 must first be installed to disable
omain controllers. This value is specified in minutes.If you disable or do not configure this policy setting the default value of 15 minutes ap
hem available to other BITS peers. When transferring a download job BITS first requests the files for the job from its peers in the same IP su
che. If you disable or do not configure this policy setting the BITS client uses Windows Branch Cache. Note: This policy setting do
no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However the compute
l no longer cache downloaded files and offer them to its peers. However the computer will still download files from peers. If you disa
days the maximum age of files in the cache. You can enter a value between 1 and 120 days. If you disable or do not configure this po
al system disk for the peercache. If you enable this policy setting you can enter the percentage of disk space to be used for the BITS pe
fault BITS uses a maximum download time of 90 days (7776000 seconds). If you enable this policy setting you can set the maximum jo
h to 10 Kbps from 8:00 A.M. to 5:00 P.M. and use all available unused bandwidth the rest of the day's hours. If you enable this policy s
erface. For example if a computer has both a 100 Mbps network card and a 56 Kbps modem and both are active BITS will use a maximum
um number of BITS jobs a user can create to the specified number. If you disable or do not configure this policy setting BITS will use th
S will limit the maximum number of BITS jobs to the specified number. If you disable or do not configure this policy setting BITS will u
d number. If you disable or do not configure this policy setting BITS will use the default value of 200 for the maximum number of files
added to a file to the specified number. If you disable or do not configure this policy setting BITS will limit ranges to 500 ranges per fi
ou can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by
separate set of network bandwidth limits and set up a schedule for the maintenance period. You can specify a limit to use for backgr
ned in a work schedule are considered non-work hours. If you enable this policy setting you can set up a schedule for limiting networ
leted from the disk. Note: Any property changes to the job or any successful download action will reset this timeout. Consider in
m the main office over a Wide Area Network (WAN) link. When you configure a value for this setting which is the maximum round trip net
fferent versions of BranchCache might store cache data in incompatible formats.If you enable this policy setting all clients use the version o
s that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for
e policy setting is applied search for hosted cache servers using Active Directory and will prefer both these servers and hosted cache mode
t one of the following:- Not Configured. With this selection BranchCache client computer cache age settings are not applied to client comp
BranchCache-enabled main office content servers cache the content locally and serve the content to other BranchCache distributed cache
able to download cached content from a hosted cache server that is located at the branch office. In addition when the hosted cache client
rcent of the total disk space on the client computer.Policy configurationSelect one of the following:- Not Configured. With this selection Br
ache Distributed Cache mode- Set BranchCache Hosted Cache mode- Configure Hosted Cache ServersPolicy configurationSelect one of the
ified domain name (FQDN) that resolves to an IPv6 address or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:2002
is â€œCorporate Connectionâ€.
cess client computer connection is using. In default configurations of DirectAccess there are typically two IPsec tunnel endpoints: one for
er normal name resolution is available to the client computer in its current network configuration including sending all DNS queries to the
rated log files as a .html file. The user can review the message and add additional information before sending the message.
If this setting is not configured the entry for DirectAccess connectivity appears.
orp.contoso.com." is an example of a fully qualified name because it contains a terminating dot.For example if attaching suffixes is allowed
ure this policy setting NetBT queries will only be issued for single-label names such as "example" and not for multi-label and fully qualified
ing options from the drop-down list:Prohibit DoH: No DoH name resolution will be performed.Allow DoH: Perform DoH queries if the confi
network connections used by computers that receive this policy setting.If you disable this policy setting or if you do not configure this polic
his policy setting you must enter at least one IP address.If you enable this policy setting the list of DNS servers is applied to all network con
receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example a DNS query for the single-
ections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network conn
erted to the Nameprep form.
and NetBIOS over TCP/IP (NetBT).If you enable this policy setting responses from link local protocols will be preferred over DNS response
e it you must restart Windows.If you enable this policy setting it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIO
essfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a s
d so on stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user o
ming dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffi
etermined by the option that you choose under Register PTR records.To use this policy setting click Enabled and then select one of the foll
record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically
s and does not allow a DNS client to overwrite records that are registered by other computers.During dynamic update of resource records
d to DNS resource records registered for all network connections used by computers that receive this policy setting.If you disable this poli
DNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
nabled. LLMNR does not require a DNS server or DNS client configuration and provides name resolution in scenarios in which conventiona
work binding order is used to determine which response to accept.If you enable this policy setting the DNS client will not perform any opti
able this policy setting the DNS client will prefer DNS responses followed by LLMNR followed by NetBT for all networks. If you disable this
es.Only secure - computers send only secure dynamic updates.If you enable this policy setting computers that attempt to send dynamic D
thoritative zone is a top-level domain or root zone.If you enable this policy setting computers send dynamic updates to any zone that is au
eded to format or render text. If you disable this policy setting Windows does not connect to an online font provider and only enumera
y on subsequent attempts. Credentials can also be configured by network operators.If you enable this policy setting or if you do not config
is used.SMB 3.11 cipher suites:AES_128_GCMAES_128_CCMAES_256_GCMAES_256_CCMSMB 3.0 and 3.02 cipher suites:AES_128_CCMH
ed.Policy configurationSelect one of the following:- Not Configured. With this selection hash publication settings are not applied to file ser
ed content information for that version is the only type that is generated by BranchCache and it is the only type of content information th
nfigure this policy setting the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher suites.N
s used.SMB 3.11 cipher suites:AES_128_GCMAES_128_CCMAES_256_GCMAES_256_CCMSMB 3.0 and 3.02 cipher suites:AES_128_CCMH
re used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment insecure guest l
ssing a large number of unstructured data files on CA shares running in Microsoft Azure Files. If you disable or do not configure this po
ed share. Pinning of files on CA-enabled shares using client-side caching will also be possible. If you disable or do not configure this po
cy setting additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to all
ndwidth estimation and network health analysis.If you enable this policy setting additional options are available to fine-tune your selectio
an what would be allowed for a login password.This setting controls this validation behavior. If set to 1 then this validation will not be per
ned off.If you disable this setting or do not configure it the peer-to-peer protocols will be turned on.
ot detect that client and initiate sessions with it.If you enable this policy setting this computer cannot register PNRP names and cannot hel
peer can be used as a seed server. No configuration is needed for the seed server itself.This setting provides the added flexibility of allowi
ng multicast on the same subnet. That is PNRP publishes itself on the local subnet so that other computers can find it when needed.If you
P) connections. The PNRP cloud is a group of connected PNRP nodes in which connections exist between peers so that a node in the PNRP
etting the seed server to a specified node in an enterprise.To use this setting click Enable and then enter a semicolon-delimited list of IPV6
using multicast on the same subnet. That is PNRP publishes itself on the local subnet so that other computers can find it when needed.If yo
setting the seed server to a specified node in an enterprise.To use this setting click Enable and then enter a semicolon-delimited list of DNS
using multicast on the same subnet. That is PNRP publishes itself on the local subnet so that other computers can find it when needed.If yo
onnected to a network with local access only.
her than the one it was connected to when the setting was refreshed this setting does not apply.The Network Bridge allows users to creat
ected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is connected
on and addressing through DHCP to the local private network.If you enable this setting ICS cannot be enabled or configured by administra
t DirectAccess establishes between the computer and the internal network or directly through the local default gateway.If you enable this
its unsolicited messages. This policy setting overrides other policy settings that would block those messages.If you disable or do not config
Defender Firewall blocks echo request messages sent by Ping running on other computers but it does not block outbound echo request m
addresses or subnets from which these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel th
calls (RPC) and Distributed Component Object Model (DCOM). Additionally on Windows XP Professional with at least SP2 and Windows Se
these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel the "Remote Desktop" check box is
n receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the W
he Windows Defender Firewall component in Control Panel allows administrators to define a local port exceptions list.If you disable this po
olicy setting the Windows Defender Firewall component in Control Panel allows administrators to define a local program exceptions list.If y
ables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information abo
d change the inbound port exceptions list defined by Group Policy. To view this port exceptions list enable the policy setting and then click
d change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled that program ca
check box is selected and administrators cannot clear it. You should also enable the "Windows Defender Firewall: Protect all network conn
ndows Defender Firewall allows the display of these notifications. In the Windows Defender Firewall component of Control Panel the "Noti
o not configure this policy setting and this computer sends a multicast or broadcast message to other computers Windows Defender Firew
g Windows Defender Firewall does not run. This is the only way to ensure that Windows Defender Firewall does not run and administrato
Defender Firewall blocks echo request messages sent by Ping running on other computers but it does not block outbound echo request m
addresses or subnets from which these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel th
calls (RPC) and Distributed Component Object Model (DCOM). Additionally on Windows XP Professional with at least SP2 and Windows Se
these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel the "Remote Desktop" check box is
n receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. In the W
he Windows Defender Firewall component in Control Panel allows administrators to define a local port exceptions list.If you disable this po
olicy setting the Windows Defender Firewall component in Control Panel allows administrators to define a local program exceptions list.If y
ables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and information abo
d change the inbound port exceptions list defined by Group Policy. To view this port exceptions list enable the policy setting and then click
d change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled that program ca
check box is selected and administrators cannot clear it. You should also enable the "Windows Defender Firewall: Protect all network conn
ndows Defender Firewall allows the display of these notifications. In the Windows Defender Firewall component of Control Panel the "Noti
o not configure this policy setting and this computer sends a multicast or broadcast message to other computers Windows Defender Firew
g Windows Defender Firewall does not run. This is the only way to ensure that Windows Defender Firewall does not run and administrato
outside the network.
urces are considered connections to enterprise networks.If a proxy is paired with a cloud resource traffic to the cloud resource will be rout
ied networks can access the Internet without relying on the Private Network capability. However in most situations Windows Network Iso
onfigure a set of proxies that provide access to intranet resources.If you disable or do not configure this policy setting Windows Network I
nd only if the app has declared the Home/Work Networking capability.Windows Network Isolation attempts to automatically discover priv
p Policy are authoritative. This applies to both Internet and intranet proxies.If you disable or do not configure this policy setting Windows N
nt. Only network hosts within the address ranges configured via Group Policy will be classified as private.If you disable or do not configure
tting you can use the "Action" box to specify how computers in the group respond.-- "Work offline" indicates that the computer can use lo
iles is disabled and users cannot enable it.If you do not configure this policy setting Offline Files is enabled on Windows client computers a
automatically and manually cached copies are retained on the user's computer for later offline use.Caution: Files are not synchronized bef
Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to override
to a server when the presence of a server is detected.If you enable this setting you can configure the threshold value that will be used to d
ode all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline.If you enable this policy settin
ng can be set on any network share. When a user opens a file on the share the system automatically stores a copy of the file on the user's
configure this policy setting a user can create a file of any type in the folders that have been made available offline.
charges on cell phone or broadband plans.If this setting is disabled or not configured synchronization will not run in the background on ne
s and decreases bandwidth consumption over WAN links.The cached files are temporary and are not available to the user when offline. Th
che are encrypted. This includes existing files as well as files added later. The cached copy on the local computer is affected but the associ
want Offline Files to record.To use this setting in the "Enter" box select the number corresponding to the events you want the system to l
f this type available offline the operation will fail and the following message will be displayed in the Synchronization Manager progress dia
utes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder.This setting appears in the Com
the ability to adjust through the Offline Files control panel applet the disk space limits on the Offline Files cache. This prevents users from
column box type the server's computer name. Then in the Value column box type "0" if users can work offline when they are disconnecte
ation.This setting does not prevent users from working offline or from saving local copies of files available offline. Also it does not prevent
ot view or change the options on the Offline Files tab or Offline Files dialog box.This is a comprehensive setting that locks down the config
By default the first reminder for an event is displayed for 30 seconds. Then updates appear every 60 minutes and are displayed for 15 seco
r 15 seconds. You can use this setting to change the duration of the update reminder.This setting appears in the Computer Configuration a
ble or do not configure this policy setting users can manually specify files and folders that they want to make available offline.Notes:This p
dialog box in the Value Name column box type the fully qualified UNC path to the file or folder. Leave the Value column field blank.If you
offline" command is displayed in File Explorer.
n the Show Contents dialog box in the Value Name column type the fully qualified UNC path to the file or folder. Leave the Value column fi
e all folders within that folder are also made available offline. Also new folders that you create within a folder that is available offline are m
l synchronization ensures that offline files are complete and current.If you disable this setting the system only performs a quick synchroniz
ogon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon synchroniza
es that all cached files and folders are up-to-date with the most current version.If you disable or do not configuring this setting files are no
ble this setting the system hides the reminder balloons and prevents users from displaying them.If you disable the setting the system disp
nized later.If you disable this policy setting all administratively assigned folders are synchronized at logon.
ed to a network adapter for transmission but which have not yet been sent.If you enable this setting you can limit the number of outstandi
ult.If you enable this setting you can use the "Bandwidth limit" box to adjust the amount of bandwidth the system can reserve.If you disab
e system usually units of 10 microseconds.If you disable this setting or do not configure it the setting has no effect on the system.Importan
ble this setting you can change the default DSCP value associated with the Best Effort service type.If you disable this setting the system use
If you enable this setting you can change the default DSCP value associated with the Controlled Load service type.If you disable this setting
nable this setting you can change the default DSCP value associated with the Guaranteed service type.If you disable this setting the system
n.If you enable this setting you can change the default DSCP value associated with the Network Control service type.If you disable this setti
able this setting you can change the default DSCP value associated with the Qualitative service type.If you disable this setting the system u
ou enable this setting you can change the default DSCP value associated with the Best Effort service type.If you disable this setting the syst
cation.If you enable this setting you can change the default DSCP value associated with the Controlled Load service type.If you disable this
f you enable this setting you can change the default DSCP value associated with the Guaranteed service type.If you disable this setting the
ification.If you enable this setting you can change the default DSCP value associated with the Network Control service type.If you disable t
you enable this setting you can change the default DSCP value associated with the Qualitative service type.If you disable this setting the sy
rvice type.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority value for this service ty
ntrolled Load service type.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority value f
ed service type.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority value for this serv
Network Control service type.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority valu
u disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority value for nonconforming packets is s
service type.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority value for this service
munity recognized by the SNMP service while a community is a group of hosts (servers workstations hubs and routers) that are administere
minal values and monitoring network events.The manager is located on the host computer on the network. The manager's role is to poll th
ng allows you to configure the name of the hosts that receive trap messages for the community sent by the SNMP service. A trap message
====curve25519NistP256NistP384To See all the curves supported on the system Use the following command:CertUtil.exe -DisplayEccCurv
d=517265
host.If you disable or do not configure this policy setting the local host setting is used and you cannot specify a relay name for a 6to4 host.
u disable or do not configure this policy setting the local host setting is used.
al representation of the global IPv4 address (w.x.y.z) assigned to a site.If you disable or do not configure this policy setting the local host s
e to configure IP-HTTPS with one of the following settings:Policy Default State: The IP-HTTPS interface is used when there are no other con
isable or do not configure this policy setting the local host setting is used.
onfigure this policy setting the local host setting is used.If you enable this policy setting you can configure ISATAP with one of the following
e a UDP port for the Teredo client.If you disable or do not configure this policy setting the local host setting is used.
ng contains only one state:Policy Enabled State: If Default Qualified is enabled Teredo will attempt qualification immediately and remain q
port mapping in the translation table of the Teredo client's NAT device.If you enable this policy setting you can specify the refresh rate. If y
local settings on the computer are used to determine the Teredo server name.
e of the following settings:Default: The default state is "Client."Disabled: No Teredo interfaces are present on the host.Client: The Teredo i
mits will be disabled and system will not limit the number of autoconfigured addresses and routes.
ttings are used.If you enable this policy setting Window Scaling Heuristics will be enabled and system will try to identify connectivity and t
able to allow discovery and configuration over a specific medium. If you enable this policy setting additional choices are available to turn o
isable or do not configure this policy setting users can access the wizard tasks including "Set up a wireless router or access point" and "Add
nfigured or is disabled power management is enabled when the machine enters connected standby mode.
ndows will disconnect a computer from a network immediately when it determines that the computer should no longer be connected to a
domain or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. This was
When the computer is already connected to a domain based network all automatic connection attempts to non-domain networks are blo
If this policy setting is not configured or is disabled clients are allowed to connect to roaming provider Mobile Broadband networks.
pairing is preferred (if allowed by other policies).
arily preferred).
Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this connection is not restr
y crowdsourcing networks that other people using Windows have connected to."Connect to networks shared by my contacts" enables Win
he default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can acce
is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this connection is not restricted by usage charge
on is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this connection is not restricted by usage char
this policy setting is disabled or is not configured the link to the per-application cellular access control page is showed by default.
rnet printing is an extension of Internet Information Services (IIS). To use Internet printing IIS must be installed and printing support and th
k scan page will not be displayed. If this policy setting is not configured the Add Printer wizard will display the default number of prin
ed.If this setting is not configured the Add Printer wizard will display the default number of printers of each type:TCP/IP printers: 50Web S
ffice Direct Printing jobs.
be shared.The spooler must be restarted for changes to this policy to take effect.
ed printers cannot be published in Active Directory and the "List in directory" option is not available. Note: This settings takes priorit
mputer that published the printers restarts it republishes any deleted printer objects. If you enable this setting or do not configure it t
elatively powerful CPU as compared to the machineâ€™s GPU.
before sending them to the print server. This decreases the workload on the client at the expense of increasing the load on the server.If y
nters. However you can publish shared printers manually. The default behavior is to automatically publish shared printers in Active Dire
MXDW output format is OpenXPS (*.oxps).
is operating. To enable this additional verification enable this setting and then select a verification interval. To disable verifica
Tracking is enabled the system uses the specified location as a criterion when users search for printers. The value you type here overrides
customized for your enterprise. If you disable this setting or do not configure it or if you do not enter an alternate Internet address th
rvice "prunes" (deletes from Active Directory) printer objects the computer has published. By default the pruning service contacts c
uences the order in which the thread receives processor time and determines how likely it is to be preempted by higher priority threads.
to the contact message the message is repeated for the specified number of times. If the computer still fails to respond then the pruning
e installed on the local computer running Windows XP Home Edition and Windows XP Professional.If you do not configure this setting on W
icy setting then all printer extensions will not be allowed to run. If you disable this policy setting or do not configure it then all printer e
or approved USB-connected printers. If you disable this setting or do not configure it there are no restrictions to printing based on co
oler will execute print drivers in an isolated process by default.If you disable this policy setting the print spooler will execute print drivers i
ver cache.If you disable this policy setting the client computer will only search the local driver store and server driver cache for compatible
d 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers depend
SB connected printer is approved for local printing. Type all the approved vid/pid combinations (separated by commas) that corresp
espond to the contact attempt the attempt is retried a specified number of times at a specified interval. The "Directory pruning retry" setti
this setting is disabled or not configured users will not be restricted to package-aware point and print only.
explicitly opt out of Driver Isolation.If you disable or do not configure this policy setting the print spooler uses the Driver Isolation compatib
point and print connections.Windows Vista and later clients will attempt to make a non-package point and print connection anytime a pac
y download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client a printer c
hod uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers.If you enable this setting user
le this setting shared printers are not announced to print browse master servers even if Active Directory is not available.If you do not confi
0 printers published outside their forest. The Windows pruning service prunes printer objects from Active Directory when the comp
ts. The system empties the Recent Items menu on the Start menu and Windows programs do not display shortcuts at the bottom of the Fi
Start in Settings.
gs to Off.Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Se
icy setting the shutdown restart sleep and hibernate commands are removed from the Start menu. The Power button is also removed from
r cannot change to show it using the Settings app.Selecting "Not Configured" or if you disable or do not configure this policy setting all will
ce's Start layout to the desired look and feel. Once you are done run the Export-StartLayout PowerShell cmdlet on that same device. The c
plication services to update tiles. If you enable this policy setting applications and system features will not be able receive notification
t the shutdown or restart is unplanned.If you disable this policy setting the System State Data feature is never activated.If you do not confi
computer. The DLT client can more reliably track links when allowed to use the DLT server. This policy should not be set unless the DLT se
m.If you disable or do not configure this policy setting only the default status messages are displayed to the user during these processes.N
t the Shutdown Event Tracker is displayed when the computer shuts down.If you enable this policy setting and choose "Server Only" from
oved to an encrypted folder.This setting applies only to files moved within a volume. When files are moved to other volumes or if you crea
time an administrator logs on to the server. However if the administrator has selected the "Donâ€™t display this page at logon" option at
Windows shutdown behavior.This setting is only applicable when Windows shutdown is initiated by software programs invoking the Windo
as internally registered the required components.If you enable this policy setting and a component registration is missing the system searc
can specify the Timestamp Interval in seconds.If you disable this policy setting the Persistent System Timestamp is turned off and the timin
le their system starts or shuts down or while users log on or off.
policy setting. If you enable this policy setting the commands function only for .chm files in the specified folders and their subfolders.
If you disable or do not configure this policy setting users can run all applications from online Help. Note: You can also restrict use
on and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new locatio
up was run on the system.
sed during the last time Windows Service Pack Setup was run on the system.
that they use system memory safely. If you enable this policy setting DEP for HTML Help Executable is turned off. This will allow certa
enable this policy setting users receive a customized Access Denied message from the file servers on which this policy setting is applied. If
e program online at http://go.microsoft.com/fwlink/?LinkID=184686.
Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable package refre
m minutes of random delay on top of the reporting time. For a busy system the random delay will help reduce the server load. Repea
t log as part of the Audit Process Creation event 4688 "a new process has been created" on the workstations and servers on which this po
entials can be delegated (default credentials are those that you use when first logging on to Windows).The policy becomes effective the ne
entials are those that you use when first logging on to Windows).If you disable or do not configure (by default) this policy setting delegatio
an be delegated (fresh credentials are those that you are prompted for when executing the application).If you do not configure (by defaul
als are those that you are prompted for when executing the application).If you do not configure (by default) this policy setting after prope
can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).If you do not con
tials are those that you elect to save/remember using the Windows credential manager).If you do not configure (by default) this policy setti
able or do not configure (by default) this policy setting this policy setting does not specify any server.Note: The "Deny delegating default cr
you disable or do not configure (by default) this policy setting this policy setting does not specify any server.Note: The "Deny delegating fr
ntial manager).If you disable or do not configure (by default) this policy setting this policy setting does not specify any server.Note: The "De
his policy allows you to set the level of protection desired for the encryption oracle vulnerability.If you enable this policy setting CredSSP ve
Remote Credential Guard mode.If you disable or do not configure this policy setting Restricted Administration and Remote Credential Guar
does not limit access to resources because it redirects all requests back to the client device.Participating apps:Remote Desktop ClientIf yo
his policy the machine must be rebooted. The file path must be either a UNC path (for example \\ServerName\ShareName\SIPolicy.p7b) o
will only be enabled on correctly configured devices.Virtualization Based Protection of Code IntegrityThis setting enables virtualization base
h Attestation Service validates the security state and health of the devices and makes the findings accessible to enterprise administrators v
ds for a device installation task to complete before terminating the installation.

rt is sent when a generic driver is installed.
les you to more easily restore your system to its state before the activity. If you enable this policy setting Windows does not create a syste
System and Security > System > Advanced System Settings > Hardware tab).If you disable or do not configure this policy setting the settin
r.If you disable or do not configure this policy setting Windows sends an error report when a device driver that requests additional softwar
d at all.If you enable or do not configure this policy setting drivers that are signed by a Microsoft Windows Publisher certificate and drivers
mpt to search Windows Update exactly one time. With this setting Windows will not continually search for updates. This setting is used to
h the Managed Server such as a Windows Server Update Services (WSUS) server. Only if no update is found will Windows then also search
eing installed unless the driver for the device suppresses the balloons.
date the drivers for any device. If you enable this policy setting on a remote desktop server the policy setting affects redirection of the spe
tion take precedence over this one.If you enable this policy setting Windows is allowed to install or update any device whose Plug and Pla
edence over this one.If you enable this policy setting Windows is allowed to install or update any device whose Plug and Play device instan
evice installation take precedence over this one.If you enable this policy setting Windows is allowed to install or update device drivers who
installation.If you disable or do not configure this policy setting Windows displays a default title in a notification when a policy setting prev
r do not configure this policy setting Windows displays a default message when a policy setting prevents device installation.
f these device IDs" the "Allow installation of devices for these device classes" or the "Allow installation of devices that match any of these
g a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server t
ose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server the policy setting affects r
rom installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a
o which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.I
e system does not force a reboot.Note: If no reboot is forced the device installation restriction right will not take effect until the system is
em determines the data that will be stored in the NV cache to optimize boot and resume. The required data is stored in the NV cache durin
stem tries to save power by aggressively spinning down the disk.If you do not configure this policy setting the default behavior is to allow t
the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun dow
s allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. Note that this can c
disk quota to both fixed and removable media.
rs cannot turn it on.If this policy setting is not configured disk quota management is turned off by default but administrators can turn it on
disk space to users exceeding quota limit" option on the Quota tab so administrators cannot make changes while the setting is in effect.If y
tting no event is recorded. Also when you enable or disable this policy setting the system disables the "Log event when a user exceeds the
m disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot c
ries window changes to indicate that the user is approaching the disk quota limit.This setting overrides new usersâ€™ settings for the disk
) connect remotely from a device with a different display scale factor or manually change the display scale factor) many desktop applicatio
patibility database ApplicationCompatibility UI System (Enhanced) setting or an application manifest.If you disable or do not configure thi
y setting GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatibility da
will look for an entry in the locally configured list.If you disable this policy setting DCOM will not look in the locally configured DCOM activa
en this policy setting is configured unless the "Allow local activation security check exemptions" policy is enabled.DCOM server appids add
according to Windows Driver Signing Policy or be signed by publishers already in the TrustedPublisher store.If you disable or do not configu
settings" is disabled or not configured.If you enable this setting administrators will not be prompted to search Windows Update.If you dis
not been tampered with.- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to
nnected Enhanced Storage devices are allowed.If you disable or do not configure this policy setting USB Enhanced Storage devices connec
not configure this policy setting all Enhanced Storage devices are usable on your computer.
puter.If you disable or do not configure this policy setting all IEEE 1667 silos on Enhanced Storage devices are usable on your computer.
are allowed on your computer.
device state is not changed when the computer is locked.

operties defined on individual file servers by using File Classification Infrastructure which is part of the File Server Resource Manager role s
le servers by using File Classification Infrastructure which is part of the File Server Resource Manager role service.If you enable this policy
age between File Server VSS provider and File Server VSS Agent is signed but not encrypted. Note: To make changes to this setting effectiv
to the Windows Help sectionNOTE: If this policy is Disabled or Not Configured local administrators may select the types of symbolic links
cost of additional memory consumption.A reboot is required for this setting to take effect
current IO operations.Values with special meaning: 0: Use the system calculated default 1: Disable parallel flushThe default value and
ble them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis then a
remote office.To designate a user's primary computers an administrator must use management software or a script to add primary comp
ndows 7 Windows 8 and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Menu or leg
ngs synchronously.If you enable this policy setting Windows applies user Group Policy settings asynchronously when logging on through Re
ure this policy setting:- No user-based policy settings are applied from the user's forest.- Users do not receive their roaming profiles; they
that were used to create the GPO while editing this GPO.This leads to the following behavior:- If you originally created the GPO with for e
ow network connection is detected Group Policy processing will always run in an asynchronous manner.Client computers will not wait for t
ess across a slow network connection to be applied during background processing and to process even if the Group Policy objects (GPOs)
process across a slow network connection to be applied during background processing and to process even if the Group Policy objects (GP
ow network connection to be applied during background processing and to process even if the Group Policy objects (GPOs) are unchanged
eed information. If Group Policy detects a bandwidth speed Group Policy will follow the normal rules for evaluating if the Direct Access co
ting the disk quota policy set when it was installed.If you enable this policy setting you can use the check boxes provided to change the opti
ess across a slow network connection to be applied during background processing and to process even if the Group Policy objects (GPOs) a
when it was installed.If you enable this policy setting you can use the check boxes provided to change the options. If you disable or do not
ms are allowed to process across a slow network connection to be applied during background processing and to process even if the Group
ork connection to be applied during background processing and to process even if the Group Policy objects (GPOs) are unchanged. By defa
pen With and File Type preference items are allowed to process across a slow network connection to be applied during background proces
r Group Policy objects on the local computer.This policy setting overrides customized settings that the program implementing the folder r
ow network connection to be applied during background processing and to process even if the Group Policy objects (GPOs) are unchanged
hronous foreground mode it refers to this cache which enables it to run faster. When the cache is read Group Policy attempts to contact a
tem's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow
slow network connection to be applied during background processing and to process even if the Group Policy objects (GPOs) are unchang
rogram implementing the Internet Explorer Maintenance policy set when it was installed.If you enable this policy setting you can use the c
ss across a slow network connection to be applied during background processing and to process even if the Group Policy objects (GPOs) ar
hat the program implementing the IP security policy set when it was installed.If you enable this policy setting you can use the check boxes
Group preference items are allowed to process across a slow network connection to be applied during background processing and to proce
disk contention. If you enable this policy setting Group Policy will wait for the specified amount of time before running logon scripts.
and DUN Connection preference items are allowed to process across a slow network connection to be applied during background processi
owed to process across a slow network connection to be applied during background processing and to process even if the Group Policy ob
wer Scheme preference items are allowed to process across a slow network connection to be applied during background processing and to
P/IP Printer and Local Printer preference items are allowed to process across a slow network connection to be applied during background p
allowed to process across a slow network connection to be applied during background processing and to process even if the Group Policy
icy setting you can use the check boxes provided to change the options. If you disable or do not configure this policy setting it has no effec
a slow network connection to be applied during background processing and to process even if the Group Policy objects (GPOs) are unchan
Immediate Task preference items are allowed to process across a slow network connection to be applied during background processing a
enable this policy setting you can use the check boxes provided to change the options. If you disable or do not configure this setting it has
talled.If you enable this policy setting you can use the check boxes provided to change the options. If you disable or do not configure this p
slow network connection to be applied during background processing and to process even if the Group Policy objects (GPOs) are unchang
ss a slow network connection to be applied during background processing and to process even if the Group Policy objects (GPOs) are unch
d in Active Directory not for Group Policy Objects on the local computer.This policy setting overrides customized settings that the program
ess across a slow network connection to be applied during background processing and to process even if the Group Policy objects (GPOs) a
at is being used.By default the user's Group Policy Objects determine which user settings apply. If this setting is enabled then when a user
hing the associated app.If you do not configure this policy setting the default behavior depends on the Windows edition. Changes to this p
work set when it was installed.If you enable this policy you can use the check boxes provided to change the options.If you disable this setti
eless network set when it was installed.If you enable this policy you can use the check boxes provided to change the options.If you disable
his policy setting the Windows device is not discoverable by other devices and cannot participate in cross-device experiences.If you do no
ctive users can generate RSoP.Note: This policy setting does not affect administrators. If you enable or disable this policy setting by defaul
ns in synchronous foreground mode it refers to this cache which enables it to run faster. When the cache is read Group Policy attempts to
u disable this policy setting the Windows device is not allowed to be linked to Phones will remove itself from the device list of any linked P
default behavior applies. By default computer policy is applied when the computer starts up. It also applies at a specified refresh interval o
en the system starts.By default computer Group Policy is updated in the background every 90 minutes with a random offset of 0 to 30 min
e this setting you can specify an update rate from 0 to 64800 minutes (45 days). If you select 0 minutes the domain controller tries to upda
omputer is not blocked and policy processing will occur in the background. In either case configuring this policy setting overrides any system
the computer is not blocked and policy processing will occur in the background. In either case configuring this policy setting overrides any
disable or do not configure this policy setting updates can be applied while users are working. The frequency of updates is determined by t
to ensure that only domain-based GPOs are applied.If you enable this policy setting the system does not process and apply any Local GPO
nsion settings that were included.If you enable this setting RSoP logging is turned off.If you disable or do not configure this setting RSoP log
turn on tracing for the Applications extension for client computers.If you disable or do not configure this policy setting by default event log
d turn on tracing for the Data Sources extension for client computers.If you disable or do not configure this policy setting by default event
acing for the Devices extension for client computers.If you disable or do not configure this policy setting by default event logging for this e
rn on tracing for the Drive Maps extension for client computers.If you disable or do not configure this policy setting by default event loggin
d turn on tracing for the Environment extension for client computers.If you disable or do not configure this policy setting by default event l
or the Files extension for client computers.If you disable or do not configure this policy setting by default event logging for this extension i
and turn on tracing for the Folder Options extension for client computers.If you disable or do not configure this policy setting by default e
acing for the Folders extension for client computers.If you disable or do not configure this policy setting by default event logging for this ex
acing for the Ini Files extension for client computers.If you disable or do not configure this policy setting by default event logging for this ex
racing for the Internet extension for client computers.If you disable or do not configure this policy setting by default event logging for this
n configure event logging and turn on tracing for the Local User and Local Group extension for client computers.If you disable or do not con
ging and turn on tracing for the Network Options extension for client computers.If you disable or do not configure this policy setting by de
ng and turn on tracing for the Network Shares extension for client computers.If you disable or do not configure this policy setting by defau
and turn on tracing for the Power Options extension for client computers.If you disable or do not configure this policy setting by default e
racing for the Printers extension for client computers.If you disable or do not configure this policy setting by default event logging for this e
ging and turn on tracing for the Regional Options extension for client computers.If you disable or do not configure this policy setting by de
racing for the Registry extension for client computers.If you disable or do not configure this policy setting by default event logging for this
ing and turn on tracing for the Scheduled Tasks extension for client computers.If you disable or do not configure this policy setting by defa
racing for the Services extension for client computers.If you disable or do not configure this policy setting by default event logging for this
n tracing for the Shortcuts extension for client computers.If you disable or do not configure this policy setting by default event logging for
rn on tracing for the Start Menu extension for client computers.If you disable or do not configure this policy setting by default event loggin
y setting all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can
s menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical up
ore service to find an application.If you enable this policy setting the "Look for an app in the Store" item in the Open With dialog is remove
e issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizati
ading drivers that are not already installed locally.If you enable this policy setting print drivers cannot be downloaded over HTTP.If you dis
is created by a Microsoft component. This text contains a link (URL) that if clicked sends information about the event to Microsoft and allo
andwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure connectio
ting recognition in future versions of Windows.If you enable this policy users cannot start the handwriting recognition error reporting tool
e Help and Support Center no longer retrieves nor displays "Did you know?" content.If you disable or do not configure this policy setting t
earch options.If you enable this policy setting it removes the Knowledge Base section from the Help and Support Center "Set search optio
eving the list of ISPs which resides on Microsoft servers.If you disable or do not configure this policy setting users can connect to Microsoft
a Windows website in addition to providers specified in the registry.If you enable this policy setting Windows does not download provider
b service to find an application.If you enable this policy setting the link and the dialog for using the Web service to open an unhandled file
making its shared printers available via HTTP.If you enable this policy setting it prevents this client from printing to Internet printers over
y setting users can connect to Microsoft.com to complete the online Windows Registration.Note that registration is optional and involves s
o format and display results.If you enable this policy setting Search Companion does not download content updates during searches.If you
e Explorer folders.If you disable or do not configure this policy setting the task is displayed.
eb.If you enable this policy setting these tasks are removed from the File and Folder tasks in Windows folders.If you disable or do not confi
d to improve the product in future releases.If you enable this policy setting Windows Messenger does not collect usage information and th
ddress or any other personally identifiable information. There are no surveys to complete no salesperson will call and you can continue wo
you disable or do not configure this policy setting the errors may be reported to Microsoft via the Internet or to a corporate file share.This
a dedicated Web server or making a DNS request for a dedicated address.If you enable this policy setting NCSI does not run either of the t
local drivers are present.If you do not configure this policy setting searching Windows Update is optional when installing a device.Also see
verrides this one.
nd are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain contr
If you enable this policy setting the following options are supported:Supported: PKInit Freshness Extension is supported on request. Kerbe
ons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled.I
main controllers will request compound authentication. The returned service ticket will contain compound authentication only when the ac
formed by using a global catalog or name suffix hints. If a match is found the KDC will return a referral ticket to the client for the appropria
h then authentication failures might be occurring even though warning events are not being logged. If set too low then there will be too m
ompound authentication" must be configured and enabled in the resource account domain. If you enable this policy setting and the resour
y setting and then click the Show button. To add a mapping enable the policy setting note the syntax and then click Show. In the Show Con
enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm enable the policy setting note the sy
Warning: When revocation check is ignored the server represented by the certificate is not guaranteed valid. If you disable or do not confi
s will fail from computers with this policy setting enabled.If you enable this policy setting the client computers in the domain enforce the u
o create compounded authentication and armor Kerberos messages in domains which support claims and compound authentication for D
hat the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If the com
use Kerberos by generating an SPN. If you enable this policy setting only services running as LocalSystem or NetworkService are allo
sing and group memberships the buffer might be smaller than the actual size of the SSPI context token. If you enable this policy setting the
erver to a domain enable the policy setting click Show and then map the KDC proxy server name(s) to the DNS name for the domain using
gure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy.If you enable
ble this policy setting the deviceÂ’s credentials will be selected based on the following options:Automatic: Device will attempt to authentic
s a referral ticket to the appropriate domain.If you disable or do not configure this policy setting the Kerberos client does not search the lis
policy setting. If you disable this policy setting at the computer level the per-user policy is ignored. If you do not configure this policy settin
If the policy is Enabled then the user will get input methods enabled for the system account on the sign-in page. If the policy is Disabl
windir%\Globalization directory to prevent the installation of locales by unauthorized users.The policy setting "Restrict user locales" can a
till choose alternate locales installed on the system unless prevented by other policies however they will be unable to customize those cho
the specified list.The locale list is specified using language names separated by a semicolon (;). For example en-US is English (United State
his list.To set this policy setting on a per-user basis make sure that you do not configure the per-computer policy setting.The locale list is sp
d when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device lock
ot configure this policy setting Windows uses the default Windows logon background or custom background.
o be fully initialized at startup and logon. Existing users are logged on using cached credentials which results in shorter logon times. Group
er tile.Note: A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTWARE\M
er belongs to the Fabrikam domain the default domain for user logon is Fabrikam. If you enable this policy setting the default logon domain
he network or can connect the PC to other available networks without signing into Windows.
nu or by typing ""Welcome"" in the Run dialog box.If you disable or do not configure this policy the welcome screen is displayed each time
es that the system starts.If you enable this policy setting the system ignores the run list for Windows Vista Windows XP Professional and W
icy setting the system ignores the run-once list.If you disable or do not configure this policy setting the system runs the programs in the ru
Card. An administrator can install additionalcredential providers for different sets of credentials(for example to support biometric authenti
ace appear are in the Logon UI the Start menu and the Task Manager.If you disable or do not configure this policy setting the Switch User
how. In the Show Contents dialog box in the Value column type the name of the executable program (.exe) file or document file. To specify
d the opt-in prompt for services during their first sign-in.If you enable this policy setting Microsoft account users will see the opt-in promp
ain password will be cached in the system vault when using this feature.
password will be cached in the system vault when using this feature.To configure Windows Hello for Business use the Administrative Temp
r positions. Bits can be set to either 0 (setting is forced off) 1 (setting is forced on) or ? (setting retains its existing value prior to GPO evalua
this feature into your organization you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issu
t Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algor
ay want to disable this feature if the PDC emulator is located over a slow WAN connection.If you enable this policy setting the DCs to which
d access to files on the share even when the caller has only read permission.If you disable or do not configure this policy setting the Netlo
ame>[1B] NetBIOS name if it hasnâ€™t already been successfully added.None of these operations are critical. 15 minutes is optimal in all
ess to files on the share even when the caller has only read permission.When this setting is disabled or not configured the SYSVOL share wi
policy setting it is not applied to any computers and computers use their local configuration.
gged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting.If you specif
aved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.If you disable or do
this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0.Warning: If t
have not specified the DS_BACKGROUND_ONLY flag.The default value for this setting is 30 minutes (1800). The maximum value for this se
site to which a computer belongs is not specified the computer automatically discovers its site from Active Directory.If you do not configu
s reached no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval p
0). The minimum value for this setting is 0.This setting is relevant only to those callers of DsGetDcName that have specified the DS_BACKG
hat value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached.The defaul
his setting is (4294967200) while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treate
nning a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a
mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message.T
chanism.NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure
iency of the location algorithm. As long as the cached domain controller meets the requirements and is running DC Locator will continue t
The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such
ed in the SRV recordâ€™s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the
in seconds (for example the value "900" is 15 minutes).If you do not configure this policy setting it is not applied to any DCs and DCs use th
ity value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the
uted the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a m
e mnemonics from the following list:Mnemonic Type DNS RecordLdapIpAddress A <DnsDomainName>Ldap SRV _ldap._t
amically register DC Locator DNS resource records through dynamic DNS update-enabled network connections.If you disable this policy setti
Cs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS serve
where the DC resides and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that a
S SRV records for those sites without a DC that are closest to it. The DC Locator DNS records are dynamically registered by the Net Logon se
SRV records for those sites without a GC that are closest to it. The GC Locator DNS records and the site-specific SRV records are dynamical
find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are f
d to locate the DC.If you enable this policy setting the DCs to which this setting is applied dynamically register DC Locator site-specific DNS
f the AllowSingleLabelDnsDomain policy setting is enabled.By default when no setting is specified for this policy the behavior is the same a
omain controller hosting an Active Directory domain specified with a single-label name.If you enable this policy setting computers to which
previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedur
ct immediately.
ntents cannot be shared to other devices. Policy change takes effect immediately.
ser Activity are independent of this setting. Policy change takes effect immediately.
eed shall disable cloud sync. Policy change takes effect immediately.
set to 0 then storage of previous PINs is not required.Default: 0.

ou configure this policy setting the PIN length must be less than or equal to this number.If you disable or do not configure this policy settin
you configure this policy setting the PIN length must be greater than or equal to this number.If you disable or do not configure this policy
not require digits in the PIN.
y setting Windows allows but does not require lowercase letters in the PIN.
y setting Windows allows but does not require uppercase letters in the PIN.
XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example 103eea6e-9fcd-4544-a713-c282d8e50083) indicating the power plan to be active
tting users control this setting.

tting users control this setting.
fication Action" policy setting.If you disable this policy setting or do not configure it users control this setting.
Action" policy setting.If you disable this policy setting or do not configure it users control this setting.
nd change this setting.
ow Battery Notification Level" policy setting.The notification will only be shown if the "Low Battery Notification Action" policy setting is co
s do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automaticall
s do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should automaticall
y applies to WLAN networks only and is subject to change.If you do not configure this policy setting users control this setting.
y applies to WLAN networks only and is subject to change.If you do not configure this policy setting users control this setting.
the system resumes from sleep.

the system resumes from sleep.
users control this setting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prevent the
users control this setting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prevent the
trol this setting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prevent the sleep tra
trol this setting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prevent the sleep tra
when left unattended. If you specify 0 seconds Windows does not automatically transition to sleep.If you disable or do not configure this p
when left unattended. If you specify 0 seconds Windows does not automatically transition to sleep.If you disable or do not configure this p
l only reduce the brightness of the primary display integrated into the computer.If you disable or do not configure this policy setting users
l only reduce the brightness of the primary display integrated into the computer.If you disable or do not configure this policy setting users
t configure this policy setting users control this setting.
t configure this policy setting users control this setting.
ows uses the same setting regardless of usersâ€™ keyboard or mouse behavior.If you do not configure this policy setting users control this
ows uses the same setting regardless of usersâ€™ keyboard or mouse behavior.If you do not configure this policy setting users control this
etting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prevent the display from turnin
etting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prevent the display from turnin
er to recover your computer" and "Reinstall Windows" (or "Return your computer to factory condition") appears on the "Advanced recov
nsolicited Offer Remote Assistance.If you enable this policy setting only computers running this version (or later versions) of the operating
not get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.If you do not configure this policy setti
e additional Remote Assistance settings.If you disable this policy setting users on this computer cannot use email or file transfer to ask som
message to display before a user allows a connection to his or her computer.If you enable this policy setting the warning message you spe
w drag-Turn off background"Full optimization" will include the following optimizations:-Use 16-bit color (8-bit color in Windows Vista)-Turn
u disable this policy setting RPC clients will not authenticate to the Endpoint Mapper Service but they will be able to communicate with th
d to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag but some applications written for the traditional delegation mo
me defaults to "Auto2" level.If you do not configure this policy setting the RPC defaults to "Auto2" level. If you enable this policy setting yo
he extended error information by using standard Windows application programming interfaces (APIs).If you disable this policy setting the R
lf. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should never be
onnections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Proxy to use
configure this policy setting write and read accesses are allowed to all removable storage classes.
able storage devices in remote sessions.
able the policy setting "Deny write access to drives not protected by BitLocker" which is located in "Computer Configuration\Administrative
this setting the operating system does not force a reboot.Note: If no reboot is forced the access right does not take effect until the operati
ss-forest logons without the DNS suffixes being configured.If you disable or do not configure this policy setting user account cross-forest in
uction in the shutdown script as it runs. The instructions appear in a command window.If you disable or do not configure this policy settin
pt as it runs. Instructions appear in a command window. This policy setting is designed for advanced users.If you disable or do not configur
te before the user starts working but it can delay the appearance of the desktop.If you disable or do not configure this policy setting the lo
tartup scripts. As a result startup scripts can run simultaneously.If you disable or do not configure this policy setting a startup cannot run u
Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. For example assume
scripts are run before non-PowerShell scripts during user logon and logoff. For example assume the following scenario: There are three GP
pt processing and records an error event.If you enable this setting then in the Seconds box you can type a number from 1 to 32000 for the
https://en.wikipedia.org/wiki/ROCA_vulnerabilityIf you enable this policy setting the following options are supported:Ignore: during authe
anaged servers.If you enable this policy setting Server Manager uses the refresh interval specified in the policy setting instead of the â€œC
cy setting the Initial Configuration Tasks window is displayed when an administrator logs on to the server.If you do not configure this policy
ot configure this policy setting Server Manager is displayed when a user logs on to the server. However if the "Do not show me this console
a policy disallowing dynamically-generated code.If you disable or do not configure this policy setting these stricter security settings will no
s or GUI applications without visible top-level windows that block or cancel shutdown will not be automatically terminated during shutdow
s Enabled.
ure Storage Sense cadence" group policy.Enabled:Storage Sense is turned on for the machine with the default cadence as â€˜during low fr
ed:Storage Sense will not delete the userâ€™s temporary files. Users cannot enable this setting in Storage settings.Not Configured:By defa
he default is 0 (during low free disk space).Disabled or Not Configured:By default the Storage Sense cadence is set to â€œduring low free d
Storage Sense dehydrates it from the sync root. Supported values are: 0 - 365.If you set this value to zero Storage Sense will not dehydrate
torage Sense will delete it. Supported values are: 0 - 365.If you set this value to zero Storage Sense will not delete files in the userâ€™s Rec
pened before Storage Sense deletes it from Downloads folder. Supported values are: 0 - 365.If you set this value to zero Storage Sense wil
avior of this policy setting depends on the "Turn off System Restore" policy setting.If you enable this policy setting the option to configure S
System Restore is turned off and the System Restore Wizard cannot be accessed. The option to configure System Restore or create a resto
hese root causes will be logged to the event log when detected but no corrective action will be taken. If you select detection troubleshooti
disable or do not configure this policy setting the DPS deletes scenario data once it exceeds 128 megabytes in size.No reboots or service re
n failures are detected the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft w
default recovery behavior for corrupted files.Silent: Detection troubleshooting and recovery of corrupted files will automatically start with
cy setting Windows displays the default alert text in the disk diagnostic message. No reboots or service restarts are required for this policy
DPS) detects and logs S.M.A.R.T. faults to the event log when they occur. If you enable this policy setting the DPS also warns users of S.M.A
roubleshoot and attempt to resolve automatically any heap corruption problems that are handled by the DPS.If you do not configure this
e a problem.If you disable this policy setting MSDT cannot gather diagnostic data.If you do not configure this policy setting MSDT is turned
mpletely troubleshoot the problem. If tool download is restricted it may not be possible to find the root cause of the problem.If you enab
blem.By default the support provider is set to Microsoft Corporation.If you disable this policy setting MSDT cannot run in support mode an
ure how troubleshooting is applied on the user's device. You can select from one of the following values:0 = Do not allow users system fea
e default recovery behavior on Windows client.Silent: Detection troubleshooting and notification of MSI application to reinstall will occur
m for interactive resolution. If you choose detection troubleshooting and resolution Windows will resolve some of these problems silently w
ot configure this policy setting the scripted diagnostics execution engine runs all digitally signed packages.
the Troubleshooting Control Panel.If you disable this policy setting users cannot access or run the troubleshooting tools from the Control
"Do you want the most up-to-date troubleshooting content?"If you enable or do not configure this policy setting users who are connecte
pt to determine their root causes. These root causes will be logged to the event log when detected but no corrective action will be taken.
takes effect only under the following conditions: -- If the diagnostics-wide scenario execution policy is not configured. -- When the Diagno
roblems and attempt to determine their root causes. These root causes will be logged to the event log when detected but no corrective ac
and attempt to determine their root causes. These root causes will be logged to the event log when detected but no corrective action will
nce problems and attempt to determine their root causes. These root causes will be logged to the event log when detected but no correcti
and attempt to determine their root causes. These root causes will be logged to the event log when detected but no corrective action will
r authorization without requiring the user to enter the TPM owner password.You can choose to have the operating system store either th
ommand number 129 is TPM_OwnerReadInternalPub and command number 170 is TPM_FieldUpgrade. To find the command number ass
rt occurring after the next reboot upon user login only if the logged in user is part of the Administrators group for the system. The prompt
ersion 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (wh
The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc" navigating to
e local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_T
ommands to the Trusted Platform Module (TPM) that require authorization.This setting helps administrators prevent the TPM hardware fr
ending commands requiring authorization to the TPM.This setting helps administrators prevent the TPM hardware from entering a lockou
rom sending commands to the Trusted Platform Module (TPM) that require authorization.This setting helps administrators prevent the TP
ws 2000 Professional operating systems the default file permissions for the newly generated profile are full control or read and write acces
fer the network's latency and connection speed are determined.This policy setting and related policy settings in this folder together define
computer they are using in case the server that stores the roaming profile is unavailable when the user logs on again. The local copy is also
the next system restart all user profiles on the computer that have not been used within the specified number of days. If you disable or do
pond.If you enable this policy setting the system does not detect slow connections or recognize any connections as being slow. As a result
SP4 and Windows XP pre-SP1 operating systems the default file permissions for the newly generated profile are full control access for the
mmended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile.If you ena
nting Windows from loggin on the user with a temporary profile.If you enable this policy setting Windows will not log on a user with a tem
oom computer or on a computer in a remote office.To designate a user's primary computers an administrator must use management softw
e user's computer and the server that stores users' roaming user profiles.-- The system cannot access users' server-based profiles when u
when their profile is deleted. As a result the next time a roaming user whose profile was previously deleted on that client logs on they will
en a user logs off of the computer the system unloads the user-specific section of the registry (HKEY_CURRENT_USER) into a file (NTUSER.
arly when the user logs off this computer the local copy of their profile including any changes they have made is merged with the server co
profile is merged with the local profile. Similarly when the user logs off the computer the local copy of their profile including any changes
ng profile server is detected.In operating systems earlier than Microsoft Windows Vista a dialog box will be shown to the user during logo
k.Note: Windows doesn't wait for the network if the physical network connection is not available on the computer (if the media is disconn
harename\%USERNAME% to give each user an individual profile folder. If not specified all users logging onto this computer will use the sa
s not stop the roaming user profile's registry file from being uploaded at user logoff.If "Run at set interval" is chosen then an interval must
t choose the location for the home folder. If you choose â€œOn the networkâ€ enter the path to a file share in the Path box (for example
tising ID for experiences across apps.
this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that
ogether define the system's response when roaming user profiles are slow to load.If you enable this policy setting the system waits for the
s to the cache until the cache size reaches the quota.If you enable this policy setting enter the maximum amount of disk space to be used
ection to scan files more often.-- "Do not scan during startup" the default scans files only during setup.-- "Scan during startup" also scans
m32\Dllcache directory.Note: Do not put the cache on a network shared directory.
ettings values.For more details on individual parameters combinations of parameter values as well as definitions of flags see https://go.mic
ServerThe Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of ""dnsNameflags"" where ""
al computer clock to synchronize time with NTP servers.If you disable or do not configure this policy setting the local computer clock does
e a list of approved ActiveX Install sites specified by host URL. If you disable or do not configure this policy setting ActiveX controls prom
d site uses the HTTPS protocol this policy setting can also control how ActiveX Installer Service responds to certificate errors. By default al
Windows app can't share app data with other instances of that app. If this policy was previously enabled any previously shared app data w
mputer).If you disable or do not configure this policy setting you cannot install LOB or developer-signed Windows Store apps.
etting appliesMandatory user profiles and super-mandatory profiles which are created by an administratorTemporary user profiles which a
g you cannot develop Microsoft Store apps or install them directly from an IDE.
the system will follow default behavior which is to periodically check for and archive infrequently used apps and the user will be able to co
or install Windows apps on other volumes.
window). All users will still be able to install Windows app packages via the Microsoft Store if permitted by other policies. If you disable
erent volume the users' app data will also move to this volume.
errides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps
es the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can a
e default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can acces
default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can access c
ndows PowerShell cmdlet. A per-app setting overrides the default setting.If you choose the "User is in control" option employees in your o
ault setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can access em
efault setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can access lo
setting overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Wind
he default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can acce
he default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can acc
ult setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can access task
he default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can acc
e default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can acce
es the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can
es the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can a
ckage Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.I
are allowed to be activated with a voice keyword and employees in your organization cannot change it.If you choose the "Force Deny" op
u choose the "Force Allow" option users can interact with applications using speech while the system is locked and employees in your orga
er-app setting overrides the default setting.If you choose the "User is in control" option employees in your organization can decide wheth
ides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps ha
e default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can make
es the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can r
A per-app setting overrides the default setting.If you choose the "User is in control" option employees in your organization can decide wh
overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows ap
n with an enterprise account instead.If you disable or do not configure this policy setting users will need to sign in with a Microsoft account
file type.If you enable this policy setting Windows Store apps cannot open files in the default desktop app for a file type; they can open fil
sktop app.If you enable this policy setting Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they can op
d; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. If you disable or do
at all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.If you disable or don't set this policy setti
To run any 16-bit application or any application with 16-bit components ntvdm.exe must be allowed to run. The MS-DOS subsystem starts
st common issues affecting legacy applications. Enabling this policy setting removes the property page from the context-menus but does n
pplication Help message if the application has a know problem.Turning off the application compatibility engine will boost system performa
ce Improvement program is turned off Application Telemetry will be turned off regardless of how this policy is set.Disabling telemetry will
turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disable
->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy setting the PCA will be turned off. The u
and mouse input user interface data and screen shots. Steps Recorder includes an option to turn on and off data collection.If you enable t
g Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for serve
r's choice of what to do when a device is connected.

program without user intervention. This creates a major security concern as code may be executed without user's knowledge. The d
the floppy disk drive (but not the CD-ROM drive) and on network drives. Starting with Windows XP SP2 Autoplay is enabled for remo
r do not configure this policy setting backups can include both system or data volumes.
ng there is no restriction on locally attached storage or disk being backup target.
n on network share being backup target.
n on optical media being backup target.
on running run-once backups.
dows prevents domain users from logging on to a domain-joined computer using biometrics.Note: Prior to Windows 10 not configuring th
st also configure the "Allow users to log on using biometrics" policy setting.If you disable this policy setting the Windows Biometric Service
main.If you enable or do not configure this policy setting all users can log on to a local Windows-based computer and can elevate permissio
er of seconds the event remains active. This value cannot exceed 60 seconds.If you disable or do not configure this policy setting a default
do not support enhanced anti-spoofing.If you disable or don't configure this setting Windows doesn't require enhanced anti-spoofing for
path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. You can s
ble to configure an encryption algorithm and key cipher strength for fixed data drives operating system drives and removable data drives i
oyment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to compu
oyment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to compu
used to unlock BitLocker-encrypted data in the absence of the required startup key information. The user either can type a 48-digit numer
d on hot plug Thunderbolt PCI ports with no children devices until the user logs in again. Devices which were already enumerated when th
ry will not be overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but will increase
dentifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using the ma
mputers running Windows Server 2008 or Windows Vista.If you enable this policy setting BitLocker recovery information is automatically an
nticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier that is d
configured fixed data drives formatted with the FAT file system can be unlocked on computers running Windows Server 2008 Windows Vi
cted fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Group Pol
a to the drive.If you enable this policy setting you can specify additional options that control whether BitLocker software-based encryption
rement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration
quire use of smart cards on fixed data drives" check box.Note: These settings are enforced when turning on BitLocker not when unlocking
ou disable or do not configure this policy setting all fixed data drives on the computer will be mounted with read and write access.
rypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is e
t startup" policy on compliant hardware.If you enable this policy setting users on InstantGo and HSTI compliant devices will have the choic
ew BitLocker startup PINs set will be enhanced PINs.Note: Not all computers may support enhanced PINs in the pre-boot environment. It
this policy clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors.To use a N
bility for managing pre-boot configuration than legacy BitLocker integrity checks.If you enable or do not configure this policy setting BitLoc
ent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from the Pu
quire a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy setting users
key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default message you
setting before turning on BitLocker you can configure the boot components that the TPM will validate before unlocking access to the BitLo
olicy only applies to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (CSM) e
olicy only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Ser
g of data to the drive.If you enable this policy setting you can specify additional options that control whether BitLocker software-based enc
omplexity requirement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in Comput
or passwords.If you disable or do not configure this policy setting standard users will be permitted to change BitLocker PINs and passwords
n such as a PIN or Password.If you enable this policy setting devices must have an alternative means of pre-boot input (such as an attached
tions can be required at startup otherwise a policy error occurs.If you want to use BitLocker on a computer without a TPM select the "Allow
s Server 2008 or Windows Vista.On a computer with a compatible Trusted Platform Module (TPM) two authentication methods can be use
tion data will not be refreshed when Windows is started following BitLocker recovery.If you do not configure this policy setting platform v
ault BCD profile used by Windows 7.If you do not configure this policy setting the computer will verify the default Windows BCD settings. N
or not configured removable data drives formatted with the FAT file system can be unlocked on computers running Windows Server 2008
protected removable data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either th
of data to the drive.If you enable this policy setting you can specify additional options that control whether BitLocker software-based encr
oup Policy setting "Password must meet complexity requirements" located in Computer Configuration\Windows Settings\Security Settings
equire use of smart cards on removable data drives" check box.Note: These settings are enforced when turning on BitLocker not when un
" to permit the user to run the BitLocker setup wizard on a removable data drive. Choose "Allow users to suspend and decrypt BitLocker on
and write access.If the "Deny write access to devices configured in another organization" option is selected only drives with identification
ote: If you disable or do not configure this policy setting but enable the "Computer Configuration\Administrative Templates\Windows Com
e cloud optimized content.
s may see suggestions from Microsoft and notifications about their Microsoft account.Note: This setting only applies to Enterprise and Edu
n it always on or off except for manual launch too.
word reveal button will be displayed after a user types a password in the password entry text box.By default the password reveal button is
layed so the user can choose one and enter the correct password.If you disable this policy setting users will always be required to type a u
f you enable this policy setting users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path m
egistered in Azure AD for this policy to succeed.If you disable or don't configure this policy setting Microsoft will be the controller of Wind
ou disable or do not configure this policy setting diagnostic data from this device will not be processed by Desktop Analytics.
part of Windows and does not apply to any additional apps installed by your organization. - Diagnostic data off (not recommended). Usin
If you disable or do not configure this policy setting diagnostic data from this device will not be processed by Update Compliance.
essed by Windows Update for Business cloud.. If you disable or do not configure this policy setting diagnostic data from this device w
proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from automati
a Secure Sockets Layer (SSL) connection. If the named proxy fails or if you disable or do not configure this policy setting Connected User Ex
setting to "Enable diagnostic data change notifications" or don't configure this policy setting diagnostic data opt-in change notifications ap
settings" end users can change the device diagnostic settings in the Settings app.Note:To set a limit on the amount of diagnostic data that
osoft as part of the onboarding process for the program.
ue for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this p
configure this policy setting the Delete diagnostic data button will be enabled in Settings page which allows people to erase all diagnostic d
the device.If you disable or don't configure this policy setting the Diagnostic Data Viewer will be enabled in Settings page.
ngs from the OneSettings service.
ndows Feedback app asking users for feedback.Note: If you disable or do not configure this policy setting users can control how often they
EventLog channel.If you disable or don't configure this policy setting Windows will not record attempts to download configuration settings
u disable or do not configure this policy setting we may occasionally collect diagnostic logs if the device has been configured to send option
ode triage dumps.If you disable or do not configure this policy setting we may occasionally collect full or heap dumps if the user has opted
diagnostic data" 3. Enable the "Limit Dump Collection" policy 4. Enable the "Limit Diagnostic Log Collection" policyWhen these policies
ngs.If you disable this policy setting Windows Insider Program settings will be unavailable to users through the Settings app.This policy is on
-limited"; The cloud service set default value will be used.
overrides the Cache Server Hostname policy if configured.
waiting for peer sources will appear to be stuck for the end user.The recommended value is 1 hour (3600).
oad that is waiting for peer sources will appear to be stuck for the end user.The recommended value is 1 minute (60).
n devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected peering will cross NATs. T
ntication of identity.
s set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode this policy will be ignored.For option 3
gned gadgets will be extracted.The default is for Windows to extract both signed and unsigned gadgets.
e if desktop composition is turned on. When Windows Flip 3D is activated with the Windows+Tab keys a visual version of the desktop is pr
equires a logoff for it to be applied.
tion. However setting the accent will have no effect.
in conjunction with the "Specify a default color for window frames" policy setting to enforce a specific color for window frames that canno
if the user does not specify a color. Note: This policy setting can be used in conjunction with the "Prevent color changes of window frame
tory Device Registration Overview.http://go.microsoft.com/fwlink/?LinkId=307136

ot run.If you disable or do not configure this setting Digital Locker can be run.
u disable or do not configure this policy setting forwarder resource usage is not specified.This setting applies across all subscriptions for the
cs.Use the following syntax when using the HTTPS protocol:Server=https://<FQDN of the collector>:5986/wsman/SubscriptionManager/W
file is then started.If you disable this policy setting and the "Retain old events" policy setting is enabled new events are discarded and old e
ices can write read or clear this log.Note: If you enable this policy setting some tools and APIs may ignore it. The same change should be m
descriptor can access the log.If you disable this policy setting all authenticated users and system services can write read or clear this log.If y
e old events.Note: Old events may or may not be retained according to the "Backup log automatically when full"Â policy setting.
uses the folder %SYSTEMROOT%\System32\winevt\Logs.
ze of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Properties d
olicy setting only those users whose security descriptor matches the configured specified value can access the log.If you disable or do not
disable this policy setting only system software and administrators can read or clear this log.If you do not configure this policy setting the
m size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Propertie
ices can write read or clear this log.Note: If you enable this policy setting some tools and APIs may ignore it. The same change should be m
descriptor can access the log.If you disable this policy setting all authenticated users and system services can write read or clear this log.If y
atches the configured value can access the log.If you disable or do not configure this policy setting only system software and administrator
can write or clear this log and any authenticated user can read events from it.If you do not configure this policy setting the previous policy
e public key you provide. You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages provided that y
.Note: Allowing the use of remote paths in file shortcut icons can expose usersâ€™ computers to security risks.
net and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious.Some information is se
fined properties and properties stored in NTFS secondary streams.
ain all programs installed in the same manner as it was on the machine on which the user had last logged on unexpected behavior could o
tion has been installed that can handle the file type or protocol association that was invoked.
y logon the policy settings are verified and Libraries for the user are updated or changed according to the path defined.If you disable or do
ocumentation on TechNet.If this group policy is enabled and the client machine is domain-joined the file will be processed and default asso
onfigure this policy setting users will be able to choose whether they want hibernate to show through the Power Options Control Panel.
rough the Power Options Control Panel.
policy setting users will be able to choose whether they want sleep to show through the Power Options Control Panel.
cy setting users can choose how the ribbon appears when they open new windows.
names by increasing number value (for example 3 < 22 < 111).

plications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in the pro
ew and old locations point to the same network share. If both new and old locations point to the same share the target path is updated an
st and restore previous versions of files on local disks.If you do not configure this policy setting it defaults to disabled.
previous versions of files on file shares.If you do not configure this policy setting it is disabled by default.
d can see only previous versions corresponding to on-disk restore points.If you disable this policy setting users can see previous versions c
Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button Windows attempts to
g to a backup.If you disable this policy setting the Restore button remains active for a previous version corresponding to a backup. If the R
setting the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore button
to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each use of t
ot configure this policy setting users can add computers to a homegroup. However data on a domain-joined computer is not shared with t
search providers but only from the set of search providers specified in the list of policy keys for search providers (found under [HKCU or HK
up in the Internet Explorer mode context menu.For more information see https://go.microsoft.com/fwlink/?linkid=2102115
wn.If you disable or do not configure this policy setting OnUnLoad script handlers do not display UI during shutdown (default behavior in In
dition users won't be able to change the Suggestions setting on the Settings charm.If you disable this policy setting users won't receive enh
ternet Explorer 9.In Internet Explorer 9 add-ons are defined as toolbars Browser Helper Objects or Explorer bars. ActiveX controls are refer
th the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed the following behaviors oc
ernet Explorer sends the current Internet Explorer version in the User Agent header (for example "MSIE 7.0").
nt when visiting a Web site that uses that component.This policy is intended to help the administrator control which components the user
matic configuration. You can import your current connection settings from your machine using Internet Explorer Maintenance under Admin
ated in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) you do not need t
ges. The user cannot set custom default secondary home pages.If you disable or do not configure this policy setting the user can add seco
ws the user to import favorites feeds and cookies from a file. Exporting settings to a file allows the user to export favorites feeds and cooki
11 to Microsoft Edge Stable Channel browser.- Overrides any other policies that redirect to Internet Explorer 11.If you disable or donâ€™t
orer checks every 30 days by default and then notifies users if a new version is available.This policy is intended to help the administrator m
not be notified if their programs are updated using Software Distribution Channels.If you disable this policy or do not configure it users wil
will be available to the user.
nded hotkeys will not work in Internet Explorer mode.For more information see https://go.microsoft.com/fwlink/?linkid=2102115
tools viewing a history of visited pages printing and accessing email and newsgroups. The menu bar contains menus that open lists of com
nfigure this policy users can turn on or turn off automatic updates from the About Internet Explorer dialog.Note: This policy is deprecated
orer 11. The only exceptions are sites listed in your Enterprise Mode Site List.If you disable or donâ€™t configure this policy all intranet sit
n see and use the Enterprise Mode option from the Tools menu. If you turn this setting on but don't specify a report location Enterprise Mo
site discovery. This policy can be used in conjunction with other policies controlling sites included in Site Discovery.To configure the doma
discovery. This policy can be used in conjunction with other policies controlling sites included in Site Discovery.To configure zone(s) includ
d to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user.
name is allowed so www.contoso.com is valid but not http://www.contoso.com. Wildcards are allowed so *.contoso.com is also valid.If y
ng is enabled the "Fix settings" command on the Notification bar shortcut menu should be disabled.
m the Settings charm (starting with Internet Explorer 10 on Windows 8).If you disable or do not configure this policy setting the Internet Ex
policy setting SmartScreen Filter warnings block the user.If you disable or do not configure this policy setting the user can bypass SmartScr
ot configure this policy setting the user can bypass SmartScreen Filter warnings.
el by importing Privacy settings from your computer under Internet Explorer Maintenance.If you disable or do not configure this policy setti
â€¢ Open in an existing Internet Explorer window. If tabbed browsing is enabled a new tab is created in this scenario. â€¢ Open a new In
ground by pressing Ctrl+Shift+Select or open the tabs in the foreground by pressing Ctrl+Shift+Select.If you disable or do not configure this
tting the Search box appears by default in the Internet Explorer frame.Note: If you enable this policy setting Internet Explorer does not enu
e: You can allow a default list of sites that can open pop-up windows regardless of the Internet Explorer process's Pop-Up Blocker settings b
All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.If you disable or d
ter uses: manual automatic or off.If you select manual mode the phishing filter performs only local analysis and the user is prompted to pe
e in the CEIP and the Customer Feedback Options command does not appear on the Help menu.If you do not configure this policy setting
the First Run wizard and go directly to the "Welcome to Internet Explorer" webpage.Starting with Windows 8 the "Welcome to Internet E
y toolbars or in Setup but the user can also add them from a search provider's website.If you enable this policy setting the user cannot con
urity tab and then click the Sites button.)If you disable this policy or do not configure it users can add Web sites to or remove sites from th
e the settings for security zones.This policy prevents users from changing security zone settings established by the administrator.Note: Th
can establish their own security zone settings.This policy is intended to ensure that security zone settings apply uniformly to the same com
te in the Enterprise Mode Site List.Enabling this setting automatically opens all sites not included in the Enterprise Mode Site List in Micros
llows the tab process to grow very quickly and is intended only for computers that have ample physical memory. The default setting creat
th Enterprise Mode.If you disable or don't configure this setting the default app behavior occurs and no additional page appears.
nfigure this policy setting the user can select his or her preference for this behavior.
ding per-user controls are installed through the standard installation process.
his policy setting the ActiveX Opt-In prompt does not appear. Internet Explorer does not ask the user for permission to load an ActiveX con
ns dialog box displays the load time for each group of add-ons enabled in the browser. It allows the user to disable add-ons and configure t
fter a program stops responding.
y setting browser geolocation support can be turned on or off in Internet Options on the Privacy tab.
e pop-up windows to open in new windows. 2: Force pop-up windows to open on new tabs.If you disable or do not configure this policy
ng continue to apply.If you disable or do not configure this policy setting the crash detection feature for add-on management will be functi
must specify which mode the SmartScreen Filter uses: on or off.All website addresses that are not on the filter's allow list are sent automati
MSHTML respond to user input that causes the content to be re-rendered at a scaled size.
ws will continue to function as they did in Windows XP Service Pack 1 or earlier although windows launched off screen will continue to be r
Session feature.
at offer suggestions.
the user cannot turn them on.If you disable this policy setting tabbed browsing and related entry points appear on the user interface for In
ser will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting.If you do
Search box the quick pick menu appears.
ctiveX Filtering although they may add per-site exceptions.If you disable or do not configure this policy setting ActiveX Filtering is not enab
e this policy setting the user cannot log information that is blocked by new Internet Explorer features. The user cannot turn on logging.If y
and the user cannot turn it on.If you do not configure this policy setting the menu bar is turned off by default. The user can turn on or turn
the WMI class. Enabling or disabling this setting will not impact other output methods available for the SDTK.
will not impact other output methods available for the SDTK.
s. The userâ€™s browsing history is sent to Microsoft to produce suggestions.If you disable this policy setting the entry points and function
s\Microsoft\Internet Explorer\Main\EnterpriseMode) opening all listed websites using Enterprise Mode IE.If you disable or don't configure
tors should not overlap.If you disable or do not configure this policy setting the user has Accelerators that are provided through first use o
elerators should not overlap.If you disable or do not configure this policy setting the user has Accelerators that are provided through first u
tting the user can access any Accelerators that he or she has installed.
ation. This means that if the zone behavior is currently set to prompt it will be bypassed and enabled.If you disable this policy setting the u
rnet Explorer process performs a Clipboard operation. In the Internet Explorer process if the zone behavior is currently set to prompt it wi
rer process" policy. If the "Bypass prompting for Clipboard access for scripts running in any process" policy setting is enabled the processe
er will not be available. Starting with Windows 8 the Print flyout for Internet Explorer will not be available and users will not see printers u
alog box.If you disable or do not configure this policy setting the menu options will be available.
in Compatibility View.If you disable this policy setting the Microsoft-provided website lists are not used. Additionally the user cannot activ
olicy setting the user can use the Compatibility View button and manage the Compatibility View sites list.
cy setting the user can use the Compatibility View button.
you enable this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended). Addition
Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behavior thro
emove sites from the list.
additional string appended). Additionally webpages included in this list appear in Quirks Mode.
cannot specify the download path for the code. You must specify the download path.If you disable or do not configure this policy setting t
etting deleting browsing history on exit is turned on.If you disable this policy setting deleting browsing history on exit is turned off.If you d
olicy setting a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must specify the
story dialog box. Starting with Windows 8 users cannot click the Delete Browsing History button on the Settings charm.If you disable or do
on the Personalized Tracking Protection List which blocks third-party items while the user is browsing.With at least Internet Explorer 11:Th
etting the user can choose whether to delete or preserve cookies when he or she clicks Delete.If the "Prevent access to Delete Browsing H
.If you do not configure this policy setting the user can choose whether to delete or preserve download history when he or she clicks Dele
o not configure this policy setting the user can choose whether to delete or preserve favorites site data when he or she clicks Delete.If the
cy setting the user can choose whether to delete or preserve form data when he or she clicks Delete.If the "Prevent access to Delete Brow
sing History dialog box.If you enable this policy setting InPrivate Filtering data is preserved when the user clicks Delete.If you disable this p
olicy setting the user can choose whether to delete or preserve passwords when he or she clicks Delete.If the "Prevent access to Delete Br
clicks Delete.If you do not configure this policy setting the user can choose whether to delete or preserve temporary Internet files when h
he user has visited are deleted when he or she clicks Delete.If you do not configure this policy setting the user can choose whether to delet
u disable or do not configure this policy setting users will be able to delete temporary Internet files and cookies.
his policy you do not need to set the "Disable changing Advanced page settings" policy (located in \User Configuration\Administrative Tem
e following policies for the Content tab because this policy removes the Connections tab from the interface:"Disable Internet Connection W
et this policy you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrative Templates\Win
et the following policies for the Programs tab because this policy removes the Programs tab from the interface:"Disable changing Messagi
u set this policy you do not need to set the following Internet Explorer policies because this policy removes the Security tab from the inter
gure this policy setting the user can choose to ignore certificate errors and continue browsing.
e sent: 0) Unicode domain names are never converted to IDN format. 1) Unicode domain names are converted to IDN format only for a
user's code page. This behavior matches the behavior of Internet Explorer 6 and earlier. The user can change this behavior on the Internet
this policy users can choose whether to be prompted before running active content on a CD.
xplorer components will be automatically installed as necessary.If you disable this policy setting users will be prompted when non-Interne
panese Language Pack component if it is not already installed.If you enable this policy setting Web components such as fonts will be autom
nternet Explorer won't use the HTTP2 network protocol.If you don't configure this policy setting users can turn this behavior on or off usin
his policy setting Internet Explorer won't use the SPDY/3 network protocol.If you don't configure this policy setting users can turn this beh
files with an invalid signature.If you disable this policy setting users cannot run or install files with an invalid signature.If you do not configu
matically launches any browser helper objects that are installed on the user's computer.If you disable this policy setting browser helper ob
cy setting Internet Explorer only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode is used
the Internet for a new version approximately every 30 days and prompts the user to download new versions when they are available.If yo
ble this policy setting Internet Explorer will check to see if server certificates have been revoked.If you disable this policy setting Internet Ex
he digital signatures of executable programs and display their identities before downloading them to user computers.If you disable this po
run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced Protect
t Explorer Settings.If you disable or do not configure this policy setting the user can use Reset Internet Explorer Settings.
secure (HTTPS) information to the cache.If you disable this policy setting Internet Explorer will save encrypted pages containing secure (H
e.If you enable this policy setting Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all browser
ontent.If you disable this policy setting Internet Explorer will not play or download animated pictures helping pages display more quickly.If
isable this policy setting Internet Explorer will not play or download sounds in Web content helping pages display more quickly.If you enab
e this policy setting Internet Explorer will not play or download videos helping pages display more quickly.If you do not configure this policy
ure this policy setting applications that host MSHTML render text by using the Microsoft ClearType rendering engine.
ation with the target server the browser and server negotiate which protocol and version to use. The browser and server attempt to matc
nt in the background.If you disable this policy setting Internet Explorer preemptively loads websites and content in the background.If you d
ant information users will be prompted to choose which information to share. At that time users can also choose to allow this information
Only encode query strings for URLs that aren't in the Intranet zone. 2) Only encode query strings for URLs that are in the Intranet zone.
tting flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.If you disable this policy setting fl
ed.If you enable this policy setting Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on 64-bit
ticularly useful to users who do not use a mouse.If you enable this policy setting Caret Browsing is turned on.If you disable this policy setti
olicy setting Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected Mode.
e this policy setting users can configure Internet Explorer to use or not use HTTP 1.1 through proxy connections.
e this policy setting Internet Explorer does not display the Content Advisor setting on the Content tab of the Internet Options dialog box.N
starts a new browsing session with the tabs from the last browsing session. Users cannot change this option to start with the home page.
websites will not be able to store application caches on client computers. Allow website database and caches on Website Data Settings will
ng websites will not be able to store an indexed database on client computers. Allow website database and caches on Website Data Settin
n Internet Explorer sends an error to the website. No notification will be displayed to the user. This group policy sets the maximum file sto
xplorer will remove application caches that haven't been used within the timeframe set in this policy setting.If you disable or do not config
not configure this policy setting users can set default data storage limits for indexed databases and application caches.
ain Internet Explorer sends an error to the website. No notification is sent to the user. This group policy sets the maximum data storage lim
cy setting you provide the resource size limit in MB. The default is 50 MB.If you enable this policy setting Internet Explorer will allow the cr
e website. No notification will be displayed to the user. When you set this policy setting you provide the resource limit as a number. The de
he default maximum storage limit for all application caches is 1 GB.If you enable this policy setting you can set the maximum storage limit
uter. The default maximum storage limit for all indexed databases is 4 GB.If you enable this policy setting you can set the maximum storag
defaults.If you disable this template policy setting no security level is configured.If you do not configure this template policy setting no sec
ch are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone).If you
ere).If you do not configure this policy setting users choose whether network paths are mapped into the Intranet Zone.
the Intranet Zone (other rules might map one there).If you do not configure this policy setting users choose whether sites which bypass th
nes. They are: (1) Intranet zone (2) Trusted Sites zone (3) Internet zone and (4) Restricted Sites zone. Security settings can be set for each o
matic detection of the intranet is turned off and intranet mapping rules are applied however they are configured.If this policy setting is no
y setting the certificate address mismatch warning always appears.If you disable or do not configure this policy setting the user can choose
the user browses to a page that loads content from an intranet site.If you disable this policy setting a Notification bar notification does no
ou select Prompt in the drop-down box users are queried to choose whether to allow a page to be loaded in the zone that uses MSXML or
licy.If you enable this policy setting no Intranet Zone content accessed is affected even for protocols on the restricted list. If you select Pro
policy setting script code on pages in the zone is prevented from running.If you do not configure this policy setting script code on pages in
ors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.If you disable this policy setting
tions.If you disable this policy setting a script cannot perform a clipboard operation.If you do not configure this policy setting a script can p
files from this zone.If you disable this policy setting users are prevented from dragging files or copying and pasting files from this zone.If y
tting files are prevented from being downloaded from the zone. If you do not configure this policy setting files can be downloaded from th
ble this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting HTML fonts can be download
op items from this zone.If you disable this policy setting users are prevented from installing desktop items from this zone.If you do not con
tting and set the drop-down box to Enable XBAPs are automatically loaded inside Internet Explorer. The user cannot change this behavior
set the drop-down box to Enable XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavior. If you
The user cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XPS files.If you disable this
g can be redirected to another Web page.If you disable this policy setting a user's browser that loads a page containing an active Meta Ref
un from the current site or from all sites.If you disable this policy setting the user does not see the per-site ActiveX prompt and ActiveX co
e this policy setting users can perform OpenSearch queries in this zone using Search Connectors.If you disable this policy setting users are
n the File Explorer) it might affect other items as well that are marked from this zone. For example some application-specific items such as
can enable or disable script access to the WebBrowser control. By default script access to the WebBrowser control is allowed only in the Lo
le this policy setting the possible harmful actions contained in script-initiated pop-up windows and windows that include the title and statu
selected Disable in the drop-down box VBScript is prevented from running.If you do not configure or disable this policy setting VBScript is
net Explorer 8 this policy setting controls HTML+TIME media elements that refer to audio and video files.If you enable this policy setting vid
er windows that have no status bar or Address bar.If you do not configure this policy setting the user can choose whether websites can op
ble or disable the Notification bar behavior.
otification bar. Users can click on the Notification bar to allow the ActiveX control prompt.If you do not configure this policy setting ActiveX
gure this setting file downloads that are not user-initiated will be blocked and users will see the Notification bar instead of the file downlo
formation message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonsecure co
rtificate.If you disable this policy setting Internet Explorer prompts users with a "Client Authentication" message when they connect to a W
policy setting Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX contro
o aren't trusted. Code signed by trusted publishers is silently downloaded.If you disable the policy setting signed controls cannot be downl
box users are queried to choose whether to allow the unsigned control to run.If you disable this policy setting users cannot run unsigned
windows. Users cannot change this setting.If you enable this policy setting and click Disable users cannot drag content from one domain t
window. Users cannot change this setting.If you enable this policy setting and click Disable users cannot drag content from one domain to
e will run without the added layer of security provided by this feature.If you disable this policy setting the actions that may be harmful can
you enable this policy setting path information is sent when the user is uploading a file via an HTML form.If you disable this policy setting p
s both unsafe and safe controls to be initialized and scripted ignoring the Script ActiveX controls marked safe for scripting option.If you en
memory outside of which the program cannot make calls) plus capabilities like scratch space (a safe and secure storage area on the client
ect Prompt in the drop-down box users are queried to choose whether to run applications and download files from IFRAMEs on the pages
query users for user IDs and passwords. After a user is queried these values can be used silently for the remainder of the session.Automati
whether to allow windows and frames to access applications from other domains.If you disable this policy setting users cannot open wind
an choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options dialog box
net Explorer will execute unsigned managed components. If you select Prompt in the drop-down box Internet Explorer will prompt the use
xplorer will execute signed managed components. If you select Prompt in the drop-down box Internet Explorer will prompt the user to de
n to run.If you disable this policy setting controls and plug-ins are prevented from running.If you do not configure this policy setting contro
on.If you disable this policy setting script interaction is prevented from occurring.If you do not configure this policy setting script interactio
his policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts can access applets automa
thout a security warning. If you set the drop-down box to Prompt a security warning appears before the files open.If you disable this polic
packages to be automatically installed on users' computers.Medium safety to allow users to be notified of software updates by e-mail and
e can be submitted automatically. If you select Prompt in the drop-down box users are queried to choose whether to allow information u
oper tools. It includes the new managed code APIs for Windows.If you enable this policy setting .NET Framework Setup is turned off. The u
tting the first-run prompt is turned off in the corresponding zone.If you disable this policy setting the first-run prompt is turned on in the co
XSS Filter is turned off for sites in this zone and Internet Explorer permits cross-site script injections.
cted Mode.If you disable this policy setting Protected Mode is turned off. The user cannot turn on Protected Mode.If you do not configure
ure this policy setting the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.Note: In Internet Exp
evented from appearing.If you do not configure this policy setting most unwanted pop-up windows are prevented from appearing.
tting users can preserve information in the browser's history in favorites in an XML store or directly within a Web page saved to disk.If you d
hat is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box a warning is issued to th
selected Disable in the drop-down box VBScript is prevented from running.If you do not configure or disable this policy setting VBScript w
otification bar. Users can click on the Notification bar to allow the ActiveX control prompt.If you do not configure this policy setting users w
gure this setting users will receive a file download dialog for automatic download attempts.
evented from appearing.If you do not configure this policy setting pop-up windows are not prevented from appearing.
is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box a warning is issued to the u
policy setting script code on pages in the zone is prevented from running.If you do not configure this policy setting users are queried to cho
selected Disable in the drop-down box VBScript is prevented from running.If you do not configure or disable this policy setting users are a
tions.If you disable this policy setting a script cannot perform a clipboard operation.If you do not configure this policy setting a script cann
tting files are prevented from being downloaded from the zone. If you do not configure this policy setting files are prevented from being d
ble this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting users are queried whether to
are queried whether to allow additional windows and frames to access applications from other domains.If you disable this policy setting u
his policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts are prevented from accessi
kdown policy.If you enable this policy setting no Trusted Sites Zone content accessed is affected even for protocols on the restricted list. If
tions.If you disable this policy setting a script cannot perform a clipboard operation.If you do not configure this policy setting a script cann
tting files are prevented from being downloaded from the zone. If you do not configure this policy setting files are prevented from being d
ble this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting users are queried whether to
are queried whether to allow additional windows and frames to access applications from other domains.If you disable this policy setting u
his policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts are prevented from accessi
et Explorer tiles are opened.
his policy setting users can choose how links are opened in Internet Explorer.
tly to an intranet site for a one-word entry in the Address bar.
be shown.If you do not configure this policy setting the button to open Microsoft Edge from Internet Explorer can be configured by the us
number detection is turned on. Users won't be able to modify this setting.If you don't configure this policy setting users can turn this beh
o not configure this policy setting the user can change the "Enable alternative codecs in HTML5 media elements" setting on the Advanced t
ress bar for searches. The user can still perform searches on the Search bar by clicking the Search button. â€¢ Display the results in the m
e main window. â€¢ Enable top result search: When a user performs a search in the Address bar the user is directed to an external top re
rned off. Users will not be able to turn on URL Suggestions.If you disable this policy setting URL Suggestions will be turned on. Users will no
ess bar.If you enable this policy setting Internet Explorer does not use Windows Search AutoComplete for providing relevant results in the
g allows you to specify the URL to update the browser security setting.If you enable this policy setting the user cannot specify the cipher s
nfigure this policy setting the user can change the URL that is displayed for checking updates to Internet Explorer and Internet Tools.
browsing. However doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30.If you enable this
's browsing. However doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30.If you enable th
policy setting toolbars and BHOs are not loaded by default during an InPrivate Browsing session.If you disable this policy setting toolbars an
nPrivate Filtering data collection is turned off.If you disable this policy setting InPrivate Filtering collection is turned on.If you do not config
cy setting InPrivate Browsing is available for use.If you do not configure this policy setting InPrivate Browsing can be turned on or off throu
visited.If you enable this policy setting InPrivate Filtering is turned off in all browsing sessions and InPrivate Filtering data is not collected.If
have visited.If you enable this policy setting Tracking Protection is disabled in all browsing sessions and Tracking Protection data is not colle
affect which security protocols are enabled.If you disable this policy system defaults will be used.
e this policy setting the reveal password button will be hidden for all password fields. Users and developers will not be able to depend on t
function.If you disable or do not configure this policy setting Internet Explorer uses the SetProcessDEPPolicy function to turn on Data Exec
ble this policy setting Data URI support is turned off. Without Data URI support a Data URI will be interpreted as a failed URL.If you disable
th the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting which defines whether add-ons not listed here are ass
d policy settings.If you enable this policy setting all processes will respect add-on management user preferences and policy settings.If you
ges.By default the 'Add-on List' policy setting defines a list of add-ons to be allowed or denied through Group Policy. However users can sti
pport for these user preferences and policy settings to specific processes listed in the process list.If you enable this policy setting and enter
ntrol.If you disable or don't configure this policy setting users will see the "Run this time" button on the warning message that appears whe
continues to block specific outdated ActiveX controls.For more information see "Outdated ActiveX Controls" in the Internet Explorer Tech
Internet Explorer. Each domain entry must be formatted like one of the following:1. "domain.name.TLD". For example if you want to inclu
Internet Explorer won't log ActiveX control information.Note that you can turn this policy setting on or off regardless of the "Turn off bloc
n choose to run natively implemented scriptable XMLHTTP.
lorer uses the default connection limit for HTTP 1.1 (6 connections per host).In versions of Internet Explorer before Internet Explorer 8 the
Explorer prior to Internet Explorer 8 the default connection limit for HTTP 1.0 was 4.
icy setting Internet Explorer uses the default limit of 6 WebSocket connections per server.
ta across third-party domains embedded in the page.
rer 10. Also this policy setting does not prevent a site from requesting cross-domain data through a server.If you enable this policy setting
data through a server.If you enable this policy setting websites cannot request data across domains by using the XDomainRequest object.If
havior on a page.)If you enable this policy setting this sets the list of behaviors permitted in each zone for which Script and Binary Behavio
nted for all processes. Any use of binary behaviors for HTML rendering is blocked.If you disable or do not configure this policy setting bina
icy setting Internet Explorer 9 installs binaries signed by MD2 and MD4 signing technologies.If you disable or do not configure this policy s
nted for the File Explorer and Internet Explorer processes.If you disable this policy setting binary behaviors are allowed for the File Explore
tions for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 binary be
file is text/plain but the MIME sniff indicates that the file is really an executable file Internet Explorer renames the file by saving it in the In
ocal files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malicious HT
ocal files and content processed by Internet Explorer. This feature helps to mitigate attacks where the Local Machine zone is used as an att
o all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malicio
is disabled for all processes.
allow a MIME sniff promoting a file of one type to a more dangerous file type.If you do not configure this policy setting MIME sniffing will n
alue of 1 this protection will be in effect. If you enter a Value of 0 any file may be promoted to more dangerous file types. The Value Name
the MK Protocol is enabled.
s policy setting applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and Internet
d enter a Value of 1 use of the MK protocol is prevented. If you enter a Value of 0 use of the MK protocol is allowed. If a Value Name is em
restricted protocols is allowed for all processes other than File Explorer or Internet Explorer.If you disable this policy setting restricting con
obtained through restricted protocols is allowed for File Explorer and Internet Explorer processes. For example you can restrict active cont
hich they want restricting content obtained through restricted protocols to be prevented or allowed.If you enable this policy setting and en
processes which have opted in to the security restriction.If you enable this policy setting for a zone this sets the list of protocols to be rest
es for which the Notification bar is displayed by default). If you enable this policy setting the Notification bar will be displayed for all proces
esses.If you disable this policy setting the Notification bar will not be displayed for Internet Explorer processes.If you do not configure this
isplayed by default).If you enable this policy setting and enter a Value of 1 the Notification bar is displayed. If you enter a Value of 0 the N
ng object reference is retained when navigating within or across domains in the Restricted Zone sites.
an object reference is retained when navigating within or across domains for Internet Explorer processes.If you do not configure this polic
e of 1 references to objects are inaccessible after navigation. If you enter a Value of 0 references to objects are still accessible after navigati
achine security zone a prime target for malicious users.If you enable this policy setting any zone can be protected from zone elevation for
ne a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.If you enable this pol
ity zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.This policy setti
he Web Browser Control will not block automatic prompting of ActiveX control installation for all processes.
or Internet Explorer processes.If you do not configure this policy setting the user's preference will be used to determine whether to block
tion is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is igno
setting the Web Browser Control will not block automatic prompting of file downloads that are not user initiated for all processes.
net Explorer processes.If you do not configure this policy setting the user's preference determines whether to prompt for file downloads th
tiated file downloads is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the pol
s bars.If you enable this policy setting scripted windows are restricted for all processes.If you disable or do not configure this policy setting
s bars.If you enable this policy setting popup windows and other restrictions apply for File Explorer and Internet Explorer processes.If you
s bars.This policy setting allows administrators to define applications for which they want this security feature to be prevented or allowed.
ons are displayed:Show all text labels: All command buttons have only text.Show selective text: Some command buttons have only text; s
shown by default and the user can choose to hide it.

t and the user can choose to hide it.
y default but the user can unlock them through the shortcut menu of the Command bar.
ress bar and the user cannot move them.If you do not configure this policy setting the Stop and Refresh buttons are next to the Address ba
Browser Helper Objects that are enabled or disabled via policy settings do not undergo this check.If you enable this policy setting the toolb
20 pixels).If you do not configure this policy setting icons for command buttons are 16 x 16 pixels and the user can make them bigger (20
hat require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. Enabling this setting will not h
s computer will not be prevented from using location information from the location feature.
policy setting all programs on this computer can use the Windows Location Provider feature.
tenance/Automatic Maintenance Control Panel. If you disable or do not configure this policy setting the daily scheduled time as speci
rom its Activation Boundary by upto this time. If you do not configure this policy setting 4 hour random delay will be applied to Autom
effect. If you enable this policy setting Automatic Maintenance will attempt to set OS wake policy and make a wake request for the da
data is determined by a registry setting that the user can change using Windows Settings.
do not configure this policy setting the Offline Maps setting page may generate network traffic.
will be disabled for all users. It will not unenroll existing MDM enrollments.If you disable this policy setting MDM Enrollment will be enabl
for enrollment to succeed. If you do not configure this policy setting automatic MDM enrollment will not be initiated. If you e
ded. However any application or service that has already authenticated a user will not be affected by enabling this setting until the authen
ntispyware security intelligence is disabled. If you disable or do not configure this setting the antimalware service will be stopped when b
will load as a low priority task.
blocked. -Audit Mode: Potentially unwanted software will not be blocked however if this feature would have blocked access if it were
he local administrator will be merged into the resulting effective policy. In the case of conflicts Group policy Settings will override preferen
tting the proxy server will not be bypassed for the specified addresses.
rver (if specified) 2. Proxy .pac URL (if specified) 3. None 4. Internet Explorer proxy settings 5. Autodetect If you enable this s
specified) 2. Proxy .pac URL (if specified) 3. None 4. Internet Explorer proxy settings 5. Autodetect If you enable this setting t
pport logs files will not be copied to any location.
l machines from undertaking a disk-intensive operation at the same time. If you enable or do not configure this setting scheduled tasks w
antivirus product. If you do not configure this policy setting Windows will internally manage Microsoft Defender Antivirus. If you install an
etting Microsoft Defender Antivirus does not automatically take action on the detected threats but prompts users to choose from the actio
Longer strings will be truncated before display. If you enable this setting the additional text specified will be displayed. If you disable o
obj" or "lib"). The value is not used and it is recommended that this be set to 0.
ully qualified resource name. As an example a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified
t be listed as a name value pair where the name should be a string representation of the path to the process image. Note that only execut
This can impact machine performance in some scenarios. Not configured: Same as Disabled.
ence setting.
abled â€“ The Block at First Sight setting is turned off. This feature requires these Group Policy settings to be set as follows: MAPS -> T
itional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include thin
rule will not be applied - Not Configured: the rule is enabled with default values - Warn: the rule will be applied and the end-user will h
e ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific folder
itional applications. Enabled: Specify additional allowed applications in the Options section.. Disabled: No additional applications w
still allowing the modification or deletion of files in protected folders. Microsoft Defender Antivirus automatically determines which ap
are protected is shown in Windows Security. Enabled: Specify additional folders that should be protected in the Options section. Disab
applications will not be able to access dangerous domains -Audit Mode: Users and applications can connect to dangerous domains howe
nfiguration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProtection will be igno
mple if the desired timeout is 60 seconds specify 50 seconds in this setting which will enable the extended cloud check feature and will raise
less frequency. For more information about specific values that are supported see the Microsoft Defender Antivirus documentation
ID to enable test security intelligence is defined as: â€œ{b54b6ac9-a737-498e-9120-6616ad3bf590}â€. The value is not used and it is rec
nfiguration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProtection will be igno
by a definition then that definition is "retired". If all security intelligence for a given protocal are retired then that protocol is no longer pa
figure this setting Group Policy will take priority over the local preference setting.
finitely and will not be automatically removed.
will take priority over the local preference setting.
e priority over the local preference setting.
e priority over the local preference setting.
ence setting.
al preference setting.
e appropriate configuration should be evaluated based on the server role. Note that this configuration is only honored for NTFS volumes
e actions on malware detections. If you disable or do not configure this policy setting Microsoft Defender Antivirus will prompt users to t
s setting a process scan will not be initiated when real-time protection is turned on.
olicy will take priority over the local preference setting.

Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never (default) If you enable this se
the scan is executing. If you enable this setting a scheduled full scan to complete remediation will run at the time of day specified. If y
tifications will not display on clients.
s setting a check for new security intelligence will occur before running a scan. If you disable this setting or do not configure this setting
ake priority over the local preference setting.
ence setting.
preference setting.
ence setting.
ority over the local preference setting.
uled scans. If you disable or do not configure this setting a catch-up scan will occur after the 2 consecutive missed scheduled scans.
setting removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.
nesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never (default) If you enable this setting a scheduled scan will run at the f
etting a quick scan will run at the interval specified. If you disable or do not configure this setting a quick scan will run at a default time.
setting archive files will be scanned to the default directory depth level.
tilization will not exceed the percentage specified. If you disable or do not configure this setting CPU utilization will not exceed the defau
scanned. If you disable or do not configure this setting archive files will be scanned according to the default value.
e computer where the scan is executing. If you enable this setting a daily quick scan will run at the time of day specified. If you disable
e computer where the scan is executing. If you enable this setting a scheduled scan will run at the time of day specified. If you disable o
cheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans a catch-up scan is started the next time
scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans a catch-up scan is started the next ti
ok Express) binhex (Mac). If you enable this setting e-mail scanning will be enabled. If you disable or do not configure this setting e-ma
enabled. If you disable this setting heuristics will be disabled.
u enable this setting items will be removed from the scan history folder after the number of days specified. If you disable or do not config
mmended state for this functionality. If you enable this setting reparse point scanning will be enabled. If you disable or do not configu
ur computer to join Microsoft MAPS for this functionality to work. If you enable this setting or do not configure the antimalware service w
e latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functio
f you disable or do not configure this setting security intelligence updates will be downloaded from the configured download source.
he computer is running on battery power.
urity intelligence will not occur after service startup.

list is empty by default. If you enable this setting the specified sources will be contacted for security intelligence updates. Once security
etting a catch-up security intelligence update will be required after the default number of days.
n the user interface. By default this value is set to 7 days. If you enable this setting spyware security intelligence will be considered out of
e user interface. By default this value is set to 7 days. If you enable this setting virus security intelligence will be considered out of date aft
MicrosoftUpdateServerâ€ â€œMMPCâ€ and â€œFileSharesâ€ For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServ
nce updates will not be initiated on startup when there is no antimalware engine present.
3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never If you enable this setting the check for secur
he interval specified. If you disable or do not configure this setting checks for security intelligence updates will occur at the default interv
utes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. If you enable thi
ation action that should be taken. Valid threat alert levels are: 1 = Low 2 = Medium 4 = High 5 = Severe Valid remediation action
ation action that should be taken. Valid remediation action values are: 2 = Quarantine 3 = Remove 6 = Ignore
Set-ProcessMitigation PowerShell cmdlet the ConvertTo-ProcessMitigationPolicy PowerShell cmdlet or directly in Windows Security.- Gen
Hello using a companion device.If you disable this policy users cannot use a companion device to authenticate with Windows Hello.
. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings s
do not configure this policy setting any defined values will be deleted.
not display an IT Contact link.If you do not configure this policy setting any defined values will be deleted.
gs for Windows apps.If you disable this policy setting the UE-V Agent will synchronize settings for Windows apps. If you do not configure th
will only take effect when UE-V service is re-enabled.
s.With this setting enabled the notification appears the first time that the UE-V Agent runs.With this setting disabled no notification appea
ttempt the synchronization. If you enable this policy setting the sync provider pings the settings storage location before synchronizing setti
ettings package file exceeds this threshold the UE-V Agent will write a warning event to the event log.If you disable or do not configure this
onment.
ed on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V Agent. T
g disabled the UE-V Agent does not synchronize settings over a metered connection.If you do not configure this policy setting any defined
ing.With this setting enabled the UE-V Agent synchronizes settings over a metered connection that is roaming.With this setting disabled th
ttings of all Windows apps not expressly disable in the Windows App List are synchronized.With this setting disabled only the settings of the
ngs. If you disable or do not configure this policy setting the default value of 2000 milliseconds is used.
dows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in information for c
electing Open or by double-clicking the icon. When this group policy setting is enabled the UE-V tray icon is visible the UE-V notifications di
ation is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting to register a VDI-
user settings of Microsoft Access 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Acc
user settings of Microsoft Access 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Acc
ntinue to synchronize. If you disable this policy setting Calculator user settings are excluded from the synchronization settings.If you do not
s the backup of specific common Microsoft Office Suite 2013 applications.If you enable this policy setting certain user settings which are co
s the backup of specific common Microsoft Office Suite 2016 applications.If you enable this policy setting certain user settings which are co
settings of Microsoft Excel 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Excel 201
settings of Microsoft Excel 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Excel 201
ertain user settings of Microsoft InfoPath 2013 will continue to be backed up.If you disable this policy setting certain user settings of Micro
the Internet Explorer 10 user settings continue to synchronize. If you disable this policy setting Internet Explorer 10 user settings are exclu
the Internet Explorer 11 user settings continue to synchronize.If you disable this policy setting Internet Explorer 11 user settings are exclud
e Internet Explorer 8 user settings continue to synchronize. If you disable this policy setting Internet Explorer 8 user settings are excluded f
e Internet Explorer 9 user settings continue to synchronize. If you disable this policy setting Internet Explorer 9 user settings are excluded f
rom synchronization between computers. If you enable this policy setting the user settings which are common between the versions of In
ettings of Microsoft Lync 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Lync 2013 w
ettings of Microsoft Lync 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Lync 2016 w
setting Microsoft Access 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Access 2010 user settings ar
etting Microsoft Access 2013 user settings continue to synchronize.If you disable this policy setting Microsoft Access 2013 user settings are
etting Microsoft Access 2016 user settings continue to synchronize.If you disable this policy setting Microsoft Access 2016 user settings are
ng Microsoft Excel 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Excel 2010 user settings are exclud
g Microsoft Excel 2013 user settings continue to synchronize.If you disable this policy setting Microsoft Excel 2013 user settings are exclud
g Microsoft Excel 2016 user settings continue to synchronize.If you disable this policy setting Microsoft Excel 2016 user settings are exclud
olicy setting Microsoft InfoPath 2010 user settings continue to synchronize.If you disable this policy setting Microsoft InfoPath 2010 user se
olicy setting Microsoft InfoPath 2013 user settings continue to synchronize.If you disable this policy setting Microsoft InfoPath 2013 user se
Microsoft Lync 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Lync 2010 user settings are excluded
s which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. If you enable this p
s which are common between the Microsoft Office Suite 2013 applications from synchronization between computers.If you enable this po
ween computers.If you enable this policy setting Microsoft Office 2013 Upload Center user settings continue to synchronize.If you disable
s which are common between the Microsoft Office Suite 2016 applications from synchronization between computers.If you enable this po
ween computers.If you enable this policy setting Microsoft Office 2016 Upload Center user settings continue to synchronize.If you disable
e between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Acc
e between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Acc
mon between the Microsoft Office Suite 2013 applications will synchronize between a userâ€™s work computers with UE-V by default. Use
mon between the Microsoft Office Suite 2016 applications will synchronize between a userâ€™s work computers with UE-V by default. Use
tween a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel
tween a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Excel
nize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365
ween a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 20
ween a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lync 20
onize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 36
ize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365
ynchronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Offi
e between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Pr
e between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Pr
signer 2013 will synchronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings
tween a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2
tween a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Visio 2
etween a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word
etween a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Word
able this policy setting OneDrive for Business 2013 user settings continue to synchronize.If you disable this policy setting OneDrive for Busin
able this policy setting OneDrive for Business 2016 user settings continue to synchronize.If you disable this policy setting OneDrive for Busin
policy setting Microsoft OneNote 2010 user settings continue to synchronize.If you disable this policy setting Microsoft OneNote 2010 use
icy setting Microsoft Outlook 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Outlook 2010 user setti
ble this policy setting Microsoft PowerPoint 2010 user settings continue to synchronize.If you disable this policy setting Microsoft PowerPo
setting Microsoft Project 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Project 2010 user settings a
policy setting Microsoft Publisher 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Publisher 2010 us
een computers.If you enable this policy setting Microsoft SharePoint Designer 2010 user settings continue to synchronize.If you disable th
een computers.If you enable this policy setting Microsoft SharePoint Designer 2013 user settings continue to synchronize.If you disable th
n between computers.If you enable this policy setting Microsoft SharePoint Workspace 2010 user settings continue to synchronize.If you d
Microsoft Visio 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Visio 2010 user settings are excluded
ng Microsoft Word 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Word 2010 user settings are excl
to synchronize. If you disable this policy setting Notepad user settings are excluded from the synchronization settings.If you do not config
certain user settings of Microsoft OneNote 2013 will continue to be backed up.If you disable this policy setting certain user settings of Mic
certain user settings of Microsoft OneNote 2016 will continue to be backed up.If you disable this policy setting certain user settings of Mic
tain user settings of Microsoft Outlook 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microso
tain user settings of Microsoft Outlook 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microso
setting certain user settings of Microsoft PowerPoint 2013 will continue to be backed up.If you disable this policy setting certain user setti
setting certain user settings of Microsoft PowerPoint 2016 will continue to be backed up.If you disable this policy setting certain user setti
n user settings of Microsoft Project 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft P
n user settings of Microsoft Project 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft P
g certain user settings of Microsoft Publisher 2013 will continue to be backed up.If you disable this policy setting certain user settings of Mi
g certain user settings of Microsoft Publisher 2016 will continue to be backed up.If you disable this policy setting certain user settings of Mi
gs.If you enable this policy setting certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up.If you disable
settings of Microsoft Visio 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Visio 2013
settings of Microsoft Visio 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Visio 2016
er settings of Microsoft Word 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Word 2
er settings of Microsoft Word 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Word 2
ue to synchronize. If you disable this policy setting WordPad user settings are excluded from the synchronization settings.If you do not con
f you disable this policy setting Finance user settings are excluded from synchronization.If you do not configure this policy setting any defi
ou disable this policy setting Games user settings are excluded from synchronization.If you do not configure this policy setting any defined
able this policy setting Maps user settings are excluded from synchronization.If you do not configure this policy setting any defined values
isable this policy setting Music user settings are excluded from the synchronizing settings.If you do not configure this policy setting any defi
able this policy setting News user settings are excluded from synchronization.If you do not configure this policy setting any defined values
ou disable this policy setting Reader user settings are excluded from the synchronization.If you do not configure this policy setting any defi
disable this policy setting Sports user settings are excluded from synchronization.If you do not configure this policy setting any defined val
disable this policy setting Travel user settings are excluded from synchronization.If you do not configure this policy setting any defined valu
sable this policy setting Video user settings are excluded from synchronization.If you do not configure this policy setting any defined values
ync.If you disable this policy setting Weather user settings are excluded from synchronization.If you do not configure this policy setting any
Drive or SharePoint files on the computer for the sync client to start automatically.If this setting is not enabled the OneDrive sync client w
e Explorer.* OneDrive files arenâ€™t kept in sync with the cloud.* Users canâ€™t automatically upload photos and videos from the camer
gation pane in File Explorer.* OneDrive files arenâ€™t kept in sync with the cloud.* Users canâ€™t automatically upload photos and video
en and save files on OneDrive using the OneDrive app and file picker and Windows Store apps will still be able to access OneDrive using the
but there are no clickable links for these elements.If you disable or do not configure this policy setting the default behavior applies (Help
erience will not launch for newly-created user accounts or for accounts that would have been prompted to choose their privacy settings aft
can't hibernate the PC.
ws To Go workspace can use standby states to make the PC sleep.
connected will be enabled and users will not be able to make changes using the Windows To Go Startup Options Control Panel item.If you
d easy way to configure their system settings before a presentation to block system notifications and screen blanking adjust speaker volum
icense server issues an RDS CAL to any RD Session Host server that requests one.If you enable this policy setting and this policy setting is a
RDS or TS CAL for a connection. For example a Windows Server 2008 license server will try to issue a Windows Server 2008 TS CAL for clien
efore a user starts an RDP session the user receives a warning message and is asked to confirm whether they want to connect.If you disabl
store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example when a user d
o the RD Session Host server even if the client cannot authenticate the RD Session Host server.Warn me if authentication fails: The client a
tting to disable the acceleration; then if the problem still occurs you will know that there are additional issues to investigate. If you disable
aves his settings any password that previously existed in the RDP file will be deleted.If you disable this setting or leave it not configured the
nnection to an RD Session Host server. If saved credentials for the user are available on the client computer the user will not be prompted
p file that is signed by a trusted certificate the user does not receive any warning messages when they start the file. To obtain the thumbpr
and UDP protocols.
es over RDP to all users or only to users who are in the Administrators group on the computer.If you disable or do not configure this policy
e or do not configure this policy setting the IP address of the RD Session Host server is used if a virtual IP is not available.
ork mask are used to select the network adapter used for the virtual IP addresses.If you disable or do not configure this policy setting Remo
Compatibility is turned off and only one instance of the msiexec process can run at a time. If you disable or do not configure this policy setti
ter a list of programs to use virtual IP addresses. List each program on a separate line (do not enter any blank lines between programs). Fo
be started remotely by using the RemoteApp Manager on Windows Server 2008 R2 and Windows Server 2008. If you are using Windows S
olicy setting users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will maintain
mpted for all clients running Remote Desktop Connection whenever their network connection is lost.If the status is set to Disabled automa
ing to a disconnected state even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same R
nistrator is logged off any data not previously saved is lost.If you enable this policy setting logging off the connected administrator is not a
hat the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demand
user automatically reconnects to that session at the next logon.If you disable this policy setting users are allowed to make unlimited simul
esktop Protocol will not determine the network quality at the connect time and it will assume that all traffic to this server originates from a
fault)" If you select "Use either UDP or TCP" and the UDP connection is successful most of the RDP traffic will use UDP.If the UDP connecti
ll Control with user's permission: Allows the administrator to interact with the session with the user's consent.3. Full Control without user
enable this policy setting user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when
or do not configure this policy setting Fair Share CPU Scheduling is turned on.
(RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not play the
ord audio by using an audio input device on the local computer such as a built-in microphone.By default audio recording redirection is not
n time (current session time = server base time + client time zone).If you disable or do not configure this policy setting the client compute
mputer. By default Remote Desktop Services allows Clipboard redirection.If you enable this policy setting users cannot redirect Clipboard
rvices session. By default Remote Desktop Services allows this COM port redirection.If you enable this policy setting users cannot redirect
r> on <computername>. You can use this policy setting to override this behavior.If you enable this policy setting client drive redirection is
s LPT port redirection.If you enable this policy setting users in a Remote Desktop Services session cannot redirect server data to the local L
direction is allowed. By default Remote Desktop Services automatically redirects smart card devices on connection.Note: The client comp
If you disable this policy setting users can redirect their supported Plug and Play devices to the remote computer. Users can use the More
r. If you disable or do not configure this policy setting users can redirect their video capture devices to the remote computer. Users can us
he audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium
ng that affect the RD Session Host server. If applicable a notification will also be displayed that notes the number of days until the licensing
ount connecting to this RD Session Host server have an RDS Per User CAL issued from an RD Licensing server. Per Device licensing mod
will attempt automatic license server discovery. In the automatic license server discovery process an RD Session Host server in a Window
ws this client printer mapping.If you enable this policy setting users cannot redirect print jobs from the remote computer to a local client p
is policy setting to override this behavior.If you enable this policy setting the default printer is the printer specified on the remote comput
re redirected in Remote Desktop Services sessions.
session.If you enable this policy setting the fallback printer driver is enabled and the default behavior is for the RD Session Host server to
emote Desktop Easy Print printer driver cannot be used a printer driver on the RD Session Host server that matches the client printer is us
cated in User Configuration\Policies\Administrative Templates\System\User Profiles.If you enable this policy setting you must specify a mo
ng a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profil
ectory on a network share type the Home Dir Root Path in the form \\Computername\Sharename and then select the drive letter to which
tting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profil
anced farm. The farm name does not have to correspond to a name in Active Directory Domain Services.If you specify a new farm name a
ced farm should use the same RD Connection Broker server.If you enable this policy setting you must specify the RD Connection Broker se
ktop Session Host role service must be installed on the server.If the policy setting is enabled the RD Session Host server joins the farm that
on Broker server.If you enable this policy setting a Remote Desktop Services client queries the RD Connection Broker server and is redirect
m with the fewest sessions. Redirection behavior for users with existing sessions is not affected. If the server is configured to use RD Conne
Aero requires additional system and bandwidth resources allowing desktop composition for remote desktop sessions can reduce connecti
ote Desktop Connection Remote Desktop Services client or through Group Policy.If you enable this policy setting the desktop is always dis
lgorithm that is optimized to use less memory this option is less memory-intensive but uses more network bandwidth. If you select the alg
teFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of netwo
e set to one of the following options:1. Let the system choose the experience for the network condition2. Optimize for server scalability3. O
e font smoothing requires additional bandwidth resources not allowing font smoothing for remote connections can improve connection p
Codec.If you enable this policy setting users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for enc
depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers r
e server load.If you enable this policy setting the color depth that you specify is the maximum color depth allowed for a user's RDP connec
olicy setting you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by e
tting you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from
ct" does not appear as an option in the drop-down list in the Shut Down Windows dialog box.If you disable or do not configure this policy
As a result users must type a security attention sequence such as CTRL+ALT+END to open the Windows Security dialog box on the client co
with this setting by the server administrator or by the user in configuring the client connection. Enabling this setting overrides the "Start Pro
tting RemoteApp programs published from this RD Session Host server will use these advanced graphics.If you disable this policy setting Re
etting all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter.If you do not configure this policy
er. In this case the Remote Desktop Connections will use XDDM graphics display driver.For this change to take effect you must restart Win
on the server by using graphics processing units (GPUs). By default RemoteFX for RD Virtualization Host uses server-side GPUs to deliver a
at use Silverlight or Windows Presentation Foundation.If you enable this policy setting you must select the visual experience for which you
rs you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduce network bandwidth usage by reduc
Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.If you enab
rators are able to make such changes.If you enable this policy setting the default security descriptors for existing groups on the RD Session
te Desktop Services accepts requests from RPC clients that support secure requests and does not allow unsecured communication with un
ections must use the security method specified in this setting. The following security methods are available:* Negotiate: The Negotiate me
tting only client computers that support Network Level Authentication can connect to the RD Session Host server.To determine whether a c
an RD Session Host server during RDP connections.If you enable this policy setting you need to specify a certificate template name. Only ce
cryption) is not recommended. This policy does not apply to SSL encryption.If you enable this policy setting all communications between cl
ched. By default Remote Desktop Services disconnects sessions that reach their time limits.Time limits are set locally by the server adminis
matically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the sessio
ve sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disco
Services session without logging off and ending the session.When a session is in a disconnected state running programs are kept active ev
er but it is not logged off.If you enable this policy setting when a user closes the last running RemoteApp program associated with a sessio
folders when the user logs off.If you enable this policy setting a user's per-session temporary folders are retained when the user logs off f
active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder
the Favorites Center.
etting the user receives a notification when a feed or Web Slice is available and can click the feed discovery button.
Feed APIs.If you disable or do not configure this policy setting the user can set the Feed Sync Engine to download an enclosure through th
eb Slice by using the Feed APIs. A developer also cannot create or delete folders.If you disable or do not configure this policy setting the u
ction.If you disable or do not configure this policy setting the Windows RSS Platform does not authenticate feeds to servers by using the B
e of the query term for the search service URL.If your intranet search service is SharePoint Portal Server your query should resemble the f
?q=$w.For each search scope provide:1) A name for the scope such as 'IT Web'.2) The URL to the search service. Use $w in place of the qu
eract with Cortana using speech.
ms or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting configured
ng is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be used. N
mmend enabling this policy setting only on PCs where documents are stored in many languages. If you disable or do not configure this pol
;.pptx;.vsd;.xlsb;.xltx;.dot;.rtf
emovable drives can be added to libraries. In addition locations on removable drives can be indexed.
ueries will be performed on the web and web results will be displayed when a user performs a query in Search.If you don't configure this
ms a query in Search.If you disable this policy setting queries will be performed on the web over metered connections and web results will
of a delegate mailbox that are cached locally. To have this policy affect all parts of a delegate mailbox ensure that for Microsoft Outlook 20
eparately from online mailboxes. The "Enable Indexing of Uncached Exchange Folders" has no effect on delegate mailboxes. To stop indexi
ower the burden on Microsoft Exchange servers lower the rate of items indexed per minute. If you disable this policy then online mail item
x.This policy has no effect if the Files on Microsoft Networks add-in is not installed.Disabled by default.
bled the Add and Remove locations options and any previously defined user locations will not be visible. When the policy is disabled both
le or do not configure this policy setting Windows Search monitors which folders are shared or not shared on this computer and automati
oft document filters (iFilters). This policy is disabled by default.
ingle exclusion list.When this policy is disabled or not configured the user can edit the default list of excluded file types. If you enable and
blic Folder Favorites option must be turned on.
Advanced Options dialog for Search and Indexing Options in the Control Panel. This is the default for this policy setting.
llow list of add-ins by providing the classID or ProgId string. For example if you plan to deploy a particular iFilter make sure that this iFilter
review pane functionality is only available for Office documents in Office XP or later.When this policy is disabled or not configured the prev
n see snippets related to their desktop search query.When this policy is disabled or not configured the default is small icon view.
and videos but not text from search results; -Off: Don't filter adult content from search results.If you disable or don't configure this polic
h and other Microsoft experiences. -User info only: Share a user's search history and some Microsoft account info to personalize their
ot configured Windows Desktop Search automatically manages your index size.
ns a status section where the user can get recommendations to help increase the computer's security. When Security Center is not enable
meout value is 3 minutes for workstations and 15 minutes for servers.
n interface.If you disable or do not configure this policy setting the system creates the named pipe remote shutdown interface.
o modify that restriction.If you enable this policy setting certificates with the following attributes can also be used to log on with a smart ca
ard cannot be used to log on to a domain. Note: This policy setting only affects a user's ability to log on to a domain. ECC certificates on a s
e this policy setting the integrated unblock feature will be available.If you disable or do not configure this policy setting then the integrate
signature key-based certificates will not be listed on the logon screen.
nly controls the displaying of the certificate on the client machine. If you enable this policy setting certificates will be listed on the logon sc
me or user name and domain will be displayed.If you disable or do not configure this policy setting an optional field that allows users to en
of logon.If you disable or do not configure this policy setting the default message will be displayed to the user when the smart card is bloc
en a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued from the
his can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if your sma
will not be displayed when a smart card device driver is installed.Note: This policy setting is applied only for smart cards that have passed t
nt certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affected by
1 OU=Users DN=example DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@example.co
will not be made available to applications such as Outlook.
nabled: Turn on certificate propagation from smart card.If you disable this policy setting then root certificates will not be propagated from
is policy setting Smart Card Plug and Play will be disabled and a device driver will not be installed when a card is inserted in a Smart Card R
when this device activates. Policy Options: - Not Configured (default -- data will be automatically sent to Microsoft) - Disabled
s policy setting Sound Recorder can be run.
f enabled (default) the device will periodically check for updated speech models and then download them from a Microsoft service using t
crosoft Store.
d and installation of app updates is determined by a registry setting that the user can change using Settings in the Microsoft Store.
etermined by a registry setting that the user can change using Settings in the Microsoft Store.
g on" so that syncing it turned off by default but not disabled.If you do not set or disable this setting "sync your settings" is on by default an
ned off by default but not disabled.If you do not set or disable this setting syncing of the "app settings" group is on by default and configur
ault but not disabled.If you do not set or disable this setting syncing of the "AppSync" group is on by default and configurable by the user.
s will not be synced.Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disabled.If you
ersonalization syncing on" so that syncing it turned off by default but not disabled.If you do not set or disable this setting syncing of the "d
his PC is on a metered connection.If you do not set or disable this setting syncing on metered connections is configurable by the user.
dows settings syncing on" so that syncing it turned off by default but not disabled.If you do not set or disable this setting syncing of the "O
ff by default but not disabled.If you do not set or disable this setting syncing of the "passwords" group is on by default and configurable by
d off by default but not disabled.If you do not set or disable this setting syncing of the "personalize" group is on by default and configurabl
turned off by default but not disabled. If you do not set or disable this setting syncing of the "Start layout" group is on by default and
gure this policy users will be able to use this feature to print to a Journal Note.
l be shown unless the user disables them in Control Panel.
is policy applications can be launched from a hardware button.If you do not configure this policy applications can be launched from a hard
administrator."If you disable this policy press and hold actions for buttons will be available.If you do not configure this policy press and ho
d OEM defined button actions will occur when the buttons are pressed.
board and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard shortc
mbols numbers or keyboard shortcuts.If you enable this policy Input Panel will never appear next to text entry areas when using a tablet pe
bers or keyboard shortcuts.If you enable this policy Input Panel will never appear next to any text entry area when a user is using touch in
hen these input languages or keyboards are installed. Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 a
PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy Input Panel tab will
plication auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel Option
keys are tapped when entering a password.Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keybo
Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbols numb
d that the pen flicks notification will never be displayed. However pen flicks the pen flicks tray icon and pen flicks training (that can be acce
cy pen flicks and related features are available.
-specific features.If you disable this setting the user can produce input with touch by using gestures the touch pointer and other-touch spe
by touch. If you disable this setting the user can pan windows by touch.If you do not configure this setting Touch Panning is on by default.N
erty sheet upon completion of the "Add Scheduled Task" wizard. The task's property sheet allows users to change task characteristics suc
pear in Detail view and in the task preview.This setting prevents users from viewing and changing characteristics such as the program the
d User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in Us
box that determine the program and path for a task.As a result when users create a task they must select a program from the list in the S
s cannot add new scheduled tasks by dragging moving or copying a document or program into the Scheduled tasks folder.This setting doe
nfiguration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User Configu
er.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Co
eded. When this policy setting is disabled language features remain on the userâ€™s machine when the language is uninstalled.
default is for Windows Calendar to be turned on.

files that they previously installed. Administrators will be able to uninstall all color profiles.
Manager server.
w me app recommendations - Warn me before installing apps from outside the Store - Allow apps from Store onlyIf you disable or don
net and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious.Some information is se
indows Defender SmartScreen is turned on and employees can't turn it off.If you disable this setting Windows Defender SmartScreen is tu
e this setting employees can ignore Windows Defender SmartScreen warnings and continue to the site.
mps generated for error reports by Microsoft Windows are automatically uploaded without notification to the user.If you disable this polic
Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.Important: If th
errors are logged to the system event log as with other Windows-based programs.
ditionally solution information is not available in Security and Maintenance in Control Panel.If you disable or do not configure this policy se
ort the error.If you disable this policy setting users are not notified that errors have occurred. If the Configure Error Reporting policy setting
not configure this policy setting then consent policy settings in Computer Configuration/Administrative Templates/Windows Components/
can contain data about the same event types as an earlier uploaded report.If you disable or do not configure this policy setting WER thrott
messages or dialog boxes for critical errors.
e.If you enable this policy setting WER does not determine whether the computer is running on battery power but checks for solutions and
or do not configure this policy setting WER does not send data but will check the network cost policy again if the network profile is changed
using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection and specify a port number on the destination server for tr
parameters only only the minimum information required to check for an existing solution is stored. The Maximum number of reports to st
report should be placed in the reporting queue or the user should be prompted to send it immediately. When Queuing behavior is set to
e Report all errors in Microsoft applications check box is filled all errors in Microsoft applications are reported regardless of the setting in t
on file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are not report
rts errors click Show and then add or remove applications from the list of application file names in the Show Contents dialog box (example
ports errors click Show under the Exclude errors for applications on this list setting and then add or remove applications from the list of ap
s policy setting users can change this setting in Control Panel. By default Windows Error Reporting settings in Control Panel are set to uploa
re this policy setting users can adjust this setting using the control panel which is set to "Upload unplanned shutdown events" by default.A
data: Windows prompts users for consent to send reports.- Send parameters: Only the minimum data that is required to check for an exis
rrors: crash no response and kernel fault errors. For each specified event type you can set a consent level of 0 1 2 3 or 4.- 0 (Disable): Wind
ent policy settings for error reporting determine the consent level for specified event types and the default consent setting determines onl
r authentication.If you disable or do not configure this policy setting Windows does not allow the enumeration of provisioned Windows He
type to be verified.If you enable this policy setting the user will have to use one factor from each list to successfully unlock.If you disable
more information see: https://go.microsoft.com/fwlink/?linkid=849684
ure this policy setting Windows Hello for Business provisions Windows Hello for Business credentials compatible with smart card applicatio
prevents Windows Hello for Business provisioning from using those devices.If you disable or do not configure this policy setting the TPM is
able this policy setting Windows Hello for Business prevents the use of biometric gestures.NOTE: Disabling this policy prevents the user of
ello for Business enrolls a key that is used for on-premises authentication.NOTE: Disabling or not configuring this policy setting and enablin
ecret which is stored on the device and requires both the PIN recovery service and the device to decrypt. PIN recovery requires the user to
disable this policy setting the device does not provision Windows Hello for Business for any user.If you do not configure this policy setting
rd certificates.If you disable or do not configure this policy setting applications do not use Windows Hello for Business certificates as smart
e or do not configure this policy setting the security features of Windows Installer prevent users from changing installation options typical
se the installation is running with elevated system privileges users can browse through directories that their own permissions would not al
easily be vehicles for malicious programs some installations prohibit their use.If you disable or do not configure this policy setting by defau
icy setting does not affect installations that run in the user's security context. By default users can install from removable media when the
ter (installed automatically) or made available in Add or Remove Programs in Control Panel. This profile setting lets users install programs
ompts for source media when new updates are applied. If you enable this policy setting you can modify the maximum size of the Wind
feature.This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed
stallation.If you enable this policy setting the warning is suppressed and allows the installation to proceed.This policy setting is designed fo
programs some installations prohibit their use.Note: This policy setting applies only to installations that run in the user's security context.
patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for spec
ng only administrators or users with administrative privileges can apply updates to Windows Installer based applications.If you disable or
r administrators.If you enable this policy setting updates cannot be removed from the computer by a user or an administrator. The Windo
ts Windows Installer from retaining files it intends to delete later. As a result Windows Installer cannot restore the computer to its origina
control file in use detection behavior.-- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to detect fil
at are installed per user and products that are installed per computer. If the installer finds a per-user install of an application this hides a p
ource from the "Use features from" list that the system administrator configures. This policy setting applies even when the installation
tting on Windows Server 2003 Windows Installer requires the transform file in order to repeat an installation in which the transform file wa
recorded type the letter representing the event type. You can type the letters in any order and list as many or as few event types as you w
not generate System Restore checkpoints when installing applications.If you disable or do not configure this policy setting by default the W
o control automatic logging via package settings behavior.-- The "Logging via package settings on" option instructs Windows Installer to aut
ared component functionality is allowed.
etting.-- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default behav
e configured.If you enable this policy setting you can choose one of the following two options:1. â€œEnabled if BitLocker is on and not sus
ou set this policy setting to "Ease of Access applications" Ease of Access applications can simulate the SAS.If you set this policy setting to "S
e date and time of the last successful logon by that user the date and time of the last unsuccessful logon attempted with that user name a
figured no popup will be displayed to the user.
ory this policy only applies to Windows Update restarts. Otherwise this will apply to both Windows Update restarts and user-initiated resta
tent upgrade Windows Media DRM security components or restore backed up content licenses. Secure content that is already licensed to
r window displays is not available.If you disable or do not configure this policy setting users can show or hide the anchor window when the
privacy file types and other desktop options from being displayed when the Player is first started. Some of the options can be configured b
ows Media Player or from programs that depend on the Player's media sharing feature.If you disable or do not configure this policy setting
ayer to the Quick Launch bar.
d and is not available.If you disable this policy setting video smoothing occurs if necessary and the Use Video Smoothing check box is selec
Note: This policy setting is available under both Computer Configuration and User Configuration. If both are present the Computer Configu
simply prevents Windows Messenger from running initially. If the user invokes and uses Windows Messenger from that point on Windows
Center and the .exe file launches it.If you do not configure this policy setting Windows Mobility Center is on by default.
SourcePath parameter on the Update-Help cmdlet.If this policy setting is disabled or not configured this policy setting does not set a defau
pelineExecutionDetails property of the module to True. If you disable this policy setting logging of execution events is disabled for all W
If you disable this policy setting logging of PowerShell script input is disabled. If you enable the Script Block Invocation Logging Pow
werShell engine. By default Windows PowerShell will record transcript output to each users' My Documents directory with a file name
ow local scripts and remote signed scripts" policy setting allows any local scrips to run; scripts that originate from the Internet must be sig
e listed providers will respond to WMI queries and Reliability Monitor will display system reliability information.If you disable this policy se
u disable or do not configure this policy setting the WinRM client does not use Basic authentication.
ng the WinRM client sends or receives only encrypted messages over the network.
g the Negotiate authentication and Kerberos is selected.If you disable or do not configure this policy setting the WinRM client uses the Ker
st is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the host.If y
nRM service does not accept Basic authentication from a remote client.
he WinRM service does not accept CredSSP authentication from a remote client.
port over the default HTTP port.To allow WinRM service to receive requests over the network configure the Windows Firewall policy settin
tting the WinRM client sends or receives only encrypted messages over the network.
WinRM service accepts Kerberos authentication from a remote client.
icy setting the WinRM service accepts Negotiate authentication from a remote client.
has already set the RunAsUser and RunAsPassword configuration values the RunAsPassword configuration value will be erased from the c
lied channel binding token. If you disable or do not configure this policy setting you can configure the hardening level locally on each c
hen certain port 80 listeners are migrated to WinRM 2.0 the listener port number changes to 5985. A listener might be automatically c
When certain port 443 listeners are migrated to WinRM 2.0 the listener port number changes to 5986. A listener might be automatic
setting the default number is five users.

pecified amount of time since the last received message from the client before terminating the open shell.If you do not configure or disab
available virtual memory.If you enable this policy setting the remote operation is terminated when a new allocation exceeds the specified
y setting the limit is five processes per shell.
.If you disable or do not configure this policy setting by default the limit is set to two remote shells per user.
user. Applications using a microphone may not function properly with this setting.If you do not configure this policy setting audio input wil
g will be enabled.
icy setting networking is disabled in Windows Sandbox.If you do not configure this policy setting networking will be enabled. Note that en
tion will be disabled.
ed. Note that enabling virtualized GPU can potentially increase the attack surface of the sandbox.
is policy setting video input will be disabled. Applications that use video input may not function properly in Windows Sandbox. Note that t
a TPM with vulnerable firmware. Not configured: Same as Disabled.

ast one of the following GP settings: -Specify contact phone number or Skype ID -Specify contact email number or email ID -Sp
one of the following GP settings: -Specify contact phone number or Skype ID -Specify contact email number or email ID -Specify
ecurity or any notifications that it creates. Not configured: Same as Disabled.
e Options section. Disabled: A contact email address or email ID will not be shown in either Windows Security or any notifications i
Disabled: A contact phone number or Skype ID will not be shown in either Windows Security or any notifications it creates. Not c
n either Windows Security or any notifications it creates. Not configured: Same as Disabled.
nformation. Disabled: Local users will see all types of notifications from Windows Security. Not configured: Same as Disable
shown. Not configured: Same as Disabled.
will not be installed immediately.Note: If the "Configure Automatic Updates" policy is disabled this policy has no effect.
hould receive update notifications. Non-administrative users will be able to install all optional recommended and important content for w
e location if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.If you disable or do no
d even if the PC has signed-in users.If you disable or do not configure this policy Windows Update will not alter its restart behavior.If the "N
isabled or Not Configured Windows will check for available updates at the default interval of 22 hours. Note: The "Specify intranet Mic
e of the four options in the Group Policy Setting: 2 = Notify before downloading and installing any updates. When Windows finds u
the notification.If you disable or do not configure this policy the default method will be used.
start to display the warning reminder to the user.You can specify the amount of time prior to a scheduled restart to notify the user that th
policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automatic Upd
d and installed.Important: if you choose not to get update notifications and also define other Group policy so that devices arenâ€™t autom
f whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.If you disable or do no
oft update service this computer is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft update serv
at functionality and may cause connection to public services such as the Windows Store to stop working.Note: This policy applies only whe
n the user selects the Shut Down option in the Start menu.If you disable or do not configure this policy setting the 'Install Updates and Shu
the intranet Microsoft update service supports multiple target groups this policy can specify multiple group names separated by semicolon
tem is in sleep when the scheduled install time occurs and there are updates to be applied then Windows Update will use the Windows Po
a user is logged in to the computer. Instead Automatic Updates will notify the user to restart the computer.Be aware that the computer n
efault interval is 10 minutes. Note: This policy applies only when Automatic Updates is configured to perform scheduled installations o
If the status is set to Disabled a missed scheduled installation will occur with the next scheduled installation.If the status is set to Not Confi
olicies will override the above policy: 1. No auto-restart with logged on users for scheduled automatic updates installations. 2. Always a
oon as they are offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed restarts will occur
restart reminder notifications. The snooze period can be set between 1 and 3 days.You can specify the deadline in days before automatica
ates that apply to the computers on your network. To use this setting you must set two server name values: the server from which the
ours will be in effect.If any of the following two policies are enabled this policy has no effect: 1. No auto-restart with logged on users for
ed Automatic Updates will continue to deliver important updates if it is already configured to do so.
aged environments in which you allow the end user access to the Microsoft Update service.If you enable this policy setting a notification m
e Feature Update to devices for testing or to deploy the Feature Update without blocking on safeguard holds.
10 release.Beta ChannelIdeal for feature explorers who want to see upcoming Windows 10 features. Your feedback will be especially imp
a version for the device to move to and/or stay on until the policy is updated or the device reaches end of service can be specified. Note:
me receiving Quality Updates which are paused clear the start date field.If you disable or do not configure this policy Windows Update will
vents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified in the "
d.This policy has two modes: it can either specify a list of settings pages to show or a list of pages to hide. To specify a list of pages to show
h the keyboard or by dragging it with the mouse.
path and name of the file that stores the default lock screen and logon image. You can type a local path such as C:\Windows\Web\Screen
ows then those colors take precedence over this policy.If the "Force a specific Start background" policy is also set on a supported version
s part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task.
cal administrator.If you disable or do not configure this policy setting there is no restriction of a specific language used for the Windows m
turesâ€¯isâ€¯preventedâ€¯for all users. If you disable or do not configure this policy setting there is noâ€¯language packs or featureâ€
he system UI languages.If you disable or do not configure this policy setting the user can specify which UI language is used.
rnet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriti
guest.jpg. If the default pictures do not exist an empty frame is displayed.If you enable this policy setting the default user account picture
oup such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the LocalAcco
er embedded object.2. "Block embedding/linking allow other activation" prevents the Flash control from being loaded when directly refere
ITo restore the default behavior for client-side SMBv1 protocol processing do ALL of the following:* Set the SMBv1 client driver to "Manua
setting.To restore default SMBv1 client-side behavior select "Enabled" and choose the correct default from the dropdown:* "Manual start
ps://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates
s. If the NodeType value is present it overrides any DhcpNodeType value.If neither NodeType nor DhcpNodeType is present the computer
hat legacy JScript execution is restricted. Modern JScript9 will continue to function for all zones.If Disabled or Not Configured JScript will fu
ust first be installed to disable WDigest authentication using this setting in Windows 7 Windows 8 Windows Server 2008 R2 and Windows
default value of 15 minutes applies.Note: The minimum value you can select is 15 minutes. If you try to set this setting to a value less than
rom its peers in the same IP subnet. If none of the peers in the subnet have the requested files BITS downloads them from the origin serve
Note: This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting does not
server. However the computer will still make files available to its peers. If you disable or do not configure this policy setting the comp
es from peers. If you disable or do not configure this policy setting the computer will offer downloaded and cached files to its peers.
ble or do not configure this policy setting files that have not been accessed for the past 90 days will be removed from the peer cache.
pace to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. If you disable or do not configure t
ng you can set the maximum job download time to a specified number of seconds. If you disable or do not configure this policy settin
If you enable this policy setting BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits per seco
tive BITS will use a maximum of 30 percent of 56 Kbps. You can change the default behavior of BITS and specify a fixed maximum ba
s policy setting BITS will use the default user BITS job limit of 300 jobs. Note: This limit must be lower than the setting specified in the
e this policy setting BITS will use the default BITS job limit of 300 jobs. Note: BITS jobs created by services and the local administrator
the maximum number of files a job can contain. Note: BITS Jobs created by services and the local administrator account do not coun
mit ranges to 500 ranges per file. Note: BITS Jobs created by services and the local administrator account do not count toward this lim
policy explicitly configured by the application that created the BITS job but does apply to jobs that are created by specifying only a priority
pecify a limit to use for background jobs during a maintenance schedule. For example if normal priority jobs are currently limited to 256 K
a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined you can set the bandw
this timeout. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pending j
s the maximum round trip network latency allowed before caching begins clients do not cache content until the network latency reaches t
ng all clients use the version of BranchCache that you specify in "Select from the following versions."If you do not configure this setting al
puters that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office.If you enable
ervers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies.If you
are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want
ranchCache distributed cache mode clients in the branch office.Policy configurationSelect one of the following:- Not Configured. With this
when the hosted cache client obtains content from a content server the client can upload the content to the hosted cache server for acce
nfigured. With this selection BranchCache client computer cache settings are not applied to client computers by this policy. In the circumst
configurationSelect one of the following:- Not Configured. With this selection BranchCache settings are not applied to client computers by
rp.contoso.com or PING:2002:836b:1::1. Note We recommend that you use FQDNs instead of IPv6 addresses wherever possible.Importan
sec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunne
sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users c
g the message.
if attaching suffixes is allowed an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query s
multi-label and fully qualified domain names.
rform DoH queries if the configured DNS servers support it. If they don't support it try classic name resolution.Require DoH: Allow only Do
you do not configure this policy setting computers will use the local or DHCP supplied connection specific DNS suffix if configured.
s is applied to all network connections used by computers that receive this policy setting. If you disable this policy setting or if you do not
ple a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS serve
e enabled on a network connection the connection-specific configuration must allow dynamic DNS registration and this policy setting mus
preferred over DNS responses if the local responses are from a network with a higher binding order.If you disable this policy setting or if y
d in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.You can use this policy setting to prevent user
ication submits a query for a single-label domain name.The DNS client appends DNS suffixes to the single-label unqualified domain name
tion can be used when a user or application submits a query for a single-label domain name.The DNS client appends DNS suffixes to the sin
me and the primary DNS suffix. For example a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registere
and then select one of the following options from the drop-down list:Do not register: Computers will not attempt to register PTR resource
d should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.Warning: If record scavenging
mic update of resource records in a zone that does not use Secure Dynamic Updates an A resource record might exist that associates the cl
setting.If you disable this policy setting or if you do not configure this policy setting computers will use the TTL settings specified in DNS. B
cenarios in which conventional DNS name resolution is not possible.If you enable this policy setting LLMNR will be disabled on all available
lient will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queri
l networks. If you disable this policy setting or if you do not configure this policy setting the DNS client will prefer link local responses for fl
at attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.If you disable this policy setting o
updates to any zone that is authoritative for the resource records that the computer needs to update except the root zone.If you disable t
nt provider and only enumerates locally-installed fonts. If you do not configure this policy setting the default behavior depends on the
setting or if you do not configure this policy setting WLAN hotspots are automatically probed for WISPR protocol support.If you disable th
cipher suites:AES_128_CCMHow to modify this setting:Arrange the desired cipher suites in the edit box one cipher suite per line in order
ttings are not applied to file servers. In the circumstance where file servers are domain members but you do not want to enable BranchCac
ype of content information that can be retrieved by client computers. For example if you enable support for V1 hashes BranchCache gene
erver-supported cipher suites.Note: When configuring this security setting changes will not take effect until you restart Windows.
cipher suites:AES_128_CCMHow to modify this setting:Arrange the desired cipher suites in the edit box one cipher suite per line in order f
environment insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file servers. W
ble or do not configure this policy setting Windows will prevent use of cached handles to files opened through CA shares. Note: This po
ble or do not configure this policy setting Windows will prevent use of Offline Files with CA-enabled shares. Note: Microsoft does not re
while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand if
able to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a ne
this validation will not be performed and any password will be allowed. If set to 0 the validation will be performed.
r PNRP names and cannot help other computers perform PNRP lookups.If you disable or do not configure this policy setting this computer
the added flexibility of allowing your users to use their peer-to-peer applications at home as well. Here are the four ways in which you ca
an find it when needed.If you enable this setting PNRP will not use multicast for bootstrapping. Specifying this registry key will break scena
ers so that a node in the PNRP cloud can resolve names published by other nodes.PNRP creates a global cloud if the computer has a globa
emicolon-delimited list of IPV6 addresses in the available field. If you enable this setting and you donâ€™t enter any address no seed serve
s can find it when needed.If you enable this setting PNRP will not use multicast for bootstrapping. Specifying this registry key will break sce
emicolon-delimited list of DNS names or IPV6 addresses in the available field. If you enable this setting and you donâ€™t enter any addres
s can find it when needed.If you enable this setting PNRP will not use multicast for bootstrapping. Specifying this registry key will break sce
k Bridge allows users to create a layer 2 MAC bridge enabling them to connect two or more network segements together. This connection
ter. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed this setti
ed or configured by administrators and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box for a LA
ault gateway.If you enable this policy setting all traffic between a remote client computer running DirectAccess and the Internet is routed t
If you disable or do not configure this policy setting Windows Defender Firewall makes no exception for messages sent by computers that
lock outbound echo request messages sent by Ping running on this computer.If you enable this policy setting you must specify which ICMP
omponent of Control Panel the "File and Printer Sharing" check box is selected and administrators cannot clear it.If you disable this policy
h at least SP2 and Windows Server 2003 with at least SP1 this policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited
Remote Desktop" check box is selected and administrators cannot clear it.If you disable this policy setting Windows Defender Firewall bloc
messages are allowed. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is selected and adm
ptions list.If you disable this policy setting the Windows Defender Firewall component in Control Panel does not allow administrators to de
cal program exceptions list.If you disable this policy setting the Windows Defender Firewall component in Control Panel does not allow ad
s (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to
e policy setting and then click the Show button. To add a port enable the policy setting note the syntax click the Show button. In the Show
us to Enabled that program can receive unsolicited incoming messages on any port that it asks Windows Defender Firewall to open even i
ewall: Protect all network connections" policy setting; otherwise administrators who log on locally can work around the "Windows Defende
nent of Control Panel the "Notify me when Windows Defender Firewall blocks a new program" check box is selected and administrators ca
ters Windows Defender Firewall waits as long as three seconds for unicast responses from the other computers and then blocks all later r
does not run and administrators who log on locally cannot start it.If you do not configure this policy setting administrators can use the Win
lock outbound echo request messages sent by Ping running on this computer.If you enable this policy setting you must specify which ICMP
omponent of Control Panel the "File and Printer Sharing" check box is selected and administrators cannot clear it.If you disable this policy
h at least SP2 and Windows Server 2003 with at least SP1 this policy setting also allows SVCHOST.EXE and LSASS.EXE to receive unsolicited
Remote Desktop" check box is selected and administrators cannot clear it.If you disable this policy setting Windows Defender Firewall bloc
messages are allowed. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is selected and adm
ptions list.If you disable this policy setting the Windows Defender Firewall component in Control Panel does not allow administrators to de
cal program exceptions list.If you disable this policy setting the Windows Defender Firewall component in Control Panel does not allow ad
s (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an option to
e policy setting and then click the Show button. To add a port enable the policy setting note the syntax click the Show button. In the Show
us to Enabled that program can receive unsolicited incoming messages on any port that it asks Windows Defender Firewall to open even i
ewall: Protect all network connections" policy setting; otherwise administrators who log on locally can work around the "Windows Defende
nent of Control Panel the "Notify me when Windows Defender Firewall blocks a new program" check box is selected and administrators ca
ters Windows Defender Firewall waits as long as three seconds for unicast responses from the other computers and then blocks all later r
does not run and administrators who log on locally cannot start it.If you do not configure this policy setting administrators can use the Win
the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used for this pu
uations Windows Network Isolation will be able to correctly discover proxies. By default any proxies configured with this setting are merge
cy setting Windows Network Isolation attempts to discover proxies and configures them as Internet nodes. This setting should NOT be use
to automatically discover private network hosts. By default the addresses configured with this policy setting are merged with the hosts tha
this policy setting Windows Network Isolation attempts to automatically discover your proxy server addresses. For more information see
ou disable or do not configure this policy setting Windows Network Isolation attempts to automatically discover your private network host
s that the computer can use local copies of network files while the server is inaccessible.-- "Never go offline" indicates that network files a
n Windows client computers and disabled on computers running Windows Server unless changed by the user.Note: Changes to this policy
Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost.
nc Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to set a pe
old value that will be used to determine a slow network connection.If this setting is disabled or not configured the default threshold value
If you enable this policy setting Offline Files uses the slow-link mode if the network throughput between the client and the server is below
copy of the file on the user's computer.This setting does not limit the disk space available for files that user's make available offline manu
ot run in the background on network folders when the user's network is roaming near or over the plan's data limit. The network folder mu
ble to the user when offline. The cached files are not kept in sync with the version on the server and the most current version from the ser
uter is affected but the associated network copy is not. The user cannot unencrypt Offline Files through the user interface.If you disable th
vents you want the system to log. The levels are cumulative; that is each level includes the events in all preceding levels."0" records an err
nization Manager progress dialog box: "Files of this type cannot be made available offline."This setting is designed to protect files that can
This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer
che. This prevents users from trying to change the option while a policy setting controls it.If you enable this policy setting you can specify t
ne when they are disconnected from this server or type "1" if they cannot.This setting appears in the Computer Configuration and User Co
ffline. Also it does not prevent them from using other programs such as Windows Explorer to view their offline files.This setting appears in
ng that locks down the configuration you establish by using other settings in this folder.This setting appears in the Computer Configuration
and are displayed for 15 seconds. You can use this setting to change the update interval.This setting appears in the Computer Configuratio
the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes pr
e available offline.Notes:This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings ar
alue column field blank.If you disable this policy setting the list of files and folders is deleted including any lists inherited from lower prece
lder. Leave the Value column field blank.If you disable this policy setting the list of files or folders made always available offline (including t
er that is available offline are made available offline when the parent folder is synchronized.If you disable this setting or do not configure it
ly performs a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are current.If you
ally enables logon synchronization in Synchronization Manager.If this setting is disabled and Synchronization Manager is configured for log
figuring this setting files are not synchronized when the computer is suspended.Note: If the computer is suspended by closing the display o
ble the setting the system displays the reminder balloons and prevents users from hiding them.If this setting is not configured reminder ba
limit the number of outstanding packets.If you disable this setting or do not configure it then the setting has no effect on the system.Impo
ystem can reserve.If you disable this setting or do not configure it the system uses the default value of 80 percent of the connection.Impor
effect on the system.Important: If a timer resolution is specified in the registry for a particular network adapter then this setting is ignored
ble this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in the registry for
type.If you disable this setting the system uses the default DSCP value of 24 (0x18).Important: If the DSCP value for this service type is spe
disable this setting the system uses the default DSCP value of 40 (0x28).Important: If the DSCP value for this service type is specified in th
ce type.If you disable this setting the system uses the default DSCP value of 48 (0x30).Important: If the DSCP value for this service type is s
sable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in the registry fo
ou disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in the regis
service type.If you disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is spec
e.If you disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in the
ol service type.If you disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is sp
you disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in the re
priority value for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that n
t: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter this setting is ignored when c
er-2 priority value for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring t
ant: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter this setting is ignored when
or nonconforming packets is specified in the registry for a particular network adapter this setting is ignored when configuring that network
2 priority value for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that
d routers) that are administered together by SNMP. The SNMP service is a managed network node that receives SNMP packets from the ne
he manager's role is to poll the agents for certain requested information.If you enable this policy setting the SNMP agent only accepts req
SNMP service. A trap message is an alert or significant event that allows the SNMP agent to notify management systems asynchronously.I
d:CertUtil.exe -DisplayEccCurve
a relay name for a 6to4 host.
policy setting the local host setting is used.If you enable this policy setting you can configure 6to4 with one of the following settings:Policy
d when there are no other connectivity options.Policy Enabled State: The IP-HTTPS interface is always present even if the host has other co
ATAP with one of the following settings:Policy Default State: If the ISATAP router name is resolved successfully the host will have ISATAP co
tion immediately and remain qualified if the qualification process succeeds.

n specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo client's NAT device Teredo might stop
n the host.Client: The Teredo interface is present only when the host is not on a network that includes a domain controller.Enterprise Clien
to identify connectivity and throughput problems and take appropriate measures.If you disable this policy setting Window Scaling Heuris
choices are available to turn off the operations over a specific medium. If you disable this policy setting operations are disabled over all me
uter or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards.
d no longer be connected to a network.When soft disconnect is enabled:- When Windows decides that the computer should no longer be
ny metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8. If this p
non-domain networks are blocked.- When the computer is already connected to a non-domain based network automatic connection atte
e Broadband networks.
of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection is coste
d by my contacts" enables Windows to automatically connect to networks that the user's contacts have shared with them and enables use
hether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.If you choose the "Force Allow
not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection is costed on a per byte basis.
is not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection is costed on a per byte bas
s showed by default.
ed and printing support and this setting must be enabled. Note: This setting affects the server side of Internet printing only. It does n
ay the default number of printers of each type: Directory printers: 20 TCP/IP printers: 0 Web Services printers: 0 Bluet
ype:TCP/IP printers: 50Web Services printers: 50Bluetooth printers: 10Shared printers: 50If you would like to not display printers of a cert
ote: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
setting or do not configure it the domain controller prunes this computer's printers when the computer does not respond. If you dis
sing the load on the server.If you disable this policy setting on a client machine the client itself will process print jobs into printer device co
h shared printers in Active Directory. Note: This setting is ignored if the "Allow printers to be published" setting is disabled.
erval. To disable verification disable this setting or enable this setting and select "Never" for the verification interval.
value you type here overrides the actual location of the computer conducting the search. Type the location of the user's computer. W
n alternate Internet address the default link will appear in the Printers folder. Note: Web pages links only appear in the Printers folde
the pruning service contacts computers every eight hours and allows two repeated contact attempts before deleting printers from Active
ed by higher priority threads. By default the pruning thread runs at normal priority. However you can adjust the priority to improve t
s to respond then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. By defau
not configure this setting on Windows Server 2003 family products the installation of kernel-mode printer drivers will be blocked.If you e
t configure it then all printer extensions that have been installed will be allowed to run.
ctions to printing based on connection type or printer Make/Model.
oler will execute print drivers in the print spooler process.Notes:-Other system or driver policy settings may alter the process in which a pr
ver driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver then the Point and Print connection will fa
isolating print drivers depending on whether they are configured for it.If you enable or do not configure this policy setting then applicatio
ated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the device vid/pid w
"Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Directory Pr
s the Driver Isolation compatibility flag value reported by the print driver.Notes:-Other system or driver policy settings may alter the proce
print connection anytime a package point and print connection fails including attempts that are blocked by this policy. Administrators may
ailable on the client a printer connection will be made. If a compatible print driver is not available on the client no connection will be made
.If you enable this setting users can browse for printers by location without knowing the printer's location or location naming scheme. Ena
ot available.If you do not configure this setting shared printers are announced to browse master servers only when Active Directory is not
tive Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 Professio
ortcuts at the bottom of the File menu. In addition the Jump Lists off of programs in the Start Menu and Taskbar do not show lists of recen
ow app list in Start menu" in Settings so users cannot turn it to On.Selecting "Remove and disable setting" will remove the all apps list from
er button is also removed from the Windows Security screen which appears when you press CTRL+ALT+DELETE and from the logon screen
figure this policy setting all will allow users to turn on or off the display of "Most used" list using the Settings app. This is default behavior.N
let on that same device. The cmdlet will generate an XML file representing the layout you configured.Once the XML file is generated and m
ot be able receive notifications from the network from WNS or via notification polling APIs. If you enable this policy setting notificatio
er activated.If you do not configure this policy setting the default behavior for the System State Data feature occurs.Note: By default the Sy
uld not be set unless the DLT server is running on all domain controllers in the domain.
user during these processes.Note: This policy setting is ignored if the ""Remove Boot/Shutdown/Logon/Logoff status messages"" policy se
nd choose "Server Only" from the drop-down menu list the Shutdown Event Tracker is displayed when you shut down a computer running
o other volumes or if you create a new file in an encrypted folder File Explorer encrypts those files automatically.
this page at logon" option at the bottom of the Manage Your Server page the page is not displayed.
programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown().If you enable this policy setting th
on is missing the system searches for it in Active Directory and if it is found downloads it. The resulting searches might make some progra
amp is turned off and the timing of unexpected shutdowns is not recorded.If you do not configure this policy setting the Persistent System
folders and their subfolders. To restrict the commands to one or more folders enable the policy setting and enter the desired folders
Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configu
alified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is separa
urned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. If you disable
this policy setting is applied. If you disable this policy setting users see a standard Access Denied message that doesn't provide any of the f
lUnit. To disable package refresh select 0. Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23 Day 0-31).
e the server load. Repeat reporting for every (days): The periodical interval in days for sending the reporting data. Data Cache
s and servers on which this policy setting is applied.If you disable or do not configure this policy setting the process's command line inform
olicy becomes effective the next time the user signs on to a computer running Windows.If you disable or do not configure (by default) this
ult) this policy setting delegation of default credentials is not permitted to any machine.Note: The "Allow delegating default credentials wit
ou do not configure (by default) this policy setting after proper mutual authentication delegation of fresh credentials is permitted to Remo
this policy setting after proper mutual authentication delegation of fresh credentials is permitted to Remote Desktop Session Host runnin
al manager).If you do not configure (by default) this policy setting after proper mutual authentication delegation of saved credentials is pe
gure (by default) this policy setting after proper mutual authentication delegation of saved credentials is permitted to Remote Desktop Ses
he "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the t
Note: The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents
ecify any server.Note: The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). Th
e this policy setting CredSSP version support will be selected based on the following options:Force Updated Clients: Client applications whi
n and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host.
ps:Remote Desktop ClientIf you enable this policy setting the following options are supported:Â Restrict credential delegation: Participati
e\ShareName\SIPolicy.p7b) or a locally valid path (for example C:\FolderName\SIPolicy.p7b). The local machine account (LOCAL SYSTEM)
tting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled kernel mode memory protections are enfo
to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device man
ndows does not create a system restore point when one would normally be created.If you disable or do not configure this policy setting W
re this policy setting the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata from th
at requests additional software is installed.
ublisher certificate and drivers that are signed by other Authenticode certificates are prioritized equally during the driver selection process
updates. This setting is used to ensure that the best software will be found for the device even if the network is temporarily available.If the
will Windows then also search Windows Update.If you disable or do not configure this policy setting members of the Administrators group
affects redirection of the specified devices from a remote desktop client to the remote desktop server.If you disable or do not configure t
ny device whose Plug and Play hardware ID or compatible ID appears in the list you create unless another policy setting specifically preven
ose Plug and Play device instance ID appears in the list you create unless another policy setting specifically prevents that installation (for ex
or update device drivers whose device setup class GUIDs appear in the list you create unless another policy setting specifically prevents in
tion when a policy setting prevents device installation.
ice installation.
vices that match any of these device instance IDs" policy setting.If you disable or do not configure this policy setting Windows is allowed to
g on a remote desktop server the policy setting affects redirection of the specified devices from a remote desktop client to the remote des
ver the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.If you disable
enable this policy setting on a remote desktop server the policy setting affects redirection of the specified devices from a remote desktop
s Windows to install a device.If you enable this policy setting Windows is prevented from installing removable devices and existing remova
take effect until the system is restarted.
s stored in the NV cache during shutdown and hibernate respectively. This might cause a slight increase in the time taken for shutdown an
e default behavior is to allow the hybrid hard disks to be in power save mode.Note: This policy setting is applicable only if the NV cache fea
y keeping the disks spun down while satisfying reads and writes from the cache.If you enable this policy setting the system will not manag
ve power. Note that this can cause increased wear of the NV cache.If you do not configure this policy setting the default behavior of the sy
t administrators can turn it on.To prevent users from changing the setting while a setting is in effect the system disables the "Enable quota
while the setting is in effect.If you do not configure this policy setting the disk quota limit is not enforced by default but administrators can
vent when a user exceeds their quota limit" option on the Quota tab so administrators cannot change the setting while a setting is in effec
o that administrators cannot change logging while a policy setting is in effect.If you do not configure this policy setting no event is recorded
usersâ€™ settings for the disk quota limit and warning level on their volumes and it disables the corresponding options in the "Select the d
ctor) many desktop applications can display blurry. Desktop applications that have not been updated to display properly in this scenario w
disable or do not configure this policy setting GDI DPI Scaling might still be turned on for legacy applications.If GDI DPI Scaling is configured
ng ApplicationCompatibility database ApplicationCompatibility UI System (Enhanced) setting or an application manifest.If GDI DPI Scaling is
cally configured DCOM activation security check exemption list.If you do not configure this policy setting DCOM will only look in the locally
abled.DCOM server appids added to this policy must be listed in curly-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a6438133
f you disable or do not configure this policy setting only members of the Administrators group are allowed to install new device drivers on
ch Windows Update.If you disable or do not configure this setting and "Turn off Windows Update device driver searching" is disabled or n
ot allow known bad drivers to be initialized.- Bad but required for boot: The driver has been identified as malware but the computer cann
anced Storage devices connected to both USB root hubs and non-root hubs will be allowed.
usable on your computer.
erver Resource Manager role service.If you enable this policy setting the Classification tab is displayed.If you disable or do not configure th
rvice.If you enable this policy setting you can select which list of properties is available for classification on the affected computers. If you
changes to this setting effective you must restart Volume Shadow Copy (VSS) Service .
ct the types of symbolic links to be evaluated.

el flushThe default value and limit for this setting varies based on the number of available processors on a given system: - Default value c
on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disable shor
a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requ
directing the Start Menu or legacy My Documents folder.If you disable or not configure this policy setting Windows Vista Windows 7 Wind
ly when logging on through Remote Desktop Services.If you disable or do not configure this policy setting Windows Server applies user Gro
ve their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user and an
lly created the GPO with for example an English system the GPO contains English ADM files.- If you later edit the GPO from a different-lan
t computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credenti
e Group Policy objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processing across a s
f the Group Policy objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processing acros
objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processing across a slow network c
aluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected Group Policy will default to
es provided to change the options. If you disable or do not configure this policy setting it has no effect on the system.The "Allow processin
Group Policy objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processing across a slo
ptions. If you disable or do not configure this policy setting it has no effect on the system.The "Allow processing across a slow network con
to process even if the Group Policy objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow
GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processing across a slow network connection
ied during background processing and to process even if the Group Policy objects (GPOs) are unchanged. By default background processin
am implementing the folder redirection policy setting set when it was installed.If you enable this policy setting you can use the check boxe
objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processing across a slow network co
p Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or async
specify the response to a slow link. Also the policy processing settings in this folder lets you override the programs' specified responses to
y objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processing across a slow network
policy setting you can use the check boxes provided to change the options. If you disable or do not configure this policy setting it has no eff
g you can use the check boxes provided to change the options. If you disable or do not configure this policy setting it has no effect on the s
round processing and to process even if the Group Policy objects (GPOs) are unchanged. By default background processing priority is "Idle
before running logon scripts. If you disable this policy setting Group Policy will run scripts immediately after logon. If you do not co
d during background processing and to process even if the Group Policy objects (GPOs) are unchanged. By default background processing
ss even if the Group Policy objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processi
background processing and to process even if the Group Policy objects (GPOs) are unchanged. By default background processing priority i
e applied during background processing and to process even if the Group Policy objects (GPOs) are unchanged. By default background pro
ocess even if the Group Policy objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow proc
his policy setting it has no effect on the system.The "Do not apply during periodic background processing" option prevents the system from
licy objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processing across a slow netwo
uring background processing and to process even if the Group Policy objects (GPOs) are unchanged. By default background processing prio
not configure this setting it has no effect on the system.The "Allow processing across a slow network connection" option updates the polici
able or do not configure this policy setting it has no effect on the system.The "Do not apply during periodic background processing" option
y objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processing across a slow network
Policy objects (GPOs) are unchanged. By default background processing priority is "Idle."Notes:1. The "Allow processing across a slow netw
ized settings that the program implementing the software installation policy set when it was installed.If you enable this policy setting you
g is enabled then when a user logs on to this computer the computer's Group Policy Objects determine which set of Group Policy Objects
ows edition. Changes to this policy take effect on reboot.
ptions.If you disable this setting or do not configure it it has no effect on the system.The "Allow processing across a slow network connecti
nge the options.If you disable this setting or do not configure it it has no effect on the system.The "Allow processing across a slow network
evice experiences.If you do not configure this policy setting the default behavior depends on the Windows edition. Changes to this policy ta
le this policy setting by default administrators can view RSoP data.Note: To view RSoP data on a client computer use the RSoP snap-in for
read Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mod
the device list of any linked Phones and cannot participate in Continue on PC experiences.If you do not configure this policy setting the de
at a specified refresh interval or when manually invoked by the user.Note: This policy setting applies only to non-administrators. Administr
a random offset of 0 to 30 minutes.If you enable this setting you can specify an update rate from 0 to 64800 minutes (45 days). If you sele
domain controller tries to update Group Policy every 7 seconds. However because updates might interfere with users' work and increase n
cy setting overrides any system-computed wait times.If you enable this policy setting Group Policy will use this administratively configured
his policy setting overrides any system-computed wait times.If you enable this policy setting Group Policy uses this administratively configu
of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy
ocess and apply any Local GPOs.If you disable or do not configure this policy setting Local GPOs continue to be applied.Note: For computer
configure this setting RSoP logging is turned on. By default RSoP logging is always on.Note: To view the RSoP information logged on a clien
cy setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes:1
olicy setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes
default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes:1. User Configu
setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes:1. U
olicy setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes
ent logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes:1. User Configuration tra
this policy setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.N
efault event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes:1. User Configur
efault event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes:1. User Configur
default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes:1. User Config
ers.If you disable or do not configure this policy setting by default event logging for this extension includes only warnings and errors and tr
figure this policy setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turn
ure this policy setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turned o
this policy setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.N
default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes:1. User Configu
figure this policy setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turn
gure this policy setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turned
g by default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes:1. User Co
setting by default event logging for this extension includes only warnings and errors and tracing for this extension is turned off.Notes:1. Us
at their respective features can access the Internet.If you do not configure this policy setting all of the the policy settings in the "Internet C
nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing
he Open With dialog is removed.If you disable or do not configure this policy setting the user is allowed to use the Store service and the St
ts of companies and organizations that it considers trusted authorities.If you enable this policy setting when you are presented with a certi
wnloaded over HTTP.If you disable or do not configure this policy setting users can download print drivers over HTTP.
he event to Microsoft and allows users to learn more about why that event occurred.If you enable this policy setting event description hy
crosoft over a secure connection.If you enable this policy Tablet PC users cannot choose to share writing samples from the handwriting rec
ecognition error reporting tool or send error reports to Microsoft.If you disable this policy Tablet PC users can report handwriting recogniti
configure this policy setting the Help and Support Center retrieves and displays "Did you know?" content.You might want to enable this p
port Center "Set search options" page and only Help content on the local computer is searched. If you disable or do not configure this pol
users can connect to Microsoft to download a list of ISPs for their area.
s does not download providers and only the service providers that are cached in the local registry are displayed.If you disable or do not co
ce to open an unhandled file association are removed.If you disable or do not configure this policy setting the user is allowed to use the W
nting to Internet printers over HTTP.If you disable or do not configure this policy setting users can choose to print to Internet printers over
ation is optional and involves submitting some personal information to Microsoft. However Windows Product Activation is required but do
pdates during searches.If you disable or do not configure this policy setting Search Companion downloads content updates unless the use
s.If you disable or do not configure this policy setting the tasks are shown.
ollect usage information and the user settings to enable the collection of usage information are not shown.If you disable this policy setting
ll call and you can continue working without interruption. It is simple and user-friendly.If you enable this policy setting all users are opted
or to a corporate file share.This policy setting overrides any user setting made from the Control Panel for error reporting.Also see the "Confi
CSI does not run either of the two active tests. This may reduce the ability of NCSI and of other components that use NCSI to determine Int
hen installing a device.Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System" which gove
be applied to all domain controllers to ensure consistent application of this policy in the domain. If you disable or do not configure this pol
s supported on request. Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identi
nts also needs to be enabled.If you disable or do not configure this policy setting the domain controller does not provide information abou
uthentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent ap
to the client for the appropriate domain.If you disable or do not configure this policy setting the KDC will not search the listed forests to re
o low then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Ker
s policy setting and the resource domain requests compound authentication devices that support compound authentication always send a
en click Show. In the Show Contents dialog box in the Value Name column type a realm name. In the Value column type the list of DNS hos
the policy setting note the syntax and then click Show. In the Show Contents dialog box in the Value Name column type the interoperable
d. If you disable or do not configure this policy setting the Kerberos client enforces the revocation check for the SSL certificate. The connec
rs in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchan
ompound authentication for Dynamic Access Control and Kerberos armoring.If you disable or do not configure this policy setting the client
name of the domain. If the computer is joined to a domain the Kerberos client requires that the KDC's X.509 certificate must be signed by a
em or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkServi
u enable this policy setting the Kerberos client or server uses the configured value or the locally allowed maximum value whichever is sma
NS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column type a
upport this policy.If you enable this policy setting the device's Active Directory account will be configured for compound authentication by
evice will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then
s client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not fo
not configure this policy setting at the computer level restrictions are based on per-user policy settings.To set this policy setting on a per-u
page. If the policy is Disabled or Not Configured then the user will be able to use input methods enabled for their user account on the
g "Restrict user locales" can also be enabled to disallow selection of a custom locale even if this policy setting is not configured.If you enab
unable to customize those choices. The user cannot customize their user locale with user overrides.If this policy setting is disabled or not c
en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada)
olicy setting.The locale list is specified using language tags separated by a semicolon (;). For example en-US is English (United States). Speci
m idle time before a device locks. Additionally if a password is required when a screensaver turns on the screensaver timeout will limit the
in shorter logon times. Group Policy is applied in the background after the network becomes available. Note that because this is a backgro
CAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
tting the default logon domain is set to the specified domain which might be different than the domain to which the computer is joined. If
screen is displayed each time a user logs on to the computer.This setting applies only to Windows 2000 Professional. It does not affect th
Windows XP Professional and Windows 2000 Professional.If you disable or do not configure this policy setting Windows Vista adds any cust
m runs the programs in the run-once list.This policy setting appears in the Computer Configuration and User Configuration folders. If both
to support biometric authentication).If you enable this policy an administrator can specify the CLSIDsof the credential providers to exclud
policy setting the Switch User interface is accessible to the user in the three locations.
le or document file. To specify another name press ENTER and type the name. Unless the file is located in the %Systemroot% directory yo
sers will see the opt-in prompt for services and users with other accounts will see the sign-in animation.If you disable this policy setting us
s use the Administrative Template policies under Windows Hello for Business.
sting value prior to GPO evaluation). The recognized bit locations are: PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x000
y usability or compatibility issues.
otiation of cryptography algorithms. Therefore computers running Windows NT 4.0 will not be able to establish a connection to this doma
policy setting the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate
re this policy setting the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the calle
al. 15 minutes is optimal in all but extreme cases. For instance if a DC is separated from a trusted domain by an expensive (e.g. ISDN) line t
onfigured the SYSVOL share will grant shared read access to files on the share when exclusive access is requested and the caller has only re
an optimal setting.If you specify zero for this policy setting the default behavior occurs as described above.If you disable this policy setting
e specified.If you disable or do not configure this policy setting the default behavior occurs as indicated above.
or this setting is 0.Warning: If the value for this setting is too large a client will not attempt to find any DCs that were initially unavailable. If
The maximum value for this setting is (4294967200) while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600).
Directory.If you do not configure this policy setting it is not applied to any computers and computers use their local configuration.
m DC discovery retry interval policy setting the value for Use maximum DC discovery retry interval policy setting is used.The default value
have specified the DS_BACKGROUND_ONLY flag.If the value of this setting is less than the value specified in the NegativeCachePeriod sub
Setting is reached.The default value for this setting is 60 minutes (60*60). The maximum value for this setting is 49 days (0x49*24*60*60
600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0).
essive about trying to locate a DC in such an environment by pinging DCs at a higher frequency. Enabling this setting may result in addition
nds to the mailslot message.This policy setting is recommended to reduce the attack surface on a DC and can be used in an environment w
tion. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if th
ning DC Locator will continue to return it. If a new domain controller is introduced existing clients will only discover it when a Force Redisc
icy is provided to support such scenarios.By default DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken
e first reachable host with the lowest priority number listed.To specify the Priority in the DC Locator DNS SRV resource records click Enabl
lied to any DCs and DCs use their local configuration.
get field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is
y then be used to compute a matching site for the client. The allowable values for this setting result in the following behaviors:0 - DCs will
me>Ldap SRV _ldap._tcp.<DnsDomainName>LdapAtSite SRV _ldap._tcp.<SiteName>._sites.<DnsDomainName>Pdc SRV
ns.If you disable this policy setting DCs will not register DC Locator DNS resource records.If you do not configure this policy setting it is not
r their records with DNS servers even if their recordsâ€™ data has not changed. If authoritative DNS servers are configured to perform sca
hose sites without a DC that are closest to it. The application directory partition DC Locator DNS records and the site-specific SRV records a
registered by the Net Logon service and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP sub
ific SRV records are dynamically registered by the Net Logon service and they are used to locate the GC. An Active Directory site is one or m
in the same site. If none are found in the same site a DC in another site which might be several site-hops away could be returned by DC Lo
er DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain or no Global Catalog for the same fores
icy the behavior is the same as explicitly enabling this policy unless the AllowSingleLabelDnsDomain policy setting is enabled.If you enable
icy setting computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specifie
ntial manual cleanup procedures see the link below.If disabled domain controllers will use their configured DNS host name as-is when regi
not configure this policy setting the PIN length must be less than or equal to 127.NOTE: If the above specified conditions for the maximum
or do not configure this policy setting the PIN length must be greater than or equal to 4.NOTE: If the above specified conditions for the min
ng the power plan to be active.If you disable or do not configure this policy setting users can see and change this setting.
on Action" policy setting is configured to "No Action".If you disable or do not configure this policy setting users can control this setting.
Windows should automatically sleep.

Windows should automatically sleep.
ntrol this setting.

ntrol this setting.
is locked this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to d
is locked this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to d
this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable th
this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to disable th
sable or do not configure this policy setting users control this setting.If the user has configured a slide show to run on the lock screen when
sable or do not configure this policy setting users control this setting.If the user has configured a slide show to run on the lock screen when
figure this policy setting users control this setting.

figure this policy setting users control this setting.
olicy setting users control this setting.

olicy setting users control this setting.
revent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show fea
revent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show fea
pears on the "Advanced recovery methods" page of Recovery (in Control Panel) and will allow the user to restore the computer to the orig
ter versions) of the operating system can connect to this computer.If you disable this policy setting computers running this version and a p
do not configure this policy setting users on this computer cannot get help from their corporate technical support staff using Offer (Unsolic
email or file transfer to ask someone for help. Also users cannot use instant messaging programs to allow connections to this computer.If y
the warning message you specify overrides the default message that is seen by the novice.If you disable this policy setting the user sees th
t color in Windows Vista)-Turn off font smoothing (not supported in Windows Vista)-No full window drag-Turn off backgroundIf you enabl
e able to communicate with the Endpoint Mapper Service on Windows NT4 Server.If you enable this policy setting RPC clients will authenti
the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when co
ou enable this policy setting you can use the drop-down box to determine which systems maintain RPC state information.-- "None" indica
disable this policy setting the RPC Runtime only generates a status code to indicate an error condition.If you do not configure this policy se
policy setting should never be applied to a domain controller.If you disable this policy setting the RPC server runtime uses the value of "Au
nd the RPC/HTTP Proxy to use a lower connection timeout.This policy setting is only applicable when the RPC Client the RPC Server and the
r Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."

not take effect until the operating system is restarted.
ng user account cross-forest interactive logging cannot run logon scripts if NetBIOS or WINS is disabled and the DNS suffixes are not config
not configure this policy setting the instructions are suppressed.
you disable or do not configure this policy setting the instructions are suppressed.Note: Starting with Windows Vista operating system scr
figure this policy setting the logon scripts and File Explorer are not synchronized and can run simultaneously.This policy setting appears in
setting a startup cannot run until the previous script is complete.Note: Starting with Windows Vista operating system scripts that are confi
utdown. For example assume the following scenario: There are three GPOs (GPO A GPO B and GPO C). This policy setting is enabled in GPO
g scenario: There are three GPOs (GPO A GPO B and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the followin
umber from 1 to 32000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait
upported:Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.Audit: during authe
cy setting instead of the â€œConfigure Refresh Intervalâ€ setting (in Windows Server 2008 and Windows Server 2008 R2) or the â€œRef
ou do not configure this policy setting the Initial Configuration Tasks window is displayed when an administrator logs on to the server. How
"Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or â€œDo not start Server Manager automa
stricter security settings will not be applied.
ally terminated during shutdown.If you disable or do not configure this setting these applications will be automatically terminated during s
lt cadence as â€˜during low free disk spaceâ€™. Users cannot disable Storage Sense but they can adjust the cadence (unless you also con
ettings.Not Configured:By default Storage Sense will delete the userâ€™s temporary files. Users can configure this setting in Storage settin
is set to â€œduring low free disk spaceâ€. Users can configure this setting in Storage settings.
orage Sense will not dehydrate any cloud-backed content. The default value is 0 or never dehydrating cloud-backed content.Disabled or No
elete files in the userâ€™s Recycle Bin. The default is 30 days.Disabled or Not Configured:By default Storage Sense will delete files in the u
alue to zero Storage Sense will not delete files in the userâ€™s Downloads folder. The default is 0 or never deleting files in the Downloads
etting the option to configure System Restore through System Protection is disabled.If you disable or do not configure this policy setting us
stem Restore or create a restore point through System Protection is also disabled.If you disable or do not configure this policy setting user
select detection troubleshooting and resolution the DPS will attempt to automatically fix problems it detects or indicate to the user that a
n size.No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.This policy setting w
p online through a Microsoft website.If you disable this policy setting the PCA does not detect compatibility issues for applications and dri
es will automatically start with no UI. Windows will log an administrator event when a system restart is required. This behavior is recomm
rts are required for this policy setting to take effect: changes take effect immediately. This policy setting only takes effect if the Disk Diagn
DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss. If you disable this
PS.If you do not configure this policy setting the DPS enables Fault Tolerant Heap for resolution by default.This policy setting takes effect on
policy setting MSDT is turned on by default.This policy setting takes effect only if the diagnostics-wide scenario execution policy is not con
use of the problem.If you enable this policy setting for remote troubleshooting MSDT prompts the user to download additional tools to dia
annot run in support mode and no data can be collected or sent to the support provider.If you do not configure this policy setting MSDT s
Do not allow users system features or Microsoft to apply troubleshooting.1 = Only automatically apply troubleshooting for critical problem
plication to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the application that s
me of these problems silently without requiring user input.If you disable this policy setting Windows will not be able to detect troubleshoo
ooting tools from the Control Panel.Note that this setting also controls a user's ability to launch standalone troubleshooting packs such as
etting users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content servers
orrective action will be taken. If you select detection troubleshooting and resolution the DPS will detect Windows Boot Performance probl
onfigured. -- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diagnostic scenarios are no
detected but no corrective action will be taken. If you select detection troubleshooting and resolution the DPS will detect Windows Resou
d but no corrective action will be taken. If you select detection troubleshooting and resolution the DPS will detect Windows Shutdown Pe
when detected but no corrective action will be taken. If you select detection troubleshooting and resolution the DPS will detect Windows
d but no corrective action will be taken. If you select detection troubleshooting and resolution the DPS will detect Windows System Respo
erating system store either the full TPM owner authorization value the TPM administrative delegation blob plus the TPM user delegation b
find the command number associated with each TPM command with TPM 1.2 run "tpm.msc" and navigate to the "Command Managemen
up for the system. The prompt can be dismissed but will reappear after every reboot and login until the policy is disabled or until the TPM i
M maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken e
nning "tpm.msc" navigating to the "Command Management" section and making visible the "On Default Block List" column. The local list o
scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related pol
prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring autho
dware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the TPM.A
administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands r
ontrol or read and write access for the user and no file access for the administrators group.By configuring this policy setting you can alter t
s in this folder together define the system's response when roaming user profiles are slow to load.If you enable this policy setting you can
on again. The local copy is also used when the remote copy of the roaming user profile is slow to load.If you enable this policy setting any l
ber of days. If you disable or do not configure this policy setting User Profile Service will not automatically delete any profiles on the next sy
tions as being slow. As a result the system does not respond to slow connections to user profiles and it ignores the policy settings that tell t
are full control access for the user and no file access for the administrators group. No checks are made for the correct permissions if the p
oaming user profile.If you enable this policy setting Windows will not forcefully unload the users registry at logoff but will unload the regis
ill not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded.If you disable this policy setting or
r must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services
server-based profiles when users log on or off.-- Users' local profiles are newer than their server-based profiles.If you enable this policy s
on that client logs on they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting t
NT_USER) into a file (NTUSER.DAT) and updates it. However if another program or service is reading or editing the registry the system can
de is merged with the server copy of their profile.Using the setting you can prevent users configured to use roaming profiles from receiving
profile including any changes is merged with the server copy of the profile.Using this policy setting you can prevent changes made to a ro
shown to the user during logon if a slow network connection is detected. The user then is able to choose to download the remote copy of
mputer (if the media is disconnected or the network adapter is not available).If you enable this policy setting Windows waits for the networ
o this computer will use the same roaming profile folder as specified by this policy. You need to ensure that you have set the appropriate s
chosen then an interval must be set with a value of 1-720 hours. Once set Windows uploads the profile's registry file at the specified inte
e in the Path box (for example \\ComputerName\ShareName) and then choose the drive letter to assign to the file share. If you choose â€
n apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN SIP/URI and DNS."
etting the system waits for the remote copy of the roaming user profile to load even when loading is slow.If you disable this policy setting o
ount of disk space to be used (in MB). To indicate that the cache size is unlimited select "4294967295" as the maximum amount of disk sp
can during startup" also scans files each time you start Windows XP. This setting delays each startup.If you disable or do not configure this
ons of flags see https://go.microsoft.com/fwlink/?linkid=847809. FrequencyCorrectRateThis parameter controls the rate at which the
of ""dnsNameflags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information see the NTP Client Group Po
the local computer clock does not synchronize time with NTP servers.
y setting ActiveX controls prompt the user for administrative credentials before installation. Note: Wild card characters cannot be used wh
ertificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are aware that a
y previously shared app data will remain in the SharedLocal folder.

ows Store apps.
emporary user profiles which are created when an error prevents the correct profile from loadingUser profiles for the Guest account and m
and the user will be able to configure this setting themselves.
her policies. If you disable or do not configure this policy all users will be able to initiate installation of Windows app packages.
ecide whether Windows apps can access account information by using Settings > Privacy on the device.If you choose the "Force Allow" op
whether Windows apps can access the eye tracker by using Settings > Privacy on the device.If you choose the "Force Allow" option Windo
ether Windows apps can access call history by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps
er Windows apps can access contacts by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are
ol" option employees in your organization can decide whether Windows apps can get diagnostic information about other apps using Settin
Windows apps can access email by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowe
er Windows apps can access location by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are a
tion can decide whether Windows apps can read or send messages by using Settings > Privacy on the device.If you choose the "Force Allow
hether Windows apps can access motion data by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows ap
hether Windows apps can access notifications by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows ap
Windows apps can access tasks by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed
hether Windows apps can access the calendar by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows a
ether Windows apps can access the camera by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows app
e whether Windows apps can access the microphone by using Settings > Privacy on the device.If you choose the "Force Allow" option Win
whether Windows apps can access trusted devices by using Settings > Privacy on the device.If you choose the "Force Allow" option Windo
overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows ap
ou choose the "Force Deny" option Windows apps are not allowed to be activated with a voice keyword and employees in your organizatio
ed and employees in your organization cannot change it.If you choose the "Force Deny" option users cannot interact with applications usin
organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on the device
de whether Windows apps have access to control radios by using Settings > Privacy on the device.If you choose the "Force Allow" option W
ther Windows apps can make phone calls by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps a
whether Windows apps can run in the background by using Settings > Privacy on the device.If you choose the "Force Allow" option Windo
ur organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy on the d
n decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.If you choose the "Force Allo
gn in with a Microsoft account.
or a file type; they can open files only in other Windows Store apps.If you disable or do not configure this policy setting Windows Store app
for a URI scheme; they can open URIs only in other Windows Store apps.If you disable or do not configure this policy setting Windows Stor
ffected. If you disable or do not configure this policy setting all Universal Windows apps can be launched. This policy should not be
able or don't set this policy setting Windows Store apps will only use the static Content URI Rules.
The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running any subsequent 16-bit
the context-menus but does not affect previous compatibility settings applied to application using this interface.
ne will boost system performance. However this will degrade the compatibility of many popular legacy applications and will not block kno
is set.Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all appli
tibility Assistant is also disabled.If you disable or do not configure this policy setting the Inventory Collector will be turned on.Note: This po
e PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning o
data collection.If you enable this policy setting Steps Recorder will be disabled.If you disable or do not configure this policy setting Steps R
This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using.
hout user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be run. T
Autoplay is enabled for removable drives as well including Zip drives and some USB mass storage devices. If you enable this policy se
Windows 10 not configuring this policy setting would have prevented domain users from using biometrics to log on.
he Windows Biometric Service is unavailable and users cannot use any biometric feature in Windows.Note: Users who log on using biomet
ter and can elevate permissions with UAC using biometrics.If you disable this policy setting biometrics cannot be used by any users to log
re this policy setting a default value of 10 seconds is used for fast-user switch event timeouts.
e enhanced anti-spoofing for Windows Hello face authentication.Note that enhanced anti-spoofing for Windows Hello face authentication
assword in a folder. You can specify either a fully qualified path or include the target computer's environment variables in the path. If the
es and removable data drives individually. For fixed and operating system drives we recommend that you use the XTS-AES algorithm. For r
icy is only applicable to computers running Windows 8 and later.If you enable this policy setting you will be able to choose an encryption a
icy is only applicable to computers running Windows Server 2008 Windows Vista Windows Server 2008 R2 or Windows 7.If you enable thi
ther can type a 48-digit numerical recovery password or insert a USB flash drive containing a 256-bit recovery key.If you enable this policy
e already enumerated when the machine was unlocked will continue to function until unplugged or the system is rebooted or hibernated.
performance but will increase the risk of exposing BitLocker secrets.If you disable or do not configure this policy setting BitLocker secrets a
protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based data re
nformation is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is applied whe
th the object identifier that is defined by this policy setting.Default object identifier is 1.3.6.1.4.1.311.67.1.1Note: BitLocker does not requ
dows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2 and their content can be viewed. These operating system
es item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployme
ker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryptio
ted in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled.Note: These s
BitLocker not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.If you disable
read and write access.
he drive used to store data is encrypted when BitLocker is turned on.If you enable this policy setting the encryption type that BitLocker wil
ant devices will have the choice to turn on BitLocker without pre-boot authentication.If this policy is not enabled the options of "Require a
n the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.If you disable or do not
ork Key Protectors.To use a Network Key Protector to unlock the computer both the computer and the BitLocker Drive Encryption Networ
figure this policy setting BitLocker will use Secure Boot for platform integrity if the platform is capable of Secure Boot-based integrity valid
d it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Cons
figure this policy setting users can configure a startup PIN of any length between 6 and 20 digits. NOTE: If minimum PIN length is set b
ert to the default message you must keep the policy enabled and select the "Use default recovery message and URL" option.If you select th
e unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in
tibility Service Module (CSM) enabled. Computers using a native UEFI firmware configuration store different values into the Platform Confi
ware with a Compatibility Service Module (CSM) enabled store different values into the Platform Configuration Registers (PCRs). Use the "
BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based en
uirements" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enable
BitLocker PINs and passwords.
oot input (such as an attached USB keyboard).If this policy is not enabled the Windows Recovery Environment must be enabled on tablets
without a TPM select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is required
entication methods can be used at startup to provide added protection for encrypted data. When the computer starts it can require users
e this policy setting platform validation data will be refreshed when Windows is started following BitLocker recovery.
efault Windows BCD settings. Note: When BitLocker is using Secure Boot for platform and Boot Configuration Data (BCD) integrity validatio
unning Windows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2 and their content can be viewed. These opera
c Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryptio
BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based enc
dows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled.Note: These settings are enforced when turning o
ning on BitLocker not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.If you
pend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive encryption from the drive or suspend
only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive
ative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry" policy setting with a level of "Basic" or below
y applies to Enterprise and Education SKUs.
the password reveal button is displayed after a user types a password in the password entry text box. To display the password click the pa
always be required to type a user name and password to elevate.
y means of the trusted path mechanism.If you disable or do not configure this policy setting users will enter Windows credentials within th
will be the controller of Windows diagnostic data collected from this device.This policy only controls if Microsoft is a processor for Window
sktop Analytics.
off (not recommended). Using this value no diagnostic data is sent from the device. This value is only supported on Enterprise Education a
ed by Update Compliance.
nostic data from this device will not be processed by Windows Update for Business cloud.
emetry service from automatically using an authenticated proxy.
olicy setting Connected User Experience and Telemetry data will be sent to Microsoft using the default proxy configuration.The format for
opt-in change notifications appear at first logon and when the changes occur in Settings.
mount of diagnostic data that is sent to Microsoft by your organization use the "Allow Diagnostic Data" policy setting.
able or do not configure this policy setting then Microsoft will not be able to use this identifier to associate this machine and its diagnostic
people to erase all diagnostic data collected by Microsoft from that device.
ettings page.
ers can control how often they receive feedback questions.

wnload configuration settings from the OneSettings service to the EventLog.
been configured to send optional diagnostic data.
p dumps if the user has opted to send optional diagnostic data.
on" policyWhen these policies are configured Microsoft will collect only required diagnostic data and the events required by Desktop Analy
e Settings app.This policy is only supported up to Windows 10 Version 1703. Please use 'Manage preview builds' under 'Windows Update
ted peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.3 = HTTP blended with Internet Peering.9
cy will be ignored.For option 3 - DHCP Option ID the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID
ual version of the desktop is presented and items can be flipped through to select. Changing this policy setting requires a logoff for it to be
for window frames that cannot be changed by users.
olor changes of window frames" setting to enforce a specific color for window frames that cannot be changed by users.
across all subscriptions for the forwarder (source computer).

man/SubscriptionManager/WECRefresh=<Refresh interval in seconds>IssuerCA=<Thumb print of the client authentication certificate>. W
events are discarded and old events are retained.If you do not configure this policy setting and the "Retain old events" policy setting is ena
The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
write read or clear this log.If you do not configure this policy setting the previous policy setting configuration remains in effect.
full"Â policy setting.
tor using the Log Properties dialog and it defaults to 1 megabyte.

he log.If you disable or do not configure this policy setting only system software and administrators can read or clear this log.Note: If you e
nfigure this policy setting the previous policy setting configuration remains in effect.
strator using the Log Properties dialog and it defaults to 20 megabytes.

The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
write read or clear this log.If you do not configure this policy setting the previous policy setting configuration remains in effect.
m software and administrators can write or clear this log and any authenticated user can read events from it.Note: If you enable this polic
icy setting the previous policy setting configuration remains in effect.

pted messages provided that you have access to the private key corresponding to the public key that they were encrypted with.If you disa
picious.Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.If you enable this policy Smart
unexpected behavior could occur.
th defined.If you disable or do not configure this policy setting no changes are made to the location of the default Library definition files.
be processed and default associations will be applied at logon time.If the group policy is not configured disabled or the client machine is n
ower Options Control Panel.
o leave this protocol in the protected mode to increase the security of Windows.If you enable this policy setting the protocol is fully enabl
e the target path is updated and files are not copied or deleted. The temporary file is deleted.If you disable or do not configure this policy
ers can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points.If you do
e button Windows attempts to restore the file from the local disk.If you do not configure this policy setting it is disabled by default. The Re
sponding to a backup. If the Restore button is clicked Windows attempts to restore the file from the backup media.If you do not configure
user clicks the Restore button Windows attempts to restore the file from the file share.If you do not configure this policy setting it is disab
er's device after each use of their active digitizer.When Find My Device is off the device and its location are not registered and the Find M
computer is not shared with the homegroup.This policy setting is not configured by default.You must restart the computer for this policy
ders (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created from a cus
?linkid=2102115
utdown (default behavior in Internet Explorer 9).
setting users won't receive enhanced suggestions while typing in the Address bar. In addition users won't be able to change the Suggestion
bars. ActiveX controls are referred to as plug-ins and are not part of this definition.If you enable this policy setting newly installed add-ons
led the following behaviors occur:- If you disable or don't configure this policy Microsoft Edge Stable channel is used. This is the default be
ol which components the user installs.

rer Maintenance under Admin Templates using group policy editor.If you disable or do no configure this policy setting the user will have th
ntrol Panel) you do not need to set this policy because the "Disable the Connections page" policy removes the Connections tab from the in
setting the user can add secondary home pages.Note: If the â€œDisable Changing Home Page Settingsâ€ policy is enabled the user cann
port favorites feeds and cookies to a file.If you enable this policy setting the user will not be able to use the Import/Export Settings wizard
r 11.If you disable or donâ€™t configure this policy all sites are opened using the current active browser settings. Note: Microsoft Edge Sta
ed to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new versions of
or do not configure it users will be notified before their programs are updated.This policy is intended for administrators who want to use S
wlink/?linkid=2102115
s menus that open lists of commands for printing customizing Internet Explorer copying and pasting text managing favorites and accessing
Note: This policy is deprecated starting with Windows 10 version 1703.
gure this policy all intranet sites are automatically opened in Microsoft Edge.We strongly recommend keeping this policy in sync with the
a report location Enterprise Mode will still be available to your users but you won't get any reports.If you disable or don't configure this po
covery.To configure the domain(s) included in data collection for the IE Site Discovery Toolkit Add one domain per line to the text box. For
ry.To configure zone(s) included in site discovery a binary number is formed based on the selected zones. The decimal representation of t
*.contoso.com is also valid.If you disable this or do not configure this policy setting you will not be able to provide a default Pop-up Blocke
s policy setting the Internet Explorer Help menu is available to the user. The user can also use the Command bar and F1 to access Help.
the user can bypass SmartScreen Filter warnings.
o not configure this policy setting the user can manage pop-ups by changing the filter level.You may also want to enable the "Prevent man
scenario. â€¢ Open a new Internet Explorer window.If you disable or do not configure this policy setting the user can configure how win
isable or do not configure this policy setting the user can configure how new tabs are created by default.
Internet Explorer does not enumerate search providers for the Accelerators infrastructure. If Accelerators are turned on users can install s
ess's Pop-Up Blocker settings by enabling the "Specify pop-up allow list" policy setting.
ting the user.If you disable or do not configure this policy setting the user is prompted to decide whether to turn on SmartScreen Filter dur
and the user is prompted to permit any data to be sent to Microsoft. If the feature is fully enabled all website addresses that are not on the
ot configure this policy setting the user can choose to participate in the CEIP.
8 the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.If y
cy setting the user cannot configure the list of search providers on his or her computer and any default providers installed do not appear (
ites to or remove sites from the Trusted Sites and Restricted Sites zones and alter settings for the Local Intranet zone.This policy prevents
by the administrator.Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Com
ply uniformly to the same computer and do not vary from user to user.Also see the "Security zones: Do not allow users to change policies"
rprise Mode Site List in Microsoft Edge.Disabling or not configuring this setting opens all sites based on the currently active browser.Note:
mory. The default setting creates the optimal number of tab processes based on the operating system and amount of physical memory. We
tional page appears.
mission to load an ActiveX control and Internet Explorer loads the control if it passes all other internal security checks.If you disable or do n
isable add-ons and configure the threshold.If you enable this policy setting users are not notified when the average time to load all the use
or do not configure this policy setting Internet Explorer uses the user's setting for pop-up windows in tabbed browsing.
-on management will be functional.
er's allow list are sent automatically to Microsoft without prompting the user.If you disable or do not configure this policy setting the user i
off screen will continue to be re-positioned onscreen.If you disable or do not configure this policy setting the popup management feature
ear on the user interface for Internet Explorer and the user cannot turn them off.If you do not configure this policy setting the user can tur
r web-address setting.If you do not configure this policy setting a user will have the freedom to choose to turn the auto-complete setting f
g ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
ser cannot turn on logging.If you do not configure this policy setting the user can change the logging settings.
t. The user can turn on or turn off the menu bar.
g the entry points and functionality associated with this feature are turned off.If you do not configure this policy setting the user can turn o
you disable or don't configure this policy setting Internet Explorer opens all websites using Standards mode.
e provided through first use of the browser.
at are provided through first use of the browser.
disable this policy setting the user is prompted when a script that is running in any process on the computer attempts to perform a Clipboa
s currently set to prompt it will be bypassed and enabled.If you disable this policy setting the user is prompted when a script that is runnin
etting is enabled the processes configured in this policy setting take precedence over that policy setting.If you enable this policy setting an
nd users will not see printers under the Devices charm.If you disable or do not configure this policy setting the Print menu in Internet Explo
ditionally the user cannot activate the feature by using the Compatibility View Settings dialog box.If you do not configure this policy setting
nal string appended). Additionally all Standards Mode webpages appear in Internet Explorer 7 Standards Mode. This option results in the
nnot change this behavior through the Compatibility View Settings dialog box.If you disable this policy setting Internet Explorer uses an Int
t configure this policy setting the user can specify the download path for the code.
ry on exit is turned off.If you do not configure this policy setting it can be configured on the General tab in Internet Options.If the "Prevent
ory List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete browsin
ngs charm.If you disable or do not configure this policy setting the user can access the Delete Browsing History dialog box. Starting with W
t least Internet Explorer 11:This policy setting prevents users from deleting ActiveX Filtering data Tracking Protection data and Do Not Trac
t access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
ory when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled b
n he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting has no effect.
Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
cks Delete.If you disable this policy setting InPrivate Filtering data is deleted when the user clicks Delete.If you do not configure this policy
e "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
emporary Internet files when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy
r can choose whether to delete or preserve visited websites when he or she clicks Delete.If the "Prevent access to Delete Browsing History
figuration\Administrative Templates\Windows Components\Internet Explorer\) because this policy removes the Advanced tab from the in
"Disable Internet Connection Wizard""Disable changing connection settings""Prevent changing proxy settings""Disable changing Automati
Administrative Templates\Windows Components\Internet Explorer\) because this policy removes the General tab from the interface:"Dis
ace:"Disable changing Messaging settings""Disable changing Calendar and Contact settings""Disable the Reset Web Settings feature""Disab
he Security tab from the interface:"Security zones: Do not allow users to change policies""Security zones: Do not allow users to add/delete
verted to IDN format only for addresses that are not in the Intranet zone. 2) Unicode domain names are converted to IDN format only fo
e this behavior on the Internet Explorer Tools menu: Click Internet Options click the Advanced tab and then under International select the
e prompted when non-Internet Explorer components would be installed.If you do not configure this policy setting non-Internet Explorer co
nts such as fonts will be automatically installed as necessary.If you disable this policy setting users will be prompted when Web Componen
urn this behavior on or off using Internet Explorer Advanced Internet Options settings. The default is on.
setting users can turn this behavior on or off using Internet Explorer Advanced Internet Options settings. The default is on.
signature.If you do not configure this policy users can choose to run or install files with an invalid signature.
licy setting browser helper objects do not launch.If you do not configure this policy Internet Explorer automatically launches any browser
Private Browsing mode is used.For at least Internet Explorer 11:If you disable this policy setting Internet Explorer only sends the Do Not Tra
s when they are available.If you disable this policy setting Internet Explorer does not check the Internet for new versions of the browser so
e this policy setting Internet Explorer will not check server certificates to see if they have been revoked.If you do not configure this policy s
omputers.If you disable this policy setting Internet Explorer will not check the digital signatures of executable programs or display their ide
tes to run in Enhanced Protected Mode.Enhanced Protected Mode provides additional protection against malicious websites by using 64-b
er Settings.
ed pages containing secure (HTTPS) information to the cache.If you do not configure this policy Internet Explorer will save encrypted page
Files folder when all browser windows are closed.If you disable this policy setting Internet Explorer will not delete the contents of the use
g pages display more quickly.If you do not configure this policy setting Internet Explorer will play animated pictures found in Web content.
splay more quickly.If you enable this policy setting Internet Explorer will play sounds found in Web content.
ou do not configure this policy setting Internet Explorer will play videos found in Web content.
er and server attempt to match each otherâ€™s list of supported protocols and versions and they select the most preferred match.If you e
ent in the background.If you don't configure this policy setting users can turn this behavior on or off using Internet Explorer settings. This
oose to allow this information to be shared with the Web site in the future without being prompted.If you do not configure this policy setti
hat are in the Intranet zone. 3) Always encode query strings.If you disable or don't configure this policy setting users can turn this behavio
ou disable this policy setting flip ahead with page prediction is turned on and the next webpage is loaded into the background.If you don't
ed Protected Mode on 64-bit versions of Windows.If you disable this policy setting Internet Explorer 11 will use 32-bit tab processes when
n.If you disable this policy setting Caret Browsing is turned off.If you do not configure this policy setting Caret Browsing support can be turn
e Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.If you disable this policy setting Enhanced Protec
Internet Options dialog box.Note: This policy is no longer supported starting with Windows 10 Version 1607.
n to start with the home page.If you disable this policy setting Internet Explorer starts a new browsing session with the home page. Users c
on Website Data Settings will be unavailable to users.If you do not configure this policy setting websites will be able to store application c
caches on Website Data Settings will be unavailable to users.If you do not configure this policy setting websites will be able to store an ind
licy sets the maximum file storage limit for domains that are trusted by users. When you set this policy setting you provide the cache limit
If you disable or do not configure this policy setting Internet Explorer will use the default application cache expiration time limit for all app
the maximum data storage limit for domains that are trusted by users. When you set this policy setting you provide the cache limit in MB.
ernet Explorer will allow the creation of application caches whose individual manifest file entries are less than or equal to the size set in th
urce limit as a number. The default is 1000 resources.If you enable this policy setting Internet Explorer will allow the creation of applicatio
et the maximum storage limit for all application caches. The default is 1 GB.If you disable or do not configure this policy setting Internet Ex
u can set the maximum storage limit for all indexed databases. The default is 4 GB.If you disable or do not configure this policy setting Inte
template policy setting no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Lockdown oper
be in the Internet Zone).If you do not configure this policy setting users choose whether to force local sites into the Intranet Zone.
anet Zone.
whether sites which bypass the proxy server are mapped into the Intranet Zone.
y settings can be set for each of these zones through other policy settings and their default settings are: Trusted Sites zone (Low template)
ured.If this policy setting is not configured the user can choose whether or not to automatically detect the intranet through the intranet se
cy setting the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Internet Con
cation bar notification does not appear when the user loads content from an intranet site that is being treated as though it is in the Interne
the zone that uses MSXML or ADO to access data from another site in the zone.If you disable this policy setting users cannot load a page
estricted list. If you select Prompt from the drop-down box the Notification bar will appear to allow control over questionable content acc
etting script code on pages in the zone can run automatically.
f you disable this policy setting binary and script behaviors are not available unless applications have implemented a custom security man
his policy setting a script can perform a clipboard operation.
asting files from this zone.If you do not configure this policy setting users can drag files or copy and paste files from this zone automaticall
es can be downloaded from the zone.
g HTML fonts can be downloaded automatically.
om this zone.If you do not configure this policy setting users are queried to choose whether to install desktop items from this zone.
r cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XBAPs.If you disable this policy se
ot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XAML files.If you disable this policy setti
ing XPS files.If you disable this policy setting XPS files are not loaded inside Internet Explorer. The user cannot change this behavior.If you
containing an active Meta Refresh setting cannot be redirected to another Web page.If you do not configure this policy setting a user's bro
ActiveX prompt and ActiveX controls can run from all sites in this zone.
le this policy setting users are prevented from performing OpenSearch queries in this zone using Search Connectors.If you do not configur
plication-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in File Explo
ontrol is allowed only in the Local Machine and Intranet zones.
that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the Scripte
e this policy setting VBScript is prevented from running.

ou enable this policy setting video and animation can be played through older media players in specified zones.If you disable this policy setti
ose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.
gure this policy setting ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar to allo
bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
cure items?) and nonsecure content can be displayed.If the drop-down box is set to Prompt the user will receive the security information
sage when they connect to a Web site that has no certificate or only one certificate.If you do not configure this policy setting Internet Expl
instance of the ActiveX control.If you don't configure this policy setting Internet Explorer always checks with your antimalware program to
ned controls cannot be downloaded.If you do not configure this policy setting users are queried whether to download controls signed by p
ng users cannot run unsigned controls.If you do not configure this policy setting users cannot run unsigned controls.
ag content from one domain to a different domain when both the source and destination are in different windows. Users cannot change t
ag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this setti
tions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone as dictated by the feature cont
you disable this policy setting path information is removed when the user is uploading a file via an HTML form.If you do not configure this p
e for scripting option.If you enable this policy setting and select Prompt in the drop-down box users are queried whether to allow the cont
ure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disable Java to pr
es from IFRAMEs on the pages in this zone.If you disable this policy setting users are prevented from running applications and downloading
ainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is querie
etting users cannot open windows and frames to access applications from different domains.If you do not configure this policy setting use
he Internet Options dialog box. Filters are not rendered by default in this zone.
t Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy setting Internet
rer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting Internet Explorer
gure this policy setting controls and plug-ins can run without user intervention.
policy setting script interaction can occur automatically without user intervention.
pts can access applets automatically without user intervention.
s open.If you disable this policy setting these files do not open.If you do not configure this policy setting the user can configure how the co
oftware updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.High safety to
hether to allow information using HTML forms on pages in this zone to be submitted.If you disable this policy setting information using HT
work Setup is turned off. The user cannot change this behavior.If you disable this policy setting .NET Framework Setup is turned on. The us
prompt is turned on in the corresponding zone.If you do not configure this policy setting the first-run prompt is turned off by default.
Mode.If you do not configure this policy setting the user can turn on or turn off Protected Mode.
content.Note: In Internet Explorer 7 this policy setting controls whether Phishing Filter scans pages in this zone for malicious content.
ented from appearing.
Web page saved to disk.If you disable this policy setting users cannot preserve information in the browser's history in favorites in an XML st
n box a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting the possibly harmfu
e this policy setting VBScript will run without user intervention.

gure this policy setting users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
instance of the ActiveX control.If you don't configure this policy setting Internet Explorer won't check with your antimalware program to s
he Internet Options dialog box. Filters are rendered by default in this zone.
prompt is turned on in the corresponding zone.If you do not configure this policy setting the first-run prompt is turned on by default.
om this zone.If you do not configure this policy setting users can install desktop items from this zone automatically.

ned controls cannot be downloaded.If you do not configure this policy setting users can download signed controls without user interventi
ng users cannot run unsigned controls.If you do not configure this policy setting users can run unsigned controls without user intervention
ox a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting the possibly harmful n
etting users are queried to choose whether to allow script code on pages in the Local Machine zone to run.

gure this policy setting controls and plug-ins are prevented from running.
e this policy setting users are asked to choose whether to allow VBScript to run.
etting script code on pages in the zone is prevented from running.
his policy setting a script cannot perform a clipboard operation.
asting files from this zone.If you do not configure this policy setting users are queried to choose whether to drag or copy files from this zo
es are prevented from being downloaded from the zone.
g users are queried whether to allow HTML fonts to download.
om this zone.If you do not configure this policy setting users are prevented from installing desktop items from this zone.
ned controls cannot be downloaded.If you do not configure this policy setting signed controls cannot be downloaded.
ou disable this policy setting users cannot open other windows and frames from other domains or access applications from different doma
policy setting script interaction is prevented from occurring.
pts are prevented from accessing applets.
tocols on the restricted list. If you select Prompt from the drop-down box the Notification bar will appear to allow control over questionab
etting script code on pages in the zone is prevented from running.
his policy setting a script cannot perform a clipboard operation.
asting files from this zone.If you do not configure this policy setting users are queried to choose whether to drag or copy files from this zo
es are prevented from being downloaded from the zone.
g users are queried whether to allow HTML fonts to download.
om this zone.If you do not configure this policy setting users are prevented from installing desktop items from this zone.

ned controls cannot be downloaded.If you do not configure this policy setting signed controls cannot be downloaded.
ou disable this policy setting users cannot open other windows and frames from other domains or access applications from different doma
policy setting script interaction is prevented from occurring.
pts are prevented from accessing applets.

ng users cannot run unsigned controls.If you do not configure this policy setting users are queried to choose whether to allow the unsigne
er can be configured by the user.

setting users can turn this behavior on or off using Internet Explorer settings. The default is on.
nts" setting on the Advanced tab in the Internet Options dialog box.
€¢ Display the results in the main window: When the user searches on the Address bar the list of search results is displayed in the main w
s directed to an external top result website determined by the search provider if available.If you enable this policy setting you can choose
will be turned on. Users will not be able to turn off URL Suggestions.If you do not configure this policy setting URL Suggestions will be turne
oviding relevant results in the Address bar. The user cannot change this setting.If you disable this policy setting Internet Explorer uses Win
ser cannot specify the cipher strength update information URL. You must specify the cipher strength update information URL.If you disable
lorer and Internet Tools.
through 30.If you enable this policy setting the selected value is enforced.If you disable or do not configure this policy setting the user can
3 through 30.If you enable this policy setting the selected value is enforced.If you disable or do not configure this policy setting the user c
e this policy setting toolbars and BHOs are loaded by default during an InPrivate Browsing session.If you do not configure this policy setting
turned on.If you do not configure this policy setting InPrivate Filtering data collection can be turned on or off on the Privacy tab in Internet
g can be turned on or off through the registry.
iltering data is not collected.If you disable this policy setting InPrivate Filtering is available for use.If you do not configure this policy setting
ing Protection data is not collected.If you disable this policy setting Tracking Protection is available for use.If you do not configure this poli
will not be able to depend on the reveal password button being displayed in any web form or web application.If you disable or do not confi
function to turn on Data Execution Prevention on platforms that support the function.This policy setting has no effect if Windows has bee
d as a failed URL.If you disable this policy setting Data URI support is turned on.If you do not configure this policy setting Data URI support
add-ons not listed here are assumed to be denied.If you enable this policy setting you can enter a list of add-ons to be allowed or denied b
nces and policy settings.If you disable or do not configure this policy setting all processes will not respect add-on management user prefere
p Policy. However users can still use the Add-on Manager within Internet Explorer to manage add-ons not listed within the 'Add-on List' po
le this policy setting and enter a Value of 1 the process entered will respect the add-on management user preferences and policy settings.
ing message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outdated A
" in the Internet Explorer TechNet library.
or example if you want to include *.contoso.com/* use "contoso.com"2. "hostname". For example if you want to include http://example u
egardless of the "Turn off blocking of outdated ActiveX controls for Internet Explorer" or "Turn off blocking of outdated ActiveX controls fo
before Internet Explorer 8 the default connection limit for HTTP 1.1 was 2.
you enable this policy setting websites cannot request data across domains by using the WebSocket object.If you disable or do not config
the XDomainRequest object.If you disable or do not configure this policy setting websites can request data across domains by using the XD
hich Script and Binary Behaviors is set to 'admin-approved'. Behaviors must be entered in #package#behavior notation e.g. #default#vml.If
nfigure this policy setting binary behaviors are allowed for all processes.
do not configure this policy setting Internet Explorer 9 does not install binaries signed by MD2 and MD4 signing technologies.
are allowed for the File Explorer and Internet Explorer processes.If you do not configure this policy setting binary behaviors are prevented
d enter a Value of 1 binary behaviors are prevented. If you enter a Value of 0 binary behaviors are allowed. The Value Name is the name o
es the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting Consistent Mime Handling
es the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting Internet Explorer requires c
es the file by saving it in the Internet Explorer cache and changing its extension.This policy setting allows administrators to define applicati
ck vector to load malicious HTML code.If you enable this policy setting the Local Machine zone security applies to all local files and conten
Machine zone is used as an attack vector to load malicious HTML code.If you enable this policy setting the Local Machine zone security app
n attack vector to load malicious HTML code.If you enable this policy setting and enter a value of 1 Local Machine Zone security applies. If
icy setting MIME sniffing will never promote a file of one type to a more dangerous file type.
us file types. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignore
r the File Explorer and Internet Explorer processes.If you do not configure this policy setting the MK Protocol is prevented for File Explorer
allowed. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in thi
his policy setting restricting content obtained through restricted protocols is prevented for all processes other than File Explorer or Interne
ple you can restrict active content from pages served over the http and https protocols by adding the value names http and https.If you dis
nable this policy setting and enter a Value of 1 restricting content obtained through restricted protocols is allowed. If you enter a Value of
the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols to access m
will be displayed for all processes.If you disable or do not configure this policy setting the Notification bar will not be displayed for all proc
es.If you do not configure this policy setting the Notification bar will be displayed for Internet Explorer Processes.
f you enter a Value of 0 the Notification bar is not displayed. The Value Name is the name of the executable. If a Value Name is empty or t
you do not configure this policy setting an object reference is no longer accessible when navigating within or across domains for Internet E
re still accessible after navigation. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the p
ected from zone elevation for all processes.If you disable or do not configure this policy setting processes other than Internet Explorer or t
context.If you enable this policy setting any zone can be protected from zone elevation by Internet Explorer processes.If you disable this p
ecurity context.This policy setting allows administrators to define applications for which they want this security feature to be prevented or
o determine whether to block ActiveX control installations for Internet Explorer processes.
0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes poli
ated for all processes.
o prompt for file downloads that are not user initiated for Internet Explorer processes.
the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explor
ot configure this policy setting scripted windows are not restricted.
net Explorer processes.If you disable this policy setting scripts can continue to create popup windows and windows that obfuscate other w
e to be prevented or allowed.If you enable this policy setting and enter a Value of 1 such windows may not be opened. If you enter a Valu
mand buttons have only text; some have icons and text.Show only icons: All command buttons have only icons.If you disable or do not confi
ons are next to the Address bar by default and the user can choose to move them.
ble this policy setting the toolbar upgrade tool does not check for incompatible toolbars. The user is not prompted and incompatible toolb
ser can make them bigger (20 x 20 pixels).
Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. If you disable or do not configure this policy s
e daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply.
delay will be applied to Automatic Maintenance. If you disable this policy setting no random delay will be applied to Automatic Main
ake a wake request for the daily scheduled time if required. If you disable or do not configure this policy setting the wake setting as s
MDM Enrollment will be enabled for all users.

not be initiated. If you enable this policy setting a task is created to initiate enrollment of the device to MDM service specified in the
ng this setting until the authentication cache expires. It is recommended to enable this setting before any user signs in to a device to preve
service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted the service will b
have blocked access if it were set to Block then a record of the event will be in the event logs. Disabled: Potentially unwanted soft
Settings will override preference settings. If you disable this setting only items defined by Group Policy will be used in the resulting effecti
todetect If you enable this setting the proxy setting will be set to use the specified proxy .pac according to the order specified above.
t If you enable this setting the proxy will be set to the specified URL according to the order specified above. The URL should be proceed
this setting scheduled tasks will begin at a random time within an interval of 4 hours after the specified start time. If you disable this setti
nder Antivirus. If you install another antivirus program Windows automatically disables Microsoft Defender Antivirus. Otherwise Microsoft
users to choose from the actions available for each threat. If you disable or do not configure this policy setting Microsoft Defender Antivi
be displayed. If you disable or do not configure this setting there will be no additional text displayed.
this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended t
image. Note that only executables can be excluded. For example a process might be defined as: "c:\windows\app.exe". The value is not u
be set as follows: MAPS -> The â€œJoin Microsoft MAPSâ€ must be enabled or the â€œBlock at First Sightâ€ feature will not function
is information can include things like location of detected items on your computer if harmful software was removed. The information will
applied and the end-user will have the option to bypass the block Unless the ASR rule is disabled a subsample of audit events are collecte
fic file in that specific folder - Value column: Enter ""0"" for each item Disabled: No exclusions will be applied to the ASR rules. Not c
No additional applications will be added to the trusted list. Not configured: Same as Disabled. You can enable controlled folder acce
matically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications
in the Options section. Disabled: No additional folders will be protected. Not configured: Same as Disabled. You can enable contro
ct to dangerous domains however if this feature would have blocked access if it were set to Block then a record of the event will be in the
NetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of EnableNetworkP
ud check feature and will raise the total time to 60 seconds. Note: This feature depends on three other MAPS settings - "Configure the
ender Antivirus documentation site. Note: This feature requires the "Join Microsoft MAPS" setting enabled in order to function. Possi
value is not used and it is recommended that this be set to 0.
NetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of EnableNetworkP
n that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the lates
nly honored for NTFS volumes. For any other file system type full monitoring of file and program activity will be present on those volumes
Antivirus will prompt users to take actions on malware detections.
default) If you enable this setting a scheduled full scan to complete remediation will run at the frequency specified. If you disable or do
he time of day specified. If you disable or do not configure this setting a scheduled full scan to complete remediation will run at a default
do not configure this setting the scan will start using the existing security intelligence.
missed scheduled scans.
g quick scan and custom scan.

cheduled scan will run at the frequency specified. If you disable or do not configure this setting a scheduled scan will run at a default freq
an will run at a default time.
tion will not exceed the default value.
day specified. If you disable or do not configure this setting a daily quick scan will run at a default time.
day specified. If you disable or do not configure this setting a scheduled scan will run at a default time.
p scan is started the next time someone logs on to the computer. If there is no scheduled scan configured there will be no catch-up scan ru
h-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured there will be no catch-up sca
not configure this setting e-mail scanning will be disabled.
If you disable or do not configure this setting items will be kept in the scan history folder for the default number of days.
you disable or do not configure this setting reparse point scanning will be disabled.
ure the antimalware service will receive notifications to disable security intelligence. If you disable this setting the antimalware service w
Microsoft MAPS for this functionality to work. If you enable or do not configure this setting real-time security intelligence updates will be
gured download source.
gence updates. Once security intelligence updates have been successfully downloaded from one specified source the remaining sources in
ence will be considered out of date after the number of days specified have passed without an update. If you disable or do not configure
ll be considered out of date after the number of days specified have passed without an update. If you disable or do not configure this se
Server | MicrosoftUpdateServer | MMPC } If you enable this setting security intelligence update sources will be contacted in the order s
this setting the check for security intelligence updates will occur at the frequency specified. If you disable or do not configure this setting
will occur at the default interval.
s occurring. If you enable this setting the check for security intelligence updates will occur at the time of day specified. If you disable or
ere Valid remediation action values are: 2 = Quarantine 3 = Remove 6 = Ignore
tly in Windows Security.- Generate an XML file with the settings from the device by running the Get-ProcessMitigation PowerShell cmdlet
ate with Windows Hello.
ays connected to the settings storage location.When SyncMethod is set to â€œNoneâ€ the UE-V Agent uses no sync provider. Settings are
pps. If you do not configure this policy setting any defined values are deleted.Note: If the user connects their Microsoft account for their c
disabled no notification appears.If you do not configure this policy setting any defined values are deleted.
tion before synchronizing settings packages.If you disable this policy setting the sync provider doesnâ€™t ping the settings storage location
disable or do not configure this policy setting no event is written to the event log to report settings package size.
egistered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location.If you specify a UNC path and le
this policy setting any defined values are deleted.
ng.With this setting disabled the UE-V Agent will not synchronize settings over a metered connection that is roaming.If you do not configur
sabled only the settings of the Windows apps set to synchronize in the Windows App List are synchronized.If you do not configure this pol
users' sign-in information for certain apps networks and certificates.If you enable this policy setting only the selected Windows settings syn
isible the UE-V notifications display and the Company Settings Center is accessible from the tray icon.With this setting disabled the tray ico
e this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that reset to
n user settings of Microsoft Access 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
n user settings of Microsoft Access 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
onization settings.If you do not configure this policy setting any defined values will be deleted.
tain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up.If you disable th
tain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up.If you disable th
settings of Microsoft Excel 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
settings of Microsoft Excel 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
g certain user settings of Microsoft InfoPath 2013 will not be backed up.If you do not configure this policy setting any defined values will be
orer 10 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be de
rer 11 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be del
8 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted
9 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted
on between the versions of Internet Explorer continue to synchronize.If you disable this policy setting the user settings which are common
ttings of Microsoft Lync 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
ttings of Microsoft Lync 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
ft Access 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined values w
ft Access 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values wi
ft Access 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values wi
l 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined values will be de
2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be del
2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be del
Microsoft InfoPath 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined
Microsoft InfoPath 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined
010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined values will be delet
13 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be delete
16 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be delete
omputers. If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2010 applications conti
omputers.If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2013 applications contin
e to synchronize.If you disable this policy setting Microsoft Office 2013 Upload Center user settings are excluded from the synchronization
omputers.If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2016 applications contin
e to synchronize.If you disable this policy setting Microsoft Office 2016 Upload Center user settings are excluded from the synchronization
ngs of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Offi
ngs of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Offi
ters with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2013
ters with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 2016
of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Office 3
of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Office 3
ettings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V.If you enable this policy setting Microso
f Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Office 365
f Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Office 365
settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V.If you enable this policy setting Micro
settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V.If you enable this policy setting Micro
ttings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
ttings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V.If you enable this policy settin
user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V.If you enable this policy settin
ngs of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft O
ngs of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft O
settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V.If you enable this policy setting Micro
settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V.If you enable this policy setting Micro
ng to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V.If yo
of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Office 36
of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Office 36
s of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Office
s of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Office
olicy setting OneDrive for Business 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setti
olicy setting OneDrive for Business 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setti
Microsoft OneNote 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any define
rosoft Outlook 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined val
licy setting Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setti
oft Project 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values w
g Microsoft Publisher 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defin
o synchronize.If you disable this policy setting Microsoft SharePoint Designer 2010 user settings are excluded from the synchronization setti
o synchronize.If you disable this policy setting Microsoft SharePoint Designer 2013 user settings are excluded from the synchronization setti
ontinue to synchronize.If you disable this policy setting Microsoft SharePoint Workspace 2010 user settings are excluded from the synchro
010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be delet
ord 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be d
n settings.If you do not configure this policy setting any defined values will be deleted.
ng certain user settings of Microsoft OneNote 2013 will not be backed up.If you do not configure this policy setting any defined values will
ng certain user settings of Microsoft OneNote 2016 will not be backed up.If you do not configure this policy setting any defined values will
ertain user settings of Microsoft Outlook 2013 will not be backed up.If you do not configure this policy setting any defined values will be d
ertain user settings of Microsoft Outlook 2016 will not be backed up.If you do not configure this policy setting any defined values will be d
policy setting certain user settings of Microsoft PowerPoint 2013 will not be backed up.If you do not configure this policy setting any define
policy setting certain user settings of Microsoft PowerPoint 2016 will not be backed up.If you do not configure this policy setting any define
in user settings of Microsoft Project 2013 will not be backed up.If you do not configure this policy setting any defined values will be delete
in user settings of Microsoft Project 2016 will not be backed up.If you do not configure this policy setting any defined values will be delete
tting certain user settings of Microsoft Publisher 2013 will not be backed up.If you do not configure this policy setting any defined values wi
tting certain user settings of Microsoft Publisher 2016 will not be backed up.If you do not configure this policy setting any defined values wi
o be backed up.If you disable this policy setting certain user settings of Microsoft SharePoint Designer 2013 will not be backed up.If you d
ettings of Microsoft Visio 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
ettings of Microsoft Visio 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
r settings of Microsoft Word 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
r settings of Microsoft Word 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
ation settings.If you do not configure this policy setting any defined values will be deleted.
ure this policy setting any defined values will be deleted.
his policy setting any defined values will be deleted.
icy setting any defined values will be deleted.
gure this policy setting any defined values will be deleted.
icy setting any defined values will be deleted.
policy setting any defined values will be deleted.
olicy setting any defined values will be deleted.
onfigure this policy setting any defined values will be deleted.
ed the OneDrive sync client will start automatically when users sign in to Windows.If you enable or disable this setting do not return the se
tos and videos from the camera roll folder.If you disable or do not configure this policy setting apps and features can work with OneDrive fi
cally upload photos and videos from the camera roll folder.If you disable or do not configure this policy setting apps and features can wor
e to access OneDrive using the WinRT API. If you enable or do not configure this policy setting users with a connected account will save do
default behavior applies (Help viewer renders trusted assistance content with active elements).
hoose their privacy settings after an upgrade.If this policy is disabled or not configured then the privacy experience may launch for newly-
tions Control Panel item.If you disable this setting booting to Windows To Go when a USB device is connected will not be enabled unless a
blanking adjust speaker volume and apply a custom background image.Note: Users will be able to customize their system settings for pres
tting and this policy setting is applied to a Remote Desktop license server the license server will only respond to RDS CAL requests from RD
ws Server 2008 TS CAL for clients connecting to a terminal server running Windows Server 2008 and will try to issue a Windows Server 2003
want to connect.If you disable this policy setting users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client
gs (for example when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file).If you enable or do
uthentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated the
s to investigate. If you disable this setting or leave it not configured the Remote Desktop client will use hardware accelerated decoding if s
g or leave it not configured the user will be able to save passwords using Remote Desktop Connection.
he user will not be prompted to provide credentials.Note: If you enable this policy setting in releases of Windows Server 2008 R2 with SP1
he file. To obtain the thumbprint view the certificate details and then click the Thumbprint field.If you disable or do not configure this poli
or do not configure this policy setting other supported RemoteFX USB devices are not available for RDP redirection by using any user accou
ot available.
nfigure this policy setting Remote Desktop IP Virtualization is turned off. A network adapter must be configured for Remote Desktop IP Virt
do not configure this policy setting Windows Installer RDS Compatibility is turned on and multiple per user application installation requests
k lines between programs). For example:explorer.exemstsc.exeIf you disable or do not configure this policy setting Remote Desktop IP Virt
8. If you are using Windows Server 2012 you can configure this in the Collection properties sheet by using Server Manager.By default only
arget computer will maintain any current connections but will not accept any new incoming connections.If you do not configure this polic
atus is set to Disabled automatic reconnection of clients is prohibited.If the status is set to Not Configured automatic reconnection is not s
he client logs on to the same RD Session Host server again a new session might be established (if the RD Session Host server is configured t
nnected administrator is not allowed.If you disable or do not configure this policy setting logging off the connected administrator is allowe
se fewer sessions are demanding system resources. By default RD Session Host servers allow an unlimited number of Remote Desktop Ser
owed to make unlimited simultaneous remote connections by using Remote Desktop Services.If you do not configure this policy setting th
to this server originates from a low-speed connection.If you disable Continuous Network Detect Remote Desktop Protocol will not try to a
l use UDP.If the UDP connection is not successful or if you select "Use only TCP" all of the RDP traffic will use TCP.If you disable or do not c
nt.3. Full Control without user's permission: Allows the administrator to interact with the session without the user's consent.4. View Sessio
n use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. If you disable or do not configure this
can also choose to not play the audio. Video playback can be configured by using the videoplayback setting in a Remote Desktop Protocol (
dio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is a
icy setting the client computer does not redirect its time zone information and the session time zone is the same as the server time zone.N
ers cannot redirect Clipboard data.If you disable this policy setting Remote Desktop Services always allows Clipboard redirection.If you do
setting users cannot redirect server data to the local COM port.If you disable this policy setting Remote Desktop Services always allows CO
tting client drive redirection is not allowed in Remote Desktop Services sessions and Clipboard file copy redirection is not allowed on comp
irect server data to the local LPT port.If you disable this policy setting LPT port redirection is always allowed.If you do not configure this po
nection.Note: The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional
uter. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play de
emote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture d
andwidth. If you select Medium the audio will be sent with some compression and with minimum latency as determined by the codec that
mber of days until the licensing grace period for the RD Session Host server will expire.If you enable this policy setting these notifications w
Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from
ssion Host server in a Windows Server-based domain attempts to contact a license server in the following order: 1. Remote Desktop licen
ote computer to a local client printer in Remote Desktop Services sessions.If you disable this policy setting users can redirect print jobs with
ecified on the remote computer.If you disable this policy setting the RD Session Host server automatically maps the client default printer a
the RD Session Host server to find a suitable printer driver. If one is not found the client's printer is not available. You can choose to chang
matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer the client prin
setting you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. Th
e network share for user profiles.If you enable this policy setting Remote Desktop Services uses the specified path as the root directory for
select the drive letter to which you want the network share to be mapped.If you choose to keep the home directory on the local compute
erver use the same user profile.If you disable or do not configure this policy setting mandatory user profiles are not used by users connecti
ou specify a new farm name a new farm is created in RD Connection Broker. If you specify an existing farm name the server joins that farm
the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012 for a high availability setup wi
Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Bro
n Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. T
is configured to use RD Connection Broker users who have an existing session are redirected to the RD Session Host server where their se
sessions can reduce connection performance particularly over slow links and increase the load on the remote computer. If you enable thi
tting the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy
andwidth. If you select the algorithm that is optimized to use less network bandwidth this option uses less network bandwidth but is mor
s the lowest amount of network bandwidth of the quality modes. If you enable this policy setting and set quality to Medium RemoteFX
timize for server scalability3. Optimize for minimum bandwidth usageIf you disable or do not configure this policy setting the RemoteFX ex
ons can improve connection performance particularly over slow links. By default font smoothing is allowed for remote connections. You c
2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 R
r more information). Servers running Windows Server 2003 do not display wallpaper by default to Remote Desktop Services sessions.If the
owed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client com
esolution that can be used by each monitor used to display a Remote Desktop Services session.If you disable or do not configure this policy
You can specify a number from 1 to 16.If you disable or do not configure this policy setting the number of monitors that can be used to di
or do not configure this policy setting "Disconnect" is not removed from the list in the Shut Down Windows dialog box.Note: This policy setti
ity dialog box on the client computer.If the status is set to Disabled or Not Configured Windows Security remains in the Settings menu.
setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are not displa
ou disable this policy setting RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You m
ou do not configure this policy setting Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Dr
ke effect you must restart Windows.
server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1.When deployed on an RD Session Host server Remo
isual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text.If you d
ork bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed).If you have a higher t
p Connection client.If you enable this policy setting users cannot automatically log on to Remote Desktop Services by supplying their passw
ting groups on the RD Session Host server cannot be changed. All the security descriptors are read-only.If you disable or do not configure
cured communication with untrusted clients.If the status is set to Disabled Remote Desktop Services always requests security for all RPC t
* Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) versi
rver.To determine whether a client computer supports Network Level Authentication start Remote Desktop Connection on the client com
tificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authen
ll communications between clients and RD Session Host servers during remote connections must use the encryption method specified in t
t locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services ses
wo minutes before the session disconnects which allows the user to press a key or move the mouse to keep the session active. If you have
Desktop Services session disconnects which allows the user to save open files and close programs. If you have a console session active ses
ng programs are kept active even though the user is no longer actively connected. By default these disconnected sessions are maintained f
ogram associated with a session the RemoteApp session will remain in a disconnected state until the time limit that you specify is reached.
ained when the user logs off from a session.If you disable this policy setting temporary folders are deleted when a user logs off even if the
ote computer in a Temp folder under the user's profile folder and are named with the sessionid.If you enable this policy setting per-session
nload an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
figure this policy setting the user can subscribe to a feed or Web Slice through the Subscribe button in Internet Explorer and delete a feed
eeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection.A developer cannot change t
r query should resemble the following:http://sitename/Search.aspx?k=$wIf your intranet search service is Windows SharePoint Services (W
vice. Use $w in place of the query term for the search service URL.If your intranet search service is SharePoint Portal Server your query sho
ng the local setting configured through Control Panel will be used. By default the Control Panel setting is set to not index encrypted conte
Control Panel will be used. Note: By default the Control Panel setting is set to treat words that differ only because of diacritics as the sam
le or do not configure this policy setting Windows will use automatic language detection only when it can determine the language of a doc
rch.If you don't configure this policy setting a user can choose whether or not Search can perform queries on the web and if the web resul
nnections and web results will be displayed when a user performs a query in Search.If you don't configure this policy setting a user can cho
that for Microsoft Outlook 2007 no portions of the delegate mailbox are cached locally. The default behavior for Search is to not index on
gate mailboxes. To stop indexing of online and delegate mailboxes you must disable both policies.
his policy then online mail items will be indexed at the speed that the Microsoft Exchange server can support. If you set this policy to not co
hen the policy is disabled both the Add and Remove locations options as well as any previously specified user locations will be visible.
n this computer and automatically adds them to or removes them from the index.
d file types. If you enable and then disable this policy the user's original list is restored.If you want to specify an initial default list of exclud
lter make sure that this iFilter is on the allow list either as a GUID such as {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} (include the braces) or a
led or not configured the preview pane shows automatically to the right of the Desktop Search results and your users can choose the loca
ult is small icon view.
ble or don't configure this policy setting users can specify the SafeSearch setting.Windows 10 users should use Search/DoNotUseWebResul
ount info to personalize their search and other Microsoft experiences. -Anonymous info: Share usage information but don't share sear
n Security Center is not enabled on the domain neither the notifications nor the Security Center status section are displayed. Note that Sec
hutdown interface.
used to log on with a smart card:- Certificates with no EKU- Certificates with an All Purpose EKU- Certificates with a Client Authentication E
domain. ECC certificates on a smart card that are used for other applications such as document signing are not affected by this policy settin
licy setting then the integrated unblock feature will not be available.
es will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired.If you disable or do n
nal field that allows users to enter their user name or user name and domain will not be displayed.
er when the smart card is blocked if the integrated unblock feature is enabled.
ame if they are issued from the same template with the same major version and they are for the same user (determined by their UPN).
ndor to determine if your smart card and associated CSP supports the required behavior.If you enable this setting then Windows will attem
smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process.
hether you will be affected by this policy setting.
ong with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls the appea
s will not be propagated from the smart card.

rd is inserted in a Smart Card Reader.Note: This policy setting is applied only for smart cards that have passed the Windows Hardware Qua
t to Microsoft) - Disabled (data will be automatically sent to Microsoft) - Enabled (data will not be sent to Microsoft)
om a Microsoft service using the Background Internet Transfer Service (BITS).
n the Microsoft Store.
our settings" is on by default and configurable by the user.

p is on by default and configurable by the user.
and configurable by the user.
default but not disabled.If you do not set or disable this setting syncing of the "browser" group is on by default and configurable by the us
e this setting syncing of the "desktop personalization" group is on by default and configurable by the user.
configurable by the user.
e this setting syncing of the "Other Windows settings" group is on by default and configurable by the user.
y default and configurable by the user.
on by default and configurable by the user.
ut" group is on by default and configurable by the user.
s can be launched from a hardware button.

nfigure this policy press and hold actions will be available.
s numbers or keyboard shortcuts.If you enable this policy Input Panel will not provide text prediction suggestions. Users will not be able to
ry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog box.If
when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this p
PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text symbols numbers
this policy Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Input Pane
tting in the Input Panel Options dialog box.If you disable this policy application auto complete lists will appear next to Input Panel in applic
writing or an on-screen keyboard to enter text symbols numbers or keyboard shortcuts.If you enable this policy and choose â€œLowâ€ f
rd to enter text symbols numbers or keyboard shortcuts. If you enable this policy and choose â€œAllâ€ from the drop-down menu no
flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks policy.If you
h pointer and other-touch specific features.If you do not configure this setting touch input is on by default.Note: Changes to this setting w
ouch Panning is on by default.Note: Changes to this setting will not take effect until the user logs off.
hange task characteristics such as: the program the task runs details of its schedule idle time and power management settings and its secu
stics such as the program the task runs its schedule details idle time and power management settings and its security context.Note: This se
cedence over the setting in User Configuration.
program from the list in the Scheduled Task Wizard which displays only the tasks that appear on the Start menu and its submenus. Once a
d tasks folder.This setting does not prevent users from using other methods to create new tasks and it does not prevent users from deletin
over the setting in User Configuration.Important: This setting does not prevent administrators of a computer from using At.exe to create ne
are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Important: This setting does
uage is uninstalled.
Store onlyIf you disable or don't configure this setting users will be able to install apps from anywhere including files downloaded from the
picious.Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.If you enable this policy Smart
ws Defender SmartScreen is turned off and employees can't turn it on.If you don't configure this setting employees can choose whether to
he user.If you disable this policy setting then all memory dumps are uploaded according to the default consent and notification settings.
cation settings.Important: If the Turn off Windows Error Reporting policy setting is not configured then Control Panel settings for Windows
do not configure this policy setting the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative Templa
e Error Reporting policy setting is also enabled errors are reported but users receive no notification. Disabling this policy setting is useful fo
lates/Windows Components/Windows Error Reporting/Consent take precedence.
this policy setting WER throttles data by default; that is WER does not upload more than one CAB file for a report that contains data abou
er but checks for solutions and uploads report data normally.If you disable or do not configure this policy setting WER checks for solutions
the network profile is changed.
on the destination server for transmission.If you disable or do not configure this policy setting Windows Error Reporting sends error report
mum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.If you di
en Queuing behavior is set to Always queue all reports are added to the queue until the user is prompted to send the reports or until the u
ed regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled all errors in Windows
tions in this list are not reported even if the Default Application Reporting Settings policy setting is configured to report all application erro
Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an application from
applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must always includ
Control Panel are set to upload operating system errors.See also the Configure Error Reporting policy setting.
hutdown events" by default.Also see the "Configure Error Reporting" policy setting.
s required to check for an existing solution is sent automatically and Windows prompts users for consent to send any additional data that i
0 1 2 3 or 4.- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.- 1 (Always ask before sending data): Win
onsent setting determines only the consent level of any other error reports.
on of provisioned Windows Hello for Business credentials for other users on the same device.This policy setting is designed for a single use
cessfully unlock.If you disable or do not configure this policy setting users can continue to unlock with existing unlock options.For more info
ble with smart card applications.NOTE: This policy affects Windows Hello for Business credentials at the time of creation. Credentials crea
e this policy setting the TPM is still preferred but all devices may provision Windows Hello for Business using software if the TPM is non-fu
his policy prevents the user of biometric gestures on the device for all account types.
this policy setting and enabling the "Use Windows Hello for Business" policy setting requires the environment to have one or more Windo
N recovery requires the user to perform multi-factor authentication to Azure Active Directory.If you enable this policy setting Windows He
ot configure this policy setting users can provision Windows Hello for Business as a convenience credential that encrypts their domain pas
Business certificates as smart card certificates and biometric factors are available when a user is asked to authorize the use of the certific
ing installation options typically reserved for system administrators such as specifying the directory to which files are installed.If Windows
own permissions would not allow.This policy setting does not affect installations that run in the user's security context. Also see the "Remo
ure this policy setting by default only system administrators can apply patches during installations with elevated privileges such as installati
m removable media when the installation runs in their own security context.If you disable or do not configure this policy setting by default
tting lets users install programs that require access to directories that the user might not have permission to view or change including direct
he maximum size of the Windows Installer baseline file cache. If you set the baseline cache size to 0 the Windows Installer will stop po
l GUID appears to be removed and the component as identified by the new GUID appears as a new component.(2) Add a new feature to t
his policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However because this po
in the user's security context.If you disable or do not configure this policy setting by default users who are not system administrators cann
will analyze the patch for specific changes to determine if optimization is possible. If so the patch will be applied using a minimal set of pro
applications.If you disable or do not configure this policy setting users without administrative privileges can install non-administrator upd
r an administrator. The Windows Installer can still remove an update that is no longer applicable to the product.If you disable or do not co
re the computer to its original state if the installation does not complete.This policy setting is designed to reduce the amount of temporar
e Restart Manager to detect files in use and mitigate a system restart when possible.-- The "Restart Manager Off" option turns off Restart M
of an application this hides a per-computer installation of that same product.If you enable this policy setting and "Hide User Installs" is sele
ies even when the installation is running in the user's security context. If you disable or do not configure this policy setting the Browse
n which the transform file was used therefore the user must be using the same computer or be connected to the original or identical med
or as few event types as you want. To disable logging delete all of the letters from the box. If you disable or do not configure this p
policy setting by default the Windows Installer automatically creates a System Restore checkpoint each time an application is installed so
ructs Windows Installer to automatically generate log files for packages that include the MsiLogging property.-- The "Logging via package
ware. This is the default behavior for Windows Installer on Windows 2000 Professional Windows XP Professional and Windows Vista when
d if BitLocker is on and not suspendedâ€ specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended
ou set this policy setting to "Services and Ease of Access applications" both services and Ease of Access applications can simulate the SAS.I
empted with that user name and the number of unsuccessful logons since the last successful logon by that user. This message must be ack
estarts and user-initiated restarts and shutdowns.â€‹If you donâ€™t configure this policy setting it is enabled by default. When the policy i
tent that is already licensed to the local computer will continue to play. Users are also able to protect music that they copy from a CD and
e the anchor window when the Player is in skin mode by using the Player tab in the Player.If you do not configure this policy setting and th
e options can be configured by using other Windows Media Player group policies.If you disable or do not configure this policy setting the d
ot configure this policy setting anyone using Windows Media Player can turn media sharing on or off.
Smoothing check box is selected and is not available.If you do not configure this policy setting video smoothing occurs if necessary. Users
present the Computer Configuration version of this policy setting takes precedence.
er from that point on Windows Messenger will be loaded.The user can also configure this behavior on the Preferences tab on the Tools me
cy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet.Note: This policy setting exists under both
tion events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the LogPipelin
t Block Invocation Logging PowerShell additionally logs events when invocation of a command script block function or script starts or s
directory with a file name that includes 'PowerShell_transcript' along with the computer name and time started. Enabling this policy is
from the Internet must be signed by a trusted publisher.The "Allow all scripts" policy setting allows all scripts to run.If you disable this poli
on.If you disable this policy setting Reliability Monitor will not display system reliability information and WMI-capable applications will be
he WinRM client uses the Kerberos authentication directly.
ate the identity of the host.If you disable or do not configure this policy setting and the WinRM client needs to use the list of trusted hosts
Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP).If you disable or do not configure this policy setting t
alue will be erased from the credential store on this computer.If you disable or do not configure this policy setting the WinRM service will
rdening level locally on each computer. If HardeningLevel is set to Strict any request not containing a valid channel binding token is rej
ener might be automatically created on port 80 to ensure backward compatibility.
A listener might be automatically created on port 443 to ensure backward compatibility.
you do not configure or disable this policy setting the default value of 900000 or 15 min will be used.
location exceeds the specified quota.If you disable or do not configure this policy setting the value 150 is used by default.
s policy setting audio input will be enabled. Note that there may be security implications of exposing host audio input to the container.
will be enabled. Note that enabling networking can expose untrusted applications to the internal network.
Windows Sandbox. Note that there may be security implications of exposing host video input to the container.
ail number or email ID -Specify contact website Disabled: No contact information will be shown in Windows Security. Not c
umber or email ID -Specify contact website Please note that in some cases we will be limiting the contact options that are displaye
Security or any notifications it creates. Not configured: Same as Disabled.

tifications it creates. Not configured: Same as Disabled.
onfigured: Same as Disabled.
s no effect.
d and important content for which they received a notification. Users will not see a User Account Control window and do not need elevate
mputer.If you disable or do not configure this policy setting updates from an intranet Microsoft update service location must be signed by
er its restart behavior.If the "No auto-restart with logged on users for scheduled automatic updates installations" policy is enabled then th
Note: The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect. Note: If the "Confi
es. When Windows finds updates that apply to this computer users will be notified that updates are ready to be downloaded. After go
start to notify the user that the auto restart is imminent to allow them time to save their work.If you disable or do not configure this policy
he "Configure Automatic Updates" policy is disabled this policy has no effect.
o that devices arenâ€™t automatically getting updates neither you nor device users will be aware of critical security quality or feature upda
do?' list.If you disable or do not configure this policy setting the 'Install Updates and Shut Down' option will be the default option in the Sh
ntranet Microsoft update service location" policy is disabled or not configured this policy has no effect.
e: This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update
ng the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available when the use
names separated by semicolons. Otherwise a single group must be specified.If the status is set to Disabled or Not Configured no target gro
pdate will use the Windows Power management features to automatically wake the system up to install the updates.Windows update wil
Be aware that the computer needs to be restarted for the updates to take effect.If the status is set to Disabled or Not Configured Automa
form scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled this policy has no effect. This policy has no
If the status is set to Not Configured a missed scheduled installation will occur one minute after the computer is next started.Note: This po
ates installations. 2. Always automatically restart at scheduled time.

has passed restarts will occur regardless of active hours and users will not be able to reschedule. If the deadline is set to 0 days the update
ine in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set between 2
ues: the server from which the Automatic Updates client detects and downloads updates and the server to which updated workstations u
estart with logged on users for scheduled automatic updates installations. 2. Always automatically restart at scheduled time.Note that th
policy setting a notification message will appear on the user's computer when featured software is available. The user can click the notific
eedback will be especially important here as it will help our engineers ensure key issues are fixed before a major release.Release Preview
ervice can be specified. Note: If you set both policies the version specified will take precedence and the deferrals will not be in effect. Plea
s policy Windows Update will not alter its behavior.
e the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windows Com
specify a list of pages to show the policy string must begin with "showonly:" (without quotes) and to specify a list of pages to hide it must
h as C:\Windows\Web\Screen\img104.jpg or a UNC path such as \\Server\Share\Corp.jpg.This can be used in conjunction with the "Preve
so set on a supported version of Windows then that background takes precedence over this policy.
ed clean up task.
uage used for the Windows menus and dialogs.
€¯language packs or featureâ€¯installationâ€¯restrictionâ€¯forâ€¯any user.â€¯â€¯
guage is used.
ready known to the handwriting recognition engines (for example proper names and acronyms). Deleting email content or the browser his
default user account picture will display for all users on the system with no customization allowed.If you disable or do not configure this p
. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows.Disabled: Allows local acc
ng loaded when directly referenced by the document but does not prevent activation through another object.3. "Allow all activation" rest
SMBv1 client driver to "Manual start" using the "Configure SMB v1 client driver" setting;* Enable this setting;* In the "Configure LanmanW
he dropdown:* "Manual start" for Windows 7 and Windows Servers 2008 2008R2 and 2012;* "Automatic start" for Windows 8.1 and Win
lying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 for additional information.
Type is present the computer uses B-node if there are no WINS servers configured for the network or H-node if there is at least one WINS
Not Configured JScript will function without any restrictions.The values are set in hexadecimal and should be converted prior to changing
Server 2008 R2 and Windows Server 2012.Enabled: Enables WDigest authentication.Disabled (recommended): Disables WDigest authentic
his setting to a value less than 15 minutes the default value of 15 minutes is applied.
ads them from the origin server. If you enable this policy setting BITS downloads files from peers caches the files and responds to con
S. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings for Wind
ure this policy setting the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the origin serv
and cached files to its peers. Note: This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured.
ved from the peer cache. Note: This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or not config
u disable or do not configure this policy setting the default size of the BITS peer cache is 1 percent of the total system disk size. Note:
not configure this policy setting the default value of 90 days (7776000 seconds) will be used.
fy the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits BITS will continue to use approximately 2 kilobits. To pre
d specify a fixed maximum bandwidth that BITS will use for peer caching. If you enable this policy setting you can enter a value in bit
han the setting specified in the "Maximum number of BITS jobs for this computer" policy setting or 300 if the "Maximum number of BITS jo
es and the local administrator account do not count toward this limit.
nistrator account do not count toward this limit.
nt do not count toward this limit.
ed by specifying only a priority. For example you can specify that background jobs are by default to transfer only when on uncosted n
are currently limited to 256 Kbps on a work schedule you can further limit the network bandwidth of normal priority jobs to 0 Kbps from 8
defined you can set the bandwidth usage limits for each of the three BITS background priority levels: high normal and low. You can sp
of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk space.
the network latency reaches the specified value; when network latency is greater than the value clients begin caching content after they r
do not configure this setting all clients will use the version of BranchCache that matches their operating system.Policy configurationSelect o
the branch office.If you enable this policy setting and specify valid computer names of hosted cache servers hosted cache mode is enabled
by other group policies.If you enable this policy setting in addition to the "Turn on BranchCache" policy setting BranchCache clients attem
members but you do not want to configure a BranchCache client computer cache age setting on all client computers you can specify Not Co
ng:- Not Configured. With this selection BranchCache settings are not applied to client computers by this policy. In the circumstance where
e hosted cache server for access by other hosted cache clients at the branch office.Policy configurationSelect one of the following:- Not Co
by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache client c
applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to enab
es wherever possible.Important At least one of the entries must be a PING: resource.-A Uniform Resource Locator (URL) that NCA queries
e one endpoint for each tunnel. Each entry consists of the text PING: followed by the IPv6 address of an IPsec tunnel endpoint. Example:
sting IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than na
e DNS client first. If the query succeeds the response is returned to the client. If the query fails the unqualified multi-label name is appende
on.Require DoH: Allow only DoH name resolution. If there are no DoH capable DNS servers configured name resolution will fail.If you disab
NS suffix if configured.
policy setting or if you do not configure this policy setting computers will use the local or DHCP supplied list of DNS servers if configured.
nding the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com."To use this policy setting click Enabled and
tion and this policy setting must not be disabled.If you disable this policy setting computers may not use dynamic DNS registration for any o
isable this policy setting or if you do not configure this policy setting then DNS responses from networks lower in the binding order will be
policy setting to prevent users including local administrators from changing the primary DNS suffix.If you disable this policy setting or if yo
bel unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append par
ppends DNS suffixes to the single-label unqualified domain name based on the state of the Append primary and connection specific DNS s
microsoft.com will be registered as: mycomputer.microsoft.com.If you enable this policy setting a computer will register A and PTR resourc
ttempt to register PTR resource records.Register: Computers will attempt to register PTR resource records even if registration of the corres
.Warning: If record scavenging is enabled on the zone the value of this policy setting should never be longer than the value of the DNS zon
ght exist that associates the client's host name with an IP address different than the one currently in use by the client. By default the DNS
TL settings specified in DNS. By default the TTL is 1200 seconds (20 minutes).
will be disabled on all available network adapters on the client computer.If you disable this policy setting or you do not configure this policy
will be issued if the DNS queries fail followed by NetBT queries if LLMNR queries fail.If you disable this policy setting or if you do not config
refer link local responses for flat name queries on non-domain networks. Note: This policy setting is applicable only if the turn off smart m
ou disable this policy setting or if you do not configure this policy setting computers will use local settings. By default DNS clients attempt t
the root zone.If you disable this policy setting or if you do not configure this policy setting computers do not send dynamic updates to the
fault behavior depends on the Windows edition. Changes to this policy take effect on reboot.
tocol support.If you disable this policy setting WLAN hotspots are not probed for WISPr protocol support and users can only authenticate w
e cipher suite per line in order from most to least preferred with the most preferred cipher suite at the top. Remove any cipher suites you
not want to enable BranchCache on all file servers you can specify Not Configured for this domain Group Policy setting and then configure
r V1 hashes BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes.Policy configurationSelect one of the
ou restart Windows.
cipher suite per line in order from most to least preferred with the most preferred cipher suite at the top. Remove any cipher suites you d
ances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since insecure gu
h CA shares. Note: This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft do
Note: Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times betw
etwork. On the other hand if a network interface is connected to an unmanaged network you may choose the "Allow operation while in p
Responder to operate on a network interface that's connected to a managed network. On the other hand if a network interface is connec
formed.
is policy setting this computer can publish PNRP names and help other computers perform PNRP lookups.
the four ways in which you can use this setting to control the seed server used in your corporation.1. In order to use the global well known
is registry key will break scenarios where there is no seed server for bootstrap (such as ad hoc networking scenarios).If you disable this setti
ud if the computer has a global IPv6 address but creates a site-local cloud if the computer has a site-local address.If you enable this policy s
nter any address no seed server will be used.If this setting is not configured the protocol will revert to using a public registry key to determ
this registry key will break scenarios where there is no seed server for bootstrap (such as ad hoc networking scenarios).If you disable this
ou donâ€™t enter any address no seed server will be used.If this setting is not configured the protocol will revert to using a public registry
this registry key will break scenarios where there is no seed server for bootstrap (such as ad hoc networking scenarios).If you disable this
ents together. This connection appears in the Network Connections folder.If you disable this setting or do not configure it the user will be
setting was refreshed this setting does not apply.The Internet Connection Firewall is a stateful packet filter for home and small office users
Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from the New
ess and the Internet is routed through the internal network.If you disable this policy setting traffic between remote client computers runni
sages sent by computers that authenticate using IPsec. If you enable this policy setting and add systems to the list upon disabling this poli
g you must specify which ICMP message types Windows Defender Firewall allows this computer to send or receive.If you disable this polic
ear it.If you disable this policy setting Windows Defender Firewall blocks these ports which prevents this computer from sharing files and p
ASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports typically in the
ndows Defender Firewall blocks this port which prevents this computer from receiving Remote Desktop requests. If an administrator attem
" check box is selected and administrators cannot clear it.If you disable this policy setting Windows Defender Firewall blocks these ports w
not allow administrators to define a local port exceptions list. However local administrators will still be allowed to create firewall rules in t
ntrol Panel does not allow administrators to define a local program exceptions list. However local administrators will still be allowed to cr
does not provide an option to log successful incoming messages.If you are configuring the log file name ensure that the Windows Defend
the Show button. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a port click its definition
fender Firewall to open even if that port is blocked by another policy setting such as the "Windows Defender Firewall: Define inbound por
around the "Windows Defender Firewall: Do not allow exceptions" policy setting by turning off the firewall.If you disable this policy setting
elected and administrators cannot clear it.If you do not configure this policy setting Windows Defender Firewall behaves as if the policy se
ters and then blocks all later responses.Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Confi
dministrators can use the Windows Defender Firewall component in Control Panel to turn Windows Defender Firewall on or off unless the
g you must specify which ICMP message types Windows Defender Firewall allows this computer to send or receive.If you disable this polic
ear it.If you disable this policy setting Windows Defender Firewall blocks these ports which prevents this computer from sharing files and p
ASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports typically in the
ndows Defender Firewall blocks this port which prevents this computer from receiving Remote Desktop requests. If an administrator attem
" check box is selected and administrators cannot clear it.If you disable this policy setting Windows Defender Firewall blocks these ports w
not allow administrators to define a local port exceptions list. However local administrators will still be allowed to create firewall rules in t
ntrol Panel does not allow administrators to define a local program exceptions list. However local administrators will still be allowed to cr
does not provide an option to log successful incoming messages.If you are configuring the log file name ensure that the Windows Defend
the Show button. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a port click its definition
fender Firewall to open even if that port is blocked by another policy setting such as the "Windows Defender Firewall: Define inbound por
around the "Windows Defender Firewall: Do not allow exceptions" policy setting by turning off the firewall.If you disable this policy setting
elected and administrators cannot clear it.If you do not configure this policy setting Windows Defender Firewall behaves as if the policy se
ters and then blocks all later responses.Note: This policy setting has no effect if the unicast message is a response to a Dynamic Host Confi
dministrators can use the Windows Defender Firewall component in Control Panel to turn Windows Defender Firewall on or off unless the
A proxy server used for this purpose must also be configured using the Intranet proxy servers for apps policy.Example: [cloudresource]|[c
red with this setting are merged with proxies that are auto-discovered. To make this policy configuration the sole list of allowed proxies en
This setting should NOT be used to configure Internet proxies.Example: [3efe:3022::1000]; 18.0.0.1; 18.0.0.2For more information see: htt
are merged with the hosts that are declared as private through automatic discovery.To ensure that these addresses are the only addresse
ses. For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
ver your private network hosts in the domain corporate environment. For more information see: http://go.microsoft.com/fwlink/p/?LinkI
" indicates that network files are not available while the server is inaccessible.If you disable this setting or select the "Work offline" option
er.Note: Changes to this policy setting do not take effect until the affected computer is restarted.
'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' value to e
ed the default threshold value of 64000 bps is used to determine if a network connection is considered to be slow.Note: Use the following
client and the server is below (slower than) the Throughput threshold parameter or if the round-trip network latency is above (slower tha
s make available offline manually.If you enable this setting you can specify an automatic-cache disk space limit.If you disable this setting th
a limit. The network folder must also be in "slow-link" mode as specified by the "Configure slow-link mode" policy to avoid network usage.
t current version from the server is always available for subsequent reads.This policy setting is triggered by the configured round trip netw
user interface.If you disable this policy setting all files in the Offline Files cache are unencrypted. This includes existing files as well as files
eding levels."0" records an error when the offline storage cache is corrupted."1" also records an event when the server hosting the offline
igned to protect files that cannot be separated such as database components.To use this setting type the file name extension in the "Exten
ured the setting in Computer Configuration takes precedence over the setting in User Configuration.
policy setting you can specify the disk space limit (in megabytes) for offline files and also specify how much of that disk space can be used b
uter Configuration and User Configuration folders. If both settings are configured for a particular server the setting in Computer Configurati
ne files.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Com
in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes
s in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration take
mputer Configuration takes precedence over the setting in User Configuration.
lders. If both policy settings are configured the policy setting in Computer Configuration takes precedence.The "Make Available Offline" co
ts inherited from lower precedence GPOs and the "Make Available Offline" command is displayed for all files and folders.If you do not con
ys available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available for offline
s setting or do not configure it the system asks users whether they want subfolders to be made available offline when they make a parent
ure that they are current.If you do not configure this setting the system performs a quick synchronization by default but users can change
n Manager is configured for logon synchronization the system performs only a quick synchronization. Quick synchronization ensures that fi
ended by closing the display on a portable computer files are not synchronized. If multiple users are logged on to the computer at the tim
is not configured reminder balloons are displayed by default when you enable offline files but users can change the setting.To prevent use
s no effect on the system.Important: If the maximum number of outstanding packets is specified in the registry for a particular network ad
rcent of the connection.Important: If a bandwidth limit is set for a particular network adapter in the registry this setting is ignored when c
ter then this setting is ignored when configuring that network adapter.
is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapter.
alue for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that network a
s service type is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapter.
P value for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that networ
pe is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapter.
ce type is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapter.
lue for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that network ad
service type is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapter.
value for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that network
vice type is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapter.
nored when configuring that network adapter.
this setting is ignored when configuring that network adapter.
is ignored when configuring that network adapter.
er this setting is ignored when configuring that network adapter.
when configuring that network adapter.
ignored when configuring that network adapter.
ves SNMP packets from the network.If you enable this policy setting the SNMP agent only accepts requests from management systems wi
SNMP agent only accepts requests from the list of permitted managers that you configure using this setting.If you disable or do not config
ment systems asynchronously.If you enable this policy setting the SNMP service sends trap messages to the hosts within the "public" comm
of the following settings:Policy Default State: 6to4 is enabled if the host has only link-local IPv6 connectivity and a public IPv4 address. If n
nt even if the host has other connectivity options.Policy Disabled State: No IP-HTTPS interfaces are present on the host.
y the host will have ISATAP configured with a link-local address and an address for each prefix received from the ISATAP router through st
NAT device Teredo might stop working or connectivity might be intermittent.If you disable or do not configure this policy setting the refres
main controller.Enterprise Client: The Teredo interface is always present even if the host is on a network that includes a domain controller.
etting Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems casued by Firew
ations are disabled over all media. If you do not configure this policy setting operations are enabled over all media. The default for this pol
l WCN wizards.
omputer should no longer be connected to a network it waits for traffic to settle on that network. The existing TCP session will continue u
able in Windows 8. If this policy setting is set to 1 any new automatic internet connection is blocked when the computer has at least o
ork automatic connection attempts to domain based networks are blocked.Manual connection attempts- When the computer is already co
iable: This connection is costed on a per byte basis.If this policy setting is disabled or is not configured the cost of Wireless LAN connection
ed with them and enables users on this device to share networks with their contacts."Enable paid services" enables Windows to temporar
.If you choose the "Force Allow" option Windows apps are allowed to access cellular data and employees in your organization cannot chan
n is costed on a per byte basis.If this policy setting is disabled or is not configured the cost of 3G connections is Fixed by default.
tion is costed on a per byte basis.If this policy setting is disabled or is not configured the cost of 4G connections is Fixed by default.
ternet printing only. It does not prevent the print client on the computer from printing across the Internet. Also see the "Custom sup
Services printers: 0 Bluetooth printers: 10 Shared printers: 0 In order to view available Web Services printers on your netw
o not display printers of a certain type enable this policy and set the number of printers to display to 0.In Windows 10 and later only TCP/I
s not respond. If you disable this setting the domain controller does not prune this computer's printers. This setting is designed to p
rint jobs into printer device commands. These commands will then be sent to the print server and the server will simply pass the comman
tting is disabled.
ation interval.
tion of the user's computer. When users search for printers the system uses the specified location (and other search criteria) to find a prin
ly appear in the Printers folder when Web view is enabled. If Web view is disabled the setting has no effect. (To enable Web view open the
deleting printers from Active Directory. If you enable this setting you can change the interval between contact attempts. If yo
adjust the priority to improve the performance of this service. Note: This setting is used only on domain controllers.
has published. By default the pruning service contacts computers every eight hours and allows two retries before deleting printers f
drivers will be blocked.If you enable this setting installation of a printer using a kernel-mode driver will not be allowed.Note: By applying th
alter the process in which a print driver is executed.-This policy setting applies only to print drivers loaded by the print spooler. Print driver
nt and Print connection will fail.This policy setting is not configured by default and the behavior depends on the version of Windows that y
s policy setting then applications that are configured to support driver isolation will be isolated.If you disable this policy setting then print d
er queue the device vid/pid will be compared to the approved list.
two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight hours.
y settings may alter the process in which a print driver is executed.-This policy setting applies only to print drivers loaded by the print spoo
his policy. Administrators may need to set both policies to block all print connections to a specific print server.If this setting is enabled user
nt no connection will be made. -You can configure Windows Vista clients so that security warnings and elevated command prompts d
location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing Location
y when Active Directory is not available.Note: A client license is used each time a client computer announces a printer to a print browse m
nning Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However because non-Wind
kbar do not show lists of recently or frequently used files folders or websites.If you disable or do not configure this setting the system will s
l remove the all apps list from Start and disable the "Show app list in Start menu" in Settings so users cannot turn it to On. Select this optio
ETE and from the logon screen.If you disable or do not configure this policy setting the Power button and the Shut Down Restart Sleep and
app. This is default behavior.Note: configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will supercede any po
he XML file is generated and moved to the desired file path type the fully qualified path and name of the XML file. You can type a local pat
e this policy setting notifications can still be raised by applications running on the machine via local API calls from within the application.
occurs.Note: By default the System State Data feature is always enabled on Windows Server 2003. See "Supported on" for all supported v
off status messages"" policy setting is enabled.

hut down a computer running Windows Server. (See "Supported on" for supported versions.)If you enable this policy setting and choose "
ou enable this policy setting the computer system safely shuts down and remains in a powered state ready for power to be safely removed
ches might make some programs start or run slowly.If you disable or do not configure this policy setting the program continues without th
setting the Persistent System Timestamp is refreshed according the default which is every 60 seconds beginning with Windows Server 20
and enter the desired folders in the text box on the Settings tab of the Policy Properties dialog box. Use a semicolon to separate folders. F
available in Computer Configuration\Security Settings. Note: This policy setting is available under Computer Configuration and Use
fied when each path is separated by a semicolon. The network location can be either a folder or a WIM file. If it is a WIM file the location s
Executable. If you disable or do not configure this policy setting DEP is turned on for HTML Help Executable. This provides an addition
at doesn't provide any of the functionality controlled by this policy setting regardless of the file server configuration.If you do not configur
l unit (Hour 0-23 Day 0-31). User Publishing Refresh: Enables user publishing refresh (Boolean). User Publishing Refresh On Lo
orting data. Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporting infor
rocess's command line information will not be included in Audit Process Creation events.Default: Not configuredNote: When this policy se
not configure (by default) this policy setting delegation of default credentials is not permitted to any computer. Applications depending up
egating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs)
edentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).If you disable this policy setting delegation o
e Desktop Session Host running on any machine (TERMSRV/*).If you disable this policy setting delegation of fresh credentials is not permitt
ation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).If you disable this policy setti
mitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the
PNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is per
es (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character
ce Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wi
Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not acce
dential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts.Â Requi
hine account (LOCAL SYSTEM) must have access permission to the policy file. If using a signed and protected policy then disabling this poli
e memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature.The "Di
at are initiated by device manageability solutions (like MDM or SCCM) and will not interfere with their workflows.
configure this policy setting Windows creates a system restore point as it normally would.
eves device metadata from the Internet.
ng the driver selection process. Selection is based on other criteria such as version number or when the driver was created. If you disable t
k is temporarily available.If the setting for searching only if needed is specified then Windows will search for a driver only if a driver is not l
rs of the Administrators group can determine the server used in the search for device drivers.
u disable or do not configure this policy setting members of the Administrators group are subject to all policy settings that restrict device i
olicy setting specifically prevents that installation (for example the "Prevent installation of devices that match any of these device IDs" poli
events that installation (for example the "Prevent installation of devices that match any of these device IDs" policy setting the "Prevent in
setting specifically prevents installation (for example the "Prevent installation of devices that match these device IDs" policy setting the "P
setting Windows is allowed to install or update the device driver for any device that is not described by the "Prevent installation of device
sktop client to the remote desktop server.If you disable or do not configure this policy setting devices can be installed and updated as allow
desktop server.If you disable or do not configure this policy setting devices can be installed and updated as allowed or prevented by othe
evices from a remote desktop client to the remote desktop server.If you disable or do not configure this policy setting Windows can instal
le devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server t
he time taken for shutdown and hibernate.If you do not configure this policy setting the default behavior is observed and the NV cache is u
icable only if the NV cache feature is on.
tting the system will not manage the NV cache and will not enable NV cache power saving mode.If you disable this policy setting the system
the default behavior of the system is observed and frequently written files will be stored in the NV cache.Note: This policy setting is appli
em disables the "Enable quota management" option on the Quota tab of NTFS volumes.Note: This policy setting turns on disk quota mana
efault but administrators can change the setting.Enforcement is optional. When users reach an enforced disk quota limit the system respo
etting while a setting is in effect.If you do not configure this policy setting no events are recorded but administrators can use the Quota tab
cy setting no event is recorded but administrators can use the Quota tab option to change the logging setting.This policy setting does not a
ng options in the "Select the default quota limit for new users of this volume" section on the Quota tab.This policy setting applies to all ne
play properly in this scenario will be blurry until the user logs out and back in to Windows. When you enable this policy some blurry applica
f GDI DPI Scaling is configured to both turn off and turn on an application the application will be turned off.
n manifest.If GDI DPI Scaling is configured to both turn off and turn on an application the application will be turned off.
OM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not configured.
1-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or improperly formatted appid DCOM will add it to the list without checking
o install new device drivers on the system.
ver searching" is disabled or not configured the administrator will be prompted for consent before going to Windows Update to search for
alware but the computer cannot successfully boot without loading this driver.- Unknown: This driver has not been attested to by your ma
disable or do not configure this policy setting the Classification tab is hidden.
he affected computers. If you disable or do not configure this policy setting the Global Resource Property List in AD DS provides the defaul
ven system: - Default value calculation is: (([NumProcessors]/2) + 1) - Default max value calculation is: ([NumProcessors]*2)
en volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the system
S). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function.If you enable this policy se
ndows Vista Windows 7 Windows 8 and Windows Server 2012 will use the standard English names for these subfolders when redirecting t
ndows Server applies user Group Policy settings synchronously.Note: This policy setting applies only to computers running Remote Deskto
age appears to the user and an event log message (1529) is posted.- Loopback Group Policy processing is applied using the Group Policy O
t the GPO from a different-language system you get the English ADM files as they were in the GPO.You can change this behavior by using t
gged on using cached credentialswhich will result in shorter logon times. Group Policy will be applied in the background after the network
e "Allow processing across a slow network connection" option updates preference items even when the update is transmitted across a slo
1. The "Allow processing across a slow network connection" option updates preference items even when the update is transmitted across
essing across a slow network connection" option updates preference items even when the update is transmitted across a slow network co
ted Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the default t
e system.The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted
e "Allow processing across a slow network connection" option updates preference items even when the update is transmitted across a slow
ing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network conn
y is "Idle."Notes:1. The "Allow processing across a slow network connection" option updates preference items even when the update is tr
oss a slow network connection" option updates preference items even when the update is transmitted across a slow network connection
default background processing priority is "Idle."Notes:1. The "Allow processing across a slow network connection" option updates prefere
ng you can use the check boxes provided to change the options. If you disable or do not configure this policy setting it has no effect on the
ssing across a slow network connection" option updates preference items even when the update is transmitted across a slow network con
in background mode or asynchronous foreground mode it continues to download the latest version of the policy information and it uses a
ograms' specified responses to slow links.If you enable this setting you can in the "Connection speed" box type a decimal number between
cessing across a slow network connection" option updates preference items even when the update is transmitted across a slow network c
this policy setting it has no effect on the system.The "Allow processing across a slow network connection" option updates the policies eve
"Allow processing across a slow network connection" option updates preference items even when the update is transmitted across a slow
setting it has no effect on the system.The "Allow processing across a slow network connection" option updates the policies even when the
und processing priority is "Idle."Notes:1. The "Allow processing across a slow network connection" option updates preference items even w
fter logon. If you do not configure this policy setting Group Policy will wait five minutes before running logon scripts.
efault background processing priority is "Idle."Notes:1. The "Allow processing across a slow network connection" option updates preferen
"Notes:1. The "Allow processing across a slow network connection" option updates preference items even when the update is transmitte
ckground processing priority is "Idle."Notes:1. The "Allow processing across a slow network connection" option updates preference items
ed. By default background processing priority is "Idle."Notes:1. The "Allow processing across a slow network connection" option updates p
dle."Notes:1. The "Allow processing across a slow network connection" option updates preference items even when the update is transm
tion prevents the system from updating affected policies in the background while the computer is in use. When background updates are d
ocessing across a slow network connection" option updates preference items even when the update is transmitted across a slow network
ult background processing priority is "Idle."Notes:1. The "Allow processing across a slow network connection" option updates preference it
tion" option updates the policies even when the update is being transmitted across a slow network connection such as a telephone line. U
background processing" option prevents the system from updating affected policies in the background while the computer is in use. When
cessing across a slow network connection" option updates preference items even when the update is transmitted across a slow network c
processing across a slow network connection" option updates preference items even when the update is transmitted across a slow netwo
enable this policy setting you can use the check boxes provided to change the options. If you disable or do not configure this policy setting
"Allow processing across a slow network connection" option updates preference items even when the update is transmitted across a slow
h set of Group Policy Objects applies.If you enable this setting you can select one of the following modes from the Mode box:"Replace" in
across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connectio
ocessing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network
dition. Changes to this policy take effect on reboot.
uter use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSO
Policy runs in background mode or asynchronous foreground mode it continues to download the latest version of the policy information an
figure this policy setting the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
non-administrators. Administrators can still invoke a refresh of computer policy at any time no matter how this policy setting is configured
minutes (45 days). If you select 0 minutes the computer tries to update Group Policy every 7 seconds. However because updates might in
ith users' work and increase network traffic very short update intervals are not appropriate for most installations.If you disable or do not c
his administratively configured maximum wait time and override any default or system-computed wait time.If you disable or do not config
es this administratively configured maximum wait time for workplace connectivity and overrides any default or system-computed wait tim
resh interval for users" policy settings.Note: If you make changes to this policy setting you must restart your computer for it to take effect.
e applied.Note: For computers joined to a domain it is strongly recommended that you only configure this policy setting in domain-based
P information logged on a client computer you can use the RSoP snap-in in the Microsoft Management Console (MMC).
xtension is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Confi
s extension is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Co
ned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration you
nsion is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configu
extension is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Co
otes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration you must pro
or this extension is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under Us
ned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration you m
ned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration you
urned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration yo
nly warnings and errors and tracing for this extension is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this
acing for this extension is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed u
g for this extension is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed unde
or this extension is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under U
rned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration you
acing for this extension is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed un
urned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration you
ng for this extension is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed und
urned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configuration yo
is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configuratio
nsion is turned off.Notes:1. User Configuration tracing: To perform tracing for items in this preference extension listed under User Configu
licy settings in the "Internet Communication settings" section are set to not configured.
er from automatically installing driver updates from the Windows Update website.If you disable or do not configure this policy setting user
e the Store service and the Store item is available in the Open With dialog.
you are presented with a certificate issued by an untrusted root authority your computer will not contact the Windows Update website to
y setting event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the description.If yo
mples from the handwriting recognition personalization tool with Microsoft.If you disable this policy Tablet PC user writing samples from th
n report handwriting recognition errors to Microsoft.If you do not configure this policy Tablet PC users can report handwriting recognition
ou might want to enable this policy setting for users who do not have Internet access because the content in the "Did you know?" section
le or do not configure this policy setting the Knowledge Base is searched if the user has a connection to the Internet and has not disabled
yed.If you disable or do not configure this policy setting a list of providers are downloaded when the user uses the web publishing or onlin
he user is allowed to use the Web service.
print to Internet printers over HTTP.Also see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates
ct Activation is required but does not involve submitting any personal information (except the country/region you live in).
ontent updates unless the user is using Classic Search.Note: Internet searches still send the search text and information about the search t
you disable this policy setting Windows Messenger collects anonymous usage information and the setting is not shown.If you do not confi
icy setting all users are opted out of the Windows Customer Experience Improvement Program.If you disable this policy setting all users ar
or reporting.Also see the "Configure Error Reporting" "Display Error Notification" and "Disable Windows Error Reporting" policy settings un
that use NCSI to determine Internet access. If you disable or do not configure this policy setting NCSI runs one of the two active tests.
emplates/System" which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is
le or do not configure this policy setting the domain controller does not support claims compound authentication or armoring.If you confi
get the fresh public key identity SID.Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients which
not provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is
rollers to ensure consistent application of this policy in the domain. If you disable or do not configure this policy setting domain controllers
t search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found NTLM authentication
t to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in y
d authentication always send a compound authentication request. If you disable or do not configure this policy setting and the resource do
olumn type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list click the m
column type the interoperable Kerberos V5 realm name. In the Value column type the realm flags and host names of the host KDCs using t
he SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails.
service (TGS) message exchanges with the domain controllers. Note: The Kerberos Group Policy "Kerberos client support for claims comp
e this policy setting the client devices will not request claims provide information required to create compounded authentication and arm
certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain the Kerberos client
LocalSystem or NetworkService might fail to authenticate.If you disable or do not configure this policy setting any service is allowed to ac
ximum value whichever is smaller.If you disable or do not configure this policy setting the Kerberos client or server uses the locally configu
the Value Name column type a DNS suffix name. In the Value column type the list of proxy servers using the appropriate syntax format. To
compound authentication by the following options:Never: Compound authentication is never provided for this computer account.Automa
cation using certificates then authentication with password will be attempted.Force: Device will always authenticate using its certificate. I
PN because the name is not found NTLM authentication might be used.
t this policy setting on a per-user basis make sure that the per-computer policy setting is not configured.
for their user account on the sign-in page.
g is not configured.If you enable this policy setting the user cannot select a custom locale as their user locale but they can still select a rep
olicy setting is disabled or not configured then the user can customize their user locale overrides.If this policy is set to Enabled at the comp
d States) and English (Canada).If you enable this policy setting administrators can select a system locale only from the specified system loca
English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada).If you enable this
ensaver timeout will limit the options the user may choose.If you disable this policy setting a user cannot change the amount of time after
that because this is a background refresh extensions such as Software Installation and Folder Redirection take two logons to apply change
hich the computer is joined. If you disable or do not configure this policy setting the default logon domain is always set to the domain to
fessional. It does not affect the ""Configure Your Server on a Windows 2000 Server"" screen on Windows 2000 Server.Note: This setting ap
Windows Vista adds any customized run list configured to its run list.This policy setting appears in the Computer Configuration and User C
Configuration folders. If both policy settings are configured the policy setting in Computer Configuration takes precedence over the policy
credential providers to exclude from the set of installedcredential providers available for authentication purposes.If you disable or do not
e %Systemroot% directory you must specify the fully qualified path to the file.If you disable or do not configure this policy setting the user
u disable this policy setting users will not see the animation and Microsoft account users will not see the opt-in prompt for services.If you
_POLICY_DEP_ENABLE (0x00000001) Enables data execution prevention (DEP) for the child process PROCESS_CREATION_MITIGAT
lish a connection to this domain controller. If you enable this policy setting Net Logon will allow the negotiation and use of older cryptogra
ulator if the DC fails to validate the password.If you disable this policy setting the DCs will not attempt to verify any passwords with the PDC
cess is requested and the caller has only read permission.By default the Netlogon share will grant shared read access to files on the share
an expensive (e.g. ISDN) line this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain.T
sted and the caller has only read permission.By default the SYSVOL share will grant shared read access to files on the share when exclusiv
you disable this policy setting or do not configure it the default behavior occurs as described above.
at were initially unavailable. If the value for this setting is too small clients will attempt to find DCs even when none are available.
ays (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0).
r local configuration.
tting is used.The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=423
the NegativeCachePeriod subkey the value in the NegativeCachePeriod subkey is used.Warning: If the value for this setting is too large a c
ng is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.If the value for this setting is smaller than the value speci
s setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the sa
n be used in an environment without WINS in an IPv6-only environment and whenever DC location based on a NetBIOS domain name is n
ver a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons NetBIOS-base
scover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carr
some applications are broken due to the returned IPv6 DC address this policy can be used to disable the default behavior and enforce to re
V resource records click Enabled and then enter a value. The range of values is from 0 to 65535.If you do not configure this policy setting i
target host to be contacted is proportional to the Weight field value in the SRV record.To specify the Weight in the DC Locator DNS SRV re
llowing behaviors:0 - DCs will never perform address lookups.1 - DCs will perform an exhaustive address lookup to discover additional clie
sDomainName>Pdc SRV _ldap._tcp.pdc._msdcs.<DnsDomainName>Gc SRV _ldap._tcp.gc._msdcs.<DnsForestName>GcAt
ure this policy setting it is not applied to any DCs and DCs use their local configuration.
are configured to perform scavenging of the stale records this reregistration is required to instruct the DNS servers configured to automati
the site-specific SRV records are dynamically registered by the Net Logon service and they are used to locate the application directory par
ore well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.To specify the sites cover
Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and repli
way could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is clos
bal Catalog for the same forest exists.If you disable this policy setting the DCs will not register site-specific DC Locator DNS SRV records for
etting is enabled.If you enable this policy setting when the AllowSingleLabelDnsDomain policy is not enabled computers to which this polic
tive Directory domain specified with a single-label name using DNS name resolution.If you disable this policy setting computers to which th
NS host name as-is when registering domain controller SRV records.If not configured domain controllers will default to using their local co
d conditions for the maximum PIN length are not met default values will be used for both the maximum and minimum PIN lengths.
pecified conditions for the minimum PIN length are not met default values will be used for both the maximum and minimum PIN lengths.
e this setting.
ers can control this setting.
policy setting can be used to disable the slide show feature.

policy setting can be used to disable the slide show feature.
tting can be used to disable the slide show feature.
tting can be used to disable the slide show feature.
o run on the lock screen when the machine is locked this can prevent the sleep transition from occuring. The "Prevent enabling lock scree
o run on the lock screen when the machine is locked this can prevent the sleep transition from occuring. The "Prevent enabling lock scree
d to disable the slide show feature.

d to disable the slide show feature.
store the computer to the original state or from a user-created system image. This is the default setting. If you disable this policy setting
ers running this version and a previous version of the operating system can connect to this computer.If you do not configure this policy setti
pport staff using Offer (Unsolicited) Remote Assistance.If you enable this policy setting you have two ways to allow helpers to provide Rem
nnections to this computer.If you do not configure this policy setting users can turn on or turn off Solicited (Ask for) Remote Assistance the
s policy setting the user sees the default warning message.If you do not configure this policy setting the user sees the default warning mes
urn off backgroundIf you enable this policy setting bandwidth optimization occurs at the level specified.If you disable this policy setting app
etting RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients making such
_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation.If you disable this policy setting the RPC Runtime will g
information.-- "None" indicates that the system does not maintain any RPC state information. Note: Because the basic state information
do not configure this policy setting it remains disabled. It will only generate a status code to indicate an error condition.If you enable this
runtime uses the value of "Authenticated" on Windows Client and the value of "None" on Windows Server versions that support this poli
C Client the RPC Server and the RPC HTTP Proxy are all running Windows Server 2003 family/Windows XP SP1 or higher versions. If either t
ta Drives."
he DNS suffixes are not configured.
ws Vista operating system scripts that are configured to run asynchronously are no longer visible on startup whether this policy setting is e
.This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuratio
ng system scripts that are configured to run asynchronously are no longer visible on startup whether the ""Run startup scripts visible"" pol
policy setting is enabled in GPO A. GPO B and GPO C include the following computer startup scripts:GPO B: B.cmd B.ps1GPO C: C.cmd C.ps
nd GPO C include the following user logon scripts:GPO B: B.cmd B.ps1GPO C: C.cmd C.ps1Assume also that there are two users Qin Hong a
h. To direct the system to wait until the scripts have finished no matter how long they take type 0. This interval is particularly important wh
lnerability.Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vulnerabil
erver 2008 R2) or the â€œRefresh the data shown in Server Manager every [x] [minutes/hours/days]â€ setting (in Windows Server 2012)
ator logs on to the server. However if an administrator selects the "Do not show this window at logon" option the window is not displayed
t start Server Manager automatically at logonâ€ (Windows Server 2012) option is selected the console is not displayed automatically at lo
omatically terminated during shutdown helping to ensure that Windows can shut down faster and more smoothly.
cadence (unless you also configure the "Configure Storage Sense cadence" group policy).Disabled:Storage Sense is turned off the machine
e this setting in Storage settings.
backed content.Disabled or Not Configured:By default Storage Sense will not dehydrate any cloud-backed content. Users can configure thi
Sense will delete files in the userâ€™s Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settin
eleting files in the Downloads folder.Disabled or Not Configured:By default Storage Sense will not delete files in the userâ€™s Downloads
configure this policy setting users can change the System Restore settings through System Protection. Also see the "Turn off System Restor
nfigure this policy setting users can perform System Restore and configure System Restore settings through System Protection.Also see th
s or indicate to the user that assisted resolution is available.If you disable this policy setting Windows cannot detect troubleshoot or resolv
mediately.This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped o
issues for applications and drivers.If you do not configure this policy setting the PCA is configured to detect failures during application inst
ired. This behavior is recommended for headless operation.Troubleshooting Only: Detection and troubleshooting of corrupted files will au
y takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the run
tial data loss. If you disable this policy S.M.A.R.T. faults are still detected and logged but no corrective action is taken. If you do not configu
is policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.This policy setting takes effect only wh
ario execution policy is not configured.No reboots or service restarts are required for this policy setting to take effect. Changes take effect
wnload additional tools to diagnose problems on remote computers only. If you enable this policy setting for local and remote troublesho
ure this policy setting MSDT support mode is enabled by default.No reboots or service restarts are required for this policy setting to take e
leshooting for critical problems by system features and Microsoft.2 = Automatically apply troubleshooting for critical problems by system
suggest the application that should be re-installed. This behavior is recommended for headless operation and is the default recovery beha
be able to detect troubleshoot or resolve problems on a scheduled basis.If you do not configure this policy setting local troubleshooting pr
roubleshooting packs such as those found in .diagcab files.

on Microsoft content servers from within the Troubleshooting Control Panel user interface.If you disable this policy setting users can only
dows Boot Performance problems and indicate to the user that assisted resolution is available.If you disable this policy setting Windows w
led diagnostic scenarios are not executed.Note: The DPS can be configured with the Services snap-in to the Microsoft Management Conso
DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available.If you disable this polic
detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available.If you disable this policy setti
the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available.If you d
etect Windows System Responsiveness problems and indicate to the user that assisted resolution is available.If you disable this policy setti
plus the TPM user delegation blob or none.If you enable this policy setting Windows will store the TPM owner authorization in the registry
o the "Command Management" section.If you disable or do not configure this policy setting only those TPM commands specified through t
y is disabled or until the TPM is in a Ready state.
d on a system and has taken effect (after a system restart) disabling it will have no impact and the system's TPM will remain configured usi
ck List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting a
Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands.If you disable or do not configure thi
nd commands requiring authorization to the TPM.An authorization failure occurs each time a standard user sends a command to the TPM
ng authorization to the TPM.An authorization failure occurs each time a standard user sends a command to the TPM and receives an error
rd users can send commands requiring authorization to the TPM.An authorization failure occurs each time a standard user sends a comma
is policy setting you can alter this behavior.If you enable this policy setting the administrator group is also given full control to the user's pr
ble this policy setting you can change how long Windows waits for a response from the server before considering the connection to be slo
enable this policy setting any local copies of the user's roaming profile are deleted when the user logs off. The roaming profile still remains
lete any profiles on the next system restart.
es the policy settings that tell the system how to respond to a slow connection.If you disable this policy setting or do not configure it slow l
he correct permissions if the profile folder already exists. For Windows Server 2003 family Windows 2000 Professional SP4 and Windows
ogoff but will unload the registry when all open handles to the per-user registry keys are closed.If you disable or do not configure this polic
ou disable this policy setting or do not configure it Windows logs on the user with a temporary profile when Windows cannot load their us
tive Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema t
files.If you enable this policy setting you can override the amount of time Windows waits for user input before using a default user profile
ou can use this policy setting to change this behavior.If you enable this policy setting Windows will not delete Windows Installer or Group
ng the registry the system cannot unload it. The system tries repeatedly (at a rate of once per second) to unload and update the registry se
oaming profiles from receiving their profile on a specific computer.If you enable this setting the following occurs on the affected computer
prevent changes made to a roaming profile on a particular computer from being persisted.If you enable this policy setting changes a user m
download the remote copy of the user profile. In Microsoft Windows Vista a check box appears on the logon screen and the user must cho
Windows waits for the network to become available up to the maximum wait time specified in this policy setting. Setting the value to zero
you have set the appropriate security on the folder to allow all users to access the profile.If you enable this policy setting all users logging o
gistry file at the specified interval after the user logs on. For example with a value of 6 hours the registry file of the roaming user profile is
the file share. If you choose â€œOn the local computerâ€ enter a local path (for example C:\HomeFolder) in the Path box.Do not specify
user's UPN SIP/URI and DNS."Always off" - users will not be able to change this setting and the user's name and account picture will not be
you disable this policy setting or do not configure it when a remote profile is slow to load the system loads the local copy of the roaming us
e maximum amount of disk space.If you disable this policy setting or do not configure it the default value is set to 50 MB on Windows XP P
isable or do not configure this policy setting by default files are scanned only during setup.Note: This policy setting affects file scanning on
controls the rate at which the W32time corrects the local clock's frequency. Lower values cause slower corrections; larger values cause mo
n see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The
characters cannot be used when specifying the host URLs.

criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate errors that
es for the Guest account and members of the Guests groupIf you enable this policy setting Group Policy allows deployment operations (ad
indows app packages.
u choose the "Force Allow" option Windows apps are allowed to access account information and employees in your organization cannot c
he "Force Allow" option Windows apps are allowed to access the eye tracker and employees in your organization cannot change it.If you c
e Allow" option Windows apps are allowed to access the call history and employees in your organization cannot change it.If you choose the
w" option Windows apps are allowed to access contacts and employees in your organization cannot change it.If you choose the "Force De
about other apps using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to get diagnosti
tion Windows apps are allowed to access email and employees in your organization cannot change it.If you choose the "Force Deny" optio
w" option Windows apps are allowed to access location and employees in your organization cannot change it.If you choose the "Force Den
.If you choose the "Force Allow" option Windows apps can read or send messages and employees in your organization cannot change it.If
rce Allow" option Windows apps are allowed to access motion data and employees in your organization cannot change it.If you choose th
orce Allow" option Windows apps are allowed to access notifications and employees in your organization cannot change it.If you choose th
tion Windows apps are allowed to access tasks and employees in your organization cannot change it.If you choose the "Force Deny" option
orce Allow" option Windows apps are allowed to access the calendar and employees in your organization cannot change it.If you choose th
e Allow" option Windows apps are allowed to access the camera and employees in your organization cannot change it.If you choose the "
the "Force Allow" option Windows apps are allowed to access the microphone and employees in your organization cannot change it.If you
he "Force Allow" option Windows apps are allowed to access trusted devices and employees in your organization cannot change it.If you c
n decide whether Windows apps can access the user's movements while the apps are running in the background by using Settings > Privac
employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization can d
interact with applications using speech while the system is locked and employees in your organization cannot change it.If you disable or d
ettings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to communicate with unpaired wireless d
ose the "Force Allow" option Windows apps will have access to control radios and employees in your organization cannot change it.If you
Allow" option Windows apps are allowed to make phone calls and employees in your organization cannot change it.If you choose the "For
he "Force Allow" option Windows apps are allowed to run in the background and employees in your organization cannot change it.If you c
sing Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to take screenshots of various wind
e.If you choose the "Force Allow" option Windows apps are allowed to turn off the screenshot border and employees in your organization
icy setting Windows Store apps can open files in the default desktop app for a file type.
his policy setting Windows Store apps can open URIs in the default desktop app for a URI scheme.Note: Enabling this policy setting does no
This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app compatib
running any subsequent 16-bit applications launch faster but overall resource usage on the system is increased.If the status is set to Enable
cations and will not block known incompatible applications from installing. (For Instance: This may result in a blue screen if an old anti-vir
ection has stopped for all applications please reboot your machine.
will be turned on.Note: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Colle
unning applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware o
gure this policy setting Steps Recorder will be enabled.
he applications they are using. If you disable or do not configure this policy setting the Switchback will be turned on.Please reboot the syste
orun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. If you enable this policy settin
If you enable this policy setting Autoplay is disabled on CD-ROM and removable media drives or disabled on all drives. This policy
Users who log on using biometrics should create a password recovery disk; this will prevent data loss in the event that someone forgets th
ot be used by any users to log on to a local Windows-based computer.Note: Users who log on using biometrics should create a password r
dows Hello face authentication is not required on unmanaged devices.

nt variables in the path. If the path is not valid the BitLocker setup wizard will display the computer's top-level folder view.If you disable or
e the XTS-AES algorithm. For removable drives you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices
able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.If you disable or do not configure thi
r Windows 7.If you enable this policy setting you will be able to choose an encryption algorithm and key cipher strength for BitLocker to u
y key.If you enable this policy setting you can configure the options that the setup wizard displays to users for recovering BitLocker encryp
em is rebooted or hibernated. This policy setting is only enforced when BitLocker or device encryption is enabled.Note: Some PCs may not
licy setting BitLocker secrets are removed from memory when the computer restarts.
nt of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reader. BitLoc
is policy setting is applied when you turn on BitLocker.Note: You might need to set up appropriate schema extensions and access control s
Note: BitLocker does not require that a certificate have an EKU attribute but if one is configured for the certificate it must be set to an obje
ewed. These operating systems have read-only access to BitLocker-protected drives.When this policy setting is enabled select the "Do not
er Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.In "Configure user s
ort hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based e
be also enabled.Note: These settings are enforced when turning on BitLocker not when unlocking a volume. BitLocker will allow unlocking
ble on the drive.If you disable this policy setting users are not allowed to use smart cards to authenticate their access to BitLocker-protect
ryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the B
bled the options of "Require additional authentication at startup" policy apply.
setup.If you disable or do not configure this policy setting enhanced PINs will not be used.
ocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is us
ure Boot-based integrity validation.If you disable this policy setting BitLocker will use legacy platform integrity validation even on systems
ocal Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about add
If minimum PIN length is set below 6 digits Windows will attempt to update the TPM 2.0 lockout period to be greater than the default wh
nd URL" option.If you select the "Use custom recovery message" option the message you type in the "Custom recovery message option" t
hile BitLocker protection is in effect the TPM will not release the encryption key to unlock the drive and the computer will instead display
values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for native UEFI firmware confi
tion Registers (PCRs). Use the "Configure TPM platform validation profile for BIOS-based firmware configurations" group policy setting to co
ot support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-
rd Policy\ must be also enabled.Note: These settings are enforced when turning on BitLocker not when unlocking a volume. BitLocker will
nt must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environment is not
ord or a USB drive is required for start-up. When using a startup key the key information used to encrypt the drive is stored on the USB dr
uter starts it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-digit star
ecovery.
n Data (BCD) integrity validation as defined by the "Allow Secure Boot for integrity validation" group policy the "Use enhanced Boot Config
nt can be viewed. These operating systems have read-only access to BitLocker-protected drives.When this policy setting is enabled select t
the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.In "Con
t support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-b
s are enforced when turning on BitLocker not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors av
rs available on the drive.If you disable this policy setting users are not allowed to use smart cards to authenticate their access to BitLocker
tion from the drive or suspend the encryption while maintenance is performed. Consult the BitLocker Drive Encryption Deployment Guide
When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are d
with a level of "Basic" or below users may see a limited set of tips.Also this setting only applies to Enterprise and Education SKUs.
play the password click the password reveal button.The policy applies to all Windows components and applications that use the Windows
Windows credentials within the userâ€™s desktop session potentially allowing malicious code access to the userâ€™s Windows credential
osoft is a processor for Windows diagnostic data from this device. Configuring this setting does not change whether diagnostic data is colle
rted on Enterprise Education and Server editions. - Send required diagnostic data. This is the minimum diagnostic data necessary to keep
configuration.The format for this setting is <server>:<port>
cy setting.
his machine and its diagnostic data data with your organization.
nts required by Desktop Analytics which can be viewed at https://go.microsoft.com/fwlink/?linkid=2116020.If you disable or do not config
ilds' under 'Windows Update for Business' for newer Windows 10 versions.
ended with Internet Peering.99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does no
ed GUID value as the Group ID.
ng requires a logoff for it to be applied.

d by users.
authentication certificate>. When using the HTTP protocol use port 5985.If you disable or do not configure this policy setting the Event Col
ld events" policy setting is enabled new events are discarded and the old events are retained.
e across all tools and APIs.
n remains in effect.
or clear this log.Note: If you enable this policy setting some tools and APIs may ignore it. The same change should be made to the "Configu
e across all tools and APIs.
n remains in effect.
.Note: If you enable this policy setting some tools and APIs may ignore it. The same change should be made to the "Configure log access (l
ere encrypted with.If you disable or do not configure this policy setting components will not encrypt event log messages before writing th
If you enable this policy SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:â€¢ Warn and
efault Library definition files.
bled or the client machine is not domain-joined no default associations will be applied at logon time.If the policy is enabled disabled or no
tting the protocol is fully enabled allowing the opening of folders and files.If you disable this policy setting the protocol is in the protected m
or do not configure this policy setting Folder Redirection does not create a temporary file and functions as if both new and old locations po
on-disk restore points.If you do not configure this policy setting it is disabled by default.
t is disabled by default. The Restore button is active when the previous version is of a local file.
media.If you do not configure this policy setting it is disabled by default. The Restore button is active when the previous version is of a loc
ure this policy setting it is disabled by default. The Restore button is active when the previous version is of a file on a file share.
not registered and the Find My Device feature will not work.The user will also not be able to view the location of the last use of their active
t the computer for this policy setting to take effect.

list can be created from a custom administrative template file. For information about creating this custom administrative template file se
able to change the Suggestions setting on the Settings charm.If you don't configure this policy setting users can change the Suggestions se
etting newly installed add-ons are automatically activated in the browser.If you disable or do not configure this policy setting newly installe
el is used. This is the default behavior.- If you enable this policy you can configure redirected sites to open in up to three of the following ch
icy setting the user will have the freedom to automatically configure these settings.
he Connections tab from the interface.
policy is enabled the user cannot add secondary home pages.
mport/Export Settings wizard.If you disable or do not configure this policy setting the user will be able to use the Import/Export Settings w
ttings. Note: Microsoft Edge Stable Channel must be installed for this policy to take effect.
otified about new versions of the browser.
ministrators who want to use Software Distribution Channels to update their users' programs without user intervention.
naging favorites and accessing Help. The Command bar enables the user to access and manage favorites feeds shortcuts to home page an
ng this policy in sync with the â€˜Send all intranet sites to Internet Explorerâ€™ (â€˜SendIntranetToInternetExplorerâ€™) policy. Additiona
able or don't configure this policy setting the menu option won't appear and users won't be able to run websites in Enterprise Mode.
in per line to the text box. For example:microsoft.sharepoint.comoutlook.comonedrive.comtimecard.contoso.comLOBApp.contoso.com
he decimal representation of this number is used to represent this number in policy. For example:â€¢Â 2 - Intranet site zone onlyÂ Â Bina
ovide a default Pop-up Blocker exception list.Note: You can disable users from adding or removing websites to the exception list by enabli
bar and F1 to access Help.
nt to enable the "Prevent managing pop-up exception list" and "Turn off pop-up management" policy settings to prevent the user from co
e user can configure how windows open when he or she clicks links from other applications.
e turned on users can install search providers as Accelerators to include them on the Accelerator menu.
turn on SmartScreen Filter during the first-run experience.

e addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.If you disable or do not co
s of which option is chosen.If you disable or do not configure this policy setting Internet Explorer may run the First Run wizard the first tim
iders installed do not appear (including providers installed from other applications). The only providers that appear are those in the list of
net zone.This policy prevents users from changing site management settings for security zones established by the administrator.Note: The
ative Templates\Windows Components\Internet Explorer\Internet Control Panel) which removes the Security tab from Internet Explorer in
llow users to change policies" policy.
urrently active browser.Note: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all intrane
mount of physical memory. We recommend the default setting.The second algorithm must be explicitly enabled through the creation of an
ty checks.If you disable or do not configure this policy setting the ActiveX Opt-In prompt appears.
average time to load all the user's enabled add-ons exceeds the threshold.If you disable or do not configure this policy setting users are no
browsing.
re this policy setting the user is prompted to decide whether to turn on the SmartScreen Filter during the first-run experience.
popup management feature will be functional.
policy setting the user can turn on or turn off tabbed browsing.
rn the auto-complete setting for web-addresses on or off.
licy setting the user can turn on and turn off the Suggested Sites feature.
attempts to perform a Clipboard operation.If you do not configure this policy setting current values of the URL action for the application o
ed when a script that is running in the Internet Explorer process attempts to perform a Clipboard operation.If you do not configure this po
ou enable this policy setting and enter a value of 1 prompts are bypassed. If you enter a value of 0 prompts are not bypassed. Value Name
he Print menu in Internet Explorer will be available. Starting with Windows 8 the Print flyout for Internet Explorer will be available and user
not configure this policy setting the Microsoft-provided website lists are not active. The user can activate the feature by using the Compatib
ode. This option results in the greatest compatibility with existing webpages but newer content written to common Internet standards ma
g Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Additionall
ternet Options.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting has no effect.
. Users can not delete browsing history.If you disable or do not configure this policy setting a user can set the number of days that Interne
ory dialog box. Starting with Windows 8 users can click the Delete Browsing History button on the Settings charm.
otection data and Do Not Track exceptions stored for visited websites.This feature is available in the Delete Browsing History dialog box.If
this policy setting is enabled by default.

cy setting has no effect.
ou do not configure this policy setting the user can choose whether to delete or preserve InPrivate Filtering data when he or she clicks Dele
y setting is enabled this policy setting is enabled by default.

ess to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
s the Advanced tab from the interface.

s""Disable changing Automatic Configuration settings"
ral tab from the interface:"Disable changing home page settings""Disable changing Temporary Internet files settings""Disable changing his
et Web Settings feature""Disable changing default browser check"

o not allow users to add/delete sites"
nverted to IDN format only for addresses that are in the Intranet zone. 3) Unicode domain names are always converted to IDN format.If
under International select the "Use UTF-8 for mailto links" check box.
etting non-Internet Explorer components will be automatically installed as necessary.
ompted when Web Components such as fonts would be downloaded.If you do not configure this policy users will be prompted when Web
e default is on.
atically launches any browser helper objects that are installed on the user's computer.
orer only sends the Do Not Track header if inPrivate Browsing mode is used.If you don't configure the policy setting users can select the Al
new versions of the browser so does not prompt users to install them.If you do not configure this policy setting Internet Explorer does not
u do not configure this policy setting Internet Explorer will not check server certificates to see if they have been revoked.
e programs or display their identities before downloading them to user computers.If you do not configure this policy Internet Explorer will
alicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8 Enhanced Protected
orer will save encrypted pages containing secure (HTTPS) information to the cache.
delete the contents of the user's Temporary Internet Files folder when browser windows are closed.If you do not configure this policy Inte
ictures found in Web content.
most preferred match.If you enable this policy setting the browser negotiates or does not negotiate an encryption tunnel by using the enc
ternet Explorer settings. This feature is turned on by default
o not configure this policy setting a user will have the freedom to accept requests from Web sites for Profile Assistant information.
tting users can turn this behavior on or off using Internet Explorer Advanced Options settings. The default is to encode all query strings in U
o the background.If you don't configure this setting users can turn this behavior on or off using the Settings charm.
use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.If you don't configure this policy settin
Browsing support can be turned on or off through the registry.
policy setting Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Protected M
n with the home page. Users cannot change this option to start with the tabs from the last browsing session.If you do not configure this po
l be able to store application caches on client computers. Allow website database and caches on Website Data Settings will be available to
tes will be able to store an indexed database on client computers. Allow website database and caches on Website Data Settings will be ava
ng you provide the cache limit in MB. The default is 50 MB.If you enable this policy setting Internet Explorer will allow trusted domains to s
expiration time limit for all application caches. The default is 30 days.
provide the cache limit in MB. The default is 500 MB.If you enable this policy setting Internet Explorer will allow trusted domains to store
n or equal to the size set in this policy setting.If you disable or do not configure this policy setting Internet Explorer will use the default app
llow the creation of application caches whose manifest file contains the number of resources including the page that referenced the mani
this policy setting Internet Explorer will use the default maximum storage limit for all application caches. The default is 1 GB.
onfigure this policy setting Internet Explorer will use the default maximum storage limit for all indexed databases. The default is 4 GB.
work Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent zone. If
nto the Intranet Zone.
ted Sites zone (Low template) Intranet zone (Medium-Low template) Internet zone (Medium template) and Restricted Sites zone (High tem
tranet through the intranet settings dialog in Control Panel.
anced page in the Internet Control panel).
ed as though it is in the Internet zone.If this policy setting is not configured a Notification bar notification appears for intranet content load
tting users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not configure thi
over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you disable this policy setti
mented a custom security manager.If you do not configure this policy setting binary and script behaviors are available.
es from this zone automatically.
p items from this zone.

Ps.If you disable this policy setting XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do not confi
s.If you disable this policy setting XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you do not co
ot change this behavior.If you do not configure this policy setting the user can decide whether to load XPS files inside Internet Explorer.
this policy setting a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web page.
nectors.If you do not configure this policy setting users can perform OpenSearch queries in this zone using Search Connectors.
d as search results in File Explorer will be affected. MAPI items reside in the Internet zone so disabling this policy for the Internet zone will
zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this policy se
es.If you disable this policy setting video and animation cannot be played through older media players.If you do not configure this policy se
on the Notification bar to allow the ActiveX control prompt.
eive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If you disable
his policy setting Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has no certifi
your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off using Inter
download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
ndows. Users cannot change this setting.In Internet Explorer 10 if you disable this policy setting or do not configure it users cannot drag co
. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10 if you disable this policy setting or do not configure
s dictated by the feature control setting for the process.If you do not configure this policy setting the MIME Sniffing Safety Feature will not
m.If you do not configure this policy setting the user can choose whether path information is sent when he or she is uploading a file via an
ied whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting ActiveX controls that cannot be
eir sandbox. Disable Java to prevent any applets from running.If you disable this policy setting Java applets cannot run.If you do not config
applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users are queried to
er zones. After a user is queried these values can be used silently for the remainder of the session.Automatic logon with current user name
onfigure this policy setting users can open windows and frames from othe domains and access applications from other domains.
ble this policy setting Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting Internet
olicy setting Internet Explorer will not execute signed managed components.If you do not configure this policy setting Internet Explorer w
user can configure how the computer handles these files. By default these files are blocked in the Restricted zone enabled in the Intranet a
sers' computers.High safety to prevent users from being notified of software updates by e-mail software packages from being automatica
y setting information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this policy setting
work Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting .NET Framework Setup is turned o
pt is turned off by default.
one for malicious content.
istory in favorites in an XML store or directly within a Web page saved to disk.If you do not configure this policy setting users can preserve
cy setting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection

ve installed.
his policy setting Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web site that ha
our antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off using Interne
pt is turned on by default.
ve installed.
ntrols without user intervention.
rols without user intervention.
applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users can run applica
setting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection fr
mented a custom security manager.If you do not configure this policy setting only behaviors listed in the Admin-approved Behaviors under

s dictated by the feature control setting for the process.If you do not configure this policy setting the actions that may be harmful cannot r

mented a custom security manager.If you do not configure this policy setting binary and script behaviors are not available unless applicatio
drag or copy files from this zone.
m this zone.
this policy setting a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page
nectors.If you do not configure this policy setting users cannot perform OpenSearch queries in this zone using Search Connectors.
applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users are prevented
plications from different domains.If you do not configure this policy setting users cannot open other windows and frames from different d
istory in favorites in an XML store or directly within a Web page saved to disk.If you do not configure this policy setting users cannot prese
allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you disable
mented a custom security manager.If you do not configure this policy setting binary and script behaviors are not available unless applicatio
drag or copy files from this zone.
m this zone.
this policy setting a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another Web page
nectors.If you do not configure this policy setting users cannot perform OpenSearch queries in this zone using Search Connectors.
applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users are prevented
plications from different domains.If you do not configure this policy setting users cannot open other windows and frames from different d
istory in favorites in an XML store or directly within a Web page saved to disk.If you do not configure this policy setting users cannot prese
ve installed.
whether to allow the unsigned control to run.
ults is displayed in the main window.If you disable or do not configure this policy setting the user can specify what action applies to search
policy setting you can choose where to direct the user after a search on the Address bar: a top-result website or a search-results webpage
g URL Suggestions will be turned on. Users will be able to turn on or turn off URL Suggestions in the Internet Options dialog. By default URL
ng Internet Explorer uses Windows Search AutoComplete to provide relevant results in the Address bar. The user cannot change this settin
information URL.If you disable or do not configure this policy setting the user can specify the cipher strength update information URL.
this policy setting the user can establish the InPrivate Filtering threshold by clicking the Safety button and then clicking InPrivate Filtering.
e this policy setting the user can establish the Tracking Protection threshold by clicking the Safety button and then clicking Tracking Protec
not configure this policy setting it can be configured on the Privacy tab in Internet Options.
ff on the Privacy tab in Internet Options.
ot configure this policy setting it can be configured through the registry.

you do not configure this policy setting it can be configured through the registry.
n.If you disable or do not configure this policy setting the reveal password button can be shown by the application as a user types in a pas
no effect if Windows has been configured to enable Data Execution Prevention.
olicy setting Data URI support can be turned on or off through the registry.
ons to be allowed or denied by Internet Explorer. For each entry that you add to the list enter the following information:Name of the Valu
d-on management user preferences or policy settings.
ted within the 'Add-on List' policy setting. This policy setting effectively removes this option from users - all add-ons are assumed to be de
eferences and policy settings. If you enter a Value of 0 the add-on management user preferences and policy settings are ignored by the sp
s the user run the outdated ActiveX control once.For more information see "Outdated ActiveX Controls" in the Internet Explorer TechNet
nt to include http://example use "example"3. "file:///path/filename.htm". For example use "file:///C:/Users/contoso/Desktop/index.htm"

f outdated ActiveX controls for Internet Explorer on specific domains" policy settings.For more information see "Outdated ActiveX Control
If you disable or do not configure this policy setting websites can request data across domains by using the WebSocket object. By default
across domains by using the XDomainRequest object.
r notation e.g. #default#vml.If you disable this policy setting no behaviors will be allowed in zones set to 'admin-approved' just as if those
ning technologies.
nary behaviors are prevented for the File Explorer and Internet Explorer processes.
The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not ente
ng Consistent Mime Handling is enabled for all processes.If you disable or do not configure this policy setting Consistent Mime Handling is
ng Internet Explorer requires consistent MIME data for all received files.If you disable this policy setting Internet Explorer will not require c
ministrators to define applications for which they want this security feature to be prevented or allowed.If you enable this policy setting and
es to all local files and content processed by any process other than Internet Explorer or those defined in a process list.If you disable or do
cal Machine zone security applies to all local files and content processed by Internet Explorer.If you disable this policy setting Local Machi
chine Zone security applies. If you enter a value of 0 Local Machine Zone security does not apply. If a Value Name is empty or the Value is
or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy
is prevented for File Explorer and Internet Explorer and resources hosted on the MK protocol will fail.
ernet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes
r than File Explorer or Internet Explorer.If you do not configure this policy setting no policy is enforced for processes other than File Explor
ames http and https.If you disable this policy setting restricting content obtained through restricted protocols is prevented for File Explore
lowed. If you enter a Value of 0 restricting content obtained through restricted protocols is blocked. The Value Name is the name of the ex
stricted protocols to access my computer."If you disable or do not configure this policy setting for a zone no protocols are restricted for th
ll not be displayed for all processes other than Internet Explorer or those listed in the Process List.
. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: us
across domains for Internet Explorer processes.

or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Expl
her than Internet Explorer or those listed in the Process List receive no such protection.
r processes.If you disable this policy setting no zone receives such protection for Internet Explorer processes.If you do not configure this po
ity feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 elevation to more privileged zones can be pr
ternet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in
use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the process
indows that obfuscate other windows.If you do not configure this policy setting popup windows and other restrictions apply for File Explo
be opened. If you enter a Value of 0 windows have none of these restrictions. The Value Name is the name of the executable. If a Value Na
ns.If you disable or do not configure this policy setting the command buttons show selective text by default and the user can change this.
mpted and incompatible toolbars run unless previously disabled through policy settings or user choice.If you disable or do not configure th
do not configure this policy setting IIS can be installed as well as all the programs and applications that require IIS to run.
be applied to Automatic Maintenance.

y setting the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply.
o MDM service specified in the Azure AD. If you disable this policy setting MDM will be unenrolled.
er signs in to a device to prevent cached tokens from being present. If this setting is disabled or not configured applications and services ca
r is restarted the service will be started if it is set to Automatic startup. After the service has started there will be a check to see if antivirus
Potentially unwanted software will not be blocked. Not configured: Same as Disabled.
be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrator.
the order specified above. If you disable or do not configure this setting the proxy will skip over this fallback step according to the orde
e. The URL should be proceeded with either http:// or https://. If you disable or do not configure this setting the proxy will skip over this
t time. If you disable this setting scheduled tasks will begin at the specified start time.
Antivirus. Otherwise Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software. Enab
tting Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five se
used and it is recommended that this be set to 0.
ws\app.exe". The value is not used and it is recommended that this be set to 0.
htâ€ feature will not function. MAPS -> The â€œSend file samples when further analysis is requiredâ€ should be set to 1 (Send safe sa
emoved. The information will be automatically collected and sent. In some instances personal information might unintentionally be sent t
ple of audit events are collected for ASR rules will the value of not configured. Enabled: Specify the state for each ASR rule under the O
pplied to the ASR rules. Not configured: Same as Disabled. You can configure ASR rules in the Configure Attack Surface Reduction rule
n enable controlled folder access in the Configure controlled folder access GP setting. Default system folders are automatically guarded b
onfigure allowed applications GP setting. Default system folders are automatically protected but you can add folders in the Configure p
abled. You can enable controlled folder access in the Configure controlled folder access GP setting. Microsoft Defender Antivirus autom
ord of the event will be in the event logs. Disabled: Users and applications will not be blocked from connecting to dangerous domains.
n the value of EnableNetworkProtection.
MAPS settings - "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is required" all
d in order to function. Possible options are: (0x0) Default Microsoft Defender Antivirus blocking level (0x1) Moderate Microsoft De
n the value of EnableNetworkProtection.

is up-to-date with all the latest security updates network protection will have no impact on network performance. If you enable or do no
be present on those volumes. The options for this setting are mutually exclusive: 0 = Scan incoming and outgoing files (default) 1 = S
pecified. If you disable or do not configure this setting a scheduled full scan to complete remediation will run at a default frequency.
mediation will run at a default time.
d scan will run at a default frequency.

ere will be no catch-up scan run. If you disable or do not configure this setting catch-up scans for scheduled full scans will be turned off.
d there will be no catch-up scan run. If you disable or do not configure this setting catch-up scans for scheduled quick scans will be turne
mber of days.
tting the antimalware service will not receive notifications to disable security intelligence.
y intelligence updates will be enabled. If you disable this setting real-time security intelligence updates will disabled.
ource the remaining sources in the list will not be contacted. If you disable or do not configure this setting the list will remain empty by d
ou disable or do not configure this setting spyware security intelligence will be considered out of date after the default number of days ha
ble or do not configure this setting virus security intelligence will be considered out of date after the default number of days have passed w
will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source t
r do not configure this setting the check for security intelligence updates will occur at a default frequency.
y specified. If you disable or do not configure this setting the check for security intelligence updates will occur at the default time.
Mitigation PowerShell cmdlet or using the Export button at the bottom of the Exploit Protection area in Windows Security.- Place the gene
s no sync provider. Settings are written directly to the settings storage location rather than being cached to sync later. Set SyncMethod to
r Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to whatev
g the settings storage location before synchronizing settings packages. If you do not configure this policy any defined values will be delete
you specify a UNC path and leave the option to replace the default Microsoft templates unchecked the UE-V Agent will use the default Mi
roaming.If you do not configure this policy setting any defined values are deleted.
f you do not configure this policy setting any defined values are deleted.
selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization.If you disable this policy
his setting disabled the tray icon does not appear in the system tray UE-V never displays notifications and the user cannot access Company
DI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V was instal
defined values will be deleted.
be backed up.If you disable this policy setting certain user settings which are common between the Microsoft Office Suite 2013 application
be backed up.If you disable this policy setting certain user settings which are common between the Microsoft Office Suite 2016 application
values will be deleted.
tting any defined values will be deleted.
g any defined values will be deleted.
any defined values will be deleted.
er settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version of the
ues will be deleted.
ues will be deleted.
y setting any defined values will be deleted.
setting any defined values will be deleted.
this policy setting any defined values will be deleted.
ny defined values will be deleted.
y defined values will be deleted.
Suite 2010 applications continue to synchronize.If you disable this policy setting the user settings which are common between the Micros
ded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
ded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
his policy setting Microsoft Office 365 Access 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offic
his policy setting Microsoft Office 365 Access 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offic
e Microsoft Office Suite 2013 applications from synchronization between computers with UE-V.If you enable this policy setting user settin
e Microsoft Office Suite 2016 applications from synchronization between computers with UE-V.If you enable this policy setting user settin
olicy setting Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365
olicy setting Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365
able this policy setting Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V.If you disable this policy setting Microso
cy setting Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365 Lyn
cy setting Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365 Lyn
nable this policy setting Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V.If you disable this policy setting Micro
nable this policy setting Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V.If you disable this policy setting Micro
le this policy setting Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft
le this policy setting Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft
If you enable this policy setting Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V.If you disable this policy se
If you enable this policy setting Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V.If you disable this policy se
this policy setting Microsoft Office 365 Project 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offi
this policy setting Microsoft Office 365 Project 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offi
enable this policy setting Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V.If you disable this policy setting Micr
enable this policy setting Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V.If you disable this policy setting Micr
een computers with UE-V.If you enable this policy setting Microsoft Office 365 SharePoint Designer 2013 user settings continue to sync wit
icy setting Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365 V
icy setting Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365 V
policy setting Microsoft Office 365 Word 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 36
policy setting Microsoft Office 365 Word 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 36
o not configure this policy setting any defined values will be deleted.
re this policy setting any defined values will be deleted.
s policy setting any defined values will be deleted.
cy setting any defined values will be deleted.
from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
ng any defined values will be deleted.

will not be backed up.If you do not configure this policy setting any defined values will be deleted.
lues will be deleted.
lues will be deleted.
ed values will be deleted.
ed values will be deleted.
his setting do not return the setting to Not Configured. Doing so will not change the configuration and the last configured setting will rema
ures can work with OneDrive file storage.
ng apps and features can work with OneDrive file storage.
onnected account will save documents to OneDrive by default.
erience may launch for newly-created user accounts or for accounts that should be prompted to choose their privacy settings after an upg
ed will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration.If you do not configure th
their system settings for presentations in Windows Mobility Center.If you do not configure this policy setting Windows presentation settin
to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the lice
o issue a Windows Server 2003 TS CAL for clients connecting to a terminal server running Windows Server 2003.By default if the most app
known publishers on the client computer. If the user tries to start an RDP session the user receives a message that the publisher has been
an .rdp file).If you enable or do not configure this policy setting users can run .rdp files that are signed with a valid certificate. Users can als
rver can be authenticated the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be authen
ware accelerated decoding if supported hardware is available.
dows Server 2008 R2 with SP1 or Windows Server 2008 R2 and a user is prompted on both the client computer and on the RD Session Hos
e or do not configure this policy setting no publisher is treated as a trusted .rdp publisher.Notes:You can define this policy setting in the Co
ection by using any user account.For this change to take effect you must restart Windows.
ed for Remote Desktop IP Virtualization to work.

pplication installation requests are queued and handled by the msiexec process in the order in which they are received.
setting Remote Desktop IP Virtualization is turned off.
erver Manager.By default only programs in the RemoteApp Programs list can be started when a user starts a Remote Desktop Services ses
ou do not configure this policy setting Remote Desktop Services uses the Remote Desktop setting on the target computer to determine w
utomatic reconnection is not specified at the Group Policy level. However users can configure automatic reconnection using the "Reconne
ion Host server is configured to allow multiple sessions) and the original session might still be active.If you enable this policy setting you m
nected administrator is allowed.Note: The console session is also known as Session 0. Console access can be obtained by using the /consol
umber of Remote Desktop Services sessions and Remote Desktop for Administration allows two Remote Desktop Services sessions.To use
configure this policy setting this policy setting is not specified at the Group Policy level.
ktop Protocol will not try to adapt the remote user experience to varying network quality. If you disable Connect Time Detect and Continu
TCP.If you disable or do not configure this policy setting RDP will choose the optimal protocols for delivering the best user experience.
e user's consent.4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the user's con
disable or do not configure this policy setting the Start screen is shown and apps are registered in the background.
n a Remote Desktop Protocol (.rdp) file. By default video playback is enabled.By default audio and video playback redirection is not allowe
udio recording redirection is allowed by default when connecting to a computer running at least Windows 7 or Windows Server 2008 R2. I
ame as the server time zone.Note: Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 te
Clipboard redirection.If you do not configure this policy setting Clipboard redirection is not specified at the Group Policy level.
ktop Services always allows COM port redirection.If you do not configure this policy setting COM port redirection is not specified at the Gr
ection is not allowed on computers running Windows Server 2003 Windows 8 and Windows XP.If you disable this policy setting client drive
If you do not configure this policy setting LPT port redirection is not specified at the Group Policy level.
soft Windows XP Professional and the target server must be joined to a domain.
he supported Plug and Play devices to redirect to the remote computer.If you enable this policy setting users cannot redirect their support
to choose the video capture devices to redirect to the remote computer.
determined by the codec that is being used. If you select Dynamic the audio will be sent with a level of compression that is determined by
cy setting these notifications will not be displayed on the RD Session Host server.If you disable or do not configure this policy setting these
RDS Per Device CAL issued from an RD Licensing server. If you enable this policy setting the Remote Desktop licensing mode that you s
der: 1. Remote Desktop license servers that are published in Active Directory Domain Services. 2. Remote Desktop license servers that
ers can redirect print jobs with client printer mapping.If you do not configure this policy setting client printer mapping is not specified at th
aps the client default printer and sets it as the default printer upon connection.If you do not configure this policy setting the default printe
able. You can choose to change this default behavior. The available options are:"Do nothing if one is not found" - If there is a printer driver
he client printer the client printer is not available for the Remote Desktop session.If you disable this policy setting the RD Session Host ser
roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. Wh
path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user.To confi
irectory on the local computer type the Home Dir Root Path in the form "Drive:\Path" (without quotes) without environment variables or
are not used by users connecting remotely to the RD Session Host server.Note:For this policy setting to take effect you must also enable an
ame the server joins that farm in RD Connection Broker.If you enable this policy setting you must specify the name of a farm in RD Connec
for a high availability setup with multiple RD Connection Broker servers you must provide a semi-colon separated list of the FQDNs of all t
xists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting.If you disable
er where their session exists. To use this redirection method client computers must be able to connect directly by IP address to RD Session
on Host server where their session exists. If you disable this policy setting users who do not have an existing session log on to the first RD
te computer. If you enable this policy setting desktop composition will be allowed for remote desktop sessions. On the client computer yo
ides any initial program policy settings.If you disable or do not configure this policy setting an initial program can be specified that runs on
network bandwidth but is more memory-intensive. Additionally a third option is available that balances memory usage and network bandw
quality to Medium RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides
policy setting the RemoteFX experience will change dynamically based on the network condition."
for remote connections. You can configure font smoothing on the Experience tab in Remote Desktop Connection (RDC) or by using the "al
Windows Server 2008 R2 SP1 RemoteFX Codec.If you disable or do not configure this policy setting non-Windows thin clients that only sup
Desktop Services sessions.If the status is set to Enabled wallpaper never appears in a Remote Desktop Services session.If the status is set to
port available on the client computer. If you select Client Compatible the highest color depth supported by the client will be used.If you di
or do not configure this policy setting the maximum resolution that can be used by each monitor to display a Remote Desktop Services se
monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level.
ialog box.Note: This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to
mains in the Settings menu.
indows Desktop are not displayed and when the user exits the program the session is automatically logged off.To use this setting in Progra
ese advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not su
the Microsoft Basic Render Driver as the default adapter. In all other cases Remote Desktop Services sessions use the hardware graphics re
RD Session Host server RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme.If you enable this
ch multimedia or Text.If you disable or do not configure this policy setting Remote Desktop Services sessions are optimized for rich multim
formed).If you have a higher than average bandwidth network you can maximize the utilization of bandwidth by selecting the highest setti
vices by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.If you disable th
ou disable or do not configure this policy setting server administrators have full read/write permissions to the user security descriptors by u
requests security for all RPC traffic. However unsecured communication is allowed for RPC clients that do not respond to the request.If th
sport Layer Security (TLS) version 1.0 is supported it is used to authenticate the RD Session Host server. If TLS is not supported native Remo
Connection on the client computer click the icon in the upper-left corner of the Remote Desktop Connection dialog box and then click Abo
d when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when
cryption method specified in this setting. By default the encryption level is set to High. The following encryption methods are available:* H
Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings.If you enable this
the session active. If you have a console session idle session time limits do not apply.If you disable or do not configure this policy setting t
ve a console session active session time limits do not apply.If you disable or do not configure this policy setting this policy setting is not spe
cted sessions are maintained for an unlimited time on the server.If you enable this policy setting disconnected sessions are deleted from t
mit that you specify is reached. When the time limit specified is reached the RemoteApp session will be logged off from the RD Session Hos
hen a user logs off even if the server administrator specifies otherwise.If you do not configure this policy setting Remote Desktop Services
e this policy setting per-session temporary folders are not created. Instead a user's temporary files for all sessions on the remote compute
he Feed APIs.
net Explorer and delete a feed or Web Slice through the feed list control. A developer can add or delete a feed or Web Slice by using the Fe
n.A developer cannot change this policy setting through the Feed APIs.
Windows SharePoint Services (WSS) the query should resemble the following where XXXX is the locale ID of your WSS Service. For example
nt Portal Server your query should resemble the following:http://sitename/Search.aspx?k=$wIf your intranet search service is Windows Sh
to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (such as
ecause of diacritics as the same word.

termine the language of a document with high confidence.
the web and if the web results are displayed in Search.
his policy setting a user can choose whether or not Search can perform queries on the web over metered connections and if the web result
or for Search is to not index online delegate mailboxes. Disabling this policy will block any indexing of online delegate mailboxes. Online de
. If you set this policy to not configured then online mail items will be indexed at the speed of 120 items per minute. This policy has no effe
r locations will be visible.
an initial default list of excluded file types that users can change later see the administration guide for information about how to set up th
xxx} (include the braces) or a ProgID such as VisFilter.CFilter.1.If you maintain a locked desktop environment this setting is redundant beca
our users can choose the location of the preview pane
e Search/DoNotUseWebResults
ormation but don't share search history Microsoft account info or specific location. If you disable or don't configure this policy setting us
on are displayed. Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a computer
s with a Client Authentication EKUIf you disable or do not configure this policy setting only certificates that contain the smart card logon ob
ot affected by this policy setting. Note: If you use an ECDSA key to log on you must also have an associated ECDH key to permit logons whe
expired.If you disable or do not configure this policy setting certificates which are expired or not yet valid will not be listed on the logon s
determined by their UPN). If there are two or more of the "same" certificate on a smart card and this policy is enabled then the certi
etting then Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP.If you disable or do n
This setting controls the appearance of that subject name and might need to be adjusted per organization.If you enable this policy setting
d the Windows Hardware Quality Labs (WHQL) testing process.

sent to Microsoft)
ult and configurable by the user.
stions. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy Input Panel will provide
ut Panel Options dialog box.If you disable this policy Input Panel will appear next to any text entry area in applications where this behavior
dialog box.If you disable this policy Input Panel will appear next to text entry areas in applications where this behavior is available. Users w
o enter text symbols numbers or keyboard shortcuts.If you enable this policy rarely used Chinese Kanji and Hanja characters will be includ
e this setting in the Input Panel Options dialog box.If you do not configure this policy Input Panel tab will appear on the edge of the Tablet
ar next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input Panel
licy and choose â€œLowâ€ from the drop-down box password security is set to â€œLow.â€ At this setting all password security settings
from the drop-down menu no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the In
Disable pen flicks policy.If you disable or do not configure this policy all the features described above will be available.
ote: Changes to this setting will not take effect until the user logs off.
nagement settings and its security context. Beginning users will often not be interested or confused by having the property sheet displaye
s security context.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured
enu and its submenus. Once a task is created users cannot change the program a task runs.Important: This setting does not prevent users
not prevent users from deleting tasks.Note: This setting appears in the Computer Configuration and User Configuration folders. If both setti
from using At.exe to create new tasks or prevent administrators from submitting tasks from remote computers.
n.Important: This setting does not prevent administrators of a computer from using At.exe to delete tasks.
ing files downloaded from the Internet.
If you enable this policy SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:â€¢ Warn and
oyees can choose whether to use Windows Defender SmartScreen.
nt and notification settings.

rol Panel settings for Windows Error Reporting override this policy setting.If you enable this policy setting the setting overrides any user ch
uration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes precedence. If Tu

g this policy setting is useful for servers that do not have interactive users.If you do not configure this policy setting users can change this s
eport that contains data about the same event types.
tting WER checks for solutions while a computer is running on battery power but does not upload report data until the computer is connec
r Reporting sends error reports to Microsoft.

automatically deleted.If you disable or do not configure this policy setting no Windows Error Reporting information is stored.
send the reports or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing behavior is
x is filled all errors in Windows applications are reported regardless of the setting in the Default dropdown list. The Windows applications c
d to report all application errors.If you enable this policy setting you can create a list of applications that are always included in error repo
To remove an application from the list click the name and then press DELETE. If this policy setting is enabled the Exclude errors for applicati
File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported even if
send any additional data that is requested by Microsoft.- Send parameters and safe additional data: the minimum data that is required to
ask before sending data): Windows prompts the user for consent to send reports.- 2 (Send parameters): Windows Error Reporting autom
tting is designed for a single user who has enrolled privileged and non-privileged on a single device. The user owns both credentials which e
g unlock options.For more information see: https://go.microsoft.com/fwlink/?linkid=849684
e of creation. Credentials created before the application of this policy continue to provide smart card emulation. To change an existing cre
software if the TPM is non-functional or unavailable.
nt to have one or more Windows Server 2016 domain controllers to prevent Windows Hello for Business authentication from failing.
his policy setting Windows Hello for Business uses the PIN recovery service. If you disable or do not configure this policy setting Windows d
hat encrypts their domain password.Select "Do not start Windows Hello provisioning after sign-in" when you use a third-party solution to p
uthorize the use of the certificate's private key.This policy setting is incompatible with Windows Hello for Business credentials provisioned
h files are installed.If Windows Installer detects that an installation package has permitted the user to change a protected option it stops th
ty context. Also see the "Remove browse dialog box for new source" policy setting.If you disable or do not configure this policy setting by
ted privileges such as installations offered on the desktop or displayed in Add or Remove Programs.This policy setting does not affect insta
e this policy setting by default users can install programs from removable media only when the installation runs in the user's security cont
iew or change including directories on highly restricted computers.If you disable or do not configure this policy setting the system applies
Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be delete
ent.(2) Add a new feature to the top or middle of an existing feature tree.The new feature must be added as a new leaf feature to an existi
yees. However because this policy setting can pose a security risk it should be applied cautiously.
ot system administrators cannot apply patches to installations that run with elevated system privileges such as those offered on the deskt
lied using a minimal set of processing.
install non-administrator updates.
uct.If you disable or do not configure this policy setting a user can remove an update from the computer only if the user has been granted
duce the amount of temporary disk space required to install programs. Also it prevents malicious users from interrupting an installation to
Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used.-- The "Restart Manager Off for L
and "Hide User Installs" is selected the installer ignores per-user applications. This causes a per-computer installed application to be visible
this policy setting the Browse button is enabled when an installation is running in the user's security context. But only system administrat
o the original or identical media to reinstall remove or repair the installation.This policy setting is designed for enterprises to prevent unau
able or do not configure this policy setting Windows Installer logs the default event types represented by the letters "iweap."
e an application is installed so that users can restore their computer to the state it was in before installing the application.
y.-- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log fil
onal and Windows Vista when the policy is not configured.-- The "For non-managed applications only" option permits users to install only
r is active and not suspended during the reboot or shutdown. Personal data can be accessed on the deviceâ€™s hard drive at this time if B
cations can simulate the SAS.If you disable or do not configure this setting only Ease of Access applications running on the secure desktop
ser. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop.For domain user a
d by default. When the policy is enabled the user is automatically signed in and the session is automatically locked with all lock screen apps
that they copy from a CD and play this protected content on their computer since the license is generated locally in this scenario.When th
gure this policy setting and the "Set and lock skin" policy setting is enabled some options in the anchor window are not available.
nfigure this policy setting the dialog boxes are displayed when the user starts the Player for the first time.
hing occurs if necessary. Users can change the setting for the Use Video Smoothing check box.Video smoothing is available only on the Win
eferences tab on the Tools menu in the Windows Messenger user interface.Note: If you do not want users to use Windows Messenger ena
olicy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration po
valent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting is not configured the LogPipeline
unction or script starts or stops. Enabling Invocation Logging generates a high volume of event logs. Note: This policy setting e
started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. If you disable
s to run.If you disable this policy setting no scripts are allowed to run.Note: This policy setting exists under both "Computer Configuration"
MI-capable applications will be unable to access reliability information from the listed providers.
to use the list of trusted hosts you must configure the list of trusted hosts locally on each computer.
configure this policy setting the WinRM service will not respond to requests from a remote computer regardless of whether or not any W
etting the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsPassword
id channel binding token is rejected. If HardeningLevel is set to Relaxed (default value) any request containing an invalid channel bindi
ed by default.
dio input to the container.
n Windows Security. Not configured: Same as Disabled.

ntact options that are displayed based on the notification space available. Disabled: No contact information will be shown on n
ndow and do not need elevated permissions to install these updates except in the case of updates that contain User Interface End User Li
ce location must be signed by Microsoft.Note: Updates from a service other than an intranet Microsoft update service must always be sign
tions" policy is enabled then this policy has no effect.

effect. Note: If the "Configure Automatic Updates" policy is disabled this policy has no effect. Note: This policy is not supported on
dy to be downloaded. After going to Windows Update users can download and install any available updates. 3 = (Default setting) Down
or do not configure this policy the default notification behaviors will be used.
ecurity quality or feature updates and your devices may be at risk.

be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the Shut Do
cify intranet Microsoft update service location" policy.

tes are available when the user selects the Shut Down option in the Start menu.
r Not Configured no target group information will be sent to the intranet Microsoft update service.Note: This policy applies only when the
updates.Windows update will also wake the system up and install an update if an install deadline occurs.The system will not wake unless
ed or Not Configured Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete the ins
as no effect. This policy has no effect on Windows RT

er is next started.Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the
ine is set to 0 days the update will be installed immediately upon offering but might not finish within the day due to device availability and
deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured the pending restart will transition fro
which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specifi
t scheduled time.Note that the default max active hours range is 18 hours from the active hours start time unless otherwise configured via
e. The user can click the notification to open the Windows Update Application and get more information about the software or install it. Th
major release.Release Preview Channel (default)Insiders in the Release Preview Channel will have access to the upcoming release of Windo
errals will not be in effect. Please see the Windows Release Information page for OS version information.Pause Updates | To prevent Featu
tive Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting does not apply to a user Work Fo
a list of pages to hide it must begin with "hide:". If a page in a showonly list would normally be hidden for other reasons (such as a missing
n conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image t
mail content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and store
sable or do not configure this policy setting users will be able to customize their account pictures.
ows.Disabled: Allows local accounts to have full administrative rights when authenticating via network logon by configuring the LocalAccou
ct.3. "Allow all activation" restores Office's default behavior allowing the Flash control to be activated.Because this setting is not a true Gro
;* In the "Configure LanmanWorkstation dependencies" text box enter the following four lines of text:BowserMRxSmb10MRxSmb20NSIW
art" for Windows 8.1 and Windows Server 2012R2 and newer.Changes to this setting require a reboot to take effect.For more information
e if there is at least one WINS server configured.
e converted prior to changing the setting value. To learn more about Internet Explorer Feature Control Key and the Restrict JScript proces
d): Disables WDigest authentication. For this setting to work on Windows 7 Windows 8 Windows Server 2008 R2 or Windows Server 2012 K
s the files and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server" and "D
dministrative settings for Windows Branch Cache disable its use entirely.
re reverting to the origin server. Note: This policy setting has no effect if the "Allow BITS peer caching" policy setting is disabled or no
disabled or not configured.
etting is disabled or not configured.
al system disk size. Note: This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured.
pproximately 2 kilobits. To prevent BITS transfers from occurring specify a limit of 0. If you disable or do not configure this policy setti
ng you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth used for
"Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local administrat
nsfer only when on uncosted network connections but foreground jobs should proceed only when not roaming. The values that can be ass
l priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. If you disable or do not configure this policy setting
ormal and low. You can specify a limit to use for background jobs during a work schedule. For example you can limit the network band
d jobs occupying disk space. If you enable this policy setting you can configure the inactive job timeout to specified number of days.
in caching content after they receive it from the file servers.Policy configurationSelect one of the following:- Not Configured. With this sele
m.Policy configurationSelect one of the following:- Not Configured. With this selection this policy setting is not applied to client computer
hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect you must
tting BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache serve
mputers you can specify Not Configured for this domain Group Policy setting and then configure local computer policy to enable BranchCac
icy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client computers
t one of the following:- Not Configured. With this selection BranchCache settings are not applied to client computers by this policy. In the c
nfigure a BranchCache client computer cache setting on all client computers you can specify Not Configured for this domain Group Policy s
but you do not want to enable BranchCache on all client computers you can specify Not Configured for this domain Group Policy setting a
cator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax
ec tunnel endpoint. Example: PING:2002:836b:1::836b:1.You must configure this setting to have complete NCA functionality.
IPv6 addresses rather than names.The ability to disconnect allows users to specify single-label unqualified names (such as â€œPRINTSVRâ
d multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary dom
resolution will fail.If you disable this policy setting or if you do not configure this policy setting computers will use locally configured settin
of DNS servers if configured.

olicy setting click Enabled and then enter a string value representing the DNS suffixes that should be appended to single-label names. You m
amic DNS registration for any of their network connections regardless of the configuration for individual network connections.
er in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.Note
sable this policy setting or if you do not configure this policy setting each computer uses its local primary DNS suffix which is usually the DN
s radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet
and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Adva
will register A and PTR resource records with its connection-specific DNS suffix in addition to the primary DNS suffix. This applies to all netw
en if registration of the corresponding A records was not successful.Register only if A record registration succeeds: Computers will attemp
than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the D
the client. By default the DNS client attempts to replace the existing A resource record with an A resource record that has the client's curre
ou do not configure this policy setting LLMNR will be enabled on all available network adapters.
y setting or if you do not configure this policy setting name resolution will be optimized when issuing DNS LLMNR and NetBT queries.
ble only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
default DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused clients try to use secure update.
t send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer need
d users can only authenticate with WLAN hotspots using a web browser.
Remove any cipher suites you don't want to use.Note: When configuring this security setting changes will not take effect until you restart W
cy setting and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy setti
configurationSelect one of the following:- Not Configured. With this selection BranchCache settings are not applied to client computers by
emove any cipher suites you don't want to use.Note: When configuring this security setting changes will not take effect until you restart W
s by default. Since insecure guest logons are unauthenticated important security features such as SMB Signing and SMB Encryption are dis
Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failov
ery long transition times between the online and offline states.
he "Allow operation while in public network" and "Prohibit operation while in private network" options instead.If you disable or do not co
a network interface is connected to an unmanaged network you may choose the "Allow operation while in public network" and "Prohibit
er to use the global well known seed server on the Internet only; enable the setting leave the seed server list empty leave the checkbox un
enarios).If you disable this setting PNRP will use multicast for bootstrapping on the same subnet.If this setting is not configured the protoc
dress.If you enable this policy setting PNRP does not create a cloud and applications cannot use this cloud to publish or resolve names rega
a public registry key to determine the seed server to bootstrap from.

g scenarios).If you disable this setting PNRP will use multicast for bootstrapping on the same subnet.If this setting is not configured the pro
evert to using a public registry key to determine the seed server to bootstrap from.
g scenarios).If you disable this setting PNRP will use multicast for bootstrapping on the same subnet.If this setting is not configured the pro
t configure it the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remove an e
or home and small office users to protect them from Internet network security threats.If you enable this setting Internet Connection Firew
age is removed from the New Connection Wizard. The Network Setup Wizard is disabled.If you disable this setting or do not configure it a
emote client computers running DirectAccess and the Internet is not routed through the internal network.If you do not configure this poli
he list upon disabling this policy Windows Defender Firewall deletes the list.Note: You define entries in this list by using Security Descripto
eceive.If you disable this policy setting Windows Defender Firewall blocks all the listed incoming and outgoing ICMP message types. As a re
mputer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions lis
-assigned ports typically in the range of 1024 to 1034. On Windows Vista this policy setting does not control connections to SVCHOST.EXE
uests. If an administrator attempts to open this port by adding it to a local port exceptions list Windows Defender Firewall does not open t
Firewall blocks these ports which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open th
wed to create firewall rules in the Windows Defender Firewall with Advanced Security snap-in. If you wish to prevent all locally created rul
ators will still be allowed to create firewall rules in the Windows Defender Firewall with Advanced Security snap-in. If you wish to prevent
ure that the Windows Defender Firewall service account has write permissions to the folder containing the log file. Default path for the lo
move a port click its definition and then press the DELETE key. To edit a definition remove the current definition from the list and add a ne
r Firewall: Define inbound port exceptions" policy setting. To view the program list enable the policy setting and then click the Show button
you disable this policy setting Windows Defender Firewall applies other policy settings that allow unsolicited incoming messages. In the W
wall behaves as if the policy setting were disabled except that in the Windows Defender Firewall component of Control Panel the "Notify m
ponse to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by this computer. Windows Defender Firewall always per
er Firewall on or off unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides.
eceive.If you disable this policy setting Windows Defender Firewall blocks all the listed incoming and outgoing ICMP message types. As a re
mputer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port exceptions lis
-assigned ports typically in the range of 1024 to 1034. On Windows Vista this policy setting does not control connections to SVCHOST.EXE
uests. If an administrator attempts to open this port by adding it to a local port exceptions list Windows Defender Firewall does not open t
Firewall blocks these ports which prevents this computer from receiving Plug and Play messages. If an administrator attempts to open th
wed to create firewall rules in the Windows Defender Firewall with Advanced Security snap-in. If you wish to prevent all locally created rul
ators will still be allowed to create firewall rules in the Windows Defender Firewall with Advanced Security snap-in. If you wish to prevent
ure that the Windows Defender Firewall service account has write permissions to the folder containing the log file. Default path for the lo
move a port click its definition and then press the DELETE key. To edit a definition remove the current definition from the list and add a ne
r Firewall: Define inbound port exceptions" policy setting. To view the program list enable the policy setting and then click the Show button
you disable this policy setting Windows Defender Firewall applies other policy settings that allow unsolicited incoming messages. In the W
wall behaves as if the policy setting were disabled except that in the Windows Defender Firewall component of Control Panel the "Notify m
ponse to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by this computer. Windows Defender Firewall always per
er Firewall on or off unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides.
y.Example: [cloudresource]|[cloudresource]|[cloudresource][proxy]|[cloudresource]|[cloudresource][proxy]|For more information see: h

sole list of allowed proxies enable the "Proxy definitions are authoritative" setting.If you disable or do not configure this policy setting app
For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
ddresses are the only addresses ever classified as private enable the "Subnet definitions are authoritative" policy setting.If you disable or d
microsoft.com/fwlink/p/?LinkId=234043
lect the "Work offline" option users can work offline if disconnected.If you do not configure this setting users can work offline by default b
ime Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis.You can a
slow.Note: Use the following formula when entering the slow link value: [ bps / 100]. For example if you want to set a threshold value of
rk latency is above (slower than) the Latency threshold parameter.You can configure the slow-link mode by specifying threshold values fo
mit.If you disable this setting the system limits the space that automatically cached files occupy to 10 percent of the space on the system d
olicy to avoid network usage.

he configured round trip network latency value. We recommend using this policy setting when the network connection to the server is slo
es existing files as well as files added later even if the files were stored using NTFS encryption or BitLocker Drive Encryption while on the se
the server hosting the offline file is disconnected from the network."2" also records events when the local computer is connected and disc
e name extension in the "Extensions" box. To type more than one extension separate the extensions with a semicolon (;).Note: To make ch
f that disk space can be used by automatically cached files.If you disable this policy setting the system limits the space that offline files occ
etting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration take pr
e configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To view the Offline Files F
Computer Configuration takes precedence over the setting in User Configuration.Tip: This setting provides a quick method for locking dow
Computer Configuration takes precedence over the setting in User Configuration.Tip: To set reminder balloon frequency without establis
he "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012 Windows Server 200
s and folders.If you do not configure this policy setting the "Make Available Offline" command is available for all files and folders.Notes:Th
are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use).If you do not co
ine when they make a parent folder available offline.
default but users can change this option.This setting appears in the Computer Configuration and User Configuration folders. If both setting
ynchronization ensures that files are complete but does not ensure that they are current.If you do not configure this setting and Synchron
on to the computer at the time the computer is suspended a synchronization is not performed.
nge the setting.To prevent users from changing the setting while a setting is in effect the system disables the "Enable reminders" option on
try for a particular network adapter this setting is ignored when configuring that network adapter.
this setting is ignored when configuring that network adapter.
work adapter.
hen configuring that network adapter.
ring that network adapter.
etwork adapter.
hat network adapter.
en configuring that network adapter.
ng that network adapter.
that network adapter.
rom management systems within the communities it recognizes and only SNMP Read operation is allowed for the community.If you disab
If you disable or do not configure this policy setting SNMP service takes the permitted managers configured on the local computer instead
osts within the "public" community.If you disable or do not configure this policy setting the SNMP service takes the trap configuration con
and a public IPv4 address. If no global IPv6 address is present and no global IPv4 address is present the host will not have a 6to4 interface
n the host.
m the ISATAP router through stateless address auto-configuration. If the ISATAP router name is not resolved successfully ISATAP connectivi
e this policy setting the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds.
includes a domain controller.
hput problems casued by Firewalls or other middle boxes.

media. The default for this policy setting allows operations over all media.
ng TCP session will continue uninterrupted.- Windows then checks the traffic level on the network periodically. If the traffic level is above
n the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from most pre
hen the computer is already connected to either a non-domain based network or a domain based network over media other than Etherne
ost of Wireless LAN connections is Unrestricted by default.

enables Windows to temporarily connect to open hotspots to determine if paid services are available.If this policy setting is disabled both
your organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access cellular data and empl
is Fixed by default.
ns is Fixed by default.
Also see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site to find
ervices printers on your network ensure that network discovery is turned on. To turn on network discovery click "Start" click "Control Pan
ndows 10 and later only TCP/IP printers can be shown in the wizard. If you enable this policy setting only TCP/IP printer limits are applicab
s. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the network.
r will simply pass the commands to the printer. This increases the workload of the client while decreasing the load on the server.If you do
r search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers that you w
(To enable Web view open the Printers folder and on the Tools menu click Folder Options click the General tab and then click "Enable Web
n contact attempts. If you do not configure or disable this setting the default values will be used. Note: This setting is used only
n controllers.
tries before deleting printers from Active Directory. You can use this setting to change the number of retries. If you enable this settin
e allowed.Note: By applying this policy existing kernel-mode drivers will be disabled upon installation of service packs or reinstallation of th
the print spooler. Print drivers loaded by applications are not affected.-This policy setting takes effect without restarting the print spooler
the version of Windows that you are using.By default Windows Ultimate Professional and Home SKUs will continue to search for compatib
this policy setting then print drivers will be loaded within all associated application processes.Notes:-This policy setting applies only to ap
ult value is every eight hours. If the computer has not responded by the last contact attempt its printers are pruned from the directory.
rivers loaded by the print spooler. Print drivers loaded by applications are not affected.-This policy setting takes effect without restarting t
r.If this setting is enabled users will only be able to package point and print to print servers approved by the network administrator. When
elevated command prompts do not appear when users Point and Print or when printer connection drivers need to be updated. If you
er Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Computer
s a printer to a print browse master on the domain.
k. However because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory automa
re this setting the system will store and display shortcuts to recently and frequently used files folders and websites.Note: The system saves
t turn it to On. Select this option for compatibility with earlier versions of Windows.If you disable or do not configure this setting the all ap
Shut Down Restart Sleep and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logo
dows 10 will supercede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same part of Start men
ML file. You can type a local path such as C:\StartLayouts\myLayout.xml or a UNC path such as \\Server\Share\Layout.xml. If the specified fi
from within the application. If you disable or do not configure this policy setting the client computer will connect to WNS at user logi
ported on" for all supported versions.
his policy setting and choose "Workstation Only" from the drop-down menu list the Shutdown Event Tracker is displayed when you shut d
or power to be safely removed.If you disable or do not configure this policy setting the computer system safely shuts down to a fully powe
program continues without the registration. As a result the program might not perform all its functions or it might stop.This setting appear
nning with Windows Server 2003.Note: This feature might interfere with power configuration settings that turn off hard disks after a period
micolon to separate folders. For example to restrict the commands to only .chm files in the %windir%\help folder and D:\somefolder add
mputer Configuration and User Configuration. If both are settings are used any programs listed in either of these locations cannot launche
If it is a WIM file the location should be specified by prefixing the path with â€œwim:â€ and include the index of the image to use in the W
able. This provides an additional security benefit but HTLM Help stops if DEP detects system memory abnormalities.
uration.If you do not configure this policy setting users see a standard Access Denied message unless the file server is configured to displa
User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Specifies
che for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reached the l
uredNote: When this policy setting is enabled any user with access to read the security events will be able to read the command line argum
ter. Applications depending upon this delegation behavior might fail authentication. For more information see KB.FWlink for KB:http://go.
ervice Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single w
his policy setting delegation of fresh credentials is not permitted to any machine.Note: The "Allow delegating fresh credentials" policy setti
resh credentials is not permitted to any machine.Note: The "Allow delegating fresh credentials with NTLM-only server authentication" pol
*).If you disable this policy setting delegation of saved credentials is not permitted to any machine.Note: The "Allow delegating saved cred
member of any domain. If the client is domain-joined by default the delegation of saved credentials is not permitted to any machine.If you
ngle wildcard character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote Deskto
of a single wildcard character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote D
egated. The use of a single wildcard character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam
es using CredSSP will not accept unpatched clients. Note: this setting should not be deployed until all remote hosts support the newest ver
nect to remote hosts.Â Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to rem
policy then disabling this policy setting doesn't remove the feature from the computer. Instead you must either: 1) first update the polic
Based Security feature.The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previously turned
er was created. If you disable this policy setting drivers that are signed by a Microsoft Windows Publisher certificate are selected for install
a driver only if a driver is not locally available on the system.If you disable or do not configure this policy setting members of the Administr
y settings that restrict device installation.

h any of these device IDs" policy setting the "Prevent installation of devices for these device classes" policy setting the "Prevent installatio
policy setting the "Prevent installation of devices for these device classes" policy setting the "Prevent installation of devices that match an
evice IDs" policy setting the "Prevent installation of devices for these device classes" policy setting the "Prevent installation of devices tha
"Prevent installation of devices that match any of these device IDs" "Prevent installation of devices for these device classes" policy setting
installed and updated as allowed or prevented by other policy settings.
allowed or prevented by other policy settings.
cy setting Windows can install and update devices as allowed or prevented by other policy settings.
on a remote desktop server the policy setting affects redirection of removable devices from a remote desktop client to the remote deskto
observed and the NV cache is used for boot and resume optimizations.Note: This policy setting is applicable only if the NV cache feature is
e this policy setting the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately config
ote: This policy setting is applicable only if the NV cache feature is on.
tting turns on disk quota management but does not establish or enforce a particular disk quota limit. To specify a disk quota limit use the "
k quota limit the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit the
strators can use the Quota tab option to change the setting.This policy setting is independent of the enforcement policy settings for disk qu
g.This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event users can detect that they
policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users or affect cu
this policy some blurry applications will be crisp after they are restarted without requiring the user to log out and back in to Windows. Be
turned off.
s" policy is not configured.
it to the list without checking for errors.If you enable this policy setting you can view and change the list of DCOM activation security che
Windows Update to search for device drivers.

t been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.If
t in AD DS provides the default set of properties.

NumProcessors]*2)
or files created on the system volume.
tion.If you enable this policy setting and the user has redirected folders such as the Documents and Pictures folders the folders are redirec
subfolders when redirecting the Start Menu or legacy My Documents folder.Note: This policy is valid only on Windows Vista Windows 7 W
puters running Remote Desktop Services.
plied using the Group Policy Objects (GPOs) that are scoped to the computer.- An event log message (1109) is posted stating that loopback
hange this behavior by using this setting.If you enable this setting the Group Policy Object Editor snap-in always uses local ADM files in you
background after the network becomes available.Note that because this is a background refresh extensions requiring synchronous process
date is transmitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delay
e update is transmitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant d
tted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do
ption to override the default to slow network connection and instead default to using a fast network connection in the case that no netwo
he update is being transmitted across a slow network connection such as a telephone line. Updates across slow connections can cause sign
ate is transmitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delay
ed across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays.The "Do not a
ms even when the update is transmitted across a slow network connection such as a telephone line. Updates across slow connections can
ss a slow network connection such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply
ection" option updates preference items even when the update is transmitted across a slow network connection such as a telephone line.
y setting it has no effect on the system.The "Allow processing across a slow network connection" option updates the policies even when th
tted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do n
policy information and it uses a bandwidth estimate to determine slow link thresholds. (See the â€œConfigure Group Policy Slow Link Dete
pe a decimal number between 0 and 4294967200 indicating a transfer rate in kilobits per second. Any connection slower than this rate is c
mitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do
ption updates the policies even when the update is being transmitted across a slow network connection such as a telephone line. Updates
te is transmitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays
es the policies even when the update is being transmitted across a slow network connection such as a telephone line. Updates across slow
dates preference items even when the update is transmitted across a slow network connection such as a telephone line. Updates across s
gon scripts.
tion" option updates preference items even when the update is transmitted across a slow network connection such as a telephone line. U
when the update is transmitted across a slow network connection such as a telephone line. Updates across slow connections can cause sig
tion updates preference items even when the update is transmitted across a slow network connection such as a telephone line. Updates a
connection" option updates preference items even when the update is transmitted across a slow network connection such as a telephon
en when the update is transmitted across a slow network connection such as a telephone line. Updates across slow connections can cause
hen background updates are disabled policy changes will not take effect until the next user logon or system restart.The "Process even if th
smitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays. 2. The "
" option updates preference items even when the update is transmitted across a slow network connection such as a telephone line. Upda
on such as a telephone line. Updates across slow connections can cause significant delays.The "Do not apply during periodic background p
the computer is in use. When background updates are disabled policy changes will not take effect until the next user logon or system rest
mitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do
ansmitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays. 2. The
ot configure this policy setting it has no effect on the system.The "Allow processing across a slow network connection" option updates the
ate is transmitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays
m the Mode box:"Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user settings norm
ross a slow network connection such as a telephone line. Updates across slow connections can cause significant delays.The "Do not apply
mitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays.The "Do n
e command line by typing RSOP.mscNote: This policy setting exists as both a User Configuration and Computer Configuration setting.Also s
on of the policy information and it uses a bandwidth estimate to determine slow link thresholds. (See the â€œConfigure Group Policy Slow
ffect on reboot.
his policy setting is configured.Also see the "Set Group Policy refresh interval for computers" policy setting to change the policy refresh int
ever because updates might interfere with users' work and increase network traffic very short update intervals are not appropriate for mo
tions.If you disable or do not configure this setting the domain controller updates Group Policy every 5 minutes (the default). To specify th
If you disable or do not configure this policy setting Group Policy will use the default wait time of 30 seconds on computers running Windo
or system-computed wait time.If you disable or do not configure this policy setting Group Policy will use the default wait time of 60 secon
computer for it to take effect.
olicy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup.
ole (MMC).
tension listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be crea
extension listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be cr
under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be created on the clie
nsion listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be created
extension listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be cre
er Configuration you must provide a path in the "User trace" box to the location where a user trace file can be created on the client compu
ence extension listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can
nder User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be created on the clien
under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be created on the clie
d under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be created on the cl
erform tracing for items in this preference extension listed under User Configuration you must provide a path in the "User trace" box to th
preference extension listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace fi
ference extension listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace file c
ence extension listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can
under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be created on the cli
preference extension listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace fi
reference extension listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace file
isted under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be created on th
sion listed under User Configuration you must provide a path in the "User trace" box to the location where a user trace file can be created
nfigure this policy setting users can access the Windows Update website and enable automatic updating to receive notifications and critica
e Windows Update website to see if Microsoft has added the CA to its list of trusted authorities.If you disable or do not configure this poli
the end of the description.If you disable or do not configure this policy setting the user can click the hyperlink which prompts the user and
C user writing samples from the handwriting recognition personalization tool will automatically be shared with Microsoft.If you do not con
eport handwriting recognition errors to Microsoft.
the "Did you know?" section will remain static indefinitely without an Internet connection.
nternet and has not disabled the Knowledge Base search from the Search Options page.
es the web publishing or online ordering wizards.See the documentation for the web publishing and online ordering wizards for more info
tion/Administrative Templates/Printers.
n you live in).
nformation about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion featur
not shown.If you do not configure this policy setting users have the choice to opt in and allow information to be collected.
e this policy setting all users are opted into the Windows Customer Experience Improvement Program.If you do not configure this policy se
r Reporting" policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Reporting.
ne of the two active tests.
for device drivers if a driver is not found locally.Note: This policy setting is replaced by "Specify Driver Source Search Order" in "Administra
ation or armoring.If you configure the "Not supported" option the domain controller does not support claims compound authentication o
cation. Kerberos clients which do not support the PKInit Freshness Extension will always fail when using public key credentials.If you disab
g user logon" policy setting is enabled.Note: Information about previous logons is provided only if the domain functional level is Windows
licy setting domain controllers will return service tickets that contain compound authentication any time the client sends a compound aut
t found NTLM authentication might be used.To ensure consistent behavior this policy setting must be supported and set identically on all
mallest MaxTokenSize used in your environment if you are not configuring using Group Policy. If you disable or do not configure this poli
cy setting and the resource domain requests compound authentication devices will send a non-compounded authentication request first t
apping from the list click the mapping entry to be removed and then press the DELETE key. To edit a mapping remove the current entry fr
names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value entry fr
client support for claims compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. If you disa
unded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerb
o a domain the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509 certific
ng any service is allowed to accept incoming connections by using this system-generated SPN.
server uses the locally configured value or the default value. Note: This policy setting configures the existing MaxTokenSize registry value i
appropriate syntax format. To view the list of mappings enable the policy setting and then click the Show button. To remove a mapping fro
his computer account.Automatic: Compound authentication is provided for this computer account when one or more applications are con
henticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authenticatio
e but they can still select a replacement locale if one is installed.If you disable or do not configure this policy setting the user can select a cu
is set to Enabled at the computer level then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer leve
from the specified system locale list.If you disable or do not configure this policy setting administrators can select any system locale shipp
ch (Canada).If you enable this policy setting only locales in the specified locale list can be selected by users.If you disable or do not configu
ange the amount of time after the device's screen turns off before a password is required when waking the device. Instead a password is r
ke two logons to apply changes. To be able to operate safely these extensions require that no users be logged on. Therefore they must be
s always set to the domain to which the computer is joined.
00 Server.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setti
puter Configuration and User Configuration folders. If both policy settings are configured the policy setting in Computer Configuration take
kes precedence over the policy setting in User Configuration.Note: Customized run-once lists are stored in the registry in HKEY_LOCAL_MA
poses.If you disable or do not configure this policy all installed and otherwise enabled credential providers are available for authentication
ure this policy setting the user will have to start the appropriate programs after logon.Note: This setting appears in the Computer Configur
-in prompt for services.If you do not configure this policy setting the user who completes the initial Windows setup will see the animation
PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) Enables DEP-ATL thunk emulation for the child pr
tion and use of older cryptography algorithms compatible with Windows NT 4.0. However using the older algorithms represents a potentia
fy any passwords with the PDC emulator. If you do not configure this policy setting it is not applied to any DCs.
ad access to files on the share when exclusive access is requested.Note: The Netlogon share is a share created by the Net Logon service for
ry of DCs in a trusted domain.To enable the setting click Enabled and then specify the interval in seconds.
es on the share when exclusive access is requested.Note: The SYSVOL share is a share created by the Net Logon service for use by Group P
n none are available.

is to always refresh (0).
49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.Warning: If the value for this setting is too small a client will s
for this setting is too large a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very sma
s smaller than the value specified for the Initial DC Discovery Retry Setting the Initial DC Discovery Retry Setting is used.Warning: If the val
once all DCs are running the same OS version.The allowable values for this setting result in the following behaviors:1 - Computers will ping
n a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names.If you enable this policy setti
or these reasons NetBIOS-based discovery is not recommended.Note that this policy setting does not affect NetBIOS-based discovery for D
DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of client
ault behavior and enforce to return only IPv4 DC address. Once applications are fixed this policy can be used to enable the default behavio
t configure this policy setting it is not applied to any DCs and DCs use their local configuration.
in the DC Locator DNS SRV records click Enabled and then enter a value. The range of values is from 0 to 65535.If you do not configure th
kup to discover additional client IP addresses.2 - DCs will perform a fast DNS-only address lookup to discover additional client IP addresses
msdcs.<DnsForestName>GcAtSite SRV _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>DcByGuid SRV _ldap._tcp.<D
ervers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the databas
e the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow adminis
tion.To specify the sites covered by the DC Locator DNS SRV records click Enabled and then enter the sites names in a space-delimited form
tive Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory.To spec
st between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. If you enable this policy setting
C Locator DNS SRV records for any other sites but their own.If you do not configure this policy setting it is not applied to any DCs and DCs u
computers to which this policy is applied will locate a domain controller hosting an Active Directory domain specified with a single-label n
setting computers to which this setting is applied will use the AllowDnsSuffixSearch policy if it is not disabled or perform NetBIOS name re
l default to using their local configuration.The default local configuration is enabled.A reboot is not required for changes to this setting to t
minimum PIN lengths.

m and minimum PIN lengths.
e "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
e "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
you disable this policy setting the items "Use a system image you created earlier to recover your computer" and "Reinstall Windows" (or "
o not configure this policy setting users can configure the setting in System Properties in the Control Panel.
allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the comput
Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.If you en
sees the default warning message.
disable this policy setting application-based settings are used.If you do not configure this policy setting application-based settings are use
mation. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.If you do not c
setting the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using
se the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory this
or condition.If you enable this policy setting the RPC runtime will generate extended error information. You must select an error response
versions that support this policy setting. If you do not configure this policy setting it remains disabled. The RPC server runtime will behave
1 or higher versions. If either the RPC Client or the RPC Server or the RPC HTTP Proxy run on an older version of Windows this policy settin
whether this policy setting is enabled or not.

set in Computer Configuration takes precedence over the policy setting set in User Configuration.
un startup scripts visible"" policy setting is enabled or not.
.cmd B.ps1GPO C: C.cmd C.ps1Assume also that there are two computers DesktopIT and DesktopSales. For DesktopIT GPOs A B and C are
here are two users Qin Hong and Tamara Johnston. For Qin GPOs A B and C are applied. Therefore the scripts for GPOs B and C run in the f
al is particularly important when other system tasks must wait while the scripts complete. By default each startup script must complete b
ubject to the ROCA vulnerability (authentications will still succeed).Block: during authentication the domain controller will block the use o
tting (in Windows Server 2012) that is configured in the Server Manager console.If you disable this policy setting Server Manager does not
on the window is not displayed on subsequent logons.
ot displayed automatically at logon.Note: Regardless of the status of this policy setting Server Manager is available from the Start menu or
ense is turned off the machine. Users cannot enable Storage Sense.Not Configured:By default Storage Sense is turned off until the user ru
ontent. Users can configure this setting in Storage settings.

e this setting in Storage settings.
s in the userâ€™s Downloads folder. Users can configure this setting in Storage settings.
ee the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled the "Turn off System Restore con
System Protection.Also see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy setting is dis
detect troubleshoot or resolve any problems that are handled by the DPS.If you do not configure this policy setting the DPS enables all sc
When the service is stopped or disabled diagnostic scenario data will not be deleted. The DPS can be configured with the Services snap-in
failures during application installation failures during application runtime and drivers blocked due to compatibility issues.Note: This policy
oting of corrupted files will automatically start with no UI. Recovery is not attempted automatically. Windows will log an administrator ev
olicy Service (DPS) is in the running state. When the service is stopped or disabled diagnostic scenarios are not executed. The DPS can be c
is taken. If you do not configure this policy setting the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes effect on
cy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diagnostic sc
ke effect. Changes take effect immediately.This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running
or local and remote troubleshooting MSDT always prompts for additional tool downloading.If you disable this policy setting MSDT never do
for this policy setting to take effect. Changes take effect immediately.
or critical problems by system features and Microsoft. Notify users when troubleshooting for other problems is available and allow users to
nd is the default recovery behavior on Windows server.Troubleshooting Only: Detection and verification of file corruption will be performe
etting local troubleshooting preferences will take precedence as configured in the control panel. If no local troubleshooting preference is
is policy setting users can only access and search troubleshooting content that is available locally on their computers even if they are conn
this policy setting Windows will not be able to detect troubleshoot or resolve any Windows Boot Performance problems that are handled
Microsoft Management Console.No operating system restart or service restart is required for this policy to take effect. Changes take effect
vailable.If you disable this policy setting Windows will not be able to detect troubleshoot or resolve any Windows Resource Exhaustion pro
le.If you disable this policy setting Windows will not be able to detect troubleshoot or resolve any Windows Shutdown Performance probl
d resolution is available.If you disable this policy setting Windows will not be able to detect troubleshoot or resolve any Windows Standby/
e.If you disable this policy setting Windows will not be able to detect troubleshoot or resolve any Windows System Responsiveness proble
er authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose.C
commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-confi
PM will remain configured using the legacy Dictionary Attack Prevention parameters regardless of the value of this group policy. The only
pm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked
disable or do not configure this policy setting Windows will block the TPM commands found in the local list in addition to commands in the
sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older tha
the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than this duration are ign
standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization fai
ven full control to the user's profile folder.If you disable or do not configure this policy setting only the user is given full control of their use
ering the connection to be slow.If you disable or do not configure this policy setting Windows considers the network connection to be slow
e roaming profile still remains on the network server that stores it.If you disable or do not configure this policy setting Windows keeps a c
ng or do not configure it slow link detection is enabled. The system measures the speed of the connection between the user's computer an
rofessional SP4 and Windows XP SP1 the default behavior is to check the folder for the correct permissions if the profile folder already exis
e or do not configure this policy setting Windows will always unload the users registry at logoff even if there are any open handles to the p
Windows cannot load their user profile.Also see the "Delete cached copies of roaming profiles" policy setting.
the Active Directory schema to function.If you enable this policy setting and the user has a roaming profile the roaming profile is downloa
re using a default user profile for roaming user profiles. The default timeout value is 30 seconds. To use this policy setting type the numbe
e Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will imp
oad and update the registry settings. By default the system repeats its periodic attempts 60 times (over the course of one minute).If you e
curs on the affected computer: At first logon the user receives a new local profile rather than the roaming profile. At logoff changes are sa
policy setting changes a user makes to their roaming profile aren't merged with the server (roaming) copy when the user logs off.If you di
screen and the user must choose whether to download the remote user profile before Windows detects the network connection speed.
tting. Setting the value to zero causes Windows to proceed without waiting for the network.If you disable or do not configure this policy se
olicy setting all users logging on this computer will use the roaming profile path specified in this policy.If you disable or do not configure th
of the roaming user profile is uploaded to the server every six hours while the user is logged on.If "Run at specified time of day" is chosen
n the Path box.Do not specify environment variables or ellipses in the path. Also do not specify a placeholder for the user name because th
and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authenti
e local copy of the roaming user profile. The local copy is also used when the user is consulted (as set in the "Prompt user when slow link
et to 50 MB on Windows XP Professional and is unlimited (4294967295 MB) on Windows Server 2003.

setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection provides.
ections; larger values cause more frequent corrections. Default: 4 (scalar). HoldPeriodThis parameter indicates how many consistent tim
vice Group Policy Settings. The default value is ""time.windows.com0x09"". TypeThis value controls the authentication that W32time uses
ect the certificate errors that you want to ignore. Note: This policy setting applies to all sites in Trusted zones.
ws deployment operations (adding registering staging updating or removing an app package) of Windows Store apps when using a special p
in your organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access account information
ation cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access the eye tracker and employees in yo
not change it.If you choose the "Force Deny" option Windows apps are not allowed to access the call history and employees in your organ
it.If you choose the "Force Deny" option Windows apps are not allowed to access contacts and employees in your organization cannot ch
ps are allowed to get diagnostic information about other apps and employees in your organization cannot change it.If you choose the "Fo
choose the "Force Deny" option Windows apps are not allowed to access email and employees in your organization cannot change it.If you
t.If you choose the "Force Deny" option Windows apps are not allowed to access location and employees in your organization cannot chan
ganization cannot change it.If you choose the "Force Deny" option Windows apps cannot read or send messages and employees in your o
not change it.If you choose the "Force Deny" option Windows apps are not allowed to access motion data and employees in your organiza
nnot change it.If you choose the "Force Deny" option Windows apps are not allowed to access notifications and employees in your organiz
hoose the "Force Deny" option Windows apps are not allowed to access tasks and employees in your organization cannot change it.If you
nnot change it.If you choose the "Force Deny" option Windows apps are not allowed to access the calendar and employees in your organiz
t change it.If you choose the "Force Deny" option Windows apps are not allowed to access the camera and employees in your organization
nization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access the microphone and employees i
ation cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access trusted devices and employees in y
ound by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to access user movement
yees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the devi
ot change it.If you disable or do not configure this policy setting employees in your organization can decide whether users can interact wit
nicate with unpaired wireless devices and employees in your organization cannot change it.If you choose the "Force Deny" option Window
zation cannot change it.If you choose the "Force Deny" option Windows apps will not have access to control radios and employees in your
hange it.If you choose the "Force Deny" option Windows apps are not allowed to make phone calls and employees in your organization can
ation cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to run in the background and employees in yo
ke screenshots of various windows or displays and employees in your organization cannot change it.If you choose the "Force Deny" option
mployees in your organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to turn off the screen
ling this policy setting does not block Windows Store apps from opening the default desktop app for the http https and mailto URI scheme
an cause severe app compatibility issues.
ed.If the status is set to Enabled the MS-DOS subsystem is prevented from running which then prevents any 16-bit applications from runn
a blue screen if an old anti-virus application is installed.)The Windows Resource Protection and User Account Control features of Window
turned off. The Inventory Collector will be off.

mance and are already aware of application compatibility issues. If you disable or do not configure this policy setting the PCA will be turned
ned on.Please reboot the system after changing the setting to ensure that your system accurately reflects those changes.
If you enable this policy setting an Administrator can change the default Windows Vista or later behavior for autorun to: a) Complete
d on all drives. This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on dr
event that someone forgets their logon credentials.

cs should create a password recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.
el folder view.If you disable or do not configure this policy setting the BitLocker setup wizard will display the computer's top-level folder vi
e will be used in other devices that are not running Windows 10 (Version 1511).If you disable or do not configure this policy setting BitLoc
disable or do not configure this policy setting BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive en
her strength for BitLocker to use to encrypt drives.If you disable or do not configure this policy setting BitLocker will use the default encryp
or recovering BitLocker encrypted data. Saving to a USB flash drive will store the 48-digit recovery password as a text file and the 256-bit r
bled.Note: Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt devices
BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive matches th
xtensions and access control settings on the domain before AD DS backup can succeed. More information about setting up AD DS backup
ficate it must be set to an object identifier (OID) that matches the OID configured for BitLocker.If you enable this policy setting the object i
is enabled select the "Do not install BitLocker To Go Reader on FAT formatted fixed drives" check box to help prevent users from running
ery agents.In "Configure user storage of BitLocker recovery information" select whether users are allowed required or not allowed to gene
s used with hardware-based encryption.If you disable this policy setting BitLocker cannot use hardware-based encryption with operating s
BitLocker will allow unlocking a drive with any of the protectors available on the drive.If you enable this policy setting users can configure
eir access to BitLocker-protected fixed data drives.If you do not configure this policy setting smart cards can be used to authenticate user a
will not be presented in the BitLocker setup wizard.If you disable or do not configure this policy setting the BitLocker setup wizard will ask
etwork Unlock certificate is used to create Network Key Protectors and protects the information exchanged with the server to unlock the c
ty validation even on systems capable of Secure Boot-based integrity validation.When this policy is enabled and the hardware is capable o
r more information about adding data recovery agents.In "Configure user storage of BitLocker recovery information" select whether users
be greater than the default when a PIN is changed. If successful Windows will only reset the TPM lockout period back to default if the TPM
m recovery message option" text box will be displayed in the pre-boot key recovery screen. If a recovery URL is available include it in the m
computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided t
for native UEFI firmware configurations" group policy setting to configure the TPM PCR profile for computers using native UEFI firmware.I
ons" group policy setting to configure the TPM PCR profile for computers with BIOS configurations or computers with UEFI firmware with
er suites used with hardware-based encryption.If you disable this policy setting BitLocker cannot use hardware-based encryption with ope
cking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.If you enable this policy setting user
Recovery Environment is not enabled and this policy is not enabled you cannot turn on BitLocker on a device that uses the Windows touc
e drive is stored on the USB drive creating a USB key. When the USB key is inserted the access to the drive is authenticated and the drive is
enter a 4-digit to 20-digit startup personal identification number (PIN).A USB flash drive containing a startup key is needed on computers
he "Use enhanced Boot Configuration Data validation profile" group policy is ignored.The setting that controls boot debugging (0x1600001
olicy setting is enabled select the "Do not install BitLocker To Go Reader on FAT formatted removable drives" check box to help prevent us
data recovery agents.In "Configure user storage of BitLocker recovery information" select whether users are allowed required or not allow
r suites used with hardware-based encryption.If you disable this policy setting BitLocker cannot use hardware-based encryption with oper
e with any of the protectors available on the drive.If you enable this policy setting users can configure a password that meets the requirem
ticate their access to BitLocker-protected removable data drives.If you do not configure this policy setting smart cards are available to auth
Encryption Deployment Guide on Microsoft TechNet for more information on suspending BitLocker protection.If you do not configure this
ation fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting.If you disable or do not con
and Education SKUs.
cations that use the Windows system controls including Internet Explorer.
userâ€™s Windows credentials.

hether diagnostic data is collected or the ability of the user to change the level. To configure collection level please use the "Allow Diagno
gnostic data necessary to keep Windows secure up to date and performing as expected.â€¯Using this value disables the "Optional diagnos
.If you disable or do not configure this policy setting diagnostic data collection is determined by the "Allow Diagnostic Data" policy setting
s using HTTP only and does not attempt to contact the Delivery Optimization cloud services.
his policy setting the Event Collector computer will not be specified.
hould be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
og messages before writing them to the event log.
llowing options:â€¢ Warn and prevent bypassâ€¢ WarnIf you enable this policy with the "Warn and prevent bypass" option SmartScreen's
olicy is enabled disabled or not configured users will still be able to override default file type and protocol associations.
e protocol is in the protected mode allowing applications to only open a limited set of folders.If you do not configure this policy setting the
both new and old locations point to different shares when their network paths are different.Note: If the paths point to different network s
he previous version is of a local file and stored on the backup.

file on a file share.
n of the last use of their active digitizer on their device.
administrative template file see the Internet Explorer documentation on search providers.If you disable or do not configure this policy setti
can change the Suggestions setting on the Settings charm.

his policy setting newly installed add-ons are not automatically activated in the browser. Internet Explorer notifies the user when newly ins
up to three of the following channels where: 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge
e the Import/Export Settings wizard.
tervention.
eds shortcuts to home page and more. Full-screen mode disables not only these three bars but also the shortcuts to these bars.If you enab
Explorerâ€™) policy. Additionally itâ€™s best to enable this policy only if your intranet sites have known compatibility problems with Micr
sites in Enterprise Mode.
o.comLOBApp.contoso.com
ntranet site zone onlyÂ Â Binary Representation - 00010â€¢Â 0 - Restricted Sites Zoneâ€¢Â 0 - Internet Zoneâ€¢Â 0 - Trusted Sites Zoneâ€
to the exception list by enabling "Turn off Managing Pop-up Allow list" policy.
gs to prevent the user from configuring pop-up behavior.
ser.If you disable or do not configure this policy setting the user is prompted to decide the mode of operation for the phishing filter.
e First Run wizard the first time the browser is started after installation.
appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative template file
by the administrator.Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windows Com
y tab from Internet Explorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.Also see the "Security
Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting then all intranet sites will continue to open in Internet Explorer 1
led through the creation of an integer setting. In this case each Internet Explorer isolation setting will quickly grow to use the specified inte
his policy setting users are notified when the average time to load all the user's enabled add-ons exceeds the threshold. This is the default
st-run experience.
RL action for the application or process on the computer prevail.
f you do not configure this policy setting current values of the URL action for the Internet Explorer process prevail.
re not bypassed. Value Name is the name of the executable file. If Value Name is empty or the value is not 0 or 1 the policy setting is ignor
orer will be available and users will see installed printers under the Devices charm.
feature by using the Compatibility View Settings dialog box.
mmon Internet standards may be displayed incorrectly.If you disable this policy setting Internet Explorer uses a current user agent string.
al intranet content. Additionally all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user cannot ch
has no effect.
e number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history.
Browsing History dialog box.If you enable this policy setting ActiveX Filtering Tracking Protection and Do Not Track data is preserved when
ata when he or she clicks Delete.
settings""Disable changing history settings""Disable changing color settings""Disable changing link color settings""Disable changing font se
ys converted to IDN format.If you disable or do not configure this policy setting the user can control this setting by using Advanced Option
s will be prompted when Web Components such as fonts would be downloaded.
setting users can select the Always send Do Not Track header option in Internet Explorer settings. By selecting this option Internet Explore
ng Internet Explorer does not check the Internet for new versions of the browser so does not prompt users to install them.
een revoked.
s policy Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading them
indows 8 Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.When Enh
o not configure this policy Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser windows are
yption tunnel by using the encryption methods that you select from the drop-down list.If you disable or do not configure this policy settin
Assistant information.
o encode all query strings in UTF-8.
on't configure this policy setting users can turn this feature on or off using Internet Explorer settings. This feature is turned off by default.
use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.If you do not configure this policy users will be able
.If you do not configure this policy setting Internet Explorer starts with the home page. Users can change this option to start with the tabs
ta Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers.
ebsite Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers.
will allow trusted domains to store additional files in application caches up to the limit set in this policy setting.If you disable or do not con
low trusted domains to store additional data in indexed databases up to the limit set in this group policy.If you disable or do not configure
plorer will use the default application cache individual resource size for all application caches resources. The default is 50 MB.
page that referenced the manifest that are less than or equal to the limit set in this policy setting.If you disable or do not configure this pol
e default is 1 GB.
ases. The default is 4 GB.
ked-Down equivalent zone. If you select a security level for any zone (including selecting no security) the same change should be made to
Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that protect y
pears for intranet content loaded on a browser on a computer that is not a domain member until the user turns off the Notification bar.
one.If you do not configure this policy setting users cannot load a page in the zone that uses MSXML or ADO to access data from another s
d.If you disable this policy setting all attempts to access such content over the restricted protocols is blocked.If you do not configure this p
is behavior.If you do not configure this policy setting the user can decide whether to load XBAPs inside Internet Explorer.
this behavior.If you do not configure this policy setting the user can decide whether to load XAML files inside Internet Explorer.
es inside Internet Explorer.
ected to another Web page.
earch Connectors.
olicy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails it is the zone of th
do not configure this policy setting the possible harmful actions contained in script-initiated pop-up windows and windows that include th
do not configure this policy setting video and animation can be played through older media players in specified zones.
(http://) content.If you disable this policy setting users cannot receive the security information message and nonsecure content cannot be
o a Web site that has no certificate or only one certificate.
behavior on or off using Internet Explorer Security settings.
nfigure it users cannot drag content from one domain to a different domain when the source and destination are in different windows. Us
licy setting or do not configure it users cannot drag content from one domain to a different domain when the source and destination are i
Sniffing Safety Feature will not apply in this zone.
r she is uploading a file via an HTML form. By default path information is sent.
ctiveX controls that cannot be made safe are not loaded with parameters or scripted.If you do not configure this policy setting ActiveX con
annot run.If you do not configure this policy setting the permission is set to High Safety.
cy setting users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authenticatio
rom other domains.
ure this policy setting Internet Explorer will execute unsigned managed components.
cy setting Internet Explorer will execute signed managed components.
zone enabled in the Intranet and Local Computer zones and set to prompt in the Internet and Trusted zones.
ckages from being automatically downloaded to users' computers and software packages from being automatically installed on users' com
ot configure this policy setting users are queried to choose whether to allow information using HTML forms on pages in this zone to be sub
Framework Setup is turned on by default. The user can change this behavior.
licy setting users can preserve information in the browser's history in favorites in an XML store or directly within a Web page saved to disk
n this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting Web sites from less privilege
one.If you do not configure this policy setting users are queried to choose whether to allow a page to be loaded in the zone that uses MSXM
earch Connectors.
do not configure this policy setting Windows Restrictions security will not apply in this zone. The security zone runs without the added lay
connect to a Web site that has no certificate or only one certificate.
ehavior on or off using Internet Explorer Security settings.
annot run.If you do not configure this policy setting the permission is set to Medium Safety.
rom other domains.
ot configure this policy setting information using HTML forms on pages in this zone can be submitted automatically.
n this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting Web sites from less privilege
one.If you do not configure this policy setting users can load a page in the zone that uses MSXML or ADO to access data from another site i
earch Connectors.
ctiveX controls that cannot be made safe are not loaded with parameters or scripted.If you do not configure this policy setting users are q
annot run.If you do not configure this policy setting the permission is set to Medium Safety.
cy setting users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
rom other domains.
ure this policy setting Internet Explorer will not execute unsigned managed components.
cy setting Internet Explorer will not execute signed managed components.
his zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting the possibly harmful navigation
in-approved Behaviors under Binary Behaviors Security Restriction policy are available.
earch Connectors.
that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone as dictated by the feature control se
annot run.If you do not configure this policy setting Java applets are disabled.
rom other domains.
one.If you do not configure this policy setting users are queried to choose whether to allow a page to be loaded in the zone that uses MSXM
earch Connectors.
rom other domains.
earch Connectors.
rom other domains.
not available unless applications have implemented a custom security manager.
directed to another Web page.
ng Search Connectors.
cy setting users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
ws and frames from different domains or access applications from different domains.
licy setting users cannot preserve information in the browser's history in favorites in an XML store or directly within a Web page saved to d
earch Connectors.
rom other domains.
ls is unaffected.If you disable this policy setting all attempts to access such content over the restricted protocols is blocked.If you do not c
not available unless applications have implemented a custom security manager.
directed to another Web page.
ng Search Connectors.
cy setting users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
ws and frames from different domains or access applications from different domains.
licy setting users cannot preserve information in the browser's history in favorites in an XML store or directly within a Web page saved to d
earch Connectors.
ctiveX controls that cannot be made safe are not loaded with parameters or scripted.If you do not configure this policy setting users are q
annot run.If you do not configure this policy setting the permission is set to Low Safety.
rom other domains.
n this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting a warning is issued to the use
what action applies to searches on the Address bar.

e or a search-results webpage in the main window.If you disable or do not configure this policy setting the user can select their preference
Options dialog. By default URL Suggestions are turned on.
user cannot change this setting.If you do not configure this policy setting the user can choose to turn the Use Windows Search setting on
h update information URL.
en clicking InPrivate Filtering.

d then clicking Tracking Protection.
cation as a user types in a password. The reveal password button is visible by default.On at least Windows 8 if the "Do not display the reve
information:Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brackets for
add-ons are assumed to be denied unless they are specifically allowed through the 'Add-on List' policy setting.If you enable this policy setti
settings are ignored by the specified process. The Value Name is the name of the executable. If a Value Name is empty or the Value is not
he Internet Explorer TechNet library.
/contoso/Desktop/index.htm"If you disable or don't configure this policy setting the list is deleted and Internet Explorer continues to block
see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
WebSocket object. By default the WebSocket object is enabled.
min-approved' just as if those zones were set to 'disable'.If you do not configure this policy setting only VML will be allowed in zones set to
setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or
Consistent Mime Handling is prevented for all processes.
rnet Explorer will not require consistent MIME data for all received files.If you do not configure this policy setting Internet Explorer require
u enable this policy setting and enter a Value of 1 MIME handling is in effect. If you enter a Value of 0 file-type information is allowed to be
process list.If you disable or do not configure this policy setting Local Machine zone security is not applied to local files or content processe
this policy setting Local Machine zone security is not applied to local files or content processed by Internet Explorer.If you do not configure
Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the relate
rnet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in th
processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting.If you disab
rocesses other than File Explorer and Internet Explorer.
ls is prevented for File Explorer and Internet Explorer processes.If you do not configure this policy setting the policy setting is ignored.
ue Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Fi
protocols are restricted for that zone regardless of the setting for "Allow active content over restricted protocols to access my computer."
plorer processes in this list: use the related Internet Explorer Processes policy to enable or disable for IE processes. If the All Processes pol
: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the proc
If you do not configure this policy setting any zone can be protected from zone elevation by Internet Explorer processes.
ore privileged zones can be prevented. If you enter a Value of 0 elevation to any zone is allowed. The Value Name is the name of the execu
ed the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the security f
setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setti
estrictions apply for File Explorer and Internet Explorer processes.
of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer proces
nd the user can change this.
disable or do not configure this policy setting the toolbar upgrade tool checks for incompatible toolbars. The user can enable or disable in
uire IIS to run.
will apply.
ed applications and services can use Microsoft accounts for authentication. By default this setting is Disabled. This setting does not affect
ill be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled the service will remain running. I
the local administrator.
ack step according to the order specified above.

ng the proxy will skip over this fallback step according to the order specified above.
ly unwanted software. Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you le
delay of approximately five seconds.
hould be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Se
might unintentionally be sent to Microsoft. However Microsoft will not use this information to identify you or contact you. Possible option
for each ASR rule under the Options section for this setting. Enter each rule on a new line as a name-value pair: - Name column: Enter a
Attack Surface Reduction rules GP setting.
rs are automatically guarded but you can add folders in the configure protected folders GP setting.
add folders in the Configure protected folders GP setting. Block: The following will be blocked: - Attempts by untrusted apps t
soft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Co
ecting to dangerous domains. Not configured: Same as Disabled.
urther analysis is required" all need to be enabled.
(0x1) Moderate Microsoft Defender Antivirus blocking level delivers verdict only for high confidence detections (0x2) High blocking lev
mance. If you enable or do not configure this setting definition retirement will be enabled. If you disable this setting definition retireme
outgoing files (default) 1 = Scan incoming files only 2 = Scan outgoing files only Any other value or if the value does not exist resolves
un at a default frequency.
ed full scans will be turned off.
duled quick scans will be turned off.
the list will remain empty by default and no sources will be contacted.
he default number of days have passed without an update.

number of days have passed without an update.
ed from one specified source the remaining sources in the list will not be contacted. If you disable or do not configure this setting security
ccur at the default time.
dows Security.- Place the generated XML file in a shared or local path. Note: Endpoints that have this GP setting set to Enabled must be ab
ync later. Set SyncMethod to â€œExternalâ€ when an external synchronization engine is being deployed for settings sync. This could use
ws apps will default to whatever settings are configured in the Sync your settings configuration in Windows.
Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog. If there
ation.If you disable this policy setting all Windows Settings are excluded from the settings synchronization.If you do not configure this poli
e user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the Control
he state when UE-V was installed or to â€œlast-known-goodâ€ configurations. Only enable this policy setting on computers running in a n
ft Office Suite 2013 applications will not be backed up. If you do not configure this policy setting any defined values will be deleted.
ft Office Suite 2016 applications will not be backed up. If you do not configure this policy setting any defined values will be deleted.
nization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled.If you do not configure this p
common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Microsoft Offi
s policy setting Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V.If you do not configure this po
s policy setting Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V.If you do not configure this po
e this policy setting user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize with UE
e this policy setting user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize with UE
y setting Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy setti
y setting Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V.If you do not configure this policy setti
able this policy setting Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V.If you do not configu
etting Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy setting
etting Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V.If you do not configure this policy setting
isable this policy setting Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V.If you do not confi
isable this policy setting Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V.If you do not confi
le this policy setting Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V.If you do not configure
le this policy setting Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V.If you do not configure
-V.If you disable this policy setting Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V.If you
-V.If you disable this policy setting Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V.If you
his policy setting Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V.If you do not configure this p
his policy setting Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V.If you do not configure this p
disable this policy setting Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V.If you do not con
disable this policy setting Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V.If you do not con
er settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365 SharePoint Designer 2013 user settings are excl
setting Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy settin
setting Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V.If you do not configure this policy settin
icy setting Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy s
icy setting Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V.If you do not configure this policy s
will be deleted.
st configured setting will remain in effect.
r privacy settings after an upgrade.
ation.If you do not configure this setting users who are members of the Administrators group can make changes using the Windows To Go
g Windows presentation settings can be invoked.
point Servers group on the license server.By default the RDS Endpoint Servers group is empty.If you disable or do not configure this policy
003.By default if the most appropriate RDS CAL is not available for a connection a Windows Server 2008 license server will issue a Window
e that the publisher has been blocked.
valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RD
n Host server cannot be authenticated the user is prompted to choose whether to connect to the RD Session Host server without authentic
ter and on the RD Session Host server to provide credentials clear the Always prompt for password check box on the Log on Settings tab in
fine this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the com
e received.
Remote Desktop Services session.If you enable this policy setting remote users can start any program on the RD Session Host server when
get computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System properties s
connection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection.
nable this policy setting you must enter a keep-alive interval. The keep-alive interval determines how often in minutes the server checks th
obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line.
ktop Services sessions.To use this setting enter the number of connections you want to specify as the maximum for the server. To specify
nnect Time Detect and Continuous Network Detect Remote Desktop Protocol will not try to determine the network quality at the connect
g the best user experience.
emote user with the user's consent. 5. View Session without user's permission: Allows the administrator to watch the session of a remote
back redirection is not allowed when connecting to a computer running Windows Server 2008 R2 Windows Server 2008 or Windows Serv
or Windows Server 2008 R2. If you enable this policy setting audio recording redirection is allowed.If you disable this policy setting audio r
osoft Windows Server 2003 terminal server with a client using RDP 5.1 and later.
roup Policy level.
ction is not specified at the Group Policy level.
e this policy setting client drive redirection is always allowed. In addition Clipboard file copy redirection is always allowed if Clipboard redir
s cannot redirect their supported Plug and Play devices to the remote computer.If you do not configure this policy setting users can redirec
pression that is determined by the bandwidth of the remote connection.The audio playback quality that you specify on the remote compu
figure this policy setting these notifications will be displayed on the RD Session Host server after you log on as a local administrator.
top licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. If you disable or do not con
e Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server.If you disable or do no
r mapping is not specified at the Group Policy level.
olicy setting the default printer is not specified at the Group Policy level.
nd" - If there is a printer driver mismatch the server will attempt to find a suitable driver. If one is not found the client's printer is not availa
etting the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not ha
er profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified the o
nt name of each user.To configure this policy setting type the path to the network share in the form of \\Computername\Sharename. Do n
out environment variables or ellipses. Do not specify a placeholder for user alias because Remote Desktop Services automatically appends
effect you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting.
name of a farm in RD Connection Broker.If you disable or do not configure this policy setting the farm name is not specified at the Group
rated list of the FQDNs of all the RD Connection Broker servers.If you disable or do not configure this policy setting the policy setting is not
e policy setting.If you disable this policy setting the server does not join a farm in RD Connection Broker and user session tracking is not pe
tly by IP address to RD Session Host servers in the farm.If you disable this policy setting the IP address of the RD Session Host server is not
session log on to the first RD Session Host server to which they connect.If you do not configure this policy setting you can configure the RD
ns. On the client computer you can configure desktop composition on the Experience tab in Remote Desktop Connection (RDC) or by usin
can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified
ory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used.Yo
y images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. If you enable this polic
ction (RDC) or by using the "allow font smoothing" setting in a Remote Desktop Protocol (.rdp) file. If you enable this policy setting font sm
dows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy
es session.If the status is set to Disabled wallpaper might appear in a Remote Desktop Services session depending on the client configurati
he client will be used.If you disable or do not configure this policy setting the color depth for connections is not specified at the Group Poli
a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session H
from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected
off.To use this setting in Program path and file name type the fully qualified path and file name of the executable file to be run when the us
emoteApp programs do not support these advanced graphics.
s use the hardware graphics renderer by default.NOTE: The policy setting enables load-balancing of graphics processing units (GPU) on a c
sion scheme.If you enable this policy setting RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1.If
are optimized for rich multimedia.
h by selecting the highest setting for screen capture rate and the highest setting for image quality.By default Remote Desktop Connection
word to log on.If you disable this policy setting users can always log on to Remote Desktop Services automatically by supplying their passwo
e user security descriptors by using the Remote Desktop Session WMI Provider.Note: The preferred method of managing user access is by
ot respond to the request.If the status is set to Not Configured unsecured communication is allowed.Note: The RPC interface is used for ad
S is not supported native Remote Desktop Protocol (RDP) encryption is used to secure communications but the RD Session Host server is n
n dialog box and then click About. In the About Remote Desktop Connection dialog box look for the phrase Network Level Authentication s
te selection only occurs when a specific certificate has not been selected.If no certificate can be found that was created with the specified
tion methods are available:* High: The High setting encrypts data sent from the client to the server and from the server to the client by usi
olicy settings.If you enable this policy setting Remote Desktop Services ends any session that reaches its time-out limit.If you disable this p
t configure this policy setting the time limit is not specified at the Group Policy level. By default Remote Desktop Services allows sessions t
ng this policy setting is not specified at the Group Policy level. By default Remote Desktop Services allows sessions to remain active for an
ed sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are
d off from the RD Session Host server. If the user starts a RemoteApp program before the time limit is reached the user will reconnect to t
tting Remote Desktop Services deletes the temporary folders from the remote computer at logoff unless specified otherwise by the server
sions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer.If you disable
ed or Web Slice by using the Feed APIs.
our WSS Service. For example the English locale ID is 1033.http://sitename/_layouts/XXXX/searchresults.aspx?SearchString=$wThis adds i
search service is Windows SharePoint Services (WSS) the query should resemble the following where XXXX is the locale ID of your WSS Se
ll volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to mainta
nnections and if the web results are displayed in Search.Note: If you enable the "Don't search the web or display web results in Search" po
delegate mailboxes. Online delegate mailboxes are managed separately from online mailboxes. The "Enable Indexing of Uncached Exchan
minute. This policy has no effect on mail items when using Microsoft Office Outlook in cached mode.
mation about how to set up the initial machine preference.
t this setting is redundant because non-administrative users do not have permission to install new components. If your users have Adminis
configure this policy setting users can choose what information is shared in Search.
ws domain. When a computer is not joined to a Windows domain the policy setting will have no effect.If you do not congifure this policy se
ontain the smart card logon object identifier can be used to log on with a smart card.
CDH key to permit logons when you are not connected to the network.
ill not be listed on the logon screen.
policy is enabled then the certificate that is used for logon on Windows 2000 Windows XP and Windows 2003 Server will be shown otherw
the CSP.If you disable or do not configure this setting Windows will only attempt to read the default certificate from those cards that do n
you enable this policy setting or do not configure this setting then the subject name will be reversed. If you disable the subject name will
policy Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog
plications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.If you do no
behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.If you do not configure this polic
Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to configure thi
pear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options.Caution: If y
this setting in the Input Panel Options dialog box.If you do not configure this policy application auto complete lists will appear next to Inpu
all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. If you e
configure this setting in the Input Panel Options dialog box. If you enable this policy and choose â€œTolerant" users will be able to use
e available.
ng the property sheet displayed automatically. Note that the checkbox is not checked by default even if this setting is Disabled or Not Con
f both settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: This setti
etting does not prevent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder. To prevent th
llowing options:â€¢ Warn and prevent bypassâ€¢ WarnIf you enable this policy with the "Warn and prevent bypass" option SmartScreen's
e setting overrides any user changes made to Windows Error Reporting settings in Control Panel and default values are applied for any Win
ettings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured user settings in Control Panel for W
setting users can change this setting in Control Panel which is set to enable notification by default on computers that are running Windows
a until the computer is connected to a more permanent power source.
mation is stored.
Panel. If Queuing behavior is set to Always queue for administrator reports are queued until an administrator is prompted to send them o
t. The Windows applications category is a subset of Microsoft applications.If you disable or do not configure this policy setting users can e
always included in error reporting. To add applications to the list click Show under the Report errors for applications on this list setting an
the Exclude errors for applications on this list setting takes precedence.If you disable or do not configure this policy setting errors are repo
s list are not reported even if the Default Application Reporting Settings policy setting is configured to report all application errors.If this p
mum data that is required to check for an existing solution along with data which Windows has determined (within a high probability) doe
ndows Error Reporting automatically sends the minimum data required to check for an existing solution and Windows prompts the user fo
owns both credentials which enables them to sign-in using non-privileged credentials but can performed elevated tasks without signing-ou
tion. To change an existing credential enable this policy setting and select "I forgot my PIN" from Settings.
thentication from failing.
e this policy setting Windows does not create or store the PIN recovery secret. If the user forgets their PIN they must delete their existing P
u use a third-party solution to provision Windows Hello for Business.If you select "Do not start Windows Hello provisioning after sign-in" W
siness credentials provisioned when the "Turn off smart card emulation" is enabled.Windows requires a user to lock and unlock their sessi
e a protected option it stops the installation and displays a message. These security features operate only when the installation program is
onfigure this policy setting by default only system administrators can browse during installations with elevated privileges such as installatio
cy setting does not affect installations that run in the user's security context. By default users can install patches to programs that run in th
uns in the user's security context. During privileged installations such as those offered on the desktop or displayed in Add or Remove Prog
icy setting the system applies the current user's permissions when it installs programs that a system administrator does not distribute or o
main on disk and will be deleted when the product is removed. If you set the baseline cache to 100 the Windows Installer will use availa
s a new leaf feature to an existing feature tree.If you disable or do not configure this policy setting the Windows Installer will use less restr
as those offered on the desktop or in Add or Remove Programs.Also see the "Enable user to patch elevated products" policy setting.
y if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator whether "Disable
m interrupting an installation to gather data about the internal state of the computer or to search secure system files. However because an
he "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.
stalled application to be visible to users even if those users have a per-user install of the product registered in their user profile.
t. But only system administrators can browse when an installation is running with elevated system privileges such as installations offered o
or enterprises to prevent unauthorized or malicious editing of transform files.If you disable this policy setting Windows Installer stores tran
e letters "iweap."
e application.
a the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy.If you disable or do no
on permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add
€™s hard drive at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for
unning on the secure desktop can simulate the SAS.
ws desktop.For domain user accounts in Windows Server 2003 Windows 2000 native or Windows 2000 mixed functional level domains if y
ocked with all lock screen apps configured for that user after the device boots.â€‹After enabling this policy you can configure its settings th
cally in this scenario.When this policy is either disabled or not configured Windows Media DRM functions normally and will connect to the
ow are not available.
ng is available only on the Windows XP Home Edition and Windows XP Professional operating systems.
o use Windows Messenger enable the "Do not allow Windows Messenger to run" policy setting.Note: This policy setting is available under
he Computer Configuration policy setting takes precedence over the User Configuration policy setting.
not configured the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a module or
Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer C
Shell session. If you disable this policy setting transcripting of PowerShell-based applications is disabled by default although transcriptin
oth "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has precedence o
dless of whether or not any WinRM listeners are configured.The service listens on the addresses specified by the IPv4 and IPv6 filters. The
ug-ins and the RunAsPassword value will be stored securely.If you enable and then disable this policy settingany values that were previous
aining an invalid channel binding token is rejected. However a request that does not contain a channel binding token is accepted (though i
nformation will be shown on notifications. Not configured: Same as Disabled.

ain User Interface End User License Agreement or Windows Update setting changes.There are two situations where the effect of this setti
te service must always be signed by Microsoft and are not affected by this policy setting.Note: This policy is not supported on Windows RT
This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
3 = (Default setting) Download the updates automatically and notify when they are ready to be installed Windows finds updates t
me the user selects the Shut Down option in the Start menu.Note that this policy setting has no impact if the Computer Configuration\Adm
s policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side targeting.
e system will not wake unless there are updates to be installed. If the system is on battery power when Windows Update wakes it up it wi
5 minutes to complete the installation.Note: This policy applies only when Automatic Updates is configured to perform scheduled installati
installations of updates. If the "Configure Automatic Updates" policy is disabled this policy has no effect.
y due to device availability and network connectivity.Set a grace period for feature updates and quality updates to guarantee users a minim
nding restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed within the specified pe
ver name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of
nless otherwise configured via the Specify active hours range for auto-restarts policy.
ut the software or install it. The user can also click "Close this message" or "Show me later" to defer the notification as appropriate.In Win
he upcoming release of Windows 10 prior to it being released to the world. These builds are supported by Microsoft. The Release Preview
se Updates | To prevent Feature Updates from being received on their scheduled time you can temporarily pause Feature Updates. The p
es not apply to a user Work Folders is not automatically set up. If you disable or do not configure this policy setting Work Folders uses th
her reasons (such as a missing hardware device) this policy will not force that page to appear. After this the policy string must contain a se
lock screen and logon image to be shown.Note: This setting only applies to Enterprise Education and Server SKUs.
ut Panel is collected and stored. Note: Automatic learning of both text and ink might not be available for all languages even when handwr
by configuring the LocalAccountTokenFilterPolicy registry value to 1.For more information about local accounts and credential theft see "
se this setting is not a true Group Policy setting and "tattoos" the registry enabling the "Allow all activation" option is the only way to resto
erMRxSmb10MRxSmb20NSIWARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!Changes to this se
e effect.For more information see https://support.microsoft.com/kb/2696547
and the Restrict JScript process-level policy for Windows please refer to: https://docs.microsoft.com/en-us/previous-versions/windows/int
8 R2 or Windows Server 2012 KB2871997 must first be installed.For more information see http://support.microsoft.com/kb/2871997 and h
TS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings it is possible to control BITS pe
policy setting is disabled or not configured.
bled or not configured.
o not configure this policy setting BITS uses all available unused bandwidth. Note: You should base the limit on the speed of the netwo
network bandwidth used for peer caching. If you disable this policy setting or do not configure it the default value of 30 percent of th
vices and the local administrator account do not count toward this limit.
ng. The values that can be assigned are: - Always transfer - Transfer unless roaming - Transfer unless surcharg
not configure this policy setting the limits defined for work or nonwork schedules will be used. Note: The bandwidth limits that are se
you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday and then set
o specified number of days. If you disable or do not configure this policy setting the default value of 90 (days) will be used for the ina
Not Configured. With this selection BranchCache latency settings are not applied to client computers by this policy. In the circumstance w
not applied to client computers and the clients run the version of BranchCache that is included with their operating system.- Enabled. With
etting to take effect you must also enable the "Turn on BranchCache" policy setting.This policy setting can only be applied to client comput
ers detect hosted cache servers hosted cache mode is turned on. If they do not detect hosted cache servers hosted cache mode is not tur
ter policy to enable BranchCache client computer cache age settings on individual client computers. Because the domain Group Policy setti
hCache on all client computers you can specify Not Configured for this domain Group Policy setting and then configure local computer poli
mputers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on
for this domain Group Policy setting and then configure local computer policy to enable BranchCache client computer cache settings on in
domain Group Policy setting and then configure local computer policy to enable BranchCache on individual client computers. Because the
age do not matter. The syntax is â€œHTTP:â€ followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web se
CA functionality.
ames (such as â€œPRINTSVRâ€) for local resources when connected to a different intranet and for temporary access to intranet resource
ocal DNS client's primary domain suffix a connection-specific domain suffix and a DNS suffix search list.If attaching suffixes is allowed and
ll use locally configured settings.
ed to single-label names. You must specify at least one suffix. Use a comma-delimited string such as "microsoft.comserverua.microsoft.com
work connections.
her in the binding order.Note: This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disa
S suffix which is usually the DNS name of Active Directory domain to which it is joined.
CP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.Devolution is not enabled if a global suffix search list is configured u
ck box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.Devolution is not enabled if a gl
S suffix. This applies to all network connections used by computers that receive this policy setting.For example with a computer name of m
ceeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.If you di
an the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.To specify the registration refr
cord that has the client's current IP address.If you enable this policy setting or if you do not configure this policy setting DNS clients mainta
MNR and NetBT queries.
s try to use secure update.

ecords that the computer needs to update.
t take effect until you restart Windows.

the domain Group Policy setting is not configured it will not over-write the enabled setting that you use on individual servers where you w
applied to client computers by this policy setting. In this circumstance which is the default both V1 and V2 hash generation and retrieval ar
take effect until you restart Windows.

ng and SMB Encryption are disabled. As a result clients that allow insecure guest logons are vulnerable to a variety of man-in-the-middle a
s hosted on a Windows Failover Cluster with the File Server for General Use role as it can lead to adverse failover times and increased mem
ead.If you disable or do not configure this policy setting the default behavior of LLTDIO will apply.
public network" and "Prohibit operation while in private network" options instead.If you disable or do not configure this policy setting the
empty leave the checkbox unchecked.2. In order to use a corporate seed server only enable the setting; insert the fully qualified domain n
ng is not configured the protocol will revert to using a public registry key to determine whether it will publish the computer or will use mul
publish or resolve names regardless of whether the computer has an IPv6 address that matches the cloud scope.If you disable or do not c
tting is not configured the protocol will revert to using a public registry key to determine whether it will publish the computer or will use m
tting is not configured the protocol will revert to using a public registry key to determine whether it will publish the computer or will use m
setting does not remove an existing Network Bridge from the user's computer.
tting Internet Connection Firewall cannot be enabled or configured by users (including administrators) and the Internet Connection Firewall
etting or do not configure it and have two or more connections administrators can enable ICS. The Advanced tab in the properties dialog b
you do not configure this policy setting traffic between remote client computers running DirectAccess and the Internet is not routed throu
ist by using Security Descriptor Definition Language (SDDL) strings. For more information about the SDDL format see the Windows Defend
g ICMP message types. As a result utilities that use the blocked ICMP messages will not be able to send those messages to or from this co
m to a local port exceptions list Windows Defender Firewall does not open the port. In the Windows Defender Firewall component of Cont
l connections to SVCHOST.EXE and LSASS.EXE.If you enable this policy setting Windows Defender Firewall allows the computer to receive t
ender Firewall does not open the port. In the Windows Defender Firewall component of Control Panel the "Remote Desktop" check box is
nistrator attempts to open these ports by adding them to a local port exceptions list Windows Defender Firewall does not open the ports.
prevent all locally created rules from applying use the Group Policy Object Editor snap-in and configure Computer Configuration\Window
nap-in. If you wish to prevent all locally created rules from applying use the Group Policy Object Editor snap-in and configure Computer C
og file. Default path for the log file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.If you disable this policy setting Windows De
tion from the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions list that i
and then click the Show button. To add a program enable the policy setting note the syntax click the Show button. In the Show Contents d
d incoming messages. In the Windows Defender Firewall component of Control Panel the "Block all incoming connections" check box is cle
of Control Panel the "Notify me when Windows Defender Firewall blocks a new program" check box is selected by default and administra
Defender Firewall always permits those DHCP unicast responses. However this policy setting can interfere with the NetBIOS messages tha
policy setting overrides.
g ICMP message types. As a result utilities that use the blocked ICMP messages will not be able to send those messages to or from this co
m to a local port exceptions list Windows Defender Firewall does not open the port. In the Windows Defender Firewall component of Cont
l connections to SVCHOST.EXE and LSASS.EXE.If you enable this policy setting Windows Defender Firewall allows the computer to receive t
ender Firewall does not open the port. In the Windows Defender Firewall component of Control Panel the "Remote Desktop" check box is
nistrator attempts to open these ports by adding them to a local port exceptions list Windows Defender Firewall does not open the ports.
prevent all locally created rules from applying use the Group Policy Object Editor snap-in and configure Computer Configuration\Window
nap-in. If you wish to prevent all locally created rules from applying use the Group Policy Object Editor snap-in and configure Computer C
og file. Default path for the log file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.If you disable this policy setting Windows De
tion from the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions list that i
and then click the Show button. To add a program enable the policy setting note the syntax click the Show button. In the Show Contents d
d incoming messages. In the Windows Defender Firewall component of Control Panel the "Block all incoming connections" check box is cle
of Control Panel the "Notify me when Windows Defender Firewall blocks a new program" check box is selected by default and administra
Defender Firewall always permits those DHCP unicast responses. However this policy setting can interfere with the NetBIOS messages tha
policy setting overrides.
]|For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043

onfigure this policy setting apps will use the Internet proxies auto-discovered by Windows Network Isolation.Example: [3efe:3022::1000];1
olicy setting.If you disable or do not configure this policy setting Windows Network Isolation attempts to automatically discover your priva
s can work offline by default but they can change this option.This setting appears in the Computer Configuration and User Configuration fo
er on a regular basis.You can also configure Background Sync for network shares that are in user selected Work Offline mode. This mode i
ant to set a threshold value of 128000 bps enter a value of 1280.
specifying threshold values for Throughput (in bits per second) and/or Latency (in milliseconds) for specific UNC paths. We recommend th
t of the space on the system drive.If you do not configure this setting disk space for automatically cached files is limited to 10 percent of th
connection to the server is slow. For example you can configure a value of 60 ms as the round trip latency of the network above which file
ive Encryption while on the server. The cached copy on the local computer is affected but the associated network copy is not. The user can
omputer is connected and disconnected from the network."3" also records an event when the server hosting the offline file is reconnected
semicolon (;).Note: To make changes to this setting effective you must log off and log on again.
the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit for autom
and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions through the
Tip: To view the Offline Files Folder in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and then click "V
quick method for locking down the default settings for Offline Files. To accept the defaults just enable this setting. You do not have to disa
on frequency without establishing a setting in Windows Explorer on the Tools menu click Folder Options and then click the Offline Files tab
rver 2012 Windows Server 2008 R2 Windows Server 2008 Windows 8 Windows 7 or Windows Vista.
r all files and folders.Notes:This policy setting appears in the Computer Configuration and User Configuration folders. If both policy setting
or offline use).If you do not configure this policy setting no files or folders are made available for offline use by Group Policy.Note: This setti
guration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User Configura
gure this setting and Synchronization Manager is configured for logon synchronization the system performs a quick synchronization by def
"Enable reminders" option on the Offline Files tabThis setting appears in the Computer Configuration and User Configuration folders. If bo
or the community.If you disable or do not configure this policy setting the SNMP service takes the Valid Communities configured on the lo
on the local computer instead.Best practice: For security purposes it is recommended to restrict the HKLM\SOFTWARE\Policies\SNMP\Pa
kes the trap configuration configured on the local computer instead.Note: This setting has no effect if the SNMP agent is not installed on th
will not have a 6to4 interface. If no global IPv6 address is present and a global IPv4 address is present the host will have a 6to4 interface.P
successfully ISATAP connectivity is not available on the host using the corresponding IPv4 address.Policy Enabled State: If the ISATAP name
sh rate is 30 seconds.
lly. If the traffic level is above a certain threshold no further action is taken. The computer stays connected to the network and continues t
of preference (from most preferred to least preferred): Ethernet WLAN then cellular. Ethernet is always preferred when connected. Users
ver media other than Ethernet and a user attempts to create a manual connection to an additional network in violation of this policy settin
policy setting is disabled both "Connect to suggested open hotspots" "Connect to networks shared by my contacts" and "Enable paid servi
access cellular data and employees in your organization cannot change it.If you disable or do not configure this policy setting employees i
se a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers.
click "Start" click "Control Panel" and then click "Network and Internet". On the "Network and Internet" page click "Network and Sharing C
P/IP printer limits are applicable. On Windows 10 only if you disable or do not configure this policy setting the default limit is applied.
cted from the network. Note: You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust the cont
e load on the server.If you do not enable this policy setting the behavior is the same as disabling it.Note: This policy does not determine w
or group of printers that you want them to use. If you disable this setting or do not configure it and the user does not type a location a
ab and then click "Enable Web content in folders.") Also see the "Activate Internet printing" setting in this setting folder and the "Bro
Note: This setting is used only on domain controllers.
. If you enable this setting you can change the interval between attempts. If you do not configure or disable this setting the de
ice packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as they ca
ut restarting the print spooler service.

ntinue to search for compatible Point and Print drivers from Windows Update if needed. However you must explicitly enable this policy se
olicy setting applies only to applications opted into isolation.-This policy setting applies only to print drivers loaded by applications. Print dr
pruned from the directory. If you enable this policy setting the contact events are recorded in the event log. If you disable or do
kes effect without restarting the print spooler service.

network administrator. When using package point and print client computers will check the driver signature of all drivers that are downlo
need to be updated. If you do not configure this policy setting: -Windows Vista client computers can point and print to any serve
le the Group Policy Computer location setting the default location you entered appears in the Location field by default.If you disable this s
ers in Active Directory automatically by default the system never prunes their printer objects. You can enable this setting to change t
bsites.Note: The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder.Also see the "R
onfigure this setting the all apps list will be visible by default and the user can change "Show app list in Start" in Settings.
he Windows Security and logon screens is also available.
anages same part of Start menu but with fewer options).

e\Layout.xml. If the specified file is not available when the user logs on the layout won't be changed. Users cannot customize their Start sc
ll connect to WNS at user login and applications will be allowed to poll for tile notification updates in the background. No reboots or
is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.)If you dis
ely shuts down to a fully powered-off state.

might stop.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in
urn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel.
older and D:\somefolder add the following string to the edit box: "%windir%\help;D:\somefolder". Note: An environment variable ma
hese locations cannot launched from Help
dex of the image to use in the WIM file. For example â€œwim:\\server\share\install.wim:3â€.If you disable or do not configure this policy
malities.
e server is configured to display the customized Access Denied message. By default users see the standard Access Denied message.
ng Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh select 0.
When the limit is reached the log file will roll over. When a new record is to be added (bottom of the list) one or more of the oldest records
read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private inform
ee KB.FWlink for KB:http://go.microsoft.com/fwlink/?LinkId=301508Note: The "Allow delegating default credentials" policy setting can be
egated. The use of a single wildcard character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrika
g fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which
nly server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to
"Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the targ
rmitted to any machine.If you disable this policy setting delegation of saved credentials is not permitted to any machine.Note: The "Allow
fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Sessio
urces.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop S
host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* R
e hosts support the newest version.Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version bu
ential Guard to connect to remote hosts.Â Require Restricted Admin: Participating applications must use Restricted Admin to connect to r
ther: 1) first update the policy to a non-protected policy and then disable the setting or 2) disable the setting and then remove the polic
otely if it was previously turned on with the "Enabled without lock" option. The "Enabled with UEFI lock" option ensures that Virtualization
tificate are selected for installation over drivers that are signed by other Authenticode certificates.
tting members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers
etting the "Prevent installation of devices that match any of these device instance IDs" policy setting or the "Prevent installation of remov
ation of devices that match any of these device instance IDs" policy setting or the "Prevent installation of removable devices" policy settin
ent installation of devices that match any of these device instance IDs" policy setting or the "Prevent installation of removable devices" po
e device classes" policy setting "Prevent installation of devices that match any of these device instance IDs" or "Prevent installation of rem
op client to the remote desktop server.If you disable or do not configure this policy setting Windows can install and update device drivers
only if the NV cache feature is on.
cache are appropriately configured.Note: This policy setting will take effect on next boot.If you do not configure this policy setting the defa
ify a disk quota limit use the "Default quota limit and warning level" policy setting. Otherwise the system uses the physical space on the vo
reach an unenforced limit their status in the Quota Entries window changes but they can continue to write to the volume as long as physi
ment policy settings for disk quotas. As a result you can direct the system to log an event regardless of whether or not you choose to enfor
ent users can detect that they have reached their warning level because their status in the Quota Entries window changes.Note: To find th
s for current users or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).If you dis
t and back in to Windows. Be aware of the following:Per Process System DPI will only improve the rendering of desktop applications that a
DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1 DCOM w
timalware boot-start driver.If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time th
folders the folders are redirected on the user's primary computer only.If you disable or do not configure this policy setting and the user ha
n Windows Vista Windows 7 Windows 8 and Windows Server 2012 when it processes a legacy redirection policy already deployed for thes
s posted stating that loopback was invoked in Replace mode.If you enable this policy setting the behavior is exactly the same as in Window
ways uses local ADM files in your %windir%\inf directory when editing GPOs.This leads to the following behavior:- If you had originally crea
equiring synchronous processing such as Software Installation Folder Redirectionand Drive Maps preference extension will not be applied
ons can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating a
nections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updati
significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affected prefer
tion in the case that no network bandwidth speed is determined.Note: When Group Policy detects a slow network connection Group Polic
ow connections can cause significant delays.The "Do not apply during periodic background processing" option prevents the system from u
ons can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating aff
gnificant delays.The "Do not apply during periodic background processing" option prevents the system from updating affected policies in t
across slow connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the sy
t delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affected preference item
ction such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic backgrou
ates the policies even when the update is being transmitted across a slow network connection such as a telephone line. Updates across slo
significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affected prefere
e Group Policy Slow Link Detectionâ€ policy setting to configure asynchronous foreground behavior.) The slow link value that is defin
ction slower than this rate is considered to be slow. If you type 0 all connections are considered to be fast.If you disable this setting or do n
e significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affected prefe
h as a telephone line. Updates across slow connections can cause significant delays.The "Do not apply during periodic background process
ns can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating aff
hone line. Updates across slow connections can cause significant delays.The "Do not apply during periodic background processing" option
ephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic background processing" o
on such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic backgroun
low connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system fro
as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic background proces
connection such as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic ba
ss slow connections can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system
restart.The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have
use significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affected pre
uch as a telephone line. Updates across slow connections can cause significant delays. 2. The "Do not apply during periodic background pr
during periodic background processing" option prevents the system from updating affected policies in the background while the compute
next user logon or system restart.The "Process even if the Group Policy objects have not changed" option updates and reapplies the polici
e significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affected prefe
cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating affected
onnection" option updates the policies even when the update is being transmitted across a slow network connection such as a telephone l
ns can cause significant delays. 2. The "Do not apply during periodic background processing" option prevents the system from updating aff
eplace the user settings normally applied to the user."Merge" indicates that the user settings defined in the computer's Group Policy Obje
cant delays.The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the b
se significant delays.The "Do not apply during periodic background processing" option prevents the system from updating affected policie
ter Configuration setting.Also see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administrative Tem
œConfigure Group Policy Slow Link Detectionâ€ policy setting to configure asynchronous foreground behavior.) The slow link value th
o change the policy refresh interval.Note: If you make changes to this policy setting you must restart your computer for it to take effect.
als are not appropriate for most installations.If you disable this setting Group Policy is updated every 90 minutes (the default). To specify t
tes (the default). To specify that Group Policies for users should never be updated while the computer is in use select the "Turn off backgr
s on computers running Windows Vista operating system.
default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace con
re a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items unde
here a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items un
file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items under User Config
a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items under U
here a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items un
e created on the client computer and you must turn on the "Tracing" option. If there are no preference items under User Configuration in
on where a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference item
file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items under User Configu
file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items under User Configu
ce file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items under User Confi
h in the "User trace" box to the location where a user trace file can be created on the client computer and you must turn on the "Tracing"
e location where a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no prefere
cation where a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference
on where a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference ite
e file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items under User Config
e location where a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no prefere
e file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items under User Confi
ocation where a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no preferenc
ce file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items under User Confi
trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items under User C
a user trace file can be created on the client computer and you must turn on the "Tracing" option. If there are no preference items under U
eceive notifications and critical updates from Windows Update.Note: This policy applies only when this PC is configured to connect to an i
e or do not configure this policy setting your computer will contact the Windows Update website.
k which prompts the user and then sends information about the event over the Internet to Microsoft. Also see "Events.asp URL" "Events.a
th Microsoft.If you do not configure this policy Tablet PC users can choose whether or not they want to share their writing samples from th
ordering wizards for more information including details on specifying service providers in the registry.
the Search Companion feature completely.
o be collected.
do not configure this policy setting the administrator can use the Problem Reports and Solutions component in Control Panel to enable W
s/Windows Error Reporting.
e Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows.
ms compound authentication or armoring which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier o
lic key credentials.If you disable or not configure this policy setting then the DC will never offer the PKInit Freshness Extension and accept
in functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003 Windows 2000 native or W
client sends a compound authentication request regardless of the account configuration.
rted and set identically on all domain controllers in the domain.
e or do not configure this policy setting the threshold value defaults to 12000 bytes which is the default Kerberos MaxTokenSize for Windo
d authentication request first then a compound authentication request when the service requests compound authentication.
ng remove the current entry from the list and add a new one with different parameters.If you disable this policy setting the host name-to-K
Value Name or Value entry from the list click the entry and then press the DELETE key. To edit a mapping remove the current entry from t
Kerberos armoring. If you disable or do not configure this policy setting the client computers in the domain enforce the use of Kerberos ar
ve claims for clients using Kerberos protocol transition.
tion of the KDC's X.509 certificate.If you disable or do not configure this policy setting the Kerberos client requires only that the KDC certific
MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters which was added i

tton. To remove a mapping from the list click the mapping entry to be removed and then press the DELETE key. To edit a mapping remove
e or more applications are configured for Dynamic Access Control.Always: Compound authentication is always provided for this computer
certificates then authentication will fail.If you disable this policy setting certificates will never be used.If you do not configure this policy se
setting the user can select a custom locale as their user locale.If this policy setting is enabled at the machine level it cannot be disabled by
Disabled at the computer level then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level then r
select any system locale shipped with the operating system.
you disable or do not configure this policy setting users can select any locale installed on the computer unless restricted by the "Disallow
evice. Instead a password is required immediately after the screen turns off.If you don't configure this policy setting on a domain-joined d
ed on. Therefore they must be processed in the foreground before users are actively using the computer. In addition changes that are mad
ettings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To display the w
Computer Configuration takes precedence over the policy setting in User Configuration.Note: To create a customized run list by using a po
e registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.Also see the ""Do not process the legacy run
re available for authentication purposes.
ears in the Computer Configuration and User Configuration folders. If both settings are configured the system starts the programs specifie
s setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not
unk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Active Tem
orithms represents a potential security risk.If you disable this policy setting Net Logon will not allow the negotiation and use of older crypt
d by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no applicati
gon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only r
tting is too small a client will stop trying to find a DC too soon.
e set in this setting is very small and the DC is not available the traffic caused by periodic DC discoveries may be excessive.
tting is used.Warning: If the value for this setting is too large a client may take very long periods to try to find a DC.If the value for this settin
aviors:1 - Computers will ping DCs at the normal frequency.2 - Computers will ping DCs at the higher frequency.To specify this behavior cli
s.If you enable this policy setting this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC l
NetBIOS-based discovery for DC location if only the NetBIOS domain name is known.If you enable or do not configure this policy setting th
fficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Redisco
to enable the default behavior.If you enable this policy setting DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavi
535.If you do not configure this policy setting it is not applied to any DCs and DCs use their local configuration.
additional client IP addresses.To specify this behavior in the DC Locator DNS SRV records click Enabled and then enter a value. The range
yGuid SRV _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>GcIpAddress A gc._msdcs.<DnsForestName>DsaCnam
ld be preserved in the database.Warning: If the DNS resource records are registered in zones with scavenging enabled the value of this setti
IP subnets that allow administrators to configure Active Directory access and replication.To specify the sites covered by the DC Locator ap
ames in a space-delimited format.If you do not configure this policy setting it is not applied to any DCs and DCs use their local configuratio
ain in Active Directory.To specify the sites covered by the GC Locator DNS SRV records click Enabled and enter the sites' names in a space-
you enable this policy setting Try Next Closest Site DC Location will be turned on for the computer.If you disable this policy setting Try Nex
t applied to any DCs and DCs use their local configuration.
specified with a single-label name by appending different registered DNS suffixes to perform DNS name resolution. The single-label name
d or perform NetBIOS name resolution otherwise to attempt to locate a domain controller that hosts an Active Directory domain specified
for changes to this setting to take effect.More information is available at https://aka.ms/lowercasehostnamesrvrecord
and "Reinstall Windows" (or "Return your computer to factory condition") in Recovery (in Control Panel) will be unavailable. However with
o remotely control the computer." When you configure this policy setting you also specify the list of users or user groups that are allowed t
te Assistance settings.If you enable this policy setting you have two ways to allow helpers to provide Remote Assistance: "Allow helpers to
ication-based settings are used.
Mapper Service.If you do not configure this policy setting it remains disabled. RPC clients will not authenticate to the Endpoint Mapper Se
n and connect to servers using constrained delegation. If you do not configure this policy setting it remains disabled and will generate RPC_
only about 4K of memory this setting is not recommended for most installations.-- "Auto1" directs RPC to maintain basic state information
must select an error response type in the drop-down box.-- "Off" disables all extended error information for all processes. RPC only gener
PC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value of "None
n of Windows this policy setting will be ignored.The minimum allowed value for this policy setting is 90 seconds. The maximum is 7200 seco
DesktopIT GPOs A B and C are applied. Therefore the scripts for GPOs B and C run in the following order for DesktopIT:Within GPO B: B.ps1
s for GPOs B and C run in the following order for Qin:Within GPO B: B.ps1 B.cmdWithin GPO C: C.ps1 C.cmd For Tamara GPOs B and C are
tartup script must complete before the next one runs. Also you can use the ""Run logon scripts synchronously"" setting to direct the syste
controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).This setting only takes effec
tting Server Manager does not refresh automatically. If you do not configure this policy setting Server Manager uses the refresh interval setti
ilable from the Start menu or the Windows taskbar.
is turned off until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings.
"Turn off System Restore configuration" policy setting is overwritten.

m Restore" policy setting is disabled or not configured the "Turn off System Restore configuration" policy setting is used to determine whet
setting the DPS enables all scenarios for resolution by default unless you configure separate scenario-specific policy settings.This policy se
ured with the Services snap-in to the Microsoft Management Console.
tibility issues.Note: This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. The Diagnosti
ws will log an administrator event with instructions if manual recovery is possible.If you enable this setting the recovery behavior for corrup
ot executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. Note: For Windows Server syste
s policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No reboots or service restarts are requ
pped or disabled diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Managemen
Service (DPS) is in the running state. When the service is stopped or disabled diagnostic scenarios will not be executed. The DPS can be co
s policy setting MSDT never downloads tools and is unable to diagnose problems on remote computers.If you do not configure this policy
is available and allow users to choose to apply or ignore.3 = Automatically apply troubleshooting for critical and other problems by system
le corruption will be performed without UI. Recovery is not attempted.If you enable this policy setting the recovery behavior for corrupte
troubleshooting preference is configured scheduled diagnostics are enabled for detection troubleshooting and resolution by default.No re
mputers even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the Windows O
ce problems that are handled by the DPS.If you do not configure this policy setting the DPS will enable Windows Boot Performance for res
ake effect. Changes take effect immediately.
dows Resource Exhaustion problems that are handled by the DPS.If you do not configure this policy setting the DPS will enable Windows R
Shutdown Performance problems that are handled by the DPS.If you do not configure this policy setting the DPS will enable Windows Shu
esolve any Windows Standby/Resume Performance problems that are handled by the DPS.If you do not configure this policy setting the D
System Responsiveness problems that are handled by the DPS.If you do not configure this policy setting the DPS will enable Windows Syste
ntication setting you choose.Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner auth
d TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc" navigating to the "Command Manage
of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disab
e Group Policy list of blocked TPM commands.If you disable or do not configure this policy setting Windows will block the TPM commands
n addition to commands in the Group Policy and default lists of blocked TPM commands.
uthorization failures older than the duration are ignored.For each standard user two thresholds apply. Exceeding either threshold will prev
older than this duration are ignored.For each standard user two thresholds apply. Exceeding either threshold will prevent the standard use
re occurred. Authorization failures older than the duration are ignored.For each standard user two thresholds apply. Exceeding either thre
s given full control of their user profile and the administrators group has no file system access to this folder.Note: If the policy setting is en
network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider
icy setting Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off.Important: Do not e
tween the user's computer and profile server. If the connection is slow (as defined by the "Slow network connection timeout for user profi
the profile folder already exists and not copy files to or from the roaming folder if the permissions are not correct.By configuring this poli
are any open handles to the per-user registry keys at user logoff.
he roaming profile is downloaded on the user's primary computer only.If you disable or do not configure this policy setting and the user ha
policy setting type the number of seconds Windows should wait for user input. The minumum value is 0 seconds and the maximum is 600
rom the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is d
course of one minute).If you enable this policy setting you can adjust the number of times the system tries to unload and update the user'
rofile. At logoff changes are saved to the local profile. All subsequent logons use the local profile. If you disable this setting or do not confi
when the user logs off.If you disable or not configure this policy setting the default behavior occurs as indicated above.Note: This policy setti
e network connection speed. If you disable or do not configure this policy setting the system does not consult the user. Instead the system
do not configure this policy setting Windows waits for the network for a maximum of 30 seconds.
disable or do not configure this policy setting users logging on this computer will use their local profile or standard roaming user profile.N
pecified time of day" is chosen then a time of day must be specified. Once set Windows uploads the registry file at the same time every da
r for the user name because the user name will be appended at logon.Note: The Drive letter box is ignored if you choose â€œOn the local
t have the enterprise authentication capability will not be able to retrieve the user's UPN SIP/URI and DNS. Selecting this option may have
"Prompt user when slow link is detected" policy setting) but does not respond in the time allowed (as set in the "Timeout for dialog boxes
ows File Protection provides.
cates how many consistent time samples the client computer must receive in a series before subsequent time samples are evaluated as p
hentication that W32time uses. The default value is NT5DS.CrossSiteSyncFlagsThis value expressed as a bitmask controls how W32time cho
ore apps when using a special profile.If you disable or do not configure this policy setting Group Policy blocks deployment operations of Wi
to access account information and employees in your organization cannot change it.If you disable or do not configure this policy setting e
ye tracker and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your org
and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization
n your organization cannot change it.If you disable or do not configure this policy setting employees in your organization can decide wheth
hange it.If you choose the "Force Deny" option Windows apps are not allowed to get diagnostic information about other apps and employ
nization cannot change it.If you disable or do not configure this policy setting employees in your organization can decide whether Window
your organization cannot change it.If you disable or do not configure this policy setting employees in your organization can decide whethe
ages and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organiza
nd employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization ca
nd employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization c
ation cannot change it.If you disable or do not configure this policy setting employees in your organization can decide whether Windows a
and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization c
employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization can d
e microphone and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your
ed devices and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your org
wed to access user movements while the apps are running in the background and employees in your organization cannot change it.If you
Settings > Privacy on the device.This policy is applied to Windows apps and Cortana.
whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device.This policy is
"Force Deny" option Windows apps are not allowed to communicate with unpaired wireless devices and employees in your organization
radios and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organi
oyees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization can decid
ckground and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your org
hoose the "Force Deny" option Windows apps are not allowed to take screenshots of various windows or displays and employees in your o
t allowed to turn off the screenshot border and employees in your organization cannot change it.If you disable or do not configure this pol
p https and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted source
16-bit applications from running. In addition any 32-bit applications with 16-bit installers or other 16-bit components cannot run.If the sta
nt Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is tu
setting the PCA will be turned on. To configure the diagnostic settings for the PCA go to System->Troubleshooting and Diagnostics->Applic
ose changes.
autorun to: a) Completely disable autorun commands or b) Revert back to pre-Windows Vista behavior of automatically executi
tting to enable Autoplay on drives on which it is disabled by default. If you disable or do not configure this policy setting AutoPlay is e
r logon credentials.
computer's top-level folder view when the user chooses the option to save the recovery password in a folder.Note: This policy setting doe
figure this policy setting BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption method and
6-bit) as the "Choose drive encryption method and cipher strength (Windows Vista Windows Server 2008 Windows 7)" policy setting if it is
ker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.
as a text file and the 256-bit recovery key as a hidden file. Saving to a folder will store the 48-digit recovery password as a text file. Printin
attached Thunderbolt devices before exposing the new devices to Windows.
field on the drive matches the value configured in the identification field. In a similar manner BitLocker will only update the BitLocker To G
bout setting up AD DS backup for BitLocker is available on Microsoft TechNet.BitLocker recovery information includes the recovery passwo
this policy setting the object identifier specified in the "Object identifier" box must match the object identifier in the smart card certificate
p prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a
equired or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.Select "Omit recovery options from the BitLocke
ed encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted.If
cy setting users can configure a password that meets the requirements you define. To require the use of a password select "Require passw
be used to authenticate user access to a BitLocker-protected drive.
BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
with the server to unlock the computer. You can use the group policy setting "Computer Configuration\Windows Settings\Security Setting
and the hardware is capable of using Secure Boot for BitLocker scenarios the "Use enhanced Boot Configuration Data validation profile" gr
rmation" select whether users are allowed required or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.Sel
iod back to default if the TPM is reset.
L is available include it in the message.If you select the "Use custom recovery URL" option the URL you type in the "Custom recovery URL o
or recovery key be provided to unlock the drive.If you disable or do not configure this policy setting the TPM uses the default platform val
s using native UEFI firmware.If you enable this policy setting before turning on BitLocker you can configure the boot components that the
uters with UEFI firmware with a CSM enabled.If you enable this policy setting before turning on BitLocker you can configure the boot comp
are-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encr
enable this policy setting users can configure a password that meets the requirements you define. To enforce complexity requirements o
e that uses the Windows touch keyboard.Note that if you do not enable this policy setting options in the "Require additional authenticatio
authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will need to
p key is needed on computers without a compatible TPM. Without a TPM BitLocker-encrypted data is protected solely by the key material
s boot debugging (0x16000010) will always be validated and will have no effect if it is included in the provided fields.
" check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bitlockerto
e allowed required or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.Select "Omit recovery options from
e-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encryp
word that meets the requirements that you define. To require the use of a password select "Require password for removable data drive".
art cards are available to authenticate user access to a BitLocker-protected removable data drive.
n.If you do not configure this policy setting users can use BitLocker on removable disk drives.If you disable this policy setting users cannot
ng.If you disable or do not configure this policy setting all removable data drives on the computer will be mounted with read and write acc
please use the "Allow Diagnostic Data" policy and to restrict users on this device from changing the diagnostic data level please use the "C
disables the "Optional diagnostic data" control in the Settings app. - Send optional diagnostic data. Additional diagnostic data is collected
iagnostic Data" policy setting or by the end user from the Settings app.
bypass" option SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen wi
sociations.
onfigure this policy setting the protocol is in the protected mode allowing applications to only open a limited set of folders.
hs point to different network shares this policy setting is not required. If the paths point to the same network share any data contained in
o not configure this policy setting the user can configure their list of search providers unless another policy setting restricts such configurati
otifies the user when newly installed add-ons are ready for use. The user must choose to activate them by responding to the notification us
7 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary version 77 or laterIf the Windows Update for the next v
tcuts to these bars.If you enable this policy setting the navigation bar the menu bar and the Command bar are not visible and the user can
mpatibility problems with Microsoft Edge.Related policies:- Send all intranet sites to Internet Explorer (â€˜SendIntranetToInternetExplorerâ
eâ€¢Â 0 - Trusted Sites Zoneâ€¢Â 1 - Local Intranet Zoneâ€¢Â 0 - Local Machine Zoneâ€¢Â 6 - Intranet and Trusted site zones onlyÂ Â Bina
n for the phishing filter.
m administrative template file. For information about creating this custom administrative template file see the Internet Explorer documen
ative Templates\Windows Components\Internet Explorer\Internet Control Panel) which removes the Security tab from the interface takes
gnored.Also see the "Security zones: Use only machine settings" policy.
e to open in Internet Explorer 11.

y grow to use the specified integer number of tab processes regardless of the physical memory on the computer or how many Internet Exp
e threshold. This is the default.

or 1 the policy setting is ignored.If you enable this policy setting for an application or process in the list a script can perform a Clipboard o
es a current user agent string. Additionally all Standards Mode webpages appear in the Standards Mode available in the latest version of In
rds Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.If you do not configure this policy setti
Track data is preserved when the user clicks Delete.If you disable this policy setting ActiveX Filtering Tracking Protection and Do Not Track
ngs""Disable changing font settings""Disable changing language settings""Disable changing accessibility settings"
tting by using Advanced Options in Internet Control Panel. By default domain names are converted to IDN format only for addresses that ar
ng this option Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific exception. In
to install them.
ties before downloading them to user computers.

and the file system.When Enhanced Protected Mode is enabled and a user encounters a website that attempts to load an ActiveX control
er when browser windows are closed.
not configure this policy setting the user can select which encryption method the browser supports.Note: SSL 2.0 is off by default and is no
ture is turned off by default.
re this policy users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog.
s option to start with the tabs from the last session.

eir computers.
ta on their computers.
ng.If you disable or do not configure this policy setting Internet Explorer will use the default maximum storage limit for all application cach
ou disable or do not configure this policy setting Internet Explorer will use the default maximum storage limit for all indexed databases. Th
default is 50 MB.
le or do not configure this policy setting Internet Explorer will use the default maximum application cache resource list size for all applicati
me change should be made to the Locked-Down equivalent.Note. It is recommended to configure template policy settings in one Group Po
security settings that protect your local computer.)If you enable this policy setting you can enter a list of sites and their related zone numb
rns off the Notification bar.

to access data from another site in the zone.
.If you do not configure this policy setting the Notification bar will appear to allow control over questionable content accessed over any re
net Explorer.
e Internet Explorer.
thumbnails it is the zone of the thumbnail that is checked not the zone of item. Typically these are the same but a source is able to define
s and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictate
fied zones.
nonsecure content cannot be displayed.If you do not configure this policy setting the user will receive the security information message o
n are in different windows. Users can change this setting in the Internet Options dialog.In Internet Explorer 9 and earlier versions if you dis
e source and destination are in the same window. Users can change this setting in the Internet Options dialog.In Internet Explorer 9 and e
e this policy setting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
pages in this zone.

known as NTLM authentication). If Windows NT Challenge Response is supported by the server the logon uses the user's network user nam
atically installed on users' computers.If you disable this policy setting permissions are set to high safety.If you do not configure this policy s
on pages in this zone to be submitted.
thin a Web page saved to disk.

g Web sites from less privileged zones can open new windows in or navigate into this zone.
ed in the zone that uses MSXML or ADO to access data from another site in the zone.
net Explorer.
ne runs without the added layer of security provided by this feature.
fied zones.
pages in this zone.


g Web sites from less privileged zones can open new windows in or navigate into this zone.
ccess data from another site in the zone.
net Explorer.
fied zones.
e this policy setting users are queried whether to allow the control to be loaded with parameters or scripted.
r intervention.

he possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from Zone
net Explorer.
fied zones.
ated by the feature control setting for the process.
pages in this zone.

ed in the zone that uses MSXML or ADO to access data from another site in the zone.
net Explorer.
fied zones.
pages in this zone.


net Explorer.
fied zones.
r intervention.

net Explorer.
fied zones.
n this zone.
y within a Web page saved to disk.

net Explorer.
fied zones.
r intervention.

cols is blocked.If you do not configure this policy setting all attempts to access such content over the restricted protocols is blocked when
net Explorer.
fied zones.
n this zone.
y within a Web page saved to disk.

net Explorer.
fied zones.
e this policy setting users are queried whether to allow the control to be loaded with parameters or scripted.
r intervention.

g a warning is issued to the user that potentially risky navigation is about to occur.
ser can select their preference for this behavior. Browsing to the top-result website is the default.
e Windows Search setting on or off.Note: If you enable this policy setting feeds do not appear in the Address bar. This does not affect subs
if the "Do not display the reveal password button" policy setting located in Computer Configuration\Administrative Templates\Windows C
LSID should be in brackets for example â€˜{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained by re
g.If you enable this policy setting Internet Explorer only allows add-ons that are specifically listed (and allowed) through the 'Add-on List' p
me is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter Internet Explorer processes in this list because these proces
net Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.For more information see "Outdated
will be allowed in zones set to 'admin-approved'.Note. If this policy is set in both Computer Configuration and User Configuration both list
Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take pr
tting Internet Explorer requires consistent MIME data for all received files.
e information is allowed to be inconsistent. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0
local files or content processed by any process other than Internet Explorer or those defined in a process list.
xplorer.If you do not configure this policy setting the Local Machine zone security applies to all local files and content processed by Interne
esses in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is en
the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the security fea
over that setting.If you disable or do not configure this policy setting the policy setting is ignored.
e policy setting is ignored.
is ignored.Do not enter the File Explorer or Internet Explorer processes in this list: use the related Internet Explorer Processes policy to en
ocols to access my computer."Note. If policy for a zone is set in both Computer Configuration and User Configuration both lists of protoco
cesses. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting. If you disable o
icy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy se
er processes.
Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Inter
his policy setting the security feature is allowed.
o not configure this policy setting the security feature is allowed.

er the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All
e user can enable or disable incompatible toolbars. Toolbars that are enabled or disabled via policy settings do not undergo these checks.
d. This setting does not affect whether users can sign in to devices by using Microsoft accounts or the ability for users to provide Microsoft
e service will remain running. If both are disabled the service will be stopped.
t is recommended that you leave this policy setting unconfigured.

tection state of the device. Setting to 2 (Never send) means the â€œBlock at First Sightâ€ feature will not function. Real-time Protectio
contact you. Possible options are: (0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership Basic membershi
pair: - Name column: Enter a valid ASR rule ID - Value column: Enter the status ID that relates to state you want to specify for the assoc
Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to write to disk sectors The
trusted applications in the Configure allowed applications GP setting.
tions (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positives) (
his setting definition retirement will be disabled.
value does not exist resolves to the default (0). If you enable this setting the specified type of monitoring will be enabled. If you disabl
t configure this setting security intelligence update sources will be contacted in a default order.
tting set to Enabled must be able to access the XML file otherwise the settings will not be applied.EnabledSpecify the location of the XML fi
or settings sync. This could use OneDrive Work Folders SharePoint or any other engine that uses a local folder to synchronize data between
ttings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Microsoft temp
you do not configure this policy setting any defined values will be deleted.
accessible through the Control Panel and the Start menu or Start screen.If you do not configure this policy setting any defined values are d
ng on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collection

d.If you do not configure this policy setting any defined values will be deleted.
ngs. If any of the Microsoft Office Suite 2010 applications are enabled this policy setting should not be disabled If you do not configure this
gs. If any of the Microsoft Office Suite 2013 applications are enabled this policy setting should not be disabled.If you do not configure this
gs. If any of the Microsoft Office Suite 2016 applications are enabled this policy setting should not be disabled.If you do not configure this
If you do not configure this policy setting any defined values will be deleted.
If you do not configure this policy setting any defined values will be deleted.
ontinue to synchronize with UE-V.If you disable this policy setting user settings which are common between the Microsoft Office Suite 2013
ontinue to synchronize with UE-V.If you disable this policy setting user settings which are common between the Microsoft Office Suite 2016
ith UE-V.If you do not configure this policy setting any defined values will be deleted.
ot configure this policy setting any defined values will be deleted.
n with UE-V.If you do not configure this policy setting any defined values will be deleted.
n with UE-V.If you do not configure this policy setting any defined values will be deleted.
h UE-V.If you do not configure this policy setting any defined values will be deleted.
nchronization with UE-V.If you do not configure this policy setting any defined values will be deleted.
nchronization with UE-V.If you do not configure this policy setting any defined values will be deleted.
V.If you do not configure this policy setting any defined values will be deleted.
on with UE-V.If you do not configure this policy setting any defined values will be deleted.
ner 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy setting any defined values will be de
not configure this policy setting any defined values will be deleted.
not configure this policy setting any defined values will be deleted.
ges using the Windows To Go Startup Options Control Panel item.
or do not configure this policy setting the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests on
nse server will issue a Windows Server 2008 TS CAL if available to the following:* A client connecting to a Windows Server 2003 terminal se
ient. When a user starts an RDP session the user is asked to confirm whether they want to connect.If you disable this policy setting users c
Host server without authenticating the RD Session Host server.Do not connect if authentication fails: The client establishes a connection t
ox on the Log on Settings tab in Remote Desktop Session Host Configuration.If you disable or do not configure this policy setting the version
e this policy setting for the computer the list of certificate thumbprints trusted for a user is a combination of the list defined for the compu
e RD Session Host server when they start a Remote Desktop Services session. For example a remote user can do this by specifying the prog
tab in the System properties sheet. By default remote connections are not allowed. Note: You can limit which clients are able to connect r
op Connection.
n minutes the server checks the session state. The range of values you can enter is 1 to 999999.If you disable or do not configure this polic
m the command line.
mum for the server. To specify an unlimited number of connections type 999999.If the status is set to Enabled the maximum number of con
etwork quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection and it will no
watch the session of a remote user without the user's consent.If you disable this policy setting administrators can interact with a user's Rem
Server 2008 or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running
sable this policy setting audio recording redirection is not allowed even if audio recording redirection is specified in RDC.If you do not confi
ways allowed if Clipboard redirection is allowed.If you do not configure this policy setting client drive redirection and Clipboard file copy red
policy setting users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R
specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services sessio
s a local administrator.
If you disable or do not configure this policy setting the licensing mode is not specified at the Group Policy level.
t server.If you disable or do not configure this policy setting the RD Session Host server does not specify a license server at the Group Polic
the client's printer is not available. This is the default behavior."Default to PCL if one is not found" - If no suitable printer driver can be foun
ession Host server does not have a printer driver that matches the client printer the server tries to use the Remote Desktop Easy Print driv
e that you have specified the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user pro
mputername\Sharename. Do not specify a placeholder for the user account name because Remote Desktop Services automatically adds th
ervices automatically appends this at logon.Note: The Drive Letter field is ignored if you choose to specify a local path. If you choose to spe
policy setting.
is not specified at the Group Policy level. Notes: 1. This policy setting is not effective unless both the Join RD Connection Broker and the
setting the policy setting is not specified at the Group Policy level.Notes: 1. For Windows Server 2008 this policy setting is supported on a
user session tracking is not performed. If the policy setting is disabled you cannot use either the Remote Desktop Session Host Configurati
RD Session Host server is not sent to the client. Instead the IP address is embedded in a token. When a client reconnects to the load balan
etting you can configure the RD Session Host server to participate in RD Connection Broker load balancing by using the Remote Desktop Se
p Connection (RDC) or by using the "allow desktop composition" setting in a Remote Desktop Protocol (.rdp) file. In addition the client com
nitial program is not specified the desktop is always displayed on the remote computer after the client connects to the remote computer.
age and bandwidth is used.You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algori
ality. If you enable this policy setting and set quality to High RemoteFX Adaptive Graphics uses an encoding mechanism that results in hi
nable this policy setting font smoothing will not be allowed for remote connections even if font smoothing is enabled in RDC or in the .rdp
nnect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1 and does not affect clients
nding on the client configuration.If the status is set to Not Configured the default behavior applies.
not specified at the Group Policy level.Note:1.Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows X
he Remote Desktop Session Host Configuration tool.
oes not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by con
able file to be run when the user logs on. If necessary in Working Directory type the fully qualified path to the starting directory for the pro
processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affected by thi
N connections and RDP 7.1.If you disable this policy setting RemoteFX will be disabled.If you do not configure this policy setting the defaul
Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disable or d
cally by supplying their passwords in the Remote Desktop Connection client.If you do not configure this policy setting automatic logon is n
of managing user access is by adding a user to the Remote Desktop Users group.
he RPC interface is used for administering and configuring Remote Desktop Services.
he RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended.* RDP: The RD
etwork Level Authentication supported.If you disable this policy setting Network Level Authentication is not required for user authenticati
was created with the specified certificate template the RD Session Host server will issue a certificate enrollment request and will use the cu
the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for
e-out limit.If you disable this policy setting Remote Desktop Services always disconnects a timed-out session even if specified otherwise by
ktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to end instea
ssions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when
hat disconnected sessions are maintained for an unlimited time select Never. If you have a console session disconnected session time limi
ed the user will reconnect to the disconnected session on the RD Session Host server.If you disable or do not configure this policy setting w
cified otherwise by the server administrator.Note: This setting only takes effect if per-session temporary folders are in use on the server. I
mote computer.If you disable this policy setting per-session temporary folders are always created even if the server administrator specifie
x?SearchString=$wThis adds intranet search location to:1) The Windows Deskbar2) The Desktop Search results search box3) The WDS sea
is the locale ID of your WSS Service. For example the English locale ID is 1033.http://sitename/_layouts/XXXX/searchresults.aspx?SearchSt
ocation of the index to maintain security for encrypted files.

play web results in Search" policy setting queries won't be performed on the web over metered connections and web results won't be disp
Indexing of Uncached Exchange Folders" policy has no effect on online delegate mailboxes. To stop indexing of online mailboxes and onlin
nts. If your users have Administrator permissions or can install software this policy prevents them from specifically using Windows Desktop
do not congifure this policy setting the Security Center is turned off for domain members. If you enable this policy setting Security Center i
3 Server will be shown otherwise the the certificate with the expiration time furthest in the future will be shown. Note: This setting will be
ate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be available
disable the subject name will be displayed as it appears in the certificate.

the Input Panel Options dialog box.If you do not configure this policy Input Panel will provide text prediction suggestions. Users will be ab
Options dialog box.If you do not configure this policy Input Panel will appear next to text entry areas in applications where this behavior is
you do not configure this policy Input Panel will appear next to text entry areas in applications where this behavior is available. Users will
will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy rarely used Chinese Kanji and Hanja c
put Panel Options.Caution: If you enable both the â€œPrevent Input Panel from appearing next to text entry areasâ€ policy and the â€œ
e lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting on the
el Options dialog box. If you enable this policy and choose â€œMedium-Lowâ€ from the drop-down box password security is set to â€œM
erant" users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will
setting is Disabled or Not Configured.Note: This setting appears in the Computer Configuration and User Configuration folders. If both setti
er Configuration.Tip: This setting affects existing tasks only. To prevent users from changing the properties of newly created tasks use the
ed Tasks folder. To prevent this action use the "Prohibit Drag-and-Drop" setting.Note: This setting appears in the Computer Configuration
over the setting in User Configuration.
bypass" option SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen wi
values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by using C
settings in Control Panel for Windows Error Reporting are applied.

ers that are running Windows XP Personal Edition and Windows XP Professional Edition and disable notification by default on computers
or is prompted to send them or until the administrator sends them by using the Solutions to Problems page in Control Panel.The Maximum
this policy setting users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Upload all
plications on this list setting and edit the list of application file names in the Show Contents dialog box. The file names must include the .ex
s policy setting errors are reported on all Microsoft and Windows applications by default.
t all application errors.If this policy setting is enabled the Exclude errors for applications on this list setting takes precedence. If an applicati
(within a high probability) does not contain personally-identifiable information is sent automatically and Windows prompts the user for co
Windows prompts the user for consent to send any additional data requested by Microsoft.- 3 (Send parameters and safe additional data
vated tasks without signing-out.This policy setting is incompatible with Windows Hello for Business credentials provisioned when the "Tur
hey must delete their existing PIN and create a new one and they will have to to re-register with any services to which the old PIN provided
o provisioning after sign-in" Windows Hello for Business does not automatically start provisioning after the user has signed in.If you do not
r to lock and unlock their session after changing this setting if the user is currently signed in.
hen the installation program is running in a privileged security context in which it has access to directories denied to the user.This policy se
ed privileges such as installations offered on the desktop or displayed in Add or Remove Programs.
hes to programs that run in their own security context. Also see the "Prohibit patching" policy setting.
played in Add or Remove Programs only system administrators can install from removable media.Also see the "Prevent removable media s
trator does not distribute or offer.Note: This policy setting appears both in the Computer Configuration and User Configuration folders. To
indows Installer will use available free space for the baseline file cache. If you disable or do not configure this policy setting the Windo
ows Installer will use less restrictive rules for component upgrades.
products" policy setting.
dministrator whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set and whether the upd
em files. However because an incomplete installation can render the system or a program inoperable do not use this policy setting unless
nstaller versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detec
n their user profile.
such as installations offered on the desktop or in Add or Remove Programs. This policy setting affects Windows Installer only. It does n
g Windows Installer stores transform files in the Application Data directory in the user's profile.If you do not configure this policy setting on
g policy.If you disable or do not configure this policy setting Windows Installer will automatically generate log files for those packages that
r publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family whe
orarily removes protection for system components and data but may be needed in certain circumstances to successfully update boot-critic
ed functional level domains if you enable this setting a warning message will appear that Windows could not retrieve the information and t
ou can configure its settings through the ConfigAutomaticRestartSignOn policy which configures the mode of automatically signing in and
ormally and will connect to the Internet (or intranet) to acquire licenses download security upgrades and perform license restoration.
olicy setting is available under both Computer Configuration and User Configuration. If both are present the Computer Configuration versio
ecution events of a module or snap-in are logged. By default the LogPipelineExecutionDetails property of all modules and snap-ins is set to
Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
y default although transcripting can still be enabled through the Start-Transcript cmdlet. If you use the OutputDirectory settin
nfiguration" has precedence over "User Configuration."If you disable or do not configure this policy setting it reverts to a per-machine pref
y the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses and the IPv6 filter specifies one or more ranges of
any values that were previously configured for RunAsPassword will need to be reset.
ng token is accepted (though it is not protected from credential-forwarding attacks). If HardeningLevel is set to None all requests are a
ns where the effect of this setting depends on the operating system: Hide/Restore updates and Cancel an install.On XP: If you enable this p
not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
d Windows finds updates that apply to the computer and downloads them in the background (the user is not notified or interrupted du
Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Dow
support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured this policy has
dows Update wakes it up it will not install updates and the system will automatically return to sleep in 2 minutes.
to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled this policy has no effect.
tes to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts during
ecuted within the specified period.If you do not specify a deadline or if the deadline is set to 0 the PC won't automatically restart and will
e download server instead of the intranet update service. If the status is set to Enabled the Automatic Updates client connects to the
tification as appropriate.In Windows 7 this policy setting will only control detailed notifications for optional applications. In Windows Vista
icrosoft. The Release Preview Channel is where we recommend companies preview and validate upcoming Windows 10 releases before br
pause Feature Updates. The pause will remain in effect for 35 days from the specified start date or until the field is cleared (Quality Update
cy setting Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine whethe
policy string must contain a semicolon-delimited list of settings page identifiers. The identifier for any given settings page is the published
languages even when handwriting personalization is available. See Tablet PC Help for more information.If you enable this policy setting au
unts and credential theft see "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques": http://www.microsoft.com/
option is the only way to restore default behavior after either of the "Block" options has been applied. We do not recommend configuring
MSTANCES!Changes to this setting require a reboot to take effect.For more information see https://support.microsoft.com/kb/2696547
previous-versions/windows/internet-explorer/ie-developer/general-info/ee330734(v=vs.85)#restrict-jscript-at-a-process-level
crosoft.com/kb/2871997 and http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx .

t is possible to control BITS peer caching functionality at a more detailed level. However it should be noted that the "Allow BITS peer cach
mit on the speed of the network link not the computer's network interface card (NIC). This policy setting does not affect Peercaching trans
efault value of 30 percent of the slowest active network interface will be used. Note: This setting has no effect if the "Allow BITS peer
- Transfer unless surcharge applies (when not roaming or overcap) - Transfer unless nearing limit (when not roaming or near
e bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules.
y through Friday and then set the limit to 512 Kbps for nonwork hours. If you disable or do not configure this policy setting BITS uses
(days) will be used for the inactive job timeout.
policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache latency setting
erating system.- Enabled. With this selection this policy setting is applied to client computers based on the value of the option setting "Sele
nly be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7
s hosted cache mode is not turned on and the client uses any other configuration that is specified manually or by Group Policy.When this p
the domain Group Policy setting is not configured it will not over-write the client computer cache age setting that you use on individual c
configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting is not con
nt to enable BranchCache on all client computers you can specify Not Configured for this domain Group Policy setting and then configure
computer cache settings on individual client computers. Because the domain Group Policy setting is not configured it will not over-write th
client computers. Because the domain Group Policy setting is not configured it will not over-write the enabled setting that you use on indi
o an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:http://myserver.corp.contoso.com/ or HTTP:http://2002:83
ary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is co
aching suffixes is allowed and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS clien
oft.comserverua.microsoft.comoffice.microsoft.com" to specify multiple suffixes.If you enable this policy setting one DNS suffix is attached
resolution policy setting is disabled or not configured.
uffix search list is configured using Group Policy.If a global suffix search list is not configured and the Append primary and connection spec
evolution is not enabled if a global suffix search list is configured using Group Policy.If a global suffix search list is not configured and the A
le with a computer name of mycomputer a primary DNS suffix of microsoft.com and a connection specific DNS suffix of VPNconnection a c
ecords was successful.If you disable this policy setting or if you do not configure this policy setting computers will use locally configured se
To specify the registration refresh interval click Enabled and then enter a value of 1800 or greater. The value that you specify is the numbe
olicy setting DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.I
ndividual servers where you want to enable BranchCache.- Enabled. With this selection hash publication is turned on for all file servers wh
sh generation and retrieval are supported.- Enabled. With this selection the policy setting is applied and the hash version(s) that are specifi
variety of man-in-the-middle attacks that can result in data loss data corruption and exposure to malware. Additionally any data written to
lover times and increased memory and CPU usage.
nfigure this policy setting the default behavior for the Responder will apply.
ert the fully qualified domain name or IPv6 address of the corporate seed server; and check the checkbox. Using the corporate seed server
h the computer or will use multicast to search for other computers on the local subnet.The multicast protocol used for bootstrapping is SSD
cope.If you disable or do not configure this policy setting all PNRP clouds are turned on by default and PNRP creates a cloud if the compute
ish the computer or will use multicast to search for other computers on the local subnet.The multicast protocol used for bootstrapping is
lish the computer or will use multicast to search for other computers on the local subnet.The multicast protocol used for bootstrapping is
e Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through the Adv
d tab in the properties dialog box for a LAN or remote access connection is available. In addition the user is presented with the option to e
he Internet is not routed through the internal network.

mat see the Windows Defender Firewall deployment information at the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=2513
e messages to or from this computer. If you enable this policy setting and allow certain message types then later disable this policy setting
er Firewall component of Control Panel the "File and Printer Sharing" check box is cleared and administrators cannot select it.If you do not
ows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresse
emote Desktop" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defender Fire
ewall does not open the ports. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is cleared
mputer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security to specify that local firewall
p-in and configure Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security to spe
this policy setting Windows Defender Firewall does not record information in the log file. If you enable this policy setting and Windows De
ocal port exceptions list that is defined by the Windows Defender Firewall component in Control Panel also enable the "Windows Defende
utton. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a program click its definition and th
connections" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defender Firewa
cted by default and administrators can change it.
with the NetBIOS messages that detect name conflicts.
e messages to or from this computer. If you enable this policy setting and allow certain message types then later disable this policy setting
er Firewall component of Control Panel the "File and Printer Sharing" check box is cleared and administrators cannot select it.If you do not
ows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP addresse
emote Desktop" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defender Fire
ewall does not open the ports. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is cleared
mputer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security to specify that local firewall
p-in and configure Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security to spe
this policy setting Windows Defender Firewall does not record information in the log file. If you enable this policy setting and Windows De
ocal port exceptions list that is defined by the Windows Defender Firewall component in Control Panel also enable the "Windows Defende
utton. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a program click its definition and th
connections" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defender Firewa
cted by default and administrators can change it.
with the NetBIOS messages that detect name conflicts.
.Example: [3efe:3022::1000];18.0.0.1;18.0.0.2 For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043

omatically discover your private network hosts.Example: 3efe:1092::/9618.1.1.1/10 For more information see: http://go.microsoft.com/fw
tion and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the settin
ork Offline mode. This mode is in effect when a user selects the Work Offline button for a specific share. When selected all configured setti
UNC paths. We recommend that you always specify a value for Latency since the round-trip network latency detection is faster. You can us
s is limited to 10 percent of the system drive by default but users can change it.Tip: To change the amount of disk space used for automati
f the network above which files should be transparently cached in the Offline Files cache. If the round trip latency of the network is less th
twork copy is not. The user cannot encrypt Offline Files through the user interface.If you do not configure this policy setting encryption of
g the offline file is reconnected to the network.Note: This setting appears in the Computer Configuration and User Configuration folders. If
is located. The limit for automatically cached files is 100 percent of the total disk space limit.If you do not configure this policy setting the
g custom actions through the Offline Files tab. However users are unable to change any custom actions established via this setting.Tip: To
ffline Files tab and then click "View Files."
etting. You do not have to disable any other settings in this folder.
then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option.
n folders. If both policy settings are configured the policy settings are combined and the "Make Available Offline" command is unavailable
by Group Policy.Note: This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are config
r the setting in User Configuration.Tip: To change the synchronization method without changing a setting in Windows Explorer on the Tool
a quick synchronization by default but users can change this option.This setting appears in the Computer Configuration and User Configura
ser Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User C
mmunities configured on the local computer instead.Best practice: For security purposes it is recommended to restrict the HKLM\SOFTWAR
SOFTWARE\Policies\SNMP\Parameters\PermittedManagers key to allow only the local admin group full control.Note: This policy setting h
MP agent is not installed on the client computer.Also see the other two SNMP settings: "Specify permitted managers" and "Specify Comm
ost will have a 6to4 interface.Policy Enabled State: If a global IPv4 address is present the host will have a 6to4 interface. If no global IPv4 ad
bled State: If the ISATAP name is resolved successfully the host will have ISATAP configured with a link-local address and an address for ea
o the network and continues to use it. For example if the network connection is currently being used to download files from the Internet t
ferred when connected. Users can still manually connect to any network. This was previously the Enabled state for this policy setting. This
in violation of this policy setting the existing network connection is disconnected and the manual connection is allowed.- When the compu
ntacts" and "Enable paid services" will be turned off and users on this device will be prevented from enabling them.If this policy setting is n
this policy setting employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network
el\Printers.
e click "Network and Sharing Center". On the Network and Sharing Center page click "Change advanced sharing settings". On the Advance
e default limit is applied. In Windows 8 and later Bluetooth printers are not shown so its limit does not apply to those versions of Win
ry" settings to adjust the contact interval and number of contact attempts.
s policy does not determine whether offline printing will be available to the client. The client print spooler can always queue print jobs whe
user does not type a location as a search criterion the system searches for a nearby printer based on the IP address and subnet mask of th
his setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templates\Control Pa
e or disable this setting the default values are used. Note: This setting is used only on domain controllers.
mode printer drivers as they cannot be installed and associated with a print queue.
explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise and all versions of Windows Server 20
oaded by applications. Print drivers loaded by the print spooler are not affected.-This policy setting is only checked once during the lifetime
t log. If you disable or do not configure this policy setting the contact events are not recorded in the event log. Note: This setting
of all drivers that are downloaded from print servers.If this setting is disabled or not configured package point and print will not be restric
n point and print to any server. -Windows Vista computers will show a warning and an elevated command prompt when users create
by default.If you disable this setting or do not configure it Location Tracking is disabled. Printer proximity is estimated using the standard m
enable this setting to change the default behavior. To use this setting select one of the following options from the "Prune non-republishing
\Recent folder.Also see the "Remove Recent Items menu from Start Menu" and "Clear history of recently opened documents on exit" poli
" in Settings.
annot customize their Start screen while this setting is enabled.If you disable this setting or do not configure it the Start screen layout won
ckground. No reboots or service restarts are required for this policy setting to take effect.
supported versions.)If you disable this policy setting the Shutdown Event Tracker is not displayed when you shut down the computer.If yo
gs are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.
ntrol Panel.
: An environment variable may be used (for example %windir%) as long as it is defined on the system. For example %programfiles% is not
or do not configure this policy setting or if the required files cannot be found at the locations specified in this policy setting the files will be
ccess Denied message.
ackage refresh select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23 Day 0-31).
or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the event log th
ain sensitive or private information such as passwords or user data.

dentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user c
/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* R
ents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN.Fo
represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when spec
). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted
ny machine.Note: The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more
SRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host ru
TERMSRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session H
m.com machineTERMSRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote D
ack to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about th
stricted Admin to connect to remote hosts.If you disable or do not configure this policy setting Restricted Admin and Remote Credential Gu
ng and then remove the policy from each computer with a physically present user.
on ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature you must se
ce locations for device drivers.
"Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server the policy setting aff
movable devices" policy setting). If you enable this policy setting on a remote desktop server the policy setting affects redirection of the sp
tion of removable devices" policy setting). If you enable this policy setting on a remote desktop server the policy setting affects redirection
or "Prevent installation of removable devices" policy setting.
tall and update device drivers for removable devices as allowed or prevented by other policy settings.
ure this policy setting the default behavior is to turn on support for the NV cache.
es the physical space on the volume as the quota limit.Note: To turn on or turn off disk quota management without specifying a setting in
to the volume as long as physical space is available.Note: This policy setting overrides user settings that enable or disable quota enforceme
her or not you choose to enforce the disk quota limit.Also this policy setting does not affect the Quota Entries window on the Quota tab. E
ndow changes.Note: To find the logging option in My Computer right-click the name of an NTFS file system volume click Properties and th
Volume Properties).If you disable or do not configure this policy setting the disk space available to users is not limited. The disk quota ma
of desktop applications that are positioned on the primary display. Some desktop applications can still be blurry on secondary displays th
and set its value to 1 DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list and set its
ers to initialize the next time the computer is started.If you disable or do not configure this policy setting the boot start drivers determined
policy setting and the user has redirected folders the folders are redirected on every computer that the user logs on to.Note: If you enabl
olicy already deployed for these folders in your existing localized environment.
exactly the same as in Windows 2000: user policy is applied and a roaming user profile is allowed from the trusted forest.If you disable thi
vior:- If you had originally created the GPO with an English system and then you edit the GPO with a Japanese system the Group Policy Ob
e extension will not be applied.Note: There are two conditions that will cause Group Policy to be processed synchronously even if this polic
ts the system from updating affected preference items in the background while the computer is in use. When background updates are dis
events the system from updating affected preference items in the background while the computer is in use. When background updates ar
from updating affected preference items in the background while the computer is in use. When background updates are disabled prefere
etwork connection Group Policy will only process those client side extensions configured for processing across a slow link (slow network co
on prevents the system from updating affected policies in the background while the computer is in use. When background updates are disa
s the system from updating affected preference items in the background while the computer is in use. When background updates are disa
updating affected policies in the background while the computer is in use. When background updates are disabled policy changes will not
essing" option prevents the system from updating affected preference items in the background while the computer is in use. When backg
ating affected preference items in the background while the computer is in use. When background updates are disabled preference item c
apply during periodic background processing" option prevents the system from updating affected preference items in the background whi
phone line. Updates across slow connections can cause significant delays.The "Process even if the Group Policy objects have not changed"
rom updating affected preference items in the background while the computer is in use. When background updates are disabled preferen
he slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controll
you disable this setting or do not configure it the system uses the default value of 500 kilobits per second.This setting appears in the Comp
m from updating affected preference items in the background while the computer is in use. When background updates are disabled prefer
g periodic background processing" option prevents the system from updating affected policies in the background while the computer is in
the system from updating affected preference items in the background while the computer is in use. When background updates are disab
ackground processing" option prevents the system from updating affected policies in the background while the computer is in use. When
odic background processing" option prevents the system from updating affected preference items in the background while the computer i
ply during periodic background processing" option prevents the system from updating affected preference items in the background while
ption prevents the system from updating affected preference items in the background while the computer is in use. When background up
g periodic background processing" option prevents the system from updating affected preference items in the background while the com
o not apply during periodic background processing" option prevents the system from updating affected preference items in the backgroun
g" option prevents the system from updating affected preference items in the background while the computer is in use. When background
olicies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However you
em from updating affected preference items in the background while the computer is in use. When background updates are disabled prefe
during periodic background processing" option prevents the system from updating affected preference items in the background while the
ackground while the computer is in use. When background updates are disabled policy changes will not take effect until the next user log
dates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only wh
m from updating affected preference items in the background while the computer is in use. When background updates are disabled prefer
stem from updating affected preference items in the background while the computer is in use. When background updates are disabled pr
nnection such as a telephone line. Updates across slow connections can cause significant delays.The "Process even if the Group Policy obje
s the system from updating affected preference items in the background while the computer is in use. When background updates are disa
computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict the user settings
ating affected policies in the background while the computer is in use. When background updates are disabled policy changes will not take
from updating affected policies in the background while the computer is in use. When background updates are disabled policy changes wi
nfiguration\Administrative Templates\System\GroupPolicy.
vior.) The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the doma
mputer for it to take effect.

utes (the default). To specify that Group Policy should never be updated while the computer is in use select the "Turn off background refre
use select the "Turn off background refresh of Group Policy" setting.This setting also lets you specify how much the actual update interval v
7 configured for workplace connectivity.
are no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This p
ere are no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This
ence items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This preference exte
e no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This pref
re are no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This
ms under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This preference extension is a
If there are no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing
ence items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This preference exten
ence items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This preference exte
erence items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This preference ex
ou must turn on the "Tracing" option. If there are no preference items under User Configuration in this extension no user trace file is creat
option. If there are no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration
on. If there are no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration trac
If there are no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing
rence items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This preference ext
option. If there are no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration
erence items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This preference ext
tion. If there are no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration tra
erence items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This preference ex
preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This preferenc
e no preference items under User Configuration in this extension no user trace file is created.2. Computer Configuration tracing: This prefe
s configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
ee "Events.asp URL" "Events.asp program" and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/W
e their writing samples from the handwriting recognition personalization tool with Microsoft.
t in Control Panel to enable Windows Customer Experience Improvement Program for all users.
ows Server 2008 R2 or earlier operating systems.Note: For the following options of this KDC policy to be effective the Kerberos Group Polic
eshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key id
03 Windows 2000 native or Windows 2000 mixed domain controllers cannot provide information about previous logons and enabling this
beros MaxTokenSize for Windows 7 Windows Server 2008 R2 and prior versions.
d authentication.
licy setting the host name-to-Kerberos realm mappings list defined by Group Policy is deleted.If you do not configure this policy setting the
move the current entry from the list and add a new one with different parameters.If you disable this policy setting the interoperable Kerb
enforce the use of Kerberos armoring when possible as supported by the target domain.
uires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be issued t
Parameters which was added in Windows XP and Windows Server 2003 with a default value of 12000 bytes. Beginning with Windows 8 the
key. To edit a mapping remove the current entry from the list and add a new one with different parameters.If you disable or do not configu
ys provided for this computer account.If you disable this policy setting Never will be used.If you do not configure this policy setting Autom
do not configure this policy setting Automatic will be used.
level it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level the per-user policy setting will
d at the computer level then restrictions will be based on per-User policies.To set this policy on a per-user basis make sure that the per-co
ess restricted by the "Disallow selection of Custom Locales" policy setting.If this policy setting is enabled at the computer level it cannot be
y setting on a domain-joined device a user cannot change the amount of time after the device's screen turns off before a password is requ
addition changes that are made to the user object such as adding a roaming profile path home directory or user object logon script may ta
guration.Tip: To display the welcome screen click Start point to Programs point to Accessories point to System Tools and then click ""Getti
ustomized run list by using a policy setting use the ""Run these applications at startup"" policy setting.Also see the ""Do not process the run
"Do not process the legacy run list"" policy setting.
m starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration
p and this policy setting is not configured users new to this computer will not see the animation. Note: The first sign-in animation will
originate from the Active Template Library (ATL) thunk layer. PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x0000000
otiation and use of older cryptography algorithms. If you do not configure this policy setting Net Logon will not allow the negotiation and u
hare ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read ac
that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access which might
be excessive.
a DC.If the value for this setting is too small and the DC is not available the frequent retries may produce excessive network traffic.
ncy.To specify this behavior click Enabled and then enter a value. The range of values is from 1 to 2.If you do not configure this policy settin
BIOS domain name based DC location.If you disable or do not configure this policy setting this DC processes incoming mailslot messages. T
configure this policy setting the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based dis
time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FO
ress. This is the default behavior of the DC Locator.If you disable this policy setting DC Locator APIs will ONLY return IPv4 DC address if any
then enter a value. The range of values is from 0 to 2.If you do not configure this policy setting it is not applied to any DCs and DCs use the
cs.<DnsForestName>DsaCname CNAME <DsaGuid>._msdcs.<DnsForestName>Kdc SRV _kerberos._tcp.dc._msdcs.<DnsDoma
g enabled the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interva
covered by the DC Locator application directory partition-specific DNS SRV records click Enabled and then enter the site names in a space
Cs use their local configuration.
er the sites' names in a space-delimited format.If you do not configure this policy setting it is not applied to any GCs and GCs use their loca
able this policy setting Try Next Closest Site DC Location will not be used by default for the computer. However if a DC Locator call is made
olution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-labe
ve Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case unless the computer i
esrvrecord
be unavailable. However with this policy setting disabled users can still restore the computer to the original state or from a user-created s
user groups that are allowed to offer remote assistance.To configure the list of helpers click "Show." In the window that opens you can en
Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."The "Maximum ticket time" p
te to the Endpoint Mapper Service but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.Note: Th
sabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained d
aintain basic state information only if the computer has at least 64 MB of memory.-- "Auto2" directs RPC to maintain basic state informati
r all processes. RPC only generates an error code.-- "On with Exceptions" enables extended error information but lets you disable it for sel
s Client and the value of "None" used for Server SKUs that support this policy setting. If you enable this policy setting it directs the RPC serv
ds. The maximum is 7200 seconds (2 hours).If you disable this policy setting the idle connection timeout on the IIS server running the RPC
DesktopIT:Within GPO B: B.ps1 B.cmdWithin GPO C: C.ps1 C.cmd For DesktopSales GPOs B and C are applied but not GPO A. Therefore the
For Tamara GPOs B and C are applied but not GPO A. Therefore the scripts for GPOs B and C run in the following order for Tamara:Within
ly"" setting to direct the system to wait for the logon scripts to complete before loading the desktop. An excessively long interval can dela
l).This setting only takes effect on domain controllers.If not configured domain controllers will default to using their local configuration. Th
er uses the refresh interval settings that are specified in the Server Manager console.Note: The default refresh interval for Server Manager
setting in Storage settings.
tting is used to determine whether the option to configure System Restore is available.
fic policy settings.This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled. Scenario-sp
tting is enabled. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. Thes
e recovery behavior for corrupted files will be set to either the regular (default) silent or troubleshooting only state.If you disable this setti
ote: For Windows Server systems this policy setting applies only if the Desktop Experience optional component is installed and the Remote
ots or service restarts are required for this policy setting to take effect: changes take effect immediately. This policy setting takes effect onl
n to the Microsoft Management Console.No system restart or service restart is required for this policy setting to take effect: changes take e
e executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
u do not configure this policy setting MSDT prompts the user before downloading any additional tools.No reboots or service restarts are re
and other problems by system features and Microsoft. Notify users when troubleshooting has solved a problem.4 = Automatically apply t
ecovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client) Silent (default on Windows serv
nd resolution by default.No reboots or service restarts are required for this policy to take effect: changes take effect immediately.This polic
rvers that host the Windows Online Troubleshooting Service.

ows Boot Performance for resolution by default.This policy setting takes effect only if the diagnostics-wide scenario execution policy is not
he DPS will enable Windows Resource Exhaustion for resolution by default.This policy setting takes effect only if the diagnostics-wide scen
DPS will enable Windows Shutdown Performance for resolution by default.This policy setting takes effect only if the diagnostics-wide scen
figure this policy setting the DPS will enable Windows Standby/Resume Performance for resolution by default.This policy setting takes effe
DPS will enable Windows System Responsiveness for resolution by default.This policy setting takes effect only if the diagnostics-wide scena
store the full TPM owner authorization the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This
ting to the "Command Management" section and making visible the "On Default Block List" column. The local list of blocked TPM comman
was once enabled is to a) disable it from group policy and b)clear the TPM on the system.
will block the TPM commands in the default list in addition to commands in the Group Policy and local lists of blocked TPM commands.
ding either threshold will prevent the standard user from sending a command to the TPM that requires authorization.This value is the ma
will prevent the standard user from sending a command to the TPM that requires authorization.The Standard User Lockout Threshold Ind
ds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization.The S
Note: If the policy setting is enabled after the profile is created the policy setting has no effect.Note: The policy setting must be configured
liseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles a
er logs off.Important: Do not enable this policy setting if you are using the slow link detection feature. To respond to a slow link the system
nnection timeout for user profiles" policy setting) the system applies the other policy settings set in this folder to determine how to procee
orrect.By configuring this policy setting you can alter this behavior.If you enable this policy setting Windows will not check the permission
s policy setting and the user has a roaming profile the roaming profile is downloaded on every computer that the user logs on to.
onds and the maximum is 600 seconds.If you disable or do not configure this policy setting Windows waits 30 seconds for user input befor
logon when a user profile is deleted and that user subsequently logs on to the machine.If you disable or do not configure this policy settin
o unload and update the user's registry settings. (You cannot adjust the retry rate.)If you disable this policy setting or do not configure it th
ble this setting or do not configure it the default behavior occurs as indicated above.If you enable both the "Prevent Roaming Profile chang
ed above.Note: This policy setting only affects roaming profile users.
lt the user. Instead the system uses the local copy of the user profile. If you have enabled the "Wait for remote user profile" policy setting
andard roaming user profile.Note: There are four ways to configure a roaming profile for a user. Windows reads profile configuration in th
file at the same time every day as long as the user is logged on.For both scheduling options there is a random one hour delay attached pe
you choose â€œOn the local computerâ€ from the Location list. If you choose â€œOn the local computerâ€ and enter a file share the u
Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain in
the "Timeout for dialog boxes" policy setting).Waiting for the remote profile is appropriate when users move between computers frequen
me samples are evaluated as potential spikes. Default: 5 LargePhaseOffsetIf a time sample differs from the client computer's local clock
ask controls how W32time chooses time sources outside its own site. The possible values are 0 1 and 2. Setting this value to 0 (None) indic
deployment operations of Windows Store apps when using a special profile.
configure this policy setting employees in your organization can decide whether Windows apps can access account information by using S
setting employees in your organization can decide whether Windows apps can access the eye tracker by using Settings > Privacy on the de
mployees in your organization can decide whether Windows apps can access the call history by using Settings > Privacy on the device.If an
organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device.If an app is open when this G
about other apps and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in y
can decide whether Windows apps can access email by using Settings > Privacy on the device.If an app is open when this Group Policy ob
ganization can decide whether Windows apps can access location by using Settings > Privacy on the device.If an app is open when this Gro
ng employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device
ployees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device.If an app
ployees in your organization can decide whether Windows apps can access notifications by using Settings > Privacy on the device.If an app
an decide whether Windows apps can access tasks by using Settings > Privacy on the device.If an app is open when this Group Policy objec
ployees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device.If an app
ees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device.If an app is op
licy setting employees in your organization can decide whether Windows apps can access the microphone by using Settings > Privacy on th
setting employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy on the d
zation cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access user movements while the apps ar
cy on the device.This policy is applied to Windows apps and Cortana. It takes precedence of the â€œAllow Cortana above lockâ€ policy.
mployees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization can dec
tting employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy on the de
n your organization can decide whether Windows apps can make phone calls by using Settings > Privacy on the device.If an app is open w
setting employees in your organization can decide whether Windows apps can run in the background by using Settings > Privacy on the de
plays and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organiza
le or do not configure this policy setting employees in your organization can decide whether Windows apps can turn off the screenshot bo
abilities from untrusted sources reducing the associated risk.
mponents cannot run.If the status is set to Disabled the MS-DOS subsystem runs for all users on this computer.If the status is set to Not Co
n problems. If the engine is turned off these mitigations will not be applied to applications and their installers and these applications may f
ooting and Diagnostics->Application Compatibility Diagnostics.Note: The Diagnostic Policy Service (DPS) and Program Compatibility Assistan
havior of automatically executing the autorun command. If you disable or not configure this policy setting Windows Vista or later will
his policy setting AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configuration fo
er.Note: This policy setting does not prevent the user from saving the recovery password in another folder.
drive encryption method and cipher strength (Windows Vista Windows Server 2008 Windows 7)" and "Choose drive encryption method a
indows 7)" policy setting if it is set. If neither policy is set BitLocker will use the default encryption method of AES 128-bit or the encryption
by the setup script.
password as a text file. Printing will send the 48-digit recovery password to the default printer. For example not allowing the 48-digit recov
only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identification field
includes the recovery password and some unique identifier data. You can also include a package that contains a BitLocker-protected drive
er in the smart card certificate.If you disable or do not configure this policy setting a default object identifier is used.
ockertogo.exe) is present on a drive that does not have an identification field specified or if the drive has the same identification field as sp
very options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a drive. T
when the drive is encrypted.If you do not configure this policy setting BitLocker will use software-based encryption irrespective of hardwa
assword select "Require password for fixed data drive". To enforce complexity requirements on the password select "Require complexity"
dows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate" on the domain controller to dis
tion Data validation profile" group policy setting is ignored and Secure Boot verifies BCD settings according to the Secure Boot policy settin
d or a 256-bit recovery key.Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery optio
n the "Custom recovery URL option" text box will replace the default URL in the default recovery message which will be displayed in the p
M uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile co
he boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these
u can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system driv
default when the drive is encrypted.If you do not configure this policy setting BitLocker will use software-based encryption irrespective of
ce complexity requirements on the password select "Require complexity".When set to "Require complexity" a connection to a domain con
equire additional authentication at startup" policy might not be available on such devices. These options include:- Configure TPM startup P
ssword then you will need to use one of the BitLocker recovery options to access the drive.On a computer with a compatible TPM four typ
ted solely by the key material on this USB flash drive.If you enable this policy setting the wizard will display the page to allow the user to co
ed fields.
cker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified or if the drive has the same i
"Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker o
efault when the drive is encrypted.If you do not configure this policy setting BitLocker will use software-based encryption irrespective of h
ord for removable data drive". To enforce complexity requirements on the password select "Require complexity".When set to "Require com
his policy setting users cannot use BitLocker on removable disk drives.
ounted with read and write access.Note: This policy setting can be overridden by the policy settings under User Configuration\Administrati
tic data level please use the "Configure diagnostic data opt-in settings user interface" policy.
nal diagnostic data is collected that helps us to detect diagnose and fix issues as well as make product improvements. Required diagnostic
run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.If you enable this policy with the "W
set of folders.
k share any data contained in the redirected folders is deleted if this policy setting is not enabled.
etting restricts such configuration.
sponding to the notification using Manage Add-ons or using other methods.

Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed the following behaviors occur:-
re not visible and the user cannot access them.If you disable or do not configure this policy setting the user can view and access the naviga
ndIntranetToInternetExplorerâ€™)- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge (â€˜RestrictIEâ€™)For mo
rusted site zones onlyÂ Â Binary Representation - 00110â€¢Â 0 - Restricted Sites Zoneâ€¢Â 0 - Internet Zoneâ€¢Â 1 - Trusted Sites Zoneâ€
he Internet Explorer documentation on search providers.If you disable or do not configure this policy setting the user can configure his or
y tab from the interface takes precedence over this policy. If it is enabled this policy is ignored.Also see the "Security zones: Use only mach
uter or how many Internet Explorer isolation settings are running.If you enable this policy setting you set the rate at which Internet Explore
ipt can perform a Clipboard operation without prompting the user. This means that if the zone behavior is currently set to prompt it will b
lable in the latest version of Internet Explorer. This option matches the default behavior of Internet Explorer.If you do not configure this p
o not configure this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for lo
g Protection and Do Not Track data is deleted when the user clicks Delete.If you don't configure this policy setting users can turn this featu
mat only for addresses that are not in the Intranet zone.
nts a site-specific exception. Internet Explorer sends a DNT:0 header to any sites granted an exception. By default this option is turned on.
pts to load an ActiveX control that is not compatible with Enhanced Protected Mode Internet Explorer notifies the user and gives the optio
L 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol and enab
nternet Options dialog.
ge limit for all application caches. The default is 50 MB.
t for all indexed databases. The default is 500 MB.
source list size for all application caches. The default is 1000 resources.
policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then use Gr
s and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone are app
content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.
e but a source is able to define a specific location of a thumbnail that is different than the location of the item.If you enable this policy setti
ill be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
ecurity information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.
9 and earlier versions if you disable this policy or do not configure it users can drag content from one domain to a different domain when t
g.In Internet Explorer 9 and earlier versions if you disable this policy setting or do not configure it users can drag content from one domain
es the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server the user is qu
u do not configure this policy setting permissions are set to Medium safety.
u do not configure this policy setting permissions are set to Medium safety.
u do not configure this policy setting permissions are set to Low safety.
as set by Protection from Zone Elevation feature control.



ted protocols is blocked when the Network Protocol Lockdown security feature is enabled.
u do not configure this policy setting permissions are set to High safety.
s bar. This does not affect subscribing to feeds and interacting with them through the Favorites Center.
strative Templates\Windows Components\Credential User Interface is enabled for the system it will override this policy setting.
add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.Value - A number indicating whet
ed) through the 'Add-on List' policy setting.If you disable or do not configure this policy setting users may use Add-on Manager to allow or
this list because these processes always respect add-on management user preferences and policy settings. If the All Processes policy setti
ore information see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
nd User Configuration both lists of behaviors will be allowed as appropriate.
configured in this box take precedence over that setting.If you disable or do not configure this policy setting the security feature is allowe
is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Inte
content processed by Internet Explorer.

l Processes policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configu
policy setting the security feature is allowed.

Explorer Processes policy to enable or disable these processes. If the All Processes policy setting is enabled the processes configured in this
figuration both lists of protocols will be restricted for that zone.
er that setting. If you disable or do not configure this policy setting the Notification bar is not displayed for the specified processes.
do not configure this policy setting the security feature is allowed.
gnored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE p
disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting.If y
do not undergo these checks.
for users to provide Microsoft accounts via the browser for authentication with web-based applications.
unction. Real-time Protection -> The â€œScan all downloaded files and attachmentsâ€ policy must be enabled or the â€œBlock at First
embership Basic membership will send basic information to Microsoft about software that has been detected including where the softw
u want to specify for the associated rule The following status IDs are permitted under the value column: - 1 (Block) - 0 (Off) - 2 (Aud
o write to disk sectors The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Windows >
chance of false positives) (0x4) High+ blocking level â€“ aggressively block unknowns and apply additional protection measures (may im
will be enabled. If you disable or do not configure this setting monitoring for incoming and outgoing files will be enabled.
cify the location of the XML file in the Options section. You can use a local (or mapped) path a UNC path or a URL such as the following:- C
r to synchronize data between usersâ€™ computers. In this mode UE-V writes settings data to the local folder specified in the settings stor
as the default Microsoft templates they will be ignored.If you specify a UNC path and check the option to replace the default Microsoft te
tting any defined values are deleted.
f the virtual desktop collection containing the virtual computers. If you enable this policy setting the UE-V rollback state is copied to the se
ed If you do not configure this policy setting any defined values will be deleted.
he Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V.If you do not configure this policy setting any de
he Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V.If you do not configure this policy setting any de
n Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this
ndows Server 2003 terminal server* A client connecting to a Windows 2000 terminal serverIf you enable this policy setting the license serv
sable this policy setting users cannot run .rdp files that are signed with a valid certificate. Additionally users cannot start an RDP session by
ent establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated.If you disable or do not
e this policy setting the version of the operating system on the RD Session Host server will determine when a user is prompted to provide
the list defined for the computer and the list defined for the user.This policy setting overrides the behavior of the "Allow .rdp files from va
n do this by specifying the program's executable path at connection time by using the Remote Desktop Connection client.If you disable or
h clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configuration\Adm
e or do not configure this policy setting a keep-alive interval is not set and the server will not check the session state.
d the maximum number of connections is limited to the specified number consistent with the version of Windows and the mode of Remot
peed connection and it will not try to adapt the user experience to varying network quality.If you disable or do not configure this policy se
can interact with a user's Remote Desktop Services session with the user's consent.
necting to a computer running Windows 8 Windows Server 2012 Windows 7 Windows Vista or Windows XP Professional.If you enable this
fied in RDC.If you do not configure this policy setting Audio recording redirection is not specified at the Group Policy level.
tion and Clipboard file copy redirection are not specified at the Group Policy level.
nning Windows Server 2012 R2 and earlier versions.Note: You can disable redirection of specific types of supported Plug and Play devices
emote Desktop Services session regardless of the audio playback quality configured on the client computer. For example if the audio play
y level.
ense server at the Group Policy level.
able printer driver can be found default to the Printer Control Language (PCL) fallback printer driver."Default to PS if one is not found" - If
emote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used
of the entire roaming user profile cache is less than the maximum size specified.If you disable or do not configure this policy setting no rest
Services automatically adds this when the user logs on and the profile is created. If the specified network share does not exist Remote Des
ocal path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path Remote Desktop Service
RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Po
policy setting is supported on at least Windows Server 2008 Standard. 2. This policy setting is not effective unless the Join RD Connection
sktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker.If the poli
nt reconnects to the load balancer the routing token is used to redirect the client to their existing session on the correct RD Session Host se
using the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI provider.Note: If you enable this policy s
file. In addition the client computer must have the necessary hardware to support Windows Aero features.Note: Additional configuration
ects to the remote computer.Note: If this policy setting is enabled then the "Start a program on connection" policy setting is ignored.
use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is d
g mechanism that results in high quality images and consumes moderate network bandwidth. If you enable this policy setting and set q
enabled in RDC or in the .rdp file. If you disable or do not configure this policy setting font smoothing is allowed for remote connection
7.1 and does not affect clients that are using other RDP versions.
s Server 2003 and Windows XP Professional.2.The value specified in this policy setting is not applied to connections from client computers
ns active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Se
e starting directory for the program. If you leave Working Directory blank the program runs with its default working directory. If the specifi
l session is not affected by this policy setting.
e this policy setting the default behavior will be used. By default RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Ses
conditions. If you disable or do not configure this policy setting Remote Desktop Connection sessions that use RemoteFX will be the same
cy setting automatic logon is not specified at the Group Policy level.
recommended.* RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host se
required for user authentication before allowing remote connections to the RD Session Host server.If you do not configure this policy setti
ent request and will use the current certificate until the request is completed. If more than one certificate is found that was created with t
ontain only 128-bit clients (for example clients that run Remote Desktop Connection). Clients that do not support this encryption level can
even if specified otherwise by the server administrator.If you do not configure this policy setting Remote Desktop Services disconnects a ti
Desktop Services to end instead of disconnect a session when the time limit is reached you can configure the policy setting Computer Con
d of disconnect a session when the time limit is reached you can configure the policy setting Computer Configuration\Administrative Temp
disconnected session time limits do not apply.If you disable or do not configure this policy setting this policy setting is not specified at the G
t configure this policy setting when a user closes the last RemoteApp program the session will be disconnected from the RD Session Host s
ders are in use on the server. If you enable the Do not use temporary folders per session policy setting this policy setting has no effect.
e server administrator specifies otherwise.If you do not configure this policy setting per-session temporary folders are created unless the s
ults search box3) The WDS search box in Search Companion

X/searchresults.aspx?SearchString=$wThese additional intranet search locations are added to the All Locations list in the Desktop Search r
and web results won't be displayed when a user performs a query in Search.
g of online mailboxes and online delegate mailboxes you must disable both policies.
ifically using Windows Desktop Search-related add-ins.Note: Because of a limitation in the Group Policy editor you must add at least one e
policy setting Security Center is turned on for all users. If you disable this policy setting Security Center is turned off for domain members.W
own. Note: This setting will be applied after the following policy: "Allow time invalid certificates"If you enable or do not configure this poli
e default will not be available for logon.
n suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Windows Vis
cations where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.Caution: If yo
ehavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
used Chinese Kanji and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Users will
y areasâ€ policy and the â€œPrevent Input Panel tab from appearingâ€ policy and disable the â€œShow Input Panel taskbar iconâ€ po
o configure this setting on the Text completion tab in Input Panel Options.
ssword security is set to â€œMedium-Low.â€ At this setting when users enter passwords from Input Panel they use the on-screen keybo
P Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and ch
f newly created tasks use the "Remove Advanced Menu" setting.
n the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes p
run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.If you enable this policy with the "W
ve changed settings by using Control Panel). If you enable this policy setting you can configure the following settings in the policy setting:- "
tion by default on computers that are running Windows Server.See also the Configure Error Reporting policy setting.
n Control Panel.The Maximum number of reports to queue setting determines how many reports can be queued before older reports are
in Control Panel is Upload all applications.This policy setting is ignored if the Configure Error Reporting policy setting is disabled or not con
e names must include the .exe file name extension (for example notepad.exe). Errors that are generated by applications on this list are alw
kes precedence. If an application is listed both in the List of applications to always report errors for policy setting and in the exclusion list in
ndows prompts the user for consent to send any additional data that is requested by Microsoft.- Send all data: any error reporting data req
eters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing solution
als provisioned when the "Turn off smart card emulation" is enabled.Windows requires a reboot after you apply this setting to a computer
to which the old PIN provided access.NOTE: This policy is only applicable to devices which are registered with Azure Active Directory.
ser has signed in.If you do not select "Do not start Windows Hello provisioning after sign-in" Windows Hello for Business automatically sta
nied to the user.This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installation progr
e "Prevent removable media source for any install" policy setting.

User Configuration folders. To make this policy setting effective you must enable it in both folders.Caution: Skilled users can take advanta
e this policy setting the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size.
s are set and whether the update was installed in a per-user managed per-user unmanaged or per-machine context."
t use this policy setting unless it is essential.This policy setting appears in the Computer Configuration and User Configuration folders. If the
sing Restart Manager for detection.If you disable or do not configure this policy setting Windows Installer will use Restart Manager to dete
indows Installer only. It does not prevent users from selecting other browsers such as File Explorer or Network Locations to search for inst
configure this policy setting on Windows 2000 Professional Windows XP Professional and Windows Vista when a user reinstalls removes o
g files for those packages that include the MsiLogging property.
ndows Server 2003 family when the policy is not configured.-- The "Always" option indicates that Windows Installer is disabled.This polic
successfully update boot-critical components. BitLocker is suspended during updates if: - The device doesnâ€™t have TPM 2.0 and P
retrieve the information and the user will not be able to log on. Therefore you should not enable this policy setting if the domain is not at
f automatically signing in and locking the last interactive user after a restart or cold bootâ€‹.If you disable this policy setting the device doe
form license restoration.
Computer Configuration version of this policy setting takes precedence.
modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list click Show and then type the module name
y setting.
use the OutputDirectory setting to enable transcript logging to a shared location be sure to limit access to that directory to prevent users
reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."
pecifies one or more ranges of IPv6addresses. If specified the service enumerates the available IP addresses on the computer and uses only
set to None all requests are accepted (though they are not protected from credential-forwarding attacks).
tall.On XP: If you enable this policy setting users will not see a User Account Control window and do not need elevated permissions to do e
not notified or interrupted during this process). When the downloads are complete users will be notified that they are ready to install. Aft
'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled.
not configured this policy has no effect.Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on W
olicy has no effect.
le to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose not to sc
automatically restart and will require the person to schedule it prior to restart.If you disable or do not configure this policy the PC will rest
pdates client connects to the specified intranet Microsoft update service (or alternate download server) instead of Windows Update to se
pplications. In Windows Vista this policy setting controls detailed notifications for optional applications and updates.If you disable or do no
Windows 10 releases before broad deployment within their organization.Note: Preview Build enrollment requires a telemetry level setting
field is cleared (Quality Updates will still be offered).

y setting to determine whether to automatically set up Work Folders for a given user.
settings page is the published URI for that page minus the "ms-settings:" protocol part.Example: to specify that only the About and Bluetoo
ou enable this policy setting automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel.If
": http://www.microsoft.com/en-us/download/details.aspx?id=36036.For more information about LocalAccountTokenFilterPolicy see http

o not recommend configuring this setting to "Disabled" nor to "Not Configured" after it has been enabled.
microsoft.com/kb/2696547
at-a-process-level
97.aspx .
hat the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. If you disable or
es not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximum netw
effect if the "Allow BITS peer caching" policy setting is disabled or not configured.
mit (when not roaming or nearing cap) - Transfer only if unconstrained - Custom--allows you to specify a bitmask in whic
schedules.
e this policy setting BITS uses all available unused bandwidth for background job transfers.
a BranchCache latency setting on all client computers you can specify Not Configured for this domain Group Policy setting and then config
alue of the option setting "Select from the following versions" that you specify.- Disabled. With this selection this policy setting is not applie
rs that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied in addition to the "Set BranchCac
or by Group Policy.When this policy setting is applied the client computer performs or does not perform automatic hosted cache server dis
g that you use on individual client computers.- Enabled. With this selection the BranchCache client computer cache age setting is enabled
Group Policy setting is not configured it will not over-write the enabled setting that you use on individual client computers where you wan
cy setting and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Pol
figured it will not over-write the client computer cache setting that you use on individual client computers.- Enabled. With this selection th
ed setting that you use on individual client computers where you want to enable BranchCache.- Enabled. With this selection BranchCache
o.com/ or HTTP:http://2002:836b:1::1/.-A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents o
ctAccess client computer is connected to its own intranet.To restore the DirectAccess rules to the NRPT and resume normal DirectAccess
or "server.corp" the DNS client will send a query for "server.corp" first and then a query for "server.corp.contoso.com." second if the first
tting one DNS suffix is attached at a time for each query. If a query is unsuccessful a new DNS suffix is added in place of the failed suffix and
primary and connection specific DNS suffixes radio button is selected the DNS client appends the following names to a single-label name w
ist is not configured and the Append primary and connection specific DNS suffixes radio button is selected the DNS client appends the follo
NS suffix of VPNconnection a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.micros
s will use locally configured settings.
e that you specify is the number of seconds to use for the registration refresh interval. For example 1800 seconds is 30 minutes.If you enab
ords during dynamic update.If you disable this policy setting existing A resource records that contain conflicting IP addresses will not be re
urned on for all file servers where Group Policy is applied. For example if Hash Publication for BranchCache is enabled in domain Group Po
hash version(s) that are specified in "Hash version supported" are generated and retrieved.- Disabled. With this selection both V1 and V2
dditionally any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Microsoft rec
sing the corporate seed server only will prevent your mobile users from being able to use their peer to peer applications at home.3. In ord
l used for bootstrapping is SSDP (Simple Service Discovery Protocol). The SSDP service must be enabled (which it is by default) for this poli
creates a cloud if the computer has an IPv6 address compatible with the cloudâ€™s scope.
ocol used for bootstrapping is SSDP (Simple Service Discovery Protocol). The SSDP service must enabled (which it is by default) for this poli
ocol used for bootstrapping is SSDP (Simple Service Discovery Protocol). The SSDP service must be enabled (which it is by default) for this p
ction Firewall through the Advanced tab is removed. In addition the Internet Connection Firewall is not enabled for remote access connec
presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard. (The Ne
osoft.com/fwlink/?LinkId=25131).
later disable this policy setting Windows Defender Firewall deletes the list of message types that you had enabled.If you do not configure
s cannot select it.If you do not configure this policy setting Windows Defender Firewall does not open these ports. Therefore the compute
u must specify the IP addresses or subnets from which these incoming messages are allowed.If you disable or do not configure this policy s
etting Windows Defender Firewall does not open this port. Therefore the computer cannot receive Remote Desktop requests unless an ad
mework" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defender Firewall do
ty to specify that local firewall rules should not apply.
with Advanced Security to specify that local firewall rules should not apply.
policy setting and Windows Defender Firewall creates the log file and adds information then upon disabling this policy setting Windows De
enable the "Windows Defender Firewall: Allow local port exceptions" policy setting.If you disable this policy setting the port exceptions list
gram click its definition and then press the DELETE key. To edit a definition remove the current definition from the list and add a new one w
tting Windows Defender Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Defender Firewall
later disable this policy setting Windows Defender Firewall deletes the list of message types that you had enabled.If you do not configure
s cannot select it.If you do not configure this policy setting Windows Defender Firewall does not open these ports. Therefore the compute
u must specify the IP addresses or subnets from which these incoming messages are allowed.If you disable or do not configure this policy s
etting Windows Defender Firewall does not open this port. Therefore the computer cannot receive Remote Desktop requests unless an ad
mework" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defender Firewall do
ty to specify that local firewall rules should not apply.
with Advanced Security to specify that local firewall rules should not apply.
policy setting and Windows Defender Firewall creates the log file and adds information then upon disabling this policy setting Windows De
enable the "Windows Defender Firewall: Allow local port exceptions" policy setting.If you disable this policy setting the port exceptions list
gram click its definition and then press the DELETE key. To edit a definition remove the current definition from the list and add a new one w
tting Windows Defender Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Defender Firewall
?LinkId=234043
e: http://go.microsoft.com/fwlink/p/?LinkId=234043
kes precedence over the setting in User Configuration.Tip: To configure this setting without establishing a setting in Windows Explorer on
en selected all configured settings will apply to shares in user selected Work Offline mode as well.If you disable or do not configure this po
detection is faster. You can use wildcard characters (*) for specifying UNC paths. If you do not specify a Latency or Throughput value comp
of disk space used for automatic caching without specifying a setting in Windows Explorer on the Tools menu click Folder Options click the
tency of the network is less than 60ms reads to remote files will not be cached.If you enable this policy setting transparent caching is enab
s policy setting encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is retaine
d User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in Use
onfigure this policy setting the system limits the space that offline files occupy to 25 percent of the total space on the drive where the Offl
ablished via this setting.Tip: To configure this setting without establishing a setting in Windows Explorer on the Tools menu click Folder Op
ine" command is unavailable for all specified files and folders.The "Make Available Offline" command is called "Always available offline" o
both policy settings are configured the policy settings will be combined and all specified files will be available for offline use.
Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and then select the "Synchronize all offline files before
nfiguration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over th
ence over the setting in User Configuration.Tip: To display or hide reminder balloons without establishing a setting in Windows Explorer on
o restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidCommunities key to allow only the local admin group full control.Note: I
trol.Note: This policy setting has no effect if the SNMP agent is not installed on the client computer.Also see the other two SNMP policy se
managers" and "Specify Community Name".
4 interface. If no global IPv4 address is present the host will not have a 6to4 interface.Policy Disabled State: 6to4 is turned off and connecti
address and an address for each prefix received from the ISATAP router through stateless address auto-configuration. If the ISATAP name
nload files from the Internet the files will continue to be downloaded using that network connection.- When the network traffic drops bel
ate for this policy setting. This option was first available in Windows 8. If this policy setting is set to 2 the behavior is similar to 1. Howe
n is allowed.- When the computer is already connected to either a non-domain based network or a domain based network over Ethernet a
g them.If this policy setting is not configured or is enabled users can choose to enable or disable either "Connect to suggested open hotspo
a by using Settings > Network - Internet > Cellular on the device.If an app is open when this Group Policy object is applied on a device emp
ing settings". On the Advanced sharing settings page click the arrow next to "Domain" arrow click "turn on network discovery" and then cl
apply to those versions of Windows.
n always queue print jobs when not connected to the print server. Upon reconnecting to the server the client will submit any pending prin
ddress and subnet mask of the user's computer.

strative Templates\Control Panel\Printers. Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Options to be
versions of Windows Server 2008 R2 and later) to have the same behavior.
ecked once during the lifetime of a process. After changing the policy a running application must be relaunched before settings take effec
ent log. Note: This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged. Note: Th
int and print will not be restricted to specific print servers.

and prompt when users create a printer connection to any server using Point and Print. -Windows Vista computers will show a warnin
estimated using the standard method (that is based on IP address and subnet mask).
m the "Prune non-republishing printers" box: -- "Never" specifies that printer objects that are not automatically republished are nev
ened documents on exit" policies in this folder.If you enable this setting but do not enable the "Remove Recent Items menu from Start Me
it the Start screen layout won't be changed and users will be able to customize it.
shut down the computer.If you do not configure this policy setting the default behavior for the Shutdown Event Tracker occurs.Note: By d
ample %programfiles% is not defined on some early versions of Windows. The "Shortcut" command is used to add a link to a Help top
s policy setting the files will be downloaded from Windows Update if that is allowed by the policy settings for the computer.
y 0-31).
y 0-31).
y 0-31).
y 0-31).
y 0-31).
Client log and the event log the first time this occurs and will not be logged again until after the cache has been successfully cleared on tra
rget server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.Fo
am.com machineTERMSRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote D
ed when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.comRemote Desktop Session Host running on host.hum
racter is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host ru
wildcard character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote Desktop Sess
tting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be d
emote Desktop Session Host running on all machines in .humanresources.fabrikam.comThis policy setting can be used in combination with
om Remote Desktop Session Host running on all machines in .humanresources.fabrikam.comThis policy setting can be used in combination
urces.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.comThis policy setting can be use
mportant information about the risk posed by remaining unpatched clients.Vulnerable: Client applications which use CredSSP will expose t
min and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices.Note: To disa
sable the feature you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer with a phy
op server the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.If you d
ng affects redirection of the specified devices from a remote desktop client to the remote desktop server.If you disable or do not configure
olicy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.If you disable or do not
without specifying a setting in My Computer right-click the name of an NTFS volume click Properties click the Quota tab and then click "Ena
ble or disable quota enforcement on their volumes.Note: To specify a disk quota limit use the "Default quota limit and warning level" polic
s window on the Quota tab. Even without the logged event users can detect that they have reached their limit because their status in the
volume click Properties and then click the Quota tab.
not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level.When you sel
urry on secondary displays that have different display scale factors. Per Process System DPI will not work for all applications as some olde
an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless of local
boot start drivers determined to be Good Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be
r logs on to.Note: If you enable this policy setting in Computer Configuration and User Configuration the Computer Configuration policy se
rusted forest.If you disable this policy setting the behavior is the same as if it is not configured.
e system the Group Policy Object Editor snap-in uses the local Japanese ADM files and you see the text in Japanese under Administrative T
ynchronously even if this policy setting is enabled:1 - At the first computer startup after the client computer has joined the domain.2 - If th
en background updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process
When background updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Pro
updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process even if the Gr
ss a slow link (slow network connection).If you enable this policy when Group Policy cannot determine the bandwidth speed across Direct
n background updates are disabled policy changes will not take effect until the next user logon or system restart.The "Process even if the G
n background updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process
sabled policy changes will not take effect until the next user logon or system restart.The "Process even if the Group Policy objects have no
mputer is in use. When background updates are disabled preference item changes do not take effect until the next user logon or system r
are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process even if the Group Polic
e items in the background while the computer is in use. When background updates are disabled preference item changes do not take effec
icy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementatio
updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process even if the Gro
onse from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. The timeout value that is defi
is setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link
d updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process even if the G
ound while the computer is in use. When background updates are disabled policy changes will not take effect until the next user logon or s
background updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process e
the computer is in use. When background updates are disabled policy changes will not take effect until the next user logon or system resta
kground while the computer is in use. When background updates are disabled preference item changes do not take effect until the next u
tems in the background while the computer is in use. When background updates are disabled preference item changes do not take effect
s in use. When background updates are disabled preference item changes do not take effect until the next user logon or system restart.3.
he background while the computer is in use. When background updates are disabled preference item changes do not take effect until the
erence items in the background while the computer is in use. When background updates are disabled preference item changes do not tak
er is in use. When background updates are disabled preference item changes do not take effect until the next user logon or system restart
y when changed. However you might want to update unchanged policies such as reapplying a desired policy setting in case a user has chan
und updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process even if the
s in the background while the computer is in use. When background updates are disabled preference item changes do not take effect unti
e effect until the next user logon or system restart.The "Process even if the Group Policy objects have not changed" option updates and re
that they be updated only when changed. However you might want to update unchanged policies such as reapplying a desired policy setti
d updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process even if the G
round updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process even if
s even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Man
n background updates are disabled preference item changes do not take effect until the next user logon or system restart.3. The "Process e
ttings conflict the user settings in the computer's Group Policy Objects take precedence over the user's normal settings.If you disable this se
ed policy changes will not take effect until the next user logon or system restart.The "Process even if the Group Policy objects have not ch
are disabled policy changes will not take effect until the next user logon or system restart.The "Process even if the Group Policy objects hav
for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. The timeout value t
the "Turn off background refresh of Group Policy" policy.The Set Group Policy refresh interval for computers policy also lets you specify ho
ch the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates simultaneousl
r Configuration tracing: This preference extension is available under User Configuration only so computer configuration tracing is not appli
ter Configuration tracing: This preference extension is available under User Configuration only so computer configuration tracing is not ap
n tracing: This preference extension is available under User Configuration only so computer configuration tracing is not applicable.3. Group
onfiguration tracing: This preference extension is available under User Configuration only so computer configuration tracing is not applicab
ter Configuration tracing: This preference extension is available under User Configuration only so computer configuration tracing is not ap
This preference extension is available under User Configuration only so computer configuration tracing is not applicable.3. Group Policy M
omputer Configuration tracing: This preference extension is available under User Configuration only so computer configuration tracing is n
tracing: This preference extension is available under User Configuration only so computer configuration tracing is not applicable.3. Group
n tracing: This preference extension is available under User Configuration only so computer configuration tracing is not applicable.3. Group
on tracing: This preference extension is available under User Configuration only so computer configuration tracing is not applicable.3. Gro
sion no user trace file is created.2. Computer Configuration tracing: This preference extension is available under User Configuration only s
ed.2. Computer Configuration tracing: This preference extension is available under User Configuration only so computer configuration trac
. Computer Configuration tracing: This preference extension is available under User Configuration only so computer configuration tracing
omputer Configuration tracing: This preference extension is available under User Configuration only so computer configuration tracing is n
n tracing: This preference extension is available under User Configuration only so computer configuration tracing is not applicable.3. Grou
ed.2. Computer Configuration tracing: This preference extension is available under User Configuration only so computer configuration trac
on tracing: This preference extension is available under User Configuration only so computer configuration tracing is not applicable.3. Grou
.2. Computer Configuration tracing: This preference extension is available under User Configuration only so computer configuration tracin
on tracing: This preference extension is available under User Configuration only so computer configuration tracing is not applicable.3. Gro
uration tracing: This preference extension is available under User Configuration only so computer configuration tracing is not applicable.3.
onfiguration tracing: This preference extension is available under User Configuration only so computer configuration tracing is not applicab
cation" policy.
"Administrative Templates/Windows Components/Event Viewer".

ctive the Kerberos Group Policy "Kerberos client support for claims compound authentication and Kerberos armoring" must be enabled on
receive the fresh public key identity SID.
vious logons and enabling this policy setting does not affect anything.
onfigure this policy setting the system uses the host name-to-Kerberos realm mappings that are defined in the local registry if they exist.
setting the interoperable Kerberos V5 realm settings defined by Group Policy are deleted.If you do not configure this policy setting the syst
ensions which can be issued to any server.
Beginning with Windows 8 the default is 48000 bytes. Due to HTTP's base64 encoding of authentication context tokens it is not advised to
f you disable or do not configure this policy setting the Kerberos client does not have KDC proxy servers settings defined by Group Policy.
gure this policy setting Automatic will be used.
he per-user policy setting will be ignored. If this policy setting is not configured at the machine level restrictions will be based on per-user p
asis make sure that the per-computer policy is set to Not Configured.
he computer level it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level the per-user policy is ign
off before a password is required when waking the device. Instead a password is required immediately after the screen turns off.If you do
user object logon script may take up to two logons to be detected.If a user with a roaming profile home directory or user object logon scrip
em Tools and then click ""Getting Started."" To suppress the welcome screen without specifying a setting clear the ""Show this screen at st
e the ""Do not process the run once list"" policy setting.
cified in the User Configuration setting.Also see the ""Do not process the legacy run list"" and the ""Do not process the run once list"" setti
he first sign-in animation will not be shown on Server so this policy will have no effect.
_SEHOP_ENABLE (0x00000004) Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP block
ot allow the negotiation and use of older cryptography algorithms.
y requesting exclusive read access which might prevent Group Policy settings from being updated on clients in the domain. When this setti
usive read access which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled an
cessive network traffic.

not configure this policy setting it is not applied to any computers and computers use their local configuration.
incoming mailslot messages. This is the default behavior of DC Locator.
echanism when DNS-based discovery fails. This is the default behavior.If you disable this policy setting the DC location algorithm can use N
l to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries.If you enable
return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses DC Locator APIs will return IPv4 address.
ed to any DCs and DCs use their local configuration.

os._tcp.dc._msdcs.<DnsDomainName>KdcAtSite SRV _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>Dc SR
es. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the unde
nter the site names in a space-delimited format.If you do not configure this policy setting it is not applied to any DCs and DCs use their loc
any GCs and GCs use their local configuration.

ver if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly the Try Next Closest Site behavior is honored.If you do
a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name o
his case unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this
state or from a user-created system image by restarting the computer and accessing the System Recovery Options menu if it is available.
window that opens you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the helper u
"The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using email o
point Mapper Service.Note: This policy will not be applied until the system is rebooted.
to servers using constrained delegation. If you enable this policy setting then:-- "Off" directs the RPC Runtime to generate RPC_S_SEC_PK
maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server Windows 2000
n but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect the
y setting it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine. A client
the IIS server running the RPC HTTP proxy will be used.If you do not configure this policy setting it will remain disabled. The idle connectio
but not GPO A. Therefore the scripts for GPOs B and C run in the following order for DesktopSales:Within GPO B: B.cmd B.ps1Within GPO
wing order for Tamara:Within GPO B: B.cmd B.ps1Within GPO C: C.cmd C.ps1Note: This policy setting determines the order in which user lo
essively long interval can delay the system and inconvenience users. However if the interval is too short prerequisite tasks might not be do
ng their local configuration. The default local configuration is Audit.A reboot is not required for changes to this setting to take effect.Note:
sh interval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2 or 10 minutes in Windows Server 201
abled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured.No reboots or service restarts are
nning for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console.
ly state.If you disable this setting the recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attem
nt is installed and the Remote Desktop Services role is not installed.
policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled diagnostic scenarios are not
g to take effect: changes take effect immediately.
boots or service restarts are required for this policy setting to take effect. Changes take effect immediately.This policy setting will take effe
blem.4 = Automatically apply troubleshooting for critical and other problems by system features and Microsoft. Do not notify users when t
lent (default on Windows server) or Troubleshooting Only. If you disable this policy setting the troubleshooting and recovery behavior for
e effect immediately.This policy setting will only take effect when the Task Scheduler service is in the running state. When the service is st
cenario execution policy is not configured.No system restart or service restart is required for this policy to take effect: changes take effect
y if the diagnostics-wide scenario execution policy is not configured.No system restart or service restart is required for this policy to take e
nly if the diagnostics-wide scenario execution policy is not configured.No system restart or service restart is required for this policy to take
lt.This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.No system restart or service restar
y if the diagnostics-wide scenario execution policy is not configured.No system restart or service restart is required for this policy to take e
blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization
l list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win32_Tpm i
of blocked TPM commands.
horization.This value is the maximum number of authorization failures each standard user may have before the user is not allowed to send
rd User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user
at requires authorization.The Standard User Individual Lockout value is the maximum number of authorization failures each standard user
cy setting must be configured on the client computer not the server for it to have any effect because the client computer sets the file shar
computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enab
pond to a slow link the system requires a local copy of the user's roaming profile.
er to determine how to proceed. By default when the connection is slow the system loads the local copy of the user profile.
will not check the permissions for the folder in the case where the folder exists.If you disable or do not configure this policy setting AND t
t the user logs on to.

0 seconds for user input before applying the default user profile .
not configure this policy setting Windows will delete the entire profile for roaming users including the Windows Installer and Group Policy
etting or do not configure it the system repeats its attempt 60 times.If you set the number of retries to 0 the system tries just once to unlo
Prevent Roaming Profile changes from propagating to the server" setting and the "Only allow local user profiles" setting roaming profiles a
ote user profile" policy setting the system downloads the remote copy of the user profile without consulting the user. In Microsoft Window
eads profile configuration in the following order and uses the first configured policy setting it reads.1. Terminal Services roaming profile pa
m one hour delay attached per-trigger to avoid overloading the server with simultaneous uploads. For example if the settings dictate that
â€ and enter a file share the user's home folder will be placed in the network location without mapping the file share to a drive letter.If yo
that depend on the domain information protected by this setting to connect with network resources.If you do not configure or disable thi
e between computers frequently and the local copy of their profile is not always current. Using the local copy is desirable when quick logg
e client computer's local clock by more than LargePhaseOffset the local clock is deemed to have drifted considerably or in other words spi
ng this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this value to 1 (PdcO
account information by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employ
ng Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app o
s > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or device fo
e.If an app is open when this Group Policy object is applied on a device employees must restart the app or device for the policy changes to
s policy setting employees in your organization can decide whether Windows apps can get diagnostic information about other apps by usi
pen when this Group Policy object is applied on a device employees must restart the app or device for the policy changes to be applied to t
f an app is open when this Group Policy object is applied on a device employees must restart the app or device for the policy changes to b
ettings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or de
rivacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or device for th
Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or device for th
n when this Group Policy object is applied on a device employees must restart the app or device for the policy changes to be applied to the
Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or device for t
y on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or device for the po
y using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the a
ng Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app
movements while the apps are running in the background and employees in your organization cannot change it.If you disable or do not co
Cortana above lockâ€ policy. This policy is applicable only when â€œAllow voice activationâ€ policy is configured to allow applications to
es in your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on
the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or device for the policy ch
ng employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settin
can turn off the screenshot border by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a
er.If the status is set to Not Configured the OS falls back on a local policy set by the registry DWORD value HKLM\System\CurrentControlSe
s and these applications may fail to install or run properly.This option is useful to server administrators who require faster performance an
Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in
ng Windows Vista or later will prompt the user whether autorun command is to be run.
tion and User Configuration folders. If the policy settings conflict the policy setting in Computer Configuration takes precedence over the p
ose drive encryption method and cipher strength" policy settings (in that order) if they are set. If none of the policies are set BitLocker will
f AES 128-bit or the encryption method specified by the setup script.
not allowing the 48-digit recovery password will prevent users from being able to print or save recovery information to a folder.If you disa
red for the identification field.The allowed identification field is used in combination with the "Deny write access to removable drives not
ns a BitLocker-protected drive's encryption key. This key package is secured by one or more recovery passwords and may help perform sp
is used.
same identification field as specified in the "Provide unique identifiers for your organization" policy setting the user will be prompted to u
urn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLocker inste
ryption irrespective of hardware-based encryption availability.Note: The â€œChoose drive encryption method and cipher strengthâ€ pol
rd select "Require complexity".When set to "Require complexity" a connection to a domain controller is necessary when BitLocker is enabl
n the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer
o the Secure Boot policy setting which is configured separately from BitLocker.Note: If the group policy setting "Configure TPM platform va
from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery op
hich will be displayed in the pre-boot key recovery screen.Note: Not all characters and languages are supported in pre-boot. It is strongly
A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23 The default platform val
g system drive. If any of these components change while BitLocker protection is in effect the TPM will not release the encryption key to un
crypted operating system drive. If any of these components change while BitLocker protection is in effect the TPM will not release the enc
sed encryption irrespective of hardware-based encryption availability.Note: The â€œChoose drive encryption method and cipher strengthâ
a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to "Allow
ude:- Configure TPM startup PIN: Required/Allowed- Configure TPM startup key and PIN: Required/Allowed- Configure use of passwords f
with a compatible TPM four types of authentication methods can be used at startup to provide added protection for encrypted data. When
he page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for computers wit
d or if the drive has the same identification field as specified in the "Provide unique identifiers for your organization" policy setting the use
when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on Bit
d encryption irrespective of hardware-based encryption availability.Note: The â€œChoose drive encryption method and cipher strengthâ€
xity".When set to "Require complexity" a connection to a domain controller is necessary when BitLocker is enabled to validate the comple
er Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting
vements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic data ca
enable this policy with the "Warn" option SmartScreen's dialogs will warn the user that the app appears suspicious but will permit the use
he following behaviors occur:- If you disable or don't configure this policy Microsoft Edge version 45 or earlier is automatically used. This is
an view and access the navigation bar the menu bar and the Command bar.
dge (â€˜RestrictIEâ€™)For more info about how to use this policy together with other related policies to create the optimal configuration
eâ€¢Â 1 - Trusted Sites Zoneâ€¢Â 1 - Local Intranet Zoneâ€¢Â 0 - Local Machine Zoneâ€¢Â 22 - Trusted Intranet and Restricted site zones
g the user can configure his or her list of search providers.

Security zones: Use only machine settings" policy.
rate at which Internet Explorer creates new tab processes to low medium or high or to an integer.If you disable or do not configure this p
urrently set to prompt it will be bypassed and enabled.If you disable this policy setting for an application or process in the list a script that
.If you do not configure this policy setting the user can turn on and turn off Internet Explorer 7 Standards Mode.
ditional string appended) for local intranet content. Additionally all local intranet Standards Mode pages appear in Internet Explorer 7 Stan
etting users can turn this feature on and off determining whether to delete ActiveX Filtering Tracking Protection and Do Not Track data wh
efault this option is turned on.
es the user and gives the option to disable Enhanced Protected Mode for that particular website.If you enable this policy setting Internet E
ed security protocol and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
ate GPO. You can then use Group Policy management features (for example precedence inheritance or enforce) to apply individual setting
for the specified zone are applied to the site.Â For each entry that you add to the list enter the following information:Valuename â€“ A
m.If you enable this policy setting users can preview items and get custom thumbnails from OpenSearch query results in this zone using Fil
to a different domain when the source and destination are in different windows. Users cannot change this setting.
drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change this s
ed by the server the user is queried to provide the user name and password.If you disable this policy setting logon is set to Automatic logo
e this policy setting.
ue - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should be de
e Add-on Manager to allow or deny any add-ons that are not included in the 'Add-on List' policy setting.Note: If an add-on is listed in the 'A
f the All Processes policy setting is enabled the processes configured in this policy setting take precedence over that setting.If you do not c
g the security feature is allowed.
in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled
f you disable or do not configure this policy setting the security feature is allowed.
he processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the security featu
e specified processes.
policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence o
ecedence over that setting.If you disable or do not configure this policy setting the security feature is allowed.
abled or the â€œBlock at First Sightâ€ feature will not function. Real-time Protection -> Do not enable the â€œTurn off real-time protec
ted including where the software came from the actions that you apply or that are applied automatically and whether the actions were su
- 1 (Block) - 0 (Off) - 2 (Audit) - 5 (Not Configured) - 6 (Warn) Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0 xxxxxxxx
Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. Disabled: The following will not be blocked and will be a
l protection measures (may impact client performance) (0x6) Zero tolerance blocking level â€“ block all unknown executables
a URL such as the following:- C:\MitigationSettings\Config.XML- \\Server\Share\Config.xml- https://localhost:8080/Config.xmlThe settings
er specified in the settings storage path. These settings are then synchronized to other computers by an external synchronization engine. U
eplace the default Microsoft templates all of the default Microsoft templates installed by the UE-V Agent will be deleted from the compute
lback state is copied to the settings storage location on logout and restored on login.If you disable this policy setting no UE-V rollback stat

sabling or not configuring this policy setting.Note: You should only enable this policy setting when the license server is a member of a dom
policy setting the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server
cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RD
ticated.If you disable or do not configure this policy setting the authentication setting that is specified in Remote Desktop Connection or in
a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2
of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting.If the list contains a string that is not a certificat
ection client.If you disable or do not configure this policy setting remote users can only start programs that are listed in the RemoteApp pr
Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Secu
dows and the mode of Remote Desktop Services running on the server.If the status is set to Disabled or Not Configured limits to the numb
do not configure this policy setting Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior
Professional.If you enable this policy setting audio and video playback redirection is allowed.If you disable this policy setting audio and vide
p Policy level.
ported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation R
For example if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the r
t to PS if one is not found" - If no suitable printer driver can be found default to the PostScript (PS) fallback printer driver."Show both PCL a
printer driver cannot be used the client printer is not available for the Remote Desktop Services session.Note: If the "Do not allow client p
gure this policy setting no restriction is placed on the size of the entire roaming user profile cache on the local drive.Note: This policy setti
are does not exist Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally
Path Remote Desktop Services places user home directories in the network location.If the status is set to Enabled Remote Desktop Service
configured by using Group Policy. 2. For Windows Server 2008 this policy setting is supported on at least Windows Server 2008 Standar
unless the Join RD Connection Broker policy setting is enabled. 3. To be an active member of an RD Session Host server farm the compu
Connection Broker.If the policy setting is not configured the policy setting is not specified at the Group Policy level. Notes: 1. If you enab
the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD
Note: If you enable this policy setting you must also enable the Join RD Connection Broker the Configure RD Connection Broker farm name
Note: Additional configuration might be necessary on the remote computer to make Windows Aero features available for remote desktop
policy setting is ignored.
ng a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm some grap
le this policy setting and set quality to Lossless RemoteFX Adaptive Graphics uses lossless encoding. In this mode the color integrity of the
llowed for remote connections.

ections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Se
mponents\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting.
working directory. If the specified program path file name or working directory is not the name of a valid directory the RD Session Host ser
bled and RemoteFX for RD Session Host is disabled.
se RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the defau
client and RD Session Host server. If you select this setting the RD Session Host server is not authenticated. Native RDP encryption (as opp
o not configure this policy setting the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8 Netw
found that was created with the specified certificate template the certificate that will expire latest and that matches the current name of
pport this encryption level cannot connect to RD Session Host servers.* Client Compatible: The Client Compatible setting encrypts data sen
sktop Services disconnects a timed-out session unless specified otherwise in local settings.Note: This policy setting only applies to time-ou
e policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Ses
guration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\E
setting is not specified at the Group Policy level. Be y default Remote Desktop Services disconnected sessions are maintained for an unlim
ed from the RD Session Host server but it is not logged off.Note: This policy setting appears in both Computer Configuration and User Con
olicy setting has no effect.
olders are created unless the server administrator specifies otherwise.
ns list in the Desktop Search results.

or you must add at least one entry in the allow list even if you want to enable this policy without an allow list. Create a list entry by putting
ned off for domain members.Windows XP SP2----------------------In Windows XP SP2 the essential security settings that are monitored by Sec
e or do not configure this policy setting filtering will take place.If you disable this policy setting no filtering will take place.
n Windows 7 and Windows Vista.
ut Panel Options.Caution: If you enable both the â€œPrevent Input Panel from appearing next to text entry areasâ€ policy and the â€œP
erted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.If you do not configure this policy
nput Panel taskbar iconâ€ policy the user will then have no way to access Input Panel.
they use the on-screen keyboard by default skin switching is allowed and Input Panel displays the cursor and which keys are tapped. User
If you enable this policy and choose â€œNoneâ€ users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratc
ver the setting in User Configuration.
omputer Configuration takes precedence over the setting in User Configuration.

enable this policy with the "Warn" option SmartScreen's dialogs will warn the user that the app appears suspicious but will permit the use
settings in the policy setting:- ""Do not display links to any Microsoft â€˜More informationâ€™ websites"": Select this option if you do not
eued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the in
y setting is disabled or not configured.For related information see the Configure Error Reporting and Report Operating System Errors polic
applications on this list are always reported even if the Default dropdown in the Default application reporting policy setting is set to repor
tting and in the exclusion list in this policy setting the application is excluded from error reporting. You can also use the exclusion list in thi
a: any error reporting data requested by Microsoft is sent automatically.If this policy setting is disabled or not configured then the consen
o check for an existing solution as well as data which Windows has determined (within a high probability) does not contain personally iden
pply this setting to a computer.
th Azure Active Directory.

for Business automatically starts provisioning after the user has signed in.
t errors in an installation program that prevents software from being installed.
Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access to restri
maximum size.
context."
er Configuration folders. If the policy setting is enabled in either folder it is considered be enabled even if it is explicitly disabled in the oth
l use Restart Manager to detect files in use and mitigate a system restart when possible.
ork Locations to search for installation files. Also see the "Enable user to browse for source while elevated" policy setting.
en a user reinstalls removes or repairs an installation the transform file is available even if the user is on a different computer or is not con
Installer is disabled.This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and up
oesnâ€™t have TPM 2.0 and PCR7 or - The device doesnâ€™t use a TPM-only protector2. â€œAlways Enabledâ€ specifies that autom
setting if the domain is not at the Windows Server 2008 domain functional level.If you disable or do not configure this setting messages ab
s policy setting the device does not configure automatic sign in. The userâ€™s lock screen apps are not restarted after the system restarts
d then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. Note: This policy setti
at directory to prevent users from viewing the transcripts of other users or computers. Note: This policy setting exists under both C
on the computer and uses only addresses that fall within one of the filter ranges.You should use an asterisk (*) to indicate that the service
d elevated permissions to do either of these update-related tasks.On Vista: If you enable this policy setting users will not see a User Accou
at they are ready to install. After going to Windows Update users can install them. 4 = Automatically download updates and install the
y will not have any effect on Windows RT PCs.
hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number of days
gure this policy the PC will restart following the default schedule.Enabling any of the following policies will override the above policy: 1. N
ead of Windows Update to search for and download updates. Enabling this setting means that end users in your organization don't have t
updates.If you disable or do not configure this policy setting Windows 7 users will not be offered detailed notification messages for optiona
uires a telemetry level setting of 2 or higher and your domain registered on insider.windows.com. For additional information on Preview B
hat only the About and Bluetooth pages should be shown (their respective URIs are ms-settings:about and ms-settings:bluetooth) and all o
this setting in Control Panel.If you disable this policy setting automatic learning is turned on. Users cannot configure this policy setting in C
ountTokenFilterPolicy see http://support.microsoft.com/kb/951016.

ny effect. If you disable or do not configure this policy setting the BITS peer caching feature will be disabled and BITS will download fil
the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider using thi
ou to specify a bitmask in which the bits describe cost states allowed or disallowed for this priority: (bits described here) 0x1 - The cos
Policy setting and then configure local computer policy to enable BranchCache latency settings on individual client computers. Because th
this policy setting is not applied to client computers and the clients run the version of BranchCache that is included with their operating sy
addition to the "Set BranchCache Hosted Cache mode" policy setting use the hosted cache servers that are specified in this policy setting a
omatic hosted cache server discovery under the following circumstances:If no other BranchCache mode-based policy settings are applied t
r cache age setting is enabled for all client computers where the policy is applied. For example if this policy setting is enabled in domain G
ent computers where you want to enable BranchCache.- Enabled. With this selection BranchCache distributed cache mode is enabled for
ecause the domain Group Policy setting is not configured it will not over-write the enabled setting that you use on individual client compu
Enabled. With this selection the BranchCache client computer cache setting is enabled for all client computers where the policy is applied.
h this selection BranchCache is turned on for all client computers where the policy is applied. For example if this policy is enabled in doma
s for existence. The contents of the file do not matter. The syntax is â€œFILE:â€ followed by a UNC path. The ComputerName portion of t
resume normal DirectAccess functionality the user clicks Connect.Note If the DirectAccess client computer is on the intranet and has corr
ntoso.com." second if the first query fails.If you enable this policy setting suffixes are allowed to be appended to an unqualified multi-label
n place of the failed suffix and this new query is submitted. The values are used in the order they appear in the string starting with the left
names to a single-label name when it sends DNS queries:The primary DNS suffix as specified on the Computer Name tab of the System con
he DNS client appends the following names to a single-label name when it sends DNS queries:The primary DNS suffix as specified on the Co
ction and mycomputer.microsoft.com when this policy setting is enabled.Important: This policy setting is ignored on a DNS client compute
onds is 30 minutes.If you enable this policy setting registration refresh interval that you specify will be applied to all network connections u
ting IP addresses will not be replaced during a dynamic update and an error will be recorded in Event Viewer.
s enabled in domain Group Policy hash publication is turned on for all domain member file servers to which the policy is applied. The file s
this selection both V1 and V2 hash generation and retrieval are supported.In circumstances where this setting is enabled you can also sele
on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated access."
applications at home.3. In order to use a corporate seed server and the global seed server enable the setting; insert the fully qualified dom
ch it is by default) for this policy to have effect.
ch it is by default) for this policy to have effect.

which it is by default) for this policy to have effect.
bled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled.Note: If you
w Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.)By default ICS is disabled when you create
abled.If you do not configure this policy setting Windows Defender Firewall behaves as if you had disabled it.Note: If any policy setting op
ports. Therefore the computer cannot share files or printers unless an administrator uses other policy settings to open the required ports.
r do not configure this policy setting Windows Defender Firewall does not open TCP port 135 or 445. Also on Windows XP Professional wit
Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Defender Firewall component of Co
Windows Defender Firewall does not open these ports. Therefore the computer cannot receive Plug and Play messages unless an administ
his policy setting Windows Defender Firewall leaves the log file intact.If you do not configure this policy setting Windows Defender Firewa
setting the port exceptions list defined by Group Policy is deleted but other policy settings can continue to open or block ports. Also if a loc
m the list and add a new one with different parameters. To allow administrators to add programs to the local program exceptions list that
e Windows Defender Firewall component of Control Panel the "Block all incoming connections" check box is cleared by default but admin
abled.If you do not configure this policy setting Windows Defender Firewall behaves as if you had disabled it.Note: If any policy setting op
ports. Therefore the computer cannot share files or printers unless an administrator uses other policy settings to open the required ports.
r do not configure this policy setting Windows Defender Firewall does not open TCP port 135 or 445. Also on Windows XP Professional wit
Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Defender Firewall component of Co
Windows Defender Firewall does not open these ports. Therefore the computer cannot receive Plug and Play messages unless an administ
his policy setting Windows Defender Firewall leaves the log file intact.If you do not configure this policy setting Windows Defender Firewa
setting the port exceptions list defined by Group Policy is deleted but other policy settings can continue to open or block ports. Also if a loc
m the list and add a new one with different parameters. To allow administrators to add programs to the local program exceptions list that
e Windows Defender Firewall component of Control Panel the "Block all incoming connections" check box is cleared by default but admin
tting in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab click Advanced and then select an option in the
ble or do not configure this policy setting Windows performs a background sync of offline folders in the slow-link mode at a default interva
ncy or Throughput value computers running Windows Vista or Windows Server 2008 will not use the slow-link mode.If you do not configu
click Folder Options click the Offline Files tab and then use the slider bar associated with the "Amount of disk space to use for temporary
ng transparent caching is enabled and configurable.If you disable or do not configure this policy setting remote files will be not be transpa
current cache state is retained and if the cache is only partially encrypted the operation completes so that it is fully encrypted. The cache
edence over the setting in User Configuration.
ce on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk space limit.
he Tools menu click Folder Options click the Offline Files tab and then click Advanced. This setting corresponds to the settings in the "Excep
ed "Always available offline" on computers running Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows 8 Win
e for offline use.
chronize all offline files before logging off" option.

tion takes precedence over the setting in User Configuration.Tip: To change the synchronization method without setting a setting in Windo
setting in Windows Explorer on the Tools menu click Folder Options and then click the Offline Files tab. This setting corresponds to the "En
dmin group full control.Note: It is good practice to use a cryptic community name.Note: This policy setting has no effect if the SNMP agent
the other two SNMP policy settings: "Specify trap configuration" and "Specify Community Name".
6to4 is turned off and connectivity with 6to4 will not be available.
figuration. If the ISATAP name is not resolved successfully the host will have an ISATAP interface configured with a link-local address.Policy
n the network traffic drops below this threshold the computer will be disconnected from the network. Apps that keep a network connectio
behavior is similar to 1. However if a cellular data connection is available it will always stay connected for services that require a cellular c
based network over Ethernet and a user attempts to create a manual connection to an additional network in violation of this policy setting
nect to suggested open hotspots" or "Connect to networks shared by my contacts".

ect is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
etwork discovery" and then click "Save changes". If you would like to not display printers of a certain type enable this policy and set t
nt will submit any pending print jobs.Note: Some printer drivers require a custom print processor. In some cases the custom print processo
not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Administrati
hed before settings take effect.
s always logged. Note: This setting is used only on domain controllers.
computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated. -
omatically republished are never pruned. "Never" is the default. -- "Only if Print Server is found" prunes printer objects that are not
ent Items menu from Start Menu" setting the Recent Items menu appears on the Start menu but it is empty.If you enable this setting but
vent Tracker occurs.Note: By default the Shutdown Event Tracker is only displayed on computers running Windows Server.
sed to add a link to a Help topic and runs executables that are external to the Help file. The "WinHelp" command is used to add a link to a
r the computer.
een successfully cleared on transmission and the log has filled up again. Data Block Size: This value specifies the maximum size in bytes
ed when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.hu
urces.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
sion Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Session Host running on all machines.TER
mote Desktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Session Host running on
am.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Session Host
h the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.For Example:TERMSR
n be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers that are ot
ng can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers that are
mThis policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions for specifi
hich use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will
remote devices.Note: To disable most credential delegation it may be sufficient to deny delegation in Credential Security Support Provide
om each computer with a physically present user in order to clear configuration persisted in UEFI. The "Enabled without lock" option allow
emote desktop server.If you disable or do not configure this policy setting and no other policy setting describes the device the "Prevent in
ou disable or do not configure this policy setting and no other policy setting describes the device the "Prevent installation of devices not d
server.If you disable or do not configure this policy setting and no other policy setting describes the device the "Prevent installation of dev
Quota tab and then click "Enable quota management."

limit and warning level" policy setting. Otherwise the system uses the physical space on the volume as the quota limit.
mit because their status in the Quota Entries window changes.Note: To find the logging option in My Computer right-click the name of an N
nd warning level.When you select a limit remember that the same limit applies to all users on all volumes regardless of actual volume size.
r all applications as some older desktop applications will always be blurry on high DPI displays. In some cases you may see some odd behav
OM server regardless of local settings.If you disable this policy setting the appid exemption list defined by Group Policy is deleted and the
on of drivers determined to be Bad is skipped.If your malware detection application does not include an Early Launch Antimalware boot-s
mputer Configuration policy setting takes precedence.
panese under Administrative Templates.If you disable or do not configure this setting the Group Policy Object Editor snap-in always loads
has joined the domain.2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled.If you disable or do
system restart.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even
n or system restart.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items
.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even if the prefere
andwidth speed across Direct Access Group Policy will evaluate the network connection as a fast link and process all client side extensions
tart.The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have n
ystem restart.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even
e Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy imp
he next user logon or system restart.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the p
rocess even if the Group Policy objects have not changed" option updates and reapplies the preference items even if the preference item
tem changes do not take effect until the next user logon or system restart.3. The "Process even if the Group Policy objects have not chang
ed. Many policy implementations specify that they are updated only when changed. However you might want to update unchanged policie
3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even if the preferen
The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain control
onfiguration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for s
rt.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even if the prefe
t until the next user logon or system restart.The "Process even if the Group Policy objects have not changed" option updates and reapplies
stem restart.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even i
ext user logon or system restart.The "Process even if the Group Policy objects have not changed" option updates and reapplies the policie
not take effect until the next user logon or system restart.3. The "Process even if the Group Policy objects have not changed" option updat
m changes do not take effect until the next user logon or system restart.3. The "Process even if the Group Policy objects have not changed
ser logon or system restart.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preferenc
es do not take effect until the next user logon or system restart.3. The "Process even if the Group Policy objects have not changed" option
ence item changes do not take effect until the next user logon or system restart.3. The "Process even if the Group Policy objects have not
xt user logon or system restart.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the prefe
setting in case a user has changed it.

art.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even if the pref
hanges do not take effect until the next user logon or system restart.3. The "Process even if the Group Policy objects have not changed" op
anged" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are
eapplying a desired policy setting in case a user has changed it.
rt.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even if the prefe
estart.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even if the p
olicies have not changed. Many policy setting implementations specify that they are updated only when changed. However you might wan
ystem restart.3. The "Process even if the Group Policy objects have not changed" option updates and reapplies the preference items even
al settings.If you disable this setting or do not configure it the user's Group Policy Objects determines which user settings apply.Note: This s
oup Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implem
if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many polic
conds. The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the dom
policy also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from requesting
esting updates simultaneously the system varies the update interval for each controller by a random number of minutes. The number you
nfiguration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension whe
configuration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension w
acing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you perform
guration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when y
configuration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension wh
t applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you perform a Group
uter configuration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extensi
cing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you perform
cing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you perform
racing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you perfor
nder User Configuration only so computer configuration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracin
o computer configuration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference
omputer configuration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference exte
puter configuration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extens
acing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you perform
o computer configuration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference
computer configuration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference ex
on tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when you pe
guration tracing is not applicable.3. Group Policy Modeling query tracing: To perform tracing for items in this preference extension when y
armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled Kerberos authentication messages will not
he local registry if they exist.

gure this policy setting the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry if they exist.
text tokens it is not advised to set this value more than 48000 bytes.
ngs defined by Group Policy.
ons will be based on per-user policy settings.To set this policy setting on a per-user basis make sure that you do not configure the per-mac
level the per-user policy is ignored. If this policy setting is not configured at the computer level restrictions are based on per-user policies.
r the screen turns off.If you don't configure this policy setting on a workgroup device a user on a Connected Standby device can change the
ctory or user object logon script logs on to a computer computers always wait for the network to be initialized before logging the user on.
ar the ""Show this screen at startup"" check box on the welcome screen.
rocess the run once list"" settings.
the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. PROCESS_CREATION_M
in the domain. When this setting is enabled an application that relies on the ability to lock files on the Netlogon share with only read perm
When this setting is enabled an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able
C location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
ontroller entries.If you enable this policy setting DC Locator on the machine will carry out Force Rediscovery periodically according to the
APIs will return IPv4 address. But if the domain controller supports only IPv6 address then DC Locator APIs will fail.If you do not configure
sDomainName>Dc SRV _ldap._tcp.dc._msdcs.<DnsDomainName>DcAtSite SRV _ldap._tcp.<SiteName>._sites.dc._msdcs.<D
zones may result in the undesired deletion of DNS resource records.To specify the Refresh Interval of the DC records click Enabled and th
any DCs and DCs use their local configuration.
behavior is honored.If you do not configure this policy setting Try Next Closest Site DC Location will not be used by default for the machine
med on the single-label name only in the event that DNS resolution fails.If you disable this policy setting when the AllowSingleLabelDnsDom
Directory forest to which this computer is joined.If you do not configure this policy setting it is not applied to any computers and compute
Options menu if it is available.
nter the name of the helper user or user groups use the following format:<Domain Name>\<User Name> or<Domain Name>\<Group Nam
ation created by using email or file transfer can remain open.The "Select the method for sending email invitations" setting specifies which
me to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation but the created security context does not support delegation.-- "O
ws 2000 Server Windows 2000 Advanced Server or Windows 2000 Datacenter Server. -- "Server" directs RPC to maintain basic state infor
s policy setting is in effect the command that starts the process must begin with one of the strings in the Extended Error Information Excep
running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server or if it us
n disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used.If you enable this policy setting and the
PO B: B.cmd B.ps1Within GPO C: C.cmd C.ps1Note: This policy setting determines the order in which computer startup and shutdown scrip
mines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific scri
requisite tasks might not be done and the system can appear to be ready prematurely.If you disable or do not configure this setting the sys
his setting to take effect.Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have be
inutes in Windows Server 2012.
eboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
nagement Console.
ng or resolution will be attempted.If you do not configure this setting the recovery behavior for corrupted files will be set to the regular re
d diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. Note
his policy setting will take effect only when MSDT is enabled.This policy setting will only take effect when the Diagnostic Policy Service (DP
oft. Do not notify users when troubleshooting has solved a problem.5 = Allow the user to choose their own troubleshooting settings.After s
ting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted.If you do not configure
g state. When the service is stopped or disabled scheduled diagnostics will not be executed. The Task Scheduler service can be configured
ke effect: changes take effect immediately.This policy setting will only take effect when the Diagnostic Policy Service is in the running state
equired for this policy to take effect: changes take effect immediately.This policy setting will only take effect when the Diagnostic Policy Se
equired for this policy to take effect: changes take effect immediately.This policy setting will only take effect when the Diagnostic Policy Se
ystem restart or service restart is required for this policy to take effect: changes take effect immediately.This policy setting will only take e
quired for this policy to take effect: changes take effect immediately.This policy setting will only take effect when the Diagnostic Policy Ser
the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM anti-ha
pting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM command
he user is not allowed to send commands requiring authorization to the TPM.The Standard User Lockout Total Threshold value is the maxi
user may have before the user is not allowed to send commands requiring authorization to the TPM.The Standard User Lockout Total Thre
on failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM.This value is
ent computer sets the file share permissions for the roaming profile at creation time.Note: In the default case administrators have no file a
ections" policy setting is enabled this policy setting is ignored. Also if the "Delete cached copies of roaming profiles" policy setting is enabl
he user profile.
figure this policy setting AND the roaming profile folder exists AND the user or administrators group are not the owner of the folder Windo
ows Installer and Group Policy software installation data when those profiles are deleted.Note: If this policy setting is enabled for a machin
system tries just once to unload and update the user's registry settings. It does not try again.Note: This policy setting is particularly impor
les" setting roaming profiles are disabled.Note: This setting only affects roaming profile users.
the user. In Microsoft Windows Vista the system will ignore the user choice made on the logon screen.Note: This policy setting and relate
al Services roaming profile path specified by Terminal Services policy2. Terminal Services roaming profile path specified by the user object
ple if the settings dictate that the user's registry file is to be uploaded at 6pm it will actually upload at a random time between 6pm and 7p
file share to a drive letter.If you disable or do not configure this policy setting the user's home folder is configured as specified in the user'
do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may h
y is desirable when quick logging on is a priority.Important: If the "Do not detect slow network connections" policy setting is enabled this p
siderably or in other words spiked. Default: 50000000 100-nanosecond units (ns) or 5 seconds. MaxAllowedPhaseOffsetIf a response is
e. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operation
is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
ployees must restart the app or device for the policy changes to be applied to the app.
ust restart the app or device for the policy changes to be applied to the app.
evice for the policy changes to be applied to the app.
ation about other apps by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device em
licy changes to be applied to the app.
ce for the policy changes to be applied to the app.
ees must restart the app or device for the policy changes to be applied to the app.
estart the app or device for the policy changes to be applied to the app.
restart the app or device for the policy changes to be applied to the app.
y changes to be applied to the app.
restart the app or device for the policy changes to be applied to the app.
rt the app or device for the policy changes to be applied to the app.
employees must restart the app or device for the policy changes to be applied to the app.
ge it.If you disable or do not configure this policy setting employees in your organization can decide whether Windows apps can access the
figured to allow applications to be activated with voice.
by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the
app or device for the policy changes to be applied to the app.
ows or displays by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees m
up Policy object is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
KLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0 this prevents all 16-bit applications from run
require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server w
d by using the Services snap-in to the Microsoft Management Console.
n takes precedence over the policy setting in User Configuration.
policies are set BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the setup scrip
rmation to a folder.If you disable or do not configure this policy setting the BitLocker setup wizard will present users with ways to store rec
ccess to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organization. It is a
ords and may help perform specialized recovery when the disk is damaged or corrupted.If you select the option to "Require BitLocker back
he user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situation for the fixed driv
en you turn on BitLocker instead BitLocker recovery options for the drive are determined by the policy setting.In "Save BitLocker recovery
od and cipher strengthâ€ policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based
essary when BitLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a domain contr
uses the TPM on the computer so computers that do not have a TPM cannot create Network Key Protectors to automatically unlock with N
ng "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and has PCR 7 omitted Bitlocker will be p
e to specify which recovery option to use when you turn on BitLocker instead BitLocker recovery options for the drive are determined by t
rted in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on
to 23 The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM
lease the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either
e TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and req
n method and cipher strengthâ€ policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware
assword. When set to "Allow complexity" a connection to a domain controller will be attempted to validate the complexity adheres to the
- Configure use of passwords for operating system drives.
tion for encrypted data. When the computer starts it can use only the TPM for authentication or it can also require insertion of a USB flash
tting options for computers with and without a TPM.If you disable or do not configure this policy setting the BitLocker setup wizard will disp
nization" policy setting the user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situ
n to use when you turn on BitLocker instead BitLocker recovery options for the drive are determined by the policy setting.In "Save BitLock
method and cipher strengthâ€ policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-
nabled to validate the complexity the password. When set to "Allow complexity" a connection to a domain controller will be attempted to
ny write access" policy setting is enabled this policy setting will be ignored.
a. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the "Limit Dump Collection" and the "Limit Diagnosti
picious but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app i
er is automatically used. This is the default behavior.- If you enable this policy you can configure redirected sites to open in up to three of t
ate the optimal configuration for your organization see https://go.microsoft.com/fwlink/?linkid=2094210.

anet and Restricted site zones onlyÂ Â Binary Representation - 10110â€¢Â 1 - Restricted Sites Zoneâ€¢Â 0 - Internet Zoneâ€¢Â 1 - Trusted
able or do not configure this policy setting the tab process growth is set to the default. The user can change this value by using the registry
process in the list a script that is running in the application or process cannot bypass the prompt for delete copy or paste operations from t
ear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages but newer content wri
tion and Do Not Track data when clicking Delete.

le this policy setting Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode websites
orce) to apply individual settings to specific targets.

nformation:Valuename â€“ A host for an intranet site or a fully qualified domain name for other sites. The valuename may also includeÂ
ry results in this zone using File Explorer.If you disable this policy setting users will be prevented from previewing items and get custom thu
ow. Users cannot change this setting in the Internet Options dialog.
ogon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Automatic logon only in Intra
ogon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Automatic logon with current
ogon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Prompt for username and pa
ogon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Prompt for username and pa
y that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed enter a 1 (one) into this field
: If an add-on is listed in the 'Add-on List' policy setting the user cannot change its state through Add-on Manager (unless its value has bee
ver that setting.If you do not configure this policy processes other than the Internet Explorer processes will not be affected by add-on man
esses policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure thi
policy setting the security feature is allowed.
d in this box take precedence over that setting.If you disable or do not configure this policy setting the security feature is allowed.
e â€œTurn off real-time protectionâ€ policy or the â€œBlock at First Sightâ€ feature will not function.
d whether the actions were successful. Advanced membership in addition to basic information will send more information to Microsoft a
xxxxxxxxxxx 0 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 Disabled: No ASR ru
ill not be blocked and will be allowed to run: - Attempts by untrusted apps to modify or delete files in protected folders - Attempts
unknown executables
:8080/Config.xmlThe settings in the XML file will be applied to the endpoint.DisabledCommon settings will not be applied and the locally c
rnal synchronization engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-
be deleted from the computer and only the templates located in the settings template catalog will be used.If you disable this policy settin
y setting no UE-V rollback state is copied to the settings storage location.If you do not configure this policy no UE-V rollback state is copied
e server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group wh
for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has e
hen a user tries to start an RDP session the user receives a message that the publisher has been blocked.Note: You can define this policy s
mote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the
ws Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. F
a string that is not a certificate thumbprint it is ignored.
are listed in the RemoteApp programs list when they start a Remote Desktop Services session.
te Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. You can lim
Configured limits to the number of connections are not enforced at the Group Policy level.Note: This setting is designed to be used on RD
mine the network quality prior to the connection and it will continuously try to adapt the user experience to varying network quality.
is policy setting audio and video playback redirection is not allowed even if audio playback redirection is specified in RDC or video playback
stallation\Device Installation Restrictions policy settings.
ack quality configured on the remote computer the lower level of audio playback quality will be used.Audio playback quality can be configu
rinter driver."Show both PCL and PS if one is not found" - If no suitable driver can be found show both PS and PCL-based fallback printer d
e: If the "Do not allow client printer redirection" policy setting is enabled the "Use Remote Desktop Easy Print printer driver first" policy se
al drive.Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located
l store the user profiles locally on the RD Session Host server.If you disable or do not configure this policy setting user profiles are stored l
abled Remote Desktop Services creates the user's home directory in the specified location on the local computer or the network. The hom
Windows Server 2008 Standard.

n Host server farm the computer account for each RD Session Host server in the farm must be a member of one of the following local grou
cy level. Notes: 1. If you enable this policy setting you must also enable the Configure RD Connection Broker farm name and Configure RD
olution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Sessi
Connection Broker farm name and the Configure RD Connection Broker server name policy settings.
s available for remote desktop sessions. For example the Desktop Experience feature must be installed on the remote computer and the m
mpression algorithm some graphics data will still be compressed.If you disable or do not configure this policy setting the default RDP compr
mode the color integrity of the graphics data is not impacted. However this setting results in a significant increase in network bandwidth co
ast Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections.3.For connections from clien
ssions" policy setting.
ectory the RD Session Host server connection fails with an error message.If the status is set to Enabled Remote Desktop Services sessions a
ttings were selected (the default behavior).
Native RDP encryption (as opposed to SSL encryption) is not recommended.* SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to a
ver 2012 and Windows 8 Network Level Authentication is enforced by default.Important: Disabling this policy setting provides less security
matches the current name of the RD Session Host server will be selected.If you disable or do not configure this policy the certificate temp
tible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this encryptio
setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that
Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached.Note: This policy setting appears in
on Host\Session Time Limits\End session when time limits are reached.Note: This policy setting appears in both Computer Configuration a
s are maintained for an unlimited amount of time. Note: This policy setting appears in both Computer Configuration and User Configuratio
er Configuration and User Configuration. If both policy settings are configured the Computer Configuration policy setting takes precedence
t. Create a list entry by putting a space in the name field and a space in the value field and then save it. This will create a placeholder entry
ngs that are monitored by Security Center include firewall antivirus and Automatic Updates. Note that Security Center might not be availa
ill take place.

areasâ€ policy and the â€œPrevent Input Panel tab from appearingâ€ policy and disable the â€œShow Input Panel taskbar iconâ€ poli
u do not configure this policy rarely used Chinese Kanji and Hanja characters will not be included in recognition results when handwriting
d which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and
tures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If you
picious but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app i
elect this option if you do not want error dialog boxes to display links to Microsoft websites.- ""Do not collect additional files"": Select this
k reminders determines the interval time between the display of system notifications that remind the user to check for solutions to proble
Operating System Errors policy settings.
ng policy setting is set to report no application errors.If the Report all errors in Microsoft applications or Report all errors in Windows comp
so use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for these ca
ot configured then the consent level defaults to the highest-privacy setting: Always ask before sending data.
es not contain personally identifiable data and prompts the user for consent to send any additional data requested by Microsoft.- 4 (Send
ain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guaranteed to be
s explicitly disabled in the other folder.
d" policy setting.

fferent computer or is not connected to the network.
ther methods to install and upgrade programs.

abledâ€ specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is
figure this setting messages about the previous logon or logon failures are not displayed.
arted after the system restarts.
puter. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Comp
licy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configuration polic
*) to indicate that the service listens on all available IP addresses on the computer. When * is used other ranges in the filter are ignored. If
users will not see a User Account Control window and do not need elevated permissions to do either of these tasks. If you do not enable th
wnload updates and install them on the schedule specified below. When "Automatic" is selected as the scheduled install time Window
more than the number of days set as grace period to manage their restart based on deadline configurations.You can set the device to delay
verride the above policy: 1. No auto-restart with logged on users for scheduled automatic updates installations 2. Always automatically
your organization don't have to go through a firewall to get updates and it gives you the opportunity to test updates before deploying them
tification messages for optional applications and Windows Vista users will not be offered detailed notification messages for optional applic
onal information on Preview Builds see: https://aka.ms/wipforbizIf you disable or do not configure this policy Windows Update will not off
s-settings:bluetooth) and all other pages hidden:showonly:about;bluetoothExample: to specify that only the Bluetooth page (which has U
onfigure this policy setting in Control Panel. Collected data is only used for handwriting recognition if handwriting personalization is turned
led and BITS will download files directly from the origin server.
rpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client computer has a f
cribed here) 0x1 - The cost is unknown or the connection is unlimited and is considered to be unrestricted of usage charges and capac
l client computers. Because the domain Group Policy setting is not configured it will not over-write the latency setting that you use on ind
ncluded with their operating system.In circumstances where this setting is enabled you can also select and configure the following option:S
pecified in this policy setting and do not use the hosted cache server that is configured in the policy setting "Set BranchCache Hosted Cach
ed policy settings are applied the client computer performs automatic hosted cache server discovery. If one or more hosted cache servers
setting is enabled in domain Group Policy the BranchCache client computer cache age that you specify in the policy is turned on for all dom
ed cache mode is enabled for all client computers where the policy is applied. For example if this policy is enabled in domain Group Policy
use on individual client computers where you want to enable BranchCache.- Enabled. With this selection BranchCache hosted cache mode
rs where the policy is applied. For example if Set percentage of disk space used for client computer cache is enabled in domain Group Polic
this policy is enabled in domain Group Policy BranchCache is turned on for all domain member client computers to which the policy is app
e ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshar
s on the intranet and has correctly determined its network location the Disconnect option has no effect because the rules for DirectAccess
d to an unqualified multi-label name if the original name query fails.If you disable this policy setting no suffixes are appended to unqualifie
he string starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.If you disable this po
er Name tab of the System control panel.Each connection-specific DNS suffix assigned either through DHCP or specified in the DNS suffix fo
NS suffix as specified on the Computer Name tab of the System control panel.Each connection-specific DNS suffix assigned either through D
ored on a DNS client computer if dynamic DNS registration is disabled.If you disable this policy setting or if you do not configure this policy
ed to all network connections used by computers that receive this policy setting.If you disable this policy setting or if you do not configure t
the policy is applied. The file servers are then able to create content information for all content that is stored in BranchCache-enabled file
ng is enabled you can also select and configure the following option:Hash version supported:- To support V1 content information only confi
e authenticated access."
g; insert the fully qualified domain name or IPv6 address of the corporate seed server leave the checkbox unchecked. This is the setting wh
Wizard is disabled.Note: If you enable the "Windows Firewall: Protect all network connections" policy setting the "Prohibit use of Internet
CS is disabled when you create a remote access connection but administrators can use the Advanced tab to enable it. When running the N
t.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbound echo requests even if the "Windows Defender
gs to open the required ports. In the Windows Defender Firewall component of Control Panel the "File and Printer Sharing" check box is cl
Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1 Windows Defender Firewall prevents SVCHOST.EX
der Firewall component of Control Panel the "Remote Desktop" check box is cleared. Administrators can change this check box."
messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the Windows
ng Windows Defender Firewall behaves as if the policy setting were disabled.

pen or block ports. Also if a local port exceptions list exists it is ignored unless you enable the "Windows Defender Firewall: Allow local por
al program exceptions list that is defined by the Windows Defender Firewall component in Control Panel also enable the "Windows Defend
cleared by default but administrators can change it.
t.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbound echo requests even if the "Windows Defender
gs to open the required ports. In the Windows Defender Firewall component of Control Panel the "File and Printer Sharing" check box is cl
Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1 Windows Defender Firewall prevents SVCHOST.EX
der Firewall component of Control Panel the "Remote Desktop" check box is cleared. Administrators can change this check box."
messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the Windows
ng Windows Defender Firewall behaves as if the policy setting were disabled.

pen or block ports. Also if a local port exceptions list exists it is ignored unless you enable the "Windows Defender Firewall: Allow local por
al program exceptions list that is defined by the Windows Defender Firewall component in Control Panel also enable the "Windows Defend
cleared by default but administrators can change it.
nd then select an option in the "When a network connection is lost" section.Also see the "Non-default server disconnect actions" setting.
-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Windows Serve
nk mode.If you do not configure this policy setting computers running Windows Vista or Windows Server 2008 will not transition a shared
sk space to use for temporary offline files" option.
ote files will be not be transparently cached on client computers.

t is fully encrypted. The cache does not return to the unencrypted state. The user must be an administrator on the local computer to encry
t of the total disk space limit. However the users can change these values using the Offline Files control applet.If you enable this setting a
ds to the settings in the "Exception list" section.
s Server 2008 Windows 8 Windows 7 or Windows Vista.This policy setting does not prevent files from being automatically cached if the ne
hout setting a setting in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and then select the "Synchroni
setting corresponds to the "Enable reminders" check box.

s no effect if the SNMP agent is not installed on the client computer.Also see the other two SNMP settings: "Specify permitted managers"
with a link-local address.Policy Disabled State: No ISATAP interfaces are present on the host.
hat keep a network connection active even when theyâ€™re not actively using it (for example email apps) might lose their connection. If t
rvices that require a cellular connection. When the user is connected to a WLAN or Ethernet connection no internet traffic will be routed o
violation of this policy setting the existing Ethernet connection is maintained and the manual connection attempt is blocked.If this policy s
he app.
pe enable this policy and set the number of printers to display to 0. In Windows 10 and later only TCP/IP printers can be shown in the
ases the custom print processor may not be installed on the client machine such as when the print server does not support transferring pri
er Configuration\Administrative Templates\Windows Components\Windows Explorer and by the "Enable Active Desktop" setting in User
er needs to be updated. -Windows Server 2003 and Windows XP client computers can create a printer connection to any server in th
es printer objects that are not automatically republished only when the print server responds but the printer is unavailable. -- "Whe
.If you enable this setting but then later disable it or set it to Not Configured the document shortcuts saved before the setting was enabled
ndows Server.
mand is used to add a link to a Help topic and runs a WinHLP32.exe Help (.hlp) file. To disallow the "Shortcut" and "WinHelp" command
es the maximum size in bytes to transmit to the server at once on a reporting upload to avoid permanent transmission failures when the l
ssion Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Session Host running on all machines.TE
st running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanre
sktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all mach
Remote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running
the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabri
for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" server list.
ns for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" server list.
to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating saved crede
nd services using CredSSP will accept unpatched clients.For more information about the vulnerability and servicing requirements for prote
ential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrati
bled without lock" option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy. The "Not C
bes the device the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can
nt installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
he "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
quota limit.
ter right-click the name of an NTFS file system volume click Properties and then click the Quota tab.
gardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group.This
you may see some odd behavior in some desktop applications. If that happens Per Process System DPI should be disabled.Enabling this se
roup Policy is deleted and the one defined by local computer administrators is used.If you do not configure this policy setting the appid ex
y Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled this setting has no effect a
ct Editor snap-in always loads all ADM files from the actual GPO.Note: If the ADMs that you require are not all available locally in your %wi
is enabled.If you disable or do not configure this policy setting detecting a slow network connection will not affect whether Group Policy p
lies the preference items even if the preference items have not changed. Many policy implementations specify that they are updated only
eapplies the preference items even if the preference items have not changed. Many policy implementations specify that they are updated
ence items even if the preference items have not changed. Many policy implementations specify that they are updated only when change
ocess all client side extensions.If you disable this setting or do not configure it Group Policy will evaluate the network connection as a slow
ies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However you m
ies the preference items even if the preference items have not changed. Many policy implementations specify that they are updated only
not changed. Many policy implementations specify that they are updated only when changed. However you might want to update unchan
on updates and reapplies the preference items even if the preference items have not changed. Many policy implementations specify that
ms even if the preference items have not changed. Many policy implementations specify that they are updated only when changed. Howev
Policy objects have not changed" option updates and reapplies the preference items even if the preference items have not changed. Man
nt to update unchanged policies such as reapplying a desired setting in case a user has changed it.
ence items even if the preference items have not changed. Many policy implementations specify that they are updated only when changed
onse from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing
ration defines a slow link for settings in the User Configuration folder.Also see the "Do not detect slow network connections" and related p
erence items even if the preference items have not changed. Many policy implementations specify that they are updated only when chang
" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are upda
es the preference items even if the preference items have not changed. Many policy implementations specify that they are updated only w
dates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only wh
ve not changed" option updates and reapplies the preference items even if the preference items have not changed. Many policy impleme
olicy objects have not changed" option updates and reapplies the preference items even if the preference items have not changed. Many
es and reapplies the preference items even if the preference items have not changed. Many policy implementations specify that they are
ects have not changed" option updates and reapplies the preference items even if the preference items have not changed. Many policy im
Group Policy objects have not changed" option updates and reapplies the preference items even if the preference items have not changed
dates and reapplies the preference items even if the preference items have not changed. Many policy implementations specify that they a
eference items even if the preference items have not changed. Many policy implementations specify that they are updated only when cha
y objects have not changed" option updates and reapplies the preference items even if the preference items have not changed. Many poli
entations specify that they are updated only when changed. However you might want to update unchanged policies such as reapplying a
erence items even if the preference items have not changed. Many policy implementations specify that they are updated only when chang
preference items even if the preference items have not changed. Many policy implementations specify that they are updated only when c
nged. However you might want to update unchanged policy settings such as reapplying a desired policies in case a user has changed it.
es the preference items even if the preference items have not changed. Many policy implementations specify that they are updated only
user settings apply.Note: This setting is effective only when both the computer account and the user account are in at least Windows 2000
changed. Many policy implementations specify that they are updated only when changed. However you might want to update unchanged
have not changed. Many policy implementations specify that they are updated only when changed. However you might want to update un
for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy p
date interval from requesting updates simultaneously the system varies the update interval for each client by a random number of minute
er of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example if you type 30 minu
this preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the loc
n this preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the
e extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the location where a
s preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the locati
n this preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the l
n when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the location where a planning
ems in this preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to
extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the location where a
extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the location where a
ce extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the location where
uery tracing: To perform tracing for items in this preference extension when you perform a Group Policy Modeling query you must provide
g for items in this preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace"
or items in this preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" bo
ems in this preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to
e extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the location where a
g for items in this preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace"
for items in this preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" b
erence extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the location wh
preference extension when you perform a Group Policy Modeling query you must provide a path in the "Planning trace" box to the locati
hentication messages will not use these features. If you configure "Supported" the domain controller supports claims compound authenti
ocal registry if they exist.

do not configure the per-machine policy setting.
re based on per-user policies.

Standby device can change the amount of time after the device's screen turns off before a password is required when waking the device. T
d before logging the user on. If a user has never logged on to this computer before computers always wait for the network to be initialized
e. PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100) The force Address Space La
gon share with only read permission will be able to deny Group Policy clients from reading the files and in general the availability of the Ne
y read permission will be able to deny Group Policy clients from reading the files and in general the availability of the SYSVOL share on the
periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network tra
will fail.If you do not configure this policy setting DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Lo
iteName>._sites.dc._msdcs.<DnsDomainName>Rfc1510Kdc SRV _kerberos._tcp.<DnsDomainName>Rfc1510KdcAtSite SRV _kerbero
C records click Enabled and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for
sed by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly the Next Closest Site behavior will be used.
n the AllowSingleLabelDnsDomain policy is not enabled computers to which this policy is applied will only use NetBIOS name resolution to
o any computers and computers use their local configuration.
<Domain Name>\<Group Name>If you enable this policy setting you should also enable firewall exceptions to allow Remote Assistance co
ations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program you can use
s not support delegation.-- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if delegation wa
C to maintain basic state information on the computer regardless of its capacity.-- "Full" directs RPC to maintain complete RPC state inform
ended Error Information Exception field.-- "Off with Exceptions" disables extended error information but lets you enable it for selected pr
cate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated clients m
able this policy setting and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout the timeout on the
ter startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a sp
s policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: User Configuration\P
ot configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default.
ppropriate mitigations have been performed for example patching of vulnerable TPMs.More information is available at https://go.microso
es will be set to the regular recovery behavior.No system or service restarts are required for changes to this policy to take immediate effe
ft Management Console. Note: For Windows Server systems this policy setting applies only if the Desktop Experience optional component
e Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled diagnostic scenarios are not executed. Th
oubleshooting settings.After setting this policy you can use the following instructions to check devices in your domain for available trouble
mpted.If you do not configure this policy setting the recovery behavior for corrupted files will be set to the default recovery behavior.No sy
duler service can be configured with the Services snap-in to the Microsoft Management Console.
Service is in the running state. When the service is stopped or disabled diagnostic scenarios will not be executed. The DPS can be configu
when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diagnostic scenarios will not be execute
when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diagnostic scenarios will not be execut
s policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diag
when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diagnostic scenarios will not be execute
nting reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require t
ists of blocked TPM commands.
tal Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not all
ndard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all sta
ation to the TPM.This value is the maximum total number of authorization failures all standard users may have before all standard users a
e administrators have no file access to the user's profile but they may still take ownership of this folder to grant themselves file permission
profiles" policy setting is enabled there is no local copy of the roaming profile to load when the system detects a slow connection.
he owner of the folder Windows will not copy files to or from the roaming folder. The user will be shown an error message and an entry w
setting is enabled for a machine local administrator action is required to remove the Windows Installer or Group Policy software installatio
cy setting is particularly important to servers running Remote Desktop Services. Because Remote Desktop Services edits the users' registry
: This policy setting and related policy settings in this folder define the system's response when roaming user profiles are slow to download
th specified by the user object3. A per-computer roaming profile path specified in this policy4. A per-user roaming profile path specified in
om time between 6pm and 7pm.Note: If "Run at set interval" is selected the "Time of day" option is disregarded. Likewise if "Run at set ti
gured as specified in the user's Active Directory Domain Services account.If the "Set Remote Desktop Services User Home Directory" polic
n. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domai
policy setting is enabled this policy setting is ignored. Also if the "Delete cached copies of roaming profiles" policy setting is enabled there
wedPhaseOffsetIf a response is received that has a time variation that is larger than this parameter value W32time sets the client compute
oller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time
ject is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
Windows apps can access the user's movements while the apps are running in the background by using Settings > Privacy on the device.If
ce employees must restart the app or device for the policy changes to be applied to the app.
plied on a device employees must restart the app or device for the policy changes to be applied to the app.
applied to the app.
all 16-bit applications from running. If that value is 0 16-bit applications are allowed to run. If that value is also not present on Windows 10
ularly useful for a web server where applications may be launched several hundred times a second and the performance of the loader is e
od specified by the setup script.â€
nt users with ways to store recovery options.Note: If Trusted Platform Module (TPM) initialization is needed during the BitLocker setup TP
ves in your organization. It is a comma separated list of identification fields from your organization or other external organizations.You can
tion to "Require BitLocker backup to AD DS" BitLocker cannot be turned on unless the computer is connected to the domain and the backu
his situation for the fixed drive to be unlocked on computers running Windows Server 2008 Windows Vista Windows XP with SP3 or Wind
ng.In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to store in A
ithm used by hardware-based encryption is set when the drive is partitioned. By default BitLocker uses the algorithm configured on the dr
connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy but if no domain con
to automatically unlock with Network Unlock.If you disable or do not configure this policy setting BitLocker clients will not be able to creat
R 7 omitted Bitlocker will be prevented from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.Warning
the drive are determined by the policy setting.In "Save BitLocker recovery information to Active Directory Domain Services" choose which
ge or URL appear correctly on the pre-boot recovery screen.

Trust of Measurement (CRTM) BIOS and Platform Extensions (PCR 0) the Option ROM Code (PCR 2) the Master Boot Record (MBR) Code (P
onsole and require that either the recovery password or recovery key be provided to unlock the drive.If you disable or do not configure thi
cker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive.If you disable or do n
n algorithm used by hardware-based encryption is set when the drive is partitioned. By default BitLocker uses the algorithm configured on
the complexity adheres to the rules set by the policy but if no domain controllers are found the password will still be accepted regardless
equire insertion of a USB flash drive containing a startup key the entry of a 6-digit to 20-digit personal identification number (PIN) or both
BitLocker setup wizard will display basic steps that allow users to turn on BitLocker on computers with a TPM. In this basic wizard no additi
eted from the drive. In this situation for the removable drive to be unlocked on computers running Windows Server 2008 Windows Vista W
policy setting.In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information t
algorithm used by hardware-based encryption is set when the drive is partitioned. By default BitLocker uses the algorithm configured on
ontroller will be attempted to validate the complexity adheres to the rules set by the policy but if no domain controllers are found the pas
ction" and the "Limit Diagnostic Log Collection" policies for more granular control of what optional diagnostic data is sent.If you disable or
n the user again for that app if the user tells SmartScreen to run the app.If you disable this policy SmartScreen will be turned off for all use
tes to open in up to three of the following channels where: 0 = Microsoft Edge version 45 or earlier 1 = Microsoft Edge Stable 2 = Mic
nternet Zoneâ€¢Â 1 - Trusted Sites Zoneâ€¢Â 1 - Local Intranet Zoneâ€¢Â 0 - Local Machine Zone
his value by using the registry key. Note: On Terminal Server the default value is the integer â€œ1â€.
opy or paste operations from the Clipboard.If you do not configure this policy setting current values of the URL action for an application or
bpages but newer content written to common Internet standards may be displayed incorrectly. This option matches the default behavior o
All Protected Mode websites will run in Enhanced Protected Mode.If you disable or do not configure this policy setting Internet Explorer n
aluename may also includeÂ a specificÂ protocol. For example if you enter http://www.contoso.comÂ as the valuename other protocols a
wing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure this policy se
Automatic logon only in Intranet zone.
Automatic logon with current username and password.



Prompt for username and password.

Prompt for username and password.

d enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through Add-o
nager (unless its value has been set to allow user management - see the 'Add-on List' policy for more details).
not be affected by add-on management user preferences or policy settings (unless "All Processes" is enabled).
disable or do not configure this policy setting the security feature is allowed.
ty feature is allowed.
ore information to Microsoft about malicious software spyware and potentially unwanted software including the location of the software
2 Disabled: No ASR rules will be configured. Not configured: Same as Disabled. You can exclude folders or files in the ""Exclu
otected folders - Attempts by untrusted apps to write to disk sectors These attempts will not be recorded in the Windows event lo
ot be applied and the locally configured settings will be used instead.Not configuredSame as Disabled.
ngs data when the normal UE-V triggers take place.With notifications enabled UE-V users receive a message when the settings sync is dela
If you disable this policy setting the UE-V Agent will not use the custom settings location templates. If you disable this policy setting after i
o UE-V rollback state is copied to the settings storage location.
DS Endpoint Servers group when the license server is a member of a domain.
d the temporary RDS CAL has expired the client will not be able to connect to the RD Session Host server unless the RD Licensing grace per
te: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setti
Session Host server when the client cannot authenticate the RD Session Host server.
als for a remote connection. For Windows Server 2008 and Windows Server 2008 R2 a user will be prompted on the client computer to pr
el Authentication. You can limit the number of users who can connect simultaneously by configuring the policy setting at Computer Config
is designed to be used on RD Session Host servers (that is on servers running Windows with Remote Desktop Session Host role service ins
varying network quality.
cified in RDC or video playback is specified in the .rdp file.If you do not configure this policy setting audio and video playback redirection is
playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file.
d PCL-based fallback printer drivers.If you disable this policy setting the RD Session Host server fallback driver is disabled and the RD Sessi
nt printer driver first" policy setting is ignored.
server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled.
tting user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services
puter or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias.If the status is set to D
one of the following local groups on the RD Connection Broker server: Session Directory Computers Session Broker Computers or RDS End
r farm name and Configure RD Connection Broker server name policy settings. 2. For Windows Server 2008 this policy setting is supporte
nect by IP address to RD Session Host servers in the load-balanced farm.If you do not configure this policy setting the Use IP address redir
e remote computer and the maximum color depth on the remote computer must be set to 32 bits per pixel. Also the Themes service mus
setting the default RDP compression algorithm will be used.
ease in network bandwidth consumption. We recommend that you set this for very specific cases only. If you disable or do not configur
s.3.For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computer
ote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default dir
equires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported the connection fails. This is the recommende
y setting provides less security because user authentication will occur later in the remote connection process.
his policy the certificate template name is not specified at the Group Policy level. By default a self-signed certificate is used to authenticat
y the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.* Low: The Low setting e
apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and U
This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured the Computer Co
oth Computer Configuration and User Configuration. If both policy settings are configured the Computer Configuration policy setting takes
guration and User Configuration. If both policy settings are configured the Computer Configuration policy setting takes precedence.
olicy setting takes precedence.
will create a placeholder entry that is ignored by the program.
rity Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP2 compu
put Panel taskbar iconâ€ policy the user will then have no way to access Input Panel.
tion results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion tab in Inp
x. If you enable this policy and choose â€œMediumâ€ from the drop-down box password security is set to â€œMedium.â€ At this settin
l Options dialog box. If you disable this policy users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch
n the user again for that app if the user tells SmartScreen to run the app.If you disable this policy SmartScreen will be turned off for all use
t additional files"": Select this option if you do not want additional files to be collected and included in error reports.- ""Do not collect add
o check for solutions to problems. A value of 0 disables the reminder.If you disable or do not configure this policy setting Windows Error Re
ort all errors in Windows components check boxes in the Default Application Reporting policy setting are filled Windows Error Reporting re
f the check boxes for these categories are filled in the Default application reporting settings policy setting.If you disable or do not configur
uested by Microsoft.- 4 (Send all data): Any data requested by Microsoft is sent automatically.If you disable or do not configure this policy
etting is not guaranteed to be secure.
shutdown. When BitLocker is not enabled personal data is accessible on the hard drive. Automatic restart and sign on should only be run u
Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
Computer Configuration policy setting takes precedence over the User Configuration policy setting.
nges in the filter are ignored. If the filter is left blank the service does not listen on any addresses.For example if you want the service to lis
e tasks. If you do not enable this policy setting then users will always see an Account Control window and require elevated permissions to d
cheduled install time Windows will automatically check download and install updates. The device will reboot as per Windows default setti
You can set the device to delay restarting until both the deadline and grace period have expired.If you disable or do not configure this polic
tions 2. Always automatically restart at scheduled time 3. Specify deadline before auto-restart for update installation
updates before deploying them. If the status is set to Disabled or Not Configured and if Automatic Updates is not disabled by policy or
n messages for optional applications or updates.By default this policy setting is disabled.If you are not using the Microsoft Update service t
y Windows Update will not offer you any pre-release updates and you will receive such content once released to the world. Disabling this
Bluetooth page (which has URI ms-settings:bluetooth) should be hidden:hide:bluetoothThe availability of per-user support is documente
riting personalization is turned on.If you do not configure this policy users can choose to enable or disable automatic learning either from
en the client computer has a fast network card (10Mbs) but is connected to the network via a slow link (56Kbs).
ed of usage charges and capacity constraints. 0x2 - The usage of this connection is unrestricted up to a certain data limit 0x4 - Th
cy setting that you use on individual client computers.- Enabled. With this selection the BranchCache maximum round trip latency setting
onfigure the following option:Select from the following versions- Windows Vista with BITS 4.0 installed Windows 7 or Windows Server 200
Set BranchCache Hosted Cache Mode."If you do not configure this policy setting or if you disable this policy setting client computers that a
or more hosted cache servers is found the client computer self-configures for hosted cache mode.If the policy setting "Set BranchCache Di
policy is turned on for all domain member client computers to which the policy is applied.- Disabled. With this selection BranchCache clie
abled in domain Group Policy BranchCache distributed cache mode is turned on for all domain member client computers to which the pol
nchCache hosted cache mode is enabled for all client computers where the policy is applied. For example if this policy is enabled in domai
enabled in domain Group Policy the BranchCache client computer cache setting that you specify in the policy is turned on for all domain m
uters to which the policy is applied.- Disabled. With this selection BranchCache is turned off for all client computers where the policy is app
mples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.You must configure this setting to have complete NCA f
ause the rules for DirectAccess are already removed from the NRPT.If this setting is not configured users do not have Connect or Disconne
es are appended to unqualified multi-label name queries if the original name query fails.If you do not configure this policy setting compute
are tried.If you disable this policy setting or if you do not configure this policy setting the primary DNS suffix and network connection-spec
or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.For ex
uffix assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings d
ou do not configure this policy setting a DNS client computer will not register any A and PTR resource records using a connection-specific D
tting or if you do not configure this policy setting computers will use the local or DHCP supplied setting. By default client computers configur
d in BranchCache-enabled file shares.- Disabled. With this selection hash publication is turned off for all file servers where Group Policy is a
content information only configure "Hash version supported" with the value of 1.- To support V2 content information only configure "Has
checked. This is the setting which will allow your mobile users to use peer to peer applications at both work and home seamlessly.4. In ord
g the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that are runnin
enable it. When running the New Connection Wizard or Network Setup Wizard administrators can choose to enable ICS.Note: Internet Con
en if the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445
Printer Sharing" check box is cleared. Administrators can change this check box.Note: If any policy setting opens TCP port 445 Windows De
Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages and prevents hosted services from opening a
ange this check box."
ed programs. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is cleared. Administrators
ender Firewall: Allow local port exceptions" policy setting.If you do not configure this policy setting Windows Defender Firewall uses only t
o enable the "Windows Defender Firewall: Allow local program exceptions" policy setting.If you disable this policy setting the program exce
en if the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445
Printer Sharing" check box is cleared. Administrators can change this check box.Note: If any policy setting opens TCP port 445 Windows De
Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages and prevents hosted services from opening a
ange this check box."
ed programs. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is cleared. Administrators
ender Firewall: Allow local port exceptions" policy setting.If you do not configure this policy setting Windows Defender Firewall uses only t
o enable the "Windows Defender Firewall: Allow local program exceptions" policy setting.If you disable this policy setting the program exce
r disconnect actions" setting.
indows 7 and Windows Server 2008 R2 the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012 the default sync
08 will not transition a shared folder to the slow-link mode. Computers running Windows 7 or Windows Server 2008 R2 will use the defaul
on the local computer to encrypt or decrypt the Offline Files cache.Note: By default this cache is protected on NTFS partitions by ACLs.This
let.If you enable this setting and specify a total size limit greater than the size of the drive hosting the Offline Files cache and that drive is t
automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available Offline"
nd then select the "Synchronize all offline files before logging on" option.
"Specify permitted managers" and "Specify trap configuration".
might lose their connection. If this happens these apps should re-establish their connection over a different network.This policy setting dep
internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703). If this policy se
empt is blocked.If this policy setting is not configured or is disabled computers are allowed to connect simultaneously to both domain and
P printers can be shown in the wizard. If you enable this policy setting only TCP/IP printer limits are applicable. On Windows 10 only if you
es not support transferring print processors during point-and-print. In the case of a print processor mismatch the client spooler will always
ctive Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop.
connection to any server in their forest using Point and Print. If you disable this policy setting: -Windows Vista client computers c
r is unavailable. -- "Whenever printer is not found" prunes printer objects that are not automatically republished whenever the hos
before the setting was enabled reappear in the Recent Items menu and program File menus and Jump Lists.This setting does not hide or pr
cut" and "WinHelp" commands on the entire local system enable the policy setting and leave the text box on the Settings tab of the Policy
ansmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the server on
ost running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanre
g on all machines in .humanresources.fabrikam.com

ssion Host running on all machines in humanresources.fabrikam.com
Desktop Session Host running on all machines in humanresources.fabrikam.com
on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.humanres
fault credentials" server list.
fresh credentials" server list.
"Allow delegating saved credentials" server list.
rvicing requirements for protection see https://go.microsoft.com/fwlink/?linkid=866660
er Configuration\Administrative Templates\System\Credentials Delegation).Note: On Windows 8.1 and Windows Server 2012 R2 enabling
using Group Policy. The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy setting to the
rmines whether the device can be installed.

e can be installed.
the device can be installed.
of volumes in the group.This policy setting is effective only when disk quota management is enabled on the volume. Also if disk quotas ar
uld be disabled.Enabling this setting lets you specify the system-wide default for desktop applications as well as per-application overrides. I
his policy setting the appid exemption list defined by local computer administrators is used.Notes:The DCOM Activation security check is d
bled this setting has no effect and all boot-start drivers are initialized.
all available locally in your %windir%\inf directory you might not be able to see all the settings that have been configured in the GPO that y
affect whether Group Policy processing will be synchronous or asynchronous.
cify that they are updated only when changed. However you might want to update unchanged preference items such as reapplying a desir
specify that they are updated only when changed. However you might want to update unchanged preference items such as reapplying a d
are updated only when changed. However you might want to update unchanged preference items such as reapplying a desired preference
network connection as a slow link and process only those client side extensions configured to process over a slow link.
when changed. However you might want to update unchanged policies such as reapplying a desired setting in case a user has changed it.
fy that they are updated only when changed. However you might want to update unchanged preference items such as reapplying a desire
might want to update unchanged policies such as reapplying a desired setting in case a user has changed it.
implementations specify that they are updated only when changed. However you might want to update unchanged preference items such
ed only when changed. However you might want to update unchanged preference items such as reapplying a desired preference setting in
items have not changed. Many policy implementations specify that they are updated only when changed. However you might want to up
re updated only when changed. However you might want to update unchanged preference items such as reapplying a desired preference
rrent Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Se
ork connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profile server
are updated only when changed. However you might want to update unchanged preference items such as reapplying a desired preferenc
ons specify that they are updated only when changed. However you might want to update unchanged policies such as reapplying a desired
y that they are updated only when changed. However you might want to update unchanged preference items such as reapplying a desired
that they are updated only when changed. However you might want to update unchanged policies such as reapplying a desired policy setti
hanged. Many policy implementations specify that they are updated only when changed. However you might want to update unchanged p
ems have not changed. Many policy implementations specify that they are updated only when changed. However you might want to upda
ntations specify that they are updated only when changed. However you might want to update unchanged preference items such as reapp
e not changed. Many policy implementations specify that they are updated only when changed. However you might want to update uncha
rence items have not changed. Many policy implementations specify that they are updated only when changed. However you might want
mentations specify that they are updated only when changed. However you might want to update unchanged preference items such as re
ey are updated only when changed. However you might want to update unchanged preference items such as reapplying a desired prefere
have not changed. Many policy implementations specify that they are updated only when changed. However you might want to update u
policies such as reapplying a desired policy setting in case a user has changed it.
are updated only when changed. However you might want to update unchanged preference items such as reapplying a desired preferenc
they are updated only when changed. However you might want to update unchanged preference items such as reapplying a desired prefe
case a user has changed it.
fy that they are updated only when changed. However you might want to update unchanged preference items such as reapplying a desire
are in at least Windows 2000 domains.
ht want to update unchanged policies such as reapplying a desired setting in case a user has changed it.
r you might want to update unchanged policies such as reapplying a desired setting in case a user has changed it.
ops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is esta
y a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example
or example if you type 30 minutes the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and m
"Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling and you must tur
e "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling and you must
e" box to the location where a planning trace file can be created on the computer where you run modeling and you must turn on the "Tra
anning trace" box to the location where a planning trace file can be created on the computer where you run modeling and you must turn o
e "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling and you must t
the location where a planning trace file can be created on the computer where you run modeling and you must turn on the "Tracing" optio
in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling and you m
" box to the location where a planning trace file can be created on the computer where you run modeling and you must turn on the "Trac
e" box to the location where a planning trace file can be created on the computer where you run modeling and you must turn on the "Trac
ce" box to the location where a planning trace file can be created on the computer where you run modeling and you must turn on the "Tr
deling query you must provide a path in the "Planning trace" box to the location where a planning trace file can be created on the comput
a path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling an
ath in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling and yo
h in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling and you m
ce" box to the location where a planning trace file can be created on the computer where you run modeling and you must turn on the "Tra
a path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling an
path in the "Planning trace" box to the location where a planning trace file can be created on the computer where you run modeling and
g trace" box to the location where a planning trace file can be created on the computer where you run modeling and you must turn on the
anning trace" box to the location where a planning trace file can be created on the computer where you run modeling and you must turn o
orts claims compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the dom
red when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a device lo
or the network to be initialized.If you enable this policy setting computers wait for the network to be fully initialized before users are logge
The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that are not dynamic base compatible by acting as
neral the availability of the Netlogon share on the domain will be decreased.If you enable this policy setting domain administrators should
ty of the SYSVOL share on the domain will be decreased.If you enable this policy setting domain administrators should ensure that the onl
to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds while any value greater th
e default behavior of the DC Locator.
1510KdcAtSite SRV _kerberos._tcp.<SiteName>._sites.<DnsDomainName>GenericGc SRV _gc._tcp.<DnsForestName>GenericGcAtSi
he DC records in seconds (for example the value 3600 is 60 minutes).If you do not configure this policy setting it is not applied to any DCs
behavior will be used.
e NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name
o allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend on the ve
our email program you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAPI (Simple
legation even if delegation was asked for.Note: This policy setting will not be applied until the system is rebooted.
tain complete RPC state information on the system regardless of its capacity. Because this level can degrade performance it is recommend
s you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect the comman
e by unauthenticated clients may be exempt from this restriction depending on the selected value for this policy setting.-- "None" allows
on timeout the timeout on the IIS server is used. Otherwise the provided timeout value is used. The timeout is given in seconds.Note: Thi
pecific script types within a specific GPO by configuring the following policy settings for the GPO: Computer Configuration\Policies\Window
he GPO: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\LogonUser Configuration\Policies\Windows Settings\Scripts
his is the default.
available at https://go.microsoft.com/fwlink/?linkid=2116430.
policy to take immediate effect after a Group Policy refresh.Note: This policy setting will take effect only when the Diagnostic Policy Servi
perience optional component is installed and the Remote Desktop Services role is not installed.
cenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
ur domain for available troubleshooting from Microsoft:1. Create a bat script with the following contents:rem The following batch script tr
efault recovery behavior.No system or service restarts are required for changes to this policy setting to take immediate effect after a Group
uted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
c scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
tic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
ice is stopped or disabled diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft
scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
sed applications may require this setting be changed before features which depend on the TPM anti-hammering logic can be used.Choose
e all standard users are not allowed to send commands requiring authorization to the TPM.The TPM is designed to protect itself against pa
d users may have before all standard users are not allowed to send commands requiring authorization to the TPM.The TPM is designed to
ave before all standard users are not allowed to send commands requiring authorization to the TPM.The TPM is designed to protect itself a
ant themselves file permissions.Note: The behavior when this policy setting is enabled is exactly the same behavior as in Windows NT 4.0.
ts a slow connection.
error message and an entry will be written to the event log. The user's cached profile will be used or a temporary profile issued if no cach
oup Policy software installation data stored in the registry and file system of roaming users' profiles on the machine.
rvices edits the users' registry settings when they log off the system's first few attempts to unload the user settings are more likely to fail.T
r profiles are slow to download. To adjust the time within which the user must respond to this notice in operating systems earlier than Mic
aming profile path specified in the user object

rded. Likewise if "Run at set time of day" is chosen the "Interval (hours)" option is disregarded.If you enable this policy setting Windows u
es User Home Directory" policy setting is enabled the â€œSet user home folderâ€ policy setting has no effect.
pps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting
policy setting is enabled there is no local copy of the roaming profile to load when the system detects a slow connection.
2time sets the client computer's local clock immediately to the time that is accepted as accurate from the Network Time Protocol (NTP) se
client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can b
the app.
ttings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or devi
so not present on Windows 10 and above the OS will launch the 16-bit application support control panel to allow an elevated administrato
performance of the loader is essential.NOTE: Many system processes cache the value of this setting for performance reasons. If you make
during the BitLocker setup TPM owner information will be saved or printed with the BitLocker recovery information.Note: The 48-digit rec
external organizations.You can configure the identification fields on existing drives by using manage-bde.exe.If you enable this policy settin
d to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure tha
Windows XP with SP3 or Windows XP with SP2 BitLocker To Go Reader must be installed on the computer. If this check box is not selected
overy information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package" both the BitLocker rec
lgorithm configured on the drive to encrypt the drive. The â€œRestrict encryption algorithms and cipher suites allowed for hardware-base
he policy but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive
lients will not be able to create and use Network Key Protectors.Note: For reliability and security computers should also have a TPM startu
D) integrity validation.Warning: Disabling this policy may result in BitLocker recovery when firmware is updated. If you disable this policy su
omain Services" choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup recover
er Boot Record (MBR) Code (PCR 4) the NTFS Boot Sector (PCR 8) the NTFS Boot Block (PCR 9) the Boot Manager (PCR 10) and the BitLock
disable or do not configure this policy setting BitLocker uses the default platform validation profile or the platform validation profile specifi
the drive.If you disable or do not configure this policy setting BitLocker uses the default platform validation profile for the available hardw
es the algorithm configured on the drive to encrypt the drive. The â€œRestrict encryption algorithms and cipher suites allowed for hardwa
ll still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set
fication number (PIN) or both.If you enable this policy setting users can configure advanced startup options in the BitLocker setup wizard.I
. In this basic wizard no additional startup key or startup PIN can be configured.
s Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2 BitLocker To Go Reader must be installed on the computer. If
tLocker recovery information to store in AD DS for removable data drives. If you select "Backup recovery password and key package" both
the algorithm configured on the drive to encrypt the drive. The â€œRestrict encryption algorithms and cipher suites allowed for hardwar
n controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using t
c data is sent.If you disable or do not configure this policy setting the device will send required diagnostic data and the end user can choos
en will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet.If you do not configure this
Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary
RL action for an application or process in the list prevail.
matches the default behavior of Internet Explorer.

olicy setting Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular Protected
e valuename other protocols are not affected.Â If you enter just www.contoso.comÂ then all protocolsÂ are affected for that site includin
do not configure this policy setting users can preview items and get custom thumbnails from OpenSearch query results in this zone using F
do not configure this policy setting users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using
do not configure this policy setting users cannot preview items or get custom thumbnails from OpenSearch query results in this zone using
age the add-on through Add-on Manager enter a 2 (two) into this field.If you disable this policy setting the list is deleted. The 'Deny all add
g the location of the software file names how the software operates and how it has impacted your computer. If you enable this setting yo
e folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting.
orded in the Windows event log. Audit Mode: The following will not be blocked and will be allowed to run: - Attempts by untru
when the settings sync is delayed. The notification delay policy setting defines the delay before a notification appears.If you disable this po
sable this policy setting after it has been enabled the UE-V Agent will not restore the default Microsoft templates. If you do not configure
ess the RD Licensing grace period for the RD Session Host server has not expired.If you disable or do not configure this policy setting the lic
If you configure this policy setting for the computer all users on the computer are affected.
d on the client computer to provide credentials for a remote connection.

icy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Sessio
p Session Host role service installed).
d video playback redirection is not specified at the Group Policy level.
e Desktop Protocol (.rdp) file. By default audio playback quality is set to Dynamic.If you disable or do not configure this policy setting audio
er is disabled and the RD Session Host server will not attempt to use the fallback printer driver.If you do not configure this policy setting th
ofiles is enabled.
n the Remote Desktop Services Profile tab on the user's account Properties dialog box.Notes:1. The roaming user profiles enabled by the p
er's alias.If the status is set to Disabled or Not Configured the user's home directory is as specified at the server.
Broker Computers or RDS Endpoint Servers.

8 this policy setting is supported on at least Windows Server 2008 Standard.
etting the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This s
Also the Themes service must be started on the remote computer.If you disable or do not configure this policy setting desktop compositio
you disable or do not configure this policy setting RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium qualit
at are connecting to computers running at least Windows 8 or Windows Server 2012 the minimum of the following values is used as the co
ry (or the program default directory if Working Directory is not specified) as the working directory for the program.If the status is set to Di
n fails. This is the recommended setting for this policy.If you disable or do not configure this policy setting the security method to be used f
rtificate is used to authenticate the RD Session Host server. Note: If you select a specific certificate to be used to authenticate the RD Sess
ption.* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.If you disable or do not config
Computer Configuration and User Configuration. If both settings are configured the Computer Configuration setting takes precedence.
e configured the Computer Configuration policy setting takes precedence.
nfiguration policy setting takes precedence.
tting takes precedence.
ed for Windows XP SP2 computers. Windows Vista---------------------In Windows Vista this policy setting monitors essential security settings
k to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).
â€œMedium.â€ At this setting when users enter passwords from Input Panel they use the on-screen keyboard by default skin switching is
ures and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If you
en will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet.If you do not configure this
reports.- ""Do not collect additional computer data"": Select this if you do not want additional information about the computer to be colle
olicy setting Windows Error Reporting reports are not queued and users can only send reports at the time that a problem occurs.
d Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (Note: The M
you disable or do not configure this policy setting the Default application reporting settings policy setting takes precedence.
or do not configure this policy setting then the default consent settings that are applied are those specified by the user in Control Panel or
nd sign on should only be run under this condition if you are confident that the configured device is in a secure physical location.If you disa
n policy setting.
e if you want the service to listen only on IPv4 addresses leave the IPv6 filter empty.Ranges are specified using the syntax IP1-IP2. Multiple
quire elevated permissions to do either of these tasks.On Windows 7 : This policy setting has no effect. Users will always see an Account Co
t as per Windows default settings unless configured by group policy. (Applies to Windows 10 version 1809 and higher) Specify the sche
e or do not configure this policy devices will get updates and will restart according to the default schedule.This policy will override the follo
installation
tes is not disabled by policy or user preference the Automatic Updates client connects directly to the Windows Update site on the Internet
the Microsoft Update service then the Software Notifications policy setting has no effect.If the "Configure Automatic Updates" policy settin
d to the world. Disabling this policy will cause any devices currently on a pre-release build to opt out and stay on the latest Feature Updat
er-user support is documented here: https://go.microsoft.com/fwlink/?linkid=2102995
utomatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog.This policy setting is rela
certain data limit 0x4 - The usage of this connection is unrestricted up to a certain data limit and plan usage is less than 80 percent of
um round trip latency setting is enabled for all client computers where the policy is applied. For example if Configure BranchCache for net
ows 7 or Windows Server 2008 R2. If you select this version later versions of Windows run the version of BranchCache that is included in t
setting client computers that are configured with hosted cache mode still function correctly.Policy configurationSelect one of the following
y setting "Set BranchCache Distributed Cache Mode" is applied in addition to this policy the client computer performs automatic hosted c
his selection BranchCache client computers use the default client computer cache age setting of 28 days on the client computer.In circums
nt computers to which the policy is applied.- Disabled. With this selection BranchCache distributed cache mode is turned off for all client c
this policy is enabled in domain Group Policy BranchCache hosted cache mode is turned on for all domain member client computers to wh
y is turned on for all domain member client computers to which the policy is applied.- Disabled. With this selection BranchCache client com
puters where the policy is applied.* This policy setting is supported on computers that are running Windows Vista Business Enterprise and
etting to have complete NCA functionality.
not have Connect or Disconnect options.

ure this policy setting computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
and network connection-specific DNS suffixes are appended to the unqualified queries.
ox for each connection.For example when a user submits a query for a single-label name such as "example" the DNS client attaches a suffi
he Advanced TCP/IP Settings dialog box for each connection.For example when a user submits a query for a single-label name such as "exa
s using a connection-specific DNS suffix.
ault client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clie
ervers where Group Policy is applied.In circumstances where this policy setting is enabled you can also select the following configuration o
formation only configure "Hash version supported" with the value of 2.- To support both V1 and V2 content information configure "Hash v
and home seamlessly.4. In order to not use any seed server enable the setting; do not insert a seed server name; and check the check box
on computers that are running Windows Firewall which replaces Internet Connection Firewall when you install Windows XP Service Pack
enable ICS.Note: Internet Connection Sharing is only available when two or more network connections are present.Note: When the "Proh
ngs that can open TCP port 445 include "Windows Defender Firewall: Allow file and printer sharing exception" "Windows Defender Firewal
ens TCP port 445 Windows Defender Firewall allows inbound ICMP echo requests (the message sent by the Ping utility) even if the "Windo
osted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445 it doe
box is cleared. Administrators can change this check box."
Defender Firewall uses only the local port exceptions list that administrators define by using the Windows Defender Firewall component
olicy setting the program exceptions list defined by Group Policy is deleted. If a local program exceptions list exists it is ignored unless you
ngs that can open TCP port 445 include "Windows Defender Firewall: Allow file and printer sharing exception" "Windows Defender Firewal
ens TCP port 445 Windows Defender Firewall allows inbound ICMP echo requests (the message sent by the Ping utility) even if the "Windo
osted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 445 it doe
box is cleared. Administrators can change this check box."
Defender Firewall uses only the local port exceptions list that administrators define by using the Windows Defender Firewall component
olicy setting the program exceptions list defined by Group Policy is deleted. If a local program exceptions list exists it is ignored unless you
Server 2012 the default sync interval is 120 minutes.
er 2008 R2 will use the default latency value of 80 milliseconds when transitioning a folder to the slow-link mode. Computers running Win
n NTFS partitions by ACLs.This setting is applied at user logon. If this setting is changed after user logon then user logoff and logon is requi
e Files cache and that drive is the system drive the total size limit is automatically adjusted downward to 75 percent of the size of the drive
of the "Make Available Offline" command in File Explorer.If the "Remove 'Make Available Offline' command" policy setting is enabled this s
etwork.This policy setting depends on other group policy settings. For example if 'Minimize the number of simultaneous connections to th
rsion 1703). If this policy setting is set to 3 the behavior is similar to 2. However if there's an Ethernet connection Windows won't allow
taneously to both domain and non-domain networks.
le. On Windows 10 only if you disable or do not configure this policy setting the default limit is applied. In Windows 8 and later
h the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting does not override this behavio
ndows Vista client computers can create a printer connection to any server using Point and Print. -Windows Vista computers will not s
epublished whenever the host computer does not respond just as it does with Windows 2000 printers. Note: This setting applies to
his setting does not hide or prevent the user from pinning files folders or websites to the Jump Lists. See the "Do not allow pinning items i
n the Settings tab of the Policy Properties dialog box blank. If you disable or do not configure this policy setting these commands are fu
ng report data to the server one block at a time of application records that is less than or equal to the block size in bytes of XML data will b
ng on all machines in .humanresources.fabrikam.com
achines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fabrikam.co
dows Server 2012 R2 enabling this policy will enforce Restricted Administration mode regardless of the mode chosen. These versions do n
write the policy setting to the registry and so it has no impact on computers or users. If there is a current setting in the registry it will not b
volume. Also if disk quotas are not enforced users can exceed the quota limit you set. When users reach the quota limit their status in the
as per-application overrides. If you disable or do not configure this setting Per Process System DPI will not apply to any processes on the s
M Activation security check is done after a DCOM server process is started but before an object activation request is dispatched to the serv
n configured in the GPO that you are editing.
ems such as reapplying a desired preference setting in case a user has changed it.
ce items such as reapplying a desired preference setting in case a user has changed it.
eapplying a desired preference setting in case a user has changed it.
a slow link.
n case a user has changed it.
ms such as reapplying a desired preference setting in case a user has changed it.
hanged preference items such as reapplying a desired preference setting in case a user has changed it.
a desired preference setting in case a user has changed it.
owever you might want to update unchanged preference items such as reapplying a desired preference setting in case a user has changed
applying a desired preference setting in case a user has changed it.

ain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 millise
ofile. Note: If the profile server has IP connectivity the connection speed setting is used. If the profile server does not have IP connectivity t
reapplying a desired preference setting in case a user has changed it.
es such as reapplying a desired policy setting in case a user has changed it.
eapplying a desired policy setting in case a user has changed it.
t want to update unchanged preference items such as reapplying a desired preference setting in case a user has changed it.
wever you might want to update unchanged preference items such as reapplying a desired preference setting in case a user has changed it
preference items such as reapplying a desired preference setting in case a user has changed it.
u might want to update unchanged preference items such as reapplying a desired preference setting in case a user has changed it.
ged. However you might want to update unchanged preference items such as reapplying a desired preference setting in case a user has ch
ed preference items such as reapplying a desired preference setting in case a user has changed it.
s reapplying a desired preference setting in case a user has changed it.

er you might want to update unchanged preference items such as reapplying a desired preference setting in case a user has changed it.
reapplying a desired preference setting in case a user has changed it.

h as reapplying a desired preference setting in case a user has changed it.
to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5
nge of variance. For example if you type 30 minutes the system selects a variance of 0 to 30 minutes. Typing a large number establishes a
tablishes a broad range and makes it less likely that update requests overlap. However updates might be delayed significantly.Note: This s
un modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference item
u run modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference ite
and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this exten
modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in
u run modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference ite
ust turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this extension no pl
re you run modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preferen
nd you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this extens
nd you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this extens
and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this exte
can be created on the computer where you run modeling and you must turn on the "Tracing" option. If you are not performing Group Poli
er where you run modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no pr
where you run modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no prefe
re you run modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preferen
and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this exten
er where you run modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no pr
where you run modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no pref
eling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in this
modeling and you must turn on the "Tracing" option. If you are not performing Group Policy Modeling or there are no preference items in
lient computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring. D
um idle time before a device locks. Additionally if a password is required when a screensaver turns on the screensaver timeout will limit th
itialized before users are logged on. Group Policy is applied in the foreground synchronously. On servers running Windows Server 2008 or
c base compatible by acting as though an image base collision happened at load time. If relocations are required images that do not have
domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by th
ors should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
nds while any value greater than 4294967 seconds (~49 days) will be treated as infinity.If you disable this policy setting Force Rediscovery
nsForestName>GenericGcAtSite SRV _gc._tcp.<SiteName>._sites.<DnsForestName>Rfc1510UdpKdc SRV _kerberos._udp.<DnsDomain
ng it is not applied to any DCs and DCs use their local configuration.
cified with a single-label name. The computers will not attempt DNS name resolution in this case unless the computer is searching for a do
e Assistance depend on the version of Windows you are running.Windows Vista and laterEnable the Remote Assistance exception for the d
net link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not available in Win
performance it is recommended for use only while you are investigating an RPC problem.Note: To retrieve the RPC state information from
etting is in effect the command that starts the process must begin with one of the strings in the Extended Error Information Exception fiel
olicy setting.-- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is applied.-- "A
t is given in seconds.Note: This policy setting will not be applied until the system is rebooted.
Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\StartupComputer Configuration\Policies\Windows Settings\Scripts (S

cies\Windows Settings\Scripts (Logon/Logoff)\LogoffThis policy setting appears in the Computer Configuration and User Configuration fold
hen the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled system file recovery will not be atte
ent Console.
m The following batch script triggers Recommended Troubleshootingschtasks /run /TN "\Microsoft\Windows\Diagnosis\RecommendedTro
mmediate effect after a Group Policy refresh.Note: This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in th
agement Console.
agement Console.
vices snap-in to the Microsoft Management Console.
gement Console.
ring logic can be used.Choose the operating system managed TPM authentication setting of "Delegated" to store only the TPM administra
ned to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with a
e TPM.The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too m
M is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many comman
ehavior as in Windows NT 4.0.
orary profile issued if no cached profile exists. Note: The policy setting must be configured on the client computer not the server for it to h
ettings are more likely to fail.This policy setting does not affect the system's attempts to update the files in the user profile.Tip: Consider in
ating systems earlier than Microsoft Windows Vista use the "Timeout for dialog boxes" policy setting.Important: If the "Do not detect slow
this policy setting Windows uploads the registry file of the user's roaming user profile in the background according to the schedule set he
sers choose to turn the setting off.

connection.
etwork Time Protocol (NTP) server. If the time variation is less than this value the client computer's local clock is corrected gradually. Defa
synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 hexadecimal
s must restart the app or device for the policy changes to be applied to the app.
allow an elevated administrator to make the decision; on windows 7 and downlevel the OS will allow 16-bit applications to run.Note: This
rmance reasons. If you make changes to this setting please reboot to ensure that your system accurately reflects those changes.
rmation.Note: The 48-digit recovery password will not be available in FIPS-compliance mode.Important: This policy setting provides an adm
.If you enable this policy setting you can configure the identification field on the BitLocker-protected drive and any allowed identification fi
by default to help ensure that BitLocker recovery is possible. If this option is not selected AD DS backup is attempted but network or othe
this check box is not selected BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on computers
ckage" both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering data from
tes allowed for hardware-based encryptionâ€ option enables you to restrict the encryption algorithms that BitLocker can use with hardw
word complexity and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity" no password
should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup
ed. If you disable this policy suspend BitLocker prior to applying firmware updates.
If you select "Backup recovery password and key package" both the BitLocker recovery password and key package are stored in AD DS. St
ager (PCR 10) and the BitLocker Access Control (PCR 11). The descriptions of PCR settings for computers that use an Extensible Firmware I
tform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR)
profile for the available hardware or the platform validation profile specified by the setup script. A platform validation profile consists of a
pher suites allowed for hardware-based encryptionâ€ option enables you to restrict the encryption algorithms that BitLocker can use with
word as a protector. When set to "Do not allow complexity" no password complexity validation will be done.Passwords must be at least 8 c
in the BitLocker setup wizard.If you disable or do not configure this policy setting users can configure only basic options on computers with
installed on the computer. If this check box is not selected BitLocker To Go Reader will be installed on the removable drive to enable user
sword and key package" both the BitLocker recovery password and key package are stored in AD DS. If you select "Backup recovery passw
er suites allowed for hardware-based encryptionâ€ option enables you to restrict the encryption algorithms that BitLocker can use with h
drive will be encrypted using that password as a protector. When set to "Do not allow complexity" no password complexity validation will
ta and the end user can choose whether to send optional diagnostic data from the Settings app.Note:The "Configure diagnostic data opt-in
et.If you do not configure this policy SmartScreen will be enabled by default but users may change their settings.
er 4 = Microsoft Edge Canary version 77 or later*For more information about the Windows update for the next version of Microsoft Edge
X controls in regular Protected Mode. This is the default behavior.
e affected for that site including http https ftp and so on. The site may also be expressed as an IP address (e.g. 127.0.0.1) or range (e.g. 127
uery results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
st is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons not in
. If you enable this setting you will join Microsoft MAPS with the membership specified. If you disable or do not configure this setting y
o run: - Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to write to disk sect
n appears.If you disable this policy setting the sync provider is used to synchronize settings between computers and the settings storage lo
lates. If you do not configure this policy setting any defined values will be deleted.
figure this policy setting the license server will exhibit the default behavior noted earlier.
ervices\Remote Desktop Session Host\Connections\Limit number of connections or by configuring the policy setting Maximum Connection
nfigure this policy setting audio playback quality will be set to Dynamic.
configure this policy setting the fallback printer driver behavior is off by default.Note: If the "Do not allow client printer redirection" setting
user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming
the default will be used. This setting is enabled by default.Notes: 1. For Windows Server 2008 this policy setting is supported on at least
licy setting desktop composition is not allowed for remote desktop sessions even if desktop composition is enabled in RDC or in the .rdp fi
m that results in medium quality images.

owing values is used as the color depth format:a.Value specified by this policy settingb.Maximum color depth supported by the clientc.Va
ogram.If the status is set to Disabled or Not Configured Remote Desktop Services sessions start with the full desktop unless the server adm
e security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level.
d to authenticate the RD Session Host server that certificate will take precedence over this policy setting.
.If you disable or do not configure this setting the encryption level to be used for remote connections to RD Session Host servers is not enf
setting takes precedence.
ors essential security settings to include firewall antivirus antispyware Internet security settings User Account Control and Automatic Upda
ard by default skin switching is not allowed and Input Panel displays the cursor and which keys are tapped. Users will not be able to config
Options dialog box. If you do not configure this policy users will be able to use both the tolerant scratch-out gestures and the Z-shaped
et.If you do not configure this policy SmartScreen will be enabled by default but users may change their settings.
about the computer to be collected and included in error reports.- ""Force queue mode for application errors"": Select this option if you do
at a problem occurs.
his policy setting. (Note: The Microsoft applications category includes the Windows components category.)If you disable this policy setting
es precedence.
by the user in Control Panel or in the Configure Default Consent policy setting.
re physical location.If you disable or donâ€™t configure this setting automatic sign on will default to the â€œEnabled if BitLocker is on and
ng the syntax IP1-IP2. Multiple ranges are separated using "" (comma) as the delimiter.Example IPv4 filters:\n2.0.0.1-2.0.0.20 24.0.0.1-24.
will always see an Account Control window and require elevated permissions to do either of these tasks.On Windows 8 and Windows RT:
nd higher) Specify the schedule using the options in the Group Policy Setting. For version 1709 and above there is an additional choice
his policy will override the following policies:1. Specify deadline before auto restart for update installation2. Specify Engaged restart trans
ws Update site on the Internet. The alternate download server configures the Windows Update Agent to download files from an altern
utomatic Updates" policy setting is disabled or is not configured then the Software Notifications policy setting has no effect.
ay on the latest Feature Update once released.

ialog.This policy setting is related to the "Turn off handwriting personalization" policy setting.Note: The amount of stored ink is limited to
sage is less than 80 percent of the limit. 0x8 - Usage of this connection is unrestricted up to a certain data limit and plan usage is betw
Configure BranchCache for network files is enabled in domain Group Policy the BranchCache latency setting that you specify in the policy is
anchCache that is included in these operating systems rather than later versions of BranchCache.- Windows 8. If you select this version Wi
tionSelect one of the following:- Not Configured. With this selection BranchCache settings are not applied to client computers by this polic
performs automatic hosted cache server discovery. If one or more hosted cache servers are found the client computer self-configures for
the client computer.In circumstances where this setting is enabled you can also select and configure the following option:- Specify the age
de is turned off for all client computers where the policy is applied.* This policy setting is supported on computers that are running Windo
ember client computers to which the policy is applied.- Disabled. With this selection BranchCache hosted cache mode is turned off for all c
ection BranchCache client computers use the default client computer cache setting of five percent of the total disk space on the client com
s Vista Business Enterprise and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
unqualified multi-label names.
the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com" before sending the query to a DN
ingle-label name such as "example" the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com
every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
t the following configuration options:- Allow hash publication for all shared folders. With this option BranchCache generates content infor
information configure "Hash version supported" with the value of 3.
ame; and check the check box.If this setting is disabled or not configured the protocol will revert to using a public registry key to determine
tall Windows XP Service Pack 2.If you disable this setting or do not configure it the Internet Connection Firewall is disabled when a LAN Co
present.Note: When the "Prohibit access to properties of a LAN connection" "Ability to change properties of an all user remote access conn
" "Windows Defender Firewall: Allow remote administration exception" and "Windows Defender Firewall: Define inbound port exceptions
Ping utility) even if the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open
s not block TCP port 445 it does not conflict with the "Windows Defender Firewall: Allow file and printer sharing exception" policy setting.
Defender Firewall component in Control Panel. Other policy settings can continue to open or block ports.Note: If you type an invalid defini
t exists it is ignored unless you enable the "Windows Defender Firewall: Allow local program exceptions" policy setting.If you do not config
" "Windows Defender Firewall: Allow remote administration exception" and "Windows Defender Firewall: Define inbound port exceptions
Ping utility) even if the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open
s not block TCP port 445 it does not conflict with the "Windows Defender Firewall: Allow file and printer sharing exception" policy setting.
Defender Firewall component in Control Panel. Other policy settings can continue to open or block ports.Note: If you type an invalid defini
t exists it is ignored unless you enable the "Windows Defender Firewall: Allow local program exceptions" policy setting.If you do not config
mode. Computers running Windows 8 or Windows Server 2012 will use the default latency value of 35 milliseconds when transitioning a fo
user logoff and logon is required for this setting to take effect.
percent of the size of the drive. If the cache is located on a drive other than the system drive the limit is automatically adjusted downward
policy setting is enabled this setting has no effect.

multaneous connections to the Internet or a Windows Domain' is disabled Windows will not disconnect from any networks.
nnection Windows won't allow users to connect to a WLAN manually. A WLAN can only be connected (automatically or manually) when th
In Windows 8 and later Bluetooth printers are not shown so its limit does not apply to those versions of Windows.
does not override this behavior.Note: In cases where the client print driver does not match the server print driver (mismatched connectio
ows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any server using
Note: This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not apply to printer
e "Do not allow pinning items in Jump Lists" setting. This policy also does not hide Tasks that the application has provided for their Jump Lis
setting these commands are fully functional for all Help files. Note: Only folders on the local computer can be specified in this policy se
ize in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and global pac
n humanresources.fabrikam.com
e chosen. These versions do not support Remote Credential Guard.
tting in the registry it will not be modified.The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based Protecti
e quota limit their status in the Quota Entries window changes but users can continue to write to the volume.
pply to any processes on the system.
quest is dispatched to the server process. This access check is done against the DCOM server's custom launch permission security descrip
tting in case a user has changed it.
on. The default is 5000 milliseconds. If you disable this policy setting the Group Policy client will not cache applicable GPOs or settings
does not have IP connectivity the SMB timing is used.
has changed it.
g in case a user has changed it.
a user has changed it.

ce setting in case a user has changed it.
case a user has changed it.

boot or logon. The default is 5000 milliseconds. If you disable or do not configure this policy setting the Group Policy client will not cac
g a large number establishes a broad range and makes it less likely that client requests overlap. However updates might be delayed signific
layed significantly.Note: This setting is used only when you are establishing policy for a domain site organizational unit (OU) or customized
there are no preference items in this extension no planning trace file is created.
or there are no preference items in this extension no planning trace file is created.
preference items in this extension no planning trace file is created.
ere are no preference items in this extension no planning trace file is created.
or there are no preference items in this extension no planning trace file is created.
e items in this extension no planning trace file is created.
eling or there are no preference items in this extension no planning trace file is created.
reference items in this extension no planning trace file is created.
o preference items in this extension no planning trace file is created.
are not performing Group Policy Modeling or there are no preference items in this extension no planning trace file is created.
cy Modeling or there are no preference items in this extension no planning trace file is created.
Modeling or there are no preference items in this extension no planning trace file is created.
eling or there are no preference items in this extension no planning trace file is created.
cy Modeling or there are no preference items in this extension no planning trace file is created.
Modeling or there are no preference items in this extension no planning trace file is created.
re no preference items in this extension no planning trace file is created.
ere are no preference items in this extension no planning trace file is created.
trol and Kerberos armoring. Domain functional level requirementsFor the options "Always provide claims" and "Fail unarmored authentica
eensaver timeout will limit the options the user may choose.
ning Windows Server 2008 or later this policy setting is ignored during Group Policy processing at computer startup and Group Policy proc
ired images that do not have a base relocation section will not be loaded. PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_A
main are those approved by the administrator.
oved by the administrator.

olicy setting Force Rediscovery will be used by default for the machine at every 12 hour interval.If you do not configure this policy setting F
_kerberos._udp.<DnsDomainName>Rfc1510Kpwd SRV _kpasswd._tcp.<DnsDomainName>Rfc1510UdpKpwd SRV _kpasswd._udp.<
computer is searching for a domain with a single label DNS name to which this computer is joined in the Active Directory forest.
Assistance exception for the domain profile. The exception must contain:Port 135:TCP%WINDIR%\System32\msra.exe%WINDIR%\System
setting is not available in Windows Vista since SMAPI is the only method supported.If you enable this policy setting you should also enable
the RPC state information from a system that maintains it you must use a debugging tool.Note: This policy setting will not be applied until
ror Information Exception field.-- "On" enables extended error information for all processes.Note: For information about the Extended Er
policy setting is applied.-- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Servers run
es\Windows Settings\Scripts (Startup/Shutdown)\Shutdown

on and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User Configur
m file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
s\Diagnosis\RecommendedTroubleshootingScanner"2. To create a new immediate task navigate to the Group Policy Management Editor >
stic Policy Service (DPS) is in the running state. When the service is stopped or disabled system file recovery will not be attempted. The DP
store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use
es too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including adm
ut mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for
it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users includ
mputer not the server for it to have any effect because the client computer sets the file share permissions for the roaming profile at creatio
he user profile.Tip: Consider increasing the number of retries specified in this policy setting if there are many user profiles stored in the co
ant: If the "Do not detect slow network connections" setting is enabled this policy setting is ignored. Also if the "Delete cached copies of ro
cording to the schedule set here while the user is logged on. Regular profiles are not affected.If this setting is disabled or not configured th
ck is corrected gradually. Default: 300 seconds. MaxNegPhaseCorrectionIf a time sample is received that indicates a time in the past (a
2 decimal (0x02 hexadecimal).ResolvePeerBackoffMinutesThis value expressed in minutes controls how long W32time waits before it atte
applications to run.Note: This setting appears in only Computer Configuration.
flects those changes.
s policy setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of key inform
nd any allowed identification field used by your organization.When a BitLocker-protected drive is mounted on another BitLocker-enabled c
ttempted but network or other backup failures do not prevent BitLocker setup. Backup is not automatically retried and the recovery passw
unlock the drive on computers running Windows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2 that do not ha
supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only" only the recover
BitLocker can use with hardware encryption. If the algorithm set for the drive is not available BitLocker will disable the use of hardware-b
low complexity" no password complexity validation will be done.Passwords must be at least 8 characters. To configure a greater minimum
etwork or the server at startup.
ackage are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If you selec
t use an Extensible Firmware Interface (EFI) are different than the PCR settings described for computers that use a standard BIOS.Warning
m Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against chan
validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. On PCs that lack Secure Boot State
ms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available BitLocker will disable the use of hard
Passwords must be at least 8 characters. To configure a greater minimum length for the password enter the desired number of characters
asic options on computers with a TPM.Note: If you want to require the use of a startup PIN and a USB flash drive you must configure BitLoc
emovable drive to enable users to unlock the drive on computers running Windows Server 2008 Windows Vista Windows XP with SP3 or W
select "Backup recovery password only" only the recovery password is stored in AD DS.Select the "Do not enable BitLocker until recovery i
s that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available BitLocker will disable the use of hardw
ord complexity validation will be done.Passwords must be at least 8 characters. To configure a greater minimum length for the password
onfigure diagnostic data opt-in settings user interface" group policy can be used to prevent end users from changing their data collection s
next version of Microsoft Edge including how to disable it see https://go.microsoft.com/fwlink/?linkid=2102115. This update applies only t
g. 127.0.0.1) or range (e.g. 127.0.0.1-10). To avoid creating conflicting policies do not include additional characters after the domain such a
rom Windows.
rom Windows.
rom Windows.
rom Windows.
rom Windows.
rom Windows.
from Windows.
rom Windows.
from Windows.
rom Windows.
mine whether add-ons not in this list are assumed to be denied.
do not configure this setting you will not join Microsoft MAPS. In Windows 10 Basic membership is no longer available so setting the va
sted apps to write to disk sectors The Windows event log will record these attempts under Applications and Services Logs > Microsoft
ters and the settings storage location.If you do not configure this policy setting any defined values will be deleted.
setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
ent printer redirection" setting is enabled this policy setting is ignored and the fallback printer driver is disabled.
also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Re
setting is supported on at least Windows Server 2008 Standard.
nabled in RDC or in the .rdp file.

th supported by the clientc.Value requested by the clientIf the client does not support at least 16 bits the connection is terminated.
desktop unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logo
p Policy level.
Session Host servers is not enforced through Group Policy.ImportantFIPS compliance can be configured through the System cryptography.
nt Control and Automatic Updates. Windows Vista computers do not require a reboot for this policy setting to take effect.
Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose to â€œMedium-H
out gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options.
s"": Select this option if you do not want users to report errors. When this option is selected errors are stored in a queue directory and the
you disable this policy setting or do not configure it the Default application reporting settings policy setting takes precedence.Also see the
œEnabled if BitLocker is on and not suspendedâ€ behavior.
n2.0.0.1-2.0.0.20 24.0.0.1-24.0.0.22Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:1245:BA98:
Windows 8 and Windows RT: This policy setting has no effect. Users will always see an Account Control window and require elevated perm
there is an additional choice of limiting updating to a weekly bi-weekly or monthly occurrence. If no schedule is specified the default sche
Specify Engaged restart transition and notification schedule for updates3. Always automatically restart at the scheduled time4. Configur
download files from an alternative download server instead of the intranet update service. The option to download files with missing
g has no effect.
unt of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new d
ata limit and plan usage is between 80 percent and 100 percent of the limit. 0x10 - Usage of this connection is unrestricted up to a ce
hat you specify in the policy is turned on for all domain member client computers to which the policy is applied.- Disabled. With this selec
8. If you select this version Windows 8 will run the version of BranchCache that is included in the operating system.
client computers by this policy setting.- Enabled. With this selection the policy setting is applied to client computers which are configured
t computer self-configures for hosted cache mode only.If the policy setting "Set BranchCache Hosted Cache Mode" is applied the client co
owing option:- Specify the age in days for which segments in the data cache are valid.
puters that are running Windows Vista Business Enterprise and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 in
che mode is turned off for all client computers where the policy is applied.In circumstances where this setting is enabled you can also sele
al disk space on the client computer.In circumstances where this setting is enabled you can also select and configure the following option:
alled.
ore sending the query to a DNS server.If a DNS suffix search list is not specified the DNS client attaches the primary DNS suffix to a single-la
query "example.microsoft.com" before sending the query to a DNS server.If a DNS suffix search list is not specified the DNS client attache
anted or renewed.
Cache generates content information for all content in all shares on the file server. - Allow hash publication only for shared folders on whic
ublic registry key to determine the seed server to bootstrap from.

wall is disabled when a LAN Connection or VPN connection is created but users can use the Advanced tab in the connection properties to e
an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny acc
efine inbound port exceptions."Note: Other Windows Defender Firewall policy settings affect only incoming messages but several of the o
m. Policy settings that can open TCP port 445 include "Windows Defender Firewall: Allow inbound file and printer sharing exception" "Wind
ring exception" policy setting.Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommen
e: If you type an invalid definition string Windows Defender Firewall adds it to the list without checking for errors and therefore you can a
icy setting.If you do not configure this policy setting Windows Defender Firewall uses only the local program exceptions list that administra
efine inbound port exceptions."Note: Other Windows Defender Firewall policy settings affect only incoming messages but several of the o
m. Policy settings that can open TCP port 445 include "Windows Defender Firewall: Allow inbound file and printer sharing exception" "Wind
ring exception" policy setting.Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We recommen
e: If you type an invalid definition string Windows Defender Firewall adds it to the list without checking for errors and therefore you can a
icy setting.If you do not configure this policy setting Windows Defender Firewall uses only the local program exceptions list that administra
econds when transitioning a folder to the slow-link mode. To avoid extra charges on cell phone or broadband plans it may be necessary to
omatically adjusted downward to 100 percent of the size of the drive.If you enable this setting and specify a total size limit less than the am
m any networks.
matically or manually) when there's no Ethernet connection. This policy setting is related to the "Enable Windows to soft-disconnect a c
of Windows.
driver (mismatched connection) the client will always process the print job regardless of the setting of this policy.
connection to any server using Point and Print. -Windows Vista computers will not show a warning or an elevated command prompt w
bs. It does not apply to printers published by using Printers in Control Panel. Tip: If you disable automatic pruning remember to dele
has provided for their Jump List. This setting does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdo
n be specified in this policy setting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands for .chm files tha
eral Client data and global package list data prepended and these will not factor into the block size calculations; the potential exists for an
ch permission security descriptor if it exists or otherwise against the configured defaults.If the DCOM server's custom launch permission co
he applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously it downloads the latest version
Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously it
dates might be delayed significantly.This setting establishes the update rate for computer Group Policy. To set an update rate for user polic
tional unit (OU) or customized group. If you are establishing policy for a local computer only the system ignores this setting.
ce file is created.
nd "Fail unarmored authentication requests" when the domain functional level is set to Windows Server 2008 R2 or earlier then domain c
startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup). If t
TION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000) PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAY

configure this policy setting Force Rediscovery will be used by default for the machine at every 12 hour interval unless the local machine s
Kpwd SRV _kpasswd._udp.<DnsDomainName>If you disable this policy setting DCs configured to perform dynamic registration of DC Lo
ve Directory forest.
2\msra.exe%WINDIR%\System32\raserver.exeWindows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition with Servic
setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
etting will not be applied until the system is rebooted.

mation about the Extended Error Information Exception field see the Windows Software Development Kit (SDK).Note: Extended error info
to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces that have r
he setting set in User Configuration.

Management Console.
p Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. 3. Under Control Panel settings rig
will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
is setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic.Choose the operating system
bal for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM
a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of auth
e it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failu
the roaming profile at creation time.Note: The behavior when this policy setting is enabled is exactly the same behavior as in Windows 20
y user profiles stored in the computer's memory. This indicates that the system has not been able to unload the profile.Also check the App
he "Delete cached copies of roaming profiles" policy setting is enabled there is no local copy of the roaming profile to load when the syste
s disabled or not configured the registry file for a roaming user profile will not be uploaded in the background while the user is logged on.
indicates a time in the past (as compared to the client computer's local clock) that has a time difference that is greater than the MaxNegP
g W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes.ResolvePeerB
a loss due to lack of key information. If you do not allow both user recovery options you must enable the "Store BitLocker recovery informa
n another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether the drive
retried and the recovery password may not have been stored in AD DS during BitLocker setup.If you disable or do not configure this policy
ws XP with SP2 that do not have BitLocker To Go Reader installed.If this policy setting is disabled fixed data drives formatted with the FAT
ssword only" only the recovery password is stored in AD DS.Select the "Do not enable BitLocker until recovery information is stored in AD
disable the use of hardware-based encryption.Encryption algorithms are specified by object identifiers (OID). For example:- AES 128 in CBC
o configure a greater minimum length for the password enter the desired number of characters in the "Minimum password length" box.If y
ysically corrupted. If you select "Backup recovery password only" only the recovery password is stored in AD DS.Select the "Do not enable
use a standard BIOS.Warning: Changing from the default platform validation profile affects the security and manageability of your compu
he encryption key against changes to the Core Root of Trust of Measurement (CRTM) BIOS and Platform Extensions (PCR 0) the Option RO
Cs that lack Secure Boot State (PCR 7) support the default platform validation profile secures the encryption key against changes to the co
ker will disable the use of hardware-based encryption.Encryption algorithms are specified by object identifiers (OID). For example:- AES 12
desired number of characters in the "Minimum password length" box.If you disable or do not configure this policy setting the default leng
rive you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption setup wizar
sta Windows XP with SP3 or Windows XP with SP2 that do not have BitLocker To Go Reader installed.If this policy setting is disabled remo
able BitLocker until recovery information is stored in AD DS for removable data drives" check box if you want to prevent users from enabli
r will disable the use of hardware-based encryption.Encryption algorithms are specified by object identifiers (OID). For example:- AES 128
mum length for the password enter the desired number of characters in the "Minimum password length" box.If you disable this policy setti
hanging their data collection settings.

115. This update applies only to Windows 10 version 1709 and higher.
acters after the domain such as trailing slashes or URL path. For example policy settings for www.contoso.com and www.contoso.com/ma
ger available so setting the value to 1 or 2 enrolls the device into Advanced membership.
and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124. Block disk modification only: The followin
ways takes precedence in a Remote Desktop Services session.2. To configure a mandatory Remote Desktop Services roaming user profile f
nnection is terminated.
ative Templates\System\Logon\Run these programs at user logon" setting.)Note: This setting appears in both Computer Configuration and
ugh the System cryptography. Use FIPS compliant algorithms for encryption hashing and signing settings in Group Policy (under Computer
and choose to â€œMedium-Highâ€ from the drop-down box password security is set to â€œMedium-High.â€ At this setting when users
es tab in Input Panel Options.
d in a queue directory and the next administrator to log on to the computer can send the error reports to Microsoft.- ""Corporate file path
takes precedence.Also see the ""Default Application Reporting"" and ""Application Exclusion List"" policies.This setting will be ignored if th
E:FFFF:7654:FEDA:1245:BA98:3210:4562
dow and require elevated permissions to do either of these tasks.If you disable this policy setting then only administrative users will receiv
le is specified the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete the install
he scheduled time4. Configure Automatic Updates
o download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no download Ur
e limits are reached and new data is collected old data is deleted to make room for more recent data.Note: Handwriting personalization w
tion is unrestricted up to a certain data limit which has been exceeded. Surcharge applied or unknown. 0x20 - Usage of this connecti
ied.- Disabled. With this selection BranchCache client computers use the default latency setting of 80 milliseconds.In circumstances where
ystem.
mputers which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cache servers."-
Mode" is applied the client computer does not perform automatic hosted cache discovery. This is also true in cases where the policy settin
t Transfer Service (BITS) 4.0 installed.

g is enabled you can also select and configure the following option:- Type the name of the hosted cache server. Specifies the computer na
onfigure the following option:- Specify the percentage of total disk space allocated for the cache. Specifies an integer that is the percentag
rimary DNS suffix to a single-label name. If this query fails the connection-specific DNS suffix is attached for a new query. If none of these
ecified the DNS client attaches the primary DNS suffix to a single-label name. If this query fails the connection-specific DNS suffix is attache
only for shared folders on which BranchCache is enabled. With this option content information is generated only for shared folders on whi
the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Internet Conne
n" settings are set to deny access to the Connection Properties dialog box the Advanced tab for the connection is blocked.Note: Nonadmin
messages but several of the options of the "Windows Defender Firewall: Allow ICMP exceptions" policy setting affect outgoing communic
nter sharing exception" "Windows Defender Firewall: Allow inbound remote administration exception" and "Windows Defender Firewall:
RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST
errors and therefore you can accidentally create multiple entries for the same port with conflicting Scope or Status values. Scope paramete
exceptions list that administrators define by using the Windows Defender Firewall component in Control Panel.Note: If you type an invalid
messages but several of the options of the "Windows Defender Firewall: Allow ICMP exceptions" policy setting affect outgoing communic
nter sharing exception" "Windows Defender Firewall: Allow inbound remote administration exception" and "Windows Defender Firewall:
RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by SVCHOST
errors and therefore you can accidentally create multiple entries for the same port with conflicting Scope or Status values. Scope paramete
exceptions list that administrators define by using the Windows Defender Firewall component in Control Panel.Note: If you type an invalid
d plans it may be necessary to configure the latency threshold to be lower than the round-trip network latency.In Windows Vista or Windo
total size limit less than the amount of space currently used by the Offline Files cache the total size limit is automatically adjusted upward
Windows to soft-disconnect a computer from a network" policy setting.
n elevated command prompt when an existing printer connection driver needs to be updated. -Windows Server 2003 and Windows X
atic pruning remember to delete printer objects manually whenever you remove a printer or print server.
box. See the "Hide the dropdown list of recent files" setting.Note: It is a requirement for third-party applications with Windows 2000 or la
p" commands for .chm files that are stored on mapped drives or accessed using UNC paths. For additional options see the "Restrict the
ons; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable connections
s custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded fo
downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the â€
up Policy runs synchronously it downloads the latest version of the policy from the network and uses bandwidth estimates to determine sl
et an update rate for user policies use the "Set Group Policy refresh interval for users" setting (located in User Configuration\Administrative
res this setting.
08 R2 or earlier then domain controllers behave as if the "Supported" option is selected. When the domain functional level is set to Windo
during computer startup). If the server is configured as follows this policy setting takes effect during Group Policy processing at user logon
Y_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) The bottom-up randomization policy which includes stack randomization options c
rval unless the local machine setting in the registry is a different value.
dynamic registration of DC Locator DNS records register all DC Locator DNS resource records.If you do not configure this policy setting DC
ssional x64 Edition with Service Pack 1 (SP1)Port 135:TCP%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe%WINDIR%\PCHealth\HelpCt
DK).Note: Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems
anted to interfaces that have requested them.-- "Authenticated without exceptions" allows only authenticated RPC Clients (per the defini
nder Control Panel settings right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7).4. Provide name an
Choose the operating system managed TPM authentication setting of "None" for compatibility with previous operating systems and applic
of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode fo
ncryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs ma
number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockou
me behavior as in Windows 2000 Professional pre-SP4 and Windows XP Professional.

the profile.Also check the Application Log in Event Viewer for events generated by Userenv. The system records an event whenever it trie
profile to load when the system detects a slow connection.
d while the user is logged on.
t is greater than the MaxNegPhaseCorrection value the time sample is discarded. Default: 172800 seconds. MaxPosPhaseCorrectionIf
e is 15 minutes.ResolvePeerBackoffMaxTimesThis value controls how many times W32time attempts to resolve a DNS name before the di
ore BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)" policy setting to preve
o determine whether the drive is from an outside organization.If you disable or do not configure this policy setting the identification field is
or do not configure this policy setting BitLocker recovery information is not backed up to AD DS.Note: Trusted Platform Module (TPM) initi
drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Server 2008 W
ry information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the compute
. For example:- AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
mum password length" box.If you disable this policy setting the user is not allowed to use a password.If you do not configure this policy setti
DS.Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if you want to
manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depe
ensions (PCR 0) the Option ROM Code (PCR 2) the Master Boot Record (MBR) Code (PCR 4) the NTFS Boot Sector (PCR 8) the NTFS Boot Blo
key against changes to the core system firmware executable code (PCR 0) extended or pluggable executable code (PCR 2) boot manager (
rs (OID). For example:- AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
policy setting the default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will o
r Drive Encryption setup wizard.
policy setting is disabled removable data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on com
t to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery informa
(OID). For example:- AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
x.If you disable this policy setting the user is not allowed to use a password.If you do not configure this policy setting passwords will be sup
m and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer and would therefore be in conflict.Value -
fication only: The following will be blocked: - Attempts by untrusted apps to write to disk sectors The Windows event log will re
Services roaming user profile for all users connecting remotely to the RD Session Host server use this policy setting together with the "Use
h Computer Configuration and User Configuration. If both settings are configured the Computer Configuration setting overrides.
Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compliant setti
â€ At this setting when users enter passwords from Input Panel they use the on-screen keyboard by default skin switching is allowed and
icrosoft.- ""Corporate file path"": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location inst
his setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured.
administrative users will receive update notifications.Note: On Windows 8 and Windows RT this policy setting is enabled by default. In all p
restart to complete the installation Windows will restart the computer automatically. (If a user is signed in to the computer when Window
hen there are no download Urls for files in the update metadata. This option should only be used when the intranet update service does n
Handwriting personalization works only for Microsoft handwriting recognizers and not with third-party recognizers.
0x20 - Usage of this connection is unrestricted up to a certain data limit which has been exceeded. No surcharge applies but speeds are li
conds.In circumstances where this policy setting is enabled you can also select and configure the following option:- Type the maximum ro
ify in "Hosted cache servers."- Disabled. With this selection this policy is not applied to client computers.In circumstances where this settin
n cases where the policy setting "Configure Hosted Cache Servers" is applied.This policy setting can only be applied to client computers tha
ver. Specifies the computer name of the hosted cache server. Because the hosted cache server name is also specified in the certificate enr
n integer that is the percentage of total client computer disk space to use for the BranchCache client computer cache.* This policy setting
a new query. If none of these queries are resolved the client devolves the primary DNS suffix of the computer (drops the leftmost label of
n-specific DNS suffix is attached for a new query. If none of these queries are resolved the client devolves the primary DNS suffix of the co
only for shared folders on which BranchCache is enabled. If you use this setting you must enable BranchCache for individual shares in Shar
tion for which Internet Connection Sharing is enabled. In addition remote access connections created through the Make New Connection
tion is blocked.Note: Nonadministrators are already prohibited from configuring Internet Connection Sharing regardless of this setting.Note
tting affect outgoing communication.

"Windows Defender Firewall: Define inbound port exceptions."
f they are hosted by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not then do not enable this p
Status values. Scope parameters are combined for multiple entries. If entries have different Status values any definition with the Status se
nel.Note: If you type an invalid definition string Windows Defender Firewall adds it to the list without checking for errors. This allows you t
tting affect outgoing communication.

"Windows Defender Firewall: Define inbound port exceptions."
f they are hosted by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not then do not enable this p
Status values. Scope parameters are combined for multiple entries. If entries have different Status values any definition with the Status se
nel.Note: If you type an invalid definition string Windows Defender Firewall adds it to the list without checking for errors. This allows you t
cy.In Windows Vista or Windows Server 2008 once transitioned to slow-link mode users will continue to operate in slow-link mode until th
utomatically adjusted upward to the amount of space currently used by offline files. The cache is then considered full.If you enable this se
ws Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -The "Users can
tions with Windows 2000 or later certification to adhere to this setting.

al options see the "Restrict these programs from being launched from Help" policy.
dth or unreliable connections.

have previously succeeded for such specified users once the DCOM server process was up and running might now fail instead. The prope
ow link thresholds. (See the â€œConfigure Group Policy Slow Link Detectionâ€ policy setting to configure asynchronous foreground beha
dth estimates to determine slow link thresholds. (See the â€œConfigure Group Policy Slow Link Detectionâ€ policy setting to configure a
r Configuration\Administrative Templates\System\Group Policy).This setting is only used when the "Turn off background refresh of Group
unctional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capab
Policy processing at user logon:â€¢ The server is configured as a terminal server (that is the Terminal Server role service is installed and co
stack randomization options causes a random location to be used as the lowest user address. For instance to enable PROCESS_CREATI
onfigure this policy setting DCs use their local configuration.
e%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe%WINDIR%\System32\Sessmgr.exeFor computers running Windows Server 2003 with
Microsoft operating systems but only newer Microsoft operating systems can read and respond to the information.Note: The default poli
ted RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied. No exc
Windows 7).4. Provide name and description as appropriate then under Security Options set the user account to System and select the Run
s operating systems and applications or for use with scenarios that require TPM owner authorization not be stored locally. Using this settin
Ms may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPM
manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on
Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures.
ords an event whenever it tries to unload the registry portion of the user profile. The system also records an event when it fails to update t
MaxPosPhaseCorrectionIf a time sample is received that indicates a time in the future (as compared to the client computer's local clock
olve a DNS name before the discovery process is restarted. Each time DNS name resolution fails the amount of time to wait before the nex
Vista)" policy setting to prevent a policy error.
etting the identification field is not required.Note: Identification fields are required for management of certificate-based data recovery age
d Platform Module (TPM) initialization might occur during BitLocker setup. Enable the "Turn on TPM backup to Active Directory Domain Se
nning Windows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2. Bitlockertogo.exe will not be installed.Note: Th
BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.Note: If th
1.3.4.1.42
do not configure this policy setting passwords will be supported with the default settings which do not include password complexity requir
rives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of B
s increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.

ctor (PCR 8) the NTFS Boot Block (PCR 9) the Boot Manager (PCR 10) and the BitLocker Access Control (PCR 11).Warning: Changing from th
e code (PCR 2) boot manager (PCR 4) and the BitLocker access control (PCR 11).When Secure Boot State (PCR7) support is available the def
0.1.101.3.4.1.42
nd no complexity checks will occur.Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography: Use FIPS-com
ed cannot be unlocked on computers running Windows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2. Bitloc
of BitLocker recovery information to AD DS succeeds.Note: If the "Do not enable BitLocker until recovery information is stored in AD DS fo
.1.101.3.4.1.42
y setting passwords will be supported with the default settings which do not include password complexity requirements and require only 8
herefore be in conflict.Value - A number indicating the zone with which this site should be associated for security settings. The Internet Ex
The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defender > O
etting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Admini
on setting overrides.
ons.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client with the Fe
t skin switching is allowed and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this se
d at the specified location instead of being sent directly to Microsoft and the next administrator to log onto the computer can send the err
g is enabled by default. In all prior versions of windows it is disabled by default.If the "Configure Automatic Updates" policy setting is disab
o the computer when Windows is ready to restart the user will be notified and given the option to delay the restart.) On Windows 8 an
ntranet update service does not provide download Urls in the update metadata for files which are present on the alternate download serv
harge applies but speeds are likely reduced. 0x40 - The connection is costed on a per-byte basis. 0x80 - The connection is roamin
option:- Type the maximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of time in milliseco
ircumstances where this setting is enabled you can also select and configure the following option:- Hosted cache servers. To add hosted ca
pplied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Windows 7 or Wi
specified in the certificate enrolled to the hosted cache server the name that you enter here must match the name of the hosted cache se
ter cache.* This policy setting is supported on computers that are running Windows Vista Business Enterprise and Ultimate editions with B
r (drops the leftmost label of the primary DNS suffix) attaches this devolved primary DNS suffix to the single-label name and submits this n
e primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix) attaches this devolved primary DNS suffix to the
he for individual shares in Share and Storage Management on the file server.- Disallow hash publication on all shared folders. With this opti
gh the Make New Connection Wizard have the Internet Connection Firewall enabled.
regardless of this setting.Note: Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for DHCP se
not then do not enable this policy setting.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbound ICMP
y definition with the Status set to "disabled" overrides all definitions with the Status set to "enabled" and the port does not receive messa
ng for errors. This allows you to add programs that you have not installed yet but be aware that you can accidentally create multiple entri
not then do not enable this policy setting.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbound ICMP
y definition with the Status set to "disabled" overrides all definitions with the Status set to "enabled" and the port does not receive messa
ng for errors. This allows you to add programs that you have not installed yet but be aware that you can accidentally create multiple entri
rate in slow-link mode until the user clicks the Work Online button on the toolbar in Windows Explorer. Data will only be synchronized to
dered full.If you enable this setting and specify an auto-cached space limit greater than the total size limit the auto-cached limit is automati
nd Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and Window
ht now fail instead. The proper action in this situation is to re-configure the DCOM server's custom launch permission settings for correct
synchronous foreground behavior.)
policy setting to configure asynchronous foreground behavior.)
background refresh of Group Policy" setting is not enabled.Note: Consider notifying users that their policy is updated periodically so that
uters that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring and: - If you
role service is installed and configured on the server); andâ€¢ The â€œAllow asynchronous user Group Policy processing when logging on
ce to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_

ng Windows Server 2003 with Service Pack 1 (SP1)Port 135:TCP%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe%WINDIR%\PCHealth\
mation.Note: The default policy setting "Off" is designed for systems where extended error information is considered to be sensitive and i
olicy setting is applied. No exceptions are allowed.Note: This policy setting will not be applied until the system is rebooted.
t to System and select the Run with highest privileges checkbox.5. In the Actions tab create a new action select Start a Program as its type
stored locally. Using this setting might cause issues with some TPM-based applications.Note: If the operating system managed TPM authen
ding on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so e
rization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require th
es depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to b
event when it fails to update the files in a user profile.
he client computer's local clock) that has a time difference greater than the MaxPosPhaseCorrection value the time sample is discarded. De
of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts.SpecialPollIntervalThis NTP
ficate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data recovery ag
to Active Directory Domain Services" policy setting in System\Trusted Platform Module Services to ensure that TPM information is also ba
e will not be installed.Note: This policy setting does not apply to drives that are formatted with the NTFS file system.
n to AD DS succeeds.Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" check box is s
e password complexity requirements and require only 8 characters.Note: Passwords cannot be used if FIPS-compliance is enabled. The "S
he domain and the backup of BitLocker recovery information to AD DS succeeds.Note: If the "Do not enable BitLocker until recovery inform
11).Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sen
R7) support is available the default platform validation profile secures the encryption key using Secure Boot State (PCR 7) and the BitLocke
em cryptography: Use FIPS-compliant algorithms for encryption hashing and signing" policy setting in Computer Configuration\Windows S
r Windows XP with SP2. Bitlockertogo.exe will not be installed.Note: This policy setting does not apply to drives that are formatted with th
ormation is stored in AD DS for fixed data drives" check box is selected a recovery password is automatically generated.If you enable this p
quirements and require only 8 characters.Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography: Use
curity settings. The Internet Explorer zones described above are 1-4.If you disable or do not configure this policy users may choose their ow
ows > Windows Defender > Operational > ID 1123. The following will not be blocked and will be allowed to run: - Attempts by untr
mputer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set
server to the client with the Federal Information Processing Standard (FIPS) 140 encryption algorithms by using Microsoft cryptographic m
not be able to configure this setting in the Input Panel Options dialog box.If you enable this policy and choose â€œHighâ€ from the drop-d
the computer can send the error reports to Microsoft.- ""Replace instances of the word â€˜Microsoftâ€™ with"": You can specify text with
Updates" policy setting is disabled or is not configured then the Elevate Non-Admin policy setting has no effect.
restart.) On Windows 8 and later you can set updates to install during automatic maintenance instead of a specific schedule. Automati
n the alternate download server. Note: If the "Configure Automatic Updates" policy is disabled then this policy has no effect. Note
80 - The connection is roaming. 0x80000000 - Ignore congestion.
he amount of time in milliseconds after which BranchCache client computers begin to cache content locally.
ache servers. To add hosted cache server computer names to this policy setting click Enabled and then click Show. The Show Contents dial
are running Windows 7 or Windows Vista. If you disable or do not configure this setting a client will not attempt to discover hosted cache
e name of the hosted cache server that is specified in the server certificate. Hosted cache clients must trust the server certificate that is iss
e and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
-label name and submits this new query to a DNS server.For example if the primary DNS suffix ooo.aaa.microsoft.com is attached to the no
ved primary DNS suffix to the single-label name and submits this new query to a DNS server.For example if the primary DNS suffix ooo.aaa
l shared folders. With this option BranchCache does not generate content information for any shares on the computer and does not send
ng the ICS service for DHCP services. To prevent the ICS service from running on the Network Permissions tab in the network's policy prop
Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility) even if the "Windows Defender Firewall: Allow
e port does not receive messages. Therefore if you set the Status of a port to "disabled" you can prevent administrators from using the Wi
identally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters are combined for multipl
Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility) even if the "Windows Defender Firewall: Allow
e port does not receive messages. Therefore if you set the Status of a port to "disabled" you can prevent administrators from using the Wi
identally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters are combined for multipl
a will only be synchronized to the server if the user manually initiates synchronization by using Sync Center.In Windows 7 Windows Server
e auto-cached limit is automatically adjusted downward to equal the total size limit.This setting replaces the Default Cache Size setting use
ows Server 2003 and Windows XP SP1 (and later service packs).
ermission settings for correct security settings but this policy setting may be used in the short-term as an application compatibility deploym
s updated periodically so that they recognize the signs of a policy update. When Group Policy is updated the Windows desktop is refreshed
rberos armoring and: - If you set the "Always provide claims" option always returns claims for accounts and supports the RFC behavior fo
cy processing when logging on through Terminal Servicesâ€ policy setting is enabled. This policy setting is located under Computer Config
N_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OF

svc.exe%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exeAllow Remote Desktop Exception
onsidered to be sensitive and it should not be made available remotely.Note: This policy setting will not be applied until the system is rebo
m is rebooted.
ect Start a Program as its type then enter the file created in step 1.6. Configure the task to deploy to your domain.
g system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will be regene
quire the system to be on so enough clock cycles elapse before the TPM exits the lockout mode.An administrator with the TPM owner pas
de. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode.An administrator w
s may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode.An administrator with the TPM o
e time sample is discarded. Default: 172800 seconds. PhaseCorrectRateThis parameter controls how quickly W32time corrects the clie
pts.SpecialPollIntervalThis NTP client value expressed in seconds controls how often a manually configured time source is polled when the
tificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on the compu
hat TPM information is also backed up.
system.
xed data drives" check box is selected a recovery password is automatically generated.If you enable this policy setting you can control the
compliance is enabled. The "System cryptography: Use FIPS-compliant algorithms for encryption hashing and signing" policy setting in Com
BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected a recovery password is automati
your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclus
State (PCR 7) and the BitLocker access control (PCR 11). Warning: Changing from the default platform validation profile affects the security
uter Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
ves that are formatted with the NTFS file system.

generated.If you enable this policy setting you can control the methods available to users to recover data from BitLocker-protected remo
e "System cryptography: Use FIPS-compliant algorithms for encryption hashing and signing" policy setting in Computer Configuration\Win
licy users may choose their own site-to-zone assignments.
to run: - Attempts by untrusted apps to modify or delete files in protected folders These attempts will not be recorded in the Win
on Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the manda
ing Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host servers requir
e â€œHighâ€ from the drop-down box password security is set to â€œHigh.â€ At this setting when users enter passwords from Input Pa
th"": You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified t
f a specific schedule. Automatic maintenance will install updates when the computer is not in use and avoid doing so when the computer
policy has no effect. Note: If the "Alternate Download Server" is not set it will use the intranet update service by default to download
Show. The Show Contents dialog box opens. Click Value and then type the computer names of the hosted cache servers.
empt to discover hosted cache servers by service connection point.Policy configurationSelect one of the following:- Not Configured. With t
he server certificate that is issued to the hosted cache server. Ensure that the issuing CA certificate is installed in the Trusted Root Certific
osoft.com is attached to the non-dot-terminated single-label name "example" and the DNS query for example.ooo.aaa.microsoft.com fails
he primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example" and the DNS query for e
computer and does not send content information to client computers that request content.
b in the network's policy properties select the "Don't use hosted networks" check box.
dows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Win
ministrators from using the Windows Defender Firewall component in Control Panel to enable the port.Note: The only effect of setting the
eters are combined for multiple entries.Note: If you set the Status parameter of a definition string to "disabled" Windows Defender Firewa
dows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Win
ministrators from using the Windows Defender Firewall component in Control Panel to enable the port.Note: The only effect of setting the
eters are combined for multiple entries.Note: If you set the Status parameter of a definition string to "disabled" Windows Defender Firewa
n Windows 7 Windows Server 2008 R2 Windows 8 or Windows Server 2012 when operating in slow-link mode Offline Files synchronizes th
Default Cache Size setting used by pre-Windows Vista systems.

plication compatibility deployment aid.DCOM servers added to this exemption list are only exempted if their custom launch permissions d
Windows desktop is refreshed; it flickers briefly and closes open menus. Also restrictions imposed by Group Policies such as those that lim
d supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). - If you set the "Fail unarmored authentica
ocated under Computer Configuration\Policies\Administrative templates\System\Group Policy\.If this configuration is not implemented on
TTOM_UP_ASLR_ALWAYS_OFF and to leave all other options at their default values specify a value of: ???????????????0???????1????
pplied until the system is rebooted.
horization value will be regenerated and any copies of the original TPM owner authorization value will be invalid.
rator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Eac
kout mode.An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management
administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.
ckly W32time corrects the client computer's local clock difference to match time samples that are accepted as accurate from the NTP serv
time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the NTPSe
alue configured on the computer. The identification field can be any value of 260 characters or fewer.
cy setting you can control the methods available to users to recover data from BitLocker-protected fixed data drives.If this policy setting is
d signing" policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether F
ecovery password is automatically generated.If you enable this policy setting you can control the methods available to users to recover da
reased depending upon inclusion or exclusion (respectively) of the PCRs.

tion profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authoriz
-compliance is enabled.
om BitLocker-protected removable data drives.If this policy setting is not configured or disabled the default recovery options are supporte
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled
ill not be recorded in the Windows event log. Audit disk modification only: The following will not be blocked and will be allowed to
tting should contain the mandatory profile.
RD Session Host servers requires the highest level of encryption.
nter passwords from Input Panel they use the on-screen keyboard by default skin switching is not allowed and Input Panel does not displa
s replaced with the specified text.If you do not configure this policy setting users can change Windows Error Reporting settings in Control P
doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days Windows Upda
ervice by default to download updates. Note: The option to "Download files with no Url..." is only used if the "Alternate Download Ser
che servers.
owing:- Not Configured. With this selection BranchCache settings are not applied to client computers by this policy setting and client comp
ed in the Trusted Root Certification Authorities certificate store on all hosted cache client computers.* This policy setting is supported on c
e.ooo.aaa.microsoft.com fails the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level an
mple" and the DNS query for example.ooo.aaa.microsoft.com fails the DNS client devolves the primary DNS suffix (drops the leftmost labe
en TCP port 445 include "Windows Defender Firewall: Allow inbound file and printer sharing exception" "Windows Defender Firewall: Allo
: The only effect of setting the Status value to "disabled" is that Windows Defender Firewall ignores other definitions for that port that set
ed" Windows Defender Firewall ignores port requests made by that program and ignores other definitions that set the Status of that progr
en TCP port 445 include "Windows Defender Firewall: Allow inbound file and printer sharing exception" "Windows Defender Firewall: Allo
: The only effect of setting the Status value to "disabled" is that Windows Defender Firewall ignores other definitions for that port that set
ed" Windows Defender Firewall ignores port requests made by that program and ignores other definitions that set the Status of that progr
de Offline Files synchronizes the user's files in the background at regular intervals or as configured by the "Configure Background Sync" pol
custom launch permissions do not contain specific LocalLaunch RemoteLaunch LocalActivate or RemoteActivate grant or deny entries for
Policies such as those that limit the programs users can run might interfere with tasks in progress.
he "Fail unarmored authentication requests" option rejects unarmored Kerberos messages.Warning: When "Fail unarmored authenticatio
uration is not implemented on the server this policy setting is ignored. In this case Group Policy processing at user logon is synchronous (t
?????????????0???????1???????1 Setting flags not specified here to any value other than ? results in undefined behavior.
ement Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization fa
using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard us
M Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM autho
as accurate from the NTP server. Lower values cause the clock to correct more slowly; larger values cause the clock to correct more quick
l flag is enabled on the NTPServer setting the client uses the value that is set as the SpecialPollInterval instead of a variable interval betwe
a drives.If this policy setting is not configured or disabled the default recovery options are supported for BitLocker recovery. By default a D
ty Options specifies whether FIPS-compliance is enabled.
vailable to users to recover data from BitLocker-protected operating system drives.If this policy setting is disabled or not configured the de
fications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs. Specifically s
recovery options are supported for BitLocker recovery. By default a DRA is allowed the recovery options can be specified by the user inclu
her FIPS-compliance is enabled.

blocked and will be allowed to run: - Attempts by untrusted apps to write to disk sectors - Attempts by untrusted apps to modify o
nd Input Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Opti
Reporting settings in Control Panel. By default these settings are Enable Reporting on computers that are running Windows XP and Report
ates for 2 days Windows Update will install updates right away. Users will then be notified about an upcoming restart and that restart will
the "Alternate Download Server" is set. Note: This policy is not supported on Windows RT. Setting this policy will not have any effect o
policy setting and client computers do not perform hosted cache server discovery.- Enabled. With this selection the policy setting is applie
olicy setting is supported on computers that are running Windows Vista Business Enterprise and Ultimate editions with Background Intelli
he specified devolution level and submits a query for example.aaa.microsoft.com. If this query fails the primary DNS suffix is devolved furth
suffix (drops the leftmost label) till the specified devolution level and submits a query for example.aaa.microsoft.com. If this query fails the
ndows Defender Firewall: Allow inbound remote administration exception" and "Windows Defender Firewall: Define inbound port excepti
finitions for that port that set the Status to "enabled." If another policy setting opens a port or if a program in the program exceptions list
hat set the Status of that program to "enabled." Therefore if you set the Status to "disabled" you prevent administrators from allowing the
ndows Defender Firewall: Allow inbound remote administration exception" and "Windows Defender Firewall: Define inbound port excepti
finitions for that port that set the Status to "enabled." If another policy setting opens a port or if a program in the program exceptions list
hat set the Status of that program to "enabled." Therefore if you set the Status to "disabled" you prevent administrators from allowing the
onfigure Background Sync" policy. While in slow-link mode Windows periodically checks the connection to the folder and brings the folder
tivate grant or deny entries for any users or groups. Also note exemptions for DCOM Server Appids added to this list will apply to both 32-
"Fail unarmored authentication requests" is set then client computers which do not support Kerberos armoring will fail to authenticate to
t user logon is synchronous (these servers wait for the network to be initialized during user logon).If you disable or do not configure this p
ndefined behavior.
dard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately.If this value is not co
kout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediate
rior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately.If this value
he clock to correct more quickly. Default: 7 (scalar). PollAdjustFactorThis parameter controls how quickly W32time changes polling inte
ad of a variable interval between MinPollInterval and MaxPollInterval values to determine how frequently to poll the time source. SpecialP
Locker recovery. By default a DRA is allowed the recovery options can be specified by the user including the recovery password and recove
abled or not configured the default recovery options are supported for BitLocker recovery. By default a DRA is allowed the recovery option
vely) of the PCRs. Specifically setting this policy with PCR 7 omitted will override the "Allow Secure Boot for integrity validation" group polic
be specified by the user including the recovery password and recovery key and recovery information is not backed up to AD DS
by untrusted apps to modify or delete files in protected folders Only attempts to write to protected disk sectors will be recorded in the
setting in the Input Panel Options dialog box. If you disable this policy password security is set to â€œMedium-High.â€ At this setting wh
nning Windows XP and Report to Queue on computers that are running Windows Server 2003.If you disable this policy setting configuratio
ng restart and that restart will only take place if there is no potential for accidental data loss. 5 = Allow local administrators to select th
policy will not have any effect on Windows RT PCs. To ensure the highest level of security Microsoft recommends securing WSUS with T
tion the policy setting is applied to client computers which perform automatic hosted cache server discovery and which are configured as h
ditions with Background Intelligent Transfer Service (BITS) 4.0 installed.

ary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fa
soft.com. If this query fails the primary DNS suffix is devolved further if it is under specified devolution level and the query example.micros
ll: Define inbound port exceptions."
in the program exceptions list asks Windows Defender Firewall to open a port Windows Defender Firewall opens the port.Note: If any poli
ministrators from allowing the program to ask Windows Defender Firewall to open additional ports. However even if the Status is "disable
ll: Define inbound port exceptions."
in the program exceptions list asks Windows Defender Firewall to open a port Windows Defender Firewall opens the port.Note: If any poli
ministrators from allowing the program to ask Windows Defender Firewall to open additional ports. However even if the Status is "disable
e folder and brings the folder back online if network speeds improve.In Windows 8 or Windows Server 2012 set the Latency threshold to 1
this list will apply to both 32-bit and 64-bit versions of the server if present.
ing will fail to authenticate to the domain controller.To ensure this feature is effective deploy enough domain controllers that support clai
able or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and tha
mediately.If this value is not configured a default value of 4 is used.A value of zero means the OS will not allow standard users to send com
TPM normally again immediately.If this value is not configured a default value of 480 minutes (8 hours) is used.
again immediately.If this value is not configured a default value of 9 is used.A value of zero means the OS will not allow standard users to
W32time changes polling intervals. When responses are considered to be accurate the polling interval lengthens automatically. When res
poll the time source. SpecialPollInterval must be in the range of [MinPollInterval MaxPollInterval] else the nearest value of the range is pi
recovery password and recovery key and recovery information is not backed up to AD DS
is allowed the recovery options can be specified by the user including the recovery password and recovery key and recovery information i
ntegrity validation" group policy preventing BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integrity valida
backed up to AD DS
sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Defender > O
m-High.â€ At this setting when users enter passwords from Input Panel they use the on-screen keyboard by default skin switching is allo
this policy setting configuration settings in the policy setting are left blank.See related policy settings Display Error Notification (same folde
cal administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option has not been ca
mmends securing WSUS with TLS/SSL protocol thereby using HTTPS based intranet servers to keep systems secure. If a proxy is required w
and which are configured as hosted cache mode clients.- Disabled. With this selection this policy is not applied to client computers.
m is submitted. If this query fails devolution continues if it is under specified devolution level and the query example.microsoft.com is subm
and the query example.microsoft.com is submitted. If this query fails devolution continues if it is under specified devolution level and the q
pens the port.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbound ICMP echo request messages (the
r even if the Status is "disabled" the program can still receive unsolicited incoming messages through a port if another policy setting opens
pens the port.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbound ICMP echo request messages (the
r even if the Status is "disabled" the program can still receive unsolicited incoming messages through a port if another policy setting opens
set the Latency threshold to 1ms to keep users always working offline in slow-link mode.If you disable this policy setting computers will n
n controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the
s Server 2008 or later and that is configured as described earlier the computer typically does not wait for the network to be fully initialized
w standard users to send commands to the TPM which may cause an authorization failure.
ed.
ll not allow standard users to send commands to the TPM which may cause an authorization failure.
hens automatically. When responses are considered to be inaccurate the polling interval shortens automatically. Default: 5 (scalar). Sp
earest value of the range is picked. Default: 1024 seconds.EventLogFlagsThis value is a bitmask that controls events that may be logged to
ey and recovery information is not backed up to AD DS.
tion Data (BCD) integrity validation. Setting this policy may result in BitLocker recovery when firmware is updated. If you set this policy to i
ows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be recorded. N
y default skin switching is allowed and Input Panel does not display the cursor or which keys are tapped. Users will not be able to configur
Error Notification (same folder as this policy setting) and Turn off Windows Error Reporting in Computer Configuration/Administrative Te
s. (This option has not been carried over to any Win 10 Versions) With this option local administrators will be allowed to use the Wind
ecure. If a proxy is required we recommend configuring system proxy. To ensure highest levels of security additionally leverage WSUS TLS
ied to client computers.
example.microsoft.com is submitted corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devo
fied devolution level and the query example.microsoft.com is submitted corresponding to a devolution level of two. The primary DNS suffi
P echo request messages (the message sent by the Ping utility) even if the "Windows Defender Firewall: Allow ICMP exceptions" policy se
if another policy setting opens that port.Note: Windows Defender Firewall opens ports for the program only when the program is running
P echo request messages (the message sent by the Ping utility) even if the "Windows Defender Firewall: Allow ICMP exceptions" policy se
if another policy setting opens that port.Note: Windows Defender Firewall opens ports for the program only when the program is running
policy setting computers will not use the slow-link mode.
os armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authenti
e network to be fully initialized. In this case users are logged on with cached credentials. Group Policy is applied asynchronously in the bac
cally. Default: 5 (scalar). SpikeWatchPeriodThis parameter specifies the amount of time that samples with time offset larger than Large
s events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whene
dated. If you set this policy to include PCR 0 suspend BitLocker prior to applying firmware updates.It is recommended to not configure this
ers will not be recorded. Not configured: Same as Disabled.
ers will not be able to configure this setting in the Input Panel Options dialog box. If you do not configure this policy password security is se
nfiguration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.
ill be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators will not be al
dditionally leverage WSUS TLS certificate pinning on all devices. In order to keep clients inherently secure we are no longer allowing in
not be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level pol
of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this po
ow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Defender Firewall: Allo
when the program is running and "listening" for incoming messages. If the program is not running or is running but not listening for those
ow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Defender Firewall: Allo
when the program is running and "listening" for incoming messages. If the program is not running or is running but not listening for those
rt this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is the "Supported" o
ied asynchronously in the background.Notes: -If you want to guarantee the application of Folder Redirection Software Installation or roam
h time offset larger than LargePhaseOffset are received before these samples are accepted as accurate. SpikeWatchPeriod is used in conju
me will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever
mended to not configure this policy to allow Windows to select the PCR profile for the best combination of security and usability based on
s policy password security is set to â€œMedium-Highâ€ by default. At this setting when users enter passwords from Input Panel they use
al administrators will not be allowed to disable the configuration for Automatic Updates. 7 = Notify for install and notify for restart. (W
e we are no longer allowing intranet servers to leverage user proxy by default for detecting updates. If you need to leverage user proxy for
DNS suffix devolution level policy setting. The default devolution level is two.If you enable this policy setting or if you do not configure this
an be configured using this policy setting. The default devolution level is two.If you enable this policy setting and DNS devolution is also en
ndows Defender Firewall: Allow inbound file and printer sharing exception" "Windows Defender Firewall: Allow inbound remote administ
ning but not listening for those messages Windows Defender Firewall does not open its ports.
ndows Defender Firewall: Allow inbound file and printer sharing exception" "Windows Defender Firewall: Allow inbound remote administ
ning but not listening for those messages Windows Defender Firewall does not open its ports.
uired (that is the "Supported" option is enabled).Impact on domain controller performance when this policy setting is enabled: - Secure Ke
n Software Installation or roaming user profile settings in just one logon enable this policy setting to ensure that Windows waits for the net
eWatchPeriod is used in conjunction with HoldPeriod to help eliminate sporadic inaccurate time samples that are returned from a peer. D
will create an event whenever a time source change is made. Because it is a bitmask value setting 0x3 (the addition of 0x1 and 0x2) indicat
security and usability based on the available hardware on each PC.
ords from Input Panel they use the on-screen keyboard by default skin switching is allowed and Input Panel does not display the cursor or w
stall and notify for restart. (Windows Server only) With this option from Windows Server 2016 applicable only to Server SKU devices lo
eed to leverage user proxy for detecting updates while using an intranet server despite the vulnerabilities it presents you must configure t
or if you do not configure this policy setting DNS clients attempt to resolve single-label names using concatenations of the single-label nam
and DNS devolution is also enabled DNS clients use the DNS devolution level that you specify.If this policy setting is disabled or if this poli
low inbound remote administration exception" and "Windows Defender Firewall: Define inbound port exceptions."
low inbound remote administration exception" and "Windows Defender Firewall: Define inbound port exceptions."
setting is enabled: - Secure Kerberos domain capability discovery is required resulting in additional message exchanges. - Claims and com
hat Windows waits for the network to be available before applying policy. -If Folder Redirection policy will apply during the next logon sec
at are returned from a peer. Default: 900 seconds. UpdateIntervalThis parameter specifies the amount of time that W32time waits be
ddition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged.
does not display the cursor or which keys are tapped. Users will be able to configure this setting on the Advanced tab in Input Panel Option
e only to Server SKU devices local administrators will be allowed to use Windows Update to proceed with installations or reboots manually
presents you must configure the proxy behavior to "Allow user proxy to be used as a fallback if detection using system proxy fails". De
nations of the single-label name to be resolved and the devolved primary DNS suffix.If you disable this policy setting DNS clients do not att
etting is disabled or if this policy setting is not configured DNS clients use the default devolution level of two provided that DNS devolution
e exchanges. - Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the mess
pply during the next logon security policies will be applied asynchronously during the next update cycle if network connectivity is available
nced tab in Input Panel Options in Windows 7 and Windows Vista.Caution: If you lower password security settings people who can see the
tallations or reboots manually.If the status for this policy is set to Disabled any updates that are available on Windows Update must be do
ing system proxy fails". Detection for updates against intranet servers will fail when user proxy is needed as a fallback and the alternat
y setting DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved pr
provided that DNS devolution is enabled.
plexity of the data in the message which results in more processing time and greater Kerberos service ticket size. - Kerberos armoring full
twork connectivity is available.
ttings people who can see the userâ€™s screen might be able to see their passwords.
Windows Update must be downloaded and installed manually. To do this search for Windows Update using Start.If the status is set to No
d as a fallback and the alternate proxy behavior is not configured.

resolved and the devolved primary DNS suffix.
size. - Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time but does
ased processing time but does not change the service ticket size.
Policy Path
Control Panel
Control Panel
Control Panel
Control Panel
Control Panel
Control Panel\Add or Remove Programs
Control Panel\Display
Control Panel\Display
Control Panel\Printers
Control Panel\Programs
Control Panel\Regional and Language Options\Handwriting personalization
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop\Active Directory
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Shared Folders
Shared Folders
System
System
System
System
System
System
System
System
System
System
System\Ctrl+Alt+Del Options
System\Display
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Internet Communication Management
System\Logon
System\Logon
System\Logon
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
Windows Components\Add features to Windows 10
Windows Components\Attachment Manager
Windows Components\Calculator
Windows Components\Digital Locker
Windows Components\File Explorer\Common Open File Dialog
Windows Components\File Explorer\Explorer Frame Pane
Windows Components\File Explorer\Explorer Frame Pane
Windows Components\File Revocation
Windows Components\IME
Windows Components\Instant Search

Windows Components\Internet Explorer\Administrator Approved Controls
Windows Components\Internet Explorer\Internet Control Panel\Content Page
Windows Components\Internet Explorer\Internet Control Panel\General Page
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Interne
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intrane
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restrict
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Internet Connection Wi
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Printing
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Signup Settings
Windows Components\Internet Explorer\Internet Settings\Display settings
Windows Components\Internet Explorer\Internet Settings\Display settings\General Colors
Windows Components\Internet Explorer\Internet Settings\Display settings\Link Colors
Windows Components\Internet Explorer\Internet Settings\URL Encoding
Windows Components\Internet Explorer\Offline Pages
Windows Components\Internet Explorer\Persistence Behavior
Windows Components\Internet Explorer\Security Features\Network Protocol Lockdown\Restricted Pr
Windows Components\Microsoft Management Console
Windows Components\Microsoft Management Console
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extension sna
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\G
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\P
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Policy\Res
Windows Components\Multitasking
Windows Components\NetMeeting\Application Sharing
Windows Components\NetMeeting\Audio & Video
Windows Components\NetMeeting\Options Page
Windows Components\Network Sharing
Windows Components\OOBE
Windows Components\Presentation Settings
Windows Components\Remote Desktop Services\RD Gateway
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Env
Windows Components\Remote Desktop Services\RemoteApp and Desktop Connections
Windows Components\Sound Recorder
Windows Components\Tablet PC\Cursors
Windows Components\Tablet PC\Pen Flicks Learning
Windows Components\Tablet PC\Pen UX Behaviors
Windows Components\Tablet PC\Tablet PC Pen Training
Windows Components\Windows Calendar
Windows Components\Windows Color System
Windows Components\Windows Media Player\Networking
Windows Components\Windows Media Player\Playback
Windows Components\Windows Media Player\Playback
Windows Components\Windows Media Player\User Interface
Windows Components\Windows Mobility Center
Policy Setting Name
Always open All Control Panel Items when opening Control Panel
Hide specified Control Panel items
Prohibit access to Control Panel and PC settings
Settings Page Visibility
Show only specified Control Panel items
Go directly to Components Wizard
Hide Add New Programs page
Hide Add/Remove Windows Components page
Hide Change or Remove Programs page
Hide the "Add a program from CD-ROM or floppy disk" option
Hide the "Add programs from Microsoft" option
Hide the "Add programs from your network" option
Hide the Set Program Access and Defaults page
Remove Add or Remove Programs
Remove Support Information
Specify default category for Add New Programs
Disable the Display Control Panel
Hide Settings tab
Enable screen saver
Force a specific visual style file or force Windows Classic
Force specific screen saver
Load a specific theme
Password protect the screen saver
Prevent changing color and appearance
Prevent changing color scheme
Prevent changing desktop background
Prevent changing desktop icons
Prevent changing mouse pointers
Prevent changing screen saver
Prevent changing sounds
Prevent changing theme
Prevent changing visual style for windows and buttons
Prohibit selection of visual style font size
Screen saver timeout
Browse a common web site to find printers
Browse the network to find printers
Default Active Directory path when searching for printers
Enable Device Control Printing Restrictions
List of Approved USB-connected print devices
Only use Package Point and print
Package Point and print - Approved servers
Point and Print Restrictions
Prevent addition of printers
Prevent deletion of printers
Turn off Windows default printer management
Hide "Get Programs" page
Hide "Installed Updates" page
Hide "Programs and Features" page
Hide "Set Program Access and Computer Defaults" page
Hide "Windows Features"
Hide "Windows Marketplace"
Hide the Programs Control Panel
Hide Regional and Language Options administrative options
Hide the geographic location option
Hide the select language group options
Hide user locale selection and customization options
Restrict Language Pack and Language Feature Installation
Restrict selection of Windows menus and dialogs language
Restricts the UI languages Windows should use for the selected user
Turn off autocorrect misspelled words
Turn off highlight misspelled words
Turn off insert a space after selecting a text prediction
Turn off offer text predictions as I type
Turn off automatic learning
Do not add shares of recently opened documents to Network Locations
Don't save settings at exit
Hide and disable all items on the desktop
Hide Internet Explorer icon on desktop
Hide Network Locations icon on desktop
Prevent adding dragging dropping and closing the Taskbar's toolbars
Prohibit adjusting desktop toolbars
Prohibit User from manually redirecting Profile Folders
Remove Computer icon on the desktop
Remove My Documents icon on the desktop
Remove Properties from the Computer icon context menu
Remove Properties from the Documents icon context menu
Remove Properties from the Recycle Bin context menu
Remove Recycle Bin icon from desktop
Remove the Desktop Cleanup Wizard
Turn off Aero Shake window minimizing mouse gesture
Enable filter in Find dialog box
Hide Active Directory folder
Maximum size of Active Directory searches
Add/Delete items
Allow only bitmapped wallpaper
Desktop Wallpaper
Disable Active Desktop
Disable all items
Enable Active Desktop
Prohibit adding items
Prohibit changes
Prohibit closing items
Prohibit deleting items
Prohibit editing items
Ability to change properties of an all user remote access connection
Ability to delete all user remote access connections
Ability to Enable/Disable a LAN connection
Ability to rename all user remote access connections
Ability to rename LAN connections
Ability to rename LAN connections or remote access connections available to all users
Enable Windows 2000 Network Connections settings for Administrators
Prohibit access to properties of a LAN connection
Prohibit access to properties of components of a LAN connection
Prohibit access to properties of components of a remote access connection
Prohibit access to the Advanced Settings item on the Advanced menu
Prohibit access to the New Connection Wizard
Prohibit access to the Remote Access Preferences item on the Advanced menu
Prohibit adding and removing components for a LAN or remote access connection
Prohibit changing properties of a private remote access connection
Prohibit connecting and disconnecting a remote access connection
Prohibit deletion of remote access connections
Prohibit Enabling/Disabling components of a LAN connection
Prohibit renaming private remote access connections
Prohibit TCP/IP advanced configuration
Prohibit viewing of status for an active connection
Turn off notifications when a connection has only limited or no connectivity
Action on server disconnect
Event logging level
Initial reminder balloon lifetime
Non-default server disconnect actions
Prevent use of Offline Files folder
Prohibit user configuration of Offline Files
Reminder balloon frequency
Reminder balloon lifetime
Remove "Make Available Offline" command
Remove "Make Available Offline" for these files and folders
Remove "Work offline" command
Specify administratively assigned Offline Files
Synchronize all offline files before logging off
Synchronize all offline files when logging on
Synchronize offline files before suspend
Turn off reminder balloons
Prohibit access of the Windows Connect Now wizards
Allow DFS roots to be published
Allow shared folders to be published
Add "Run in Separate Memory Space" check box to Run dialog box
Add Logoff to the Start Menu
Add Search Internet link to Start Menu
Add the Run command to the Start Menu
Change Start Menu power button
Clear history of recently opened documents on exit
Clear the recent programs list for new users
Clear tile notifications during log on
Disable context menus in the Start Menu
Disable showing balloon notifications as toasts.
Do not allow pinning items in Jump Lists
Do not allow pinning programs to the Taskbar
Do not allow pinning Store app to the Taskbar
Do not allow taskbars on more than one display
Do not display any custom toolbars in the taskbar
Do not display or track items in Jump Lists from remote locations
Do not keep history of recently opened documents
Do not search communications
Do not search for files
Do not search Internet
Do not search programs and Control Panel items
Do not use the search-based method when resolving shell shortcuts
Do not use the tracking-based method when resolving shell shortcuts
Force classic Start Menu
Force Start to be either full screen size or menu size
Go to the desktop instead of Start when signing in
Gray unavailable Windows Installer programs Start Menu shortcuts
Hide the notification area
List desktop apps first in the Apps view
Lock all taskbar settings
Lock the Taskbar
Pin Apps to Start when installed
Prevent changes to Taskbar and Start Menu Settings
Prevent grouping of taskbar items
Prevent users from adding or removing toolbars
Prevent users from customizing their Start Screen
Prevent users from moving taskbar to another screen dock location
Prevent users from rearranging toolbars
Prevent users from resizing the taskbar
Prevent users from uninstalling applications from Start
Remove "Recently added" list from Start Menu
Remove access to the context menus for the taskbar
Remove All Programs list from the Start menu
Remove and prevent access to the Shut Down Restart Sleep and Hibernate commands
Remove Balloon Tips on Start Menu items
Remove Clock from the system notification area
Remove common program groups from Start Menu
Remove Default Programs link from the Start menu.
Remove Documents icon from Start Menu
Remove Downloads link from Start Menu
Remove Favorites menu from Start Menu
Remove frequent programs list from the Start Menu
Remove Games link from Start Menu
Remove Help menu from Start Menu
Remove Homegroup link from Start Menu
Remove links and access to Windows Update
Remove Logoff on the Start Menu
Remove Music icon from Start Menu
Remove Network Connections from Start Menu
Remove Network icon from Start Menu
Remove Notifications and Action Center
Remove Pictures icon from Start Menu
Remove pinned programs from the Taskbar
Remove pinned programs list from the Start Menu
Remove programs on Settings menu
Remove Recent Items menu from Start Menu
Remove Recorded TV link from Start Menu
Remove Run menu from Start Menu
Remove Search Computer link
Remove Search link from Start Menu
Remove See More Results / Search Everywhere link
Remove the "Undock PC" button from the Start Menu
Remove the battery meter
Remove the Meet Now icon
Remove the networking icon
Remove the People Bar from the taskbar
Remove the Security and Maintenance icon
Remove the volume control icon
Remove user folder link from Start Menu
Remove user name from Start Menu
Remove user's folders from the Start Menu
Remove Videos link from Start Menu
Search just apps from the Apps view
Show "Run as different user" command on Start
Show additional calendar
Show or hide "Most used" list from Start menu
Show QuickLaunch on Taskbar
Show Start on the display the user is using when they press the Windows logo key
Show the Apps view automatically when the user goes to Start
Show Windows Store apps on the taskbar
Start Layout
Turn off all balloon notifications
Turn off automatic promotion of notification icons to the taskbar
Turn off feature advertisement balloon notifications
Turn off notification area cleanup
Turn off personalized menus
Turn off taskbar thumbnails
Turn off user tracking
Set the time Quiet Hours begins each day
Set the time Quiet Hours ends each day
Turn off calls during Quiet Hours
Turn off notification mirroring
Turn off Quiet Hours
Turn off tile notifications
Turn off toast notifications
Turn off toast notifications on the lock screen
Century interpretation for Year 2000
Custom User Interface
Do not display the Getting Started welcome screen at logon
Don't run specified Windows applications
Download missing COM components
Prevent access to registry editing tools
Prevent access to the command prompt
Restrict these programs from being launched from Help
Run only specified Windows applications
Windows Automatic Updates
Remove Change Password
Remove Lock Computer
Remove Logoff
Remove Task Manager
Configure Per-Process System DPI settings
Code signing for device drivers
Configure driver search locations
Turn off Windows Update device driver search prompt
Do not automatically make all redirected folders available offline
Do not automatically make specific redirected folders available offline
Enable optimized move of contents in Offline Files cache on Folder Redirection server path change
Redirect folders on primary computers only
Use localized subfolder names when redirecting Start Menu and My Documents
Configure Group Policy domain controller selection
Configure Group Policy slow link detection
Create new Group Policy Object links disabled by default
Determine if interactive users can generate Resultant Set of Policy data
Enforce Show Policies Only
Set default name for new Group Policy objects
Set Group Policy refresh interval for users
Turn off automatic update of ADM files
Restrict Internet communication
Turn off access to the Store
Turn off downloading of print drivers over HTTP
Turn off handwriting personalization data sharing
Turn off handwriting recognition error reporting
Turn off Help Experience Improvement Program
Turn off Help Ratings
Turn off Internet download for Web publishing and online ordering wizards
Turn off Internet File Association service
Turn off printing over HTTP
Turn off the "Order Prints" picture task
Turn off the "Publish to Web" task for files and folders
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Windows Online
Disallow changing of geographic location
Disallow selection of Custom Locales
Disallow user override of locale settings
Restrict user locales
Do not process the legacy run list
Do not process the run once list
Run these programs at user logon
Process Mitigation Options
Prompt for password on resume from hibernate/suspend
All Removable Storage classes: Deny all access
CD and DVD: Deny read access
CD and DVD: Deny write access
Custom Classes: Deny read access
Custom Classes: Deny write access
Floppy Drives: Deny read access
Floppy Drives: Deny write access
Removable Disks: Deny read access
Removable Disks: Deny write access
Set time (in seconds) to force reboot
Tape Drives: Deny read access
Tape Drives: Deny write access
WPD Devices: Deny read access
WPD Devices: Deny write access
Display instructions in logoff scripts as they run
Display instructions in logon scripts as they run
Run legacy logon scripts hidden
Run logon scripts synchronously
Run Windows PowerShell scripts first at user logon logoff
Connect home directory to root of the share
Exclude directories in roaming profile
Limit profile size
Specify network directories to sync at logon/logoff time only
Prevent the wizard from running.
Block launching desktop apps associated with a file.
Block launching desktop apps associated with a URI scheme
Turn off Program Compatibility Assistant
Default risk level for file attachments
Do not preserve zone information in file attachments
Hide mechanisms to remove zone information
Inclusion list for high risk file types
Inclusion list for low file types
Inclusion list for moderate risk file types
Notify antivirus programs when opening attachments
Trust logic for file attachments
Disallow Autoplay for non-volume devices
Prevent AutoPlay from remembering user choices.
Set the default behavior for AutoRun
Turn off Autoplay
Allow Graphing Calculator
Configure Windows spotlight on lock screen
Do not suggest third-party content in Windows spotlight
Do not use diagnostic data for tailored experiences
Turn off all Windows spotlight features
Turn off the Windows Welcome Experience
Turn off Windows Spotlight on Action Center
Turn off Windows Spotlight on Settings
Do not display the password reveal button
Allow Diagnostic Data
Restrict unpacking and installation of gadgets that are not digitally signed.
Turn off desktop gadgets
Turn Off user-installed desktop gadgets
Do not allow Flip3D invocation
Do not allow window animations
Do not allow color changes
Specify a default color
Do not allow Digital Locker to run
Allow edge swipe
Disable help tips
Do not show recent apps when the mouse is pointing to the upper-left corner of the screen
Prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click the
Search Share Start Devices and Settings don't appear when the mouse is pointing to the upper-right corner of the screen
Turn off switching between recent apps
Turn off tracking of app usage
Allow only per user or approved shell extensions
Disable binding directly to IPropertySetStorage without intermediate layers.
Disable Known Folders
Display confirmation dialog when deleting files
Display the menu bar in File Explorer
Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon
Do not display the Welcome Center at user logon
Do not move deleted files to the Recycle Bin
Do not request alternate credentials
Do not track Shell shortcuts during roaming
Hide these specified drives in My Computer
Hides the Manage item on the File Explorer context menu
Location where all default Library definition files for users/machines reside.
Maximum allowed Recycle Bin size
Maximum number of recent documents
No Computers Near Me in Network Locations
No Entire Network in Network Locations
Pin Internet search sites to the "Search again" links and the Start menu
Pin Libraries or Search Connectors to the "Search again" links and the Start menu
Prevent access to drives from My Computer
Prevent users from adding files to the root of their Users Files folder.
Remove "Map Network Drive" and "Disconnect Network Drive"
Remove CD Burning features
Remove DFS tab
Remove File Explorer's default context menu
Remove File menu from File Explorer
Remove Hardware tab
Remove Search button from File Explorer
Remove Security tab
Remove Shared Documents from My Computer
Remove the Search the Internet "Search again" link
Remove UI to change keyboard navigation indicator setting
Remove UI to change menu animation setting
Request credentials for network installations
Start File Explorer with ribbon minimized
Turn off caching of thumbnail pictures
Turn off common control and window animations
Turn off display of recent search entries in the File Explorer search box
Turn off numerical sorting in File Explorer
Turn off shell protocol protected mode
Turn off the caching of thumbnails in hidden thumbs.db files
Turn off the display of snippets in Content view mode
Turn off the display of thumbnails and only display icons on network folders
Turn off the display of thumbnails and only display icons.
Turn off Windows Key hotkeys
Turn off Windows Libraries features that rely on indexed file data
Turn on Classic Shell
Hide the common dialog back button
Hide the common dialog places bar
Hide the dropdown list of recent files
Items displayed in Places Bar
Turn off Preview Pane
Turn on or off details pane
Hide previous versions list for local files
Hide previous versions list for remote files
Hide previous versions of files on backup location
Prevent restoring local previous versions
Prevent restoring previous versions from backups
Prevent restoring remote previous versions
Allow Windows Runtime apps to revoke enterprise data
Configure Japanese IME version
Configure Korean IME version
Configure Simplified Chinese IME version
Configure Traditional Chinese IME version
Do not include Non-Publishing Standard Glyph in the candidate list
Restrict character code range of conversion
Turn off custom dictionary
Turn off history-based predictive input
Turn off Internet search integration
Turn off Open Extended Dictionary
Turn off saving auto-tuning data to file
Turn on cloud candidate
Turn on cloud candidate for CHS
Turn on lexicon update
Turn on Live Sticker
Turn on misconversion logging for misconversion report
Custom Instant Search Internet search provider
Add a specific list of search providers to the user's list of search providers
Allow "Save Target As" in Internet Explorer mode
Allow Internet Explorer 8 shutdown behavior
Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
Automatically activate newly installed add-ons
Configure Media Explorer Bar
Configure Outlook Express
Configure which channel of Microsoft Edge to use for opening redirected sites
Customize user agent string
Disable AutoComplete for forms
Disable caching of Auto-Proxy scripts
Disable changing accessibility settings
Disable changing Advanced page settings
Disable changing Automatic Configuration settings
Disable changing Calendar and Contact settings
Disable changing certificate settings
Disable changing color settings
Disable changing connection settings
Disable changing default browser check
Disable changing font settings
Disable changing home page settings
Disable changing language settings
Disable changing link color settings
Disable changing Messaging settings
Disable changing Profile Assistant settings
Disable changing ratings settings
Disable changing secondary home page settings
Disable changing Temporary Internet files settings
Disable external branding of Internet Explorer
Disable Import/Export Settings wizard
Disable Internet Connection wizard
Disable Internet Explorer 11 as a standalone browser
Disable the Reset Web Settings feature
Display error message on proxy script download failure
Do not allow users to enable or disable add-ons
Enable extended hot keys in Internet Explorer mode
Enforce full-screen mode
Identity Manager: Prevent users from using Identities
Keep all intranet sites in Internet Explorer
Let users turn on and use Enterprise Mode from the Tools menu
Limit Site Discovery output by Domain
Limit Site Discovery output by Zone
Notify users if Internet Explorer is not the default web browser
Pop-up allow list
Position the menu bar above the navigation bar
Prevent "Fix settings" functionality
Prevent access to Internet Explorer Help
Prevent bypassing SmartScreen Filter warnings
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Prevent changing pop-up filter level
Prevent changing proxy settings
Prevent changing the default search provider
Prevent configuration of how windows open
Prevent configuration of new tab creation
Prevent Internet Explorer Search box from appearing
Prevent managing pop-up exception list
Prevent managing SmartScreen Filter
Prevent managing the phishing filter
Prevent participation in the Customer Experience Improvement Program
Prevent per-user installation of ActiveX controls
Prevent running First Run wizard
Restrict search providers to a specific list
Search: Disable Find Files via F3 within the browser
Search: Disable Search Customization
Send all sites not included in the Enterprise Mode Site List to Microsoft Edge.
Set tab process growth
Show message when opening sites in Microsoft Edge using Enterprise Mode
Specify default behavior for a new tab
Specify use of ActiveX Installer Service for installation of ActiveX controls
Turn off ability to pin sites in Internet Explorer on the desktop
Turn off ActiveX Opt-In prompt
Turn off add-on performance notifications
Turn off Automatic Crash Recovery
Turn off browser geolocation
Turn off configuration of pop-up windows in tabbed browsing
Turn off Crash Detection
Turn off Favorites bar
Turn off Managing SmartScreen Filter for Internet Explorer 8
Turn off page-zooming functionality
Turn off pop-up management
Turn off Quick Tabs functionality
Turn off Reopen Last Browsing Session
Turn off suggestions for all user-installed providers
Turn off Tab Grouping
Turn off tabbed browsing
Turn off the auto-complete feature for web addresses
Turn off the quick pick menu
Turn off the Security Settings Check feature
Turn on ActiveX Filtering
Turn on compatibility logging
Turn on menu bar by default
Turn on Site Discovery WMI output
Turn on Site Discovery XML output
Turn on Suggested Sites
Turn on the auto-complete feature for user names and passwords on forms
Use Automatic Detection for dial-up connections
Use the Enterprise Mode IE website list
Add default Accelerators
Add non-default Accelerators
Restrict Accelerators to those deployed through Group Policy
Turn off Accelerators
Audio/Video Player
Carpoint
DHTML Edit Control
Investor
Menu Controls
Microsoft Agent
Microsoft Chat
Microsoft Scriptlet Component
Microsoft Survey Control
MSNBC
NetShow File Transfer Control
Shockwave Flash
Bypass prompting for Clipboard access for scripts running in any process
Bypass prompting for Clipboard access for scripts running in the Internet Explorer process
Define applications and processes that can access the Clipboard without prompting
Disable Open in New Window menu option
Disable Save this program to disk option
File menu: Disable closing the browser and Explorer windows
File menu: Disable New menu option
File menu: Disable Open menu option
File menu: Disable Save As Web Page Complete
File menu: Disable Save As... menu option
Help menu: Remove 'For Netscape Users' menu option
Help menu: Remove 'Send Feedback' menu option
Help menu: Remove 'Tip of the Day' menu option
Help menu: Remove 'Tour' menu option
Hide Favorites menu
Tools menu: Disable Internet Options... menu option
Turn off Print Menu
Turn off Shortcut Menu
Turn off the ability to launch report site problems using a menu option
View menu: Disable Full Screen menu option
View menu: Disable Source menu option
Include updated website lists from Microsoft
Turn off Compatibility View
Turn off Compatibility View button
Turn on Internet Explorer 7 Standards Mode
Turn on Internet Explorer Standards Mode for local intranet
Use Policy List of Internet Explorer 7 sites
Use Policy List of Quirks Mode sites
Allow deleting browsing history on exit
Disable "Configuring History"
Prevent access to Delete Browsing History
Prevent deleting ActiveX Filtering Tracking Protection and Do Not Track data
Prevent deleting cookies
Prevent deleting download history
Prevent deleting favorites site data
Prevent deleting form data
Prevent deleting InPrivate Filtering data
Prevent deleting passwords
Prevent deleting temporary Internet files
Prevent deleting websites that the user has visited
Prevent the deletion of temporary Internet files and cookies
Disable the Advanced page
Disable the Connections page
Disable the Content page
Disable the General page
Disable the Privacy page
Disable the Programs page
Disable the Security page
Prevent ignoring certificate errors
Send internationalized domain names
Use UTF-8 for mailto links
Allow active content from CDs to run on user machines
Allow Install On Demand (except Internet Explorer)
Allow Install On Demand (Internet Explorer)
Allow Internet Explorer to use the HTTP2 network protocol
Allow Internet Explorer to use the SPDY/3 network protocol
Allow software to run or install even if the signature is invalid
Allow third-party browser extensions
Always send Do Not Track header
Automatically check for Internet Explorer updates
Check for server certificate revocation
Check for signatures on downloaded programs
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
Do not allow resetting Internet Explorer settings
Do not save encrypted pages to disk
Empty Temporary Internet Files folder when browser is closed
Play animations in web pages
Play sounds in web pages
Play videos in web pages
Turn off ClearType
Turn off encryption support
Turn off loading websites and content in the background to optimize performance
Turn off Profile Assistant
Turn off sending UTF-8 query strings for URLs
Turn off the flip ahead with page prediction feature
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
Turn on Caret Browsing support
Turn on Enhanced Protected Mode
Use HTTP 1.1
Use HTTP 1.1 through proxy connections
Show Content Advisor on Internet Options
Start Internet Explorer with tabs from last browsing session
Allow websites to store application caches on client computers
Allow websites to store indexed databases on client computers
Set application cache storage limits for individual domains
Set application caches expiration time limit for individual domains
Set default storage limits for websites
Set indexed database storage limits for individual domains
Set maximum application cache individual resource size
Set maximum application cache resource list size
Set maximum application caches storage limit for all domains
Set maximum indexed database storage limit for all domains
Internet Zone Template
Intranet Sites: Include all local (intranet) sites not listed in other zones
Intranet Sites: Include all network paths (UNCs)
Intranet Sites: Include all sites that bypass the proxy server
Intranet Zone Template
Local Machine Zone Template
Locked-Down Internet Zone Template
Locked-Down Intranet Zone Template
Locked-Down Local Machine Zone Template
Locked-Down Restricted Sites Zone Template
Locked-Down Trusted Sites Zone Template
Restricted Sites Zone Template
Site to Zone Assignment List
Trusted Sites Zone Template
Turn on automatic detection of intranet
Turn on certificate address mismatch warning
Turn on Notification bar notification for intranet content
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Open Internet Explorer tiles on the desktop
Set how links are opened in Internet Explorer
Go to an intranet site for a one-word entry in the Address bar
Hide the button (next to the New Tab button) that opens Microsoft Edge
Turn off configuring underline links
Turn off details in messages about Internet connection problems
Turn off page transitions
Turn off phone number detection
Turn off smooth scrolling
Turn on script debugging
Turn on the display of script errors
Start the Internet Connection Wizard automatically
Allow Internet Explorer to play media files that use alternative codecs
Allow the display of image download placeholders
Turn off automatic image resizing
Turn off image display
Turn off smart image dithering
Turn on printing of background colors and images
Prevent configuration of search on Address bar
Prevent configuration of top-result search on Address bar
Turn on automatic signup
Turn off inline AutoComplete in File Explorer
Turn off URL Suggestions
Turn off Windows Search AutoComplete
Turn on inline AutoComplete
Prevent choosing default text size
Prevent specifying background color
Prevent specifying text color
Prevent the use of Windows colors
Prevent specifying the color of links that have already been clicked
Prevent specifying the color of links that have not yet been clicked
Prevent specifying the hover color
Turn on the hover color option
Turn off sending URL path as UTF-8
Disable adding channels
Disable adding schedules for offline pages
Disable all scheduled offline pages
Disable channel user interface completely
Disable downloading of site subscription content
Disable editing and creating of schedule groups
Disable editing schedules for offline pages
Disable offline page hit logging
Disable removing channels
Disable removing schedules for offline pages
Subscription Limits
File size limits for Internet zone
File size limits for Intranet zone
File size limits for Local Machine zone
File size limits for Restricted Sites zone
File size limits for Trusted Sites zone
Establish InPrivate Filtering threshold
Establish Tracking Protection threshold
Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts
Turn off collection of InPrivate Filtering data
Turn off InPrivate Browsing
Turn off InPrivate Filtering
Turn off Tracking Protection
Do not display the reveal password button
Turn off Data URI support
Add-on List
All Processes
Deny all add-ons unless specifically allowed in the Add-on List
Process List
Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
Turn off automatic download of the ActiveX VersionList
Turn off blocking of outdated ActiveX controls for Internet Explorer
Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
Turn on ActiveX control logging in Internet Explorer
Allow native XMLHTTP support
Change the maximum number of connections per host (HTTP 1.1)
Maximum number of connections per server (HTTP 1.0)
Set the maximum number of WebSocket connections per server
Turn off cross-document messaging
Turn off the WebSocket Object
Turn off the XDomainRequest object
Admin-approved behaviors
All Processes
Install binaries signed by MD2 and MD4 signing technologies
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
Internet Zone Restricted Protocols
Intranet Zone Restricted Protocols
Local Machine Zone Restricted Protocols
Restricted Sites Zone Restricted Protocols
Trusted Sites Zone Restricted Protocols
All Processes
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
Configure Toolbar Buttons
Customize command labels
Disable customizing browser toolbar buttons
Disable customizing browser toolbars
Display tabs on a separate row
Hide the Command bar
Hide the status bar
Lock all toolbars
Lock location of Stop and Refresh buttons
Turn off Developer Tools
Turn off toolbar upgrade tool
Use large icons for command buttons
Turn off location
Turn off location scripting
Turn off sensors
Restrict the user from entering author mode
Restrict users to the explicitly permitted list of snap-ins
.Net Framework Configuration
Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Users and Computers
ActiveX Control
ADSI Edit
Certificate Templates
Certificates
Certification Authority
Component Services
Computer Management
Device Manager
DFS Management
Disk Defragmenter
Disk Management
Distributed File System
Enterprise PKI
Event Viewer
Event Viewer (Windows Vista)
Failover Clusters Manager
FAX Service
File Server Resource Manager
FrontPage Server Extensions
Health Registration Authority (HRA)
Indexing Service
Internet Authentication Service (IAS)
Internet Information Services
IP Security Monitor
IP Security Policy Management
Link to Web Address
Local Users and Groups
NAP Client Configuration
Network Policy Server (NPS)
Online Responder
Performance Logs and Alerts
QoS Admission Control
Remote Desktop Services Configuration
Remote Desktops
Removable Storage Management
Routing and Remote Access
Security Configuration and Analysis
Security Templates
Server Manager
Services
Share and Storage Management
Shared Folders
Storage Manager for SANs
System Information
Telephony
TPM Management
Windows Firewall with Advanced Security
Wireless Monitor
WMI Control
AppleTalk Routing
Authorization Manager
Certification Authority Policy Settings
Connection Sharing (NAT)
DCOM Configuration Extension
Device Manager
DFS Management Extension
DHCP Relay Management
Disk Management Extension
Event Viewer
Event Viewer (Windows Vista)
Extended View (Web View)
File Server Resource Manager Extension
IAS Logging
IGMP Routing
IP Routing
IPX RIP Routing
IPX Routing
IPX SAP Routing
Logical and Mapped Drives
OSPF Routing
Public Key Policies
RAS Dialin - User Node
Remote Access
Removable Storage
RIP Routing
Routing
Send Console Message
Service Dependencies
Share and Storage Management Extension
Shared Folders Ext
SMTP Protocol
SNMP
Storage Manager for SANS Extension
System Properties
Group Policy Management
Group Policy Management Editor
Group Policy Object Editor
Group Policy Starter GPO Editor
Group Policy tab for Active Directory Tools
Resultant Set of Policy snap-in
Administrative Templates (Computers)
Administrative Templates (Users)
Folder Redirection
Internet Explorer Maintenance
IP Security Policy Management
NAP Client Configuration
Remote Installation Services
Scripts (Logon/Logoff)
Scripts (Startup/Shutdown)
Security Settings
Software Installation (Computers)
Software Installation (Users)
Windows Firewall with Advanced Security
Wired Network (IEEE 802.3) Policies
Wireless Network (IEEE 802.11) Policies
Permit use of Application snap-ins
Permit use of Applications preference extension
Permit use of Control Panel Settings (Computers)
Permit use of Control Panel Settings (Users)
Permit use of Data Sources preference extension
Permit use of Devices preference extension
Permit use of Drive Maps preference extension
Permit use of Environment preference extension
Permit use of Files preference extension
Permit use of Folder Options preference extension
Permit use of Folders preference extension
Permit use of Ini Files preference extension
Permit use of Internet Settings preference extension
Permit use of Local Users and Groups preference extension
Permit use of Network Options preference extension
Permit use of Network Shares preference extension
Permit use of Power Options preference extension
Permit use of Preferences tab
Permit use of Printers preference extension
Permit use of Regional Options preference extension
Permit use of Registry preference extension
Permit use of Scheduled Tasks preference extension
Permit use of Services preference extension
Permit use of Shortcuts preference extension
Permit use of Start Menu preference extension
Administrative Templates (Computers)
Administrative Templates (Users)
Folder Redirection
Internet Explorer Maintenance
Scripts (Logon/Logoff)
Scripts (Startup/Shutdown)
Security Settings
Software Installation (Computers)
Software Installation (Users)
Configure Sync Method
Do not synchronize Windows Apps
Ping the settings storage location before sync
Settings package size warning threshold
Settings storage path
Sync settings over metered connections
Sync settings over metered connections even when roaming
Synchronization timeout
Synchronize Windows settings
Use User Experience Virtualization (UE-V)
VDI Configuration
Calculator
InfoPath 2013 backup only
Internet Explorer 8
Internet Explorer 9
Internet Explorer Common Settings
Microsoft Lync 2010
Microsoft Lync 2013
Microsoft Lync 2016
Microsoft Office 365 InfoPath 2013
Microsoft Office 365 SharePoint Designer 2013
Microsoft SharePoint Workspace 2010
Microsoft Word 2010
Microsoft Word 2013
Microsoft Word 2016
Notepad
SharePoint Designer 2013 backup only
WordPad
Finance
Games
Maps
Music
News
Reader
Sports
Travel
Video
Weather
Configure the inclusion of Edge tabs into Alt-Tab
Allow persisting automatic acceptance of Calls
Disable Chat
Disable Directory services
Disable NetMeeting 2.x Whiteboard
Disable Whiteboard
Enable Automatic Configuration
Limit the size of sent files
Prevent adding Directory servers
Prevent automatic acceptance of Calls
Prevent changing Call placement method
Prevent receiving files
Prevent sending files
Prevent viewing Web directory
Set Call Security options
Set the intranet support Web page
Disable application Sharing
Prevent Application Sharing in true color
Prevent Control
Prevent Desktop Sharing
Prevent Sharing
Prevent Sharing Command Prompts
Prevent Sharing Explorer windows
Disable Audio
Disable full duplex Audio
Limit the bandwidth of Audio and Video
Prevent changing DirectSound Audio setting
Prevent receiving Video
Prevent sending Video
Disable the Advanced Calling button
Hide the Audio page
Hide the General page
Hide the Security page
Hide the Video page
Prevent users from sharing files within their profile.
Don't launch privacy settings experience on user logon
Turn off Windows presentation settings
Enable connection through RD Gateway
Set RD Gateway authentication method
Set RD Gateway server address
Allow .rdp files from unknown publishers
Allow .rdp files from valid publishers and user's default .rdp settings
Do not allow passwords to be saved
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
Set rules for remote control of Remote Desktop Services user sessions
Allow time zone redirection
Do not allow Clipboard redirection
Redirect only the default client printer
Use Remote Desktop Easy Print printer driver first
Always show desktop on connection
Remove remote desktop wallpaper
Start a program on connection
End session when time limits are reached
Set time limit for active but idle Remote Desktop Services sessions
Set time limit for active Remote Desktop Services sessions
Set time limit for disconnected sessions
Set time limit for logoff of RemoteApp sessions
Specify default connection URL
Prevent access to feed list
Prevent automatic discovery of feeds and Web Slices
Prevent downloading of enclosures
Prevent subscribing to or deleting a feed or a Web Slice
Turn off background synchronization for feeds and Web Slices
Turn on Basic feed authentication over HTTP
Default excluded paths
Default indexed paths
Prevent adding UNC locations to index from Control Panel
Prevent customization of indexed locations in Control Panel
Prevent indexing certain paths
Turn off storage and display of search history
Do not allow Sound Recorder to run
Only display the private store within the Microsoft Store
Turn off the offer to update to the latest version of Windows
Turn off the Store application
Do not allow Inkball to run
Do not allow printing to Journal Note Writer
Do not allow Snipping Tool to run
Do not allow Windows Journal to be run
Turn off pen feedback
Prevent Back-ESC mapping
Prevent launch an application
Prevent press and hold
Turn off hardware buttons
Disable text prediction
For tablet pen input donâ€™t show the Input Panel icon
For touch input donâ€™t show the Input Panel icon
Include rarely used Chinese Kanji or Hanja characters
Prevent Input Panel tab from appearing
Turn off AutoComplete integration with Input Panel
Turn off password security in Input Panel
Turn off tolerant and Z-shaped scratch-out gestures
Prevent Flicks Learning Mode
Prevent flicks
Turn off Tablet PC Pen Training
Turn off Tablet PC touch input
Turn off Touch Panning
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard
Hide Property Pages
Prevent Task Run or End
Prohibit Browse
Prohibit Drag-and-Drop
Prohibit New Task Creation
Prohibit Task Deletion
Turn off Windows Calendar
Prohibit installing or uninstalling color profiles
Prevent bypassing Windows Defender SmartScreen prompts for sites
Automatically send memory dumps for OS-generated error reports
Disable logging
Disable Windows Error Reporting
Do not send additional data
Do not throttle additional data
Send additional data when on battery power
Send data when on connected to a restricted/costed network
Configure Report Archive
Configure Report Queue
List of applications to be excluded
Configure Default consent
Customize consent settings
Ignore custom consent settings
Use certificate for on-premises authentication
Use cloud trust for on-premises authentication
Use Windows Hello for Business
Always install with elevated privileges
Prevent removable media source for any installation
Prohibit rollback
Specify the order in which Windows Installer searches for installation files
Remove logon hours expiration warnings
Report when logon server was not available during user logon
Set action to take when logon hours expire
Prevent CD and DVD Media Information Retrieval
Prevent Music File Media Information Retrieval
Prevent Radio Station Preset Retrieval
Configure HTTP Proxy
Configure MMS Proxy
Configure Network Buffering
Configure RTSP Proxy
Hide Network Tab
Streaming Media Protocols
Allow Screen Saver
Prevent Codec Download
Do Not Show Anchor
Hide Privacy Tab
Hide Security Tab
Set and Lock Skin
Do not allow Windows Messenger to be run
Do not automatically start Windows Messenger initially
Turn off Windows Mobility Center
Set the default source path for Update-Help
Turn on Module Logging
Turn on PowerShell Script Block Logging
Turn on PowerShell Transcription
Turn on Script Execution
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Remove access to use all Windows Update features
Enables the use of Token Broker for AD FS authentication
Specify Work Folders settings
nu they see when they right-click the lower-left corner or press the Windows logo key+X
upper-right corner of the screen
oaded from the Internet
Prompt me to save passwords = False Prompt me to save passwords = False
Prompt me to save passwords = Disabled Prompt me to save passwords = Disabled
Prompt me to save passwords = [Multiple Prompt me to save passwords = [Multiple
possible: Enabled, Disabled] possible: Enabled, Disabled]
ns of Windows
Browsing starts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceClassicControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisallowCpl; HKCU\Software\M
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!SettingsPageVisibility
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictCpl; HKCU\Software\Mi
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoWindowsSetupPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoRemovePage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromCDorFloppy
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromInternet
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromNetwork
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoChooseProgramsPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddRemovePrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoSupportInfo
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!DefaultCategory
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispCPL
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispSettingsPage
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveActive
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!SetVisualStyle
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!SCRNSAVE.EXE
HKCU\Software\Policies\Microsoft\Windows\Personalization!ThemeFile
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaverIsSecure
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispAppearancePage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoColorChoice
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoChangingWallPaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispBackgroundPage
HKCU\Software\Policies\Microsoft\Windows\Personalization!NoChangingMousePointers
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispScrSavPage
HKCU\Software\Policies\Microsoft\Windows\Personalization!NoChangingSoundScheme
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoThemesTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoVisualStyleChoice
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoSizeChoice
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveTimeOut
HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Printers Page URL
HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Downlevel Browse
HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Default Search Scope
HKCU\Software\Policies\Microsoft\Windows NT\Printers!EnableDeviceControl
HKCU\Software\Policies\Microsoft\Windows NT\Printers!ApprovedUsbPrintDevices
HKCU\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPri
HKCU\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPrin
HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!Restricted; HKCU\Software\
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAddPrinter
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDeletePrinter
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows!LegacyDefaultPrinterMode
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoGetPrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoInstalledUpdates
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoProgramsAndFeatures
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoDefaultPrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoWindowsFeatures
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoWindowsMarketplace
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoProgramsCPL
HKCU\Software\Policies\Microsoft\Control Panel\International!HideAdminOptions
HKCU\Software\Policies\Microsoft\Control Panel\International!HideCurrentLocation
HKCU\Software\Policies\Microsoft\Control Panel\International!HideLanguageSelection
HKCU\Software\Policies\Microsoft\Control Panel\International!HideLocaleSelectAndCustomize
HKCU\Software\Policies\Microsoft\Control Panel\International!RestrictLanguagePacksAndFeaturesIns
HKCU\Software\Policies\Microsoft\Control Panel\Desktop!MultiUILanguageID
HKCU\Software\Policies\Microsoft\Control Panel\Desktop!PreferredUILanguages
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffAutocorrectMisspelledWords
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffHighlightMisspelledWords
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffInsertSpace
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffOfferTextPredictions
HKCU\SOFTWARE\Policies\Microsoft\InputPersonalization!RestrictImplicitTextCollection HKCU\SOFTWA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsNetHood
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSaveSettings
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetIcon
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetHood
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCloseDragDropBands
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoMovingBands
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisablePersonalDirChange
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{20D04FE0-3AEA-1069-A2D
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{450D8FBA-AD25-11D0-98A
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesMyComputer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesMyDocuments
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesRecycleBin
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{645FF040-5081-101B-9F08
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDesktopCleanupWizard
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoWindowMinimizingShortcuts
HKCU\Software\Policies\Microsoft\Windows\Directory UI!EnableFilter
HKCU\Software\Policies\Microsoft\Windows\Directory UI!HideDirectoryFolder
HKCU\Software\Policies\Microsoft\Windows\Directory UI!QueryLimit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\AdminComponent!Add
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoHTMLWallPaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!Wallpaper HKCU\Software\Micr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceActiveDesktopOn
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoAddingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoActiveDesktopChanges
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoClosingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoDeletingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoEditingComponents
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasAllUserProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DeleteAllUserConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanConnect
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameAllUserRasConnecti
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameLanConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_EnableAdminProhibits
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanChangeProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasChangeProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AdvancedSettings
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_NewConnectionWizard
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DialupPrefs
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AddRemoveComponents
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasMyProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasConnect
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DeleteConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_ChangeBindState
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameMyRasConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowAdvancedTCPIPConfig
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_Statistics
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_IpStateChecking
HKCU\Software\Policies\Microsoft\Windows\NetCache!GoOfflineAction
HKCU\Software\Policies\Microsoft\Windows\NetCache!EventLoggingLevel
HKCU\Software\Policies\Microsoft\Windows\NetCache!InitialBalloonTimeoutSeconds
HKCU\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoCacheViewer
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoConfigCache
HKCU\Software\Policies\Microsoft\Windows\NetCache!ReminderFreqMinutes
HKCU\Software\Policies\Microsoft\Windows\NetCache!ReminderBalloonTimeoutSeconds
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoMakeAvailableOffline
HKCU\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList
HKCU\Software\Policies\Microsoft\Windows\NetCache!WorkOfflineDisabled
HKCU\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders
HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogoff
HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogon
HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtSuspend
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoReminders
HKCU\Software\Policies\Microsoft\Windows\WCN\UI!DisableWcnUi
HKCU\Software\Policies\Microsoft\Windows NT\SharedFolders!PublishDfsRoots
HKCU\Software\Policies\Microsoft\Windows NT\SharedFolders!PublishSharedFolders
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!MemCheckBoxInRunDlg
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceStartMenuLogOff
HKCU\Software\Policies\Microsoft\Windows\Explorer!AddSearchInternetLinkInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceRunOnStartMenu
HKCU\Software\Policies\Microsoft\Windows\Explorer!PowerButtonAction
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClearRecentDocsOnExit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClearRecentProgForNewUser
HKCU\Software\Policies\Microsoft\Windows\Explorer!ClearTilesOnExit
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableContextMenusInStart
HKCU\Software\Policies\Microsoft\Windows\Explorer!EnableLegacyBalloonNotifications
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoPinningToDestinations
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoPinningToTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoPinningStoreToTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!TaskbarNoMultimon
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoToolbarsOnTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoRemoteDestinations
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsHistory
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchCommInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchFilesInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchInternetInStartMen
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchProgramsInStartMe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoResolveSearch
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoResolveTrack
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSimpleStartMenu
HKCU\Software\Policies\Microsoft\Windows\Explorer!ForceStartSize
HKCU\Software\Policies\Microsoft\Windows\Explorer!GoToDesktopOnSignIn
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!GreyMSIAds
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTrayItemsDisplay
HKCU\Software\Policies\Microsoft\Windows\Explorer!DesktopAppsFirstInAppsView
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarLockAll
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!LockTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!StartPinAppsWhenInstalled; HKCU\Software\P
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSetTaskbar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTaskGrouping
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoAddRemoveToolba
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoRedock
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoDragToolbar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoResize
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoUninstallFromStart
HKCU\Software\Policies\Microsoft\Windows\Explorer!HideRecentlyAddedApps
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTrayContextMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMorePrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoClose
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMBalloonTip
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideClock
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCommonGroups
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMConfigurePrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMMyDocs
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuDownloads
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFavoritesMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMFUprogramsLi
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMyGames
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMHelp
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuHomegroup
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWindowsUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!StartMenuLogOff
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMyMusic
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetworkConnections
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuNetworkPlaces
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableNotificationCenter
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMMyPictures
HKCU\Software\Policies\Microsoft\Windows\Explorer!TaskbarNoPinnedList
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuPinnedList
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSetFolders
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsMenu
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuRecordedTV
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchComputerLinkInSta
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFind
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoSearchEverywhereLinkInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuEjectPC
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAPower
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAMeetNow
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCANetwork
HKCU\Software\Policies\Microsoft\Windows\Explorer!HidePeopleBar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAHealth
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAVolume
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoUserFolderInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoUserNameInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuSubFolders
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuVideos
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableGlobalSearchOnAppsView
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowRunAsDifferentUserInStart
HKCU\Software\Policies\Microsoft\Windows\Settings!AllowConfigureTaskbarCalendar; HKCU\Softwar
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowOrHideMostUsedApps
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!QuickLaunchEnabled
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowStartOnDisplayWithForegroundOnWinK
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowAppsViewOnStart
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowWindowsStoreAppsOnTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!LockedStartLayout; HKCU\Software\Policies\M
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoNotification
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoSystraySystemPromotion
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoBalloonFeatureAdvertisements
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutoTrayNotify
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!Intellimenus
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoThumbnail
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInstrumentation
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!EntryTime
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!ExitTime
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!AllowCalls
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!DisallowNotificati
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!Enable
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoTileApplicationNo
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoToastApplication
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoToastApplicatio
HKCU\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax!1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWelcomeScreen
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisallowRun; HKCU\Software\
HKCU\Software\Policies\Microsoft\Windows\App Management!COMClassStore
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableRegistryTools
HKCU\Software\Policies\Microsoft\Windows\System!DisableCMD
HKCU\Software\Policies\Microsoft\Windows\System!DisableInHelp
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictRun; HKCU\Software\M
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutoUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableChangePassword
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableLockWorkstation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoLogoff
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableTaskMgr
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!EnablePerProcessSystemDPI HK
HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing!BehaviorOnFailedVerify
HKCU\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchFloppies HKCU\Software\P
HKCU\Software\Policies\Microsoft\Windows\DriverSearching!DontPromptForWindowsUpdate
HKCU\Software\Policies\Microsoft\Windows\NetCache!DisableFRAdminPin
HKCU\Software\Policies\Microsoft\Windows\NetCache\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
HKCU\Software\Policies\Microsoft\Windows\System\Fdeploy!FolderRedirectionEnableCacheRenam
HKCU\Software\Policies\Microsoft\Windows\System\Fdeploy!PrimaryComputerEnabledFR
HKCU\Software\Policies\Microsoft\Windows\System\Fdeploy!LocalizeXPRelativePaths
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!DCOption
HKCU\Software\Policies\Microsoft\Windows\System!GroupPolicyMinTransferRate
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!NewGPOLinksDisabled
HKCU\Software\Policies\Microsoft\Windows\System!DenyRsopToInteractiveUser
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!ShowPoliciesOnly
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!GPODisplayName
HKCU\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTime HKCU\Software\Polic
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!DisableAutoADMUpdate
HKCU\Software\Policies\Microsoft\InternetManagement!RestrictCommunication; HKCU\Software\Mic
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoUseStoreOpenWith
HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
HKCU\Software\Policies\Microsoft\Windows\TabletPC!PreventHandwritingDataSharing
HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports!PreventHandwritingErrorRep
HKCU\Software\Policies\Microsoft\Assistance\Client\1.0!NoImplicitFeedback
HKCU\Software\Policies\Microsoft\Assistance\Client\1.0!NoExplicitFeedback
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith
HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard
HKCU\Software\Policies\Microsoft\Messenger\Client!CEIP
HKCU\Software\Policies\Microsoft\Assistance\Client\1.0!NoOnlineAssist
HKCU\Software\Policies\Microsoft\Control Panel\International!PreventGeoIdChange
HKCU\Software\Policies\Microsoft\Control Panel\International!CustomLocalesNoSelect
HKCU\Software\Policies\Microsoft\Control Panel\International!PreventUserOverrides
HKCU\Software\Policies\Microsoft\Control Panel\International!RestrictUserLocales; HKCU\Software\P
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableCurrentUserRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableCurrentUserRunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions
HKCU\Software\Policies\Microsoft\Windows\System\Power!PromptPasswordOnResume
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices!Deny_All
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read!Deny_R
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write!Deny_W
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices!RebootTimeinSeconds_stat
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA8
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLogoffScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLogonScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLegacyLogonScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunLogonScriptSync
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunUserPSScriptsFirst
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!ConnectHomeDirToRoot
HKCU\Software\Policies\Microsoft\Windows\System!ExcludeProfileDirs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!EnableProfileQuota; HKCU\Sof
HKCU\Software\Policies\Microsoft\Windows\System!CscSuspendDirs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU!Disabled
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockFileElevation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockProtocolElevation
HKCU\Software\Policies\Microsoft\Windows\AppCompat!DisablePCA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!DefaultFileTypeRisk
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!SaveZoneInformation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!HideZoneInfoOnPropertie
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!HighRiskFileTypes
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!LowRiskFileTypes
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!ModRiskFileTypes
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!ScanWithAntiVirus
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!UseTrustedHandlers
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoAutoplayfornonVolume
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DontSetAutoplayCheckbox
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutorun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Calculator!AllowGraphingCalculator
HKCU\Software\Policies\Microsoft\Windows\CloudContent!ConfigureWindowsSpotlight; HKCU\Softwa
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableThirdPartySuggestions
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableTailoredExperiencesWithDiagnost
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableWindowsSpotlightFeatures
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableWindowsSpotlightWindowsWelc
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableWindowsSpotlightOnActionCente
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableWindowsSpotlightOnSettings
HKCU\Software\Policies\Microsoft\Windows\CredUI!DisablePasswordReveal
HKCU\Software\Policies\Microsoft\Windows\DataCollection!AllowTelemetry
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUnsignedGa
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffSidebar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUserInstalle
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowFlip3d
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowAnimations
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowColorizationColorChanges
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DefaultColorizationColorState; HKCU\SOFTWAR
HKCU\SOFTWARE\Policies\Microsoft\Windows\Digital Locker!DoNotRunDigitalLocker
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!AllowEdgeSwipe
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableHelpSticker
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableRecentApps
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!ShowCommandPromptOnWinX
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableCharms
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!TurnOffBackstack
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableMFUTracking
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!EnforceShellExtensionSecurit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableBindDirectlyToPropert
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableKnownFolders; HKCU\Software\Polici
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ConfirmFileDelete
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!AlwaysShowClassicMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFolderOptions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictWelcomeCenter
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecycleFiles
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRunasInstallPrompt
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!LinkResolveIgnoreLinkInfo
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDrives
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoManageMyComputerVerb
HKCU\Software\Policies\Microsoft\Windows\Explorer!DefaultLibrariesLocation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RecycleBinSize
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!MaxRecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoComputersNearMe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!NoEntireNetwork
HKCU\Software\Policies\Microsoft\Windows\Explorer!TryHarderPinnedOpenSearch; HKCU\Software\
HKCU\Software\Policies\Microsoft\Windows\Explorer!TryHarderPinnedLibrary; HKCU\Software\Polic
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoViewOnDrive
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreventItemCreationInUsersFi
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetConnectDisconnect
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCDBurning
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDFSTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoViewContextMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFileMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoHardwareTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoShellSearchButton
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSecurityTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSharedDocuments
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoSearchInternetTryHarderButton
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeKeyboardNavigation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeAnimation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PromptRunasInstallNetPath
HKCU\Software\Policies\Microsoft\Windows\Explorer!ExplorerRibbonStartsMinimized; HKCU\Softwa
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoThumbnailCache
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TurnOffSPIAnimations
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableSearchBoxSuggestions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStrCmpLogical
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreXPSP2ShellProtocolBehavi
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableThumbsDBOnNetworkFolders
HKCU\Software\Policies\Microsoft\Windows\Explorer!HideContentViewModeSnippets
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableThumbnailsOnNetwork
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableThumbnails
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWinKeys
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableIndexedLibraryExperience
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClassicShell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32!NoBackButton
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32!NoPlacesBar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32!NoFileMru
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!Place0 HKCU\Soft
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoReadingPane
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPreviewPane
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableLocalPage
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableRemotePage
HKCU\Software\Policies\Microsoft\PreviousVersions!HideBackupEntries
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableLocalRestore
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableBackupRestore
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableRemoteRestore
HKCU\Software\Policies\Microsoft\Windows\FileRevocation!DelegatedTuples
HKCU\Software\Policies\Microsoft\InputMethod\Settings\JPN!ConfigureImeVersion
HKCU\Software\Policies\Microsoft\InputMethod\Settings\KOR!ConfigureImeVersion
HKCU\Software\Policies\Microsoft\InputMethod\Settings\CHS!ConfigureImeVersion
HKCU\Software\Policies\Microsoft\InputMethod\Settings\CHT!ConfigureImeVersion
HKCU\software\policies\microsoft\ime\imejp!ShowOnlyPublishingStandardGlyph
HKCU\software\policies\microsoft\ime\imejp!CodeAreaForConversion
HKCU\software\policies\microsoft\ime\shared!UserDict
HKCU\software\policies\microsoft\ime\imejp!UseHistorybasedPredictiveInput
HKCU\software\policies\microsoft\ime\shared!SearchPlugin
HKCU\software\policies\microsoft\ime\shared!OpenExtendedDict
HKCU\software\policies\microsoft\ime\imejp!SaveAutoTuneDataToFile
HKCU\Software\Policies\Microsoft\InputMethod\Settings\Shared!Enable Cloud Candidate
HKCU\Software\Policies\Microsoft\InputMethod\Settings\CHS!Enable Cloud Candidate
HKCU\Software\Policies\Microsoft\InputMethod\Settings\CHS!Enable Lexicon Update
HKCU\Software\Policies\Microsoft\InputMethod\Settings\CHS!EnableLiveSticker
HKCU\software\policies\microsoft\ime\shared!misconvlogging
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SearchExtensions!InternetEx
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!AddPolicySearchProvi
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!AllowSaveTargetAsInIE
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!ShutdownWaitForOnUnload
HKCU\Software\Policies\Microsoft\Internet Explorer!AllowServicePoweredQSA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!IgnoreFrameApprovalCheck
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!No_LaunchMediaBar HKCU\Softwa
HKCU\Software\Microsoft\Outlook Express!BlockExeAttachments
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!NeedEdgeBrowser HKCU
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!Version
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use FormSuggest; HKCU\Software\Policie
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableAutoProxyResu
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Accessibility
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Advanced
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Autoconfig
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!CalendarContact
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Certificates
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Colors
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connection Settings
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Check_If_Default
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Fonts
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!HomePage; HKCU\Software\Polici
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Languages
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!links
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Messaging
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Profiles
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Ratings
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\SecondaryStartPages
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Cache
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExternalBranding
HKCU\Software\Policies\Microsoft\Internet Explorer!DisableImportExportFavorites
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connwiz Admin Lock
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NotifyDisableIEOptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ResetWebSettings
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DisplayScriptDownloa
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExtensionManagement
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!EnableExtendedIEMode
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus; HKCU\Software\Policie
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Identities!Locked Down
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!KeepIntranetSitesInInter
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!Enable
HKCU\Software\Microsoft\Internet Explorer\WMITelemetry!DomainAllowList
HKCU\Software\Microsoft\Internet Explorer\WMITelemetry!ZoneAllowList
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Check_Associations
HKCU\Software\Policies\Microsoft\Internet Explorer\New Windows!ListBox_Support_Allow; HKCU\So
HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbar\WebBrowser!ITBar7Position
HKCU\Software\Policies\Microsoft\Internet Explorer\Security!DisableFixSecuritySettings
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpMenu
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverride
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverrideAppRepUnknow
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!DisablePopupFilterLevel
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Proxy
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChangeDefaultSea
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AllowWindowReuse
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!OpenInForeground
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSearchBox
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!RestrictPopupExceptionList
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV9
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\SQM!DisableCustomerImprovementProgram
HKCU\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX!BlockNonAdminActiveXInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisableFirstRunCustomize
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!UsePolicySearchProvi
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFindFiles
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSearchCustomizati
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!RestrictIE
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!TabProcGrowth
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!ShowMessageWhenOpen
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!NewTabPageShow
HKCU\Software\Policies\Microsoft\Windows\AxInstaller!OnlyUseAXISForActiveXInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisableAddSiteMode
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!NoFirsttimeprompt
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!DisableAddonLoadTimePerformance
HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery!AutoRecover
HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation!PolicyDisableGeolocation
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!PopupsUseNewWindow
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection
HKCU\Software\Policies\Microsoft\Internet Explorer\LinksBar!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV8
HKCU\Software\Policies\Microsoft\Internet Explorer\ZOOM!ZoomDisabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPopupManagement
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!QuickTabsThreshold
HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery!NoReopenLastSession
HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes!ShowSearchSuggestionsGlobal
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!Groups
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!Enabled
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!AutoSuggest
HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes!DisplayQuickPick
HKCU\Software\Policies\Microsoft\Internet Explorer\Security!DisableSecuritySettingsCheck
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering!IsEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus
HKCU\Software\Microsoft\Internet Explorer\WMITelemetry!Active
HKCU\Software\Microsoft\Internet Explorer\WMITelemetry!XMLPath
HKCU\Software\Policies\Microsoft\Internet Explorer\Suggested Sites!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!FormSuggest Passwords; HKCU\Software\P

HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DialupAutodetect
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!SiteList
HKCU\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesDefaultInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\Activities\Restrictions!UsePolicyActivitiesOnly
HKCU\Software\Policies\Microsoft\Internet Explorer\Activities!NoActivities
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_P
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_Featur
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoOpeninNewWnd
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoSelectDownloadDir
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserClose
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFileNew
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFileOpen
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoBrowserSaveWeb
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserSaveAs
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemNetscapeHelp
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemSendFeedback
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemTipOfTheDay
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemTutorial
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFavorites
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserOptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPrinting
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserContextMenu
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoReportSiteProblems
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoTheaterMode
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoViewSource
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!MSCompatibilityMode
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!DisableSiteListEditing
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowCompatibilityViewButton
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!AllSitesCompatibilityMode
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!IntranetCompatibilityMode
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!ClearBrowsingHistoryOnExit
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!History; HKCU\Software\Policie
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteBrowsingHistory
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTrackingProtection
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanCookies
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanDownloadHistory
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!UseAllowList
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteForms
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanInPrivateBlocking
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeletePasswords
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTIF
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanHistory
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Settings
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!AdvancedTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ConnectionsTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ContentTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!GeneralTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!PrivacyTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ProgramsTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!SecurityTab
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!PreventIgnoreCertErr
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnablePunyCode
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Protocols\Mailto!UT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMA
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoWebJITSetup
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableHTTP2
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableSPDY3_0
HKCU\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Enable Browser Extensions
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DoNotTrack
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoUpdateCheck
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CertificateRevocation
HKCU\Software\Policies\Microsoft\Internet Explorer\Download!CheckExeSignatures
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisableEPMCompat
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableRIED
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DisableCachingOfSSL
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache!Persistent
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Play_Animations
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Play_Background_Sounds
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Display Inline Videos
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!UseClearType
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!SecureProtocols
HKCU\Software\Policies\Microsoft\Internet Explorer\PrefetchPrerender!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Security\P3Global!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!UTF8URLQuery
HKCU\Software\Policies\Microsoft\Internet Explorer\FlipAhead!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Isolation64Bit
HKCU\Software\Policies\Microsoft\Internet Explorer\CaretBrowsing!EnableOnStartup
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Isolation
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableHttp1_1
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxyHttp1.1
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!ShowContentAdvisor
HKCU\Software\Policies\Microsoft\Internet Explorer\ContinuousBrowsing!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!AllowWebsiteCache
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!AllowWebsiteData
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!MaxTrustedDomai
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!GarbageCollectionT
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage!DefaultDomainCacheLimitInM
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!MaxTrustedDomai
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestSingleRe
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestResource
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!TotalLimitInMB
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!TotalLimitInMB
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Template Policies!Int
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!IntranetN
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!UNCAsIntr
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!ProxyByPas
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Settings\Template Policies!Int
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Settings\Template
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings\Template P
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings\Template P
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Lockdown Settings
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings\Tem
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings\Templa
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Settings\Template Polic
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_Zo
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Settings\Template Policie
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!AutoDetec
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnBadCertRecv
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnIntranet
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1406
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120b
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120c
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180E
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180F
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!140C
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1A04
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1C00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!270B
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1E05
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!1
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!ApplicationTileImmersiveActivation
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AssociationActivationMode
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!GotoIntranetSiteForSingleWordEntry
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!HideNewEdgeButton
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Anchor Underline
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Friendly http errors
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Page_Transitions
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FormatDetection!PhoneNumberEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!SmoothScroll
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Disable Script Debugger
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Error Dlg Displayed On Every Error
HKCU\Software\Policies\Microsoft\Internet Connection Wizard!DisableICW
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!EnableAlternativeCodec
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Show image placeholders
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Enable AutoImageResize
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Display Inline Images
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer!SmartDithering
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Print_Background
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AutoSearch
HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes!TopResult
HKCU\Software\Policies\Microsoft\IEAK!NoAutomaticSignup
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!Use AutoCo
HKCU\Software\Policies\Microsoft\Internet Explorer\DomainSuggestion!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\WindowsSearch!EnabledScopes
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!Append Com
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoDefaultTextSize; HKCU\Software\
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Background Color
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Text Color
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use_DlgBox_Colors
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Anchor Color Visited
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Anchor Color
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Anchor Color Hover
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Use Anchor Hover Color
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!UrlEncoding
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoAddingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoAddingSubscription
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoScheduledUpdates
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChannelUI
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSubscriptionConten
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoEditingScheduleGr
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoEditingSubscription
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChannelLogging
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoRemovingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoRemovingSubscript
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!MaxSubscriptionSize
HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence\3!DomainLimit HKCU\Software\Poli
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!Threshold
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!TrackingProtectionThreshold
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableToolbars
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableLogging
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!EnableInPrivateBrowsing
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableInPrivateBlocking
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableTrackingProtection
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisablePasswordReveal
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATAURI!iexpl
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_Support_CLSID; HKCU\Soft
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_F
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RunThisTimeEnabled
HKCU\Software\Microsoft\Internet Explorer\VersionManager!DownloadVersionList
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!VersionCheckEnabled
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_DomainAllowlist; HKCU\So
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!AuditModeEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!XMLHTTP
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOC
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET!ie
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XDOMAINREQU
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_All
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Security!ENABLE_MD2_MD4
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!(Re
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDL
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEA
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMAC
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFIN
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_L
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAN
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACH
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVAT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACT
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_F
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FI
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEA
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RES
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_REST
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!SpecifyDefaultButtons; HKCU
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!TextOption
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoToolbarCustomize
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoBandCustomize
HKCU\Software\Policies\Microsoft\Internet Explorer\MINIE!ShowTabsBelowAddressBar
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!CommandBarEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!StatusBarWeb
HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbar!Locked
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowLeftAddressToolbar
HKCU\Software\Policies\Microsoft\Internet Explorer\IEDevTools!Disabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions!DisableToolbarUpgrader
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!SmallIcons
HKCU\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocation
HKCU\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocationScripting
HKCU\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableSensors
HKCU\Software\Policies\Microsoft\MMC!RestrictAuthorMode
HKCU\Software\Policies\Microsoft\MMC!RestrictToPermittedSnapins
HKCU\Software\Policies\Microsoft\MMC\{18BA7139-D98B-43c2-94DA-2604E34E175D}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{EBC53A38-A23F-11D0-B09B-00C04FD8DCA6}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{D967F824-9968-11D0-B936-00C04FD8D5B0}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C96401CF-0E17-11D3-885B-00C04F72C717}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1C5DACFA-16BA-11D2-81D0-0000F87A7AA3}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{A994E107-6854-4F3D-917C-E6F01670F6D3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{53D6AB1D-2488-11D1-A28C-00C04FB94F17}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{de751566-4cc6-11d1-8ca0-00c04fc297eb}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C9BC92DF-5B9A-11D1-8F00-00C04FC2C17B}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{58221C67-EA27-11CF-ADCF-00AA00A80033}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{671ee405-c969-4af9-ad1b-65e96b3b9a10}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{43668E21-2636-11D1-A1CE-0080C88593A5}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{677A2D94-28D9-11D1-A95B-008048918FB1}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{634BDE40-E5E1-49A1-B2CD-140FFFC830F9}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{975797FC-4E2A-11D0-B702-00C04FD8DBF7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{D2779945-405B-4ACE-8618-508F3E3054AC}!Restrict_
HKCU\Software\Policies\Microsoft\MMC\{753EDB4D-2E1B-11D1-9064-00A0C90AB504}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{f8abd46c-1297-4474-9cdf-831ebb245f49}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{FF5903A8-78D6-11D1-92F6-006097B01056}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{89cc9588-7628-4d29-8e4a-6550d0087059}!Restrict_R
HKCU\Software\Policies\Microsoft\MMC\{95AD72F0-44CE-11D0-AE29-00AA004B9986}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{8F8F8DC0-5713-11D1-9551-0060B0576642}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{A841B6C2-7577-11D0-BB1F-00A0C922E79C}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{57C596D0-9370-40C0-BA0D-AB491B63255D}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{DEA8AFA2-CC85-11d0-9CE2-0080C7221EBD}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{C96401D1-0E17-11D3-885B-00C04F72C717}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5D6179C8-17EC-11D1-9AA9-00C04FD8FE93}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{a1bc4eca-66b2-44e8-9915-be02e84438ba}!Restrict_R
HKCU\Software\Policies\Microsoft\MMC\FX:{6630f2d7-bd52-4072-bfa7-863f3d0c5da0}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{6d8880af-e518-43a8-986c-1ad21c4c976e}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{FD57D297-4FD9-11D1-854E-00C04FC31FD3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B91B6008-32D2-11D2-9888-00A0C925F917}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{3D5D035E-7721-4B83-A645-6C07A3D403B7}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{3CB6973D-3E6F-11D0-95DB-00A024D77700}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{1AA7F839-C7F5-11D0-A376-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{011BE22D-E453-11D1-945A-00C04FB984F9}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5ADF5BF6-E452-11D1-945A-00C04FB984F9}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{18ea3f92-d6aa-41d9-a205-2023400c8fbb}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{813C1B01-6624-4922-9C6C-03C315646584}!Restrict_R
HKCU\Software\Policies\Microsoft\MMC\FX:{317cdc35-c09e-486f-ab09-90dd2e3fdd7d}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{45ac8c63-23e2-11d1-a696-00c04fd58bc3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{E26D02A0-4C1F-11D1-9AA1-00C04FC3357A}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{7d3830aa-e69e-4e17-8bd1-1b87b97099da}!Restrict_R
HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ac-fe9c-4368-be02-7a4cbb7cbe11}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{23DC5869-BD9F-46fd-AADD-1F869BA64FC3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5C659257-E236-11D2-8899-00104B2AFB46}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1AA7F83C-C7F5-11D0-A376-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1F5EEC01-1214-4D94-80C5-4BDCD2014DDD}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{3F276EB4-70EE-11D1-8A0F-00C04FB93753}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C2FE450B-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{9EC88934-C774-11d1-87F4-00C04FC2C17B}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{90087284-d6d6-11d0-8353-00a0c90640bf}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{f78fbadd-c21a-4e0a-b53d-c879a9c8f002}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C2FE4502-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{dbfca500-8c31-11d0-aa2c-00a0c92749a3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{394C052E-B830-11D0-9A86-00C04FD8DBF7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{B708457E-DB61-4C55-A92F-0D4B5E9B1224}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{f8abd46e-1297-4474-9cdf-831ebb245f49}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{2E19B602-48EB-11d2-83CA-00104BCA42CF}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{90810502-38F1-11D1-9345-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{6E8E0081-19CD-11D1-AD91-00AA00B8E05A}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{34AB8E82-C27E-11D1-A6C0-00C04FB94F17}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{5880CD5C-8EC0-11d1-9570-0060B0576642}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{243E20B0-48ED-11D2-97DA-00A024D77700}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{DAB1A262-4FD7-11D1-842C-00C04FB6C218}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{B1AFF7D0-0C49-11D1-BB12-00C04FC9A3A3}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{BD95BA60-2E26-AAD1-AD99-00AA00B8E05A}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{f9f63d92-6225-410b-bb02-26239b8f1f59}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{03f1f940-a0f2-11d0-bb77-00aa00a1eab7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{7AF60DD3-4979-11D1-8A6C-00C04FC33566}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{317cdc37-c09e-486f-ab09-90dd2e3fdd7d}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{0F3621F1-23C6-11D1-AD97-00AA00B88E5A}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{C11D2F3B-E2F4-4e5b-824B-84A87AB0F666}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{9FE24B92-C23D-451c-8045-73038D99E620}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{0F6B957D-509E-11D1-A7CC-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{0F6B957E-509E-11D1-A7CC-0000F87571E3}!Restrict_Run;
HKCU\Software\Policies\Microsoft\MMC\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{FC715823-C5FB-11D1-9EEF-00A0C90347FF}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{DEA8AFA0-CC85-11d0-9CE2-0080C7221EBD}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\FX:{a1bc4ecb-66b2-44e8-9915-be02e84438ba}!Restrict_R
HKCU\Software\Policies\Microsoft\MMC\{3060E8CE-7020-11D2-842D-00C04FA372D4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B66650-4972-11D1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B6664F-4972-11D1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{942A8E4F-A261-11D1-A760-00C04FB9603F}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{06993B16-A5C7-47EB-B61C-B1CB7EE600AC}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{2DA6AA7F-8C88-4194-A558-0D36E7FD3E64}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{6A712058-33C6-4046-BCF9-0EA3A8808EDC}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{0DA274B5-EB93-47A7-AAFB-65BA532D3FE6}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{17C6249E-BA57-4F69-AE93-4FB3D25CD9D7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{127537A8-C1ED-40BC-9AE5-C5891DF6B2D4}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{1612b55c-243c-48dd-a449-ffc097b19776}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1b767e9a-7be4-4d35-85c1-2e174a7ba951}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{35141B6B-498A-4cc7-AD59-CEF93D89B2CE}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{3BAE7E51-E3F4-41D0-853D-9BB9FD47605F}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{3BFAE46A-7F3A-467B-8CEA-6AA34DC71F53}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{3EC4E9D3-714D-471F-88DC-4DD4471AAB47}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{516FC620-5D34-4B08-8165-6A06B623EDEB}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5C935941-A954-4F7C-B507-885941ECE5C4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{79F92669-4224-476c-9C5C-6EFB4D87DF4A}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{949FB894-E883-42C6-88C1-29169720E8CA}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{BFCBBEB0-9DF4-4c0c-A728-434EA66A0373}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{9AD2BAFE-63B4-4883-A08C-C3C6196BCAFD}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{45B01F1C-5AC2-458c-9457-42A81B34A26D}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{A8C42CEA-CDB8-4388-97F4-5831F933DA84}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B9CCA4DE-E2B9-4CBD-BF7D-11B6EBFBDDF7}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}!Restrict_Ru
HKCU\Software\Policies\Microsoft\MMC\{CC5746A9-9B74-4be5-AE2E-64379C86E0E4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{CEFFA6E2-E3BD-421B-852C-6F6A79A59BC1}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{CF848D48-888D-4F45-B530-6A201E62A605}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B6F9C8AF-EF3A-41C8-A911-37370C331DD4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{c40d66a0-e90c-46c6-aa3b-473e38c72bf2}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{d524927d-6c08-46bf-86af-391534d779d3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B66661-4972-11d1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B66660-4972-11d1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{fe883157-cebd-4570-b7a2-e4fe06abe626}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{7E45546F-6D52-4D10-B702-9C2E67232E62}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}!Restrict_Run
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncMethod HKCU\Software\Policies\Mi
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!DontSyncWindows8AppSettings
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncProviderPingEnabled
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!MaxPackageSizeInBytes
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SettingsStoragePath
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncOverMeteredNetwork
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncOverMeteredNetworkWhenRoami
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncTimeoutInMilliseconds
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings!DesktopSettings HKC
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncEnabled
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings!VdiState; HKCU\Softw
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Back
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftCalculator6
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Ba
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplore
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplore
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplorer
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplorer
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplor
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Backu
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Backu
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win3
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2010
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Win32
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Win32
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Wi
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Offi
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Of
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Of
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Offic
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Offic
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Offic
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Off
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftNotepad6
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Bac
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftWordpad6
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingFin
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.XboxLI
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingMap
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneMus
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingNew
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.Reader_
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingSpo
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingTrav
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneVid
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingWea
HKCU\Software\Policies\Microsoft\Windows\Explorer!MultiTaskingAltTabFilter
HKCU\Software\Policies\Microsoft\Conferencing!PersistAutoAcceptCalls
HKCU\Software\Policies\Microsoft\Conferencing!NoChat
HKCU\Software\Policies\Microsoft\Conferencing!NoDirectoryServices
HKCU\Software\Policies\Microsoft\Conferencing!NoOldWhiteBoard
HKCU\Software\Policies\Microsoft\Conferencing!NoNewWhiteBoard
HKCU\Software\Policies\Microsoft\Conferencing!Use AutoConfig; HKCU\Software\Policies\Microsoft
HKCU\Software\Policies\Microsoft\Conferencing!MaxFileSendSize
HKCU\Software\Policies\Microsoft\Conferencing!NoAddingDirectoryServers
HKCU\Software\Policies\Microsoft\Conferencing!NoAutoAcceptCalls
HKCU\Software\Policies\Microsoft\Conferencing!NoChangingCallMode
HKCU\Software\Policies\Microsoft\Conferencing!NoReceivingFiles
HKCU\Software\Policies\Microsoft\Conferencing!NoSendingFiles
HKCU\Software\Policies\Microsoft\Conferencing!NoWebDirectory
HKCU\Software\Policies\Microsoft\Conferencing!CallSecurity
HKCU\Software\Policies\Microsoft\Conferencing!IntranetSupportURL
HKCU\Software\Policies\Microsoft\Conferencing!NoAppSharing
HKCU\Software\Policies\Microsoft\Conferencing!NoTrueColorSharing
HKCU\Software\Policies\Microsoft\Conferencing!NoAllowControl
HKCU\Software\Policies\Microsoft\Conferencing!NoSharingDesktop
HKCU\Software\Policies\Microsoft\Conferencing!NoSharing
HKCU\Software\Policies\Microsoft\Conferencing!NoSharingDosWindows
HKCU\Software\Policies\Microsoft\Conferencing!NoSharingExplorer
HKCU\Software\Policies\Microsoft\Conferencing!NoAudio
HKCU\Software\Policies\Microsoft\Conferencing!NoFullDuplex
HKCU\Software\Policies\Microsoft\Conferencing!MaximumBandwidth
HKCU\Software\Policies\Microsoft\Conferencing!NoChangeDirectSound
HKCU\Software\Policies\Microsoft\Conferencing!NoReceivingVideo
HKCU\Software\Policies\Microsoft\Conferencing!NoSendingVideo
HKCU\Software\Policies\Microsoft\Conferencing!NoAdvancedCalling
HKCU\Software\Policies\Microsoft\Conferencing!NoAudioPage
HKCU\Software\Policies\Microsoft\Conferencing!NoGeneralPage
HKCU\Software\Policies\Microsoft\Conferencing!NoSecurityPage
HKCU\Software\Policies\Microsoft\Conferencing!NoVideoPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInplaceSharing
HKCU\Software\Policies\Microsoft\Windows\OOBE!DisablePrivacyExperience
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings!NoPresentationSe
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UseProxy; HKCU\SOFTWARE\Polic
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowExplicitLogonMethod HK
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowExplicitProxyName HKCU
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowUnsignedFiles
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowSignedFiles
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DisablePasswordSaving
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!TrustedCertThumbprints
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!Shadow
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableTimeZoneRedirection
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableClip
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!RedirectOnlyDefaultClientPrint
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UseUniversalPrinterDriverFirst
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fTurnOffSingleAppMode
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fNoRemoteDesktopWallpaper
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fInheritInitialProgram; HKCU\S
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fResetBroken
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxConnectionTime
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!RemoteAppLogoffTimeLimit
HKCU\SOFTWARE\Policies\Microsoft\Workspaces!DefaultConnectionURL
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableFeedPane
HKCU\Software\Policies\Microsoft\Internet Explorer\Feed Discovery!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableEnclosureDownload
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableAddRemove
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!BackgroundSyncStatus
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!AllowBasicAuthInClear
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultExcludedPaths
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultIndexedPaths
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search!HideUNCTab
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventModifyingIndexedLocations
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingCertainPaths
HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer!DisableSearchHistory
HKCU\SOFTWARE\Policies\Microsoft\SoundRecorder!Soundrec
HKCU\Software\Policies\Microsoft\WindowsStore!RequirePrivateStoreOnly
HKCU\Software\Policies\Microsoft\WindowsStore!DisableOSUpgrade
HKCU\Software\Policies\Microsoft\WindowsStore!RemoveWindowsStore
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableInkball
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableNoteWriterPrinting
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableSnippingTool
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableJournal
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPenFeedback
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonBackEscapeMapping
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonApplicationLaunch
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonPressAndHold
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffButtons
HKCU\software\policies\microsoft\TabletTip\1.7!DisablePrediction
HKCU\software\policies\microsoft\TabletTip\1.7!HideIPTIPTarget
HKCU\software\policies\microsoft\TabletTip\1.7!HideIPTIPTouchTarget
HKCU\software\policies\microsoft\TabletTip\1.7!IncludeRareChar
HKCU\software\policies\microsoft\TabletTip\1.7!DisableEdgeTarget
HKCU\software\policies\microsoft\TabletTip\1.7!DisableACIntegration
HKCU\software\policies\microsoft\TabletTip\1.7!PasswordSecurityState; HKCU\software\policies\mi
HKCU\software\policies\microsoft\TabletTip\1.7!ScratchOutState; HKCU\software\policies\microsoft
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicksLearningMode
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicks
HKCU\SOFTWARE\Policies\Microsoft\PenTraining!DisablePenTraining
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffTouchInput
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPanning
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Disable Advanced
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Property Pages
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Execution
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Allow Browse
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!DragAndDrop
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Creation
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Deletion
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows!TurnOffWinCal
HKCU\Software\Policies\Microsoft\Windows\WindowsColorSystem!ProhibitInstallUninstall
HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!EnabledV9
HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!PreventOverride
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!AutoApproveOSDumps
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!LoggingDisabled
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!Disabled
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassDataThrottling
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassPowerThrottling
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassNetworkCostThrottl
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableArchive; HKCU\SOF
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableQueue; HKCU\SOFT
HKCU\Software\Policies\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultConsent
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultOverrideB
HKCU\SOFTWARE\Policies\Microsoft\PassportForWork!UseCertificateForOnPremAuth
HKCU\SOFTWARE\Policies\Microsoft\PassportForWork!UseCloudTrustForOnPremAuth
HKCU\SOFTWARE\Policies\Microsoft\PassportForWork!Enabled; HKCU\SOFTWARE\Policies\Microsoft
HKCU\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated
HKCU\Software\Policies\Microsoft\Windows\Installer!DisableMedia
HKCU\Software\Policies\Microsoft\Windows\Installer!DisableRollback
HKCU\Software\Policies\Microsoft\Windows\Installer!SearchOrder
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DontDisplayLogonHoursWarni
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!ReportControllerMissing
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!LogonHoursAction
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventCDDVDMetadataRetrieval
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventMusicFileMetadataRetrieval
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventRadioPresetsRetrieval
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\HTTP!ProxyPolicy; HKCU\Softwa
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\MMS!ProxyPolicy; HKCU\Softwa
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!NetworkBufferingPolicy; HKCU\Software\P
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\RTSP!ProxyPolicy; HKCU\Softwa
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!HideNetworkTab
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols!WindowsMediaStreamingProtocol
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!EnableScreenSaver
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventCodecDownload
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!DoNotShowAnchor
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!HidePrivacyTab
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!HideSecurityTab
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!SetAndLockSkin; HKCU\Software\Policies\
HKCU\Software\Policies\Microsoft\Messenger\Client!PreventRun
HKCU\Software\Policies\Microsoft\Messenger\Client!PreventAutoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter!NoMobilityCenter
HKCU\Software\Policies\Microsoft\Windows\PowerShell\UpdatableHelp!EnableUpdateHelpDefaultS
HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging!EnableModuleLogging; HK
HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging!EnableScriptBlockLoggin
HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription!EnableTranscripting; HKCU\S
HKCU\Software\Policies\Microsoft\Windows\PowerShell!EnableScripts; HKCU\Software\Policies\Mic
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUAsDefaultShutdownOption
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUShutdownOption
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate!DisableWindowsUpda
HKCU\Software\Policies\Microsoft\Windows\WorkFolders!EnableTokenBroker
HKCU\Software\Policies\Microsoft\Windows\WorkFolders!SyncUrl HKCU\Software\Policies\Microso
Supported On
At least Windows Server 2003 operating systems or Windows XP Professional
At least Windows 2000
At least Windows Server 2016 Windows 10 Version 1703
Windows Server 2003 Windows XP and Windows 2000 only
At least Windows 2000 Service Pack 1
At least Windows Server 2008 R2 or Windows 7
Windows Server 2008 Windows Server 2003 Windows Vista and Windows XP
At least Windows Server 2016 Windows 10
Windows Server 2008 and Windows Vista
Supported Windows XP SP1 through Windows Server 2008 RTM
At least Windows Vista
Windows Vista only
Windows Server 2003 and Windows XP only
Windows 2000 only
Microsoft Windows Server 2003 Windows XP and Windows 2000 Service Pack 1 operating systems on
Microsoft Windows XP Professional with SP2 and Windows Server 2003 family only
At least Windows Server 2012 Windows 8 or Windows RT
Windows Server 2008 Windows Server 2003 Windows Vista Windows XP and Windows 2000
Windows Server 2008 R2 and Windows 7
Windows Server 2008 Windows 7 and Windows Vista
Windows Server 2008 Windows 7 Windows Vista and Windows 10
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1
At least Windows Server 2016 or Windows 10
Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 only
Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista Windows XP and Windows 2
Windows Server 2012 R2 Windows 8.1 Windows RT 8.1 Windows Server 2008 Windows Server 2003 Wi
At least Windows 2000 through Windows 8.1 or Windows Server 2012 R2
Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista and Windows XP
Windows Server 2012 R2 Windows 8.1 Windows RT 8.1 Windows Server 2008 Windows Server 2003
Windows Server 2012 R2 Windows 8.1 Windows RT 8.1 Windows Server 2008 Windows Server 2003
Windows Vista only
At least Windows Server 2008 R2 or Windows 7. Not supported on Windows 10 or later
Unknown
Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista Windows XP Windows 2000
Windows Vista only
Windows Vista only
Windows 2000 only
Windows XP Professional only
Windows Server 2008 Windows Server 2003 Windows Vista and Windows XP SP2
At least Windows XP Professional with SP2
At least Windows Server 2003 operating systems or Windows XP Professional with SP2
Unknown
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows Server 2012 Windows 8 or Windows RT or at least Internet Explorer 10
Windows Vista only
Windows XP Professional only
Windows Vista Service Pack 1
At least Windows Server 2003
Supported Windows Vista through Windows 7
Unknown
Unknown
Unknown
Unknown
At least Internet Explorer 7.0
Only Internet Explorer 6.0
At least Internet Explorer 5.0. Not supported on Windows Vista
Only Internet Explorer 5.0 through Internet Explorer 9.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 11.0 on Windows 10 vertion 1607 or later
Internet Explorer 7.0 to Internet Explorer 10.0

Only Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 11.0 on Windows 10
Only Internet Explorer 11.0 on Windows 8.1
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1. Not supported on Windows Vista
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 11.0 on Windows 10 version 1703 or later
Only Internet Explorer 9.0 through 11.0. Not supported on Windows 10
At least Windows Server 2003 R2
Windows Server 2003 only
at least Windows NetMeeting v3.0
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
At least Windows Vista with Service Pack 1
Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista an
Any version of Microsoft Windows with Windows Search 4.0 or later
Microsoft Windows 8 or later
Windows Vista only
Windows Vista only
Windows Vista only
Windows Vista only
Unknown
Unknown
Windows Server 2016 Version 1703 Windows 10 Version 1703 Windows 10 Windows 8.1 Windows 8
Windows 8.1 Windows 8 Windows 7 and Windows Vista only
At least Windows 10
At least Windows 10
At least Windows 10
Windows Media Player 9 Series and later.
Windows Media Player for Windows XP and later.
At least Microsoft Windows 7 or Windows Server 2008 family
Windows 7 Windows Server 2008 R2 Windows Vista Windows XP SP2
Windows 7 Windows Server 2008 R2 Windows Vista Windows XP SP2
At least Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3 through W
Help Text
This policy setting controls the default Control Panel view whether by category or icons. If this policy setting is enabled the Con
This setting allows you to display or hide specified Control Panel items such as Mouse System or Personalization from the Cont
Disables all Control Panel programs and the PC settings app.This setting prevents Control.exe and SystemSettings.exe the prog
Specifies the list of pages to show or hide from the System Settings app.This policy allows an administrator to block a given set
This policy setting controls which Control Panel items such as Mouse System or Personalization are displayed on the Control P
Prevents users from using Add or Remove Programs to configure installed services.This setting removes the "Set up services" s
Removes the Add New Programs button from the Add or Remove Programs bar. As a result users cannot view or change the a
Removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result users cannot view
Removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result users cannot view or cha
Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from
Removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using
Prevents users from viewing or installing published programs.This setting removes the "Add programs from your network" sec
Removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result users cannot view o
Prevents users from using Add or Remove Programs.This setting removes Add or Remove Programs from Control Panel and re
Removes links to the Support Info dialog box from programs on the Change or Remove Programs page.Programs listed on the
Specifies the category of programs that appears when users open the "Add New Programs" page.If you enable this setting onl
Disables the Display Control Panel.If you enable this setting the Display Control Panel does not run. When users try to start Dis
Removes the Settings tab from Display in Control Panel.This setting prevents users from using Control Panel to add configure o
Enables desktop screen savers.If you disable this setting screen savers do not run. Also this setting disables the Screen Saver se
This setting allows you to force a specific visual style file by entering the path (location) of the visual style file.This can be a loc
Specifies the screen saver for the user's desktop.If you enable this setting the system displays the specified screen saver on the
Specifies which theme file is applied to the computer the first time a user logs on.If you enable this setting the theme that you
Determines whether screen savers used on the computer are password protected.If you enable this setting all screen savers a
Disables the Color (or Window Color) page in the Personalization Control Panel or the Color Scheme dialog in the Display Cont
This setting forces the theme color scheme to be the default color scheme.If you enable this setting a user cannot change the
Prevents users from adding or changing the background design of the desktop.By default users can use the Desktop Backgroun
Prevents users from changing the desktop icons.By default users can use the Desktop Icon Settings dialog in the Personalizatio
Prevents users from changing the mouse pointers.By default users can use the Pointers tab in the Mouse Control Panel to add
Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users fr
Prevents users from changing the sound scheme.By default users can use the Sounds tab in the Sound Control Panel to add re
This setting disables the theme gallery in the Personalization Control Panel.If you enable this setting users cannot change or sa
Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens.When ena
Prevents users from changing the size of the font in the windows and buttons displayed on their screens.If this setting is enabl
Specifies how much user idle time must elapse before the screen saver is launched.When configured this idle time can be set f
Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to direct users to a We
Allows users to use the Add Printer Wizard to search the network for shared printers.If you enable this setting or do not config
Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard gives users the option o
Determines whether Device Control Printing Restrictions are enforced for printing on this computer. By default ther
This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing
This policy restricts clients computers to use package point and print only.If this setting is enabled users will only be able to po
Restricts package point and print to approved servers.This policy setting restricts package point and print connections to appro
This policy setting controls the client Point and Print behavior including the security prompts for Windows Vista computers. Th
Prevents users from using familiar methods to add local and network printers. If this policy setting is enabled it removes t
If this policy setting is enabled it prevents users from deleting local and network printers. If a user tries to delete a printer
This preference allows you to change default printer management.If you enable this setting Windows will not manage the def
Prevents users from viewing or installing published programs from the network. This setting prevents users from accessing th
This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task."Installed Updates
This setting prevents users from accessing "Programs and Features" to view uninstall change or repair programs that are curre
This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result users cannot vie
This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Cate
This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control P
This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View
This policy setting removes the Administrative options from the Region settings control panel. Administrative options include
This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control pan
This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional O
This policy setting removes the regional formats interface from the Region settings control panel.This policy setting is used onl
This policy setting restrictsâ€¯the user from installing language packs and language features on demand.â€¯This policy do
This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region setting
This policy setting restricts the Windows UI language for specific users.This policy setting applies to computers with more than
This policy turns off the autocorrect misspelled words option. This does not however prevent the user or an application fr
This policy turns off the highlight misspelled words option. This does not however prevent the user or an application from
This policy turns off the insert a space after selecting a text prediction option. This does not however prevent the user or a
This policy turns off the offer text predictions as I type option. This does not however prevent the user or an application fr
This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic lear
Remote shared folders are not added to Network Locations whenever you open a document in the shared folder.If you disable
Prevents users from saving certain changes to the desktop.If you enable this setting users can change the desktop but some ch
Removes icons shortcuts and other default and user-defined items from the desktop including Briefcase Recycle Bin Computer
Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar.This setting does not prev
Removes the Network Locations icon from the desktop.This setting only affects the desktop icon. It does not prevent users fro
Prevents users from manipulating desktop toolbars.If you enable this setting users cannot add or remove toolbars from the de
Prevents users from adjusting the length of desktop toolbars. Also users cannot reposition items or toolbars on docked toolba
Prevents users from changing the path to their profile folders.By default a user can change the location of their individual profi
This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view o
Removes most occurrences of the My Documents icon.This setting removes the My Documents icon from the desktop from Fi
This setting hides Properties on the context menu for Computer.If you enable this setting the Properties option will not be pre
This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon.If you enable this po
Removes the Properties option from the Recycle Bin context menu.If you enable this setting the Properties option will not be p
Removes most occurrences of the Recycle Bin icon.This setting removes the Recycle Bin icon from the desktop from File Explo
Prevents users from using the Desktop Cleanup Wizard.If you enable this setting the Desktop Cleanup wizard does not automa
Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. If y
Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional
Hides the Active Directory folder in Network Locations.The Active Directory folder displays Active Directory objects in a brows
Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory
Adds and deletes specified Web content items.You can use the "Add" box in this setting to add particular Web-based items or
Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If u
Specifies the desktop background ("wallpaper") displayed on all users' desktops.This setting lets you specify the wallpaper on
Disables Active Desktop and prevents users from enabling it.This setting prevents users from trying to enable or disable Active
Removes Active Desktop content and prevents users from adding Active Desktop content. This setting removes all Active Desk
Enables Active Desktop and prevents users from disabling it.This setting prevents users from trying to enable or disable Active
Prevents users from adding Web content to their Active Desktop.This setting removes the "New" button from Web tab in Disp
Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration.This is a comprehen
Prevents users from removing Web content from their Active Desktop.In Active Desktop you can add items to the desktop but
Prevents users from deleting Web content from their Active Desktop.This setting removes the Delete button from the Web tab
Prevents users from changing the properties of Web content items on their Active Desktop.This setting disables the Properties
Determines whether a user can view and change the properties of remote access connections that are available to all users of
Determines whether users can delete all user remote access connections.To create an all-user remote access connection on th
Determines whether users can enable/disable LAN connections.If you enable this setting the Enable and Disable options for LA
Determines whether nonadministrators can rename all-user remote access connections.To create an all-user connection on th
Determines whether nonadministrators can rename a LAN connection.If you enable this setting the Rename option is enabled
Determines whether users can rename LAN or all user remote access connections.If you enable this setting the Rename option
Determines whether settings that existed in Windows 2000 Server family will apply to Administrators.The set of Network Conn
Determines whether users can change the properties of a LAN connection.This setting determines whether the Properties men
Determines whether Administrators and Network Configuration Operators can change the properties of components used by
Determines whether users can view and change the properties of components used by a private or all-user remote access con
Determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators
Determines whether users can use the New Connection Wizard which creates new network connections.If you enable this setti
Determines whether the Remote Acccess Preferences item on the Advanced menu in Network Connections folder is enabled.T
Determines whether administrators can add and remove network components for a LAN or remote access connection. This se
Determines whether users can view and change the properties of their private remote access connections.Private connections
Determines whether users can connect and disconnect remote access connections.If you enable this setting (and enable the "
Determines whether users can delete remote access connections.If you enable this setting (and enable the "Enable Network C
Determines whether administrators can enable and disable the components used by LAN connections.If you enable this settin
Determines whether users can rename their private remote access connections.Private connections are those that are availab
Determines whether users can configure advanced TCP/IP settings.If you enable this setting (and enable the "Enable Network
Determines whether users can view the status for an active connection.Connection status is available from the connection sta
This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is u
Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files
Determines which events the Offline Files feature records in the event log.Offline Files records events in the Application log in
Determines how long the first reminder balloon for a network status change is displayed.Reminder balloons appear when the
Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the
Disables the Offline Files folder.This setting disables the "View Files" button on the Offline Files tab. As a result users cannot us
Prevents users from enabling disabling or changing the configuration of Offline Files.This setting removes the Offline Files tab f
Determines how often reminder balloon updates appear.If you enable this setting you can select how often reminder balloons
Determines how long updated reminder balloons are displayed.Reminder balloons appear when the user's connection to a ne
This policy setting prevents users from making network files and folders available offline.If you enable this policy setting users
This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" com
This policy setting removes the "Work offline" command from Explorer preventing users from manually changing whether Offl
This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files an
Determines whether offline files are fully synchronized when users log off.This setting also disables the "Synchronize all offline
Determines whether offline files are fully synchronized when users log on.This setting also disables the "Synchronize all offline
Determines whether offline files are synchonized before a computer is suspended.If you enable this setting offline files are syn
Hides or displays reminder balloons and prevents users from changing the setting.Reminder balloons appear above the Offline
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting the wizards are t
This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS).If you enab
This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS).If you e
Lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process.All DOS and 16-bit programs r
This policy only applies to the classic version of the start menu and does not affect the new style start menu.Adds the "Log Off
If you enable this policy a "Search the Internet" link is shown when the user performs a search in the start menu search box. T
If you enable this setting the Run command is added to the Start menu. If you disable or do not configure this setting the Run
Set the default action of the power button on the Start menu.If you enable this setting the Start Menu will set the power butto
Clear history of recently opened documents on exit.If you enable this setting the system deletes shortcuts to recently used do
If you enable this policy setting the recent programs list in the start menu will be blank for each new user.If you disable or do n
If you enable this setting the system deletes tile notifications when the user logs on. As a result the Tiles in the start view will a
This policy allows you to prevent users from being able to open context menus in the Start Menu.If you enable this policy then
This policy disables the functionality that converts balloons to toast notifications. If you enable this policy setting system and a
This policy setting allows you to control pinning items in Jump Lists.If you enable this policy setting users cannot pin files folde
This policy setting allows you to control pinning programs to the Taskbar.If you enable this policy setting users cannot change
This policy setting allows you to control pinning the Store app to the Taskbar.If you enable this policy setting users cannot pin
This policy setting allows you to prevent taskbars from being displayed on more than one monitor.If you enable this policy setti
This setting affects the taskbar.The taskbar includes the Start button buttons for currently running tasks custom toolbars the n
This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations.The Start Menu and T
Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents.I
If you enable this policy the start menu search box will not search for communications.If you disable or do not configure this p
If you enable this policy setting the Start menu search box will not search for files.If you disable or do not configure this policy
If you enable this policy the start menu search box will not search for internet history or favorites.If you disable or do not confi
If you enable this policy setting the Start menu search box will not search for programs or Control Panel items.If you disable or
This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut.If you
This policy setting prevents the system from using NTFS tracking features to resolve a shortcut.If you enable this policy setting
This setting affects the presentation of the Start menu.The classic Start menu in Windows 2000 Professional allows users to be
If you enable this policy and set it to Start menu or full screen Start Start will be that size and users will be unable to change th
This policy setting allows users to go to the desktop instead of the Start screen when they sign in.If you enable this policy setti
Displays Start menu shortcuts to partially installed programs in gray text.This setting makes it easier for users to distinguish be
This setting affects the notification area (previously called the "system tray") on the taskbar.Description: The notification area
This policy setting allows desktop apps to be listed first in the Apps view in Start.If you enable this policy setting desktop apps
This policy setting allows you to lock all taskbar settings.If you enable this policy setting the user cannot access the taskbar con
This setting affects the taskbar which is used to switch between running applications.The taskbar includes the Start button list
This policy setting allows pinning apps to Start by default when they are included by AppID on the list.
This policy setting allows you to prevent changes to Taskbar and Start Menu Settings.If you enable this policy setting The user
This setting affects the taskbar buttons used to switch between running programs.Taskbar grouping consolidates similar applic
This policy setting allows you to prevent users from adding or removing toolbars.If you enable this policy setting the user is no
This policy setting allows you to prevent users from changing their Start screen layout.If you enable this setting you will preven
This policy setting allows you to prevent users from moving taskbar to another screen dock location.If you enable this policy se
This policy setting allows you to prevent users from rearranging toolbars.If you enable this policy setting users are not able to
This policy setting allows you to prevent users from resizing the taskbar.If you enable this policy setting users are not be able t
If you enable this setting users cannot uninstall apps from Start.If you disable this setting or do not configure it users can acces
This policy allows you to prevent the Start Menu from displaying a list of recently installed applications.If you enable this polic
This policy setting allows you to remove access to the context menus for the taskbar.If you enable this policy setting the menu
If you enable this setting the Start Menu will either collapse or remove the all apps list from the Start menu.Selecting "Collapse
This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen:
Hides pop-up text on the Start menu and in the notification area.When you hold the cursor over an item on the Start menu or
Prevents the clock in the system notification area from being displayed.If you enable this setting the clock will not be displayed
Removes items in the All Users profile from the Programs menu on the Start menu.By default the Programs menu contains ite
This policy setting allows you to remove the Default Programs link from the Start menu.If you enable this policy setting the De
This policy setting allows you to remove the Documents icon from the Start menu and its submenus.If you enable this policy se
This policy setting allows you to remove the Downloads link from the Start Menu.If you enable this policy setting the Start Men
Prevents users from adding the Favorites menu to the Start menu or classic Start menu.If you enable this setting the Display Fa
If you enable this setting the frequently used programs list is removed from the Start menu.If you disable this setting or do not
If you enable this policy the start menu will not show a link to the Games folder.If you disable or do not configure this policy th
This policy setting allows you to remove the Help command from the Start menu.If you enable this policy setting the Help com
If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Star
This policy setting allows you to remove links and access to Windows Update.If you enable this policy setting users are preven
This policy setting allows you to removes the "Log Off <username>" item from the Start menu and prevents users from restori
This policy setting allows you to remove the Music icon from Start Menu.If you enable this policy setting the Music icon is no lo
This policy setting allows you to remove Network Connections from the Start Menu.If you enable this policy setting users are p
This policy setting allows you to remove the Network icon from Start Menu.If you enable this policy setting the Network icon i
This policy setting removes Notifications and Action Center from the notification area on the taskbar.The notification area is lo
This policy setting allows you to remove the Pictures icon from Start Menu.If you enable this policy setting the Pictures icon is
This policy setting allows you to remove pinned programs from the taskbar.If you enable this policy setting pinned programs a
If you enable this setting the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start m
This policy setting allows you to remove programs on Settings menu.If you enable this policy setting the Control Panel Printers
Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu.The Recen
This policy setting allows you to remove the Recorded TV link from the Start Menu.If you enable this policy setting the Start M
Allows you to remove the Run command from the Start menu Internet Explorer and Task Manager.If you enable this setting th
If you enable this policy the "See all results" link will not be shown when the user performs a search in the start menu search b
This policy setting allows you to remove the Search link from the Start menu and disables some File Explorer search elements.
If you enable this policy a "See more results" / "Search Everywhere" link will not be shown when the user performs a sea
If you enable this setting the "Undock PC" button is removed from the simple Start Menu and your PC cannot be undocked.If y
This policy setting allows you to remove the battery meter from the system control area.If you enable this policy setting the ba
This policy setting allows you to remove the Meet Now icon from the system control area.If you enable this policy setting the M
This policy setting allows you to remove the networking icon from the system control area.If you enable this policy setting the
This policy allows you to remove the People Bar from the taskbar and disables the My People experience.If you enable this po
This policy setting allows you to remove Security and Maintenance from the system control area.If you enable this policy settin
This policy setting allows you to remove the volume control icon from the system control area.If you enable this policy setting
If you enable this policy the start menu will not show a link to the user's storage folder.If you disable or do not configure this p
This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003.If
Hides all folders on the user-specific (top) section of the Start menu. Other items appear but folders are hidden.This setting is
This policy setting allows you to remove the Videos link from the Start Menu.If you enable this policy setting the Start Menu do
This policy setting prevents the user from searching apps files settings (and the web if enabled) when the user searches from t
This policy setting shows or hides the "Run as different user" command on the Start application bar.If you enable this setting u
By default the calendar is set according to the locale of the operating system and users can show an additional calendar. For z
If you enable this policy setting you can configure Start menu to show or hide the list of user's most used apps regardless of us
This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar.If you enable this policy setting the QuickL
This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. Th
This policy setting allows the Apps view to be opened by default when the user goes to Start.If you enable this policy setting th
This policy setting allows users to see Windows Store apps on the taskbar. If you enable this policy setting users will see Windo
Specifies the Start layout for users.This setting lets you specify the Start layout for users and prevents them from changing its
This policy setting allows you to turn off all notification balloons.If you enable this policy setting no notification balloons are sh
This policy setting allows you to turn off automatic promotion of notification icons to the taskbar.If you enable this policy setti
This policy setting allows you to turn off feature advertisement balloon notifications.If you enable this policy setting certain no
This setting affects the notification area also called the "system tray."The notification area is located in the task bar generally a
Disables personalized menus.Windows personalizes long menus by moving recently used items to the top of the menu and hid
This policy setting allows you to turn off taskbar thumbnails.If you enable this policy setting the taskbar thumbnails are not dis
This policy setting allows you to turn off user tracking.If you enable this policy setting the system does not track the programs
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. If
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. If y
This policy setting blocks voice and video calls during Quiet Hours. If you enable this policy setting voice and video call
This policy setting turns off notification mirroring. If you enable this policy setting notifications from applications an
This policy setting turns off Quiet Hours functionality. If you enable this policy setting toast notifications will not b
This policy setting turns off tile notifications. If you enable this policy setting applications and system features will no
This policy setting turns off toast notifications for applications. If you enable this policy setting applications will not b
This policy setting turns off toast notifications on the lock screen. If you enable this policy setting applications will not
This policy setting determines how programs interpret two-digit years.This policy setting affects only the programs that use th
Specifies an alternate user interface.The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface bu
This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on.If you
Prevents Windows from running the programs you specify in this policy setting.If you enable this policy setting users cannot ru
This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that
Disables the Windows registry editor Regedit.exe.If you enable this policy setting and the user tries to start Regedit.exe a mes
This policy setting prevents users from running the interactive command prompt Cmd.exe. This policy setting also determines
This policy setting allows you to restrict programs from being run from online Help. If you enable this policy settin
Limits the Windows programs that users have permission to run on the computer.If you enable this policy setting users can on
This setting controls automatic updates to a user's computer.Whenever a user connects to the Internet Windows searches for
This policy setting prevents users from changing their Windows password on demand.If you enable this policy setting the 'Cha
This policy setting prevents users from locking the system.While locked the desktop is hidden and the system cannot be used.
This policy setting disables or removes all menu items and buttons that log the user off the system.If you enable this policy setti
This policy setting prevents users from starting Task Manager.Task Manager (taskmgr.exe) lets users start and stop programs;
Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a disp
Determines how the system responds when a user tries to install device driver files that are not digitally signed.This setting est
This setting configures the location that Windows searches for drivers when a new piece of hardware is found.By default Wind
Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the In
This policy setting allows you to control whether all redirected shell folders such as Contacts Documents Desktop Favorites Mu
This policy setting allows you to control whether individual redirected shell folders are available offline by default.For the folde
This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or si
This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to im
This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Progra
This policy setting determines which domain controller the Group Policy Object Editor snap-in uses.If you enable this setting yo
This policy setting defines a slow connection for purposes of applying and updating Group Policy.If the rate at which data is tra
This policy setting allows you to create new Group Policy object links in the disabled state.If you enable this setting you can cre
This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data.By default interactively logged o
This policy setting prevents administrators from viewing or using Group Policy preferences.A Group Policy administration (.adm
This policy setting allows you to set the default display name for new Group Policy objects.This setting allows you to specify th
This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This
Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy O
This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources.If yo
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file typ
This policy setting specifies whether to allow this client to download print driver packages over HTTP.To set up HTTP printing n
Turns off data sharing from the handwriting recognition personalization tool.The handwriting recognition personalization tool
Turns off the handwriting recognition error reporting tool.The handwriting recognition error reporting tool enables users to re
This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience
This policy setting specifies whether users can provide ratings for Help content.If you enable this policy setting ratings controls
This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering w
This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandl
This policy setting specifies whether to allow printing over HTTP from this client.Printing over HTTP allows a client to print to p
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.The Orde
This policy setting specifies whether the tasks "Publish this file to the Web" "Publish this folder to the Web" and "Publish the s
This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger so
This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows O
This policy setting prevents users from changing their user geographical location (GeoID).If you enable this policy setting users
This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to th
This policy setting prevents the user from customizing their locale by changing their user overrides.Any existing overrides in pl
This policy setting restricts users on a computer to the specified list of user locales. If the list is empty it locks all user locales to
This policy setting ignores the customized run list.You can create a customized list of additional programs and documents that
This policy setting ignores customized run-once lists.You can create a customized list of additional programs and documents th
This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the s
This security feature provides a means to override individual process MitigationOptions settings. This can be used to enfo
This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hiberna
Configure access to all removable storage classes.This policy setting takes precedence over any individual removable storage p
This policy setting denies read access to the CD and DVD removable storage class.If you enable this policy setting read access i
This policy setting denies write access to the CD and DVD removable storage class.If you enable this policy setting write access
This policy setting denies read access to custom removable storage classes.If you enable this policy setting read access is denie
This policy setting denies write access to custom removable storage classes.If you enable this policy setting write access is den
This policy setting denies read access to the Floppy Drives removable storage class including USB Floppy Drives.If you enable t
This policy setting denies write access to the Floppy Drives removable storage class including USB Floppy Drives.If you enable t
This policy setting denies read access to removable disks.If you enable this policy setting read access is denied to this removab
This policy setting denies write access to removable disks.If you enable this policy setting write access is denied to this remova
This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a c
This policy setting denies read access to the Tape Drive removable storage class.If you enable this policy setting read access is
This policy setting denies write access to the Tape Drive removable storage class.If you enable this policy setting write access i
This policy setting denies read access to removable disks which may include media players cellular phones auxiliary displays an
This policy setting denies write access to removable disks which may include media players cellular phones auxiliary displays a
This policy setting displays the instructions in logoff scripts as they run.Logoff scripts are batch files of instructions that run wh
This policy setting displays the instructions in logon scripts as they run.Logon scripts are batch files of instructions that run whe
This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. Logon scripts are batch files o
This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface progr
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during us
This policy setting restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those used in
This policy setting lets you exclude folders that are normally included in the user's profile. As a result these folders do not need
This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reach
This policy setting allows you to specify which network directories will be synchronized only at logon and logoff via Offline File
By default Add features to Windows 10 is available for all administrators. If you enable this policy setting the wizard will not ru
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Be
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI schem
This setting exists only for backward compatibility and is not valid for this version of Windows. To configure the Program Comp
This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachment
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachmen
This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types
This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types Wind
This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk fi
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are reg
This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments.Preferring th
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting AutoPlay is
This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when a device is connected.
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.i
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert
This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disab
This policy setting lets you configure Windows spotlight on the lock screen.If you enable this policy setting "Windows spotlight
If you enable this policy Windows spotlight features like lock screen spotlight suggested apps in Start menu or Windows tips w
This policy setting lets you prevent Windows from using diagnostic data to provide tailored experiences to the user.If you enab
This policy setting lets you turn off all Windows Spotlight features at once.If you enable this policy setting Windows spotlight o
This policy setting lets you turn off the Windows Spotlight Windows Welcome experience. This feature helps onboard users to
If you enable this policy Windows Spotlight notifications will no longer be shown on Action Center.If you disable or do not con
If you enable this policy Windows Spotlight suggestions will no longer be shown in Settings app.If you disable or do not configu
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.If you
By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restric
This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be deployed as compressed
This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the
This policy setting allows you to turn off desktop gadgets that have been installed by the user.If you enable this setting Window
This policy setting allows you to configure the accessibility of the Flip 3D feature. Flip 3D allows the user to view items on the W
This policy setting controls the appearance of window animations such as those found when restoring minimizing and maximiz
This policy setting controls the ability to change the color of window frames. If you enable this policy setting you prevent users
This policy setting controls the default color for window frames when the user does not specify a color. If you enable this polic
Specifies whether Digital Locker can run.Digital Locker is a dedicated download manager associated with Windows Marketplac
If you disable this policy setting users will not be able to invoke any system UI by swiping in from any screen edge.If you enabl
Disables help tips that Windows shows to the user.By default Windows will show the user help tips until the user has successfu
This policy setting allows you to prevent the last app and the list of recent apps from appearing when the mouse is pointing to
This policy setting allows you to prevent users from replacing the Command Prompt with Windows PowerShell in the menu th
This policy setting allows you to prevent Search Share Start Devices and Settings from appearing when the mouse is pointing t
If you enable this setting users will not be allowed to switch between recent apps. The App Switching option in the PC settings
This policy setting prevents Windows from keeping track of the apps that are used and searched most frequently. If you enabl
This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting Windows is d
Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorag
This policy setting allows you to specify a list of known folders that should be disabled. Disabling a known folder will prevent t
Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin.If you en
This policy setting configures File Explorer to always display the menu bar.Note: By default the menu bar is not displayed in Fil
This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explor
This policy setting prevents the display of the Welcome Center at user logon.If you enable this policy setting the Welcome Cen
When a file or folder is deleted in File Explorer a copy of the file or folder is placed in the Recycle Bin. Using this setting you ca
Prevents users from submitting alternate logon credentials to install a program.This setting suppresses the "Install Program As
This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the u
This policy setting allows you to hide these specified drives in My Computer.This policy setting allows you to remove the icons
Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer
This policy setting allows you to specify a location where all default Library definition files for users/machines reside.If you ena
Limits the percentage of a volume's disk space that can be used to store deleted files.If you enable this setting the user has a m
This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on th
This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File
Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Ne
This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search resul
This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu
Prevents users from using My Computer to gain access to the content of selected drives.If you enable this setting users can br
This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Us
Prevents users from using File Explorer or Network Locations to map or disconnect network drives.If you enable this setting th
This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if y
This policy setting allows you to remove the DFS tab from File Explorer.If you enable this policy setting the DFS (Distributed File
Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item.If you enab
Removes the File menu from My Computer and File Explorer.This setting does not prevent users from using other methods to
Removes the Hardware tab.This setting removes the Hardware tab from Mouse Keyboard and Sounds and Audio Devices in Co
This policy setting allows you to remove the Search button from the File Explorer toolbar.If you enable this policy setting the S
Removes the Security tab from File Explorer.If you enable this setting users opening the Properties dialog box for all file system
This policy setting allows you to remove the Shared Documents folder from My Computer.When a Windows client is in a work
If you enable this policy the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer w
Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel.When this Display
This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the mo
Prompts users for alternate logon credentials during network-based installations.This setting displays the "Install Program As O
This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are o
This policy setting allows you to turn off caching of thumbnail pictures.If you enable this policy setting thumbnail views are not
This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with
Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the regist
This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical orde
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full fun
Turns off the caching of thumbnails in hidden thumbs.db files.This policy setting allows you to configure File Explorer to cache
This policy setting allows you to turn off the display of snippets in Content view mode.If you enable this policy setting File Expl
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders.File Explore
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer.File Exp
Turn off Windows Key hotkeys.Keyboards with a Windows key provide users with shortcuts to common shell features. For exa
This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. If y
This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior.If you enable this settin
Hide the Back button in the Open dialog box.This policy setting lets you remove new features added in Microsoft Windows 200
Removes the shortcut bar from the Open dialog box.This setting and others in this folder lets you remove new features added
Removes the list of most recently used files from the Open dialog box.If you disable this setting or do not configure it the "File
Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify f
Hides the Preview Pane in File Explorer.If you enable this policy setting the Preview Pane in File Explorer is hidden and cannot
This policy setting shows or hides the Details Pane in File Explorer.If you enable this policy setting and configure it to hide the p
This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come fr
This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from th
This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backu
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a p
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a p
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous
Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID) but can only
This policy setting controls the version of Microsoft IME.â€‹If you donâ€™t configure this policy setting user can control IME ve
This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Gly
This policy setting allows you to restrict character code range of conversion by setting character filter.If you enable this policy
This policy setting allows you to turn off the ability to use a custom dictionary.If you enable this policy setting you cannot add e
This policy setting allows you to turn off history-based predictive input.If you enable this policy setting history-based predictive
This policy setting allows you to turn off Internet search integration.Search integration includes both using Search Provider (Ja
This policy setting allows you to turn off Open Extended Dictionary.If you enable this policy setting Open Extended Dictionary i
This policy setting allows you to turn off saving the auto-tuning result to file.If you enable this policy setting the auto-tuning da
This policy setting controls the cloud candidates feature which uses an online service to provide input suggestions that don't e
This policy setting controls the cloud candidates feature which uses an online service to provide input suggestions that don't e
This policy setting controls the lexicon update feature which downloads hot and popular words lexicon to local PC.If you enabl
This policy setting controls the live sticker feature which uses an online service to provide stickers online.If you enable this pol
This policy setting allows you to turn on logging of misconversion for the misconversion report.If you enable this policy setting
Set up the menu name and URL for the custom Internet search provider.If you enable this setting the specified menu name an
This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally se
This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode.If you enable this policy "
This policy setting allows you to revert to the Internet Explorer 8 behavior of allowing OnUnLoad script handlers to display UI d
This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide e
This policy setting allows you to configure whether newly installed add-ons are automatically activated in the Internet Explore
Allows Administrators to enable and disable the Media Explorer Bar and set the auto-play default.The Media Explorer Bar play
Allows Administrators to enable and disable the ability for Outlook Express users to save or open attachments that can potenti
Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this pol
This policy setting allows you to customize the Internet Explorer version string as reported to web servers in the HTTP User Ag
This AutoComplete feature suggests possible matches when users are filling up forms.If you enable this setting the user is not
Prevents automatic proxy scripts which interact with a server to automatically configure users' proxy settings from being store
If you enable this policy the user cannot modify the Accessibility options. All options in the "Accessibility" window on the Gene
Prevents users from changing settings on the Advanced tab in the Internet Options dialog box.If you enable this policy users ar
This setting specifies to automatically detect the proxy server settings used to connect to the Internet and customize Internet
Prevents users from changing the default programs for managing schedules and contacts.If you enable this policy the Calenda
Prevents users from changing certificate settings in Internet Explorer. Certificates are used to verify the identity of software pu
Prevents users from changing the default Web page colors.If you enable this policy the color settings for Web pages appear di
Prevents users from changing dial-up settings.If you enable this policy the Settings button on the Connections tab in the Intern
Prevents Microsoft Internet Explorer from checking to see whether it is the default browser.If you enable this policy the Intern
Prevents users from changing font settings.If you enable this policy users will not be able to change font settings for viewing W
The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer
Prevents users from changing language preference settings.If you enable this policy users will not be able to set language pref
Prevents users from changing the colors of links on Web pages.If you enable this policy the color settings for links appear dimm
Prevents users from changing the default programs for messaging tasks.If you enable this policy the E-mail Newsgroups and In
Prevents users from changing Profile Assistant settings.If you enable this policy the My Profile button appears dimmed in the P
Prevents users from changing ratings that help control the type of Internet content that can be viewed.If you enable this polic
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page wheneve
Prevents users from changing the browser cache settings such as the location and amount of disk space to use for the Tempor
Prevents branding of Internet programs such as customization of Internet Explorer and Outlook Express logos and title bars by
This policy settings disables the Import/Export Settings wizard. This wizard allows you to import settings from another browse
Prevents users from running the Internet Connection Wizard.If you enable this policy the Setup button on the Connections tab
This policy lets you restrict launching of Internet Explorer as a standalone browser.If you enable this policy it:- Prevents Intern
Prevents users from restoring default settings for home and search pages.If you enable this policy the Reset Web Settings butt
Specifies that error messages will be displayed to users if problems occur with proxy scripts.If you enable this policy error mes
This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager.If y
This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys such as "Ctrl+S" to have "Save
This policy setting allows you to enforce full-screen mode which disables the navigation bar the menu bar and the Command b
Prevents users from configuring unique identities by using Identity Manager.Identity Manager enables users to create multiple
Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the â€˜Send all sites not in
This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionall
This policy setting allows you to control which Domains are included in the discovery functionality of the Internet Explorer Site
This policy setting allows you to control which site zones are included in the discovery functionality of the Internet Explorer Sit
This policy setting allows you to choose whether users will be notified if Internet Explorer is not the default web browser.If you
This policy setting allows you to specify a list of web sites that will be allowed to open pop-up windows regardless of the Intern
This policy setting positions the menu bar above the navigation bar. The navigation bar contains icons for a variety of features
This policy setting prevents the user from using the "Fix settings" functionality related to Security Settings Check.If you enable
This policy setting prevents the user from accessing Help in Internet Explorer.If you enable this policy setting the following occ
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the us
This policy setting prevents the user from changing the level of pop-up filtering. The available levels are as follows: High: Bloc
This policy setting specifies if a user can change proxy settings.If you enable this policy setting the user will not be able to confi
This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box
This policy setting allows you to configure how windows open in Internet Explorer when the user clicks links from other applic
This policy setting allows you to configure how new tabs are created by default in Internet Explorer.If you enable this policy se
This policy setting prevents the Search box from appearing in Internet Explorer. When the Search box is available it includes al
You can allow pop-ups from specific websites by adding the sites to the exception list.If you enable this policy setting the user
This policy setting prevents the user from managing SmartScreen Filter which warns the user if the website being visited is kno
This policy setting prevents the user from managing a filter that warns the user if the website being visited is known for fraudu
This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).If you enable
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.If you enable this policy setting
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after in
This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those define
Disables using the F3 key to search in Internet Explorer and File Explorer.If you enable this policy the search functionality of th
Makes the Customize button in the Search Assistant appear dimmed.The Search Assistant is a tool that appears in the Search b
This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use
This policy setting allows you to set the rate at which Internet Explorer creates new tab processes. There are two algorithms th
This policy setting lets you decide whether employees see an additional page in Internet Explorer 11 stating that a site has bee
This policy setting allows you to specify what is displayed when the user opens a new tab.If you enable this policy setting you c
This policy setting allows you to specify how ActiveX controls are installed.If you enable this policy setting ActiveX controls are
This policy setting allows you to manage whether users can pin sites to locations where pinning is allowed such as the taskbar
This policy setting allows you to turn off the ActiveX Opt-In prompt. ActiveX Opt-In prevents websites from loading any ActiveX
This policy setting prevents Internet Explorer from displaying a notification when the average time to load all the user's enable
This policy setting turns off Automatic Crash Recovery.If you enable this policy setting Automatic Crash Recovery does not pro
This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data
This policy setting allows you to define the user experience related to how pop-up windows appear in tabbed browsing in Inte
This policy setting allows you to manage the crash detection feature of add-on Management.If you enable this policy setting a
This policy setting allows you to manage whether a user has access to the Favorites bar in Internet Explorer.If you enable this p
This policy setting allows the user to enable the SmartScreen Filter which warns the user if the website being visited is known
This policy setting prevents the user from zooming in to or out of a page to better see the content.If you enable this policy setti
This policy setting allows you to manage pop-up management functionality in Internet Explorer.If you enable this policy setting
This policy setting allows you to turn off the Quick Tabs functionality in Internet Explorer.If you enable this policy setting the e
This policy setting allows you to manage whether a user has access to the Reopen Last Browsing Session feature in Internet Ex
This policy setting allows you to turn off suggestions for all user-installed search providers.If you enable this policy setting the
This policy setting allows you to manage whether the user has access to Tab Grouping in Internet Explorer.If you enable this p
This policy setting allows you to turn off tabbed browsing and related entry points from the Internet Explorer user interface. S
This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar.If y
This policy setting allows you to prevent the quick pick menu from appearing when a user clicks in the Search box.If you enabl
This policy setting turns off the Security Settings Check feature which checks Internet Explorer security settings to determine w
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to
This policy setting logs information that is blocked by new features in Internet Explorer. The logged compatibility information i
This policy setting allows you to turn on or turn off the earlier menus (for example File Edit and View) in Internet Explorer.If yo
This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site discovery Toolkit(SDTK). W
This policy setting allows you to manage the XML output functionality of the Internet Explorer Site discovery Toolkit(SDTK). Wh
This policy setting controls the Suggested Sites feature which recommends websites based on the userâ€™s browsing activity.
This AutoComplete feature can remember and suggest User names and passwords on Forms.If you enable this setting the use
Specifies that Automatic Detection will be used to configure dial-up settings for users.Automatic Detection uses a DHCP (Dyna
This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE instead of Stan
This policy setting allows you to add default Accelerators.If you enable this policy setting the specified Accelerators are added
This policy setting allows you to add non-default Accelerators.If you enable this policy setting the specified Accelerators are ad
This policy setting restricts the list of Accelerators that the user can access to only the set deployed through Group Policy.If yo
This policy setting allows you to manage whether users can access Accelerators.If you enable this policy setting users cannot a
Designates the Audio/Video Player ActiveX control as administrator-approved.This control is used for playing sounds videos an
Designates the Microsoft Network (MSN) Carpoint automatic pricing control as administrator-approved.This control enables e
This ActiveX control enables users to edit HTML text and see a faithful rendition of how the text would look in the browser. Th
Designates a set of Microsoft Network (MSN) Investor controls as administrator-approved.These controls enable users to view
Designates a set of Microsoft ActiveX controls used to manipulate pop-up menus in the browser as administrator-approved.If
Designates the Microsoft Agent ActiveX control as administrator-approved.Microsoft Agent is a set of software services that su
Designates the Microsoft Chat ActiveX control as administrator-approved.This control is used by Web authors to build text-bas
Designates Microsoft Scriptlet Component as an administrator approved control. It is an Active X control which is used to rend
Designates Microsoft Survey Control as an administrator approved control.If you enable this policy this control can be run in se
Designates a set of MSNBC controls as administrator-approved.These controls enable enhanced browsing of news reports on
Designates NetShow File Transfer Control as an administrator approved control.If you enable this policy this control can be run
Designates Shockwave flash as an administrator approved control.If you enable this policy this control can be run in security zo
This policy setting allows you to bypass prompting when a script that is running in any process on the computer attempts to pe
This policy setting allows you to bypass prompting when a script that is running in the Internet Explorer process attempts to pe
This policy setting allows you to define applications and processes that can access the Clipboard without prompting the user.N
Prevents using the shortcut menu to open a link in a new browser window.If you enable this policy users cannot point to a link
Prevents users from saving a program or file that Microsoft Internet Explorer has downloaded to the hard disk.If you enable th
Prevents users from closing Microsoft Internet Explorer and File Explorer.If you enable this policy the Close command on the F
Prevents users from opening a new browser window from the File menu.If this policy is enabled users cannot open a new brow
Prevents users from opening a file or Web page from the File menu in Internet Explorer.If you enable this policy the Open dial
Prevents users from saving the complete contents that are displayed on or run from a Web page including the graphics scripts
Prevents users from saving Web pages from the browser File menu to their hard disk or to a network share.If you enable this p
Prevents users from displaying tips for users who are switching from Netscape.If you enable this policy the For Netscape Users
Prevents users from sending feedback to Microsoft by clicking the Send Feedback command on the Help menu.If you enable t
Prevents users from viewing or changing the Tip of the Day interface in Microsoft Internet Explorer.If you enable this policy th
Prevents users from running the Internet Explorer Tour from the Help menu in Internet Explorer.If you enable this policy the T
Prevents users from adding removing editing or viewing the list of Favorite links.The Favorites list is a way to store popular link
Prevents users from opening the Internet Options dialog box from the Tools menu in Microsoft Internet Explorer.If you enable
This policy setting allows you to manage whether users can access the Print menu. Starting with Windows 8 this policy setting
This policy setting prevents the shortcut menu from appearing when a user right-clicks a webpage while using Internet Explore
This policy setting allows you to manage whether users can launch the report site problems dialog using a menu option.If you
Prevents users from displaying the browser in full-screen (kiosk) mode without the standard toolbar.If you enable this policy t
Prevents users from viewing the HTML source of Web pages by clicking the Source command on the View menu.If you enable
This policy controls the website compatibility lists that Microsoft provides. The updated website lists are available on Window
This policy setting controls the Compatibility View feature which allows the user to fix website display problems that he or she
This policy setting controls the Compatibility View button that appears on the Command bar. This button allows the user to fix
This policy setting allows you to turn on Internet Explorer 7 Standards Mode. Compatibility View determines how Internet Exp
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage t
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.If you enable
Compatibility View determines how Internet Explorer identifies itself to a web server and determines whether content is rend
This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences sele
This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Tempor
This policy setting prevents the user from performing actions which will delete browsing history. For more information on brow
In Internet Explorer 9 and Internet Explorer 10:This policy setting prevents users from deleting ActiveX Filtering and Tracking P
This policy setting prevents the user from deleting cookies. This feature is available in the Delete Browsing History dialog box.I
This policy setting prevents the user from deleting his or her download history. This feature is available in the Delete Browsing
This policy setting prevents the user from deleting favorites site data. This feature is available in the Delete Browsing History d
This policy setting prevents the user from deleting form data. This feature is available in the Delete Browsing History dialog bo
This policy setting prevents the user from deleting InPrivate Filtering data. Internet Explorer collects InPrivate Filtering data du
This policy setting prevents users from deleting passwords. This feature is available in the Delete Browsing History dialog box.I
This policy setting prevents the user from deleting temporary Internet files. This feature is available in the Delete Browsing His
This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in
This policy setting is used to manage temporary Internet files and cookies associated with your Internet browsing history avail
Removes the Advanced tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented
Removes the Connections tab from the interface in the Internet Options dialog box.If you enable this policy users are prevente
If you enable this policy setting users are prevented from seeing and changing ratings certificates AutoComplete Wallet and Pr
Removes the General tab from the interface in the Internet Options dialog box.If you enable this policy users are unable to see
Removes the Privacy tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented fro
Removes the Programs tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented
Removes the Security tab from the interface in the Internet Options dialog box.If you enable this policy it prevents users from
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors th
This policy setting allows you to manage whether Internet Explorer converts Unicode domain names to internationalized dom
This policy setting allows you to manage whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) for mai
This policy setting allows you to manage whether users receive a dialog requesting permission for active content on a CD to ru
This policy setting allows you to manage whether users can download and install self-installing program files (non-Internet Exp
This policy setting allows you to manage whether users can automatically download and install Web components (such as fon
This policy setting determines whether Internet Explorer uses the HTTP2 network protocol. HTTP2 requests help optimize the
This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests
This policy setting allows you to manage whether software such as ActiveX controls and file downloads can be installed or run
This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as browser helper objects
This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header.If you enable this policy
This policy setting allows you to manage whether Internet Explorer checks the Internet for newer versions. When Internet Exp
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certific
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. Wh
This policy setting prevents the user from using the Reset Internet Explorer Settings feature. Reset Internet Explorer Settings a
This policy setting allows you to manage whether Internet Explorer will save encrypted pages that contain secure (HTTPS) info
This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder
This policy setting allows you to manage whether Internet Explorer will display animated pictures found in Web content. Gene
This policy setting allows you to manage whether Internet Explorer will play sounds found in web content. Generally only soun
This policy setting allows you to manage whether Internet Explorer will display videos found in Web content. Generally only em
This policy setting prevents the text on the screen from being rendered through the ClearType technology that enhances the r
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0 TLS 1.1 TLS 1.2 Secure Sockets Layer (SS
This policy setting determines whether Internet Explorer preemptively loads websites and content in the background speeding
This policy setting specifies whether you will accept requests from Web sites for Profile Assistant information.If you enable thi
This policy setting determines whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) to encode query s
This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (fo
This policy setting allows you to turn Caret Browsing on or off. Caret Browsing allows users to browse to a webpage by using th
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versio
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1.If you enable this policy setting Internet Exp
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1 through proxy connections.If you enable thi
This policy setting shows the Content Advisor setting on the Content tab of the Internet Options dialog box.If you enable this p
This policy setting configures what Internet Explorer displays when a new browsing session is started. By default Internet Explo
This policy setting allows websites to store file resources in application caches on client computers.If you enable this policy setti
This policy setting allows websites to store indexed database cache information on client computers.If you enable this policy s
This policy setting sets file storage limits for application caches of websites that have been allowed to exceed their storage lim
This policy setting sets the number of days an inactive application cache will exist before it is removed. If the application cache
This policy setting sets data storage limits for indexed database and application caches for individual websites. When you set t
This policy setting sets data storage limits for indexed databases of websites that have been allowed to exceed their storage li
This policy setting sets the maximum size for an individual resource file contained in a manifest file. The manifest file is used to
This policy setting sets the maximum number of resource entries that can be specified in a manifest file associated with an app
This policy setting sets the file storage limit for all combined application caches for a user. When you set this policy setting you
This policy setting sets the data storage limit for all combined indexed databases for a user. When you set this policy setting yo
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level for exa
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.If you enable thi
This policy setting controls whether sites which bypass the proxy server are mapped into the local Intranet security zone.If you
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone nu
This policy setting enables intranet mapping rules to be applied automatically if the computer belongs to a domain.If you enab
This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned o
This policy setting causes a Notification bar notification to appear when intranet content is loaded and the intranet mapping ru
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can r
This policy setting allows you to manage whether script code on pages in the zone is run.If you enable this policy setting script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example cut copy and paste) i
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts.If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted ClickOn
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.If you enable this po
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script.If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets.If you enable this policy setting the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone.If you enable this p
This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.If
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed.If you enable this policy setting scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations.If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls to check if they'
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe.If you enable this policy setting ActiveX controls a
This policy setting allows you to manage permissions for Java applets.If you enable this policy setting you can choose options f
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options.If you enable this policy setting you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone.If you enable this policy setting y
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone.If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions.If you enable this policy setting you can choose the foll
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history in favorites in an XML store o
This policy setting allows you to manage whether Web sites from less privileged zones such as Restricted Sites can navigate int
This policy setting allows you to manage whether Web sites from less privileged zones such as Internet sites can navigate into
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Trusted Sites Zone
This policy setting configures Internet Explorer to open Internet Explorer tiles on the desktop.If you enable this policy setting In
This policy setting allows you to choose how links are opened in Internet Explorer: Let Internet Explorer decide always in Inter
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.If you enable this policy se
This policy setting allows you to manage if users can see the button (next to the New Tab button) that opens Microsoft Edge.If
This policy setting specifies how you want links on webpages to be underlined.If you enable this policy setting a user cannot ch
This policy setting specifies whether when there is a problem connecting with an Internet server to provide a detailed descripti
This policy setting specifies if as you move from one Web page to another Internet Explorer fades out of the page you are leav
This policy setting determines whether phone numbers are recognized and turned into hyperlinks which can be used to invoke
This policy setting specifies whether smooth scrolling is used to display content at a predefined speed.If you enable this policy
This policy setting allows you to turn on your script debugger if one is installed. Website developers use script debuggers to te
This policy setting specifies whether to display script errors when a page does not appear properly because of problems with i
This policy setting determines whether the Internet Connection Wizard was completed. If the Internet Connection Wizard was
This policy setting specifies whether Internet Explorer plays media files that use alternative codecs and that require additional
This policy setting specifies whether placeholders appear for graphical images while the images are downloading. This allows i
This policy setting specifies that you want Internet Explorer to automatically resize large images so that they fit in the browser
This policy setting specifies whether graphical images are included when pages are displayed.Sometimes pages that contain se
This policy setting specifies whether you want Internet Explorer to smooth images so that they appear less jagged when displa
This policy setting specifies whether Internet Explorer prints background colors and images when the user prints a webpage. In
This policy setting specifies whether the user can conduct a search on the Address bar.If you enable this policy setting you mu
This policy setting allows you to specify whether a user can browse to the website of a top result when search is enabled on th
This policy setting allows Internet Explorer to be started automatically to complete the signup process after the branding is co
This policy setting let you turn off Inline AutoComplete in File Explorer. Inline AutoComplete provides suggestions for what you
This policy setting turns off URL Suggestions. URL Suggestions allow users to autocomplete URLs in the address bar based on c
This policy setting allows you to prevent Windows Search AutoComplete from providing results in the Internet Explorer Addre
This policy setting allows you to turn on inline AutoComplete in Internet Explorer and File Explorer. The AutoComplete feature
This policy setting prevents the user from choosing the default text size in Internet Explorer.If you enable this policy setting the
This policy setting prevents the user from specifying the background color in Internet Explorer.If you enable this policy setting
This policy setting prevents the user from specifying the text color in Internet Explorer.If you enable this policy setting the user
This policy setting prevents the user from using Windows colors as a part of the display settings.If you enable this policy settin
This policy setting prevents the user from specifying the color of webpage links that he or she has already clicked. Appropriate
This policy setting prevents the user from specifying the color of webpage links that he or she has not yet clicked. Appropriate
This policy setting prevents the user from specifying the color to which hyperlinks change when the mouse pointer pauses on
This policy setting makes hyperlinks change color when the mouse pointer pauses on them.If you enable this policy setting the
This policy setting specifies whether to use 8-bit Unicode Transformation Format (UTF-8) a standard that defines characters so
Prevents users from adding channels to Internet Explorer.Channels are Web sites that are updated automatically on your com
Prevents users from specifying that Web pages can be downloaded for viewing offline. When users make Web pages available
Disables existing schedules for downloading Web pages for offline viewing.When users make Web pages available for offline v
Prevents users from viewing the Channel bar interface. Channels are Web sites that are automatically updated on their compu
Prevents content from being downloaded from Web sites that users have subscribed to.When users make Web pages availabl
Prevents users from adding editing or removing schedules for offline viewing of Web pages and groups of Web pages that use
Prevents users from editing an existing schedule for downloading Web pages for offline viewing.When users make Web pages
Prevents channel providers from recording information about when their channel pages are viewed by users who are working
Prevents users from disabling channel synchronization in Microsoft Internet Explorer.Channels are Web sites that are automati
Prevents users from clearing the preconfigured settings for Web pages to be downloaded for offline viewing.When users make
Restricts the amount of information downloaded for offline viewing.If you enable this policy you can set limits to the size and
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Internet security zone.I
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Local Intranet security
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Local Computer securit
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Restricted Sites security
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Trusted Sites security z
This policy setting allows you to establish the threshold for InPrivate Filtering Automatic mode.The threshold sets the number
This policy setting allows you to establish the threshold for Tracking Protection Automatic mode.The threshold sets the numbe
This policy setting allows you to choose whether or not toolbars and Browser Helper Objects (BHOs) are loaded by default dur
This policy setting allows you to turn off the collection of data used by the InPrivate Filtering Automatic mode.The data consist
This policy setting allows you to turn off the InPrivate Browsing feature.InPrivate Browsing prevents Internet Explorer from sto
This policy setting allows you to turn off InPrivate Filtering.InPrivate Filtering helps users control whether third parties can aut
This policy setting allows you to turn off Tracking Protection.Tracking Protection helps users control whether third parties can
This policy setting allows you to hide the reveal password button when Internet Explorer prompts users for a password. The re
This policy setting allows you to turn on or turn off Data URI support. A Data URI allows web developers to encapsulate images
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are
This policy setting allows you to manage whether processes respect add-on management user preferences (as reflected by Ad
This policy setting allows you to ensure that any Internet Explorer add-ons not listed in the 'Add-on List' policy setting are deni
This policy setting allows you to manage whether the listed processes respect add-on management user preferences (as enter
This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX
This setting determines whether IE automatically downloads updated versions of Microsoftâ€™s VersionList.XML. IE uses this fi
This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls
This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX contr
This policy setting determines whether Internet Explorer saves log information for ActiveX controls.If you enable this policy se
This policy setting allows the user to run natively implemented scriptable XMLHTTP.If you enable this policy setting the user ca
This policy setting allows you to change the default connection limit for HTTP 1.1 from 6 connections per host to a limit of you
This policy setting allows you to change the default connection limit for HTTP 1.0 from 6 connections per host to a limit of you
This policy setting allows you to change the default limit of WebSocket connections per server. The default limit is 6; you can s
This policy setting allows you to manage whether documents can request data across third-party domains embedded in the pa
The WebSocket object allows websites to request data across domains from your browser by using the WebSocket protocol. T
This policy setting allows you to choose whether websites can request data across domains by using the XDomainRequest obje
For each zone the Binary and Scripted Behavior security restrictions may be configured to allow only a list of admin-approved
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elemen
This policy setting allows you to manage whether Internet Explorer 9 can install ActiveX controls and other binaries signed wit
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files rece
Internet Explorer places zone restrictions on each Web page it opens which are dependent upon the location of the Web page
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more d
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources host
Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsaf
File Explorer and Internet Explorer may be configured to prevent active content obtained through restricted protocols from ru
Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsaf
For each zone the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
This policy setting allows you to manage whether the Notification bar is displayed for processes other than the Internet Explor
This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or
This policy setting allows you to manage whether the Notification bar is displayed for specific processes when file or code insta
This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or t
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control inst
This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.If you enable this po
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control inst
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that
This policy setting enables blocking of file download prompts that are not user initiated.If you enable this policy setting file dow
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that
Internet Explorer allows scripts to programmatically open resize and reposition windows of various types. The Window Restric
Specifies which buttons will be displayed on the standard toolbar in Microsoft Internet Explorer.If you enable this policy you ca
This policy setting allows you to choose among three different labels for command buttons: show all text labels show selective
Prevents users from determining which buttons appear on the Microsoft Internet Explorer and File Explorer standard toolbars
Prevents users from determining which toolbars are displayed in Microsoft Internet Explorer and File Explorer.If you enable th
This policy setting allows you to manage where tabs are displayed.If you enable this policy setting tabs are displayed on a sepa
This policy setting allows you to show or hide the Command bar.If you enable this policy setting the Command bar is hidden an
This policy setting allows you to show or hide the status bar.If you enable this policy setting the status bar is hidden and the us
This policy setting allows you to lock or unlock the toolbars on the user interface.If you enable this policy setting the toolbars a
This policy setting allows you to lock the Stop and Refresh buttons next to the Back and Forward buttons.If you enable this pol
This policy setting allows you to manage whether the user can access Developer Tools in Internet Explorer.If you enable this p
This policy setting allows you to turn off the toolbar upgrade tool. The toolbar upgrade tool determines whether incompatible
This policy setting allows you increase the size of icons for command buttons.If you enable this policy setting icons for comman
This policy setting turns off the location feature for this computer. If you enable this policy setting the location feature
This policy setting turns off scripting for the location feature. If you enable this policy setting scripts for the location fe
This policy setting turns off the sensor feature for this computer. If you enable this policy setting the sensor feature is
Prevents users from entering author mode.This setting prevents users from opening the Microsoft Management Console (MM
Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins.-- If you enable this setting
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting the snap-in is permitted and can
Permits or prohibits use of this snap-in.If you enable this setting the snap-in is permitted. If you disable the setting the snap-in
This policy setting permits or prohibits the use of this snap-in.If you enable this policy setting the snap-in is permitted and can
Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active D
This policy setting allows you to permit or prohibit use of Application snap-ins (Application preference item types). When proh
This policy setting allows you to permit or prohibit use of the Applications preference extension. When a preference extension
This policy setting allows you to permit or prohibit use of the Control Panel Settings item and all preference extensions listed in
This policy setting allows you to permit or prohibit use of the Control Panel Settings item and all preference extensions listed in
This policy setting allows you to permit or prohibit use of the Data Sources preference extension. When a preference extensio
This policy setting allows you to permit or prohibit use of the Devices preference extension. When a preference extension is p
This policy setting allows you to permit or prohibit use of the Drive Maps preference extension. When a preference extension
This policy setting allows you to permit or prohibit use of the Environment preference extension. When a preference extensio
This policy setting allows you to permit or prohibit use of the Files preference extension. When a preference extension is proh
This policy setting allows you to permit or prohibit use of the Folder Options preference extension. When a preference extens
This policy setting allows you to permit or prohibit use of the Folders preference extension. When a preference extension is pr
This policy setting allows you to permit or prohibit use of the Ini Files preference extension. When a preference extension is pr
This policy setting allows you to permit or prohibit use of the Internet Settings preference extension. When a preference exten
This policy setting allows you to permit or prohibit use of the Local Users and Groups preference extension. When a preferenc
This policy setting allows you to permit or prohibit use of the Network Options preference extension. When a preference exte
This policy setting allows you to permit or prohibit use of the Network Shares preference extension. When a preference exten
This policy setting allows you to permit or prohibit use of the Power Options preference extension. When a preference extens
This policy setting allows you to permit or prohibit use of the Preferences tab. When prohibited the Preferences tab does not a
This policy setting allows you to permit or prohibit use of the Printers preference extension. When a preference extension is p
This policy setting allows you to permit or prohibit use of the Regional Options preference extension. When a preference exte
This policy setting allows you to permit or prohibit use of the Registry preference extension. When a preference extension is p
This policy setting allows you to permit or prohibit use of the Scheduled Tasks preference extension. When a preference exten
This policy setting allows you to permit or prohibit use of the Services preference extension. When a preference extension is p
This policy setting allows you to permit or prohibit use of the Shortcuts preference extension. When a preference extension is
This policy setting allows you to permit or prohibit use of the Start Menu preference extension. When a preference extension
This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between usersâ€
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps.By
This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage
This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package fi
This policy setting configures where the settings package files that contain user settings are stored. If you enable this policy se
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connec
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connec
This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settin
This policy setting configures the synchronization of Windows settings between computers.Certain Windows settings will sync
This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier
This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers r
This policy setting configures the backup of certain user settings for Microsoft Access 2013.Microsoft Access 2013 has user setti
This policy setting configures the backup of certain user settings for Microsoft Access 2016.Microsoft Access 2016 has user setti
This policy setting configures the synchronization of user settings of Calculator.By default the user settings of Calculator synch
This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 a
This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2016 a
This policy setting configures the backup of certain user settings for Microsoft Excel 2013.Microsoft Excel 2013 has user setting
This policy setting configures the backup of certain user settings for Microsoft Excel 2016.Microsoft Excel 2016 has user setting
This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013.Microsoft InfoPath 2013 has user
This policy setting configures the synchronization of user settings of Internet Explorer 10.By default the user settings of Interne
This policy setting configures the synchronization of user settings of Internet Explorer 11.By default the user settings of Interne
This policy setting configures the synchronization of user settings for Internet Explorer 8.By default the user settings of Interne
This policy setting configures the synchronization of user settings for Internet Explorer 9.By default the user settings of Interne
This policy setting configures the synchronization of user settings which are common between the versions of Internet Explore
This policy setting configures the backup of certain user settings for Microsoft Lync 2013.Microsoft Lync 2013 has user settings
This policy setting configures the backup of certain user settings for Microsoft Lync 2016.Microsoft Lync 2016 has user settings
This policy setting configures the synchronization of user settings for Microsoft Access 2010.By default the user settings of Mic
This policy setting configures the synchronization of user settings for Microsoft Excel 2010.By default the user settings of Micro
This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft InfoPath 2013.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft Lync 2010.By default the user settings of Micro
This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010
This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center.By default the user
This policy setting configures the synchronization of user settings for Microsoft Office 2016 Upload Center.By default the user
This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013.Microsoft Office 365 sy
This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2016.Microsoft Office 365 sy
This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013.Microsoft Office 365 sync
This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2016.Microsoft Office 365 sync
This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013.Microsoft Office 365 s
This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013.Microsoft Office 365 sync
This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2016.Microsoft Office 365 sync
This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013.Microsoft Office 365
This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2016.Microsoft Office 365
This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013.Microsoft Office 365 s
This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2016.Microsoft Office 365 s
This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013.Microsoft Office 3
This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2016.Microsoft Office 3
This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013.Microsoft Office 365 sy
This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2016.Microsoft Office 365 sy
This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013.Microsoft Office 365
This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2016.Microsoft Office 365
This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013.Microsoft
This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013.Microsoft Office 365 sync
This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2016.Microsoft Office 365 sync
This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013.Microsoft Office 365 syn
This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2016.Microsoft Office 365 syn
This policy setting configures the synchronization of user settings for OneDrive for Business 2013.By default the user settings o
This policy setting configures the synchronization of user settings for OneDrive for Business 2016.By default the user settings o
This policy setting configures the synchronization of user settings for Microsoft OneNote 2010.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft Outlook 2010.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010.By default the user settings o
This policy setting configures the synchronization of user settings for Microsoft Project 2010.By default the user settings of Mic
This policy setting configures the synchronization of user settings for Microsoft Publisher 2010.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010.By default the user s
This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2013.By default the user s
This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010.By default the use
This policy setting configures the synchronization of user settings for Microsoft Visio 2010.By default the user settings of Micro
This policy setting configures the synchronization of user settings for Microsoft Word 2010.By default the user settings of Micr
This policy setting configures the synchronization of user settings of Notepad.By default the user settings of Notepad synchron
This policy setting configures the backup of certain user settings for Microsoft OneNote 2013.Microsoft OneNote 2013 has use
This policy setting configures the backup of certain user settings for Microsoft OneNote 2016.Microsoft OneNote 2016 has use
This policy setting configures the backup of certain user settings for Microsoft Outlook 2013.Microsoft Outlook 2013 has user s
This policy setting configures the backup of certain user settings for Microsoft Outlook 2016.Microsoft Outlook 2016 has user s
This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013.Microsoft PowerPoint 2013 ha
This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2016.Microsoft PowerPoint 2016 ha
This policy setting configures the backup of certain user settings for Microsoft Project 2013.Microsoft Project 2013 has user se
This policy setting configures the backup of certain user settings for Microsoft Project 2016.Microsoft Project 2016 has user se
This policy setting configures the backup of certain user settings for Microsoft Publisher 2013.Microsoft Publisher 2013 has use
This policy setting configures the backup of certain user settings for Microsoft Publisher 2016.Microsoft Publisher 2016 has use
This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013.Microsoft SharePoint
This policy setting configures the backup of certain user settings for Microsoft Visio 2013.Microsoft Visio 2013 has user setting
This policy setting configures the backup of certain user settings for Microsoft Visio 2016.Microsoft Visio 2016 has user setting
This policy setting configures the backup of certain user settings for Microsoft Word 2013.Microsoft Word 2013 has user settin
This policy setting configures the backup of certain user settings for Microsoft Word 2016.Microsoft Word 2016 has user settin
This policy setting configures the synchronization of user settings of WordPad.By default the user settings of WordPad synchro
This policy setting configures the synchronization of user settings for the Finance app.By default the user settings of Finance sy
This policy setting configures the synchronization of user settings for the Games app.By default the user settings of Games syn
This policy setting configures the synchronization of user settings for the Maps app.By default the user settings of Maps sync b
This policy setting configures the synchronization of user settings for the Music app.By default the user settings of Music sync
This policy setting configures the synchronization of user settings for the News app.By default the user settings of News sync b
This policy setting configures the synchronization of user settings for the Reader app.By default the user settings of Reader syn
This policy setting configures the synchronization of user settings for the Sports app.By default the user settings of Sports sync
This policy setting configures the synchronization of user settings for the Travel app.By default the user settings of Travel sync
This policy setting configures the synchronization of user settings for the Video app.By default the user settings of Video sync b
This policy setting configures the synchronization of user settings for the Weather app.By default the user settings of Weather
This setting controls the inclusion of Edge tabs into Alt+Tab.This can be set to show all tabs the most recent 3 or 5 tabs or no t
Make the automatic acceptance of incoming calls persistent.
Disables the Chat feature of NetMeeting.
Disables the directory feature of NetMeeting.Users will not logon to a directory (ILS) server when NetMeeting starts. Users wi
Disables the 2.x whiteboard feature of NetMeeting.The 2.x whiteboard is available for compatibility with older versions of Net
Disables the T.126 whiteboard feature of NetMeeting.
Configures NetMeeting to download settings for users each time it starts.The settings are downloaded from the URL listed in t
Limits the size of files users can send to others in a conference.
Prevents users from adding directory (ILS) servers to the list of those they can use for placing calls.
Prevents users from turning on automatic acceptance of incoming calls.This ensures that others cannot call and connect to Ne
Prevents users from changing the way calls are placed either directly or via a gatekeeper server.
Prevents users from receiving files from others in a conference.
Prevents users from sending files to others in a conference.
Prevents users from viewing directories as Web pages in a browser.
Sets the level of security for both outgoing and incoming NetMeeting calls.
Sets the URL NetMeeting will display when the user chooses the Help Online Support command.
Disables the application sharing feature of NetMeeting completely. Users will not be able to host or view shared applications.
Prevents users from sharing applications in true color. True color sharing uses more bandwidth in a conference.
Prevents users from allowing others in a conference to control what they have shared. This enforces a read-only mode; the ot
Prevents users from sharing the whole desktop. They will still be able to share individual applications.
Prevents users from sharing anything themselves. They will still be able to view shared applications/desktops from others.
Prevents users from sharing command prompts. This prevents users from inadvertently sharing out applications since comma
Prevents users from sharing Explorer windows. This prevents users from inadvertently sharing out applications since Explorer
Disables the audio feature of NetMeeting. Users will not be able to send or receive audio.
Disables full duplex mode audio. Users will not be able to listen to incoming audio while speaking into the microphone. Older
Limits the bandwidth audio and video will consume when in a conference. This setting will guide NetMeeting to choose the ri
Prevents user from changing the DirectSound audio setting. DirectSound provides much better audio quality but older audio h
Prevents users from receiving video. Users will still be able to send video provided they have the hardware."
Prevents users from sending video if they have the hardware. Users will still be able to receive video from others.
Disables the Advanced Calling button on the General Options page. Users will not then be able to change the call placement m
Hides the Audio page of the Tools Options dialog. Users will not then be able to change audio settings.
Hides the General page of the Tools Options dialog. Users will not then be able to change personal identification and bandwid
Hides the Security page of the Tools Options dialog. Users will not then be able to change call security and authentication setti
Hides the Video page of the Tools Options dialog. Users will not then be able to change video settings.
This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within
When logging into a new user account for the first time or after an upgrade in some scenarios that user may be presented wit
This policy setting turns off Windows presentation settings.If you enable this policy setting Windows presentation settings can
If you enable this policy setting when Remote Desktop Connection cannot connect directly to a remote computer (an RD Sessi
Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through a
Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host serve
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files fro
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signe
Controls whether a user can save passwords using Remote Desktop Connection.If you enable this setting the credential saving
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted
If you enable this policy setting administrators can interact with a user's Remote Desktop Services session based on the option
This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Se
This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote co
This policy setting allows you to specify whether the default client printer is the only printer redirected in Remote Desktop Ser
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client pr
This policy setting allows you to specify whether the desktop is always displayed after a client connects to a remote computer
This policy setting allows you to specify whether desktop wallpaper is displayed to clients when they are connected to a remot
Configures Remote Desktop Services to run a specified program automatically upon connection.You can use this setting to spe
This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it.Y
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be i
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active be
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions.You can use this po
This policy setting allows you to specify how long a user's RemoteApp session will remain in a disconnected state after closing
This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL
This policy setting prevents the user from using Internet Explorer as a feed reader. This policy setting has no impact on the Win
This policy setting prevents users from having Internet Explorer automatically discover whether a feed or Web Slice is available
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's compute
This policy setting prevents the user from subscribing to or deleting a feed or a Web Slice.If you enable this policy setting the m
This policy setting controls whether to have background synchronization for feeds and Web Slices.If you enable this policy setti
This policy setting allows users to have their feeds authenticated through the Basic authentication scheme over an unencrypte
Enabling this policy allows you to specify a list of paths to exclude from indexing by default. The user may override these paths
Enabling this policy allows you to specify a list of paths to index by default. The user may override these paths and exclude the
Enabling this policy prevents users from adding UNC locations to the index from the Search and Indexing Options in Control Pa
If enabled Search and Indexing Options in Control Panel does not allow opening the Modify Locations dialog. Otherwise it can
If you enable this policy setting you specify a list of paths to exclude from indexing. The user cannot enter any path that starts
This policy setting prevents search queries from being stored in the registry. If you enable this policy setting search suggestion
Specifies whether Sound Recorder can run.Sound Recorder is a feature of Microsoft Windows Vista that can be used to record
Denies access to the retail catalog in the Microsoft Store but displays the private store.If you enable this setting users will not
Enables or disables the Store offer to update to the latest version of Windows.If you enable this setting the Store application w
Denies or allows access to the Store application.If you enable this setting access to the Store application is denied. Access to th
Prevents start of InkBall game.If you enable this policy the InkBall game will not run.If you disable this policy the InkBall game
Prevents printing to Journal Note Writer.If you enable this policy the Journal Note Writer printer driver will not allow printing t
Prevents the snipping tool from running.If you enable this policy setting the Snipping Tool will not run.If you disable this policy
Prevents start of Windows Journal.If you enable this policy the Windows Journal accessory will not run.If you disable this polic
Disables visual pen action feedback except for press and hold feedback.If you enable this policy all visual pen action feedback
Removes the Back->ESC mapping that normally occurs when menus are visible and for applications that subscribe to this beha
Prevents the user from launching an application from a Tablet PC hardware button.If you enable this policy applications canno
Prevents press and hold actions on hardware buttons so that only one action is available per button.If you enable this policy p
Turns off Tablet PC hardware buttons.If you enable this policy no actions will occur when the buttons are pressed and the butt
Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from prov
Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is availa
Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is availa
Includes rarely used Chinese Kanji and Hanja characters when handwriting is converted to typed text. This policy applies only t
Prevents Input Panel tab from appearing on the edge of the Tablet PC screen.Tablet PC Input Panel is a Tablet PC accessory th
Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is av
Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and W
Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out ge
Makes pen flicks learning mode unavailable.If you enable this policy pen flicks are still available but learning mode is not. Pen
Makes pen flicks and all related features unavailable.If you enable this policy pen flicks and all related features are unavailable
Turns off Tablet PC Pen Training.If you enable this policy setting users cannot open Tablet PC Pen Training.If you disable or do
Turn off Tablet PC touch inputTurns off touch input which allows the user to interact with their computer using their finger.If y
Turn off Panning Turns off touch panning which allows users pan inside windows by touch. On a compatible PC with a touc
This setting removes the "Open advanced properties for this task when I click Finish" checkbox from the last page of the Sched
Prevents users from viewing and changing the properties of an existing task.This setting removes the Properties item from the
Prevents users from starting and stopping tasks manually.This setting removes the Run and End Task items from the context m
Limits newly scheduled to items on the user's Start menu and prevents the user from changing the scheduled program for exis
Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks folder.This setting disabl
Prevents users from creating new tasks.This setting removes the Add Scheduled Task item that starts the New Task Wizard. Al
Prevents users from deleting tasks from the Scheduled Tasks folder.This setting removes the Delete command from the Edit m
Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars publishing
This policy setting affects the ability of users to install or uninstall color profiles.If you enable this policy setting users cannot in
This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen pr
This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about poten
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automa
This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event lo
This policy setting turns off Windows Error Reporting so that reports are not collected or sent to either Microsoft or internal se
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.If you en
This policy setting determines whether Windows Error Reporting (WER) sends additional second-level report data even if a CA
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. B
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amo
This policy setting controls the behavior of the Windows Error Reporting archive.If you enable this policy setting you can config
This policy setting determines the behavior of the Windows Error Reporting report queue.If you enable this policy setting you
This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is
This policy setting determines the default consent behavior of Windows Error Reporting.If you enable this policy setting you ca
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.If you enable this poli
This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings.If y
Use this policy setting to configure Windows Hello for Business to enroll a sign-in certificate used for on-premises authenticati
TBD
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Dire
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.If you ena
This policy setting prevents users from installing any programs from removable media.If you enable this policy setting if a user
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuc
This policy setting specifies the order in which Windows Installer searches for installation files.If you disable or do not configur
This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default a user
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and
This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the
This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet.If you en
This policy setting allows you to prevent media information for music files from being retrieved from the Internet.If you enable
This policy setting allows you to prevent radio station presets from being retrieved from the Internet.If you enable this policy s
This policy setting allows you to specify the HTTP proxy settings for Windows Media Player.If you enable this policy setting sele
This policy setting allows you to specify the MMS proxy settings for Windows Media Player.If you enable this policy setting sele
This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds.If you en
This policy setting allows you to specify the RTSP proxy settings for Windows Media Player.If you enable this policy setting sele
This policy setting allows you to hide the Network tab.If you enable this policy setting the Network tab in Windows Media Play
This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving stre
This policy setting allows a screen saver to interrupt playback.If you enable this policy setting a screen saver is displayed during
This policy setting allows you to prevent Windows Media Player from downloading codecs.If you enable this policy setting the
Prevents the anchor window from being displayed when Windows Media Player is in skin mode.This policy hides the anchor w
This policy setting allows you to hide the Privacy tab in Windows Media Player.If you enable this policy setting the "Update my
This policy setting allows you to hide the Security tab in Windows Media Player.If you enable this policy setting the default sec
This policy setting allows you to set and lock Windows Media Player in skin mode using a specified skin.If you enable this polic
This policy setting allows you to prevent Windows Messenger from running.If you enable this policy setting Windows Messeng
This policy setting prevents Windows Messenger from automatically running at logon. If you enable this policy setting Window
This policy setting turns off Windows Mobility Center.If you enable this policy setting the user is unable to invoke Windows Mo
This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet.If you enable th
This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting pip
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
This policy setting lets you configure the script execution policy controlling which scripts are allowed to run.If you enable this p
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choic
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Wi
This setting allows you to remove access to Windows Update.If you enable this setting all Windows Update features are remov
This policy specifies whether Work Folders should use Token Broker for interactive AD FS authentication instead of its own OA
This policy setting specifies the Work Folders server for affected users as well as whether or not users are allowed to change s
y setting is enabled the Control Panel opens to the icon view.If this policy setting is disabled the Control Panel opens to the category view.I
sonalization from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window as well as
stemSettings.exe the program files for Control Panel and PC settings from starting. As a result users cannot start Control Panel or PC settin
strator to block a given set of pages from the System Settings app. Blocked pages will not be visible in the app and if all pages in a category
displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting
ves the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that h
nnot view or change the attached page.The Add New Programs button lets users install programs published or assigned by a system admin
a result users cannot view or change the associated page.The Add/Remove Windows Components button lets users configure installed se
t users cannot view or change the attached page.The Change or Remove Programs button lets users uninstall repair add or remove featur
ge. This prevents users from using Add or Remove Programs to install programs from removable media.If you disable this setting or do not
prevents users from using Add or Remove Programs to connect to Windows Update.If you disable this setting or do not configure it "Add
ms from your network" section from the Add New Programs page. The "Add programs from your network" section lists published program
result users cannot view or change the associated page.The Set Program Access and Defaults button lets administrators specify default pro
from Control Panel and removes the Add or Remove Programs item from menus.Add or Remove Programs lets users install uninstall repai
ge.Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked th
you enable this setting only the programs in the category you specify are displayed when the "Add New Programs" page opens. Users can u
When users try to start Display a message appears explaining that a setting prevents the action.Also see the "Prohibit access to the Contro
ol Panel to add configure or change the display settings on the computer.
isables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result users cannot change
style file.This can be a local computer visual style (aero.msstyles) or a file located on a remote server using a UNC path (\\Server\Share\ae
ecified screen saver on the user's desktop. Also this setting disables the drop-down list of screen savers in the Screen Saver dialog in the P
etting the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from ch
setting all screen savers are password protected. If you disable this setting password protection cannot be set on any screen saver.This se
dialog in the Display Control Panel on systems where the Personalization feature is not available.This setting prevents users from using Co
a user cannot change the color scheme of the current desktop theme.If you disable or do not configure this setting a user may change the
use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop.
dialog in the Personalization or Display Control Panel to show hide or change the desktop icons.If you enable this setting none of the deskt
ouse Control Panel to add remove or change the mouse pointers.If you enable this setting none of the mouse pointer scheme settings can
is setting prevents users from using Control Panel to add configure or change the screen saver on the computer. It does not prevent a scre
nd Control Panel to add remove or change the system Sound Scheme.If you enable this setting none of the Sound Scheme settings can be
users cannot change or save a theme. Elements of a theme such as the desktop background color sounds and screen saver can still be cha
on their screens.When enabled on Windows XP this setting disables the "Windows and buttons" drop-down list on the Appearance tab in D
eens.If this setting is enabled the "Font size" drop-down list on the Appearance tab in Display Properties is disabled. If you disable or do no
d this idle time can be set from a minimum of 1 second to a maximum of 86400 seconds or 24 hours. If set to zero the screen saver will not
tting to direct users to a Web page from which they can install printers. If you enable this setting and type an Internet or intranet addr
his setting or do not configure it when users choose to add a network printer by selecting the "A network printer or a printer attached to a
rd gives users the option of searching Active Directory for a shared printer. If you enable this policy setting these searches begin at th
puter. By default there are no restrictions to printing based on connection type or printer Make/Model. If you enable this setting
ble Device Control Printing by enabling the "Enable Device Control Printing Restrictions" setting. When Device Control Printing is ena
sers will only be able to point and print to printers that use package-aware drivers. When using package point and print client computers w
print connections to approved servers. This setting only applies to Package Point and Print connections and is completely independent fro
ndows Vista computers. The policy setting applies only to non-Print Administrator clients and only to computers that are members of a dom
tting is enabled it removes the Add Printer option from the Start menu. (To find the Add Printer option click Start click Printers and then clic
ser tries to delete a printer such as by using the Delete option in Printers in Control Panel a message appears explaining that a setting prev
ws will not manage the default printer. If you disable this setting Windows will manage the default printer.If you do not configure this settin
ts users from accessing the "Get Programs" page from the Programs Control Panel in Category View Programs and Features in Classic View
s" task."Installed Updates" allows users to view and uninstall updates currently installed on the computer. The updates are often downloa
ir programs that are currently installed on the computer.If this setting is disabled or not configured "Programs and Features" will be availa
s a result users cannot view or change the associated page.The Set Program Access and Computer Defaults page allows administrators to
rams Control Panel in Category View Programs and Features in Classic View and Get Programs. As a result users cannot view enable or dis
om the Programs Control Panel in Category View Programs and Features in Classic View and Get Programs.Windows Marketplace allows u
nd Features in Classic View. The Programs Control Panel allows users to uninstall change and repair programs enable and disable Windows
nistrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not howeve
egion settings control panel.This policy setting is used only to simplify the Regional Options control panel.If you enable this policy setting t
e Language and Regional Options control panel.This policy setting is used only to simplify the Regional Options control panel.If you enable
s policy setting is used only to simplify the Regional and Language Options control panel.If you enable this policy setting the user does not
demand.â€¯This policy does not restrict switching theâ€¯Windowsâ€¯languageâ€¯if you want to restrict theâ€¯Windowsâ€¯languageâ€¯u
ntrols in the Region settings control panel. If the specified language is not installed on the target computer the language selection defaults
computers with more than one UI language installed.If you enable this policy setting the UI language of Windows menus and dialogs for sy
e user or an application from changing the setting programmatically. The autocorrect misspelled words option controls whether or no
ser or an application from changing the setting programmatically. The highlight misspelled words option controls whether or next spe
wever prevent the user or an application from changing the setting programmatically. The insert a space after selecting a text predictio
he user or an application from changing the setting programmatically. The offer text predictions as I type option controls whether or no
nalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting rec
hared folder.If you disable this setting or do not configure it when you open a document in a remote shared folder the system adds a con
e the desktop but some changes such as the position of open windows or the size and position of the taskbar are not saved when users lo
case Recycle Bin Computer and Network Locations.Removing icons and shortcuts does not prevent the user from using another method to
.This setting does not prevent the user from starting Internet Explorer by using other methods.
does not prevent users from connecting to the network or browsing for shared computers on the network.Note: In operating systems earl
move toolbars from the desktop. Also users cannot drag toolbars on to or off of docked toolbars.Note: If users have added or removed too
toolbars on docked toolbars.This setting does not prevent users from adding or removing toolbars on the desktop.Note: If users have adju
tion of their individual profile folders like Documents Music etc. by typing a new path in the Locations tab of the folder's Properties dialog b
mputer in the Web view of all Explorer windows and it hides Computer in the Explorer folder tree pane. If the user navigates into Comput
from the desktop from File Explorer from programs that use the File Explorer windows and from the standard Open dialog box.This settin
ties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise Alt-En
s icon.If you enable this policy setting the Properties menu command will not be displayed when the user does any of the following:Right-
perties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise Alt-Enter do
he desktop from File Explorer from programs that use the File Explorer windows and from the standard Open dialog box.This setting does n
p wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup W
rth with the mouse. If you enable this policy application windows will not be minimized or restored when the active window is shaken b
ns for applying additional filters to search results.If you enable this setting the filter bar appears when the Active Directory Find dialog box
rectory objects in a browse window.If you enable this setting the Active Directory folder does not appear in the Network Locations folder.I
or search Active Directory. This setting affects all browse displays associated with Active Directory such as those in Local Users and Group
cular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow) but the items are added again
to bitmap (.bmp) files. If users select files with other image formats such as JPEG GIF PNG or HTML through the Browse button on the Desk
specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can b
o enable or disable Active Desktop while a policy controls it.If you disable this setting or do not configure it Active Desktop is disabled by d
ng removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result users cannot
o enable or disable Active Desktop while a policy controls it.If you disable this setting or do not configure it Active Desktop is disabled by d
tton from Web tab in Display in Control Panel. As a result users cannot add Web pages or pictures from the Internet or an intranet to the d
ration.This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting rem
d items to the desktop but close them so they are not displayed.If you enable this setting items added to the desktop cannot be closed; th
e button from the Web tab in Display in Control Panel. As a result users can temporarily remove but not delete Web content from their Ac
tting disables the Properties button on the Web tab in Display in Control Panel. Also it removes the Properties item from the menu for each
are available to all users of the computer.To create an all-user remote access connection on the Connection Availability page in the New Co
te access connection on the Connection Availability page in the New Connection Wizard click the "For all users" option.If you enable this s
and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection
n all-user connection on the Connection Availability page in the New Connection Wizard click the "For all users" option.If you enable this s
Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the conn
setting the Rename option is enabled for all users. Users can rename connections by clicking the icon representing a connection or by usin
s.The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. In Win
hether the Properties menu item is enabled and thus whether the Local Area Connection Properties dialog box is available to users.If you
es of components used by a LAN connection.This setting determines whether the Properties button for components of a LAN connection is
all-user remote access connection.This setting determines whether the Properties button for components used by a private or all-user rem
enabled for administrators.The Advanced Settings item lets users view and change bindings and view and change the order in which the co
tions.If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting) the Make New Connectio
ections folder is enabled.The Remote Access Preferences item lets users create and change connections before logon and configure autom
access connection. This setting has no effect on nonadministrators.If you enable this setting (and enable the "Enable Network Connections
ctions.Private connections are those that are available only to one user. To create a private connection on the Connection Availability pag
s setting (and enable the "Enable Network Connections settings for Administrators" setting) double-clicking the icon has no effect and the
ble the "Enable Network Connections settings for Administrators" setting) users (including administrators) cannot delete any remote acces
ns.If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting) the check boxes for enablin
are those that are available only to one user. To create a private connection on the Connection Availability page in the New Connection W
able the "Enable Network Connections settings for Administrators" setting) the Advanced button on the Internet Protocol (TCP/IP) Properti
e from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection
configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an automatic priv
he server hosting the files.This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents
ts in the Application log in Event Viewer when it detects errors. By default Offline Files records an event only when the offline files storage
balloons appear when the user's connection to a network file is lost or reconnected and they are updated periodically. By default the first r
This setting overrides the default response a user-specified response and the response specified in the "Action on server disconnect" setti
As a result users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also they cannot use
oves the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and dis
w often reminder balloons updates appear and also prevent users from changing this setting.Reminder balloons appear when the user's co
user's connection to a network file is lost or reconnected and they are updated periodically. By default the first reminder for an event is d
le this policy setting users cannot designate files to be saved on their computer for offline use. However Windows will still cache local copi
Make Available Offline" command.If you enable this policy setting the "Make Available Offline" command is not available for the files and fo
ally changing whether Offline Files is in online mode or offline mode.If you enable this policy setting the "Work offline" command is not dis
s that the specified files and folders are available offline to users of the computer.If you enable this policy setting the files you enter are al
he "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option wh
he "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option whi
setting offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only tha
s appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are
y setting the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks including "Set u
rvices (AD DS).If you enable or do not configure this policy setting users can use the "Publish in Active Directory" option to publish DFS roo
in Services (AD DS).If you enable or do not configure this policy setting users can use the "Publish in Active Directory" option in the Shared
DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program.
rt menu.Adds the "Log Off <username>" item to the Start menu and prevents users from removing it.If you enable this setting the Log Off
e start menu search box. This button launches the default browser with the search terms.If you disable this policy there will not be a "Sear
figure this setting the Run command is not visible on the Start menu by default but it can be added from the Taskbar and Start menu prop
nu will set the power button to the chosen action and not let the user change this action.If you set the button to either Sleep or Hibernate
rtcuts to recently used document files when the user logs off. As a result the Recent Items menu on the Start menu is always empty when
user.If you disable or do not configure this policy the start menu recent programs list will be pre-populated with programs for each new u
Tiles in the start view will always show their default content when the user logs on. In addition any cached versions of these notifications w
you enable this policy then invocations of context menus within the Start Menu will be ignored.
policy setting system and application notifications will render as balloons instead of toast notifications. Enable this policy setting if a speci
sers cannot pin files folders websites or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing ite
tting users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar these program
y setting users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar it will be removed from the Taskb
you enable this policy setting users are not able to show taskbars on more than one display. The multiple display section is not enabled in
asks custom toolbars the notification area and the system clock. Toolbars include Quick Launch Address Links Desktop and other custom to
ons.The Start Menu and Taskbar display Jump Lists off of programs. These menus include files folders websites and other relevant items fo
ently opened documents.If you enable this setting the system and Windows programs do not create shortcuts to documents opened while
or do not configure this policy the start menu will search for communications unless the user chooses not to in the start menu control pa
o not configure this policy setting the Start menu will search for files unless the user chooses not to do so directly in Control Panel. If you e
you disable or do not configure this policy the start menu will search for for internet history or favorites unless the user chooses not to in t
anel items.If you disable or do not configure this policy setting the Start menu search box will search for programs and Control Panel items
to resolve a shortcut.If you enable this policy setting the system does not conduct the final drive search. It just displays a message explaini
u enable this policy setting the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search
essional allows users to begin common tasks while the new Start menu consolidates common items onto one menu. When the classic Star
will be unable to change the size of Start in Settings. If you disable or donâ€™t configure this policy setting Windows will automatically sele
ou enable this policy setting users will always go to the desktop when they sign in.If you disable this policy setting users will always go to t
for users to distinguish between programs that are fully installed and those that are only partially installed.Partially installed programs inc
tion: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system cloc
olicy setting desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would con
not access the taskbar control panel. The user is also unable to resize move or rearrange toolbars on their taskbar.If you disable or do not
ludes the Start button list of currently running tasks and the notification area. By default the taskbar is located at the bottom of the screen
his policy setting The user will be prevented from opening the Taskbar Properties dialog box.If the user right-clicks the taskbar and then cli
consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full.If you enable this setting i
olicy setting the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either.If you di
this setting you will prevent a user from selecting an app resizing a tile pinning/unpinning a tile or a secondary tile entering the customize
If you enable this policy setting users are not able to drag their taskbar to another area of the monitor(s).If you disable or do not configure
tting users are not able to drag or drop toolbars to the taskbar.If you disable or do not configure this policy setting users are able to rearran
tting users are not be able to resize their taskbar.If you disable or do not configure this policy setting users are able to resize their taskbar un
onfigure it users can access the uninstall command from Start
ons.If you enable this policy the Start Menu will no longer display the "Recently added" list. The corresponding setting will also be disabled
his policy setting the menus that appear when you right-click the taskbar and items on the taskbar are hidden such as the Start button the
t menu.Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to o
Windows Security screen: Shut Down Restart Sleep and Hibernate. This policy setting does not prevent users from running Windows-base
tem on the Start menu or in the notification area the system displays pop-up text providing additional information about the object.If you
clock will not be displayed in the system notification area.If you disable or do not configure this setting the default behavior of the clock a
ograms menu contains items from the All Users profile and items from the user's profile. If you enable this setting only items in the user's
e this policy setting the Default Programs link is removed from the Start menu.Clicking the Default Programs link from the Start menu open
.If you enable this policy setting the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only re
policy setting the Start Menu does not show a link to the Downloads folder.If you disable or do not configure this policy setting the Downlo
e this setting the Display Favorites item does not appear in the Advanced Start menu options box.If you disable or do not configure this setti
sable this setting or do not configure it the frequently used programs list remains on the simple Start menu.
not configure this policy the start menu will show a link to the Games folder unless the user chooses to remove it in the start menu contro
policy setting the Help command is removed from the Start menu.If you disable or do not configure this policy setting the Help command is
egroup item from the Start Menu options. As a result users cannot add the homegroup link to the Start Menu. If you disable or do not c
y setting users are prevented from connecting to the Windows Update Web site.Enabling this policy setting blocks user access to the Wind
revents users from restoring it.If you enable this policy setting the Log Off <username> item does not appear in the Start menu. This policy
tting the Music icon is no longer available from Start Menu.If you disable or do not configure this policy setting the Music icon is available f
s policy setting users are prevented from running Network Connections.Enabling this policy setting prevents the Network Connections fold
setting the Network icon is no longer available from Start Menu.If you disable or do not configure this policy setting the Network icon is av
.The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. If this
etting the Pictures icon is no longer available from Start Menu.If you disable or do not configure this policy setting the Pictures icon is avai
setting pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar.If you disable or do n
in programs to the Start menu. In Windows XP and Windows Vista the Internet and email checkboxes are removed from the 'Customize S
the Control Panel Printers and Network and Connection folders are removed from Settings on the Start menu and from Computer and File
ssic Start menu.The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that u
policy setting the Start Menu does not show a link to the Recorded TV library.If you disable or do not configure this policy setting the Rec
f you enable this setting the following changes occur:(1) The Run command is removed from the Start menu.(2) The New Task (Run) comm
in the start menu search box.If you disable or do not configure this policy the "See all results" link will be shown when the user performs a
Explorer search elements. Note that this does not remove the search box from the new style Start menu.If you enable this policy setting t
en the user performs a search in the start menu search box.If you disable or do not configure this policy a "See more results" link will be sh
C cannot be undocked.If you disable this setting or do not configure it the "Undock PC" button remains on the simple Start menu and you
le this policy setting the battery meter is not displayed in the system notification area.If you disable or do not configure this policy setting t
ble this policy setting the Meet Now icon is not displayed in the system notification area.If you disable or do not configure this policy settin
able this policy setting the networking icon is not displayed in the system notification area.If you disable or do not configure this policy setti
ence.If you enable this policy the people icon will be removed from the taskbar the corresponding settings toggle is removed from the tas
ou enable this policy setting the Security and Maintenance icon is not displayed in the system notification area.If you disable or do not con
enable this policy setting the volume control icon is not displayed in the system notification area.If you disable or do not configure this po
e or do not configure this policy the start menu will display a link unless the user chooses to remove it in the start menu control panel.
d Windows Server 2003.If you enable this policy setting the user name label is removed from the Start Menu in Windows XP and Windows
are hidden.This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start me
y setting the Start Menu does not show a link to the Videos library.If you disable or do not configure this policy setting the Videos link is av
n the user searches from the Apps view.This policy setting is only applied when the Apps view is set as the default view for Start.If you ena
If you enable this setting users can access the "Run as different user" command from Start for applications which support this functionality
additional calendar. For zh-CN and zh-SG locales an additional calendar shows the lunar month and date and holiday names in Simplified
used apps regardless of user settings.Selecting "Show" will force the "Most used" list to be shown and user cannot change to hide it using
is policy setting the QuickLaunch bar will be visible and cannot be turned off.If you disable this policy setting the QuickLaunch bar will be h
the Windows logo key. This setting only applies to users who are using multiple displays.If you enable this policy setting the Start screen w
nable this policy setting the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps vie
etting users will see Windows Store apps on the taskbar. If you disable this policy setting users wonâ€™t see Windows Store apps on the ta
s them from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the Export-StartL
otification balloons are shown to the user.If you disable or do not configure this policy setting notification balloons are shown to the user.
ou enable this policy setting newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to
is policy setting certain notification balloons that are marked as feature advertisements are not shown.If you disable do not configure this
in the task bar generally at the bottom of the screen and it includes the clock and current notifications. This setting determines whether t
he top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend th
bar thumbnails are not displayed and the system uses standard text for the tooltips.If you disable or do not configure this policy setting th
es not track the programs that the user runs and does not display frequently used programs in the Start Menu.If you disable or do not con
s to begin each day. If you enable this policy setting the specified time will be used and users will not be able to customize any Quiet H
s to end each day. If you enable this policy setting the specified time will be used and users will not be able to customize any Quiet Ho
etting voice and video calls will be blocked during the designated Quiet Hours time window each day and users will not be able to customi
tions from applications and system will not be mirrored to your other devices. If you disable or do not configure this policy setting noti
ast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window e
and system features will not be able to update their tiles and tile badges in the Start screen. If you disable or do not configure this pol
tting applications will not be able to raise toast notifications. Note that this policy does not affect taskbar notification balloons. N
tting applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting to
y the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly consult
iliar Windows interface but you can use this setting to specify an alternate interface. If you enable this setting the system starts the interfa
me the user logs on.If you enable this policy setting the welcome screen is hidden from the user logging on to a computer where this polic
icy setting users cannot run programs that you add to the list of disallowed applications.If you disable this policy setting or do not configur
el (COM) components that a program requires.Many Windows programs such as the MMC snap-ins use the interfaces provided by the COM
o start Regedit.exe a message appears explaining that a policy setting prevents the action.If you disable this policy setting or do not config
cy setting also determines whether batch files (.cmd and .bat) can run on the computer.If you enable this policy setting and the user tries
ou enable this policy setting you can prevent specified programs from being run from Help. When you enable this policy setting enter the fi
policy setting users can only run programs that you add to the list of allowed applications.If you disable this policy setting or do not configu
net Windows searches for updates available for the software and hardware on their computer and automatically downloads them. This ha
this policy setting the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.Howeve
e system cannot be used. Only the user who locked the system or the system administrator can unlock it.If you enable this policy setting u
you enable this policy setting users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging o
start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers includi
ender properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen w
tally signed.This setting establishes the least secure response permitted on the systems of users in the group. Users can use System in Con
e is found.By default Windows searches the following places for drivers: local installation floppy drives CD-ROM drives Windows Update.U
device drivers using the Internet.Note: This setting only has effect if "Turn off Windows Update device driver searching" in "Administrativ
ents Desktop Favorites Music Pictures Videos Start Menu and AppData\Roaming are available offline by default.If you enable this policy se
ne by default.For the folders affected by this setting users must manually select the files they wish to make available offline.If you disable
n to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location.If you enable this policy se
policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want t
d names for the All Programs Startup My Music My Pictures and My Videos subfolders when redirecting the parent Start Menu and legacy
f you enable this setting you can which domain controller is used according to these options:"Use the Primary Domain Controller" indicate
he rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the
ble this setting you can create all new Group Policy object links in the disabled state by default. After you configure and test the new objec
fault interactively logged on users can view their own Resultant Set of Policy (RSoP) data.If you enable this policy setting interactive users
Policy administration (.adm) file can contain both true settings and preferences. True settings which are fully supported by Group Policy m
ng allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools inc
(in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder.In additio
ou open the Group Policy Object Editor. Administrators might want to use this if they are concerned about the amount of space used on th
re Internet resources.If you enable this setting all of the the policy settings listed in the "Internet Communication settings" section are set
with an unhandled file type or protocol association.When a user opens a file type or protocol that is not associated with any applications o
P.To set up HTTP printing non-inbox drivers need to be downloaded over HTTP.Note: This policy setting does not prevent the client from p
nition personalization tool tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing sam
ng tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Micro
ram. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can impr
icy setting ratings controls are not added to Help content.If you disable or do not configure this policy setting ratings controls are added to
hing and online ordering wizards.These wizards allow users to select from a list of companies that provide services such as online storage
pen a file with an unhandled file association.When a user opens a file that has an extension that is not associated with any applications on
allows a client to print to printers on the intranet as well as the Internet.Note: This policy setting affects the client side of Internet printing
Windows folders.The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online.If you enabl
e Web" and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders.The Web Publishing Wiza
w Windows Messenger software and service is used.With the Customer Experience Improvement program users can allow Microsoft to co
p and Support. Windows Online provides the most up-to-date Help content for Windows.If you enable this policy setting users are preven
le this policy setting users cannot change their GeoID.If you disable or do not configure this policy setting users may select any GeoID.If yo
The user is restricted to the set of locales that are installed with the operating system.This does not affect the selection of replacement loc
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides first reset the user(s) values to t
y it locks all user locales to their current values. This policy setting does not change existing user locale settings; however the next time a u
rams and documents that the system starts automatically when it runs on Windows Vista Windows XP Professional and Windows 2000 Pr
rograms and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to t
hen a user logs on to the system.If you enable this policy setting you can specify which programs can run at the time the user logs on to th
. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name inc
resuming from a hibernate or suspend state.If you enable this policy setting the client computer is locked and prompted for a password w
idual removable storage policy settings. To manage individual classes use the policy settings available for each class.If you enable this poli
policy setting read access is denied to this removable storage class.If you disable or do not configure this policy setting read access is allow
policy setting write access is denied to this removable storage class.If you disable or do not configure this policy setting write access is allo
etting read access is denied to these removable storage classes.If you disable or do not configure this policy setting read access is allowed
setting write access is denied to these removable storage classes.If you disable or do not configure this policy setting write access is allowe
ppy Drives.If you enable this policy setting read access is denied to this removable storage class.If you disable or do not configure this poli
oppy Drives.If you enable this policy setting write access is denied to this removable storage class.If you disable or do not configure this po
is denied to this removable storage class.If you disable or do not configure this policy setting read access is allowed to this removable sto
ss is denied to this removable storage class.If you disable or do not configure this policy setting write access is allowed to this removable st
boot in order to enforce a change in access rights to removable storage devices.If you enable this policy setting you can set the number of
olicy setting read access is denied to this removable storage class.If you disable or do not configure this policy setting read access is allowe
olicy setting write access is denied to this removable storage class.If you disable or do not configure this policy setting write access is allow
hones auxiliary displays and CE devices.If you enable this policy setting read access is denied to this removable storage class.If you disable
phones auxiliary displays and CE devices.If you enable this policy setting write access is denied to this removable storage class.If you disabl
of instructions that run when the user logs off. By default the system does not display the instructions in the logoff script.If you enable this
f instructions that run when the user logs on. By default the system does not display the instructions in logon scripts.If you enable this pol
on scripts are batch files of instructions that run when the user logs on. By default Windows 2000 displays the instructions in logon scripts
e Explorer interface program and creates the desktop.If you enable this policy setting File Explorer does not start until the logon scripts ha
owerShell scripts during user logon and logoff. By default Windows PowerShell scripts run after non-Windows PowerShell scripts. If you en
variables to those used in Windows NT 4.0 and earlier. Along with %HOMEDRIVE% these variables define the home directory of a user pro
t these folders do not need to be stored by the network server on which the profile resides and do not follow users to other computers.No
when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles.If you disable this policy setting o
and logoff via Offline Files. This policy setting is meant to be used in conjunction with Folder Redirection to help resolve issues with applic
tting the wizard will not run.If you disable this policy setting or set it to Not Configured the wizard will run.
ktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps there is a risk that a Windows Store
sktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps there is a risk that a URI schem
nfigure the Program Compatibility Assistant use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Adm
k level for file attachments you may also need to configure the trust logic for file attachments.High Risk: If the attachment is in the list of h
about their zone of origin (such as restricted Internet intranet local). This requires NTFS in order to function correctly and will fail without
rom saved file attachments by clicking the Unblock button in the file's property sheet or by using a check box in the security warning dialo
e list of high-risk file types and is from the restricted zone Windows blocks the user from accessing the file. If the file is from the Internet z
of low-risk file types Windows will not prompt the user before accessing the file regardless of the file's zone information. This inclusion lis
the list of moderate-risk file types and is from the restricted or Internet zone Windows prompts the user before accessing the file. This incl
multiple programs are registered they will all be notified. If the registered antivirus program already performs on-access checks or scans fil
attachments.Preferring the file handler instructs Windows to use the file handler data over the file type data. For example trust notepad.e
s policy setting AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting A
hen a device is connected. If you enable this policy setting AutoPlay prompts the user to choose what to do when a device is connecte
nerally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista when media c
drive as soon as you insert media in the drive. As a result the setup file of programs and the music on audio media start immediately.
Calculator app. If you disable this policy setting graphing functionality will not be accessible in the Windows Calculator app. If you enable o
etting "Windows spotlight" will be set as the lock screen provider and users will not be able to modify their lock screen. "Windows spotligh
t menu or Windows tips will no longer suggest apps and content from third-party software publishers. Users may still see suggestions and
ces to the user.If you enable this policy setting Windows will not use diagnostic data from this device (this data may include browser app a
etting Windows spotlight on lock screen Windows tips Microsoft consumer features and other related features will be turned off. You shou
ure helps onboard users to Windows for instance launching Microsoft Edge with a web page highlighting new features.If you enable this po
you disable or do not configure this policy Microsoft may display notifications in Action Center that will suggest apps or features to help u
u disable or do not configure this policy Microsoft may suggest apps or features in Settings app to help users be productive on Windows o
try user experiences.If you enable this policy setting the password reveal button will not be displayed after a user types a password in the p
s policy setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data co
e deployed as compressed files either digitally signed or unsigned.If you enable this setting gadgets that have not been digitally signed wil
rmation or utilities on the desktop.If you enable this setting desktop gadgets will be turned off.If you disable or do not configure this setti
enable this setting Windows will not run any user-installed gadgets.If you disable or do not configure this setting Windows will run user-in
user to view items on the Windows desktop as they are being flipped through in three dimensions. If you enable this policy setting Flip 3D
ng minimizing and maximizing windows. If you enable this policy setting window animations are turned off. If you disable or do not configu
y setting you prevent users from changing the default window frame color. If you disable or do not configure this policy setting you allow u
or. If you enable this policy setting and specify a default color this color is used in glass window frames if the user does not specify a color
with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the use
y screen edge.If you enable or do not configure this policy setting users will be able to invoke system UI by swiping in from the screen edge
until the user has successfully completed the scenarios.If this setting is enabled Windows will not show any help tips to the user.
n the mouse is pointing to the upper-left corner of the screen.If you enable this policy setting the user will no longer be able to switch to r
PowerShell in the menu they see when they right-click the lower-left corner or press the Windows logo key + X.If you enable this policy setti
en the mouse is pointing to the upper-right corner of the screen.If you enable this policy setting Search Share Start Devices and Settings w
g option in the PC settings app will be disabled as well.If you disable or do not configure this policy setting users will be allowed to switch b
st frequently. If you enable this policy setting apps will be sorted alphabetically in: - search results - the Search and Share panes -
e this setting Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not im
to the IPropertySetStorage implementation and to include the intermediate layers provided by the Property System. This behavior is cons
nown folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy
o the Recycle Bin.If you enable this setting a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user
u bar is not displayed in File Explorer.If you enable this policy setting the menu bar will be displayed in File Explorer.If you disable or do not
on the ribbon in File Explorer.Folder Options allows users to change the way files and folders open what appears in the navigation pane an
y setting the Welcome Center is not displayed at user logon. The user can access the Welcome Center using the Control Panel or Start men
. Using this setting you can change this behavior.If you enable this setting files and folders that are deleted using File Explorer will not be p
es the "Install Program As Other User" dialog box for local and network installations. This dialog box which prompts the current user for th
ot find the target on the user's system.Shortcut files typically include an absolute path to the original target file as well as the relative path
s you to remove the icons representing selected hard drives from My Computer and File Explorer. Also the drive letters representing the s
ou right-click File Explorer or My Computer.The Manage item opens Computer Management (Compmgmt.msc) a console tool that include
machines reside.If you enable this policy setting administrators can specify a path where all default Library definition files for users reside.
his setting the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation.If you disable or do no
Recent Items menu on the Start menu.The Recent Items menu contains shortcuts to the nonprogram files the user has most recently ope
f network resources in File Explorer and Network Locations.If you enable this policy setting the system removes the "Computers Near Me"
rces in File Explorer and Network Locations.If you enable this setting the system removes the Entire Network option and the icons represen
he bottom of search results in File Explorer and the Start menu links. The "Search again" links at the bottom of the Search Results view allo
" links and the Start menu links. The "Search again" links at the bottom of the Search Results view allow the user to reconduct a search bu
e this setting users can browse the directory structure of the selected drives in My Computer or File Explorer but they cannot open folder
ers to the root of their Users Files folder in File Explorer.If you enable this policy setting users will no longer be able to add new items such
you enable this setting the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools
modify re-writable CDs if you have a CD writer connected to your PC.If you enable this policy setting all features in the File Explorer that al
ng the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser such as
t-click an item.If you enable this setting menus do not appear when you right-click the desktop or when you right-click the items in File Ex
m using other methods to perform tasks available on the File menu.
ds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives including hard d
ble this policy setting the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs tha
dialog box for all file system objects including folders files shortcuts and drives will not be able to access the Security tab. As a result users w
Windows client is in a workgroup a Shared Documents icon appears in the File Explorer Web view under "Other Places" and also under "File
s a search in the Explorer window.If you disable this policy there will be an "Internet" "Search again" link when the user performs a search
ol Panel.When this Display Properties option is selected the underlining that indicates a keyboard shortcut character (hot key) does not app
erating system for the movement of windows menus and lists.If you enable this policy setting the "Use transition effects for menus and to
s the "Install Program As Other User" dialog box even when a program is being installed from files on a network computer across a local a
ile Explorer windows are opened. If you enable this policy setting you can set how the ribbon appears the first time users open File Explor
ng thumbnail views are not cached.If you disable or do not configure this policy setting thumbnail views are cached.Note: For shared corpo
ve usability for users with some visual disabilities as well as improving performance and battery life in some scenarios.
being stored in the registry for future references.File Explorer shows suggestion pop-ups as users type into the Search Box. These sugges
her than in numerical order.If you enable this policy setting File Explorer will sort file names by each digit in a file name (for example 111 <
ve. When using the full functionality of this protocol applications can open folders and launch files. The protected mode reduces the functi
ure File Explorer to cache thumbnails of items residing in network folders in hidden thumbs.db files.If you enable this policy setting File Ex
this policy setting File Explorer will not display snippets in Content view mode.If you disable or do not configure this policy setting File Expl
etwork folders.File Explorer displays thumbnail images on network folders by default.If you enable this policy setting File Explorer displays
he local computer.File Explorer displays thumbnail images by default. If you enable this policy setting File Explorer displays only icons and n
mon shell features. For example pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Exp
a to function properly. If you enable this policy some Windows Libraries features will be turned off to better handle included folders that h
or.If you enable this setting users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a r
in Microsoft Windows 2000 Professional so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects
move new features added in Windows 2000 Professional so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These
o not configure it the "File name" field includes a drop-down list of recently used files. If you enable this setting the "File name" field is a si
is setting you can specify from 1 to 5 items to be displayed in the Places Bar.The valid items you may display in the Places Bar are:1) Shortc
orer is hidden and cannot be turned on by the user.If you disable or do not configure this setting the Preview Pane is hidden by default an
d configure it to hide the pane the Details Pane in File Explorer is hidden and cannot be turned on by the user.If you enable this policy setti
ous versions could come from the on-disk restore points or from backup media.If you enable this policy setting users cannot list or restore
ous versions come from the on-disk restore points on the file share.If you enable this policy setting users cannot list or restore previous ver
version is located on backup media. Previous versions can come from the on-disk restore points or the backup media.If you enable this po
n the user has selected a previous version of a local file.If you enable this policy setting the Restore button is disabled when the user select
n the user has selected a previous version of a local file in which the previous version is stored on a backup.If you enable this policy setting
ser has selected a previous version of a file on a file share.If you enable this policy setting the Restore button is disabled when the user sele
entifier (EID) but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that
ng user can control IME version to use. The new Microsoft IME is on by default.â€‹If you enable this user is not allowed to control IME ver
n Publishing Standard Glyph for the word exists.If you enable this policy setting Non-Publishing Standard Glyph is not included in the cand
r.If you enable this policy setting then only the character code ranges specified by this policy setting are used for conversion of IME. You c
cy setting you cannot add edit and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dic
ng history-based predictive input is turned off.If you disable or do not configure this policy setting history-based predictive input is on by d
using Search Provider (Japanese Microsoft IME) and performing bing search from predictive input for Japanese Microsoft IME.If you enab
Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary.For Japanese Microsoft IME an Open Extended Di
setting the auto-tuning data is not saved to file.If you disable or do not configure this policy setting auto-tuning data is saved to file by def
ut suggestions that don't exist in a PC's local dictionary.If you enable this policy setting the functionality associated with this feature is turn
ut suggestions that don't exist in a PC's local dictionary.If you enable this policy setting the functionality associated with this feature is turn
on to local PC.If you enable this policy setting the functionality associated with this feature is turned on hot and popular words lexicon can
nline.If you enable this policy setting the functionality associated with this feature is turned on the user's keyboard input is sent to Microso
u enable this policy setting misconversion logging is turned on.If you disable or do not configure this policy setting misconversion logging is
e specified menu name and URL will be used for Internet searches.If you disable or not configure this setting the default Internet search pr
rch providers. Normally search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from
e.If you enable this policy "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explor
ipt handlers to display UI during shutdown. This policy setting may be needed to fix compatibility problems with particular web application
Address bar. To provide enhanced suggestions the user's keystrokes are sent to Microsoft through Microsoft services.If you enable this po
ed in the Internet Explorer 9 browser. Any add-ons that were activated in a previous version of Internet Explorer are considered to be the
he Media Explorer Bar plays music and video content from the Internet.If you disable the Media explorer bar users cannot display the Med
achments that can potentially contain a virus.If you check the block attachments setting users will be unable to open or save attachments
f preference). Use this policy if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the c
ervers in the HTTP User Agent header.If you enable this policy setting Internet Explorer sends the specified custom string in the version por
this setting the user is not suggested matches when filling forms. The user cannot change it.If you disable this setting the user is suggested
y settings from being stored in the users' cache.If you enable this policy automatic proxy scripts will not be stored temporarily on the users
bility" window on the General Tab in the Internet Options dialog box appear dimmed.If you disable this policy or do not configure it users c
enable this policy users are prevented from changing advanced Internet settings such as security multimedia and printing. Users cannot s
et and customize Internet Explorer. This setting specifies that Internet explorer use the configuration settings provided in a file by the syste
ble this policy the Calendar and Contact combo boxes appear dimmed in the Internet Programs area. To display these options users open t
the identity of software publishers.If you enable this policy the settings in the Certificates area on the Content tab in the Internet Options d
s for Web pages appear dimmed. The settings are located in the Colors area in the dialog box that appears when the user clicks the Genera
nnections tab in the Internet Options dialog box appears dimmed.If you disable this policy or do not configure it users can change their setti
nable this policy the Internet Explorer Should Check to See Whether It Is the Default Browser check box on the Programs tab in the Interne
font settings for viewing Web pages. All font settings visible after pressing the "Fonts" button on the General Tab in the Internet Options d
age that Internet Explorer loads whenever it is run.If you enable this policy setting a user cannot set a custom default home page. You mu
able to set language preferences to read websites. Language preference settings visible after pressing the "Languages" button on the Gen
ttings for links appear dimmed. The settings are located in the Links area of the dialog box that appears when users click the General tab an
E-mail Newsgroups and Internet Call options in the Internet Programs area appear dimmed. To display these options users open the Inter
n appears dimmed in the Personal Information area on the Content tab in the Internet Options dialog box.If you disable this policy or do n
ed.If you enable this policy the settings in the Content Advisor area on the Content tab in the Internet Options dialog box appear dimmed
m the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.If you enable this policy
ace to use for the Temporary Internet Files folder.If you enable this policy the browser cache settings appear dimmed. These settings are f
ress logos and title bars by another party.If you enable this policy it prevents customization of the browser by another party such as an Int
ngs from another browser import settings from a file or export settings to a file. Importing settings from another browser allows the user
on on the Connections tab in the Internet Options dialog box appears dimmed.Users will also be prevented from running the wizard by cli
policy it:- Prevents Internet Explorer 11 from launching as a standalone browser.- Restricts Internet Explorer's usage to Microsoft Edge's n
e Reset Web Settings button on the Programs tab in the Internet Options dialog box appears dimmed.If you disable this policy or do not c
nable this policy error messages will be displayed when the browser does not download or run a script to set proxy settings.If you disable t
ough Add-On Manager.If you enable this policy setting users cannot enable or disable add-ons through Add-On Manager.If you disable or
h as "Ctrl+S" to have "Save as" functionality.If you enable this policy extended hotkey functionality is enabled in Internet Explorer mode an
u bar and the Command bar. Starting with Windows 8 this policy only applies to Internet Explorer on the desktop.The navigation bar inclu
es users to create multiple accounts such as e-mail accounts on the same computer. Each user has a unique identity with a different passw
the â€˜Send all sites not included in the Enterprise Mode Site List to Microsoft Edgeâ€™ (â€˜RestrictIEâ€™) policy isnâ€™t enabled this po
mpatibility issues. Optionally this policy also lets you specify where to get reports (through post messages) about the websites for which use
f the Internet Explorer Site discovery Toolkit(SDTK). When enabled the feature will collect data from sites that are part of the domains con
of the Internet Explorer Site discovery Toolkit(SDTK). When enabled the feature will collect data from sites that are part of the zones config
default web browser.If you enable this policy setting users will be notified if Internet Explorer is not the default web browser. Users canno
ws regardless of the Internet Explorer process's Pop-Up Blocker settings.If you enable this policy setting you can enter a list of sites which
ns for a variety of features including browsing web pages searching the web by using a selection of search tools accessing and managing fa
ttings Check.If you enable this policy setting the user cannot use the "Fix settings" functionality.If you disable or do not configure this polic
y setting the following occur: â€¢ The Help menu on the menu bar is not functional. â€¢ Help is removed from the Command bar. â€¢
tScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter
tScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.If you enab
are as follows: High: Block all pop-ups. Medium: Block most automatic pop-ups. Low: Allow pop-ups from secure sites.If you enable t
er will not be able to configure proxy settings.If you disable or do not configure this policy setting the user can configure proxy settings.
and the toolbar Search box.If you enable this policy setting the user cannot change the default search provider.If you disable or do not con
cks links from other applications.If you enable this policy setting the user cannot configure how windows open in Internet Explorer when h
f you enable this policy setting the user cannot configure how new tabs are created by default. You must specify whether tabs should ope
x is available it includes all installed search providers and a link to search settings.If you enable this policy setting the Search box does not
his policy setting the user cannot add websites to or remove websites from the exception list.If you disable or do not configure this policy
website being visited is known for fraudulent attempts to gather personal information through "phishing" or is known to host malware.If y
visited is known for fraudulent attempts to gather personal information through "phishing."If you enable this policy setting the user is not
ogram (CEIP).If you enable this policy setting the user cannot participate in the CEIP and the Customer Feedback Options command does n
u enable this policy setting ActiveX controls cannot be installed on a per-user basis.If you disable or do not configure this policy setting Acti
starts the browser after installing Internet Explorer or Windows.If you enable this policy setting you must make one of the following choice
et Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Intern
e search functionality of the F3 key is disabled. Users cannot press F3 to search the Internet (from Internet Explorer) or to search the hard
hat appears in the Search bar to help users search the Internet.If you enable this policy users cannot change their Search Assistant settings
Microsoft Edge. If you use this setting you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use t
here are two algorithms that Internet Explorer uses.The default algorithm has four settings: low medium high or default. Low creates very
stating that a site has been opened using Microsoft Edge with Enterprise Mode.If you enable this setting employees see an additional pag
ble this policy setting you can choose which page to display when the user opens a new tab: blank page (about:blank) the first home page
etting ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of Activ
owed such as the taskbar the desktop or File Explorer.If you enable this policy setting users cannot pin sites.If you disable or do not config
s from loading any ActiveX control without prior approval. If a website attempts to load an ActiveX control that Internet Explorer has not u
o load all the user's enabled add-ons exceeds the threshold. The notification informs the user that add-ons are slowing his or her browsing
sh Recovery does not prompt the user to recover his or her data after a program stops responding.If you disable or do not configure this p
m requesting location data about the user.If you enable this policy setting browser geolocation support is turned off.If you disable this poli
n tabbed browsing in Internet Explorer.If you enable this policy setting the user cannot configure pop-up windows in tabbed browsing. Yo
enable this policy setting a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier nam
xplorer.If you enable this policy setting the Favorites bar is turned off.If you disable this policy setting the Favorites bar is turned on.If you
ite being visited is known for fraudulent attempts to gather personal information through "phishing" or is known to host malware.If you e
you enable this policy setting applications that host MSHTML do not respond to user input that causes the content to be re-rendered at a
u enable this policy setting the Control Panel information relating to pop-up management will be unavailable (grayed out) and all other po
le this policy setting the entry points to Quick Tabs are removed from the Internet Explorer user interface.If you disable or do not configur
sion feature in Internet Explorer.If you enable this policy setting the user cannot use the Reopen Last Browsing Session feature.If you disab
ble this policy setting the user cannot view suggestions for user-installed search providers.If you disable or do not configure this policy setti
plorer.If you enable this policy setting Tab Grouping is turned off.If you disable this policy setting Tab Grouping is turned on.If you do not c
Explorer user interface. Starting with Windows 8 this policy only applies to Internet Explorer on the desktop.If you enable this policy settin
e browser address bar.If you enable this policy setting user will not be suggested matches when entering Web addresses. The user cannot
he Search box.If you enable this policy setting when a user clicks in the Search box the quick pick menu does not appear until the user start
ty settings to determine when the settings put Internet Explorer at risk.If you enable this policy setting the feature is turned off.If you disa
ls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.If you enable this policy
compatibility information is displayed in the Windows Event Viewer.If you enable this policy setting the user can log information that is blo
) in Internet Explorer.If you enable this policy setting the menu bar appears in Internet Explorer by default and the user cannot turn it off.
discovery Toolkit(SDTK). When enabled the feature will write data collected to a WMI class which can then be aggregated using a client ma
iscovery Toolkit(SDTK). When enabled the feature will write data collected to an XML file at a location specified when setting this policy. W
serâ€™s browsing activity. Suggested Sites reports a userâ€™s browsing history to Microsoft to suggest sites that the user might want to v
enable this setting the user cannot change "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete f
ection uses a DHCP (Dynamic Host Configuration Protocol) or DNS server to customize the browser the first time it is started.If you enable
se Mode IE instead of Standard mode because of compatibility issues. Users can't edit this list.If you enable this policy setting Internet Exp
ed Accelerators are added to the user's browser. The user can append other Accelerators to this list but the user cannot remove or change
ecified Accelerators are added to the user's browser. The user can append other Accelerators to this list but the user cannot remove or ch
through Group Policy.If you enable this policy setting the user can access only Accelerators that are deployed through Group Policy. The us
licy setting users cannot access Accelerators.If you disable or do not configure this policy setting users can access Accelerators and install
r playing sounds videos and other media.If you enable this policy this control can be run in security zones in which you specify that admin
ved.This control enables enhanced pricing functionality on the Carpoint Web site where users can shop for and obtain information about v
uld look in the browser. There are two versions of the control: a more powerful version that cannot be invoked by a web site because it inc
ntrols enable users to view updated lists of stocks on their Web pages.If you enable this policy these controls can be run in security zones i
administrator-approved.If you enable this policy these controls can be run in security zones in which you specify that administrator-approv
of software services that supports the presentation of software agents as interactive personalities within the Microsoft Windows interface
b authors to build text-based and graphical-based Chat communities for real-time conversations on the Web.If you enable this policy this
ntrol which is used to render HTML pages.If you enable this policy this control can be run in security zones in which you specify that admin
his control can be run in security zones in which you specify that administrator-approved controls can be run.If you disable this policy or d
wsing of news reports on the MSNBC Web site.If you enable this policy these controls can be run in security zones in which you specify tha
olicy this control can be run in security zones in which you specify that administrator-approved controls can be run.If you disable this policy
ol can be run in security zones in which you specify that administrator-approved controls can be run.If you disable this policy or do not co
e computer attempts to perform a Clipboard operation (delete copy or paste).If you enable this policy setting the user is not prompted wh
rer process attempts to perform a Clipboard operation (delete copy or paste) and the URL action for the zone is set to prompt.If you enab
hout prompting the user.Note: Do not enter the Internet Explorer processes in this list. To enable or disable Internet Explorer processes us
users cannot point to a link click the right mouse button and then click the Open in New Window command.If you disable this policy or do
e hard disk.If you enable this policy users cannot save a program to disk by clicking the Save This Program to Disk command while attempti
e Close command on the File menu will appear dimmed.If you disable this policy or do not configure it users are not prevented from closin
rs cannot open a new browser window by clicking the File menu pointing to the New menu and then clicking Window. The user interface i
e this policy the Open dialog box will not appear when users click the Open command on the File menu. If users click the Open command t
luding the graphics scripts linked files and other elements. It does not prevent users from saving the text of a Web page.If you enable this
k share.If you enable this policy the Save As command on the File menu will be removed.If you disable this policy or do not configure it use
icy the For Netscape Users command is removed from the Help menu.If you disable this policy or do not configure it users can display con
Help menu.If you enable this policy the Send Feedback command is removed from the Help menu.If you disable this policy or do not confi
f you enable this policy the Tip of the Day command is removed from the Help menu.If you disable this policy or do not configure it users
ou enable this policy the Tour command is removed from the Help menu.If you disable this policy or do not configure it users can run the t
a way to store popular links for future use.If you enable this policy the Favorites menu is removed from the interface and the Favorites bu
net Explorer.If you enable this policy users cannot change their Internet options such as default home page cache size and connection and
ndows 8 this policy setting also allows you to manage whether users can access the Print flyout for Internet Explorer and any printers unde
hile using Internet Explorer. Starting with Windows 8 this policy setting only applies to Internet Explorer on the desktop.If you enable this
sing a menu option.If you enable this policy setting a menu option wonâ€™t be available in Internet Explorer settings or in the tools menu
.If you enable this policy the Full Screen command on the View menu will appear dimmed and pressing F11 will not display the browser in
View menu.If you enable this policy the Source command on the View menu will appear dimmed.If you disable this policy or do not confi
s are available on Windows Update.If you enable this policy setting the Microsoft-provided website lists are used during browser navigatio
ay problems that he or she may encounter while browsing.If you enable this policy setting the user cannot use the Compatibility View butt
utton allows the user to fix website display problems that he or she may encounter while browsing.If you enable this policy setting the use
ermines how Internet Explorer identifies itself to a web server and determines whether content is rendered in Internet Explorer 7 Standar
defined as any webpage that belongs to the local intranet security zone.If you enable this policy setting Internet Explorer uses the current
tibility View.If you enable this policy setting the user can add and remove sites from the list but the user cannot remove the entries that yo
s whether content is rendered in Quirks Mode or the Standards Mode available in the latest version of Internet Explorer.If you enable this
oses. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files cookies history form da
List. To access the Temporary Internet Files and History Settings dialog box from the Menu bar on the Tools menu click Internet Options cli
more information on browsing history Group Policy settings see "Group Policies Settings in Internet Explorer 10" in the TechNet technical
eX Filtering and Tracking Protection data which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tr
owsing History dialog box.If you enable this policy setting cookies are preserved when the user clicks Delete.If you disable this policy setting
ble in the Delete Browsing History dialog box.If you enable this policy setting download history is preserved when the user clicks Delete.If y
Delete Browsing History dialog box.If you enable this policy setting favorites site data is preserved when the user clicks Delete.If you disab
Browsing History dialog box.If you enable this policy setting form data is preserved when the user clicks Delete.If you disable this policy setti
InPrivate Filtering data during browser sessions other than InPrivate Browsing sessions to determine which third-party items should be bl
owsing History dialog box.If you enable this policy setting passwords are preserved when the user clicks Delete.If you disable this policy setti
in the Delete Browsing History dialog box.If you enable this policy setting temporary Internet files are preserved when the user clicks Dele
This feature is available in the Delete Browsing History dialog box.If you enable this policy setting websites that the user has visited are pr
net browsing history available by clicking Tools Internet Options and then Delete Browsing History in Internet Explorer.If you enable this p
olicy users are prevented from seeing and changing advanced Internet settings such as security multimedia and printing.If you disable this
s policy users are prevented from seeing and changing connection and proxy settings.If you disable this policy or do not configure it users
toComplete Wallet and Profile Assistant settings.If you disable this policy or do not configure it users can see and change these settings.
icy users are unable to see and change settings for the home page the cache history Web page appearance and accessibility.If you disable
cy users are prevented from seeing and changing default settings for privacy.If you disable this policy or do not configure it users can see a
olicy users are prevented from seeing and changing default settings for Internet programs.If you disable this policy or do not configure it u
icy it prevents users from seeing and changing settings for security zones such as scripting downloads and user authentication.If you disab
SL/TLS) certificate errors that interrupt browsing (such as "expired" "revoked" or "name mismatch" errors) in Internet Explorer.If you enab
s to internationalized domain name (IDN) format (Punycode) before sending them to Domain Name System (DNS) servers or to proxy serve
on Format (UTF-8) for mailto links.If you enable this policy setting Internet Explorer encodes mailto links in UTF-8.If you disable or do not c
ctive content on a CD to run.If you enable this policy setting active content on a CD will run without a prompt.If you disable this policy setti
ram files (non-Internet Explorer components) that are registered with Internet Explorer (such as Macromedia and Java) that are required i
components (such as fonts) that can installed by Internet Explorer Active Setup. For example if you open a Web page that requires Japan
equests help optimize the latency of network requests through compression multiplexing and prioritization.If you enable this policy setting
works with HTTP requests to optimize the latency of network requests through compression multiplexing and prioritization.If you enable
ads can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered
as browser helper objects such as toolbars. Browser helper objects may contain flaws such as buffer overruns which impact Internet Explo
er.If you enable this policy setting Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests. The DNT:1 header signals to
rsions. When Internet Explorer is set to do this the checks occur approximately every 30 days and users are prompted to install new versio
ervers' certificates. Certificates are revoked when they have been compromised or are no longer valid and this option protects users from s
ch identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloadi
cted Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website a
nternet Explorer Settings allows the user to reset all settings changed since installation delete browsing history and disable add-ons that ar
ontain secure (HTTPS) information such as passwords and credit card numbers to the Internet Explorer cache which may be insecure.If you
porary Internet Files folder after all browser windows are closed. This protects against storing dangerous files on the computer or storing s
und in Web content. Generally only animated GIF files are affected by this setting; active Web content such as java applets are not.If you e
ntent. Generally only sound files such as MIDI files are affected by this setting; active Web content such as java applets are not.If you enab
content. Generally only embedded video files are affected by this setting; active Web content such as java applets are not.If you enable th
nology that enhances the readability of text on LCD displays.If you enable this policy setting applications that host MSHTML do not render
2 Secure Sockets Layer (SSL) 2.0 or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browse
n the background speeding up performance such that when the user clicks a hyperlink the background page seamlessly switches into view
ormation.If you enable this policy setting Profile Assistant information will not be provided and users will not be prompted to provide info
(UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.If you enable this policy setting you must speci
e next pre-loaded page of a website.Microsoft collects your browsing history to improve how flip ahead with page prediction works. This fe
ty) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.Important: So
e to a webpage by using the keyboard to move the cursor. Caret Browsing supports standard text-editor functionality such as using the Sh
processes on 64-bit versions of Windows. For computers running at least Windows 8 Enhanced Protected Mode also limits the locations I
policy setting Internet Explorer uses HTTP 1.1.If you disable this policy setting Internet Explorer does not use HTTP 1.1.If you do not config
nnections.If you enable this policy setting Internet Explorer uses HTTP 1.1 through proxy connections.If you disable this policy setting Intern
og box.If you enable this policy setting Internet Explorer displays the Content Advisor setting on the Content tab of the Internet Options di
d. By default Internet Explorer displays the home page. In Internet Explorer 10 Internet Explorer can start a new browsing session with the
f you enable this policy setting websites will be able to store application caches on client computers. Allow website database and caches o
.If you enable this policy setting websites will be able to store an indexed database on client computers. Allow website database and cach
o exceed their storage limit. The â€œSet default storage limits for websitesâ€ policy setting sets the data storage limits for application ca
ed. If the application cache is used before the expiration time limit it will not be automatically removed. When you set this policy setting yo
websites. When you set this policy setting you provide the cache limit in MB.If you enable this policy setting Internet Explorer displays a n
to exceed their storage limit. The â€œSet default storage limits for websitesâ€ policy setting sets the data storage limits for indexed dat
The manifest file is used to create the application cache. If any file in the manifest exceeds the allowed size Internet Explorer sends an erro
file associated with an application cache. If the manifest associated with an application cache exceeds the number of resources allowed in
u set this policy setting you provide the storage limit in MB. When the limit is reached Internet Explorer notifies the user and the user must
ou set this policy setting you provide the storage limit in MB. When the limit is reached Internet Explorer notifies the user and the user mu
cted security level for example Low Medium Low Medium or High.If you enable this template policy setting and select a security level all v
e are forced into the local Intranet security zone.If you enable this policy setting local sites which are not explicitly mapped into a zone are
urity zone.If you enable this policy setting all network paths are mapped into the Intranet Zone.If you disable this policy setting network pa
tranet security zone.If you enable this policy setting sites which bypass the proxy server are mapped into the Intranet Zone.If you disable
curity zone. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security
gs to a domain.If you enable this policy setting automatic detection of the intranet is turned on and intranet mapping rules are applied aut
is policy setting is turned on the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different
nd the intranet mapping rules have not been configured. The Notification bar allows the user to enable intranet mappings if they require t
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting users can load a page i
in the Intranet Zone can run active content such as script ActiveX Java and Binary Behaviors. The list of restricted protocols may be set in
le this policy setting script code on pages in the zone can run automatically. If you select Prompt in the drop-down box users are queried t
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting binary and script behaviors
mple cut copy and paste) in a specified region.If you enable this policy setting a script can perform a clipboard operation.If you select Prom
source within the zone.If you enable this policy setting users can drag files or copy and paste files from this zone automatically. If you selec
option is determined by the zone of the page with the link causing the download not the zone from which the file is delivered.If you enable
u enable this policy setting HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the dr
ne. The settings for this option are: If you enable this policy setting users can install desktop items from this zone automatically.If you selec
re browser-hosted ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms devices and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting the user is prompted before ActiveX con
bsites.If you enable this policy setting the TDC ActiveX control will not run from websites in this zone.If you disable this policy setting the TD
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
t.If you enable this policy setting script access to the WebBrowser control is allowed.If you disable this policy setting script access to the W
ws that include the title and status bars.If you enable this policy setting Windows Restrictions security will not apply in this zone. The securi
setting the user can run scriptlets.If you disable this policy setting the user cannot run scriptlets.If you do not configure this policy setting
e zone.If you enable this policy setting script is allowed to update the status bar.If you disable or do not configure this policy setting script
one in Internet Explorer.If you selected Enable in the drop-down box VBScript can run without user intervention.If you selected Prompt in
d zones. Video and animation playback through the object tag may still be allowed because this involves external controls or media player
status bar or Address bar.If you enable this policy setting websites can open new Internet Explorer windows that have no status bar or Ad
his policy setting scripted windows are displayed.If you disable this policy setting the user must choose to display any scripted windows by
ations.If you enable this policy setting users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If y
Regardless of this setting users will receive file download dialogs for user-initiated downloads.If you enable this setting users will receive a
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting Internet Explorer does not prompt users with a "Client Authentica
X controls to check if they're safe to load on pages.If you enable this policy setting Internet Explorer won't check with your antimalware pro
a page in the zone.If you enable this policy users can download signed controls without user intervention. If you select Prompt in the drop
om the zone. Such code is potentially harmful especially when coming from an untrusted zone.If you enable this policy setting users can ru
main when the source and destination are in different windows.If you enable this policy setting and click Enable users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable users can drag content from
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this policy
a file via an HTML form. If the local path information is sent some information may be unintentionally revealed to the server. For instance
y setting ActiveX controls are run loaded with parameters and scripted without setting object safety for untrusted data or scripts. This setti
g you can choose options from the drop-down box. Custom to control permissions settings individually.Low Safety enables applets to perfo
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting users can run applications and downl
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the C
ons across different domains.If you enable this policy setting users can open windows and frames from othe domains and access applicatio
enable this policy setting you can control whether or not Internet Explorer renders legacy filters by selecting Enable or Disable under Optio
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting controls and plug-ins can run without user intervention.If you selected Prompt in t
teract with a script.If you enable this policy setting script interaction can occur automatically without user intervention.If you select Promp
ou enable this policy setting scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box u
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer for example).If y
ng you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail so
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
he user encounters a new control that has not previously run in Internet Explorer he or she may be prompted to approve the control. This
site script injections into websites in this zone.If you enable this policy setting the XSS Filter is turned on for sites in this zone and the XSS F
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting SmartSc
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting most unwanted pop-up windows are p
avorites in an XML store or directly within a Web page saved to disk. When a user returns to a persisted page the state of the page can be
cted Sites can navigate into this zone.If you enable this policy setting Web sites from less privileged zones can open new windows in or na
net sites can navigate into this zone.If you enable this policy setting Web sites from less privileged zones can open new windows in or navig
ons across different domains.If you enable this policy setting users can open additional windows and frames from other domains and acce
in the Trusted Sites Zone can run active content such as script ActiveX Java and Binary Behaviors. The list of restricted protocols may be s
ons across different domains.If you enable this policy setting users can open additional windows and frames from other domains and acce
enable this policy setting Internet Explorer opens tiles only on the desktop.If you disable this policy setting Internet Explorer does not open
orer decide always in Internet Explorer or always in Internet Explorer on the desktop.If you enable this policy setting Internet Explorer enfo
f you enable this policy setting Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar if it is available.If
at opens Microsoft Edge.If you enable this policy setting the button to open Microsoft Edge from Internet Explorer will be hidden.If you dis
cy setting a user cannot choose when to underline links. You must specify when to underline links: â€¢ Always â€¢ Never â€¢ Hover (
provide a detailed description with hints about how to correct the problem. If you clear this check box the user sees only the error code an
ut of the page you are leaving and fades into the page to which you are going.If you enable this policy setting page transitions will be turne
hich can be used to invoke the default phone application on the system.If you enable this policy setting phone number detection is turned
d.If you enable this policy setting smooth scrolling is turned off. The user cannot turn on smooth scrolling.If you disable this policy setting
use script debuggers to test programs and scripts on their webpages. You can use the script debugger to browse edit and debug .htm and
ecause of problems with its scripting. This feature is off by default but it is useful to developers when they are testing webpages.If you ena
et Connection Wizard was not completed this policy setting starts the wizard automatically.If you enable this policy setting the Internet Co
nd that require additional software.If you enable this policy setting Internet Explorer plays these files if the appropriate software is installe
downloading. This allows items on the page to be positioned where they will appear when the images are completely downloaded. This op
hat they fit in the browser window.If you enable this policy setting automatic image resizing is turned off. The user cannot change this setti
mes pages that contain several graphical images are displayed very slowly. If you want to display pages more quickly you can turn off ima
ar less jagged when displayed.If you enable this policy setting smart image dithering is turned off. The user cannot turn it on.If you disable
e user prints a webpage. Including background colors and images might reduce the speed at which a page is printed and the quality of the
this policy setting you must specify which of the following actions applies to searches on the Address bar. The user cannot change the spe
en search is enabled on the Address bar. The possible options are: â€¢ Disable top result search: When a user performs a search in the A
ss after the branding is complete for Internet service providers (ISPs) through the Internet Explorer Administration Kit (IEAK).If you enable
s suggestions for what you type by automatically completing the command inline with the closest match. By default this functionality is tu
he address bar based on common URLs. The list of common URLs is stored locally and is updated once a month. No user data is sent over t
e Internet Explorer Address bar.Windows Search AutoComplete suggests possible matches when a user is entering a web address in the b
The AutoComplete feature provides suggestions for what the user types by automatically completing the address or command with the clo
nable this policy setting the user cannot choose the default text size in Internet Explorer. You must specify the default text size: â€¢ Large
enable this policy setting the user cannot specify the background color in Internet Explorer. You must specify the background color (for ex
this policy setting the user cannot specify the text color in Internet Explorer. You must specify the text color (for example: 192192192).If y
u enable this policy setting Windows colors are turned off. The user cannot turn them on.If you disable this policy setting Windows colors
ready clicked. Appropriate color choices can make links easier to see for some users especially those who use high-contrast color schemes
ot yet clicked. Appropriate color choices can make links easier to see for some users especially those who use high-contrast color schemes.
mouse pointer pauses on them.If you enable this policy setting the user cannot specify the hover color. You must specify the hover color (
able this policy setting the hover color option is turned on. The user cannot turn it off.If you disable this policy setting the hover color opti
that defines characters so they are readable in any language. By using UTF-8 you can exchange Internet addresses (URLs) that contain cha
automatically on your computer according to a schedule specified by the channel provider.If you enable this policy the Add Active Channel
make Web pages available for offline viewing they can view the content when their computer is not connected to the Internet.If you enab
ages available for offline viewing they can view content when their computer is not connected to the Internet.If you enable this policy the
ly updated on their computer according to a schedule specified by the channel provider.If you enable this policy the Channel bar interface
make Web pages available for offline viewing they can view content when their computer is not connected to the Internet.If you enable t
ups of Web pages that users have subscribed to.A subscription group is a favorite Web page plus the Web pages it links to.If you enable th
en users make Web pages available for offline viewing they can view content when their computer is not connected to the Internet.If you
by users who are working offline.If you enable this policy it disables any channel logging settings set by channel providers in the channel d
Web sites that are automatically updated on your computer according to a schedule specified by the channel provider.If you enable this po
viewing.When users make Web pages available for offline viewing they can view content when their computer is not connected to the Int
n set limits to the size and number of pages that users can download. If users attempt to exceed the number of subscriptions a prompt will
he Internet security zone.If you enable this policy you can specify the persistence storage amount per domain or per document for this sec
he Local Intranet security zone.If you enable this policy you can specify the persistence storage amount per domain or per document for th
he Local Computer security zone.If you enable this policy you can specify the persistence storage amount per domain or per document for
he Restricted Sites security zone.If you enable this policy you can specify the persistence storage amount per domain or per document for
he Trusted Sites security zone.If you enable this policy you can specify the persistence storage amount per domain or per document for th
hreshold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this valu
threshold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this va
are loaded by default during an InPrivate Browsing session.Toolbars and BHOs may store data about a user's browsing session. By default
atic mode.The data consists of the URLs of third-party content along with data about the first-party websites that referenced it. It is collect
Internet Explorer from storing data about a user's browsing session. This includes cookies temporary Internet files history and other data.
ether third parties can automatically collect information about their browsing based on the sites that they visit. InPrivate Filtering does thi
whether third parties can automatically collect information about their browsing based on the sites that they visit. Tracking Protection doe
sers for a password. The reveal password button is displayed during password entry. When the user clicks the button the current password
pers to encapsulate images and .css files within the body of the URL and optionally encode them by using base 64 encoding. Malware filter
er. Add-ons in this case are controls like ActiveX Controls Toolbars and Browser Helper Objects (BHOs) which are specifically written to ext
rences (as reflected by Add-on Manager) or policy settings. By default any process other than the Internet Explorer processes or those list
List' policy setting are denied. Add-ons in this case are controls like ActiveX Controls Toolbars and Browser Helper Objects (BHOs) which ar
user preferences (as entered into Add-on Manager) or policy settings. By default only Internet Explorer processes use the add-on managem
specific outdated ActiveX controls in Internet Explorer.If you enable this policy setting users won't see the "Run this time" button on the w
sionList.XML. IE uses this file to determine whether an ActiveX control should be stopped from loading.If you enable this setting IE stops d
Outdated ActiveX controls are never blocked in the Intranet Zone.If you enable this policy setting Internet Explorer stops blocking outdated
ng outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.If you enable this policy setting you can en
f you enable this policy setting Internet Explorer logs ActiveX control information (including the source URI that loaded the control and wh
s policy setting the user can run natively implemented scriptable XMLHTTP.If you disable this policy setting the user cannot run natively im
s per host to a limit of your choice (from 2 through 128).If you enable this policy setting Internet Explorer uses the connection limit of your
s per host to a limit of your choice (from 2 through 128).If you disable or do not configure this policy setting Internet Explorer will use the d
default limit is 6; you can select a value from 2 through 128.If you enable this policy setting Internet Explorer uses the WebSocket connecti
mains embedded in the page.If you enable this policy setting documents cannot request data across third-party domains embedded in the
he WebSocket protocol. This policy setting allows administrators to enable or disable the WebSocket object. This policy setting does not p
the XDomainRequest object. Note that this policy setting does not block client-side communication across domains through other feature
a list of admin-approved behaviors. This list may be configured here and applies to all processes which have opted in to the behavior and
nality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setti
d other binaries signed with MD2 and MD4 signing technologies. Internet Explorer 9 does not support MD2 and MD4 signing technologies
g procedures for files received through a Web server.This policy setting determines whether Internet Explorer requires that all file-type inf
e location of the Web page (Internet Intranet Local Machine zone etc.). Web pages on the local computer have the fewest security restricti
e location of the Web page (Internet Intranet Local Machine zone etc.). Web pages on the local computer have the fewest security restricti
e location of the Web page (Internet Intranet Local Machine zone and so on). Web pages on the local computer have the fewest security re
file of one type to a more dangerous file type.If you enable this policy setting the Mime Sniffing Safety Feature is enabled for all processes.
file of one type to a more dangerous file type.If you enable this policy setting MIME sniffing will never promote a file of one type to a more
file of one type to a more dangerous file type.This policy setting allows administrators to define applications for which they want this secur
K protocol. Resources hosted on the MK protocol will fail.If you enable this policy setting the MK Protocol is disabled for all processes. Any
K protocol. Resources hosted on the MK protocol will fail.If you enable this policy setting the MK Protocol is prevented for File Explorer and
K protocol. Resources hosted on the MK protocol will fail.This policy setting allows administrators to define applications for which they wan
s from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is preve
estricted protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted
s from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is preve
tive content obtained through restricted protocols from running in an unsafe manner either by prompting the user or simply disabling the
er than the Internet Explorer processes when file or code installs are restricted. By default the Notification bar is not displayed for any proc
rer processes when file or code installs are restricted. By default the Notification bar is displayed for Internet Explorer processes.If you ena
ses when file or code installs are restricted. By default the Notification bar is not displayed for any process when file or code installs are re
thin the same domain or to a new domain.If you enable this policy setting object reference is no longer accessible when navigating within
thin the same domain or to a new domain.If you enable this policy setting an object reference is no longer accessible when navigating with
thin the same domain or to a new domain.This policy setting allows administrators to define applications for which they want this security
n the location of the Web page (Internet Intranet Local Machine zone and so on). For example Web pages on the local computer have the
n the location of the Web page (Internet Intranet Local Machine zone etc.). Web pages on the local computer have the fewest security res
n the location of the Web page (Internet Intranet Local Machine zone and so on). Web pages on the local computer have the fewest secur
ting of ActiveX control installation.If you enable this policy setting the Web Browser Control will block automatic prompting of ActiveX cont
esses.If you enable this policy setting prompting for ActiveX control installations will be blocked for Internet Explorer processes.If you disa
ting of ActiveX control installation.If you enable this policy setting and enter a Value of 1 automatic prompting of ActiveX control installatio
ting of file downloads that are not user initiated.If you enable this policy setting the Web Browser Control will block automatic prompting o
e this policy setting file download prompts that are not user initiated will be blocked for Internet Explorer processes.If you disable this poli
ting of file downloads that are not user initiated.If you enable this policy setting and enter a Value of 1 automatic prompting of non-initiate
ypes. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title a
ou enable this policy you can specify whether or not each button will be displayed by selecting or clearing the check boxes for each button.
text labels show selective text or show only icons.If you enable this policy setting command buttons are displayed according to which one
Explorer standard toolbars. The buttons appearing on the toolbar can be customized by the "Customize" option. This is present under the T
e Explorer.If you enable this policy the list of toolbars which users can display by clicking the View menu and then pointing to the Toolbars
bs are displayed on a separate row.If you disable this policy setting tabs are not displayed on a separate row.If you do not configure this p
Command bar is hidden and the user cannot choose to show it.If you disable this policy setting the Command bar is shown and the user ca
us bar is hidden and the user cannot choose to show it.If you disable this policy setting the status bar is shown and the user cannot choose
olicy setting the toolbars are locked and the user cannot move them.If you disable this policy setting the toolbars are unlocked and the us
ttons.If you enable this policy setting the Stop and Refresh buttons are next to the Forward and Back buttons and the user cannot move th
plorer.If you enable this policy setting the user cannot access Developer Tools.If you disable or do not configure this policy setting the user
nes whether incompatible toolbars or Browser Helper Objects are installed when Internet Explorer starts. If the tool detects an incompatib
y setting icons for command buttons are 20 x 20 pixels and cannot be made smaller (16 x 16 pixels).If you disable this policy setting icons f
etting the location feature is turned off and all programs on this computer are prevented from using location information from the locatio
g scripts for the location feature will not run. If you disable or do not configure this policy setting all location scripts will run.
tting the sensor feature is turned off and all programs on this computer cannot use the sensor feature. If you disable or do not configu
Management Console (MMC) in author mode explicitly opening console files in author mode and opening any console files that open in aut
If you enable this setting all snap-ins are prohibited except those that you explicitly permit. Use this setting if you plan to prohibit use of m
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If yo
ble the setting the snap-in is prohibited.If this setting is not configured the setting of the "Restrict users to the explicitly permitted list of sn
ap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you
d Computers and Active Directory Sites and Services snap-ins.If you enable this setting the Group Policy tab is displayed in the property she
ce item types). When prohibited no Application preference item types appear when you attempt to create a new Application preference it
en a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable this
erence extensions listed in the Group Policy Management Editor window of the GPMC under Computer Configuration\Preferences\Contro
erence extensions listed in the Group Policy Management Editor window of the GPMC under User Configuration\Preferences\Control Pan
hen a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable th
preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable this poli
hen a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable thi
eference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable this policy s
When a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable t
. When a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable
ension. When a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you
. When a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enabl
When a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable
When a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable t
Preferences tab does not appear when you view a preference extension in the Group Policy Management Editor window of the GPMC. Th
preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable this pol
. When a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enabl
When a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable
a preference extension is prohibited it does not appear in the Group Policy Management Editor window of the GPMC.If you enable this po
c settings between usersâ€™ computers. With Sync Method set to â€SyncProviderâ€ the UE-V Agent uses a built-in sync provider to kee
ttings for Windows apps.By default the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storage
ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize
when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file siz
f you enable this policy setting the user settings are stored in the specified location. If you disable or do not configure this policy setting th
ttings over metered connections.By default the UE-V Agent does not synchronize settings over a metered connection.With this setting enab
ttings over metered connections outside of the home provider network for example when connected via a roaming connection.By default t
ser settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. If you enable thi
Windows settings will synchronize between computers by default. These settings include Windows themes Windows desktop settings Ease
s to Windows 10 or earlier.
formation for computers running in a non-persistent pooled VDI environment. UE-V settings rollback data and checkpoints are normally s
ft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the bac
ft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the bac
ettings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization
crosoft Office Suite 2013 applications.Microsoft Office Suite 2013 has user settings which are common between applications and are back
crosoft Office Suite 2016 applications.Microsoft Office Suite 2016 has user settings which are common between applications and are back
Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
oft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the
the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet Ex
the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet Ex
he user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Exp
he user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Exp
ersions of Internet Explorer.By default the user settings which are common between the versions of Internet Explorer synchronize betwee
ync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup
ync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup
ult the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Micro
t the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft
ault the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of M
ault the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of M
the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft
Microsoft Office Suite 2010 applications.By default the user settings which are common between the Microsoft Office Suite 2010 applicatio
enter.By default the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to preve
enter.By default the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to preve
13.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 ar
16.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 ar
Microsoft Office Suite 2013 applications.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization c
Microsoft Office Suite 2016 applications.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization c
3.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are
013.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365
013.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 a
nt 2013.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 3
nt 2016.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 3
t Designer 2013.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft
default the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user setting
default the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user setting
fault the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of M
ault the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Mic
default the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user setting
ult the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Micr
fault the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of M
2010.By default the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to preven
2013.By default the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to preven
ce 2010.By default the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to pr
the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft
t the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microso
ttings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization bet
oft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress th
oft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress th
oft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the b
oft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the b
rosoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppre
rosoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppre
ft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the ba
ft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the ba
soft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress th
soft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress th
013.Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy
Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup
Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup
Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
ttings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization b
user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing betwe
user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between
er settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between com
ser settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between co
er settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between com
user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between
ser settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between c
ser settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between co
ser settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between com
e user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing bet
recent 3 or 5 tabs or no tabs from Edge.If this is set to show "Open windows only" the whole feature will be disabled.
etMeeting starts. Users will also not be able to view or place calls via a NetMeeting directory.This policy is for deployers who have their ow
with older versions of NetMeeting only.Deployers who do not need it can save bandwidth by disabling it.
ed from the URL listed in the "Configuration URL:" text box.Group Policy based settings have precedence over any conflicting settings set b
not call and connect to NetMeeting when the user is not present.This policy is recommended when deploying NetMeeting to run always.
view shared applications.
conference.
s a read-only mode; the other participants cannot change the data in the shared application.
/desktops from others.

applications since command prompts can be used to launch other applications.
applications since Explorer windows can be used to launch other applications.
to the microphone. Older audio hardware does not perform well when in full duplex mode.
tMeeting to choose the right formats and send rate so that the bandwidth is limited.
o quality but older audio hardware may not support it.
o from others.
hange the call placement method and the servers used.
dentification and bandwidth settings.

ty and authentication settings.
owed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator can
ser may be presented with a screen or series of screens that prompts the user to choose privacy settings for their account. Enable this pol
presentation settings cannot be invoked.If you disable this policy setting Windows presentation settings can be invoked. The presentation
ote computer (an RD Session Host server or a computer with Remote Desktop enabled) the clients will attempt to connect to the remote c
sion Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting.
an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default when you
rdp) files and .rdp files from unknown publishers on the client computer.If you enable or do not configure this policy setting users can run
from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client such as
tting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. W
nts that represent trusted Remote Desktop Protocol (.rdp) file publishers.If you enable this policy setting any certificate with an SHA1 thum
ession based on the option selected. Select the desired level of control and permission from the options list:1. No remote control allowed:
to the Remote Desktop Services session.If you enable this policy setting clients that are capable of time zone redirection send their time z
tion) between a remote computer and a client computer during a Remote Desktop Services session.You can use this setting to prevent use
ed in Remote Desktop Services sessions.If you enable this policy setting only the default client printer is redirected in Remote Desktop Ser
d first to install all client printers. If you enable or do not configure this policy setting the RD Session Host server first tries to use the Remo
cts to a remote computer or whether an initial program can run. It can require that the desktop be displayed after a client connects to a re
are connected to a remote server using RDP. You can use this setting to enforce the removal of wallpaper during a Remote Desktop Servi
can use this setting to specify a program to run automatically when a user logs on to a remote computer.By default Remote Desktop Serv
stead of disconnecting it.You can use this setting to direct Remote Desktop Services to end a session (that is the user is logged off and the
p Services session can be idle (without user input) before it is automatically disconnected.If you enable this policy setting you must select
es session can be active before it is automatically disconnected.If you enable this policy setting you must select the desired time limit in th
ssions.You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By
nected state after closing all RemoteApp programs before the session is logged off from the RD Session Host server.By default if a user clo
he default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are
g has no impact on the Windows RSS Platform.If you enable this policy setting the user cannot access the feed list in the Favorites Center.I
ed or Web Slice is available for an associated webpage.If you enable this policy setting the user does not receive a notification on the toolb
eed to the user's computer.If you enable this policy setting the user cannot set the Feed Sync Engine to download an enclosure through th
ble this policy setting the menu command to subscribe to a feed and the menu command to delete a feed are disabled and access to Web
you enable this policy setting the ability to synchronize feeds and Web Slices in the background is turned off.If you disable or do not config
cheme over an unencrypted HTTP connection.If you enable this policy setting the Windows RSS Platform authenticates feeds to servers by
r may override these paths and include them in indexing. On a per-user basis this policy setting will work only if a protocol handler referen
ese paths and exclude them from indexing. On a per-user basis this policy setting will work only if a protocol handler referencing a SID-bas
exing Options in Control Panel. Any UNC locations that have already been added to the index by the user will not be removed.When this p
s dialog. Otherwise it can be opened. Disabled by default.
enter any path that starts with one of the paths you specified. On a per-user basis this policy setting will work only if a protocol handler re
setting search suggestions based on previous searches won't appear in the search pane. Search suggestions provided by apps or by Windo
that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file.If you enabl
this setting users will not be able to view the retail catalog in the Microsoft Store but they will be able to view apps in the private store.If y
tting the Store application will not offer updates to the latest version of Windows.If you disable or do not configure this setting the Store ap
tion is denied. Access to the Store is required for installing app updates.If you disable or don't configure this setting access to the Store ap
is policy the InkBall game will run.If you do not configure this policy the InkBall game will run.
ver will not allow printing to it. It will remain displayed in the list of available printers but attempts to print to it will fail.If you disable this p
n.If you disable this policy setting the Snipping Tool will run.If you do not configure this policy setting the Snipping Tool will run.
un.If you disable this policy the Windows Journal accessory will run.If you do not configure this policy the Windows Journal accessory will
isual pen action feedback is disabled except for press and hold feedback. Additionally the mouse cursors are shown instead of the pen cur
that subscribe to this behavior.If you enable this policy a button assigned to Back will not map to ESC.If you disable this policy Back->ESC m
s policy applications cannot be launched from a hardware button and "Launch an application" is removed from the drop down menu for co
If you enable this policy press and hold actions are unavailable and the button configuration dialog will display the following text: "Some
s are pressed and the buttons tab in Tablet PC Control Panel will be removed.If you disable this policy user and OEM defined button action
Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab w
here this behavior is available. This policy applies only when using a tablet pen as an input device.Tablet PC Input Panel is a Tablet PC acce
here this behavior is available. This policy applies only when a user is using touch input.Tablet PC Input Panel is a Tablet PC accessory that
t. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified) Chinese (Traditional) Japanese and Korean. This s
s a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard shortcu
s where this behavior is available.Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keybo
Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default preventing users from switching
e Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. The tolerant gestures let users scratch o
earning mode is not. Pen flicks are off by default and can be turned on system-wide but cannot be restricted to learning mode application
d features are unavailable. This includes: pen flicks themselves pen flicks training pen flicks training triggers in Internet Explorer the pen fl
aining.If you disable or do not configure this policy setting users can open Tablet PC Pen Training.
puter using their finger.If you enable this setting the user will not be able to produce input with touch. They will not be able to use touch in
compatible PC with a touch digitizer by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the
the last page of the Scheduled Task Wizard. This policy is only designed to simplify task creation for beginning users.The checkbox when c
e Properties item from the File menu in Scheduled Tasks and from the context menu that appears when you right-click a task. As a result u
k items from the context menu that appears when you right-click a task. As a result users cannot start tasks manually or force tasks to end
cheduled program for existing tasks.This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the
s folder.This setting disables the Cut Copy Paste and Paste Shortcut items on the context menu and the Edit menu in Scheduled Tasks. It a
s the New Task Wizard. Also the system does not respond when users try to move paste or drag programs or documents into the Schedule
command from the Edit menu in the Scheduled Tasks folder and from the menu that appears when you right-click a task. Also the system
sonal calendars publishing them and subscribing to other users calendars.If you enable this setting Windows Calendar will be turned off.If
icy setting users cannot install new color profiles or uninstall previously installed color profiles.If you disable or do not configure this policy
Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software
reen warnings about potentially malicious websites.If you enable this setting employees can't ignore Windows Defender SmartScreen war
e sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products or additional data other than
ges to the system event log.If you enable this policy setting Windows Error Reporting events are not recorded in the system event log.If yo
her Microsoft or internal servers within your organization when software unexpectedly stops working or fails.If you enable this policy settin
oft automatically.If you enable this policy setting any additional data requests from Microsoft in response to a Windows Error Reporting re
el report data even if a CAB file containing data about the same event types has already been uploaded to the server.If you enable this po
nning on battery power. By default when a computer is running on battery power WER only checks for solutions but does not upload additi
olicy that restricts the amount of data that is sent over the network.If you enable this policy setting WER does not check for network cost p
olicy setting you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all all data collected for each
ble this policy setting you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull
Windows Error Reporting is turned on.If you enable this policy setting you can create a list of applications that are never included in error r
e this policy setting you can set the default consent handling for error reports. The following list describes the Consent level settings that a
ypes.If you enable this policy setting you can add specific event types to a list by clicking Show and typing event types in the Value Name co
stom consent settings.If you enable this policy setting the default consent levels of Windows Error Reporting always override any other co
on-premises authentication.If you enable this policy setting Windows Hello for Business enrolls a sign-in certificate that is used for on-pre
ectory or Azure Active Directory account that can replace passwords Smart Cards and Virtual Smart Cards.If you enable this policy the devi
m on the system.If you enable this policy setting privileges are extended to all programs. These privileges are usually reserved for programs
this policy setting if a user tries to install a program from removable media such as CD-ROMs floppy disks and DVDs a message appears sta
e an interrupted or unsuccessful installation.If you enable this policy setting Windows Installer is prevented from recording the original sta
disable or do not configure this policy setting by default the Windows Installer searches the network first then removable media (floppy d
o expire. By default a user is notified before logon hours expire if actions have been set to occur when the logon hours expire.If you enable
ontacted during logon and he has been logged on using previously stored account information.If enabled a notification popup will be displ
he actions include lock the workstation disconnect the user or log the user off completely.If you choose to lock or disconnect a session the
rom the Internet.If you enable this policy setting the Player is prevented from automatically obtaining media information from the Interne
m the Internet.If you enable this policy setting the Player is prevented from automatically obtaining media information for music files such a
t.If you enable this policy setting the Player is prevented from automatically retrieving radio station presets from the Internet and displayin
able this policy setting select one of the following proxy types:- Autodetect: the proxy settings are automatically detected.- Custom: uniqu
umber of seconds.If you enable this policy setting select one of the following options to specify the number of seconds streaming media is
ab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for t
tocols when receiving streaming media from a server running Windows Media Services.If you enable this policy setting the protocols that
en saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties di
able this policy setting the Player is prevented from automatically downloading codecs to your computer. In addition the Download codecs
policy hides the anchor window when the Player is in skin mode. In addition the option on the Player tab in the Player that enables users
cy setting the "Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet" check box on the M
licy setting the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users
kin.If you enable this policy setting the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab.You mus
setting Windows Messenger does not run.If you disable or do not configure this policy setting Windows Messenger can be used.Note: If yo
this policy setting Windows Messenger is not loaded automatically when a user logs on.If you disable or do not configure this policy settin
ble to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not la
elp cmdlet.If you enable this policy setting the Update-Help cmdlet will use the specified value as the default value for the SourcePath par
able this policy setting pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Eve
erShell/Operational event log. If you enable this policy setting Windows PowerShell will log the processing of commands script blocks f
o text-based transcripts. If you enable this policy setting Windows PowerShell will enable transcripting for Windows PowerShell the W
to run.If you enable this policy setting the scripts selected in the drop-down list are allowed to run.The "Allow only signed scripts" policy s
wed to be the default choice in the Shut Down Windows dialog.If you enable this policy setting the user's last shut down choice (Hibernate
ayed in the Shut Down Windows dialog box.If you enable this policy setting 'Install Updates and Shut Down' will not appear as a choice in
Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com fro
tion instead of its own OAuth2 token flow used in previous versions.
rs are allowed to change settings when setting up Work Folders on a domain-joined computer.If you enable this policy setting affected use
l opens to the category view.If this policy setting is not configured the Control Panel opens to the view used in the last Control Panel sessio
ntrol Panel window as well as other ways to access Control Panel items such as shortcuts in Help and Support or command lines that use c
tart Control Panel or PC settings or run any of their items.This setting removes Control Panel from:The Start screenFile ExplorerThis setting
p and if all pages in a category are blocked the category will be hidden as well. Direct navigation to a blocked page via URI context menu in
ose you specify in this setting. This setting affects the Start screen and Control Panel as well as other ways to access Control Panel items su
tion lists system services that have not been configured and offers users easy access to the configuration tools.If you disable this setting or
or assigned by a system administrator.If you disable this setting or do not configure it the Add New Programs button is available to all user
ets users configure installed services and use the Windows Component Wizard to add remove and configure components of Windows from
ll repair add or remove features of installed programs.If you disable this setting or do not configure it the Change or Remove Programs pag
u disable this setting or do not configure it the "Add a program from CD-ROM or floppy disk" option is available to all users.This setting doe
ng or do not configure it "Add programs from Microsoft" is available to all users.This setting does not prevent users from using other tools
ection lists published programs and provides an easy way to install them.Published programs are those programs that the system administ
ministrators specify default programs for certain activities such as Web browsing or sending e-mail as well as which programs are accessibl
ets users install uninstall repair add and remove features and components of Windows 2000 Professional and a wide variety of Windows p
on" hyperlink. When clicked the hyperlink opens a dialog box that displays troubleshooting information including a link to the installation fi
rams" page opens. Users can use the Category box on the "Add New Programs" page to display programs in other categories.To use this s
"Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings m
s a result users cannot change the screen saver options.If you do not configure it this setting has no effect on the system.If you enable it a
a UNC path (\\Server\Share\aero.msstyles).If you enable this setting the visual style file that you specify will be used. Also a user may not a
e Screen Saver dialog in the Personalization or Display Control Panel which prevents users from changing the screen saver.If you disable th
s not prevent the user from changing the theme or any of the theme elements such as the desktop background color sounds or screen sav
et on any screen saver.This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or D
g prevents users from using Control Panel to change the window border and taskbar color (on Windows 8) glass color (on Windows Vista a
setting a user may change the color scheme of the current desktop theme.For Windows 7 and later use the "Prevent changing color and a
n (wallpaper) to their desktop.If you enable this setting none of the Desktop Background settings can be changed by the user.To specify wa
this setting none of the desktop icons can be changed by the user.For systems prior to Windows Vista this setting also hides the Desktop t
se pointer scheme settings can be changed by the user.
uter. It does not prevent a screen saver from running.
ound Scheme settings can be changed by the user.
nd screen saver can still be changed (unless policies are set to turn them off).If you disable or do not configure this setting there is no effec
list on the Appearance tab in Display Properties.When enabled on Windows XP and later systems this setting prevents users and applicatio
sabled. If you disable or do not configure this setting a user may change the font size using the "Font size" drop-down list on the Appearan
o zero the screen saver will not be started.This setting has no effect under any of the following circumstances: - The setting is disabled or
e an Internet or intranet address in the text box the system adds a Browse button to the "Specify a Printer" page in the Add Printer Wizard
nter or a printer attached to another computer" radio button on Add Printer Wizard's page 2 and also check the "Connect to this printer (o
ng these searches begin at the location you specify in the "Default Active Directory path" box. Otherwise searches begin at the root of Acti
If you enable this setting the computer will restrict printing to printer connections on the corporate network or approved USB-conne
n Device Control Printing is enabled the system uses the specified list of vid/pid values to determine if the current USB connected printer is
nt and print client computers will check the driver signature of all drivers that are downloaded from print servers.If this setting is disabled o
is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connec
ers that are members of a domain. If you enable this policy setting: -Windows XP and later clients will only download print drive
tart click Printers and then click Add Printer.) This setting also removes Add Printer from the Printers folder in Control Panel. Also user
explaining that a setting prevents the action. This setting does not prevent users from running other programs to delete a printer.
ou do not configure this setting default printer management will not change.
ms and Features in Classic View and the "Install a program from the netowrk" task. The "Get Programs" page lists published programs and
The updates are often downloaded directly from Windows Update or from various program publishers.If this setting is disabled or not confi
ms and Features" will be available to all users.This setting does not prevent users from using other tools and methods to view or uninstall p
page allows administrators to specify default programs for certain activities such as Web browsing or sending e-mail as well as specify the
sers cannot view enable or disable various Windows features and services.If this setting is disabled or is not configured the "Turn Window
Windows Marketplace allows users to purchase and/or download various programs to their computer for installation.Enabling this feature d
s enable and disable Windows Features set program defaults view installed updates and purchase software from Windows Marketplace. P
olicy setting does not however prevent an administrator or another application from changing these values programmatically.This policy s
you enable this policy setting the user does not see the option to change the GeoID. This does not prevent the user or an application from
ns control panel.If you enable this policy setting the user does not see the option for changing the UI language. This does not prevent the
olicy setting the user does not see the regional formats options. This does not prevent the user or an application from changing their user
â€¯Windowsâ€¯languageâ€¯use the following policy: "Restricts the UI languages Windows should use for the selected user."â€¯â€¯ If
he language selection defaults to English.If you enable this policy setting the dialog box controls in the Regional and Language Options con
dows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specifie
option controls whether or not errors in typed text will be automatically corrected. If the policy is Enabled then the option will be lock
controls whether or next spelling errors in typed text will be highlighted. If the policy is Enabled then the option will be locked to not
after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate w
option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. If the policy is En
to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing mes
folder the system adds a connection to the shared folder to Network Locations.If you enable this setting shared folders are not added to N
r are not saved when users log off. However shortcuts placed on the desktop are always saved.
from using another method to start the programs or opening the items they represent.Also see "Items displayed in Places Bar" in User Con
ote: In operating systems earlier than Microsoft Windows Vista this policy applies to the My Network Places icon.
rs have added or removed toolbars this setting prevents them from restoring the default configuration.Tip: To view the toolbars that can b
sktop.Note: If users have adjusted their toolbars this setting prevents them from restoring the default configuration.Also see the "Prevent
the folder's Properties dialog box.If you enable this setting users are unable to type a new location in the Target box.
he user navigates into Computer via the "Up" button while this setting is enabled they view an empty Computer folder. This setting allows
rd Open dialog box.This setting does not prevent the user from using other methods to gain access to the contents of the My Documents
the File menu. Likewise Alt-Enter does nothing when Computer is selected.If you disable or do not configure this setting the Properties op
oes any of the following:Right-clicks the My Documents icon.Clicks the My Documents icon and then opens the File menu.Clicks the My Do
cks File. Likewise Alt-Enter does nothing when Recycle Bin is selected.If you disable or do not configure this setting the Properties option i
n dialog box.This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder.Note
access the Desktop Cleanup Wizard.If you disable this setting or do not configure it the default behavior of the Desktop Clean Wizard runn
the active window is shaken back and forth with the mouse.If you disable or do not configure this policy this window minimizing and resto
ctive Directory Find dialog box opens but users can hide it.If you disable this setting or do not configure it the filter bar does not appear bu
the Network Locations folder.If you disable this setting or do not configure it the Active Directory folder appears in the Network Locations
hose in Local Users and Groups Active Directory Users and Computers and dialog boxes used to set permissions for user or group objects in
but the items are added again each time the setting is refreshed.You can also use this setting to delete particular Web-based items from u
he Browse button on the Desktop tab the wallpaper does not load. Files that are autoconverted to a .bmp format such as JPEG GIF and PN
he wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file.To use this setting type the fully qualified path and name of
Active Desktop is disabled by default but users can enable it.Note: If both the "Enable Active Desktop" setting and the "Disable Active Desk
Panel. As a result users cannot add Web pages or pictures from the Internet or an intranet to the desktop.Note: This setting does not disab
Active Desktop is disabled by default but users can enable it.Note: If both the "Enable Active Desktop" setting and the "Disable Active Desk
nternet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop or prevent users from
in this folder. This setting removes the Web tab from Display in Control Panel. As a result users cannot enable or disable Active Desktop. I
desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Displa
ete Web content from their Active Desktop.This setting does not prevent users from adding Web content to their Active Desktop.Also see t
item from the menu for each item on the Active Desktop. As a result users cannot change the properties of an item such as its synchroniz
Availability page in the New Connection Wizard click the "For all users" option.This setting determines whether the Properties menu item i
ers" option.If you enable this setting all users can delete shared remote access connections. In addition if your file system is NTFS users nee
ble/disable a LAN connection by double-clicking the icon representing the connection by right-clicking it or by using the File menu.If you d
rs" option.If you enable this setting the Rename option is enabled for all-user remote access connections. Any user can rename all-user co
an icon representing the connection or by using the File menu.If you disable this setting the Rename option is disabled for nonadministrat
enting a connection or by using the File menu.If you disable this setting (and enable the "Enable Network Connections settings for Adminis
ndows XP Professional. In Windows 2000 Professional all of these settings had the ability to prohibit the use of certain features from Adm
box is available to users.If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting) the Pr
onents of a LAN connection is enabled.If you enable this setting (and enable the "Enable Network Connections settings for Administrators
ed by a private or all-user remote access connection is enabled.If you enable this setting (and enable the "Enable Network Connections se
ange the order in which the computer accesses connections network providers and print providers.If you enable this setting (and enable t
tting) the Make New Connection icon does not appear in the Start Menu on in the Network Connections folder. As a result users (including
ore logon and configure automatic dialing and callback features.If you enable this setting (and enable the "Enable Network Connections se
"Enable Network Connections settings for Administrators" setting) the Install and Uninstall buttons for components of connections are dis
he Connection Availability page in the New Connection Wizard click the "Only for myself" option.This setting determines whether the Prop
he icon has no effect and the Connect and Disconnect menu items are disabled for all users (including administrators).Important: If the "E
annot delete any remote access connections. This setting also disables the Delete option on the context menu for a remote access connecti
g) the check boxes for enabling and disabling components are disabled. As a result administrators cannot enable or disable the componen
page in the New Connection Wizard click the "Only for myself" option.If you enable this setting (and enable the "Enable Network Connecti
rnet Protocol (TCP/IP) Properties dialog box is disabled for all users (including administrators). As a result users cannot open the Advanced
mation about the connection and its activity. It also provides buttons to disconnect and to configure the properties of the connection.If yo
ssignment of an automatic private IP address"(i.e. an IP address in the range 169.254.*.*). This indicates that a DHCP server could not be r
Offline Files tab. This prevents users from trying to change the option while a setting controls it.If you enable this setting you can use the "A
when the offline files storage cache is corrupted. However you can use this setting to specify additional events you want Offline Files to re
riodically. By default the first reminder for an event is displayed for 30 seconds. Then updates appear every 60 minutes and are displayed
tion on server disconnect" setting.To use this setting click Show. In the Show Contents dialog box in the Value Name column box type the s
mputer. Also they cannot use the folder to view characteristics of offline files such as their server status type or location.This setting does
ine Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result users cannot view or change the o
ons appear when the user's connection to a network file is lost or reconnected and they are updated periodically. By default the first remi
first reminder for an event is displayed for 30 seconds. Then updates appear every 60 minutes and are displayed for 15 seconds. You can u
dows will still cache local copies of files that reside on network shares designated for automatic caching.If you disable or do not configure
ot available for the files and folders that you list. To specify these files and folders click Show. In the Show Contents dialog box in the Value
rk offline" command is not displayed in File Explorer.If you disable or do not configure this policy setting the "Work offline" command is di
tting the files you enter are always available offline to users of the computer. To specify a file or folder click Show. In the Show Contents d
rying to change the option while a setting controls it.If you enable this setting offline files are fully synchronized. Full synchronization ensur
ying to change the option while a setting controls it.If you enable this setting offline files are fully synchronized at logon. Full synchronizati
on to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files a
on to a networked file and are working on a local copy of the file. Users can then decide how to proceed.If you enable this setting the syst
n related tasks including "Set up a wireless router or access point" and "Add a wireless device" are disabled. If you disable or do not configu
ory" option to publish DFS roots as shared folders in AD DS .If you disable this policy setting users cannot publish DFS roots in AD DS and th
irectory" option in the Shared Folders snap-in to publish shared folders in AD DS.If you disable this policy setting users cannot publish shar
irtual DOS Machine program. VDM simulates a 16-bit environment complete with the DLLs required by 16-bit programs. By default all 16-
enable this setting the Log Off <username> item appears in the Start menu. This setting also removes the Display Logoff item from Start Me
policy there will not be a "Search the Internet" link when the user performs a search in the start menu search box. If you do not confi
Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set the Add the Run command to the Start menu po
n to either Sleep or Hibernate and that state is not supported on a computer then the button will fall back to Shut Down.If you disable or d
t menu is always empty when the user logs on. In addition recently and frequently used items in the Jump Lists off of programs in the Star
with programs for each new user.
ersions of these notifications will be cleared when the user logs on.If you disable or do not configure this setting the system retains notifica
ble this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications.
also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show.If you d
to the Taskbar these programs continue to show in the Taskbar. However users cannot unpin these programs already pinned to the Taskb
ill be removed from the Taskbar on next login.If you disable or do not configure this policy setting users can pin the Store app to the Taskb
splay section is not enabled in the taskbar properties dialog.If you disable or do not configure this policy setting users can show taskbars o
s Desktop and other custom toolbars created by the user or by an application.If this setting is enabled the taskbar does not display any cus
tes and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks.If you
ts to documents opened while the setting is in effect. Also they retain but do not display existing document shortcuts. The system empties
o in the start menu control panel.
ectly in Control Panel. If you enable this policy a "See more results" / "Search Everywhere" link will not be shown when the user performs
ess the user chooses not to in the start menu control panel.
rams and Control Panel items unless the user chooses not to do so directly in Control Panel.
st displays a message explaining that the file is not found.If you disable or do not configure this policy setting by default when the system
begins a comprehensive search of the drive specified in the target path.If you disable or do not configure this policy setting by default whe
e menu. When the classic Start menu is used the following icons are placed on the desktop: Documents Pictures Music Computer and Net
indows will automatically select the size based on hardware form factor and users will be able to change the size of Start in Settings.
etting users will always go to the Start screen when they sign in.If you donâ€™t configure this policy setting the default setting for the user
Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured
tifications and the system clock.If this setting is enabled the userâ€™s entire notification area including the notification icons is hidden. The
ther sorting options would continue to be available and the user could choose to change their default sorting options.If you disable or don
skbar.If you disable or do not configure this policy setting the user will be able to set any taskbar setting that is not prevented by another p
ed at the bottom of the screen but it can be dragged to any side of the screen. When it is locked it cannot be moved or resized.If you enab
clicks the taskbar and then clicks Properties a message appears explaining that a setting prevents the action.If you disable or do not config
full.If you enable this setting it prevents the taskbar from grouping items that share the same program name. By default this setting is alw
o add toolbars either.If you disable or do not configure this policy setting the users and applications are able to add toolbars to the taskba
ry tile entering the customize mode and rearranging tiles within Start and Apps.If you disable or do not configure this setting you will allow
ou disable or do not configure this policy setting users are able to drag their taskbar to another area of the monitor unless prevented by a
etting users are able to rearrange the toolbars on the taskbar.
able to resize their taskbar unless prevented by another setting.
ng setting will also be disabled in Settings.

n such as the Start button the clock and the taskbar buttons.If you disable or do not configure this policy setting the context menus for the
will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off.Selecting "Coll
s from running Windows-based programs that perform these functions.If you enable this policy setting the Power button and the Shut Dow
mation about the object.If you enable this setting some of this pop-up text is not displayed. The pop-up text affected by this setting include
default behavior of the clock appearing in the notification area will occur.
etting only items in the user's profile appear in the Programs menu.Tip: To see the Program menu items in the All Users profile on the syst
link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs for
bling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the
this policy setting the Downloads link is available from the Start Menu.
ble or do not configure this setting the Display Favorite item is available.Note:The Favorities menu does not appear on the Start menu by d
ove it in the start menu control panel.
y setting the Help command is available from the Start menu.This policy setting only affects the Start menu. It does not remove the Help m
u. If you disable or do not configure this policy users can use the Start Menu options to add or remove the homegroup link from the Sta
blocks user access to the Windows Update Web site at http://windowsupdate.microsoft.com. Also the policy setting removes the Window
r in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result users cannot restore the
ng the Music icon is available from Start Menu.
the Network Connections folder from opening. This policy setting also removes Network Connections from Settings on the Start menu.Ne
setting the Network icon is available from Start Menu.
s and the system clock. If this setting is enabled Notifications and Action Center is not displayed in the notification area. The user will be a
etting the Pictures icon is available from Start Menu.
Taskbar.If you disable or do not configure this policy setting users can pin programs so that the program shortcuts stay on the Taskbar.
moved from the 'Customize Start Menu' dialog. If you disable this setting or do not configure it the "Pinned Programs" list remains on the
u and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running.Ho
y opened. It appears so that users can easily reopen their documents.If you enable this setting the system saves document shortcuts but d
ure this policy setting the Recorded TV link is available from the Start Menu.
(2) The New Task (Run) command is removed from Task Manager.(3) The user will be blocked from entering the following into the Interne
own when the user performs a search in the start menu search box.
you enable this policy setting the Search item is removed from the Start menu and from the context menu that appears when you right-cli
ee more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is install
he simple Start menu and your PC can be undocked.
t configure this policy setting the battery meter is displayed in the system notification area.
not configure this policy setting the Meet Now icon is displayed in the system notification area.
o not configure this policy setting the networking icon is displayed in the system notification area.
oggle is removed from the taskbar settings page and users will not be able to pin people to the taskbar.
ea.If you disable or do not configure this policy setting the Security and Maintenance icon is displayed in the system notification area.
ble or do not configure this policy setting the volume control icon is displayed in the system notification area.
start menu control panel.
u in Windows XP and Windows Server 2003.To remove the user name folder on Windows Vista set the "Remove user folder link from Start
ottom) section of the Start menu. However the original user-specific version of the folder still appears on the top section of the Start men
cy setting the Videos link is available from the Start Menu.
efault view for Start.If you enable this policy setting searching from the Apps view will only search the list of installed apps.If you disable or
hich support this functionality.If you disable this setting or do not configure it users cannot access the "Run as different user" command fr
d holiday names in Simplified Chinese (Lunar) by default. For zh-TW zh-HK and zh-MO locales an additional calendar shows the lunar mont
annot change to hide it using the Settings app.Selecting "Hide" will force the "Most used" list to be hidden and user cannot change to sho
the QuickLaunch bar will be hidden and cannot be turned on.If you do not configure this policy setting then users will be able to turn the Q
olicy setting the Start screen will appear on the display the user is using when they press the Windows logo key.If you disable or don't confi
o switch between the Apps view and the Start screen.If you disable or donâ€™t configure this policy setting the Start screen will appear by
Windows Store apps on the taskbar. If you donâ€™t configure this policy setting the default setting for the userâ€™s device will be used a
generated by the Export-StartLayout PowerShell cmdlet.To use this setting you must first manually configure a device's Start layout to the
alloons are shown to the user.
sers can still configure icons to be shown or hidden in the Notification Control Panel.If you disable or do not configure this policy setting ne
u disable do not configure this policy setting feature advertisement balloons are shown.
setting determines whether the items are always expanded or always collapsed. By default notifications are collapsed. The notification cle
y clicking an arrow to extend the menu.If you enable this setting the system does not personalize menus. All menu items appear and rema
configure this policy setting the taskbar thumbnails are displayed.
nu.If you disable or do not configure this policy setting the system tracks the programs that the user runs. The system uses this information
able to customize any Quiet Hours settings. If you disable this policy setting a default value will be used and users will not be able to c
ble to customize any Quiet Hours settings. If you disable this policy setting a default value will be used and users will not be able to cha
ers will not be able to customize any other Quiet Hours settings. If you disable this policy setting voice and video calls will be allowed d
onfigure this policy setting notifications will be mirrored and can be turned off by the administrator or user. No reboots or service res
ed Quiet Hours time window each day. If you disable this policy setting toast notifications will be suppressed and some backgroun
ble or do not configure this policy setting tile and badge notifications are enabled and can be turned off by the administrator or user. N
ar notification balloons. Note that Windows system features are not affected by this policy. You must enable/disable system features
configure this policy setting toast notifications on the lock screen are enabled and can be turned off by the administrator or user. No re
wo-digit years correctly consult the documentation or manufacturer of the program.If you enable this policy setting the system specifies th
g the system starts the interface you specify instead of Explorer.exe.To use this setting copy your interface program to a network share or
o a computer where this policy is applied.Users can still display the welcome screen by selecting it on the Start menu or by typing ""Welco
olicy setting or do not configure it users can run any programs.This policy setting only prevents users from running programs that are start
nterfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered
policy setting or do not configure it users can run Regedit.exe normally.To prevent users from using other administrative tools use the "Ru
licy setting and the user tries to open a command window the system displays a message explaining that a setting prevents the action.If y
e this policy setting enter the file names names of the programs you want to restrict separated by commas. If you disable or do no
policy setting or do not configure it users can run all applications.This policy setting only prevents users from running programs that are sta
cally downloads them. This happens in the background and the user is prompted when downloaded components are ready to be installed
ou press Ctrl+Alt+Del.However users are still able to change their password when prompted by the system. The system prompts users for
you enable this policy setting users cannot lock the computer from the keyboard using Ctrl+Alt+Del.If you disable or do not configure this p
ll prevent them from logging off unless they restart or shutdown the computer or clicking Log off from the Start menu.Also see the 'Remo
ing on their computers including system services; find the executable names of programs; and change the priority of the process in which
changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI) connect remotely from
. Users can use System in Control Panel to select a more secure setting but when this setting is enabled the system does not implement an
OM drives Windows Update.Using this setting you may remove the floppy and CD-ROM drives from the search algorithm.If you enable thi
r searching" in "Administrative Templates/System/Internet Communication Management/Internet Communication settings" is disabled or
ault.If you enable this policy setting users must manually select the files they wish to make available offline. If you disable or do not config
available offline.If you disable or do not configure this policy setting all redirected shell folders are automatically made available offline. All
on.If you enable this policy setting when the path to a redirected folder is changed from one network location to another and Folder Redir
here the user might not want to download private data such as on a meeting room computer or on a computer in a remote office.To desig
parent Start Menu and legacy My Documents folder respectively.If you enable this policy setting Windows Vista Windows 7 Windows 8 an
ry Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated
n this group is slower than the rate specified by this setting the system considers the connection to be slow.The system's response to a slo
nfigure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Compu
olicy setting interactive users cannot generate RSoP data.If you disable or do not configure this policy setting interactive users can generat
supported by Group Policy must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies reg
Policy Management tools including the Group Policy tab in Active Directory tools and the GPO browser.The display name can contain env
Configuration folder.In addition to background updates Group Policy for users is always updated when users log on.By default user Group
he amount of space used on the system volume of a DC.By default when you start the Group Policy Object Editor a timestamp comparison
ation settings" section are set such that their respective features cannot access the Internet.If you disable this policy setting all of the the p
ociated with any applications on the computer the user is given the choice to select a local application or use the Store service to find an a
not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are n
g style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition
and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in futu
elp so that Microsoft can improve it.If you enable this policy setting users cannot participate in the Help Experience Improvement program
g ratings controls are added to Help topics.Users can use the control to provide feedback on the quality and usefulness of the Help and Su
ervices such as online storage and photographic printing. By default Windows displays providers downloaded from a Windows website in
iated with any applications on the computer the user is given the choice to select a local application or use the Web service to find an app
client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared prin
rder prints online.If you enable this policy setting the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.If yo
ders.The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web.If you enable this po
users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the produ
policy setting users are prevented from accessing online assistance content from Windows Online.If you disable or do not configure this po
ers may select any GeoID.If you enable this policy setting at the computer level it cannot be disabled by a per-user policy setting. If you dis
e selection of replacement locales. To prevent the selection of replacement locales adjust the permissions of the %windir%\Globalization
rst reset the user(s) values to the defaults and then apply this policy.When this policy setting is enabled users can still choose alternate loc
ngs; however the next time a user attempts to change their user locale their choices will be restricted to locales in this list.To set this policy
essional and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system star
These programs are added to the standard list of programs and services that the system starts.If you enable this policy setting the system i
he time the user logs on to this computer that has this policy applied.To specify values for this policy setting click Show. In the Show Conte
pecified as the Value name including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be
nd prompted for a password when it is resumed from a suspend or hibernate state.If you disable or do not configure this policy setting use
ch class.If you enable this policy setting no access is allowed to any removable storage class.If you disable or do not configure this policy se
cy setting read access is allowed to this removable storage class.
licy setting write access is allowed to this removable storage class.
setting read access is allowed to these removable storage classes.
y setting write access is allowed to these removable storage classes.
e or do not configure this policy setting read access is allowed to this removable storage class.
ble or do not configure this policy setting write access is allowed to this removable storage class.
allowed to this removable storage class.
s allowed to this removable storage class.Note: To require that users write data to BitLocker-protected storage enable the policy setting "
ng you can set the number of seconds you want the system to wait until a reboot.If you disable or do not configure this setting the operati
y setting read access is allowed to this removable storage class.
cy setting write access is allowed to this removable storage class.
ble storage class.If you disable or do not configure this policy setting read access is allowed to this removable storage class.
able storage class.If you disable or do not configure this policy setting write access is allowed to this removable storage class.
logoff script.If you enable this policy setting the system displays each instruction in the logoff script as it runs. The instructions appear in a
n scripts.If you enable this policy setting the system displays each instruction in the logon script as it runs. The instructions appear in a com
he instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run although it does not display logo
start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user start
s PowerShell scripts. If you enable this policy setting within each applicable Group Policy Object (GPO) PowerShell scripts are run before n
e home directory of a user profile. The home directory is a persistent mapping of a drive letter on the local computer to a local or remote d
w users to other computers.Note: When excluding content from the profile you should try to exclude the narrowest set of data that will ad
you disable this policy setting or do not configure it the system does not limit the size of user profiles.If you enable this policy setting you c
help resolve issues with applications that do not work well with Offline Files while the user is online.If you enable this policy setting the ne
is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.If you enable t
here is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.If you enable
Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
he attachment is in the list of high-risk file types and is from the restricted zone Windows blocks the user from accessing the file. If the file
correctly and will fail without notice on FAT32. By not preserving the zone information Windows cannot make proper risk assessments.If
x in the security warning dialog. Removing the zone information allows users to open potentially dangerous file attachments that Window
f the file is from the Internet zone Windows prompts the user before accessing the file. This inclusion list takes precedence over the mediu
e information. This inclusion list overrides the list of high-risk file types built into Windows and has a lower precedence than the high-risk o
ore accessing the file. This inclusion list overrides the list of potentially high-risk file types built into Windows and it takes precedence over
s on-access checks or scans files as they arrive on the computer's email server additional calls would be redundant. If you enable this polic
. For example trust notepad.exe but don't trust .txt files.Preferring the file type instructs Windows to use the file type data over the file ha
configure this policy setting AutoPlay is enabled for non-volume devices.
do when a device is connected. If you disable or do not configure this policy setting AutoPlay remembers user's choice of what to do
Windows Vista when media containing an autorun command is inserted the system will automatically execute the program without user
media start immediately. Prior to Windows XP SP2 Autoplay is disabled by default on removable drives such as the floppy disk drive (b
Calculator app. If you enable or don't configure this policy setting users will be able to access graphing functionality.
ock screen. "Windows spotlight" will display daily images from Microsoft on the lock screen.Additionally if you check the "Include content
may still see suggestions and tips to make them more productive with Microsoft features and apps.If you disable or do not configure this
ata may include browser app and feature usage depending on the "diagnostic data" setting value) to customize content shown on lock scr
es will be turned off. You should enable this policy setting if your goal is to minimize network traffic from target devices.If you disable or d
w features.If you enable this policy the Windows Welcome Experience will no longer display when there are updates and changes to Windo
gest apps or features to help users be more productive on Windows.
be productive on Windows or their linked phone.
user types a password in the password entry text box.If you disable or do not configure this policy setting the password reveal button will
gs app. The diagnostic data collected under this policy impacts the operating system and apps that are considered part of Windows and do
e not been digitally signed will not be extracted.If you disable or do not configure this setting both signed and unsigned gadgets will be ex
e or do not configure this setting desktop gadgets will be turned on.The default is for desktop gadgets to be turned on.
tting Windows will run user-installed gadgets.The default is for Windows to run user installed gadgets.
able this policy setting Flip 3D is inaccessible. If you disable or do not configure this policy setting Flip 3D is accessible if desktop compositio
f you disable or do not configure this policy setting window animations are turned on. Changing this policy setting requires a logoff for it to
this policy setting you allow users to change the default window frame color. Note: This policy setting can be used in conjunction with the
e user does not specify a color. If you disable or do not configure this policy setting the default internal color is used if the user does not sp
acquired and stored in the user's Windows Marketplace Digital Locker.If you enable this setting Digital Locker will not run.If you disable or
wiping in from the screen edges.
help tips to the user.
o longer be able to switch to recent apps using the mouse. The user will still be able to switch apps using touch gestures keyboard shortcu
X.If you enable this policy setting the Command Prompt will always be listed in that menu and users won't be able to replace it with Wind
e Start Devices and Settings will no longer appear when the mouse is pointing to the upper-right corner. They'll still be available if the mou
ers will be allowed to switch between recent apps.
e Search and Share panes - the drop-down app list in the Picker If you disable or don't configure this policy setting Windows will keep
dministrator or that will not impact other users of the machine.A shell extension only runs if there is an entry in at least one of the followin
System. This behavior is consistent with Windows Vista's behavior in this scenario.This disables access to user-defined properties and pro
folder exists before the policy is applied the folder must be manually deleted since the policy only blocks the creation of the folder.You ca
to the Recycle Bin by the user.If you disable or do not configure this setting the default behavior of not displaying a confirmation dialog oc
plorer.If you disable or do not configure this policy setting the menu bar will not be displayed in File Explorer.Note: When the menu bar is
ears in the navigation pane and other advanced view settings.If you enable this policy setting users will receive an error message if they tap
he Control Panel or Start menu.If you disable or do not configure this policy setting the Welcome Center is displayed at user logon.
using File Explorer will not be placed in the Recycle Bin and will therefore be permanently deleted.If you disable or do not configure this se
prompts the current user for the user name and password of an administrator appears when users who are not administrators try to instal
file as well as the relative path to the current target file. When the system cannot find the file in the current target path then by default it
rive letters representing the selected drives do not appear in the standard Open dialog box.If you enable this policy setting select a drive o
sc) a console tool that includes many of the primary Windows 2000 administrative tools such as Event Viewer Device Manager and Disk M
efinition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon the policy settin
station.If you disable or do not configure this setting users can change the total amount of disk space used by the Recycle Bin.Note: This s
he user has most recently opened.If you enable this policy setting the system displays the number of shortcuts specified by the policy setti
ves the "Computers Near Me" option and the icons representing nearby computers from Network Locations. This policy setting also remov
option and the icons representing networked computers from Network Locations and from the browser associated with the Map Networ
of the Search Results view allow the user to reconduct a search but in a different location. The Internet search site will be searched with t
user to reconduct a search but in a different location. To add a Library or Search Connector link specify the path of the .Library-ms or .sea
r but they cannot open folders and access the contents. Also they cannot use the Run dialog box or the Map Network Drive dialog box to v
be able to add new items such as files or folders to the root of their Users Files folder in File Explorer.If you disable or do not configure this
nds from the toolbar and Tools menus in File Explorer and Network Locations and from menus that appear when you right-click the File Ex
ures in the File Explorer that allow you to use your CD writer are removed.If you disable or do not configure this policy setting users are ab
File Explorer browser such as My Computer. As a result users cannot use this tab to view or change the properties of the DFS shares availa
right-click the items in File Explorer. This setting does not prevent users from using other methods to issue commands available on the sh
all local drives including hard drives floppy disk drives and CD-ROM drives. As a result users cannot use the Hardware tab to view or change
plorer and other programs that use the File Explorer window such as My Computer and Network Locations.Enabling this policy setting doe
Security tab. As a result users will be able to neither change the security settings nor view a list of all users that have access to the resource
er Places" and also under "Files Stored on This Computer" in My Computer. Using this policy setting you can choose not to have these item
en the user performs a search in the Explorer window. This button launches a search in the default browser with the search terms.If you d
haracter (hot key) does not appear on menus until you press ALT.Effects such as transitory underlines are designed to enhance the user's e
sition effects for menus and tooltips" option in Display in Control Panel is disabled and cannot be toggled by users.Effects such as animatio
work computer across a local area network connection.If you disable this setting or do not configure it this dialog box appears only when us
rst time users open File Explorer and whenever they open new windows. If you disable or do not configure this policy setting users can cho
ached.Note: For shared corporate workstations or computers where security is a top concern you should enable this policy setting to turn
the Search Box. These suggestions are based on their past entries into the Search Box.Note: If you enable this policy File Explorer will not
a file name (for example 111 < 22 < 3).If you disable or do not configure this policy setting File Explorer will sort file names by increasing nu
ected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able t
nable this policy setting File Explorer does not create read from or write to thumbs.db files.If you disable or do not configure this policy setti
ure this policy setting File Explorer shows snippets in Content view mode by default.
y setting File Explorer displays only icons and never displays thumbnail images on network folders.If you disable or do not configure this p
plorer displays only icons and never displays thumbnail images.If you disable or do not configure this policy setting File Explorer displays on
sing Windows+E starts File Explorer. By using this setting you can disable these Windows Key hotkeys.If you enable this setting the Window
handle included folders that have been redirected to non-indexed network locations.Setting this policy will: * Disable all Arrangement vi
Mouse in Control Panel). As a result the user interface looks and operates like the interface for Windows NT 4.0 and users cannot restore th
rlier. This policy setting affects only programs that use the standard Open dialog box provided to developers of Windows programs.If you
dows NT 4.0 and earlier. These policies only affect programs that use the standard Open dialog box provided to developers of Windows pr
ng the "File name" field is a simple text box. Users must browse directories to find a file or type a file name in the text box.This setting and
in the Places Bar are:1) Shortcuts to a local folders -- (ex. C:\Windows)2) Shortcuts to remote folders -- (\\server\share)3) FTP folders4) we
w Pane is hidden by default and can be displayed by the user.
er.If you enable this policy setting and configure it to show the pane the Details Pane is always visible and cannot be hidden by the user. N
ng users cannot list or restore previous versions of files on local disks.If you disable this policy setting users cannot list and restore previous
not list or restore previous versions of files on file shares.If you disable this policy setting users can list and restore previous versions of file
up media.If you enable this policy setting users cannot see any previous versions corresponding to backup copies and can see only previou
disabled when the user selects a previous version corresponding to a local file.If you disable this policy setting the Restore button remains
you enable this policy setting the Restore button is disabled when the user selects a previous version corresponding to a backup.If you dis
is disabled when the user selects a previous version corresponding to a file on a file share.If you disable this policy setting the Restore butt
all content on the device that is protected by a particular enterprise add an entry to the list on a new line that contains the enterprise iden
not allowed to control IME version to use. The previous version of Microsoft IME is always selected.â€‹If you disable this user is not allowe
yph is not included in the candidate list when Publishing Standard Glyph for the word exists.If you disable or do not configure this policy se
d for conversion of IME. You can specify multiple ranges by setting a value combined with a bitwise OR of following values:0x0001 // JIS20
rd registered in the custom dictionary before enabling this policy setting can continue to be used for conversion.If you disable or do not co
sed predictive input is on by default.This policy setting applies to Japanese Microsoft IME only.Note: Changes to this setting will not take e
ese Microsoft IME.If you enable this policy setting you cannot use search integration.If you disable or do not configure this policy setting t
soft IME an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion.If you disable or do not c
ing data is saved to file by default.This policy setting applies to Japanese Microsoft IME only.
ciated with this feature is turned on the user's keyboard input is sent to Microsoft to generate the suggestions and the user won't be able
ciated with this feature is turned on the user's keyboard input is sent to Microsoft to generate the suggestions and the user won't be able
and popular words lexicon can be downloaded to local PC the user is able to turn it on or off in settings.If you disable this policy setting the
board input is sent to Microsoft to generate the live stickers and the user won't be able to turn it off.If you disable this policy setting the fu
etting misconversion logging is turned off.This policy setting applies to Japanese Microsoft IME and Traditional Chinese IME.
the default Internet search provider will be used.
so add a search provider from the provider's website.If you enable this policy setting the user can add and remove search providers but on
rk the same as Internet Explorer.If you disable or do not configure this policy setting "Save Target As" will not show up in the Internet Expl
with particular web applications.If you enable this policy setting OnUnLoad script handlers display UI during shutdown.If you disable or do
ft services.If you enable this policy setting users receive enhanced suggestions while typing in the Address bar. In addition users won't be a
lorer are considered to be the same as newly installed add-ons and are not activated when the user upgrades to Internet Explorer 9.In Inte
users cannot display the Media Explorer Bar. The auto-play feature is also disabled. When users click on a link within Internet Explorer th
to open or save attachments that could potentially contain a virus. Users will not be able to disable the blocking of attachments in option
Microsoft Edge. If any of the chosen versions are not installed on the device that preference will be bypassed.If both the Windows Update
ustom string in the version portion of the User Agent header.If you disable or do not configure this policy setting Internet Explorer sends th
s setting the user is suggested possible matches when filling forms. The user cannot change it.If you do not configure this setting the user
ored temporarily on the users' computer.If you disable this policy or do not configure it automatic proxy scripts can be stored in the users
y or do not configure it users can change accessibility settings such as overriding fonts and colors on Web pages.If you set the "Disable the
a and printing. Users cannot select or clear the check boxes on the Advanced tab.If you disable this policy or do not configure it users can
s provided in a file by the system administrator.If you enable this policy setting the user will not be able to do automatic configuration. You
lay these options users open the Internet Options dialog box and then click the Programs tab.If you disable this policy or do not configure
nt tab in the Internet Options dialog box appear dimmed.If you disable this policy or do not configure it users can import new certificates r
hen the user clicks the General tab and then clicks the Colors button in the Internet Options dialog box.If you disable this policy or do not
e it users can change their settings for dial-up connections.If you set the "Disable the Connections page" policy (located in \User Configura
he Programs tab in the Internet Options dialog box appears dimmed.If you disable this policy or do not configure it users can determine w
Tab in the Internet Options dialog box will be disabled.If you disable this policy or do not configure it users can change the default fonts f
m default home page. You must specify which default home page should load on the user machine. For machines with at least Internet Exp
Languages" button on the General Tab in the Internet Options dialog box will be disabled.If you disable this policy or do not configure it us
n users click the General tab and then click the Colors button in the Internet Options dialog box.If you disable this policy or do not configure
e options users open the Internet Options dialog box and then click the Programs tab.If you disable this policy or do not configure it users c
you disable this policy or do not configure it users can change their profile information such as their street and e-mail addresses.The "Disa
ns dialog box appear dimmed.If you disable this policy or do not configure it users can change their ratings settings.The "Disable the Ratin
pages.If you enable this policy setting you can specify which default home pages should load as secondary home pages. The user cannot se
r dimmed. These settings are found in the dialog box that appears when users click the General tab and then click the Settings button in th
y another party such as an Internet service provider or Internet content provider.If you disable this policy or do not configure it users coul
ther browser allows the user to import favorites and feeds from other browsers. Importing settings from a file allows the user to import fa
rom running the wizard by clicking the Connect to the Internet icon on the desktop or by clicking Start pointing to Programs pointing to Ac
r's usage to Microsoft Edge's native 'Internet Explorer mode'.- Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge S
disable this policy or do not configure it users can restore the default settings for home and search pages.The "Disable the Programs page
proxy settings.If you disable this policy or do not configure it error messages will not be displayed when problems occur with proxy script
On Manager.If you disable or do not configure this policy setting the appropriate controls in the Add-On Manager will be available to the u
in Internet Explorer mode and work the same as Internet Explorer.If you disable or don't configure this policy extended hotkeys will not w
sktop.The navigation bar includes features for browsing webpages searching the web by using a selection of search tools viewing a history
identity with a different password and different program preferences.If you enable this policy users will not be able to create new identiti
policy isnâ€™t enabled this policy has no effect.If you enable this policy all intranet sites are opened in Internet Explorer 11. The only excep
out the websites for which users turn on Enterprise Mode using the Tools menu.If you turn this setting on users can see and use the Enter
at are part of the domains configured in the policy. When disabled or not configured all domains will be included in site discovery. This pol
hat are part of the zones configured in the policy. When disabled or not configured all Zones will be included in site discovery. This policy c
ult web browser. Users cannot change the setting.If you disable this policy setting users will not be notified if Internet Explorer is not the d
can enter a list of sites which will be allowed to open pop-up windows regardless of user settings. Only the domain name is allowed so ww
ols accessing and managing favorites viewing a history of visited pages printing and accessing email and newsgroups. The menu bar conta
e or do not configure this policy setting the user can use the "Fix settings" functionality.Note: When this policy setting is enabled the "Fix se
from the Command bar. â€¢ The shortcut key F1 does not make Help appear. â€¢ Help cannot be accessed from the Settings charm (s
s content. SmartScreen Filter also prevents the execution of files that are known to be malicious.If you enable this policy setting SmartScr
from the Internet.If you enable this policy setting SmartScreen Filter warnings block the user.If you disable or do not configure this policy
om secure sites.If you enable this policy setting the user cannot change the filter level. You can specify the filter level by importing Privacy
an configure proxy settings.
er.If you disable or do not configure this policy setting the user can change the default search provider.
en in Internet Explorer when he or she clicks links from other applications. You must specify one of the following: â€¢ Open in an existing
ecify whether tabs should open in the foreground or in the background. The user cannot open the tabs in the background by pressing Ctrl+
tting the Search box does not appear in the Internet Explorer frame.If you disable or do not configure this policy setting the Search box ap
or do not configure this policy setting the user can add websites to or remove websites from the exception list.Note: You can allow a defau
is known to host malware.If you enable this policy setting the user is not prompted to turn on SmartScreen Filter. All website addresses th
s policy setting the user is not prompted to enable the phishing filter. You must specify which mode the phishing filter uses: manual autom
back Options command does not appear on the Help menu.If you disable this policy setting the user must participate in the CEIP and the C
onfigure this policy setting ActiveX controls can be installed on a per-user basis.
ake one of the following choices: â€¢ Skip the First Run wizard and go directly to the user's home page. â€¢ Skip the First Run wizard an
ware\policies\Microsoft\Internet Explorer\SearchScopes]). Normally search providers can be added from third-party toolbars or in Setup b
xplorer) or to search the hard disk (from File Explorer). If the user presses F3 a prompt appears that informs the user that this feature has b
their Search Assistant settings such as setting default search engines for specific tasks.If you disable this policy or do not configure it users
onents\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mo
h or default. Low creates very few tab processes; medium creates a moderate amount of tab processes; and high allows the tab process to
mployees see an additional page in Internet Explorer 11 stating that a site has been opened using Microsoft Edge with Enterprise Mode.If y
ut:blank) the first home page the new tab page or the new tab page with my news feed.If you disable or do not configure this policy settin
allow the installation of ActiveX controls.If you disable or do not configure this policy setting ActiveX controls including per-user controls a
If you disable or do not configure this policy setting users can pin sites.
hat Internet Explorer has not used before a Notification bar will appear asking the user for approval.If you enable this policy setting the Ac
re slowing his or her browsing and displays a button that opens the Disable Add-ons dialog box. The Disable Add-ons dialog box displays th
able or do not configure this policy setting Automatic Crash Recovery prompts the user to recover his or her data after a program stops re
ned off.If you disable this policy setting browser geolocation support is turned on.If you do not configure this policy setting browser geolo
ndows in tabbed browsing. You must specify one of the following values: 0: Let Internet Explorer decide. 1: Force pop-up windows to o
Service Pack 1 and earlier namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.If
vorites bar is turned on.If you do not configure this policy setting the user can turn on or turn off the Favorites bar.
own to host malware.If you enable this policy setting the user is not prompted to turn on SmartScreen Filter. You must specify which mod
ontent to be re-rendered at a scaled size.If you disable or do not configure this policy setting applications that host MSHTML respond to u
e (grayed out) and all other pop-up manager controls notifications and dialog boxes will not appear. Pop-up windows will continue to func
you disable or do not configure this policy setting Quick Tabs is turned on.
ng Session feature.If you disable or do not configure this policy setting the user can use the Reopen Last Browsing Session feature.
o not configure this policy setting the user can choose to view suggestions for all user-installed search providers that offer suggestions.
ng is turned on.If you do not configure this policy setting the user can turn on or turn off Tab Grouping.
.If you enable this policy setting tabbed browsing and related entry points are turned off for Internet Explorer and the user cannot turn th
eb addresses. The user cannot change the auto-complete for web-address setting.If you disable this policy setting user will be suggested m
not appear until the user starts typing.If you disable or do not configure this policy setting when a user clicks in the Search box the quick p
eature is turned off.If you disable or do not configure this policy setting the feature is turned on.
perly.If you enable this policy setting ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering although
can log information that is blocked by new Internet Explorer features. The user cannot turn off logging.If you disable this policy setting the
nd the user cannot turn it off.If you disable this policy setting the menu bar appears in Internet Explorer by default and the user cannot tu
e aggregated using a client management solution(SCCM) or other means. When disabled no data will be written to the WMI class. Enablin
fied when setting this policy. When disabled no data will be written to the XML file. Enabling or disabling this setting will not impact other o
that the user might want to visit.If you enable this policy setting the user is not prompted to enable Suggested Sites. The userâ€™s browsi
swords". The Auto Complete feature for User names and passwords on Forms will be turned on. You have to decide whether to select "pro
time it is started.If you enable this policy users' dial-up settings will be configured by Automatic Detection.If you disable this policy or do n
this policy setting Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Ex
user cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not overlap
the user cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not ov
d through Group Policy. The user cannot add or delete Accelerators.If you disable or do not configure this policy setting the user can acces
ccess Accelerators and install new Accelerators.
which you specify that administrator-approved controls can be run.If you disable this policy or do not configure it this control will not be d
nd obtain information about vehicles.If you enable this policy this control can be run in security zones in which you specify that administra
ed by a web site because it includes file access and other features and a "safe for scripting" version that has restricted functionality and is
can be run in security zones in which you specify that administrator-approved controls can be run.If you disable this policy or do not confi
cify that administrator-approved controls can be run.If you disable this policy or do not configure it these controls will not be designated a
Microsoft Windows interface.If you enable this policy this control can be run in security zones in which you specify that administrator-app
b.If you enable this policy this control can be run in security zones in which you specify that administrator-approved controls can be run.If
which you specify that administrator-approved controls can be run.If you disable this policy or do not configure it this control will not be
n.If you disable this policy or do not configure it this control will not be designated as administrator-approved.To specify how administrato
zones in which you specify that administrator-approved controls can be run.If you disable this policy or do not configure it these controls
be run.If you disable this policy or do not configure it this control will not be designated as administrator-approved.To specify how adminis
disable this policy or do not configure it this control will not be designated as administrator-approved.To specify how administrator-approv
g the user is not prompted when a script that is running in any process on the computer performs a Clipboard operation. This means that i
e is set to prompt.If you enable this policy setting the user is not prompted when a script that is running in the Internet Explorer process p
nternet Explorer processes use the "Bypass prompting for Clipboard access for scripts running in the Internet Explorer process" policy. If t
f you disable this policy or do not configure it users can open a Web page in a new browser window by using the shortcut menu.This policy
Disk command while attempting to download a file. The file will not be downloaded and users will be informed that the command is not a
are not prevented from closing the browser or File Explorer.Note: The Close button in the top right corner of the program will not work; if
g Window. The user interface is not changed but a new window will not be opened and users will be informed that the command is not av
ers click the Open command they will be notified that the command is not available.If you disable this policy or do not configure it users c
a Web page.If you enable this policy the Web Page Complete file type option will be removed from the Save as Type box in the Save Web P
olicy or do not configure it users can save Web pages for later viewing.This policy takes precedence over the "File Menu: Disable Save As W
figure it users can display content about switching from Netscape by clicking the For Netscape Users command on the Help menu.Caution
able this policy or do not configure it users can fill out an Internet form to provide feedback about Microsoft products.
y or do not configure it users can enable or disable the Tip of the Day which appears at the bottom of the browser.
configure it users can run the tour from the Help menu.
nterface and the Favorites button on the browser toolbar appears dimmed. The Add to Favorites command on the shortcut menu is disab
cache size and connection and proxy settings from the browser Tools menu. When users click the Internet Options command on the Tools
xplorer and any printers under the Devices charm.If you enable this policy setting the Print menu in Internet Explorer will not be available
the desktop.If you enable this policy setting the shortcut menu will not appear when a user right-clicks a webpage.If you disable or do not
r settings or in the tools menu in the desktop. Users wonâ€™t be able to use it to launch the report site problems dialog box.If you disable
will not display the browser in a full screen.If you disable this policy or do not configure it users can display the browser in a full screen.Thi
able this policy or do not configure it then users can view the HTML source of Web pages from the browser View menu.Caution: This policy
used during browser navigation. If a user visits a site on the compatibility lists the pages are automatically displayed in Compatibility View.
e the Compatibility View button or manage the Compatibility View sites list.If you disable or do not configure this policy setting the user c
able this policy setting the user cannot use the Compatibility View button.If you disable or do not configure this policy setting the user can
in Internet Explorer 7 Standards Mode or the Standards Mode available in the latest version of Internet Explorer.If you enable this policy s
rnet Explorer uses the current user agent string for local intranet content. Additionally all local intranet Standards Mode pages appear in t
not remove the entries that you specify.If you disable or do not configure this policy setting the user can add and remove sites from the lis
net Explorer.If you enable this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appen
et files cookies history form data and passwords) are applied and those items are deleted.If you enable this policy setting deleting browsin
menu click Internet Options click the General tab and then click Settings under Browsing history.If you enable this policy setting a user cann
r 10" in the TechNet technical library.If you enable this policy setting the user cannot access the Delete Browsing History dialog box. Starti
disable ActiveX Filtering or Tracking Protection. In addition Tracking Protection data is also collected if users turn on the Personalized Tra
f you disable this policy setting cookies are deleted when the user clicks Delete.If you do not configure this policy setting the user can choo
when the user clicks Delete.If you disable this policy setting download history is deleted when the user clicks Delete.If you do not configure
user clicks Delete.If you disable this policy setting favorites site data is deleted when the user clicks Delete.If you do not configure this pol
te.If you disable this policy setting form data is deleted when the user clicks Delete.If you do not configure this policy setting the user can c
third-party items should be blocked when InPrivate Filtering is enabled. This feature is available in the Delete Browsing History dialog box.
te.If you disable this policy setting passwords are deleted when the user clicks Delete.If you do not configure this policy setting the user ca
ved when the user clicks Delete.If you disable this policy setting temporary Internet files are deleted when the user clicks Delete.If you do
hat the user has visited are preserved when he or she clicks Delete.If you disable this policy setting websites that the user has visited are d
et Explorer.If you enable this policy setting users will not be able to delete temporary Internet files and cookies.If you disable or do not con
and printing.If you disable this policy or do not configure it users can see and change these settings.When you set this policy you do not ne
y or do not configure it users can see and change these settings.When you set this policy you do not need to set the following policies for
e and change these settings.
and accessibility.If you disable this policy or do not configure it users can see and change these settings.When you set this policy you do no
not configure it users can see and change these settings.
policy or do not configure it users can see and change these settings.When you set this policy you do not need to set the following policie
ser authentication.If you disable this policy or do not configure it users can see and change these settings.When you set this policy you do
Internet Explorer.If you enable this policy setting the user cannot continue browsing.If you disable or do not configure this policy setting t
DNS) servers or to proxy servers.If you enable this policy setting you must specify when IDN server names should be sent: 0) Unicode do
TF-8.If you disable or do not configure this policy setting Internet Explorer sends mailto links encoded through the user's code page. This b
t.If you disable this policy setting active content on a CD will always prompt before running.If you do not configure this policy users can cho
a and Java) that are required in order to view web pages as intended.If you enable this policy setting non-Internet Explorer components w
Web page that requires Japanese-text display support Internet Explorer could prompt the user to download the Japanese Language Pack c
f you enable this policy setting Internet Explorer uses the HTTP2 network protocol.If you disable this policy setting Internet Explorer won't
nd prioritization.If you enable this policy setting Internet Explorer uses the SPDY/3 network protocol.If you disable this policy setting Intern
e that someone has tampered with the file.If you enable this policy setting users will be prompted to install or run files with an invalid sign
ns which impact Internet Explorer's performance or stability.If you enable this policy setting Internet Explorer automatically launches any b
. The DNT:1 header signals to the servers not to track the user.For Internet Explorer 9 and 10:If you disable this policy setting Internet Exp
prompted to install new versions as they become available.If you enable this policy setting Internet Explorer checks the Internet for a new
is option protects users from submitting confidential data to a site that may be fraudulent or not secure.If you enable this policy setting In
computers before downloading executable programs.If you enable this policy setting Internet Explorer will check the digital signatures of
otected Mode and a website attempts to load the control Internet Explorer notifies the user and gives the option to run the website in reg
ry and disable add-ons that are not preapproved.If you enable this policy setting the user cannot use Reset Internet Explorer Settings.If yo
e which may be insecure.If you enable this policy setting Internet Explorer will not save encrypted pages containing secure (HTTPS) inform
s on the computer or storing sensitive files that other users could see in addition to managing total disk space usage.If you enable this poli
as java applets are not.If you enable this policy setting Internet Explorer will play animated pictures found in Web content.If you disable th
ava applets are not.If you enable this policy setting Internet Explorer will play sounds found in Web content.If you disable this policy setting
pplets are not.If you enable this policy setting Internet Explorer will play videos found in Web content.If you disable this policy setting Inte
host MSHTML do not render text by using the Microsoft ClearType rendering engine.If you disable or do not configure this policy setting a
unication between the browser and the target server. When the browser attempts to set up a protected communication with the target se
seamlessly switches into view.If you enable this policy setting Internet Explorer doesn't load any websites or content in the background.If
t be prompted to provide information.If you disable this policy setting then when a Web site requests Profile Assistant information users w
s policy setting you must specify when to use UTF-8 to encode query strings: 0) Never encode query strings. 1) Only encode query strin
page prediction works. This feature isn't available for Internet Explorer for the desktop.If you enable this policy setting flip ahead with pag
ons of Windows.Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used.If you enable this po
ctionality such as using the Shift key to select text and copying a selection to the clipboard. This policy setting is particularly useful to users
Mode also limits the locations Internet Explorer can read from in the registry and the file system.If you enable this policy setting Enhanced P
HTTP 1.1.If you do not configure this policy setting users can configure Internet Explorer to use or not use HTTP 1.1.
isable this policy setting Internet Explorer does not use HTTP 1.1 through proxy connections.If you do not configure this policy setting user
tab of the Internet Options dialog box. Users can change Content Advisor settings.If you disable or do not configure this policy setting Inte
ew browsing session with the tabs from the last browsing session.If you enable this policy setting Internet Explorer starts a new browsing
website database and caches on Website Data Settings will be unavailable to users.If you disable this policy setting websites will not be able
w website database and caches on Website Data Settings will be unavailable to users.If you disable this policy setting websites will not be
torage limits for application caches. If a domain exceeds the application cache storage limit for an individual domain Internet Explorer send
en you set this policy setting you provide the expiration time limit in days.If you enable this policy setting Internet Explorer will remove app
g Internet Explorer displays a notification when a website exceeds the configured storage limit.If you disable or do not configure this policy
storage limits for indexed databases. If a domain exceeds the indexed database storage limit for an individual domain Internet Explorer se
nternet Explorer sends an error to the website. No notification will be displayed to the user. When you set this policy setting you provide t
umber of resources allowed including the page that referenced the manifest Internet Explorer sends an error to the website. No notificatio
es the user and the user must delete application caches before an updated one can be saved on their computer. The default maximum sto
tifies the user and the user must delete indexed databases before an updated database can be saved on their computer. The default maxim
and select a security level all values for individual settings in the zone will be overwritten by the standard template defaults.If you disable
plicitly mapped into a zone are considered to be in the Intranet Zone.If you disable this policy setting local sites which are not explicitly ma
this policy setting network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).If you do not confi
e Intranet Zone.If you disable this policy setting sites which bypass the proxy server aren't necessarily mapped into the Intranet Zone (othe
ternet Explorer has 4 security zones numbered 1-4 and these are used by this policy setting to associate sites to zones. They are: (1) Intran
mapping rules are applied automatically if the computer belongs to a domain.If you disable this policy setting automatic detection of the i
tificates issued for a different website address. This warning helps prevent spoofing attacks.If you enable this policy setting the certificate
net mappings if they require them.If you enable this policy setting a Notification bar notification appears whenever the user browses to a
setting users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the
ricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy.If you enable this p
-down box users are queried to choose whether to allow script code on pages in the zone to run.If you disable this policy setting script cod
ng binary and script behaviors are available. If you select Administrator approved in the drop-down box only behaviors listed in the Admin-
d operation.If you select Prompt in the drop-down box users are queried as to whether to perform clipboard operations.If you disable this
one automatically. If you select Prompt in the drop-down box users are queried to choose whether to drag or copy files from this zone.If y
e file is delivered.If you enable this policy setting files can be downloaded from the zone.If you disable this policy setting files are prevente
nd Prompt is selected in the drop-down box users are queried whether to allow HTML fonts to download.If you disable this policy setting H
zone automatically.If you select Prompt in the drop-down box users are queried to choose whether to install desktop items from this zone
dbox and take advantage of the Windows Presentation Foundation platform for the web.If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation.If you enable this policy setting and set the drop-down box
this policy setting and set the drop-down box to Enable XPS files are automatically loaded inside Internet Explorer. The user cannot chang
b page.If you enable this policy setting a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current sit
isable this policy setting the TDC Active X control will run from all sites in this zone.
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.If you enable this policy setting use
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer) it m
y setting script access to the WebBrowser control is not allowed.If you do not configure this policy setting the user can enable or disable sc
t apply in this zone. The security zone runs without the added layer of security provided by this feature.If you disable this policy setting the
ot configure this policy setting the user can enable or disable scriptlets.
figure this policy setting script is not allowed to update the status bar.
tion.If you selected Prompt in the drop-down box users are asked to choose whether to allow VBScript to run.If you selected Disable in the
ernal controls or media players.The dynsrc attribute on the img tag specifies an older media player. Also as of Internet Explorer 8 this polic
s that have no status bar or Address bar.If you disable this policy setting websites cannot open new Internet Explorer windows that have n
splay any scripted windows by using the Notification bar.If you do not configure this policy setting the user can enable or disable the Notifi
they do not have installed.If you disable this policy setting ActiveX control installations will be blocked using the Notification bar. Users ca
this setting users will receive a file download dialog for automatic download attempts.If you disable or do not configure this setting file do
tems.If you enable this policy setting and the drop-down box is set to Enable the user does not receive a security information message (Th
sers with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate.If you disable t
eck with your antimalware program to see if it's safe to create an instance of the ActiveX control.If you disable this policy setting Internet
you select Prompt in the drop-down box users are queried whether to download controls signed by publishers who aren't trusted. Code s
this policy setting users can run unsigned controls without user intervention. If you select Prompt in the drop-down box users are queried
ble users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble users can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot
nature.If you enable this policy setting the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the a
ed to the server. For instance files sent from the user's desktop may contain the user name as a part of the path.If you enable this policy s
usted data or scripts. This setting is not recommended except for secure and administered zones. This setting causes both unsafe and safe
Safety enables applets to perform all operations.Medium Safety enables applets to run in their sandbox (an area in memory outside of whi
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol.Prompt for user name and password to query users for user IDs
domains and access applications from other domains. If you select Prompt in the drop-down box users are queried whether to allow wind
Enable or Disable under Options in Group Policy Editor.If you disable or do not configure this policy setting users can choose whether or n
erenced from an object tag and managed executables referenced from a link.If you enable this policy setting Internet Explorer will execut
nced from an object tag and managed executables referenced from a link.If you enable this policy setting Internet Explorer will execute sig
tion.If you selected Prompt in the drop-down box users are asked to choose whether to allow the controls or plug-in to run.If you disable t
tervention.If you select Prompt in the drop-down box users are queried to choose whether to allow script interaction.If you disable this po
Prompt in the drop-down box users are queried to choose whether to allow scripts to access applets.If you disable this policy setting script
File Explorer for example).If you enable this policy setting and set the drop-down box to Enable these files open without a security warnin
software updates by e-mail software packages to be automatically downloaded to users' computers and software packages to be automa
ts non-SSL form data submission.If you enable this policy setting information using HTML forms on pages in this zone can be submitted aut
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes t
ed to approve the control. This policy setting determines whether the user is prompted.If you enable this policy setting the first-run promp
sites in this zone and the XSS Filter attempts to block cross-site script injections.If you disable this policy setting the XSS Filter is turned off
try and the file system.If you enable this policy setting Protected Mode is turned on. The user cannot turn off Protected Mode.If you disab
able this policy setting SmartScreen Filter does not scan pages in this zone for malicious content.If you do not configure this policy setting t
wanted pop-up windows are prevented from appearing.If you disable this policy setting pop-up windows are not prevented from appearin
e the state of the page can be restored if this policy setting is appropriately configured.If you enable this policy setting users can preserve
an open new windows in or navigate into this zone. The security zone will run without the added layer of security that is provided by the P
figure this policy setting script is allowed to update the status bar.
this setting users will receive a file download dialog for automatic download attempts.If you disable or do not configure this setting users
open new windows in or navigate into this zone. The security zone will run without the added layer of security that is provided by the Pro
from other domains and access applications from other domains. If you select Prompt in the drop-down box users are queried whether to
restricted protocols may be set in the Trusted Sites Zone Restricted Protocols section under Network Protocol Lockdown policy.If you ena
from other domains and access applications from other domains. If you select Prompt in the drop-down box users are queried whether to
ternet Explorer does not open tiles on the desktop.If you do not configure this policy users can choose how Internet Explorer tiles are ope
setting Internet Explorer enforces your choice. Users cannot change the setting.If you disable or do not configure this policy setting users
Address bar if it is available.If you disable or do not configure this policy setting Internet Explorer does not go directly to an intranet site fo
plorer will be hidden.If you disable this policy setting the button to open Microsoft Edge from Internet Explorer will be shown.If you do no
ways â€¢ Never â€¢ Hover (when the mouse pointer pauses on a link)If you disable or do not configure this policy setting the user can c
er sees only the error code and the name of the error.If you enable this policy setting when there is a problem connecting with an Interne
page transitions will be turned off. The user cannot change this behavior.If you disable this policy setting page transitions will be turned o
ne number detection is turned off. Users won't be able to modify this setting.If you disable this policy setting phone number detection is tu
you disable this policy setting smooth scrolling is turned on. The user cannot turn off smooth scrolling.If you do not configure this policy se
wse edit and debug .htm and .asp files that contain Microsoft Visual Basic Scripting Edition (VBScript) or Microsoft JScript.If you enable th
re testing webpages.If you enable this policy setting the user is shown script errors when a page does not appear properly because of prob
s policy setting the Internet Connection Wizard starts automatically if it was not completed before. The user cannot prevent the wizard fro
appropriate software is installed.If you disable this policy setting Internet Explorer does not play these files.If you do not configure this poli
mpletely downloaded. This option is ignored if the Show Pictures check box is cleared.If you enable this policy setting placeholders appea
e user cannot change this setting.If you disable this policy setting automatic image resizing is turned on. The user cannot change this settin
e quickly you can turn off image display.If you enable this policy setting images do not appear. The user cannot turn on image display. How
annot turn it on.If you disable this policy setting smart image dithering is turned on. The user cannot turn it off.If you do not configure this
printed and the quality of the printing depending on the capabilities of the printer.If you enable this policy setting the printing of backgrou
he user cannot change the specified action. â€¢ Do not search from the Address bar: The user cannot use the Address bar for searches. T
ser performs a search in the Address bar a list of search results from the selected search provider is displayed in the main window. â€¢ E
ration Kit (IEAK).If you enable this policy setting Internet Explorer is started automatically to complete the signup process after the brandi
default this functionality is turned on in File Explorer.If you enable this policy setting Inline AutoComplete for File Explorer is turned off. T
nth. No user data is sent over the internet by this feature.If you enable this policy setting URL Suggestions will be turned off. Users will not
ntering a web address in the browser Address bar. This feature provides more relevant results in the browser Address bar.If you enable th
dress or command with the closest match.If you enable this policy setting inline AutoComplete is turned on. The user cannot turn it off.If y
e default text size: â€¢ Largest â€¢ Larger â€¢ Medium â€¢ Smaller â€¢ SmallestIf you disable or do not configure this policy setti
fy the background color (for example: 192192192).If you disable or do not configure this policy setting the user can specify the background
(for example: 192192192).If you disable or do not configure this policy setting the user can specify the text color in Internet Explorer.
policy setting Windows colors are turned on. The user cannot turn them off.If you do not configure this policy setting the user can turn on
e high-contrast color schemes.If you enable this policy setting the user cannot specify the color of links already clicked in Internet Explorer
e high-contrast color schemes.If you enable this policy setting the user cannot specify the color of links not yet clicked in Internet Explorer.
must specify the hover color (for example: 192192192).If you disable or do not configure this policy setting the user can specify the hover
cy setting the hover color option is turned off. The user cannot turn it on.If you do not configure this policy setting the user can turn on or
resses (URLs) that contain characters from any language.If you enable this policy setting Internet Explorer does not allow sending the path
policy the Add Active Channel button which appears on a channel that users haven't yet subscribed to will be disabled. Users also cannot a
ed to the Internet.If you enable this policy users cannot add new schedules for downloading offline content. The Make Available Offline ch
et.If you enable this policy the check boxes for schedules on the Schedule tab of the Web page properties are cleared and users cannot se
olicy the Channel bar interface will be disabled and users cannot select the Internet Explorer Channel Bar check box on the Web tab in the
to the Internet.If you enable this policy content will not be downloaded from Web sites that users have subscribed to. However synchron
ges it links to.If you enable this policy the Add Remove and Edit buttons on the Schedule tab in the Web page Properties dialog box are dim
nnected to the Internet.If you enable this policy users cannot display the schedule properties of pages that have been set up for offline vie
nel providers in the channel definition format (.cdf) file. The .cdf file determines the schedule and other settings for downloading Web con
provider.If you enable this policy users cannot prevent channels from being synchronized.If you disable this policy or do not configure it u
ter is not connected to the Internet.If you enable this policy the Make Available Offline check box in the Organize Favorites Favorite dialog
of subscriptions a prompt will appear that states that they cannot set up more Web sites for offline viewing.If you disable this policy or do
n or per document for this security zone.If you disable this policy or do not configure it you cannot set this limit.Note: This setting does no
domain or per document for this security zone.If you disable this policy or do not configure it you cannot set this limit.Note: This setting do
r domain or per document for this security zone.If you disable this policy or do not configure it you cannot set this limit.Note: This setting
r domain or per document for this security zone.If you disable this policy or do not configure it you cannot set this limit.Note: This setting d
omain or per document for this security zone.If you disable this policy or do not configure it you cannot set this limit.Note: This setting do
e it is blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However do
re it is blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However d
s browsing session. By default the computer does not load them when InPrivate Browsing starts.If you enable this policy setting toolbars a
that referenced it. It is collected during non-InPrivate (normal) browsing sessions.If you enable this policy setting InPrivate Filtering data c
et files history and other data.If you enable this policy setting InPrivate Browsing is turned off.If you disable this policy setting InPrivate Bro
sit. InPrivate Filtering does this by identifying third-party content that is used by multiple websites that users have visited.If you enable thi
y visit. Tracking Protection does this by identifying third-party content that is used by multiple websites that users have visited.If you enab
e button the current password value is visible until the mouse button is released (or until the tap ends).If you enable this policy setting the
se 64 encoding. Malware filters or other network-based filters may not properly filter encapsulated data.If you enable this policy setting D
are specifically written to extend or enhance the functionality of the browser or web pages.This list can be used with the 'Deny all add-on
xplorer processes or those listed in the 'Process List' policy setting ignore add-on management user preferences and policy settings.If you
elper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.By default the 'Add
esses use the add-on management user preferences and policy settings. This policy setting allows you to extend support for these user pre
Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.If you disable or do
u enable this setting IE stops downloading updated versions of VersionList.XML. Turning off this automatic download breaks the out-of-da
plorer stops blocking outdated ActiveX controls.If you disable or don't configure this policy setting Internet Explorer continues to block spe
e this policy setting you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Each
hat loaded the control and whether it was blocked) to a local file.If you disable or don't configure this policy setting Internet Explorer won'
he user cannot run natively implemented scriptable XMLHTTP.If you do not configure this policy setting the user can choose to run nativel
es the connection limit of your choice for HTTP 1.1.If you disable or do not configure this policy setting Internet Explorer uses the default c
Internet Explorer will use the default connection limit for HTTP 1.0 (6 connections per host).In versions of Internet Explorer prior to Intern
uses the WebSocket connection limit that you set with this policy setting.If you disable or do not configure this policy setting Internet Exp
arty domains embedded in the page.If you disable or do not configure this policy setting documents can request data across third-party do
. This policy setting does not prevent client-side communication across domains via other features in Internet Explorer 10. Also this policy
omains through other features in Internet Explorer 8 and it does not prevent a site from requesting cross-domain data through a server.If
e opted in to the behavior and to all zones. (Behaviors are components that encapsulate specific functionality or behavior on a page.)If you
avior Security Restriction setting is prevented or allowed.If you enable this policy setting binary behaviors are prevented for all processes.
nd MD4 signing technologies by default because they are not as secure as other technologies.If you enable this policy setting Internet Exp
avior Security Restriction setting is prevented or allowed.If you enable this policy setting binary behaviors are prevented for the File Explor
avior Security Restriction setting is prevented or allowed.This policy setting allows administrators to define applications for which they wa
er requires that all file-type information provided by Web servers be consistent. For example if the MIME type of a file is text/plain but the
ve the fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and content. T
ve the fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and content p
ter have the fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and con
re is enabled for all processes.If you disable or do not configure this policy setting the Mime Sniffing Safety Feature is disabled for all proce
te a file of one type to a more dangerous file type.If you disable this policy setting Internet Explorer processes will allow a MIME sniff prom
for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 this protection
disabled for all processes. Any use of the MK Protocol is blocked.If you disable or do not configure this policy setting the MK Protocol is ena
prevented for File Explorer and Internet Explorer and resources hosted on the MK protocol will fail.If you disable this policy setting applicati
pplications for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 use
h restricted protocols is prevented or allowed.If you enable this policy setting restricting content obtained through restricted protocols is
t obtained through restricted protocols is prevented or allowed.If you enable this policy setting restricting content obtained through restri
h restricted protocols is prevented or allowed.This policy setting allows administrators to define applications for which they want restricti
e user or simply disabling the content. For each zone this list of protocols may be configured here and applies to all processes which have
ar is not displayed for any process when file or code installs are restricted (except for the Internet Explorer Processes for which the Notifica
Explorer processes.If you enable this policy setting the Notification bar will be displayed for Internet Explorer Processes.If you disable this
when file or code installs are restricted (except for the Internet Explorer Processes for which the Notification bar is displayed by default).If y
ssible when navigating within or across domains for all processes.If you disable or do not configure this policy setting object reference is re
ccessible when navigating within or across domains for Internet Explorer processes.If you disable this policy setting an object reference is r
which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 references to obj
n the local computer have the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a
er have the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a prime target for ma
mputer have the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a prime target
atic prompting of ActiveX control installation for all processes.If you disable or do not configure this policy setting the Web Browser Contro
Explorer processes.If you disable this policy setting prompting for ActiveX control installations will not be blocked for Internet Explorer pro
g of ActiveX control installation is blocked. If you enter a Value of 0 automatic prompting of ActiveX control installation is allowed. The Val
l block automatic prompting of file downloads that are not user initiated for all processes.If you disable this policy setting the Web Browse
ocesses.If you disable this policy setting prompting will occur for file downloads that are not user initiated for Internet Explorer processes.I
matic prompting of non-initiated file downloads is blocked. If you enter a Value of 0 automatic prompting of non-initiated file downloads is
ng windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.If you enable this
ng windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.If you enable this
ng windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.This policy settin
e check boxes for each button.If you disable this policy or do not configure it the standard toolbar will be displayed with its default settings
played according to which one of the following options you choose and the user cannot change how command buttons are displayed:Show
on. This is present under the Toolbars submenu of the View menu in Internet Explorer 6 and under the Toolbars submenu of the Tools me
then pointing to the Toolbars command will appear dimmed.If you disable this policy or do not configure it users can determine which too
.If you do not configure this policy setting the user can change where tabs are displayed.
d bar is shown and the user cannot choose to hide it.If you do not configure this policy setting the Command bar is shown by default and t
n and the user cannot choose to hide it.If you do not configure this policy setting the status bar is shown by default and the user can choo
lbars are unlocked and the user can move them.If you do not configure this policy setting the toolbars are locked by default but the user c
and the user cannot move them.If you disable this policy setting the Stop and Refresh buttons are next to the Address bar and the user ca
ure this policy setting the user can access Developer Tools.
the tool detects an incompatible toolbar the user is prompted to update or disable the toolbar. Specific toolbars or Browser Helper Object
sable this policy setting icons for command buttons are 16 x 16 pixels (the default) and cannot be made bigger (20 x 20 pixels).If you do no
n information from the location feature. If you disable or do not configure this policy setting all programs on this computer will not be
tion scripts will run.
you disable or do not configure this policy setting all programs on this computer can use the sensor feature.
y console files that open in author mode by default.As a result users cannot create console files or add or remove snap-ins. Also because th
if you plan to prohibit use of most snap-ins. To explicitly permit a snap-in open the Restricted/Permitted snap-ins setting folder and enab
as a standalone console. If you disable this policy setting the snap-in is prohibited and cannot be added into the Microsoft Management C
e explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.-- If "Restrict users to the explicit
s displayed in the property sheet for a site domain or organizational unit displayed by the Active Directory Users and Computers and Activ
new Application preference item and you are unable to do so. This policy setting does not affect existing Application preference items.If y
of the GPMC.If you enable this policy setting you permit use of the preference extension. Enabling this policy setting overrides the "Restric
figuration\Preferences\Control Panel Settings. When the Control Panel Settings item or a preference extension is prohibited it does not ap
ation\Preferences\Control Panel Settings. When the Control Panel Settings item or a preference extension is prohibited it does not appear
of the GPMC.If you enable this policy setting you permit use of the preference extension unless restricted by the "Permit use of Control P
e GPMC.If you enable this policy setting you permit use of the preference extension unless restricted by the "Permit use of Control Panel S
f the GPMC.If you enable this policy setting you permit use of the preference extension. Enabling this policy setting overrides the "Restrict
of the GPMC.If you enable this policy setting you permit use of the preference extension. Enabling this policy setting overrides the "Restri
PMC.If you enable this policy setting you permit use of the preference extension. Enabling this policy setting overrides the "Restrict users t
w of the GPMC.If you enable this policy setting you permit use of the preference extension unless restricted by the "Permit use of Control
e GPMC.If you enable this policy setting you permit use of the preference extension. Enabling this policy setting overrides the "Restrict use
dow of the GPMC.If you enable this policy setting you permit use of the preference extension unless restricted by the "Permit use of Contro
or window of the GPMC.If you enable this policy setting you permit use of the preference extension unless restricted by the "Permit use of
dow of the GPMC.If you enable this policy setting you permit use of the preference extension unless restricted by the "Permit use of Contr
ow of the GPMC.If you enable this policy setting you permit use of the preference extension. Enabling this policy setting overrides the "Res
w of the GPMC.If you enable this policy setting you permit use of the preference extension unless restricted by the "Permit use of Control
ditor window of the GPMC. The Extended and Standard tabs are unaffected and you can still create and manage preference items.If you en
dow of the GPMC.If you enable this policy setting you permit use of the preference extension unless restricted by the "Permit use of Contr
ow of the GPMC.If you enable this policy setting you permit use of the preference extension unless restricted by the "Permit use of Contro
the GPMC.If you enable this policy setting you permit use of the preference extension. Enabling this policy setting overrides the "Restrict u
f the GPMC.If you enable this policy setting you permit use of the preference extension unless restricted by the "Permit use of Control Pan
a built-in sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default valu
mputer and the settings storage location. If you enable this policy setting the UE-V Agent will not synchronize settings for Windows apps.If
vider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesnâ€™t attempt the synchroniza
ormation about package file size. If you enable this policy setting specify the threshold file size in bytes. When the settings package file exce
configure this policy setting the user settings are stored in the userâ€™s home directory if configured for your environment.
nnection.With this setting enabled the UE-V Agent synchronizes settings over a metered connection.With this setting disabled the UE-V Ag
aming connection.By default the UE-V Agent does not synchronize settings over a metered connection that is roaming.With this setting en
milliseconds. If you enable this policy setting set the number of milliseconds that the system waits to retrieve settings. If you disable or do
Windows desktop settings Ease of Access settings and network printers. Use this policy setting to specify which Windows settings synchroni
nd checkpoints are normally stored only on the local computer. With this policy setting enabled the rollback information is copied to the se
icy setting to suppress the backup of specific Microsoft Access 2013 settings.If you enable this policy setting certain user settings of Micros
icy setting to suppress the backup of specific Microsoft Access 2016 settings.If you enable this policy setting certain user settings of Micros
alculator from synchronization between computers. If you enable this policy setting the Calculator user settings continue to synchronize. I
een applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific
een applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific
setting to suppress the backup of specific Microsoft Excel 2013 settings.If you enable this policy setting certain user settings of Microsoft E
setting to suppress the backup of specific Microsoft Excel 2016 settings.If you enable this policy setting certain user settings of Microsoft E
policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings.If you enable this policy setting certain user settings of M
he user settings for Internet Explorer 10 from synchronization between computers. If you enable this policy setting the Internet Explorer 1
he user settings for Internet Explorer 11 from synchronization between computers.If you enable this policy setting the Internet Explorer 11
e user settings for Internet Explorer 8 from synchronization between computers. If you enable this policy setting the Internet Explorer 8 us
e user settings for Internet Explorer 9 from synchronization between computers. If you enable this policy setting the Internet Explorer 9 us
Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization be
etting to suppress the backup of specific Microsoft Lync 2013 settings.If you enable this policy setting certain user settings of Microsoft Lyn
etting to suppress the backup of specific Microsoft Lync 2016 settings.If you enable this policy setting certain user settings of Microsoft Lyn
vent the user settings of Microsoft Access 2010 from synchronization between computers. If you enable this policy setting Microsoft Acces
vent the user settings of Microsoft Access 2013 from synchronization between computers.If you enable this policy setting Microsoft Access
vent the user settings of Microsoft Access 2016 from synchronization between computers.If you enable this policy setting Microsoft Access
t the user settings of Microsoft Excel 2010 from synchronization between computers. If you enable this policy setting Microsoft Excel 2010
t the user settings of Microsoft Excel 2013 from synchronization between computers.If you enable this policy setting Microsoft Excel 2013
t the user settings of Microsoft Excel 2016 from synchronization between computers.If you enable this policy setting Microsoft Excel 2016
prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers.If you enable this policy setting Microsoft I
prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers.If you enable this policy setting Microsoft I
the user settings of Microsoft Lync 2010 from synchronization between computers. If you enable this policy setting Microsoft Lync 2010 us
the user settings of Microsoft Lync 2013 from synchronization between computers.If you enable this policy setting Microsoft Lync 2013 us
the user settings of Microsoft Lync 2016 from synchronization between computers.If you enable this policy setting Microsoft Lync 2016 us
ft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common b
Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers.If you
Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers.If you
ties of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Access 2013 will synchronize between a userâ€™s w
ties of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Access 2016 will synchronize between a userâ€™s w
UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled then the user settings which are common between the Micro
UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled then the user settings which are common between the Micro
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a userâ€™s wor
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a userâ€™s wor
bilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a userâ€
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a userâ€™s work
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a userâ€™s work
bilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a userâ€
bilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a userâ€
ilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a userâ€™
ilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a userâ€™
pabilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a u
pabilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a u
ities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Project 2013 will synchronize between a userâ€™s
ities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Project 2016 will synchronize between a userâ€™s
bilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a userâ
bilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a userâ
zation capabilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchro
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a userâ€™s work
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a userâ€™s work
ties of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Word 2013 will synchronize between a userâ€™s wo
ties of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Word 2016 will synchronize between a userâ€™s wo
tting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers.If you enable this policy setting O
tting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers.If you enable this policy setting O
prevent the user settings of Microsoft OneNote 2010 from synchronization between computers.If you enable this policy setting Microsoft
revent the user settings of Microsoft Outlook 2010 from synchronization between computers.If you enable this policy setting Microsoft Ou
ng to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers.If you enable this policy setting M
vent the user settings of Microsoft Project 2010 from synchronization between computers.If you enable this policy setting Microsoft Proje
o prevent the user settings of Microsoft Publisher 2010 from synchronization between computers.If you enable this policy setting Microsoft
se the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers.If you e
se the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers.If you e
rs. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers.
the user settings of Microsoft Visio 2010 from synchronization between computers.If you enable this policy setting Microsoft Visio 2010 u
nt the user settings of Microsoft Word 2010 from synchronization between computers.If you enable this policy setting Microsoft Word 201
epad from synchronization between computers. If you enable this policy setting the Notepad user settings continue to synchronize. If you
e policy setting to suppress the backup of specific Microsoft OneNote 2013 settings.If you enable this policy setting certain user settings of
e policy setting to suppress the backup of specific Microsoft OneNote 2016 settings.If you enable this policy setting certain user settings of
policy setting to suppress the backup of specific Microsoft Outlook 2013 settings.If you enable this policy setting certain user settings of M
policy setting to suppress the backup of specific Microsoft Outlook 2016 settings.If you enable this policy setting certain user settings of M
se the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings.If you enable this policy setting certain user se
se the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings.If you enable this policy setting certain user se
olicy setting to suppress the backup of specific Microsoft Project 2013 settings.If you enable this policy setting certain user settings of Micro
olicy setting to suppress the backup of specific Microsoft Project 2016 settings.If you enable this policy setting certain user settings of Micro
he policy setting to suppress the backup of specific Microsoft Publisher 2013 settings.If you enable this policy setting certain user settings o
he policy setting to suppress the backup of specific Microsoft Publisher 2016 settings.If you enable this policy setting certain user settings o
een computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings.If you enable this po
setting to suppress the backup of specific Microsoft Visio 2013 settings.If you enable this policy setting certain user settings of Microsoft Vi
setting to suppress the backup of specific Microsoft Visio 2016 settings.If you enable this policy setting certain user settings of Microsoft Vi
y setting to suppress the backup of specific Microsoft Word 2013 settings.If you enable this policy setting certain user settings of Microsoft
y setting to suppress the backup of specific Microsoft Word 2016 settings.If you enable this policy setting certain user settings of Microsoft
ordPad from synchronization between computers. If you enable this policy setting the WordPad user settings continue to synchronize. If yo
nce from synchronizing between computers.If you enable this policy setting Finance user settings continue to sync.If you disable this policy
s from synchronizing between computers.If you enable this policy setting Games user settings continue to sync.If you disable this policy se
m synchronizing between computers.If you enable this policy setting Maps user settings continue to sync.If you disable this policy setting M
om synchronizing between computers.If you enable this policy setting Music user settings continue to sync.If you disable this policy setting
m synchronizing between computers.If you enable this policy setting News user settings continue to sync.If you disable this policy setting N
er from synchronizing between computers.If you enable this policy setting Reader user settings continue to sync.If you disable this policy se
from synchronizing between computers.If you enable this policy setting Sports user settings continue to sync.If you disable this policy setti
rom synchronizing between computers.If you enable this policy setting Travel user settings continue to sync.If you disable this policy settin
om synchronizing between computers.If you enable this policy setting Video user settings continue to sync.If you disable this policy setting
eather from synchronizing between computers.If you enable this policy setting Weather user settings continue to sync.If you disable this p
r deployers who have their own location or calling schemes such as a Web site or an address book."
er any conflicting settings set by downloading them from this URL.
ng NetMeeting to run always.

mputer. An administrator can opt in the computer by using the sharing wizard to share a file within their profile.If you enable this policy se
their account. Enable this policy to prevent this experience from launching.If this policy is enabled the privacy experience will not launch
be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure
mpt to connect to the remote computer through an RD Gateway server. In this case the clients will attempt to connect to the RD Gateway s
overwrite this policy setting. By default when you enable this policy setting it is enforced. When this policy setting is enforced users canno
y setting. By default when you enable this policy setting it is enforced. When this policy setting is enforced users cannot override this settin
is policy setting users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RD
ecognized by the client such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also c
be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings any password that pr
y certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.2. Full Control with user's pe
e redirection send their time zone information to the server. The server base time is then used to calculate the current session time (curren
use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default Rem
rected in Remote Desktop Services sessions.If you disable or do not configure this policy setting all client printers are redirected in Remote
rver first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Pr
d after a client connects to a remote computer even if an initial program is already specified in the default user profile Remote Desktop Co
uring a Remote Desktop Services session. If you enable this policy setting wallpaper is not displayed in a Remote Desktop Services session
default Remote Desktop Services sessions provide access to the full Windows desktop unless otherwise specified with this setting by the s
the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default Remot
policy setting you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect acti
ect the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the sp
mains active on the server. By default Remote Desktop Services allows users to disconnect from a Remote Desktop Services session witho
t server.By default if a user closes a RemoteApp program the session is disconnected from the RD Session Host server but it is not logged o
tion to the capabilities that are common to all connections the default connection URL allows document file types to be associated with Re
d list in the Favorites Center.If you disable or do not configure this policy setting the user can access the feed list in the Favorites Center.
eive a notification on the toolbar that a feed or Web Slice is available.If you disable or do not configure this policy setting the user receives
nload an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.If you disable
e disabled and access to Web Slices is turned off. A developer cannot add a feed or Web Slice or delete a feed or Web Slice by using the Fe
.If you disable or do not configure this policy setting the user can synchronize feeds and Web Slices in the background.
henticates feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection.If you disable or d
y if a protocol handler referencing a SID-based user scope such as MAPI is specified. File system paths that do not reference a specific SID
handler referencing a SID-based user scope such as MAPI is specified. File system paths that do not reference a specific SID will not be inc
l not be removed.When this policy is disabled or not configured users will be able to add UNC locations to the index.This policy has no effe
k only if a protocol handler referencing a SID-based user scope such as MAPI is specified. File system paths that do not reference a specifi
provided by apps or by Windows based on local content will still appear.If you disable or do not configure this policy setting users will get
d as an audio file.If you enable this policy setting Sound Recorder will not run.If you disable or do not configure this policy setting Sound R
w apps in the private store.If you disable or don't configure this setting users can access the retail catalog in the Microsoft Store.
figure this setting the Store application will offer updates to the latest version of Windows.
setting access to the Store application is allowed.
o it will fail.If you disable this policy you will be able to use this feature to print to a Journal Note.If you do not configure this policy users w
pping Tool will run.
indows Journal accessory will run.
e shown instead of the pen cursors.If you disable or do not configure this policy visual feedback and pen cursors will be shown unless the u
disable this policy Back->ESC mapping will occur.If you do not configure this policy Back->ESC mapping will occur.
om the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab).If you disable this policy applications ca
ay the following text: "Some settings are controlled by Group Policy. If a setting is unavailable contact your system administrator."If you d
nd OEM defined button actions will occur when the buttons are pressed.If you do not configure this policy user and OEM defined button a
ard and the handwriting tab when the feature is available for the current input area and input language.Touch Keyboard and Handwriting
Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyb
l is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard short
l) Japanese and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input languag
numbers or keyboard shortcuts.If you enable this policy Input Panel tab will not appear on the edge of the Tablet PC screen. Users will no
writing or an on-screen keyboard to enter text symbols numbers or keyboard shortcuts.If you enable this policy application auto complete
venting users from switching to another Input Panel skin (the writing pad or character pad) and not showing what keys are tapped when e
ant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. Tablet PC Input Panel
d to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks noti
in Internet Explorer the pen flicks notification and the pen flicks tray icon.If you disable or do not configure this policy pen flicks and relate
will not be able to use touch input or touch gestures such as tap and double tap the touch pointer and other touch-specific features.If you
ing up or down directly on the scrolling content.If you enable this setting the user will not be able to pan windows by touch. If you disable
ng users.The checkbox when checked instructs Task Scheduler to automatically open the newly created task's property sheet upon compl
right-click a task. As a result users cannot change any properties of a task. They can only see the properties that appear in Detail view and
manually or force tasks to end before they are finished.Note: This setting appears in the Computer Configuration and User Configuration fo
and from the Task tab of the properties dialog box for a task. Also users cannot edit the "Run" box or the "Start in" box that determine th
menu in Scheduled Tasks. It also disables the drag-and-drop features of the Scheduled Tasks folder.As a result users cannot add new sche
r documents into the Scheduled Tasks folder.Note: This setting appears in the Computer Configuration and User Configuration folders. If b
t-click a task. Also the system does not respond when users try to cut or drag a task from the Scheduled Tasks folder.Note: This setting ap
Calendar will be turned off.If you disable or do not configure this setting Windows Calendar will be turned on.The default is for Windows C
or do not configure this policy setting all users can install new color profiles. Standard users can uninstall color profiles that they previous
scams and malicious software. By default Windows Defender SmartScreen is turned on.If you enable this setting Windows Defender Smar
ws Defender SmartScreen warnings and they are blocked from continuing to the site.If you disable or don't configure this setting employee
s or additional data other than memory dumps.If you enable or do not configure this policy setting any memory dumps generated for erro
d in the system event log.If you disable or do not configure this policy setting Windows Error Reporting events and errors are logged to the
.If you enable this policy setting Windows Error Reporting does not send any problem information to Microsoft. Additionally solution infor
a Windows Error Reporting report are automatically declined without notification to the user.If you disable or do not configure this policy
he server.If you enable this policy setting WER does not throttle data; that is WER uploads additional CAB files that can contain data about
ons but does not upload additional report data until the computer is connected to a more permanent power source.If you enable this pol
s not check for network cost policy restrictions and transmits data even if network cost is restricted.If you disable or do not configure this
e all all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only only th
hen the Queuing behavior pull-down list is set to Default Windows determines when a problem occurs whether the report should be place
t are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors click Show an
he Consent level settings that are available in the pull-down menu in this policy setting:- Always ask before sending data: Windows prompt
ent types in the Value Name column of the Show Contents dialog box. Event types are those for generic non-fatal errors: crash no respons
g always override any other consent policy setting.If you disable or do not configure this policy setting custom consent policy settings for e
tificate that is used for on-premises authentication.If you disable or do not configure this policy setting Windows Hello for Business enrolls
you enable this policy the device provisions Windows Hello for Business using keys or certificates for all users.If you disable this policy setti
usually reserved for programs that have been assigned to the user (offered on the desktop) assigned to the computer (installed automati
d DVDs a message appears stating that the feature cannot be found.This policy setting applies even when the installation is running in the
from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer fr
en removable media (floppy drive CD-ROM or DVD) and finally the Internet (URL).If you enable this policy setting you can change the searc
gon hours expire.If you enable this setting warnings are not displayed to the user before the logon hours expire.If you disable or do not co
otification popup will be displayed to the user when the user logs on with cached credentials.If disabled or not configured no popup will b
ock or disconnect a session the user cannot unlock the session or reconnect except during permitted logon hours.If you choose to log off a
a information from the Internet for CDs and DVDs played by users. In addition the Retrieve media information for CDs and DVDs from the I
ormation for music files such as Windows Media Audio (WMA) and MP3 files from the Internet. In addition the Update my music files (WM
rom the Internet and displaying them in Media Library. In addition presets that exist before the policy is configured are not be updated an
ally detected.- Custom: unique proxy settings are used.- Use browser proxy settings: browser's proxy settings are used.If the Custom proxy
ally detected.- Custom: unique proxy settings are used.If the Custom proxy type is selected the rest of the options on the Setting tab must
of seconds streaming media is buffered before it is played.- Custom: the number of seconds up to 60 that streaming media is buffered.- De
ally detected.- Custom: unique proxy settings are used.If the Custom proxy type is selected the rest of the options on the Setting tab must
defined network settings for the Player.If you disable or do not configure this policy setting the Network tab appears and users can use it t
licy setting the protocols that are selected on the Network tab of the Player are used to receive a stream initiated through an MMS or RTS
ab in the Display Properties dialog box in Control Panel. The Allow screen saver during playback check box on the Player tab in the Player i
addition the Download codecs automatically check box on the Player tab in the Player is not available.If you disable this policy setting code
the Player that enables users to choose whether the anchor window displays is not available.When this policy is not configured or disable
e Internet" check box on the Media Library tab is available even though the Privacy tab is hidden unless the "Prevent music file media info
the settings previously. Users can still change security and zone settings by using Internet Explorer unless these settings have been hidden
ox on the Setting tab.You must use the complete file name for the skin (for example skin_name.wmz) and the skin must be installed in the
senger can be used.Note: If you enable this policy setting Remote Assistance also cannot use Windows Messenger.Note: This policy settin
not configure this policy setting Windows Messenger will be loaded automatically at logon.Note: This policy setting simply prevents Windo
nts and the .exe file does not launch it.If you disable this policy setting the user is able to invoke Windows Mobility Center and the .exe file
t value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter
Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails
ng of commands script blocks functions and scripts - whether invoked interactively or through automation. If you disable this polic
r Windows PowerShell the Windows PowerShell ISE and any other applications that leverage the Windows PowerShell engine. By defa
ow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher.The "Allow local scripts and rem
shut down choice (Hibernate Restart etc.) is the default option in the Shut Down Windows dialog box regardless of whether the 'Install U
will not appear as a choice in the Shut Down Windows dialog box even if updates are available for installation when the user selects the S
owsupdate.microsoft.com from the Windows Update hyperlink on the Start menu and also on the Tools menu in Internet Explorer. Windo
this policy setting affected users receive Work Folders settings when they sign in to a domain-joined PC. If this policy setting is disabled or n
in the last Control Panel session.Note: Icon size is dependent upon what the user has set it to in the previous session.
rt or command lines that use control.exe. This policy has no effect on items displayed in PC settings.If you enable this setting you can selec
screenFile ExplorerThis setting removes PC settings from:The Start screenSettings charmAccount pictureSearch resultsIf users try to select
d page via URI context menu in Explorer or other means will result in the front page of Settings being shown instead.This policy has two mo
o access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effect on item
ls.If you disable this setting or do not configure it "Set up services" appears only when there are unconfigured system services. If you enab
s button is available to all users.This setting does not prevent users from using other tools and methods to install programs.
components of Windows from the installation files.If you disable this setting or do not configure it the Add/Remove Windows Componen
ange or Remove Programs page is available to all users.This setting does not prevent users from using other tools and methods to delete o
ble to all users.This setting does not prevent users from using other tools and methods to add or remove program components.Note: If the
t users from using other tools and methods to connect to Windows Update.Note: If the "Hide Add New Programs page" setting is enabled
rams that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically system admin
which programs are accessible from the Start menu desktop and other locations.If you disable this setting or do not configure it the Set Pr
d a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs.If you disable this
ding a link to the installation files and data that users need to obtain product support such as the Product ID and version number of the pr
other categories.To use this setting type the name of a category in the Category box for this setting. You must enter a category that is alre
move programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings.
n the system.If you enable it a screen saver runs provided the following two conditions hold: First a valid screen saver on the client is speci
be used. Also a user may not apply a different visual style when changing themes.If you disable or do not configure this setting the users ca
e screen saver.If you disable this setting or do not configure it users can select any screen saver.If you enable this setting type the name of
nd color sounds or screen saver after the first logon.If you disable or do not configure this setting the default theme will be applied at the
log in the Personalization or Display Control Panel preventing users from changing the password protection setting.If you do not configure
ass color (on Windows Vista and Windows 7) system colors or color scheme of the desktop and windows.If this setting is disabled or not co
"Prevent changing color and appearance" setting.
nged by the user.To specify wallpaper for a group use the "Desktop Wallpaper" setting.Note: You must also enable the "Desktop Wallpape
etting also hides the Desktop tab in the Display Control Panel.
re this setting there is no effect.Note: If you enable this setting but do not specify a theme using the "load a specific theme" setting the the
g prevents users and applications from changing the visual style through the command line. Also a user may not apply a different visual st
rop-down list on the Appearance tab.
s: - The setting is disabled or not configured. - The wait time is set to zero. - The "Enable Screen Saver" setting is disabled. - Neither t
page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or office netwo
the "Connect to this printer (or to browse for a printer select this option and click Next)" radio button on Add Printer Wizard's page 3 and
arches begin at the root of Active Directory. This setting only provides a starting point for Active Directory searches for printers. It doe
twork or approved USB-connected printers. If you disable this setting or do not configure it there are no restrictions to printing based
rrent USB connected printer is approved for local printing. Type all the approved vid/pid combinations (separated by commas) that
vers.If this setting is disabled or not configured users will not be restricted to package-aware point and print only.
ackage point and print connections.Windows Vista and later clients will attempt to make a non-package point and print connection anytim
will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client a p
n Control Panel. Also users cannot add printers by dragging a printer icon into the Printers folder. If they try a message appears expla
ograms to delete a printer. If this policy is disabled or not configured users can delete printers using the methods described above.
lists published programs and provides an easy way to install them.Published programs are those programs that the system administrator
setting is disabled or not configured the "View installed updates" task and the "Installed Updates" page will be available to all users.This s
methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features including W
g e-mail as well as specify the programs that are accessible from the Start menu desktop and other locations.If this setting is disabled or no
configured the "Turn Windows features on or off" task will be available to all users.This setting does not prevent users from using other to
allation.Enabling this feature does not prevent users from navigating to Windows Marketplace using other methods. If this feature is disab
from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Programs Control
programmatically.This policy setting is used only to simplify the Regional Options control panel.If you enable this policy setting the user ca
he user or an application from changing the GeoID programmatically.If you disable or do not configure this policy setting the user sees the
ge. This does not prevent the user or an application from changing the UI language programmatically.If you disable or do not configure thi
tion from changing their user locale or user overrides programmatically.If you disable or do not configure this policy setting the user sees t
e selected user."â€¯â€¯ If you enable this policy setting theâ€¯installation of language packs and language featuresâ€¯isâ€¯preventedâ
nal and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different
e selected user. If the specified language is not installed on the target computer or you disable this policy setting the language selection de
d then the option will be locked to not autocorrect misspelled words. If the policy is Disabled or Not Configured then the user will be f
e option will be locked to not highlight misspelled words. If the policy is Disabled or Not Configured then the user will be free to chang
a text prediction candidate when using the on-screen keyboard. If the policy is Enabled then the option will be locked to not insert a s
eyboard. If the policy is Enabled then the option will be locked to not offer text predictions. If the policy is Disabled or Not Configur
cted includes all outgoing messages in Windows Mail and MAPI enabled email clients as well as URLs from the Internet Explorer browser h
ared folders are not added to Network Locations automatically when you open a document in the shared folder.
ayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desk
To view the toolbars that can be added to the desktop right-click a docked toolbar (such as the taskbar beside the Start button) and point t
uration.Also see the "Prevent adding dragging dropping and closing the Taskbar's toolbars" setting.
ter folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace allowing them to present
ontents of the My Documents folder.This setting does not remove the My Documents icon from the Start menu. To do so use the "Remove
e this setting the Properties option is displayed as usual.
he File menu.Clicks the My Documents icon and then presses ALT+ENTER.If you disable or do not configure this policy setting the Propertie
setting the Properties option is displayed as usual.
of the Recycle Bin folder.Note: To make changes to this setting effective you must log off and then log back on.
he Desktop Clean Wizard running every 60 days occurs.Note: When this setting is not enabled users can run the Desktop Cleanup Wizard o
window minimizing and restoring gesture will apply.
filter bar does not appear but users can display it by selecting "Filter" on the "View" menu.To see the filter bar open Network Locations c
ears in the Network Locations folder.This setting is designed to let users search Active Directory but not tempt them to casually browse Ac
ons for user or group objects in Active Directory.If you enable this setting you can use the "Number of objects returned" box to limit return
cular Web-based items from users' desktops. Users can add the item again (if settings allow) but the item is deleted each time the setting
ormat such as JPEG GIF and PNG can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper".Also see the "Deskto
lly qualified path and name of the file that stores the wallpaper image. You can type a local path such as C:\Windows\web\wallpaper\hom
g and the "Disable Active Desktop" setting are enabled the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting
ote: This setting does not disable Active Desktop. Users can still use image formats such as JPEG and GIF for their desktop wallpaper.
g and the "Disable Active Desktop" setting are enabled the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting
Desktop or prevent users from removing existing Web content.Also see the "Disable all items" setting.
ble or disable Active Desktop. If Active Desktop is already enabled users cannot add remove or edit Web content or disable lock or synchro
ems on the Web tab in Display in Control Panel.Note: This setting does not prevent users from deleting items from their Active Desktop.
their Active Desktop.Also see the "Prohibit closing items" and "Disable all items" settings.
an item such as its synchronization schedule password or display characteristics.
her the Properties menu item is enabled and thus whether the Remote Access Connection Properties dialog box is available to users.If you
ur file system is NTFS users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network\Connecti
y using the File menu.If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting) double
ny user can rename all-user connections by clicking an icon representing the connection or by using the File menu.If you disable this settin
is disabled for nonadministrators only.If you do not configure this setting only Administrators and Network Configuration Operators can re
nnections settings for Administrators" setting) the Rename option for LAN and all user remote access connections is disabled for all users
of certain features from Administrators.By default Network Connections group settings in Windows XP Professional do not have the abilit
Administrators" setting) the Properties menu items are disabled for all users and users cannot open the Local Area Connection Properties d
ons settings for Administrators" setting) the Properties button is disabled for Administrators. Network Configuration Operators are prohibit
nable Network Connections settings for Administrators" setting) the Properties button is disabled for all users (including administrators).Im
able this setting (and enable the "Enable Network Connections settings for Administrators" setting) the Advanced Settings item is disabled
er. As a result users (including administrators) cannot start the New Connection Wizard.Important: If the "Enable Network Connections se
nable Network Connections settings for Administrators" setting) the Remote Access Preferences item is disabled for all users (including ad
ponents of connections are disabled and administrators are not permitted to access network components in the Windows Components W
determines whether the Properties menu item is enabled and thus whether the Remote Access Connection Properties dialog box for a pri
nistrators).Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured this setting will not app
u for a remote access connection and on the File menu in the Network Connections folder.Important: If the "Enable Network Connection
nable or disable the components that a connection uses.Important: If the "Enable Network Connections settings for Administrators" is disa
he "Enable Network Connections settings for Administrators" setting) the Rename option is disabled for all users (including administrators
ers cannot open the Advanced TCP/IP Settings Properties page and modify IP settings such as DNS and WINS server information.Important
perties of the connection.If you enable this setting the connection status taskbar icon and Status dialog box are not available to users (incl
t a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP address. By def
this setting you can use the "Action" box to specify how computers in the group respond.-- "Work offline" indicates that the computer can
nts you want Offline Files to record.To use this setting in the "Enter" box select the number corresponding to the events you want the syst
60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder.This setting appears in t
e Name column box type the server's computer name. Then in the Value column box type "0" if users can work offline when they are disco
e or location.This setting does not prevent users from working offline or from saving local copies of files available offline. Also it does not p
rs cannot view or change the options on the Offline Files tab or Offline Files dialog box.This is a comprehensive setting that locks down the
ically. By default the first reminder for an event is displayed for 30 seconds. Then updates appear every 60 minutes and are displayed for 1
ayed for 15 seconds. You can use this setting to change the duration of the update reminder.This setting appears in the Computer Configur
ou disable or do not configure this policy setting users can manually specify files and folders that they want to make available offline.Notes
ontents dialog box in the Value Name column box type the fully qualified UNC path to the file or folder. Leave the Value column field blank
"Work offline" command is displayed in File Explorer.
Show. In the Show Contents dialog box in the Value Name column type the fully qualified UNC path to the file or folder. Leave the Value co
ed. Full synchronization ensures that offline files are complete and current.If you disable this setting the system only performs a quick syn
ed at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon sync
" ensures that all cached files and folders are up-to-date with the most current version.If you disable or do not configuring this setting files
ou enable this setting the system hides the reminder balloons and prevents users from displaying them.If you disable the setting the syste
f you disable or do not configure this policy setting users can access the wizard tasks including "Set up a wireless router or access point" an
blish DFS roots in AD DS and the "Publish in Active Directory" option is disabled. Note: The default is to allow shared folders to be publishe
tting users cannot publish shared folders in AD DS and the "Publish in Active Directory" option is disabled. Note: The default is to allow sha
it programs. By default all 16-bit programs run as threads in a single shared VDM process. As such they share the memory space allocated
play Logoff item from Start Menu Options. As a result users cannot remove the Log Off <username> item from the Start Menu.If you disab
h box. If you do not configure this policy (default) there will not be a "Search the Internet" link on the start menu.
mmand to the Start menu policy has no effect.
o Shut Down.If you disable or do not configure this setting the Start Menu power button will be set to Shut Down by default and the user c
sts off of programs in the Start Menu and Taskbar will be cleared when the user logs off.If you disable or do not configure this setting the s
tting the system retains notifications and when a user logs on the tiles appear just as they did when the user logged off including the history
ssues with toast notifications. If you disable or donâ€™t configure this policy setting all notifications will appear as toast notifications.A reb
s will continue to show.If you disable or do not configure this policy setting users can pin files folders websites and other items to a progra
ms already pinned to the Taskbar and they cannot pin new programs to the Taskbar.If you disable or do not configure this policy setting use
pin the Store app to the Taskbar.
tting users can show taskbars on more than one display.
skbar does not display any custom toolbars and the user cannot add any custom toolbars to the taskbar. Moreover the "Toolbars" menu c
uments and other tasks.If you enable this policy setting the Start Menu and Taskbar only track the files that the user opens locally on this c
shortcuts. The system empties the Recent Items menu on the Start menu and Windows programs do not display shortcuts at the bottom o
hown when the user performs a search in the start menu search box.
g by default when the system cannot find the target file for a shortcut (.lnk) it searches all paths associated with the shortcut. If the target
policy setting by default when the system cannot find the target file for a shortcut (.lnk) it searches all paths associated with the shortcut
ures Music Computer and Network. The new Start menu starts them directly.If you enable this setting the Start menu displays the classic S
size of Start in Settings.
he default setting for the userâ€™s device will be used and the user can choose to change it.
ose that users have configured for full installation upon first use.If you disable this setting or do not configure it all Start menu shortcuts ap
otification icons is hidden. The taskbar displays only the Start button taskbar buttons custom toolbars (if any) and the system clock.If this s
g options.If you disable or don't configure this policy setting the desktop apps won't be listed first when the apps are sorted by category an
t is not prevented by another policy setting.
e moved or resized.If you enable this setting it prevents the user from moving or resizing the taskbar. While the taskbar is locked auto-hide
.If you disable or do not configure this policy setting the Taskbar and Start Menu items are available from Settings on the Start menu.
e. By default this setting is always enabled.If you disable or do not configure it items on the taskbar that share the same program are grou
e to add toolbars to the taskbar.
gure this setting you will allow a user to select an app resize a tile pin/unpin a tile or a secondary tile enter the customize mode and rearra
monitor unless prevented by another policy setting.
tting the context menus for the taskbar are available.This policy setting does not prevent users from using other methods to issue the comm
Settings to Off.Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start men
ower button and the Shut Down Restart Sleep and Hibernate commands are removed from the Start menu. The Power button is also remo
affected by this setting includes "Click here to begin" on the Start button "Where have all my programs gone" on the Start menu and "Whe
he All Users profile on the system drive go to ProgramData\Microsoft\Windows\Start Menu\Programs.

o specify default programs for certain activities such as Web browsing or sending e-mail as well as which programs are accessible from the
n access to the contents of the Documents folder.Note: To make changes to this policy setting effective you must log off and then log on.If
appear on the Start menu by default. To display the Favorites menu right-click Start click Properties and then click Customize. If you are us
It does not remove the Help menu from File Explorer and does not prevent users from running Help.
e homegroup link from the Start Menu.
y setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.Windows Update the
esult users cannot restore the Log Off <username> item to the Start Menu.If you disable or do not configure this policy setting users can us
Settings on the Start menu.Network Connections still appears in Control Panel and in File Explorer but if users try to start it a message app
cation area. The user will be able to read notifications when they appear but they wonâ€™t be able to review any notifications they miss.
ortcuts stay on the Taskbar.

Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu.
Control.exe) from running.However users can still start Control Panel items by using other methods such as right-clicking the desktop to s
aves document shortcuts but does not display the Recent Items menu in the Start Menu and users cannot turn the menu on.If you later dis
the following into the Internet Explorer Address Bar:--- A UNC path: \\<server>\<share> ---Accessing local drives: e.g. C:--- Accessing loca
at appears when you right-click the Start menu. Also the system does not respond when users press the Application key (the key with the
arty protocol handler is installed a "Search Everywhere" link will be shown instead of the "See more results" link.
system notification area.
ove user folder link from Start Menu" policy setting.If you disable or do not configure this policy setting the user name label appears on th
e top section of the Start menu. Because the appearance of two folders with the same name might confuse users you can use this setting
installed apps.If you disable or donâ€™t configure this policy setting the user can configure this setting.
as different user" command from Start for any applications.Note: This setting does not prevent users from using other methods such as th
alendar shows the lunar month and date and holiday names in Traditional Chinese (Lunar) by default.If you enable this policy setting users
nd user cannot change to show it using the Settings app.Selecting "Not Configured" or if you disable or do not configure this policy setting
users will be able to turn the QuickLaunch bar on and off.
key.If you disable or don't configure this policy setting the Start screen will always appear on the main display when the user presses the W
he Start screen will appear by default whenever the user goes to Start and the user will be able to switch between the Apps view and the
userâ€™s device will be used and the user can choose to change it.
a device's Start layout to the desired look and feel. Once you are done run the Export-StartLayout PowerShell cmdlet on that same device
configure this policy setting newly added notification icons are temporarily promoted to the Taskbar.
collapsed. The notification cleanup << icon can be referred to as the "notification chevron."If you enable this setting the system notificatio
menu items appear and remain in standard order. Also this setting removes the "Use Personalized Menus" option so users do not try to ch
e system uses this information to customize Windows features such as showing frequently used programs in the Start Menu.Also see thes
and users will not be able to change it or any other Quiet Hours setting. If you do not configure this policy setting a default value will b
nd users will not be able to change it or any other Quiet Hours setting. If you do not configure this policy setting a default value will be
nd video calls will be allowed during Quiet Hours and users will not be able to customize this or any other Quiet Hours settings. If you d
No reboots or service restarts are required for this policy setting to take effect.
ppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change this or an
e administrator or user. No reboots or service restarts are required for this policy setting to take effect.
nable/disable system features individually to stop their ability to raise toast notifications. If you disable or do not configure this policy
dministrator or user. No reboots or service restarts are required for this policy setting to take effect.
setting the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified
program to a network share or to your system drive. Then enable this setting and type the name of the interface program including the file
art menu or by typing ""Welcome"" in the Run dialog box.If you disable or do not configure this policy the welcome screen is displayed eac
nning programs that are started by the File Explorer process. It does not prevent users from running programs such as Task Manager whic
dows has internally registered the required components.If you enable this policy setting and a component registration is missing the syste
dministrative tools use the "Run only specified Windows applications" policy setting.
etting prevents the action.If you disable this policy setting or do not configure it users can run Cmd.exe and batch files normally.Note: Do
If you disable or do not configure this policy setting users can run all applications from online Help. Note: You can also rest
running programs that are started by the File Explorer process. It does not prevent users from running programs such as Task Manager w
nents are ready to be installed or prior to downloading depending on their configuration.If you enable this setting it prohibits Windows fro
The system prompts users for a new password when an administrator requires a new password or their password is expiring.
able or do not configure this policy setting users will be able to lock the computer from the keyboard using Ctrl+Alt+Del.Tip:To lock a com
tart menu.Also see the 'Remove Logoff on the Start Menu' policy setting.If you disable or do not configure this policy setting users can see
riority of the process in which programs run.If you enable this policy setting users will not be able to access Task Manager. If users try to st
or (DPI) connect remotely from a device with a different display scale factor or manually change the display scale factor) many desktop ap
system does not implement any setting less secure than the one the setting established.When you enable this setting use the drop-down b
ch algorithm.If you enable this setting you can remove the locations by selecting the associated check box beside the location name.If you
nication settings" is disabled or not configured.If you enable this setting administrators will not be prompted to search Windows Update.If
If you disable or do not configure this policy setting redirected shell folders are automatically made available offline. All subfolders within
ally made available offline. All subfolders within the redirected folders are also made available offline.Note: This policy setting does not pr
on to another and Folder Redirection is configured to move the content to the new location instead of copying the content to the new loca
ter in a remote office.To designate a user's primary computers an administrator must use management software or a script to add primary
ista Windows 7 Windows 8 and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Men
domain controller designated as the PDC Operations Master for the domain."Inherit from Active Directory Snap-ins" indicates that the Gro
The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to
ve Directory Users and Computers or Active Directory Sites and Services you can enable the object links for use on the system.If you disab
g interactive users can generate RSoP.Note: This policy setting does not affect administrators. If you enable or disable this policy setting by
ws\CurrentVersion\Policies registry subkeys. Preferences which are not fully supported use registry entries in other subkeys.If you enable
display name can contain environment variables and can be a maximum of 255 characters long.If this setting is Disabled or Not Configured
log on.By default user Group Policy is updated in the background every 90 minutes with a random offset of 0 to 30 minutes.If you enable
ditor a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the
is policy setting all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective featu
the Store service to find an application.If you enable this policy setting the "Look for an app in the Store" item in the Open With dialog is
downloading drivers that are not already installed locally.If you enable this policy setting print drivers cannot be downloaded over HTTP.If
prove handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure co
andwriting recognition in future versions of Windows.If you enable this policy users cannot start the handwriting recognition error reporti
erience Improvement program.If you disable or do not configure this policy setting users can turn on the Help Experience Improvement pr
usefulness of the Help and Support content.
d from a Windows website in addition to providers specified in the registry.If you enable this policy setting Windows does not download p
he Web service to find an application.If you enable this policy setting the link and the dialog for using the Web service to open an unhandl
ver and making its shared printers available via HTTP.If you enable this policy setting it prevents this client from printing to Internet printer
ks in File Explorer folders.If you disable or do not configure this policy setting the task is displayed.
o the web.If you enable this policy setting these tasks are removed from the File and Folder tasks in Windows folders.If you disable or do n
n is used to improve the product in future releases.If you enable this policy setting Windows Messenger does not collect usage information
ble or do not configure this policy setting users can access online assistance if they have a connection to the Internet and have not disable
r-user policy setting. If you disable this policy setting at the computer level the per-user policy is ignored. If you do not configure this polic
f the %windir%\Globalization directory to prevent the installation of locales by unauthorized users.The policy setting "Restrict user locales
s can still choose alternate locales installed on the system unless prevented by other policies however they will be unable to customize tho
les in this list.To set this policy setting on a per-user basis make sure that you do not configure the per-computer policy setting.The locale l
d services that the system starts.If you enable this policy setting the system ignores the run list for Windows Vista Windows XP Professiona
this policy setting the system ignores the run-once list.If you disable or do not configure this policy setting the system runs the programs in
click Show. In the Show Contents dialog box in the Value column type the name of the executable program (.exe) file or document file. To
articular positions. Bits can be set to either 0 (setting is forced off) 1 (setting is forced on) or ? (setting retains its existing value prior to GPO
onfigure this policy setting users control if their computer is automatically locked or not after performing a resume operation.
do not configure this policy setting write and read accesses are allowed to all removable storage classes.
age enable the policy setting "Deny write access to drives not protected by BitLocker" which is located in "Computer Configuration\Admini
nfigure this setting the operating system does not force a reboot.Note: If no reboot is forced the access right does not take effect until the
storage class.
ble storage class.
s. The instructions appear in a command window. This policy setting is designed for advanced users.If you disable or do not configure this p
he instructions appear in a command window. This policy setting is designed for advanced users.If you disable or do not configure this polic
hough it does not display logon scripts written for Windows 2000.If you enable this setting Windows 2000 does not display logon scripts w
omplete before the user starts working but it can delay the appearance of the desktop.If you disable or do not configure this policy setting
erShell scripts are run before non-PowerShell scripts during user logon and logoff. For example assume the following scenario: There are th
omputer to a local or remote directory.If you enable this policy setting the system uses the Windows NT 4.0 definitions. %HOMESHARE% s
rowest set of data that will address your needs. For example if there is one application with data that should not be roamed then add only
enable this policy setting you can:-- Set a maximum permitted user profile size.-- Determine whether the registry files are included in the ca
nable this policy setting the network paths specified in this policy setting will be synchronized only by Offline Files during user logon and lo
p for a file type.If you enable this policy setting Windows Store apps cannot open files in the default desktop app for a file type; they can o
ng a desktop app.If you enable this policy setting Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they
m accessing the file. If the file is from the Internet zone Windows prompts the user before accessing the file.Moderate Risk: If the attachm
ke proper risk assessments.If you enable this policy setting Windows does not mark file attachments with their zone information.If you dis
file attachments that Windows has blocked users from opening.If you enable this policy setting Windows hides the check box and Unblock
es precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list).If you enable
ecedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list).If you enable this p
s and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an extension is
undant. If you enable this policy setting Windows tells the registered antivirus program to scan the file when a user opens a file attachmen
e file type data over the file handler data. For example trust .txt files regardless of the file handler.Using both the file handler and type dat
ers user's choice of what to do when a device is connected.

ute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge
such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Starting with Windows XP SP2 Autoplay is enabled fo
ou check the "Include content from Enterprise spotlight" checkbox and your organization has setup an Enterprise spotlight content service
sable or do not configure this policy Windows spotlight features may suggest apps and content from third-party software publishers in ad
ize content shown on lock screen Windows tips Microsoft consumer features and other related features. If these features are enabled use
get devices.If you disable or do not configure this policy setting Windows spotlight features are allowed and may be controlled individually
updates and changes to Windows and its apps.If you disable or do not configure this policy the Windows Welcome Experience will be laun
e password reveal button will be displayed after a user types a password in the password entry text box.By default the password reveal bu
dered part of Windows and does not apply to any additional apps installed by your organization. - Diagnostic data off (not recommended
nd unsigned gadgets will be extracted.The default is for Windows to extract both signed and unsigned gadgets.
cessible if desktop composition is turned on. When Windows Flip 3D is activated with the Windows+Tab keys a visual version of the deskt
etting requires a logoff for it to be applied.
e used in conjunction with the "Specify a default color for window frames" policy setting to enforce a specific color for window frames tha
is used if the user does not specify a color. Note: This policy setting can be used in conjunction with the "Prevent color changes of window
r will not run.If you disable or do not configure this setting Digital Locker can be run.
uch gestures keyboard shortcuts and the Start screen.If you disable or don't configure this policy setting the recent apps will be available b
be able to replace it with Windows PowerShell. Users will still be able to access Windows PowerShell but not from that menu.If you disable
y'll still be available if the mouse is pointing to the lower-right corner.If you disable or don't configure this policy setting Search Share Start
licy setting Windows will keep track of the apps that are used and searched most frequently. Most frequently used apps will appear at the
in at least one of the following locations in registry.For shell extensions that have been approved by the administrator and are available t
ser-defined properties and properties stored in NTFS secondary streams.
e creation of the folder.You can specify a known folder using its known folder id or using its canonical name. For example the Sample Vide
aying a confirmation dialog occurs.
r.Note: When the menu bar is not displayed users can access the menu bar by pressing the 'ALT' key.
ve an error message if they tap or click the Options button or choose the Change folder and search options command and they will not be
isplayed at user logon.
ble or do not configure this setting files and folders deleted using File Explorer will be placed in the Recycle Bin.
not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as regular user
target path then by default it searches for the target in the original path. If the shortcut has been copied to a different computer the origi
s policy setting select a drive or combination of drives in the drop-down list.Note: This policy setting removes the drive icons. Users can sti
er Device Manager and Disk Management. You must be an administrator to use many of the features of these tools.This setting does not r
On every logon the policy settings are verified and Libraries for the user are updated or changed according to the path defined.If you disabl
by the Recycle Bin.Note: This setting is applied to all volumes.
uts specified by the policy setting.If you disable or do not configure this policy setting by default the system displays shortcuts to the 10 mo
. This policy setting also removes these icons from the Map Network Drive browser.If you disable or do not configure this policy setting com
ociated with the Map Network Drive option.This setting does not prevent users from viewing or connecting to computers in their workgro
rch site will be searched with the text in the search box. To add an Internet search site specify the URL of the search site in OpenSearch fo
path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example "C:\sampleLibrary.Library-ms" for the Documen
Network Drive dialog box to view the directories on these drives.To use this setting select a drive or combination of drives from the drop-
disable or do not configure this policy setting users will be able to add new items such as files or folders to the root of their Users Files fold
when you right-click the File Explorer or Network Locations icons.This setting does not prevent users from connecting to another computer
his policy setting users are able to use the File Explorer CD burning features.Note: This policy setting does not prevent users from using th
perties of the DFS shares available from their computer.This policy setting does not prevent users from using other methods to configure D
commands available on the shortcut menus.
ardware tab to view or change the device list or device properties or use the Troubleshoot button to resolve problems with the device.
Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows such as the Inter
at have access to the resource in question.If you disable or do not configure this setting users will be able to access the security tab.
choose not to have these items displayed.If you enable this policy setting the Shared Documents folder is not displayed in the Web view o
with the search terms.If you do not configure this policy (default) there will be an "Internet" link when the user performs a search in the E
signed to enhance the user's experience but might be confusing or distracting to some users.
users.Effects such as animation are designed to enhance the user's experience but might be confusing or distracting to some users.If you d
alog box appears only when users are installing programs from local media.The "Install Program as Other User" dialog box prompts the cur
his policy setting users can choose how the ribbon appears when they open new windows.
able this policy setting to turn off the thumbnail view cache because the thumbnail cache can be read by everyone.
his policy File Explorer will not show suggestion pop-ups as users type into the Search Box and it will not store Search Box entries into the r
ort file names by increasing number value (for example 3 < 22 < 111).
ers. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in
do not configure this policy setting File Explorer creates reads from and writes to thumbs.db files.
able or do not configure this policy setting File Explorer displays only thumbnail images on network folders.
etting File Explorer displays only thumbnail images.
enable this setting the Windows Key hotkeys are unavailable.If you disable or do not configure this setting the Windows Key hotkeys are a
* Disable all Arrangement views except for "By Folder" * Disable all Search filter suggestions other than "Date Modified" and "Size" *
4.0 and users cannot restore the new features.Enabling this policy will also turn off the preview pane and set the folder options for File Exp
of Windows programs.If you enable this policy setting the Back button is removed from the standard Open dialog box.If you disable or do
to developers of Windows programs.To see an example of the standard Open dialog box start Wordpad and on the File menu click Open.
n the text box.This setting and others in this folder lets you remove new features added in Windows 2000 Professional so that the Open d
rver\share)3) FTP folders4) web folders5) Common Shell folders.The list of Common Shell Folders that may be specified:Desktop Recent P
nnot be hidden by the user. Note: This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed
annot list and restore previous versions of files on local disks.If you do not configure this policy setting it defaults to disabled.
estore previous versions of files on file shares.If you do not configure this policy setting it is disabled by default.
pies and can see only previous versions corresponding to on-disk restore points.If you disable this policy setting users can see previous ver
ng the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button Windows atte
ponding to a backup.If you disable this policy setting the Restore button remains active for a previous version corresponding to a backup. I
policy setting the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore
at contains the enterprise identifier separated by a comma and the Package Family Name of the application. The EID must be an internet d
disable this user is not allowed to control IME version to use. The new Microsoft IME is always selected.This Policy setting applies only to
do not configure this policy setting both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list.T
llowing values:0x0001 // JIS208 area0x0002 // NEC special char code0x0004 // NEC selected IBM extended code0x0008 // IBM extended c
ion.If you disable or do not configure this policy setting the custom dictionary can be used by default.For Japanese Microsoft IME [Clear au
s to this setting will not take effect until the user logs off.
configure this policy setting the search integration function can be used by default.This policy setting applies to Japanese Microsoft IME.N
rsion.If you disable or do not configure this policy setting Open Extended Dictionary can be added and used by default.This policy setting is
ns and the user won't be able to turn it off.If you disable this policy setting the functionality associated with this feature is turned off and t
ns and the user won't be able to turn it off.If you disable this policy setting the functionality associated with this feature is turned off and t
u disable this policy setting the functionality associated with this feature is turned off and the user won't be able to turn it on.If you don't c
isable this policy setting the functionality associated with this feature is turned off and the user won't be able to turn it on.If you don't con
al Chinese IME.
emove search providers but only from the set of search providers specified in the list of policy keys for search providers (found under [HKC
t show up in the Internet Explorer mode context menu.For more information see https://go.microsoft.com/fwlink/?linkid=2102115
shutdown.If you disable or do not configure this policy setting OnUnLoad script handlers do not display UI during shutdown (default behav
r. In addition users won't be able to change the Suggestions setting on the Settings charm.If you disable this policy setting users won't rece
es to Internet Explorer 9.In Internet Explorer 9 add-ons are defined as toolbars Browser Helper Objects or Explorer bars. ActiveX controls a
ink within Internet Explorer the content will be played by the default media client on their system.If you enable the Media Explorer Bar or
cking of attachments in options.If the block attachments setting is not checked the user can specify to enable or disable the blocking of att
d.If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed the following beha
tting Internet Explorer sends the current Internet Explorer version in the User Agent header (for example "MSIE 7.0").
onfigure this setting the user has the freedom to turn on the auto-complete feature for forms.To display this option the users open the In
ipts can be stored in the users' cache.
ges.If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Inte
do not configure it users can select or clear settings on the Advanced tab.If you set the "Disable the Advanced page" policy (located in \Us
o automatic configuration. You can import your current connection settings from your machine using Internet Explorer Maintenance unde
this policy or do not configure it users can determine which programs to use for managing schedules and contacts if programs that perform
s can import new certificates remove approved publishers and change settings for certificates that have already been accepted.The "Disab
u disable this policy or do not configure it users can change the default background and text color of Web pages.If you set the "Disable the
icy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) you do not
gure it users can determine whether Internet Explorer will check to see if it is the default browser. When Internet Explorer performs this c
can change the default fonts for viewing Web pages.If you set the "Disable the General page" policy (located in \User Configuration\Admin
hines with at least Internet Explorer 7 the home page can be set within this policy to override other home page policies.If you disable or do
policy or do not configure it users can change the language preference settings for viewing Web sites for languages in which the character
this policy or do not configure it users can change the default color of links on Web pages.If you set the "Disable the General page" policy
y or do not configure it users can determine which programs to use for sending mail viewing newsgroups and placing Internet calls if prog
nd e-mail addresses.The "Disable the Content page" policy (located in \User Configuration\Administrative Templates\Windows Componen
ettings.The "Disable the Ratings page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Ex
ome pages. The user cannot set custom default secondary home pages.If you disable or do not configure this policy setting the user can ad
n click the Settings button in the Internet Options dialog box.If you disable this policy or do not configure it users can change their cache se
do not configure it users could install customizations from another party-for example when signing up for Internet services.This policy is in
file allows the user to import favorites feeds and cookies from a file. Exporting settings to a file allows the user to export favorites feeds an
ting to Programs pointing to Accessories pointing to Communications and then clicking Internet Connection Wizard.If you disable this polic
xplorer 11 to Microsoft Edge Stable Channel browser.- Overrides any other policies that redirect to Internet Explorer 11.If you disable or do
he "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\
blems occur with proxy scripts.
nager will be available to the user.
cy extended hotkeys will not work in Internet Explorer mode.For more information see https://go.microsoft.com/fwlink/?linkid=2102115
search tools viewing a history of visited pages printing and accessing email and newsgroups. The menu bar contains menus that open lists
be able to create new identities manage existing identities or switch identities. The Switch Identity option will be removed from the File m
net Explorer 11. The only exceptions are sites listed in your Enterprise Mode Site List.If you disable or donâ€™t configure this policy all intra
sers can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on but don't specify a report location Enterp
ded in site discovery. This policy can be used in conjunction with other policies controlling sites included in Site Discovery.To configure the
in site discovery. This policy can be used in conjunction with other policies controlling sites included in Site Discovery.To configure zone(s)
f Internet Explorer is not the default web browser. Users cannot change the setting.If you do not configure this policy setting users can cho
domain name is allowed so www.contoso.com is valid but not http://www.contoso.com. Wildcards are allowed so *.contoso.com is also v
wsgroups. The menu bar contains menus that open lists of commands. The commands include options for printing customizing Internet Exp
y setting is enabled the "Fix settings" command on the Notification bar shortcut menu should be disabled.
ed from the Settings charm (starting with Internet Explorer 10 on Windows 8).If you disable or do not configure this policy setting the Inte
le this policy setting SmartScreen Filter warnings block the user.If you disable or do not configure this policy setting the user can bypass Sm
or do not configure this policy setting the user can bypass SmartScreen Filter warnings.
ter level by importing Privacy settings from your computer under Internet Explorer Maintenance.If you disable or do not configure this pol
wing: â€¢ Open in an existing Internet Explorer window. If tabbed browsing is enabled a new tab is created in this scenario. â€¢ Open a
e background by pressing Ctrl+Shift+Select or open the tabs in the foreground by pressing Ctrl+Shift+Select.If you disable or do not configu
olicy setting the Search box appears by default in the Internet Explorer frame.Note: If you enable this policy setting Internet Explorer does
st.Note: You can allow a default list of sites that can open pop-up windows regardless of the Internet Explorer process's Pop-Up Blocker se
Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.If you disa
hing filter uses: manual automatic or off.If you select manual mode the phishing filter performs only local analysis and the user is prompte
rticipate in the CEIP and the Customer Feedback Options command does not appear on the Help menu.If you do not configure this policy s
€¢ Skip the First Run wizard and go directly to the "Welcome to Internet Explorer" webpage.Starting with Windows 8 the "Welcome to Inte
rd-party toolbars or in Setup but the user can also add them from a search provider's website.If you enable this policy setting the user cann
the user that this feature has been disabled.If you disable this policy or do not configure it users can press F3 to search the Internet (from
cy or do not configure it users can change their settings for the Search Assistant.This policy is designed to help administrators maintain con
one site in the Enterprise Mode Site List.Enabling this setting automatically opens all sites not included in the Enterprise Mode Site List in
high allows the tab process to grow very quickly and is intended only for computers that have ample physical memory. The default settin
dge with Enterprise Mode.If you disable or don't configure this setting the default app behavior occurs and no additional page appears.
not configure this policy setting the user can select his or her preference for this behavior.
ls including per-user controls are installed through the standard installation process.
nable this policy setting the ActiveX Opt-In prompt does not appear. Internet Explorer does not ask the user for permission to load an Activ
Add-ons dialog box displays the load time for each group of add-ons enabled in the browser. It allows the user to disable add-ons and con
data after a program stops responding.
s policy setting browser geolocation support can be turned on or off in Internet Options on the Privacy tab.
1: Force pop-up windows to open in new windows. 2: Force pop-up windows to open on new tabs.If you disable or do not configure this
Reporting continue to apply.If you disable or do not configure this policy setting the crash detection feature for add-on management will b
. You must specify which mode the SmartScreen Filter uses: on or off.All website addresses that are not on the filter's allow list are sent au
at host MSHTML respond to user input that causes the content to be re-rendered at a scaled size.
windows will continue to function as they did in Windows XP Service Pack 1 or earlier although windows launched off screen will continue
wsing Session feature.
ders that offer suggestions.
er and the user cannot turn them on.If you disable this policy setting tabbed browsing and related entry points appear on the user interfac
tting user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting.If
in the Search box the quick pick menu appears.
n off ActiveX Filtering although they may add per-site exceptions.If you disable or do not configure this policy setting ActiveX Filtering is no
u disable this policy setting the user cannot log information that is blocked by new Internet Explorer features. The user cannot turn on logg
default and the user cannot turn it on.If you do not configure this policy setting the menu bar is turned off by default. The user can turn on
tten to the WMI class. Enabling or disabling this setting will not impact other output methods available for the SDTK.
setting will not impact other output methods available for the SDTK.
ed Sites. The userâ€™s browsing history is sent to Microsoft to produce suggestions.If you disable this policy setting the entry points and f
decide whether to select "prompt me to save passwords".If you disable this setting the user cannot change "User name and passwords o
you disable this policy or do not configure it dial-up settings will not be configured by Automatic Detection unless specified by the user.
policies\Microsoft\Internet Explorer\Main\EnterpriseMode) opening all listed websites using Enterprise Mode IE.If you disable or don't co
ccelerators should not overlap.If you disable or do not configure this policy setting the user has Accelerators that are provided through firs
ult Accelerators should not overlap.If you disable or do not configure this policy setting the user has Accelerators that are provided throug
licy setting the user can access any Accelerators that he or she has installed.
ure it this control will not be designated as administrator-approved.To specify how administrator-approved controls are handled for each
ich you specify that administrator-approved controls can be run.If you disable this policy or do not configure it this control will not be desi
restricted functionality and is intended for use by web sites.If you enable this policy this control will be available as an administrator appro
able this policy or do not configure it these controls will not be designated as administrator-approved.Select the check boxes for the contr
ntrols will not be designated as administrator-approved.To specify a control as administrator-approved click Enabled and then select the c
specify that administrator-approved controls can be run.If you disable this policy or do not configure it these controls will not be designate
proved controls can be run.If you disable this policy or do not configure it this control will not be designated as administrator-approved.To
gure it this control will not be designated as administrator-approved.To specify how administrator-approved controls are handled for each
d.To specify how administrator-approved controls are handled for each security zone carry out the following steps:1. In Group Policy click
ot configure it these controls will not be designated as administrator-approved.Select the check boxes for the controls that you want to de
roved.To specify how administrator-approved controls are handled for each security zone carry out the following steps:1. In Group Policy
cify how administrator-approved controls are handled for each security zone carry out the following steps:1. In Group Policy click User Con
d operation. This means that if the zone behavior is currently set to prompt it will be bypassed and enabled.If you disable this policy settin
he Internet Explorer process performs a Clipboard operation. In the Internet Explorer process if the zone behavior is currently set to prom
et Explorer process" policy. If the "Bypass prompting for Clipboard access for scripts running in any process" policy setting is enabled the pr
the shortcut menu.This policy can be used in coordination with the "File menu: Disable New menu option" policy which prevents users fr
ed that the command is not available.If you disable this policy or do not configure it users can download programs from their browsers.
f the program will not work; if users click the Close button they will be informed that the command is not available.
d that the command is not available.If you disable this policy or do not configure it users can open a new browser window from the File m
y or do not configure it users can open a Web page from the browser File menu.Caution: This policy does not prevent users from right-click
as Type box in the Save Web Page dialog box. Users can still save Web pages as hypertext markup language (HTML) files or as text files bu
"File Menu: Disable Save As Web Page Complete" policy which prevents users from saving the entire contents that are displayed or run fr
and on the Help menu.Caution: Enabling this policy does not remove the tips for Netscape users from the Microsoft Internet Explorer Help
on the shortcut menu is disabled; when users click it they are informed that the command is unavailable.If you disable this policy or do no
ptions command on the Tools menu they are informed that the command is unavailable.If you disable this policy or do not configure it us
Explorer will not be available. Starting with Windows 8 the Print flyout for Internet Explorer will not be available and users will not see pr
bpage.If you disable or do not configure this policy setting users can use the shortcut menu.
lems dialog box.If you disable or do not configure this policy setting the menu options will be available.
he browser in a full screen.This policy is intended to prevent users from displaying the browser without toolbars which might be confusing
View menu.Caution: This policy does not prevent users from viewing the HTML source of a Web page by right-clicking a Web page to open
splayed in Compatibility View.If you disable this policy setting the Microsoft-provided website lists are not used. Additionally the user cann
e this policy setting the user can use the Compatibility View button and manage the Compatibility View sites list.
his policy setting the user can use the Compatibility View button.
orer.If you enable this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended). A
dards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behav
and remove sites from the list.
with an additional string appended). Additionally webpages included in this list appear in Quirks Mode.
policy setting deleting browsing history on exit is turned on.If you disable this policy setting deleting browsing history on exit is turned off.I
e this policy setting a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must spec
wsing History dialog box. Starting with Windows 8 users cannot click the Delete Browsing History button on the Settings charm.If you disab
s turn on the Personalized Tracking Protection List which blocks third-party items while the user is browsing.With at least Internet Explorer
olicy setting the user can choose whether to delete or preserve cookies when he or she clicks Delete.If the "Prevent access to Delete Brow
Delete.If you do not configure this policy setting the user can choose whether to delete or preserve download history when he or she clic
f you do not configure this policy setting the user can choose whether to delete or preserve favorites site data when he or she clicks Delet
his policy setting the user can choose whether to delete or preserve form data when he or she clicks Delete.If the "Prevent access to Delet
e Browsing History dialog box.If you enable this policy setting InPrivate Filtering data is preserved when the user clicks Delete.If you disabl
e this policy setting the user can choose whether to delete or preserve passwords when he or she clicks Delete.If the "Prevent access to De
he user clicks Delete.If you do not configure this policy setting the user can choose whether to delete or preserve temporary Internet files
that the user has visited are deleted when he or she clicks Delete.If you do not configure this policy setting the user can choose whether t
es.If you disable or do not configure this policy setting users will be able to delete temporary Internet files and cookies.
ou set this policy you do not need to set the "Disable changing Advanced page settings" policy (located in \User Configuration\Administrati
o set the following policies for the Content tab because this policy removes the Connections tab from the interface:"Disable Internet Conn
n you set this policy you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrative Templa
ed to set the following policies for the Programs tab because this policy removes the Programs tab from the interface:"Disable changing M
hen you set this policy you do not need to set the following Internet Explorer policies because this policy removes the Security tab from th
t configure this policy setting the user can choose to ignore certificate errors and continue browsing.
hould be sent: 0) Unicode domain names are never converted to IDN format. 1) Unicode domain names are converted to IDN format on
gh the user's code page. This behavior matches the behavior of Internet Explorer 6 and earlier. The user can change this behavior on the In
figure this policy users can choose whether to be prompted before running active content on a CD.
ernet Explorer components will be automatically installed as necessary.If you disable this policy setting users will be prompted when non-
the Japanese Language Pack component if it is not already installed.If you enable this policy setting Web components such as fonts will be
etting Internet Explorer won't use the HTTP2 network protocol.If you don't configure this policy setting users can turn this behavior on or
sable this policy setting Internet Explorer won't use the SPDY/3 network protocol.If you don't configure this policy setting users can turn th
or run files with an invalid signature.If you disable this policy setting users cannot run or install files with an invalid signature.If you do not
r automatically launches any browser helper objects that are installed on the user's computer.If you disable this policy setting browser hel
his policy setting Internet Explorer only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode
checks the Internet for a new version approximately every 30 days and prompts the user to download new versions when they are availab
ou enable this policy setting Internet Explorer will check to see if server certificates have been revoked.If you disable this policy setting Inte
check the digital signatures of executable programs and display their identities before downloading them to user computers.If you disable
ption to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced
nternet Explorer Settings.If you disable or do not configure this policy setting the user can use Reset Internet Explorer Settings.
taining secure (HTTPS) information to the cache.If you disable this policy setting Internet Explorer will save encrypted pages containing sec
e usage.If you enable this policy setting Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all br
Web content.If you disable this policy setting Internet Explorer will not play or download animated pictures helping pages display more qu
f you disable this policy setting Internet Explorer will not play or download sounds in Web content helping pages display more quickly.If yo
disable this policy setting Internet Explorer will not play or download videos helping pages display more quickly.If you do not configure thi
t configure this policy setting applications that host MSHTML render text by using the Microsoft ClearType rendering engine.
mmunication with the target server the browser and server negotiate which protocol and version to use. The browser and server attempt t
content in the background.If you disable this policy setting Internet Explorer preemptively loads websites and content in the background.
Assistant information users will be prompted to choose which information to share. At that time users can also choose to allow this inform
s. 1) Only encode query strings for URLs that aren't in the Intranet zone. 2) Only encode query strings for URLs that are in the Intranet z
licy setting flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.If you disable this policy se
are used.If you enable this policy setting Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on
g is particularly useful to users who do not use a mouse.If you enable this policy setting Caret Browsing is turned on.If you disable this poli
e this policy setting Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected
nfigure this policy setting users can configure Internet Explorer to use or not use HTTP 1.1 through proxy connections.
onfigure this policy setting Internet Explorer does not display the Content Advisor setting on the Content tab of the Internet Options dialog
xplorer starts a new browsing session with the tabs from the last browsing session. Users cannot change this option to start with the home
etting websites will not be able to store application caches on client computers. Allow website database and caches on Website Data Settin
cy setting websites will not be able to store an indexed database on client computers. Allow website database and caches on Website Data
domain Internet Explorer sends an error to the website. No notification will be displayed to the user. This group policy sets the maximum
ernet Explorer will remove application caches that haven't been used within the timeframe set in this policy setting.If you disable or do not
or do not configure this policy setting users can set default data storage limits for indexed databases and application caches.
al domain Internet Explorer sends an error to the website. No notification is sent to the user. This group policy sets the maximum data sto
his policy setting you provide the resource size limit in MB. The default is 50 MB.If you enable this policy setting Internet Explorer will allow
r to the website. No notification will be displayed to the user. When you set this policy setting you provide the resource limit as a number.
uter. The default maximum storage limit for all application caches is 1 GB.If you enable this policy setting you can set the maximum storag
r computer. The default maximum storage limit for all indexed databases is 4 GB.If you enable this policy setting you can set the maximum
mplate defaults.If you disable this template policy setting no security level is configured.If you do not configure this template policy setting
es which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zone
one there).If you do not configure this policy setting users choose whether network paths are mapped into the Intranet Zone.
ed into the Intranet Zone (other rules might map one there).If you do not configure this policy setting users choose whether sites which by
s to zones. They are: (1) Intranet zone (2) Trusted Sites zone (3) Internet zone and (4) Restricted Sites zone. Security settings can be set for
g automatic detection of the intranet is turned off and intranet mapping rules are applied however they are configured.If this policy settin
s policy setting the certificate address mismatch warning always appears.If you disable or do not configure this policy setting the user can
enever the user browses to a page that loads content from an intranet site.If you disable this policy setting a Notification bar notification d
ne. If you select Prompt in the drop-down box users are queried to choose whether to allow a page to be loaded in the zone that uses MS
own policy.If you enable this policy setting no Intranet Zone content accessed is affected even for protocols on the restricted list. If you sel
le this policy setting script code on pages in the zone is prevented from running.If you do not configure this policy setting script code on pa
behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.If you disable this policy
d operations.If you disable this policy setting a script cannot perform a clipboard operation.If you do not configure this policy setting a scrip
or copy files from this zone.If you disable this policy setting users are prevented from dragging files or copying and pasting files from this zo
olicy setting files are prevented from being downloaded from the zone. If you do not configure this policy setting files can be downloaded
ou disable this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting HTML fonts can be do
desktop items from this zone.If you disable this policy setting users are prevented from installing desktop items from this zone.If you do n
olicy setting and set the drop-down box to Enable XBAPs are automatically loaded inside Internet Explorer. The user cannot change this be
g and set the drop-down box to Enable XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
plorer. The user cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XPS files.If you disa
setting can be redirected to another Web page.If you disable this policy setting a user's browser that loads a page containing an active Me
rol to run from the current site or from all sites.If you disable this policy setting the user does not see the per-site ActiveX prompt and Acti
u enable this policy setting users can perform OpenSearch queries in this zone using Search Connectors.If you disable this policy setting us
m within the File Explorer) it might affect other items as well that are marked from this zone. For example some application-specific items
e user can enable or disable script access to the WebBrowser control. By default script access to the WebBrowser control is allowed only in
u disable this policy setting the possible harmful actions contained in script-initiated pop-up windows and windows that include the title an
n.If you selected Disable in the drop-down box VBScript is prevented from running.If you do not configure or disable this policy setting VBS
f Internet Explorer 8 this policy setting controls HTML+TIME media elements that refer to audio and video files.If you enable this policy setti
Explorer windows that have no status bar or Address bar.If you do not configure this policy setting the user can choose whether websites
an enable or disable the Notification bar behavior.
g the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.If you do not configure this policy setting
ot configure this setting file downloads that are not user-initiated will be blocked and users will see the Notification bar instead of the file d
urity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonse
one certificate.If you disable this policy setting Internet Explorer prompts users with a "Client Authentication" message when they connec
ble this policy setting Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX
ers who aren't trusted. Code signed by trusted publishers is silently downloaded.If you disable the policy setting signed controls cannot be
p-down box users are queried to choose whether to allow the unsigned control to run.If you disable this policy setting users cannot run un
fferent windows. Users cannot change this setting.If you enable this policy setting and click Disable users cannot drag content from one do
e same window. Users cannot change this setting.If you enable this policy setting and click Disable users cannot drag content from one do
rity zone will run without the added layer of security provided by this feature.If you disable this policy setting the actions that may be harm
path.If you enable this policy setting path information is sent when the user is uploading a file via an HTML form.If you disable this policy s
g causes both unsafe and safe controls to be initialized and scripted ignoring the Script ActiveX controls marked safe for scripting option.If
area in memory outside of which the program cannot make calls) plus capabilities like scratch space (a safe and secure storage area on the
you select Prompt in the drop-down box users are queried to choose whether to run applications and download files from IFRAMEs on the
ord to query users for user IDs and passwords. After a user is queried these values can be used silently for the remainder of the session.Au
queried whether to allow windows and frames to access applications from other domains.If you disable this policy setting users cannot op
users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options dia
g Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box Internet Explorer will prompt t
ernet Explorer will execute signed managed components. If you select Prompt in the drop-down box Internet Explorer will prompt the use
plug-in to run.If you disable this policy setting controls and plug-ins are prevented from running.If you do not configure this policy setting
teraction.If you disable this policy setting script interaction is prevented from occurring.If you do not configure this policy setting script int
sable this policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts can access applets a
pen without a security warning. If you set the drop-down box to Prompt a security warning appears before the files open.If you disable th
ftware packages to be automatically installed on users' computers.Medium safety to allow users to be notified of software updates by e-m
his zone can be submitted automatically. If you select Prompt in the drop-down box users are queried to choose whether to allow informa
e developer tools. It includes the new managed code APIs for Windows.If you enable this policy setting .NET Framework Setup is turned off
icy setting the first-run prompt is turned off in the corresponding zone.If you disable this policy setting the first-run prompt is turned on in
ng the XSS Filter is turned off for sites in this zone and Internet Explorer permits cross-site script injections.
ff Protected Mode.If you disable this policy setting Protected Mode is turned off. The user cannot turn on Protected Mode.If you do not co
t configure this policy setting the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.Note: In Inter
not prevented from appearing.If you do not configure this policy setting most unwanted pop-up windows are prevented from appearing.
icy setting users can preserve information in the browser's history in favorites in an XML store or directly within a Web page saved to disk.
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box a warning is issue
ot configure this setting users will receive a file download dialog for automatic download attempts.
not prevented from appearing.If you do not configure this policy setting pop-up windows are not prevented from appearing.
ity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box a warning is issued t
le this policy setting script code on pages in the zone is prevented from running.If you do not configure this policy setting users are queried
n.If you selected Disable in the drop-down box VBScript is prevented from running.If you do not configure or disable this policy setting use
olicy setting files are prevented from being downloaded from the zone. If you do not configure this policy setting files are prevented from
ou disable this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting users are queried whe
x users are queried whether to allow additional windows and frames to access applications from other domains.If you disable this policy se
sable this policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts are prevented from
col Lockdown policy.If you enable this policy setting no Trusted Sites Zone content accessed is affected even for protocols on the restricted
olicy setting files are prevented from being downloaded from the zone. If you do not configure this policy setting files are prevented from
ou disable this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting users are queried whe
x users are queried whether to allow additional windows and frames to access applications from other domains.If you disable this policy se
sable this policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts are prevented from
Internet Explorer tiles are opened.
figure this policy setting users can choose how links are opened in Internet Explorer.
o directly to an intranet site for a one-word entry in the Address bar.
rer will be shown.If you do not configure this policy setting the button to open Microsoft Edge from Internet Explorer can be configured by
s policy setting the user can choose when to underline links.
em connecting with an Internet server the user does not see a detailed description or hints about how to correct the problem. The user can
ge transitions will be turned on. The user cannot change this behavior.If you do not configure this policy setting the user can turn on or off
phone number detection is turned on. Users won't be able to modify this setting.If you don't configure this policy setting users can turn th
do not configure this policy setting the user can hide or show the button to open Microsoft Edge from Internet Explorer.
rosoft JScript.If you enable this policy setting script debugging is turned on. The user cannot turn off script debugging.If you disable this po
pear properly because of problems with its scripting. The user cannot change this policy setting.If you disable this policy setting the user is
cannot prevent the wizard from starting.If you disable this policy setting the Internet Connection Wizard does not start automatically. The
you do not configure this policy setting the user can change the "Enable alternative codecs in HTML5 media elements" setting on the Adv
cy setting placeholders appear for graphical images while the images are downloading. The user cannot change this policy setting. The "Tu
user cannot change this setting.If you do not configure this policy setting the user can turn on or off automatic image resizing.
not turn on image display. However the user can still display an individual image by right-clicking the icon that represents the image and th
off.If you do not configure this policy setting the user can turn on or turn off smart image dithering.
etting the printing of background colors and images is turned on. The user cannot turn it off.If you disable this policy setting the printing o
he Address bar for searches. The user can still perform searches on the Search bar by clicking the Search button. â€¢ Display the results i
d in the main window. â€¢ Enable top result search: When a user performs a search in the Address bar the user is directed to an externa
gnup process after the branding is complete for ISPs (IEAK). The user cannot change this behavior.If you disable this policy setting Internet
or File Explorer is turned off. The user cannot turn it on.If you disable this policy setting Inline AutoComplete for File Explorer is turned on.
ll be turned off. Users will not be able to turn on URL Suggestions.If you disable this policy setting URL Suggestions will be turned on. Users
r Address bar.If you enable this policy setting Internet Explorer does not use Windows Search AutoComplete for providing relevant results
The user cannot turn it off.If you disable this policy setting inline AutoComplete is turned off. The user cannot turn it on.If you do not confi
not configure this policy setting the user can choose the default text size in Internet Explorer.
ser can specify the background color in Internet Explorer.
color in Internet Explorer.
y setting the user can turn on or turn off Windows colors for display.
dy clicked in Internet Explorer. You must specify the link color (for example: 192192192).If you disable or do not configure this policy settin
et clicked in Internet Explorer. You must specify the link color (for example: 192192192).If you disable or do not configure this policy settin
he user can specify the hover color.
etting the user can turn on or turn off the hover color option.
oes not allow sending the path portion of URLs as UTF-8. The user cannot change this policy setting.If you disable this policy setting Interne
e disabled. Users also cannot add content that is based on a channel such as some of the Active Desktop items from Microsoft's Active De
The Make Available Offline check box will be dimmed in the Add Favorite dialog box.If you disable this policy or do not configure it users c
e cleared and users cannot select them. To display this tab users click the Tools menu click Synchronize select a Web page click the Proper
eck box on the Web tab in the Display Properties dialog box.If you disable this policy or do not configure it users can view and subscribe to
scribed to. However synchronization with the Web pages will still occur to determine if any content has been updated since the last time t
e Properties dialog box are dimmed. To display this tab users click the Tools menu click Synchronize select a Web page click the Properties
ave been set up for offline viewing. If users click the Tools menu click Synchronize select a Web page and then click the Properties button
ttings for downloading Web content.If you disable this policy or do not configure it channel providers can record information about when th
policy or do not configure it users can disable the synchronization of channels.This policy is intended to help administrators ensure that u
anize Favorites Favorite dialog box and the Make This Page Available Offline check box will be selected but dimmed. To display the Make T
If you disable this policy or do not configure it then users can determine the amount of content that is searched for new information and
mit.Note: This setting does not appear in the user interface.
this limit.Note: This setting does not appear in the user interface.
et this limit.Note: This setting does not appear in the user interface.
et this limit.Note: This setting does not appear in the user interface.
this limit.Note: This setting does not appear in the user interface.
user's browsing. However doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30.If you enab
a user's browsing. However doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30.If you en
le this policy setting toolbars and BHOs are not loaded by default during an InPrivate Browsing session.If you disable this policy setting too
etting InPrivate Filtering data collection is turned off.If you disable this policy setting InPrivate Filtering collection is turned on.If you do not
his policy setting InPrivate Browsing is available for use.If you do not configure this policy setting InPrivate Browsing can be turned on or o
s have visited.If you enable this policy setting InPrivate Filtering is turned off in all browsing sessions and InPrivate Filtering data is not colle
users have visited.If you enable this policy setting Tracking Protection is disabled in all browsing sessions and Tracking Protection data is n
u enable this policy setting the reveal password button will be hidden for all password fields. Users and developers will not be able to depe
ou enable this policy setting Data URI support is turned off. Without Data URI support a Data URI will be interpreted as a failed URL.If you d
used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting which defines whether add-ons not listed here
nces and policy settings.If you enable this policy setting all processes will respect add-on management user preferences and policy settings
web pages.By default the 'Add-on List' policy setting defines a list of add-ons to be allowed or denied through Group Policy. However user
end support for these user preferences and policy settings to specific processes listed in the process list.If you enable this policy setting an
veX control.If you disable or don't configure this policy setting users will see the "Run this time" button on the warning message that appea
ownload breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls poten
xplorer continues to block specific outdated ActiveX controls.For more information see "Outdated ActiveX Controls" in the Internet Explor
cked in Internet Explorer. Each domain entry must be formatted like one of the following:1. "domain.name.TLD". For example if you want
setting Internet Explorer won't log ActiveX control information.Note that you can turn this policy setting on or off regardless of the "Turn o
user can choose to run natively implemented scriptable XMLHTTP.
net Explorer uses the default connection limit for HTTP 1.1 (6 connections per host).In versions of Internet Explorer before Internet Explore
ternet Explorer prior to Internet Explorer 8 the default connection limit for HTTP 1.0 was 4.
this policy setting Internet Explorer uses the default limit of 6 WebSocket connections per server.
uest data across third-party domains embedded in the page.
et Explorer 10. Also this policy setting does not prevent a site from requesting cross-domain data through a server.If you enable this policy
omain data through a server.If you enable this policy setting websites cannot request data across domains by using the XDomainRequest o
y or behavior on a page.)If you enable this policy setting this sets the list of behaviors permitted in each zone for which Script and Binary B
e prevented for all processes. Any use of binary behaviors for HTML rendering is blocked.If you disable or do not configure this policy settin
his policy setting Internet Explorer 9 installs binaries signed by MD2 and MD4 signing technologies.If you disable or do not configure this p
e prevented for the File Explorer and Internet Explorer processes.If you disable this policy setting binary behaviors are allowed for the File
applications for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 bin
pe of a file is text/plain but the MIME sniff indicates that the file is really an executable file Internet Explorer renames the file by saving it in
to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malici
to all local files and content processed by Internet Explorer. This feature helps to mitigate attacks where the Local Machine zone is used a
pplies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load
eature is disabled for all processes.
es will allow a MIME sniff promoting a file of one type to a more dangerous file type.If you do not configure this policy setting MIME sniffin
ter a Value of 1 this protection will be in effect. If you enter a Value of 0 any file may be promoted to more dangerous file types. The Value
setting the MK Protocol is enabled.
able this policy setting applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and I
tting and enter a Value of 1 use of the MK protocol is prevented. If you enter a Value of 0 use of the MK protocol is allowed. If a Value Nam
hrough restricted protocols is allowed for all processes other than File Explorer or Internet Explorer.If you disable this policy setting restric
ontent obtained through restricted protocols is allowed for File Explorer and Internet Explorer processes. For example you can restrict activ
s for which they want restricting content obtained through restricted protocols to be prevented or allowed.If you enable this policy setting
s to all processes which have opted in to the security restriction.If you enable this policy setting for a zone this sets the list of protocols to
rocesses for which the Notification bar is displayed by default). If you enable this policy setting the Notification bar will be displayed for all
er Processes.If you disable this policy setting the Notification bar will not be displayed for Internet Explorer processes.If you do not configu
bar is displayed by default).If you enable this policy setting and enter a Value of 1 the Notification bar is displayed. If you enter a Value of 0
y setting object reference is retained when navigating within or across domains in the Restricted Zone sites.
setting an object reference is retained when navigating within or across domains for Internet Explorer processes.If you do not configure th
a Value of 1 references to objects are inaccessible after navigation. If you enter a Value of 0 references to objects are still accessible after
Local Machine security zone a prime target for malicious users.If you enable this policy setting any zone can be protected from zone elevati
rity zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.If you enable t
e security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.This pol
etting the Web Browser Control will not block automatic prompting of ActiveX control installation for all processes.
ocked for Internet Explorer processes.If you do not configure this policy setting the user's preference will be used to determine whether to
installation is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting
policy setting the Web Browser Control will not block automatic prompting of file downloads that are not user initiated for all processes.
r Internet Explorer processes.If you do not configure this policy setting the user's preference determines whether to prompt for file downl
non-initiated file downloads is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1
d status bars.If you enable this policy setting scripted windows are restricted for all processes.If you disable or do not configure this policy
d status bars.If you enable this policy setting popup windows and other restrictions apply for File Explorer and Internet Explorer processes
d status bars.This policy setting allows administrators to define applications for which they want this security feature to be prevented or a
played with its default settings unless users customize it.
nd buttons are displayed:Show all text labels: All command buttons have only text.Show selective text: Some command buttons have only
bars submenu of the Tools menu in the Command bar in subsequent versions of Internet Explorer.If you enable this policy the Customize o
users can determine which toolbars are displayed in File Explorer and Internet Explorer.This policy can be used in coordination with the "D
d bar is shown by default and the user can choose to hide it.
default and the user can choose to hide it.
cked by default but the user can unlock them through the shortcut menu of the Command bar.
he Address bar and the user cannot move them.If you do not configure this policy setting the Stop and Refresh buttons are next to the Add
bars or Browser Helper Objects that are enabled or disabled via policy settings do not undergo this check.If you enable this policy setting th
er (20 x 20 pixels).If you do not configure this policy setting icons for command buttons are 16 x 16 pixels and the user can make them bigg
on this computer will not be prevented from using location information from the location feature.
move snap-ins. Also because they cannot open author-mode console files they cannot use the tools that the files contain.This setting perm
nap-ins setting folder and enable the settings representing the snap-in you want to permit. If a snap-in setting in the folder is disabled or n
the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that po
f "Restrict users to the explicitly permitted list of snap-ins" is enabled users cannot use any snap-in except those explicitly permitted. To
sers and Computers and Active Directory Sites and Services snap-ins. If you disable the setting the Group Policy tab is not displayed in thos
plication preference items.If you enable or do not configure this policy setting you permit use of Application snap-ins. Enabling this policy s
y setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit
ion is prohibited it does not appear in the Group Policy Management Editor window.If you enable this policy setting you permit use of the
prohibited it does not appear in the Group Policy Management Editor window.If you enable this policy setting you permit use of the Contr
y the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this pol
"Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this policy se
setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit u
y setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit
overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit use of t
by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this po
tting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit use o
tting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit use o
d by the "Permit use of Control Panel Settings (Users)" policy setting. Enabling this policy setting overrides the "Restrict users to the explic
estricted by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabli
ed by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this
olicy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you proh
by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this po
age preference items.If you enable this policy setting you permit use of the Preferences tab. Enabling this policy setting does not override
"Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this policy se
ed by the "Permit use of Control Panel Settings (Users)" policy setting. Enabling this policy setting overrides the "Restrict users to the explic
tting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit use
d by the "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users)" policy settings. Enabling this
"Permit use of Control Panel Settings (Computers)" policy setting. Enabling this policy setting overrides the "Restrict users to the explicitly
etting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit us
the "Permit use of Control Panel Settings (Users)" policy setting. Enabling this policy setting overrides the "Restrict users to the explicitly pe
ocation. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the se
settings for Windows apps.If you disable this policy setting the UE-V Agent will synchronize settings for Windows apps. If you do not confi
â€™t attempt the synchronization. If you enable this policy setting the sync provider pings the settings storage location before synchronizin
n the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log.If you disable or do not config
r environment.
s setting disabled the UE-V Agent does not synchronize settings over a metered connection.If you do not configure this policy setting any d
s roaming.With this setting enabled the UE-V Agent synchronizes settings over a metered connection that is roaming.With this setting disa
e settings. If you disable or do not configure this policy setting the default value of 2000 milliseconds is used.
h Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in informatio
information is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting to register
certain user settings of Microsoft Access 2013 will continue to be backed up.If you disable this policy setting certain user settings of Micro
certain user settings of Microsoft Access 2016 will continue to be backed up.If you disable this policy setting certain user settings of Micro
ngs continue to synchronize. If you disable this policy setting Calculator user settings are excluded from the synchronization settings.If you
uppress the backup of specific common Microsoft Office Suite 2013 applications.If you enable this policy setting certain user settings whic
uppress the backup of specific common Microsoft Office Suite 2016 applications.If you enable this policy setting certain user settings whic
ain user settings of Microsoft Excel 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Ex
ain user settings of Microsoft Excel 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Ex
etting certain user settings of Microsoft InfoPath 2013 will continue to be backed up.If you disable this policy setting certain user settings o
setting the Internet Explorer 10 user settings continue to synchronize. If you disable this policy setting Internet Explorer 10 user settings ar
etting the Internet Explorer 11 user settings continue to synchronize.If you disable this policy setting Internet Explorer 11 user settings are
tting the Internet Explorer 8 user settings continue to synchronize. If you disable this policy setting Internet Explorer 8 user settings are excl
tting the Internet Explorer 9 user settings continue to synchronize. If you disable this policy setting Internet Explorer 9 user settings are excl
plorer from synchronization between computers. If you enable this policy setting the user settings which are common between the version
n user settings of Microsoft Lync 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Lync
n user settings of Microsoft Lync 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Lync
policy setting Microsoft Access 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Access 2010 user setti
y setting Microsoft Excel 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Excel 2010 user settings are
e this policy setting Microsoft InfoPath 2010 user settings continue to synchronize.If you disable this policy setting Microsoft InfoPath 2010
e this policy setting Microsoft InfoPath 2013 user settings continue to synchronize.If you disable this policy setting Microsoft InfoPath 2013
setting Microsoft Lync 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Lync 2010 user settings are ex
setting Microsoft Lync 2013 user settings continue to synchronize.If you disable this policy setting Microsoft Lync 2013 user settings are exc
setting Microsoft Lync 2016 user settings continue to synchronize.If you disable this policy setting Microsoft Lync 2016 user settings are exc
settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. If you enable
settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers.If you enable
tion between computers.If you enable this policy setting Microsoft Office 2013 Upload Center user settings continue to synchronize.If you
settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers.If you enable
tion between computers.If you enable this policy setting Microsoft Office 2016 Upload Center user settings continue to synchronize.If you
hronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office
hronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office
e common between the Microsoft Office Suite 2013 applications will synchronize between a userâ€™s work computers with UE-V by defau
e common between the Microsoft Office Suite 2016 applications will synchronize between a userâ€™s work computers with UE-V by defau
synchronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft O
nchronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Offic
nchronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Offic
3 will synchronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Micros
6 will synchronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Micros
chronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office
chronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office
oint Designer 2013 will synchronize between a userâ€™s work computers with UE-V by default. Use this policy setting to prevent the user s
you enable this policy setting OneDrive for Business 2013 user settings continue to synchronize.If you disable this policy setting OneDrive fo
you enable this policy setting OneDrive for Business 2016 user settings continue to synchronize.If you disable this policy setting OneDrive fo
le this policy setting Microsoft OneNote 2010 user settings continue to synchronize.If you disable this policy setting Microsoft OneNote 20
his policy setting Microsoft Outlook 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Outlook 2010 us
ou enable this policy setting Microsoft PowerPoint 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Po
policy setting Microsoft Project 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Project 2010 user se
ble this policy setting Microsoft Publisher 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Publisher 2
n between computers.If you enable this policy setting Microsoft SharePoint Designer 2010 user settings continue to synchronize.If you dis
n between computers.If you enable this policy setting Microsoft SharePoint Designer 2013 user settings continue to synchronize.If you dis
onization between computers.If you enable this policy setting Microsoft SharePoint Workspace 2010 user settings continue to synchronize
setting Microsoft Visio 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Visio 2010 user settings are e
cy setting Microsoft Word 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Word 2010 user settings a
ontinue to synchronize. If you disable this policy setting Notepad user settings are excluded from the synchronization settings.If you do not
setting certain user settings of Microsoft OneNote 2013 will continue to be backed up.If you disable this policy setting certain user settings
setting certain user settings of Microsoft OneNote 2016 will continue to be backed up.If you disable this policy setting certain user settings
tting certain user settings of Microsoft Outlook 2013 will continue to be backed up.If you disable this policy setting certain user settings of M
tting certain user settings of Microsoft Outlook 2016 will continue to be backed up.If you disable this policy setting certain user settings of M
s policy setting certain user settings of Microsoft PowerPoint 2013 will continue to be backed up.If you disable this policy setting certain us
s policy setting certain user settings of Microsoft PowerPoint 2016 will continue to be backed up.If you disable this policy setting certain us
g certain user settings of Microsoft Project 2013 will continue to be backed up.If you disable this policy setting certain user settings of Micr
g certain user settings of Microsoft Project 2016 will continue to be backed up.If you disable this policy setting certain user settings of Micr
setting certain user settings of Microsoft Publisher 2013 will continue to be backed up.If you disable this policy setting certain user setting
setting certain user settings of Microsoft Publisher 2016 will continue to be backed up.If you disable this policy setting certain user setting
3 settings.If you enable this policy setting certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up.If you d
n user settings of Microsoft Visio 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Visi
n user settings of Microsoft Visio 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Visi
tain user settings of Microsoft Word 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft
tain user settings of Microsoft Word 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft
continue to synchronize. If you disable this policy setting WordPad user settings are excluded from the synchronization settings.If you do
o sync.If you disable this policy setting Finance user settings are excluded from synchronization.If you do not configure this policy setting a
nc.If you disable this policy setting Games user settings are excluded from synchronization.If you do not configure this policy setting any d
you disable this policy setting Maps user settings are excluded from synchronization.If you do not configure this policy setting any defined
f you disable this policy setting Music user settings are excluded from the synchronizing settings.If you do not configure this policy setting
you disable this policy setting News user settings are excluded from synchronization.If you do not configure this policy setting any defined
ync.If you disable this policy setting Reader user settings are excluded from the synchronization.If you do not configure this policy setting a
.If you disable this policy setting Sports user settings are excluded from synchronization.If you do not configure this policy setting any defi
If you disable this policy setting Travel user settings are excluded from synchronization.If you do not configure this policy setting any defin
you disable this policy setting Video user settings are excluded from synchronization.If you do not configure this policy setting any defined
ue to sync.If you disable this policy setting Weather user settings are excluded from synchronization.If you do not configure this policy setti
file.If you enable this policy setting users cannot share files within their profile using the sharing wizard. Also the sharing wizard cannot cr
cy experience will not launch for newly-created user accounts or for accounts that would have been prompted to choose their privacy setti
uick and easy way to configure their system settings before a presentation to block system notifications and screen blanking adjust speaker
o connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting.You can enforce this policy setti
setting is enforced users cannot override this setting even if they select the "Use these RD Gateway server settings" option on the client.To
ers cannot override this setting even if they select the "Use these RD Gateway server settings" option on the client.Note: It is highly recom
uter. Before a user starts an RDP session the user receives a warning message and is asked to confirm whether they want to connect.If you
store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example when a user d
settings any password that previously existed in the RDP file will be deleted.If you disable this setting or leave it not configured the user w
an .rdp file that is signed by a trusted certificate the user does not receive any warning messages when they start the file. To obtain the th
n.2. Full Control with user's permission: Allows the administrator to interact with the session with the user's consent.3. Full Control witho
he current session time (current session time = server base time + client time zone).If you disable or do not configure this policy setting the
ocal computer. By default Remote Desktop Services allows Clipboard redirection.If you enable this policy setting users cannot redirect Clip
nters are redirected in Remote Desktop Services sessions.
n the Remote Desktop Easy Print printer driver cannot be used a printer driver on the RD Session Host server that matches the client print
er profile Remote Desktop Connection or through Group Policy.If you enable this policy setting the desktop is always displayed when a clie
mote Desktop Services session. If you disable this policy setting wallpaper is displayed in a Remote Desktop Services session depending on
cified with this setting by the server administrator or by the user in configuring the client connection. Enabling this setting overrides the "S
are reached. By default Remote Desktop Services disconnects sessions that reach their time limits.Time limits are set locally by the server a
l automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the
ect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services sessio
esktop Services session without logging off and ending the session.When a session is in a disconnected state running programs are kept ac
ost server but it is not logged off.If you enable this policy setting when a user closes the last running RemoteApp program associated with a
types to be associated with RemoteApp programs.The default connection URL must be configured in the form of http://contoso.com/rdw
d list in the Favorites Center.
policy setting the user receives a notification when a feed or Web Slice is available and can click the feed discovery button.
gh the Feed APIs.If you disable or do not configure this policy setting the user can set the Feed Sync Engine to download an enclosure thro
ed or Web Slice by using the Feed APIs. A developer also cannot create or delete folders.If you disable or do not configure this policy settin
P connection.If you disable or do not configure this policy setting the Windows RSS Platform does not authenticate feeds to servers by usin
o not reference a specific SID will not be excluded from indexing if these are only specified in the Group Policy under "User Configuration."
ce a specific SID will not be included for indexing if these are only specified in the Group Policy under "User Configuration." To include a fil
e index.This policy has no effect if the Files on Microsoft Networks add-in is not installed.Disabled by default.
hat do not reference a specific SID will not be excluded from indexing if these are only specified in the Group Policy under "User Configura
his policy setting users will get search suggestions based on previous searches in the search pane.
ure this policy setting Sound Recorder can be run.
the Microsoft Store.
t configure this policy users will be able to use this feature to print to a Journal Note.
ors will be shown unless the user disables them in Control Panel.
able this policy applications can be launched from a hardware button.If you do not configure this policy applications can be launched from
system administrator."If you disable this policy press and hold actions for buttons will be available.If you do not configure this policy press
ser and OEM defined button actions will occur when the buttons are pressed.
ch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard
ext symbols numbers or keyboard shortcuts.If you enable this policy Input Panel will never appear next to text entry areas when using a ta
ls numbers or keyboard shortcuts.If you enable this policy Input Panel will never appear next to any text entry area when a user is using to
only when these input languages or keyboards are installed. Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windo
Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy Input Panel
olicy application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Panel
g what keys are tapped when entering a password.Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen
pes. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbol
led and that the pen flicks notification will never be displayed. However pen flicks the pen flicks tray icon and pen flicks training (that can b
his policy pen flicks and related features are available.
touch-specific features.If you disable this setting the user can produce input with touch by using gestures the touch pointer and other-tou
ndows by touch. If you disable this setting the user can pan windows by touch.If you do not configure this setting Touch Panning is on by d
's property sheet upon completion of the "Add Scheduled Task" wizard. The task's property sheet allows users to change task characteris
that appear in Detail view and in the task preview.This setting prevents users from viewing and changing characteristics such as the progra
tion and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the settin
tart in" box that determine the program and path for a task.As a result when users create a task they must select a program from the list i
ult users cannot add new scheduled tasks by dragging moving or copying a document or program into the Scheduled tasks folder.This setti
User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User
ks folder.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setti
n.The default is for Windows Calendar to be turned on.
lor profiles that they previously installed. Administrators will be able to uninstall all color profiles.
tting Windows Defender SmartScreen is turned on and employees can't turn it off.If you disable this setting Windows Defender SmartScree
onfigure this setting employees can ignore Windows Defender SmartScreen warnings and continue to the site.
ory dumps generated for error reports by Microsoft Windows are automatically uploaded without notification to the user.If you disable th
ts and errors are logged to the system event log as with other Windows-based programs.
oft. Additionally solution information is not available in Security and Maintenance in Control Panel.If you disable or do not configure this p
or do not configure this policy setting then consent policy settings in Computer Configuration/Administrative Templates/Windows Compo
s that can contain data about the same event types as an earlier uploaded report.If you disable or do not configure this policy setting WER
r source.If you enable this policy setting WER does not determine whether the computer is running on battery power but checks for soluti
sable or do not configure this policy setting WER does not send data but will check the network cost policy again if the network profile is c
Store parameters only only the minimum information required to check for an existing solution is stored. The Maximum number of repor
her the report should be placed in the reporting queue or the user should be prompted to send it immediately. When Queuing behavior is
er reports errors click Show and then add or remove applications from the list of application file names in the Show Contents dialog box (e
ending data: Windows prompts users for consent to send reports.- Send parameters: Only the minimum data that is required to check for
fatal errors: crash no response and kernel fault errors. For each specified event type you can set a consent level of 0 1 2 3 or 4.- 0 (Disable
m consent policy settings for error reporting determine the consent level for specified event types and the default consent setting determi
dows Hello for Business enrolls a key that is used for on-premises authentication.NOTE: Disabling or not configuring this policy setting and
s.If you disable this policy setting the device does not provision Windows Hello for Business for any user.If you do not configure this policy
computer (installed automatically) or made available in Add or Remove Programs in Control Panel. This profile setting lets users install pro
e installation is running in the user's security context.If you disable or do not configure this policy setting users can install from removable
prevents Windows Installer from retaining files it intends to delete later. As a result Windows Installer cannot restore the computer to its
tting you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer
pire.If you disable or do not configure this setting users receive warnings before the logon hours expire if actions have been set to occur w
not configured no popup will be displayed to the user.
ours.If you choose to log off a user the user cannot log on again except during permitted logon hours. If you choose to log off a user the us
n for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in the Player a
he Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first use dialog
figured are not be updated and presets a user adds are not be displayed.If you disable or do not configure this policy setting the Player au
s are used.If the Custom proxy type is selected the rest of the options on the Setting tab must be specified because no default settings are
ptions on the Setting tab must be specified; otherwise the default settings are used. The options are ignored if Autodetect is selected.The
eaming media is buffered.- Default: default network buffering is used and the number of seconds that is specified is ignored.The "Use defa
ptions on the Setting tab must be specified; otherwise the default settings are used. The options are ignored if Autodetect is selected.The C
appears and users can use it to configure network settings.
tiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected a user can specify UDP ports in t
n the Player tab in the Player is selected and is not available.If you disable this policy setting a screen saver does not interrupt playback ev
disable this policy setting codecs are automatically downloaded and the Download codecs automatically check box is not available.If you d
cy is not configured or disabled users can show or hide the anchor window when the Player is in skin mode by using the Player tab in the P
"Prevent music file media information retrieval" policy setting is enabled.The default privacy settings are used for the options on the Privac
ese settings have been hidden or disabled by Internet Explorer policies.If you disable or do not configure this policy setting users can confi
he skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin is not installed on a u
senger.Note: This policy setting is available under both Computer Configuration and User Configuration. If both are present the Computer
setting simply prevents Windows Messenger from running initially. If the user invokes and uses Windows Messenger from that point on W
obility Center and the .exe file launches it.If you do not configure this policy setting Windows Mobility Center is on by default.
th the SourcePath parameter on the Update-Help cmdlet.If this policy setting is disabled or not configured this policy setting does not set
e LogPipelineExecutionDetails property of the module to True. If you disable this policy setting logging of execution events is disabled f
If you disable this policy setting logging of PowerShell script input is disabled. If you enable the Script Block Invocation Logg
ws PowerShell engine. By default Windows PowerShell will record transcript output to each users' My Documents directory with a file
he "Allow local scripts and remote signed scripts" policy setting allows any local scrips to run; scripts that originate from the Internet must
dless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.If you disable o
on when the user selects the Shut Down option in the Start menu.If you disable or do not configure this policy setting the 'Install Updates a
nu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical update
is policy setting is disabled or not configured no Work Folders settings are specified for the affected users though users can manually set u
able this setting you can select specific items not to display on the Control Panel window and the Start screen.To hide a Control Panel item
rch resultsIf users try to select a Control Panel item from the Properties item on a context menu a message appears explaining that a settin
instead.This policy has two modes: it can either specify a list of settings pages to show or a list of pages to hide. To specify a list of pages to
his policy has no effect on items displayed in PC settings.To display a Control Panel item enable this policy setting and click Show to access
ed system services. If you enable this setting "Set up services" never appears.This setting does not prevent users from using other methods
nstall programs.
Remove Windows Components button is available to all users.This setting does not prevent users from using other tools and methods to c
tools and methods to delete or uninstall programs.
gram components.Note: If the "Hide Add New Programs page" setting is enabled this setting is ignored. Also if the "Prevent removable me
grams page" setting is enabled this setting is ignored.
taller. Typically system administrators publish programs to notify users that the programs are available to recommend their use or to enab
r do not configure it the Set Program Access and Defaults button is available to all users.This setting does not prevent users from using oth
e Programs.If you disable this setting or do not configure it Add or Remove Programs is available to all users.When enabled this setting tak
and version number of the program. The dialog box also includes a hyperlink to support information on the Internet such as the Microsoft
st enter a category that is already defined in Add or Remove Programs. To define a category use Software Installation.If you disable this se
en saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. S
nfigure this setting the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is av
e this setting type the name of the file that contains the screen saver including the .scr file name extension. If the screen saver file is not in
t theme will be applied at the first logon.
setting.If you do not configure this setting users can choose whether or not to set password protection on each screen saver.To ensure tha
his setting is disabled or not configured the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Disp
enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for more infor
specific theme" setting the theme defaults to whatever the user previously set or the system default.
not apply a different visual style when changing themes.
etting is disabled. - Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalizati
or on a home or office network" option. When users click Browse the system opens an Internet browser and navigates to the specified UR
d Printer Wizard's page 3 and do not specify a printer name in the adjacent "Name" edit box then Add Printer Wizard displays the list of sh
ory searches for printers. It does not restrict user searches through Active Directory.
o restrictions to printing based on connection type or printer Make/Model.
(separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the device vid
nt and print connection anytime a package point and print connection fails including attempts that are blocked by this policy. Administrato
er is available on the client a printer connection will be made. If a compatible print driver is not available on the client no connection will b
y try a message appears explaining that the setting prevents the action. However this setting does not prevent users from using the A
e methods described above.
that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically system administrat
be available to all users.This setting does not prevent users from using other tools and methods to install or uninstall programs.
trol Panel Features including Windows Features Get Programs or Windows Marketplace.
.If this setting is disabled or not configured the Set Program Access and Defaults button is available to all users.This setting does not preve
vent users from using other tools and methods to configure services or enable or disable program components.
methods. If this feature is disabled or is not configured the "Get new programs from Windows Marketplace" task link will be available to al
ppear in the Programs Control Panel.If this setting is disabled or not configured the Programs Control Panel in Category View and Program
this policy setting the user cannot see the Administrative options.If you disable or do not configure this policy setting the user can see the
olicy setting the user sees the option for changing the user location (GeoID).Note: Even if a user can see the GeoID option the "Disallow ch
disable or do not configure this policy setting the user sees the option for changing the UI language.Note: Even if a user can see the option
is policy setting the user sees the regional formats options for changing and customizing the user locale.
e featuresâ€¯isâ€¯preventedâ€¯for the user.â€¯â€¯ If you disable or do not configure this policy setting there is noâ€¯language packs
pecifying a language different than the one used.To enable this policy setting in Windows Vista use the "Restricts the UI languages Window
tting the language selection defaults to the language selected by the user.If you disable or do not configure this policy setting there is no re
nfigured then the user will be free to change the setting according to their preference. Note that the availability and function of this se
the user will be free to change the setting according to their preference. Note that the availability and function of this setting is depen
will be locked to not insert a space after selecting a text prediction. If the policy is Disabled or Not Configured then the user will be fre
icy is Disabled or Not Configured then the user will be free to change the setting according to their preference. Note that the availabili
he Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the han
File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop.
e the Start button) and point to "Toolbars."Also see the "Prohibit adjusting desktop toolbars" setting.
pace allowing them to present their users with a simpler desktop environment.If you enable this setting Computer is hidden on the deskto
nu. To do so use the "Remove My Documents icon from Start Menu" setting.Note: To make changes to this setting effective you must log
his policy setting the Properties menu command is displayed.
he Desktop Cleanup Wizard or have it run automatically every 60 days from Display by clicking the Desktop tab and then clicking the Custo
bar open Network Locations click Entire Network and then click Directory. Right-click the name of a Windows domain and click Find. Type
pt them to casually browse Active Directory.
s returned" box to limit returns from an Active Directory search.If you disable this setting or do not configure it the system displays up to 1
deleted each time the setting is refreshed.Note: Removing an item from the "Add" list for this setting is not the same as deleting it. Items
llpaper".Also see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Contro
Windows\web\wallpaper\home.jpg or a UNC path such as \\Server\Share\Corp.jpg. If the specified file is not available when the user logs
"Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled Acti
their desktop wallpaper.
"Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled Ac
tent or disable lock or synchronize Active Desktop components.

ms from their Active Desktop.
box is available to users.If you enable this setting a Properties menu item appears when any user right-clicks the icon for a remote access c
\Microsoft\Network\Connections\Pbk to delete a shared remote access connection.If you disable this setting (and enable the "Enable Net
dministrators" setting) double-clicking the icon has no effect and the Enable and Disable menu items are disabled for all users (including ad
menu.If you disable this setting the Rename option is disabled for nonadministrators only.If you do not configure the setting only Administ
Configuration Operators can rename LAN connectionsNote: This setting does not apply to Administrators.Note: When the "Ability to renam
ctions is disabled for all users (including Administrators and Network Configuration Operators).Important: If the "Enable Network Connecti
essional do not have the ability to prohibit the use of features from Administrators.If you enable this setting the Windows XP settings that
l Area Connection Properties dialog box.Important: If the "Enable Network Connections settings for Administrators" is disabled or not con
uration Operators are prohibited from accessing connection components regardless of the "Enable Network Connections settings for Adm
s (including administrators).Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured this s
anced Settings item is disabled for administrators.Important: If the "Enable Network Connections settings for Administrators" is disabled o
nable Network Connections settings for Administrators" is disabled or not configured this setting will not apply to administrators on post-W
bled for all users (including administrators).Important: If the "Enable Network Connections settings for Administrators" is disabled or not c
the Windows Components Wizard.Important: If the "Enable Network Connections settings for Administrators" is disabled or not configure
Properties dialog box for a private connection is available to users.If you enable this setting (and enable the "Enable Network Connections
figured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setting or do not configure it the C
"Enable Network Connections settings for Administrators" is disabled or not configured this setting will not apply to administrators on pos
ngs for Administrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you
users (including administrators).Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured th
server information.Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured this setting w
are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the File m
with a valid IP address. By default a notification is displayed providing the user with information on how the problem can be resolved.If yo
ndicates that the computer can use local copies of network files while the server is inaccessible.-- "Never go offline" indicates that networ
o the events you want the system to log. The levels are cumulative; that is each level includes the events in all preceding levels."0" records
minder.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Com
ork offline when they are disconnected from this server or type "1" if they cannot.This setting appears in the Computer Configuration and U
able offline. Also it does not prevent them from using other programs such as Windows Explorer to view their offline files.This setting app
ve setting that locks down the configuration you establish by using other settings in this folder.This setting appears in the Computer Config
minutes and are displayed for 15 seconds. You can use this setting to change the update interval.This setting appears in the Computer Confi
ears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration t
o make available offline.Notes:This policy setting appears in the Computer Configuration and User Configuration folders. If both policy setti
e the Value column field blank.If you disable this policy setting the list of files and folders is deleted including any lists inherited from lower
e or folder. Leave the Value column field blank.If you disable this policy setting the list of files or folders made always available offline (inc
tem only performs a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are curren
omatically enables logon synchronization in Synchronization Manager.If this setting is disabled and Synchronization Manager is configured
ot configuring this setting files are not synchronized when the computer is suspended.Note: If the computer is suspended by closing the di
u disable the setting the system displays the reminder balloons and prevents users from hiding them.If this setting is not configured remin
eless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards.
w shared folders to be published when this setting is not configured.
ote: The default is to allow shared folders to be published when this setting is not configured.
e the memory space allocated to the VDM process and cannot run simultaneously.Enabling this setting adds a check box to the Run dialog
m the Start Menu.If you disable this setting or do not configure it users can use the Display Logoff item to add and remove the Log Off item
own by default and the user can change this setting to another action.
not configure this setting the system retains document shortcuts and when a user logs on the Recent Items menu and the Jump Lists appe
ogged off including the history of previous notifications for each tile.This setting does not prevent new notifications from appearing. See th
ear as toast notifications.A reboot is required for this policy setting to take effect.
es and other items to a program's Jump List so that the items is always present in this menu.
onfigure this policy setting users can change the programs currently pinned to the Taskbar.
reover the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button task
the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in th
play shortcuts at the bottom of the File menu. In addition the Jump Lists off of programs in the Start Menu and Taskbar do not show lists o
with the shortcut. If the target file is located on an NTFS partition the system then uses the target's file ID to find a path. If the resulting pat
s associated with the shortcut. If the target file is located on an NTFS partition the system then uses the target's file ID to find a path. If the
art menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons.If you disable this setting the
e it all Start menu shortcuts appear as black text.Note: Enabling this setting can make the Start menu slow to open.
) and the system clock.If this setting is disabled or is not configured the notification area is shown in the user's taskbar.Note: Enabling this
apps are sorted by category and the user can configure this setting.
he taskbar is locked auto-hide and other taskbar options are still available in Taskbar properties.If you disable this setting or do not config
ttings on the Start menu.

e the same program are grouped together. The users have the option to disable grouping if they choose.
he customize mode and rearrange tiles within Start and Apps.
her methods to issue the commands that appear on these menus.

he "Show app list in Start menu" in Settings so users cannot turn it to On.Selecting "Remove and disable setting" will remove the all apps li
The Power button is also removed from the Windows Security screen which appears when you press CTRL+ALT+DELETE.If you disable or d
" on the Start menu and "Where have my icons gone" in the notification area.If you disable this setting or do not configure it all pop-up te
ograms are accessible from the Start menu desktop and other locations.If you disable or do not configure this policy setting the Default Pro
must log off and then log on.If you disable or do not configure this policy setting he Documents icon is available from the Start menu.Also s
click Customize. If you are using Start menu click the Advanced tab and then under Start menu items click the Favorites menu. If you are
Explorer.Windows Update the online extension of Windows offers software updates to keep a userâ€™s system up-to-date. The Windows
this policy setting users can use the Display Logoff item to add and remove the Log Off item.This policy setting affects the Start menu only.
s try to start it a message appears explaining that a setting prevents the action.If you disable or do not configure this policy setting Netwo
w any notifications they miss. If you disable or do not configure this policy setting Notification and Security and Maintenance will be displa
right-clicking the desktop to start Display or right-clicking Computer to start System.If you disable or do not configure this policy setting th
rn the menu on.If you later disable the setting so that the Recent Items menu appears in the Start Menu the document shortcuts saved be
rives: e.g. C:--- Accessing local folders: e.g. \temp>Also users with extended keyboards will no longer be able to display the Run dialog box
plication key (the key with the Windows logo)+ F.Note: Enabling this policy setting also prevents the user from using the F3 key.In File Expl
user name label appears on the Start Menu in Windows XP and Windows Server 2003.
users you can use this setting to hide user-specific folders.Note that this setting hides all user-specific folders not just those associated wit
sing other methods such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" comman
enable this policy setting users can show an additional calendar in either Simplified Chinese (Lunar) or Traditional Chinese (Lunar) regardle
ot configure this policy setting all will allow users to turn on or off the display of "Most used" list using the Settings app. This is default beh
y when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that
tween the Apps view and the Start screen. Also the user will be able to configure this setting.
ell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you configured.Once the XML file is generate
s setting the system notification area expands to show all of the notifications that use this area.If you disable this setting the system notifi
ption so users do not try to change the setting while a setting is in effect.Note: Personalized menus require user tracking. If you enable the
the Start Menu.Also see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off personalized m
y setting a default value will be used which administrators and users will be able to modify.
setting a default value will be used which administrators and users will be able to modify.
iet Hours settings. If you do not configure this policy setting voice and video calls will be allowed during Quiet Hours by default. Admin
ot be able to change this or any other Quiet Hours settings. If you do not configure this policy setting Quiet Hours are enabled by d
or do not configure this policy setting toast notifications are enabled and can be turned off by the administrator or user. No reboots
than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted
ace program including the file name extension in the Shell name text box. If the interface program file is not located in a folder specified i
elcome screen is displayed each time a user logs on to the computer.This setting applies only to Windows 2000 Professional. It does not aff
ms such as Task Manager which are started by the system process or by other processes. Also if users have access to the command promp
gistration is missing the system searches for it in Active Directory and if it is found downloads it. The resulting searches might make some
batch files normally.Note: Do not prevent the computer from running batch files if the computer uses logon logoff startup or shutdown ba
Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer C
grams such as Task Manager which are started by the system process or by other processes. Also if users have access to the command pro
etting it prohibits Windows from searching for updates.If you disable or do not configure it Windows searches for updates and automatica
word is expiring.
Ctrl+Alt+Del.Tip:To lock a computer without configuring a setting press Ctrl+Alt+Delete and then click Lock this computer.
his policy setting users can see and select the Log off menu item when they press Ctrl+Alt+Del.
Task Manager. If users try to start Task Manager a message appears explaining that a policy prevents the action.If you disable or do not con
scale factor) many desktop applications can display blurry. Desktop applications that have not been updated to display properly in this sce
is setting use the drop-down box to specify the desired response.-- "Ignore" directs the system to proceed with the installation even if it i
eside the location name.If you disable or do not configure this setting Windows searches the installation location floppy drives and CD-RO
to search Windows Update.If you disable or do not configure this setting and "Turn off Windows Update device driver searching" is disable
e offline. All subfolders within the redirected folders are also made available offline. Note: This policy setting does not prevent files from b
This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching" nor d
ng the content to the new location the cached content is renamed in the local cache and not copied to the new location. To use this policy
ware or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting a
hen redirecting the Start Menu or legacy My Documents folder.If you disable or not configure this policy setting Windows Vista Windows
nap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directory Use
icy can specify the response to a slow link. Also the policy processing settings in this folder lets you override the programs' specified respo
use on the system.If you disable this setting or do not configure it new Group Policy object links are created in the enabled state. If you do
or disable this policy setting by default administrators can view RSoP data.Note: To view RSoP data on a client computer use the RSoP snap
n other subkeys.If you enable this policy setting the "Show Policies Only" command is turned on and administrators cannot turn it off. As a
g is Disabled or Not Configured the default display name of New Group Policy object is used.
0 to 30 minutes.If you enable this setting you can specify an update rate from 0 to 64800 minutes (45 days). If you select 0 minutes the co
d the source files stored in the GPO. If the local files are newer they are copied into the GPO.Changing the status of this setting to Enabled
uch that their respective features can access the Internet.If you do not configure this policy setting all of the the policy settings in the "Inte
em in the Open With dialog is removed.If you disable or do not configure this policy setting the user is allowed to use the Store service and
be downloaded over HTTP.If you disable or do not configure this policy setting users can download print drivers over HTTP.
m to Microsoft over a secure connection.If you enable this policy Tablet PC users cannot choose to share writing samples from the handwri
riting recognition error reporting tool or send error reports to Microsoft.If you disable this policy Tablet PC users can report handwriting re
p Experience Improvement program feature from the Help and Support settings page.
Windows does not download providers and only the service providers that are cached in the local registry are displayed.If you disable or do
eb service to open an unhandled file association are removed.If you disable or do not configure this policy setting the user is allowed to us
om printing to Internet printers over HTTP.If you disable or do not configure this policy setting users can choose to print to Internet printe
s folders.If you disable or do not configure this policy setting the tasks are shown.
s not collect usage information and the user settings to enable the collection of usage information are not shown.If you disable this policy
Internet and have not disabled Windows Online from the Help and Support Options page.
you do not configure this policy setting at the computer level restrictions are based on per-user policy settings.To set this policy setting on
y setting "Restrict user locales" can also be enabled to disallow selection of a custom locale even if this policy setting is not configured.If yo
will be unable to customize those choices. The user cannot customize their user locale with user overrides.If this policy setting is disabled
uter policy setting.The locale list is specified using language tags separated by a semicolon (;). For example en-US is English (United States
Vista Windows XP Professional and Windows 2000 Professional.If you disable or do not configure this policy setting Windows Vista adds an
e system runs the programs in the run-once list.This policy setting appears in the Computer Configuration and User Configuration folders.
(.exe) file or document file. To specify another name press ENTER and type the name. Unless the file is located in the %Systemroot% direc
its existing value prior to GPO evaluation). The recognized bit locations are: PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE
esume operation.
mputer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."

does not take effect until the operating system is restarted.
sable or do not configure this policy setting the instructions are suppressed.
e or do not configure this policy setting the instructions are suppressed.
oes not display logon scripts written for Windows NT 4.0 and earlier.If you disable or do not configure this policy setting Windows 2000 dis
not configure this policy setting the logon scripts and File Explorer are not synchronized and can run simultaneously.This policy setting app
ollowing scenario: There are three GPOs (GPO A GPO B and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the fo
definitions. %HOMESHARE% stores only the network share (such as \\server\share). %HOMEPATH% stores the remainder of the fully qual
d not be roamed then add only that application's specific folder under the AppData\Roaming folder rather than all of the AppData\Roamin
stry files are included in the calculation of the profile size.-- Determine whether users are notified when the profile exceeds the permitted
Files during user logon and logoff and will be taken offline while the user is logged on.If you disable or do not configure this policy setting
p app for a file type; they can open files only in other Windows Store apps.If you disable or do not configure this policy setting Windows Sto
op app for a URI scheme; they can open URIs only in other Windows Store apps.If you disable or do not configure this policy setting Windo
Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone Windows prompts the
eir zone information.If you disable this policy setting Windows marks file attachments with their zone information.If you do not configure
des the check box and Unblock button.If you disable this policy setting Windows shows the check box and Unblock button.If you do not con
ne inclusion list).If you enable this policy setting you can create a custom list of high-risk file types.If you disable this policy setting Window
lusion list).If you enable this policy setting you can specify file types that pose a low risk.If you disable this policy setting Windows uses its
ion list (where an extension is listed in more than one inclusion list).If you enable this policy setting you can specify file types which pose a
a user opens a file attachment. If the antivirus program fails the attachment is blocked from being opened.If you disable this policy setting
h the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cause use
ted without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be
XP SP2 Autoplay is enabled for removable drives as well including Zip drives and some USB mass storage devices. If you enable this p
prise spotlight content service in Azure the lock screen will display internal messages and communications configured in that service when
arty software publishers in addition to Microsoft apps and content.
hese features are enabled users will still see recommendations tips and offers but they may be less relevant.If you disable or do not config
may be controlled individually using their corresponding policy settings.
lcome Experience will be launched to help onboard users to Windows telling them about what's new changed and suggested.
default the password reveal button is displayed after a user types a password in the password entry text box. To display the password click
tic data off (not recommended). Using this value no diagnostic data is sent from the device. This value is only supported on Enterprise Edu
ys a visual version of the desktop is presented and items can be flipped through to select. Changing this policy setting requires a logoff for i
c color for window frames that cannot be changed by users.

vent color changes of window frames" setting to enforce a specific color for window frames that cannot be changed by users.
recent apps will be available by default and the user can configure this setting.
from that menu.If you disable or don't configure this policy setting Command Prompt will be listed in the menu by default and users can c
olicy setting Search Share Start Devices and Settings will be available by default and the user can configure this setting.
y used apps will appear at the top.

ministrator and are available to all users of the computer there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
For example the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVideos.N
ommand and they will not be able to open Folder Options.If you disable or do not configure this policy setting users can open Folder Optio
have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.Many pro
a different computer the original path might lead to a network computer including external resources such as an Internet server.If you ena
s the drive icons. Users can still gain access to drive contents by using other methods such as by typing the path to a directory on the drive
e tools.This setting does not remove the Computer Management item from the Start menu (Start Programs Administrative Tools Compute
the path defined.If you disable or do not configure this policy setting no changes are made to the location of the default Library definition
displays shortcuts to the 10 most recently opened documents.

onfigure this policy setting computers in the user's workgroup and domain appear in lists of network resources in File Explorer and Netwo
to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other commonly use
e search site in OpenSearch format with {searchTerms} for the query string (for example http://www.example.com/results.aspx?q={search
y.Library-ms" for the Documents library or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned link will
ation of drives from the drop-down list. To allow access to all drive directories disable this setting or select the "Do not restrict drives" opti
e root of their Users Files folder in File Explorer.Note: Enabling this policy setting does not prevent the user from being able to add new ite
nnecting to another computer by typing the name of a shared folder in the Run dialog box.Note:This setting was documented incorrectly o
ot prevent users from using third-party applications to create or modify CDs using a CD writer.
other methods to configure DFS.If you disable or do not configure this policy setting the DFS tab is available.
problems with the device.

ser windows such as the Internet Explorer window.If you disable or do not configure this policy setting the Search button is available from
access the security tab.
ot displayed in the Web view or in My Computer.If you disable or do not configure this policy setting the Shared Documents folder is displa
ser performs a search in the Explorer window.
tracting to some users.If you disable or do not configure this policy setting users are allowed to turn on or off these minor system animatio
er" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who have
e Search Box entries into the registry for future references. If the user types a property values that match this property will be shown but
nded to leave this protocol in the protected mode to increase the security of Windows.If you enable this policy setting the protocol is fully
he Windows Key hotkeys are available.

Date Modified" and "Size" * Disable view of file content snippets in Content mode when search results are returned * Disable ability to
the folder options for File Explorer to Use classic folders view and disable the users ability to change these options.If you disable or not co
dialog box.If you disable or do not configure this policy setting the Back button is displayed for any standard Open dialog box.To see an exa
d on the File menu click Open.Note: In Windows Vista this policy setting applies only to applications that are using the Windows XP comm
rofessional so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use the sta
be specified:Desktop Recent Places Documents Pictures Music Recently Changed Attachments and Saved Searches.If you disable or do not
the two cannot be displayed at the same time.If you disable or do not configure this policy setting the Details Pane is hidden by default an
aults to disabled.
tting users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points.If
Restore button Windows attempts to restore the file from the local disk.If you do not configure this policy setting it is disabled by default.
n corresponding to a backup. If the Restore button is clicked Windows attempts to restore the file from the backup media.If you do not co
e. If the user clicks the Restore button Windows attempts to restore the file from the file share.If you do not configure this policy setting it
The EID must be an internet domain belonging to the enterprise in standard international domain name format. Example value: Contoso
Policy setting applies only to Microsoft Japanese IME.Note: Changes to this setting will not take effect until the user logs off.
Policy setting applies only to Microsoft Korean IME.Note: Changes to this setting will not take effect until the user logs off.
Policy setting applies only to Microsoft Simplified Chinese IME.Note: Changes to this setting will not take effect until the user logs off.
Policy setting applies only to Microsoft Traditional Chinese IME.Note: Changes to this setting will not take effect until the user logs off.
ncluded in the candidate list.This policy setting applies to Japanese Microsoft IME only.Note: Changes to this setting will not take effect un
ode0x0008 // IBM extended code0x0010 // Half width katakana code0x0100 // EUDC(GAIJI)0x0200 // S-JIS unmapped area0x0400 // Unic
panese Microsoft IME [Clear auto-tuning information] works even if this policy setting is enabled and it clears self-tuned words from the cu
s to Japanese Microsoft IME.Note: Changes to this setting will not take effect until the user logs off.
by default.This policy setting is applied to Japanese Microsoft IME.
this feature is turned off and the user won't be able to turn it on.If you don't configure this policy setting it will be turned off by default and
this feature is turned off and the user won't be able to turn it on.If you don't configure this policy setting it will be turned off by default and
able to turn it on.If you don't configure this policy setting it will be turned on by default and the user can turn on and turn off the lexicon u
e to turn it on.If you don't configure this policy setting it will be turned off by default and the user can turn on and turn off the live sticker
h providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created fro
fwlink/?linkid=2102115
ring shutdown (default behavior in Internet Explorer 9).
policy setting users won't receive enhanced suggestions while typing in the Address bar. In addition users won't be able to change the Sug
plorer bars. ActiveX controls are referred to as plug-ins and are not part of this definition.If you enable this policy setting newly installed ad
able the Media Explorer Bar or do not configure it users can show and hide the Media Explorer Bar.Administrators also have the ability to t
e or disable the blocking of attachments in options.
e installed the following behaviors occur:- If you disable or don't configure this policy Microsoft Edge Stable channel is used. This is the de
s option the users open the Internet Options dialog box click the Contents Tab and click the Settings button.
s\Windows Components\Internet Explorer\Internet Control Panel) you do not need to set this policy because the "Disable the General pa
ed page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Pane
t Explorer Maintenance under Admin Templates using group policy editor.If you disable or do no configure this policy setting the user will
ntacts if programs that perform these tasks are installed.This "Disable the Programs Page" policy (located in \User Configuration\Administr
ady been accepted.The "Disable the Content page" policy (located in \User Configuration\Administrative Templates\Windows Component
ges.If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Inte
rnet Control Panel) you do not need to set this policy because the "Disable the Connections page" policy removes the Connections tab from
ernet Explorer performs this check it prompts the user to specify which browser to use as the default.This policy is intended for organizati
in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) you do not need to se
ge policies.If you disable or do not configure this policy setting the Home page box is enabled and users can choose their own home page.
guages in which the character set has been installed.If you set the "Disable the General page" policy (located in \User Configuration\Admin
sable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Interne
d placing Internet calls if programs that perform these tasks are installed.The "Disable the Programs page" policy (located in \User Configu
emplates\Windows Components\Internet Explorer\Internet Control Panel) which removes the Content tab from Internet Explorer in Contr
dows Components\Internet Explorer\Internet Control Panel) which removes the Ratings tab from Internet Explorer in Control Panel takes
s policy setting the user can add secondary home pages.Note: If the â€œDisable Changing Home Page Settingsâ€ policy is enabled the use
sers can change their cache settings.If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templa
nternet services.This policy is intended for administrators who want to maintain a consistent browser across an organization.
er to export favorites feeds and cookies to a file.If you enable this policy setting the user will not be able to use the Import/Export Settings
Wizard.If you disable this policy or do not configure it users can change their connection settings by running the Internet Connection Wizar
Explorer 11.If you disable or donâ€™t configure this policy all sites are opened using the current active browser settings. Note: Microsoft E
omponents\Internet Explorer\Internet Control Panel) which removes the Programs tab from Internet Explorer in Control Panel takes prece
com/fwlink/?linkid=2102115
contains menus that open lists of commands for printing customizing Internet Explorer copying and pasting text managing favorites and ac
ill be removed from the File menu in Address Book.If you disable this policy or do not configure it users can set up and change identities.
™t configure this policy all intranet sites are automatically opened in Microsoft Edge.We strongly recommend keeping this policy in sync wi
pecify a report location Enterprise Mode will still be available to your users but you won't get any reports.If you disable or don't configure
Site Discovery.To configure the domain(s) included in data collection for the IE Site Discovery Toolkit Add one domain per line to the text b
Discovery.To configure zone(s) included in site discovery a binary number is formed based on the selected zones. The decimal representati
his policy setting users can choose whether to be notified that Internet Explorer is not the default web browser through the Tell me if Inte
wed so *.contoso.com is also valid.If you disable this or do not configure this policy setting you will not be able to provide a default Pop-up
nting customizing Internet Explorer copying and pasting text managing favorites and accessing Help.If you enable this policy setting the me
ure this policy setting the Internet Explorer Help menu is available to the user. The user can also use the Command bar and F1 to access H
setting the user can bypass SmartScreen Filter warnings.
le or do not configure this policy setting the user can manage pop-ups by changing the filter level.You may also want to enable the "Preve
in this scenario. â€¢ Open a new Internet Explorer window.If you disable or do not configure this policy setting the user can configure ho
f you disable or do not configure this policy setting the user can configure how new tabs are created by default.
setting Internet Explorer does not enumerate search providers for the Accelerators infrastructure. If Accelerators are turned on users can i
er process's Pop-Up Blocker settings by enabling the "Specify pop-up allow list" policy setting.
prompting the user.If you disable or do not configure this policy setting the user is prompted to decide whether to turn on SmartScreen Fi
alysis and the user is prompted to permit any data to be sent to Microsoft. If the feature is fully enabled all website addresses that are no
u do not configure this policy setting the user can choose to participate in the CEIP.
ndows 8 the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is cho
his policy setting the user cannot configure the list of search providers on his or her computer and any default providers installed do not a
3 to search the Internet (from Internet Explorer) or the hard disk (from File Explorer).This policy is intended for situations in which administ
lp administrators maintain consistent settings for searching across an organization.
e Enterprise Mode Site List in Microsoft Edge.Disabling or not configuring this setting opens all sites based on the currently active browser
al memory. The default setting creates the optimal number of tab processes based on the operating system and amount of physical memo
no additional page appears.
for permission to load an ActiveX control and Internet Explorer loads the control if it passes all other internal security checks.If you disable
ser to disable add-ons and configure the threshold.If you enable this policy setting users are not notified when the average time to load all
isable or do not configure this policy setting Internet Explorer uses the user's setting for pop-up windows in tabbed browsing.
or add-on management will be functional.
he filter's allow list are sent automatically to Microsoft without prompting the user.If you disable or do not configure this policy setting th
nched off screen will continue to be re-positioned onscreen.If you disable or do not configure this policy setting the popup management fe
nts appear on the user interface for Internet Explorer and the user cannot turn them off.If you do not configure this policy setting the user
lete for web-address setting.If you do not configure this policy setting a user will have the freedom to choose to turn the auto-complete se
y setting ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
. The user cannot turn on logging.If you do not configure this policy setting the user can change the logging settings.
default. The user can turn on or turn off the menu bar.
setting the entry points and functionality associated with this feature are turned off.If you do not configure this policy setting the user can
"User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and passwords on F
unless specified by the user.
de IE.If you disable or don't configure this policy setting Internet Explorer opens all websites using Standards mode.
that are provided through first use of the browser.
ators that are provided through first use of the browser.
controls are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explorer
it this control will not be designated as administrator-approved.To specify how administrator-approved controls are handled for each sec
able as an administrator approved control and can be run if the user specifies to run administrator-approved Active-X controls and plug-in
the check boxes for the controls that you want to designate as administrator-approved.To specify how administrator-approved controls a
Enabled and then select the check box for the control:-- MCSiMenu - enables Web authors to control the placement and appearance of W
e controls will not be designated as administrator-approved.To specify how administrator-approved controls are handled for each security
as administrator-approved.To specify how administrator-approved controls are handled for each security zone carry out the following ste
controls are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explorer
steps:1. In Group Policy click User Configuration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zone
he controls that you want to designate as administrator-approved.To specify how administrator-approved controls are handled for each se
owing steps:1. In Group Policy click User Configuration click Internet Explorer Maintenance and then click Security.2. Double-click Security
In Group Policy click User Configuration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Co
If you disable this policy setting the user is prompted when a script that is running in any process on the computer attempts to perform a
havior is currently set to prompt it will be bypassed and enabled.If you disable this policy setting the user is prompted when a script that is
policy setting is enabled the processes configured in this policy setting take precedence over that policy setting.If you enable this policy setti
policy which prevents users from opening the browser in a new window by clicking the File menu pointing to New and then clicking Windo
ograms from their browsers.
owser window from the File menu.Caution: This policy does not prevent users from opening a new browser window by right-clicking and t
t prevent users from right-clicking a link on a Web page and then clicking the Open or Open in New Window command. To prevent users fr
(HTML) files or as text files but graphics scripts and other elements are not saved. To display the Save Web Page dialog box users click the
nts that are displayed or run from a Web Page such as graphics scripts and linked files but does not prevent users from saving the text of a
crosoft Internet Explorer Help file.
ou disable this policy or do not configure it users can manage their Favorites list.Note: If you enable this policy users also cannot click Sync
olicy or do not configure it users can change their Internet settings from the browser Tools menu.Caution: This policy does not prevent us
lable and users will not see printers under the Devices charm.If you disable or do not configure this policy setting the Print menu in Interne
bars which might be confusing for some beginning users.

t-clicking a Web page to open the shortcut menu and then clicking View Source. To prevent users from viewing the HTML source of a Web
ed. Additionally the user cannot activate the feature by using the Compatibility View Settings dialog box.If you do not configure this policy
additional string appended). Additionally all Standards Mode webpages appear in Internet Explorer 7 Standards Mode. This option results
user cannot change this behavior through the Compatibility View Settings dialog box.If you disable this policy setting Internet Explorer uses
g history on exit is turned off.If you do not configure this policy setting it can be configured on the General tab in Internet Options.If the "P
he History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete b
he Settings charm.If you disable or do not configure this policy setting the user can access the Delete Browsing History dialog box. Starting
With at least Internet Explorer 11:This policy setting prevents users from deleting ActiveX Filtering data Tracking Protection data and Do N
Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
ad history when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is ena
ta when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting has no effect.
f the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
user clicks Delete.If you disable this policy setting InPrivate Filtering data is deleted when the user clicks Delete.If you do not configure this
te.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
serve temporary Internet files when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this
the user can choose whether to delete or preserve visited websites when he or she clicks Delete.If the "Prevent access to Delete Browsing
nd cookies.
ser Configuration\Administrative Templates\Windows Components\Internet Explorer\) because this policy removes the Advanced tab from
erface:"Disable Internet Connection Wizard""Disable changing connection settings""Prevent changing proxy settings""Disable changing Au
ration\Administrative Templates\Windows Components\Internet Explorer\) because this policy removes the General tab from the interfa
interface:"Disable changing Messaging settings""Disable changing Calendar and Contact settings""Disable the Reset Web Settings feature
moves the Security tab from the interface:"Security zones: Do not allow users to change policies""Security zones: Do not allow users to add
re converted to IDN format only for addresses that are not in the Intranet zone. 2) Unicode domain names are converted to IDN format
change this behavior on the Internet Explorer Tools menu: Click Internet Options click the Advanced tab and then under International sele
s will be prompted when non-Internet Explorer components would be installed.If you do not configure this policy setting non-Internet Exp
mponents such as fonts will be automatically installed as necessary.If you disable this policy setting users will be prompted when Web Com
s can turn this behavior on or off using Internet Explorer Advanced Internet Options settings. The default is on.
policy setting users can turn this behavior on or off using Internet Explorer Advanced Internet Options settings. The default is on.
nvalid signature.If you do not configure this policy users can choose to run or install files with an invalid signature.
this policy setting browser helper objects do not launch.If you do not configure this policy Internet Explorer automatically launches any br
d or inPrivate Browsing mode is used.For at least Internet Explorer 11:If you disable this policy setting Internet Explorer only sends the Do
versions when they are available.If you disable this policy setting Internet Explorer does not check the Internet for new versions of the bro
disable this policy setting Internet Explorer will not check server certificates to see if they have been revoked.If you do not configure this
user computers.If you disable this policy setting Internet Explorer will not check the digital signatures of executable programs or display th
websites to run in Enhanced Protected Mode.Enhanced Protected Mode provides additional protection against malicious websites by usi
t Explorer Settings.
ncrypted pages containing secure (HTTPS) information to the cache.If you do not configure this policy Internet Explorer will save encrypte
ternet Files folder when all browser windows are closed.If you disable this policy setting Internet Explorer will not delete the contents of t
helping pages display more quickly.If you do not configure this policy setting Internet Explorer will play animated pictures found in Web co
ages display more quickly.If you enable this policy setting Internet Explorer will play sounds found in Web content.
ckly.If you do not configure this policy setting Internet Explorer will play videos found in Web content.
ndering engine.
browser and server attempt to match each otherâ€™s list of supported protocols and versions and they select the most preferred match.
nd content in the background.If you don't configure this policy setting users can turn this behavior on or off using Internet Explorer setting
also choose to allow this information to be shared with the Web site in the future without being prompted.If you do not configure this pol
URLs that are in the Intranet zone. 3) Always encode query strings.If you disable or don't configure this policy setting users can turn this
und.If you disable this policy setting flip ahead with page prediction is turned on and the next webpage is loaded into the background.If yo
Enhanced Protected Mode on 64-bit versions of Windows.If you disable this policy setting Internet Explorer 11 will use 32-bit tab processe
rned on.If you disable this policy setting Caret Browsing is turned off.If you do not configure this policy setting Caret Browsing support can
will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.If you disable this policy setting Enhanced
of the Internet Options dialog box.Note: This policy is no longer supported starting with Windows 10 Version 1607.
option to start with the home page.If you disable this policy setting Internet Explorer starts a new browsing session with the home page.
caches on Website Data Settings will be unavailable to users.If you do not configure this policy setting websites will be able to store applic
se and caches on Website Data Settings will be unavailable to users.If you do not configure this policy setting websites will be able to store
oup policy sets the maximum file storage limit for domains that are trusted by users. When you set this policy setting you provide the cach
setting.If you disable or do not configure this policy setting Internet Explorer will use the default application cache expiration time limit for
plication caches.
cy sets the maximum data storage limit for domains that are trusted by users. When you set this policy setting you provide the cache limit
tting Internet Explorer will allow the creation of application caches whose individual manifest file entries are less than or equal to the size se
he resource limit as a number. The default is 1000 resources.If you enable this policy setting Internet Explorer will allow the creation of ap
u can set the maximum storage limit for all application caches. The default is 1 GB.If you disable or do not configure this policy setting Inte
tting you can set the maximum storage limit for all indexed databases. The default is 4 GB.If you disable or do not configure this policy setti
re this template policy setting no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Lockdow
ypically be in the Internet Zone).If you do not configure this policy setting users choose whether to force local sites into the Intranet Zone.
he Intranet Zone.
hoose whether sites which bypass the proxy server are mapped into the Intranet Zone.
Security settings can be set for each of these zones through other policy settings and their default settings are: Trusted Sites zone (Low tem
configured.If this policy setting is not configured the user can choose whether or not to automatically detect the intranet through the intr
his policy setting the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Inter
a Notification bar notification does not appear when the user loads content from an intranet site that is being treated as though it is in the
aded in the zone that uses MSXML or ADO to access data from another site in the zone.If you disable this policy setting users cannot load a
on the restricted list. If you select Prompt from the drop-down box the Notification bar will appear to allow control over questionable cont
policy setting script code on pages in the zone can run automatically.
ilable.If you disable this policy setting binary and script behaviors are not available unless applications have implemented a custom securi
figure this policy setting a script can perform a clipboard operation.
g and pasting files from this zone.If you do not configure this policy setting users can drag files or copy and paste files from this zone autom
tting files can be downloaded from the zone.
setting HTML fonts can be downloaded automatically.
ems from this zone.If you do not configure this policy setting users are queried to choose whether to install desktop items from this zone.
he user cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XBAPs.If you disable this po
er cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XAML files.If you disable this poli
or loading XPS files.If you disable this policy setting XPS files are not loaded inside Internet Explorer. The user cannot change this behavior
a page containing an active Meta Refresh setting cannot be redirected to another Web page.If you do not configure this policy setting a us
r-site ActiveX prompt and ActiveX controls can run from all sites in this zone.
u disable this policy setting users are prevented from performing OpenSearch queries in this zone using Search Connectors.If you do not c
me application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in Fil
owser control is allowed only in the Local Machine and Intranet zones.
ndows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the
disable this policy setting VBScript is prevented from running.

es.If you enable this policy setting video and animation can be played through older media players in specified zones.If you disable this po
can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.
ot configure this policy setting ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification bar
fication bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
nonsecure items?) and nonsecure content can be displayed.If the drop-down box is set to Prompt the user will receive the security inform
n" message when they connect to a Web site that has no certificate or only one certificate.If you do not configure this policy setting Intern
ate an instance of the ActiveX control.If you don't configure this policy setting Internet Explorer always checks with your antimalware prog
tting signed controls cannot be downloaded.If you do not configure this policy setting users are queried whether to download controls sign
cy setting users cannot run unsigned controls.If you do not configure this policy setting users cannot run unsigned controls.
nnot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot ch
not drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change t
g the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone as dictated by the featur
orm.If you disable this policy setting path information is removed when the user is uploading a file via an HTML form.If you do not configur
ked safe for scripting option.If you enable this policy setting and select Prompt in the drop-down box users are queried whether to allow th
nd secure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disable Ja
oad files from IFRAMEs on the pages in this zone.If you disable this policy setting users are prevented from running applications and down
he remainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is
policy setting users cannot open windows and frames to access applications from different domains.If you do not configure this policy setti
ab of the Internet Options dialog box. Filters are not rendered by default in this zone.
nternet Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy setting In
et Explorer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting Internet Ex
ot configure this policy setting controls and plug-ins can run without user intervention.
ure this policy setting script interaction can occur automatically without user intervention.
ng scripts can access applets automatically without user intervention.
he files open.If you disable this policy setting these files do not open.If you do not configure this policy setting the user can configure how
ed of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.High sa
oose whether to allow information using HTML forms on pages in this zone to be submitted.If you disable this policy setting information u
Framework Setup is turned off. The user cannot change this behavior.If you disable this policy setting .NET Framework Setup is turned on
rst-run prompt is turned on in the corresponding zone.If you do not configure this policy setting the first-run prompt is turned off by defau
otected Mode.If you do not configure this policy setting the user can turn on or turn off Protected Mode.
alicious content.Note: In Internet Explorer 7 this policy setting controls whether Phishing Filter scans pages in this zone for malicious conte
re prevented from appearing.
hin a Web page saved to disk.If you disable this policy setting users cannot preserve information in the browser's history in favorites in an
p-down box a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting the possibly h
disable this policy setting VBScript will run without user intervention.
ot configure this policy setting users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
ate an instance of the ActiveX control.If you don't configure this policy setting Internet Explorer won't check with your antimalware progra
ab of the Internet Options dialog box. Filters are rendered by default in this zone.
rst-run prompt is turned on in the corresponding zone.If you do not configure this policy setting the first-run prompt is turned on by defau
from appearing.
ems from this zone.If you do not configure this policy setting users can install desktop items from this zone automatically.
tting signed controls cannot be downloaded.If you do not configure this policy setting users can download signed controls without user inte
cy setting users cannot run unsigned controls.If you do not configure this policy setting users can run unsigned controls without user interv
from appearing.
down box a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting the possibly har
policy setting users are queried to choose whether to allow script code on pages in the Local Machine zone to run.

ot configure this policy setting controls and plug-ins are prevented from running.
disable this policy setting users are asked to choose whether to allow VBScript to run.
from appearing.
from appearing.
policy setting script code on pages in the zone is prevented from running.
figure this policy setting a script cannot perform a clipboard operation.
g and pasting files from this zone.If you do not configure this policy setting users are queried to choose whether to drag or copy files from
tting files are prevented from being downloaded from the zone.
setting users are queried whether to allow HTML fonts to download.
ems from this zone.If you do not configure this policy setting users are prevented from installing desktop items from this zone.

tting signed controls cannot be downloaded.If you do not configure this policy setting signed controls cannot be downloaded.
ins.If you disable this policy setting users cannot open other windows and frames from other domains or access applications from differen
ure this policy setting script interaction is prevented from occurring.
ng scripts are prevented from accessing applets.
from appearing.
for protocols on the restricted list. If you select Prompt from the drop-down box the Notification bar will appear to allow control over que
policy setting script code on pages in the zone is prevented from running.
figure this policy setting a script cannot perform a clipboard operation.
g and pasting files from this zone.If you do not configure this policy setting users are queried to choose whether to drag or copy files from
tting files are prevented from being downloaded from the zone.
setting users are queried whether to allow HTML fonts to download.
ems from this zone.If you do not configure this policy setting users are prevented from installing desktop items from this zone.

tting signed controls cannot be downloaded.If you do not configure this policy setting signed controls cannot be downloaded.
ins.If you disable this policy setting users cannot open other windows and frames from other domains or access applications from differen
ure this policy setting script interaction is prevented from occurring.
ng scripts are prevented from accessing applets.
cy setting users cannot run unsigned controls.If you do not configure this policy setting users are queried to choose whether to allow the u
from appearing.
Explorer can be configured by the user.
rect the problem. The user cannot change this policy setting.If you disable this policy setting when there is a problem connecting with an I
tting the user can turn on or off page transitions.This feature only applies to versions of Internet Explorer up to and including Internet Explo
policy setting users can turn this behavior on or off using Internet Explorer settings. The default is on.
net Explorer.
ebugging.If you disable this policy setting script debugging is turned off. The user cannot turn on script debugging.If you do not configure t
e this policy setting the user is not shown script errors when a page does not appear properly because of problems with its scripting. The u
es not start automatically. The user can start the wizard manually.If you do not configure this policy setting the user can decide whether th
elements" setting on the Advanced tab in the Internet Options dialog box.
nge this policy setting. The "Turn off image display" policy setting must be disabled if this policy setting is enabled.If you disable this policy
tic image resizing.
at represents the image and then clicking Show Picture. The "Allow the display of image download placeholders" policy setting must be dis
is policy setting the printing of background colors and images is turned off. The user cannot turn it on.If you do not configure this policy se
tton. â€¢ Display the results in the main window: When the user searches on the Address bar the list of search results is displayed in the m
e user is directed to an external top result website determined by the search provider if available.If you enable this policy setting you can c
ble this policy setting Internet Explorer is not started automatically to complete the signup process after the branding is complete for ISPs
for File Explorer is turned on. The user cannot turn it off.If you do not configure this policy setting a user will have the freedom to turn on
stions will be turned on. Users will not be able to turn off URL Suggestions.If you do not configure this policy setting URL Suggestions will b
for providing relevant results in the Address bar. The user cannot change this setting.If you disable this policy setting Internet Explorer us
t turn it on.If you do not configure this policy setting the user can turn on or turn off inline AutoComplete.By default inline AutoComplete
not configure this policy setting the user can specify the color of links already clicked.
not configure this policy setting the user can specify the color of links not yet clicked.
sable this policy setting Internet Explorer allows sending the path portion of URLs as UTF-8. The user cannot change this policy setting.If yo
ms from Microsoft's Active Desktop Gallery to their desktop.If you disable this policy or do not configure it users can add channels to the C
y or do not configure it users can add new offline content schedules.This policy is intended for organizations that are concerned about ser
ct a Web page click the Properties button and then click the Schedule tab.If you disable this policy then Web pages can be updated on the
ers can view and subscribe to channels from the Channel bar interface.
n updated since the last time the user synchronized with or visited the page.If you disable this policy or do not configure it content will not
Web page click the Properties button and then click the Schedule tab.If you disable this policy or do not configure it users can add remove
en click the Properties button no properties are displayed. Users do not receive an alert stating that the command is unavailable.If you disa
ord information about when their channel pages are viewed by users who are working offline.
p administrators ensure that users' computers are being updated uniformly across their organization.Note: This policy does not prevent us
immed. To display the Make This Page Available Offline check box users click the Tools menu click Synchronize and then click the Properti
hed for new information and downloaded.Caution: Although the Maximum Number of Offline Pages option determines how many levels
nge is 3 through 30.If you enable this policy setting the selected value is enforced.If you disable or do not configure this policy setting the u
ange is 3 through 30.If you enable this policy setting the selected value is enforced.If you disable or do not configure this policy setting the
disable this policy setting toolbars and BHOs are loaded by default during an InPrivate Browsing session.If you do not configure this policy
tion is turned on.If you do not configure this policy setting InPrivate Filtering data collection can be turned on or off on the Privacy tab in In
rowsing can be turned on or off through the registry.
ivate Filtering data is not collected.If you disable this policy setting InPrivate Filtering is available for use.If you do not configure this policy
d Tracking Protection data is not collected.If you disable this policy setting Tracking Protection is available for use.If you do not configure t
opers will not be able to depend on the reveal password button being displayed in any web form or web application.If you disable or do n
rpreted as a failed URL.If you disable this policy setting Data URI support is turned on.If you do not configure this policy setting Data URI su
ether add-ons not listed here are assumed to be denied.If you enable this policy setting you can enter a list of add-ons to be allowed or de
references and policy settings.If you disable or do not configure this policy setting all processes will not respect add-on management user
h Group Policy. However users can still use the Add-on Manager within Internet Explorer to manage add-ons not listed within the 'Add-on
u enable this policy setting and enter a Value of 1 the process entered will respect the add-on management user preferences and policy se
e warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outd
ewly outdated controls potentially compromising the security of your computer.If you disable or don't configure this setting IE continues t
ontrols" in the Internet Explorer TechNet library.
TLD". For example if you want to include *.contoso.com/* use "contoso.com"2. "hostname". For example if you want to include http://exa
or off regardless of the "Turn off blocking of outdated ActiveX controls for Internet Explorer" or "Turn off blocking of outdated ActiveX con
plorer before Internet Explorer 8 the default connection limit for HTTP 1.1 was 2.
erver.If you enable this policy setting websites cannot request data across domains by using the WebSocket object.If you disable or do not
y using the XDomainRequest object.If you disable or do not configure this policy setting websites can request data across domains by using
e for which Script and Binary Behaviors is set to 'admin-approved'. Behaviors must be entered in #package#behavior notation e.g. #default
not configure this policy setting binary behaviors are allowed for all processes.
able or do not configure this policy setting Internet Explorer 9 does not install binaries signed by MD2 and MD4 signing technologies.
aviors are allowed for the File Explorer and Internet Explorer processes.If you do not configure this policy setting binary behaviors are prev
tting and enter a Value of 1 binary behaviors are prevented. If you enter a Value of 0 binary behaviors are allowed. The Value Name is the
renames the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting Consistent Mime Ha
renames the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting Internet Explorer req
renames the file by saving it in the Internet Explorer cache and changing its extension.This policy setting allows administrators to define ap
an attack vector to load malicious HTML code.If you enable this policy setting the Local Machine zone security applies to all local files and
Local Machine zone is used as an attack vector to load malicious HTML code.If you enable this policy setting the Local Machine zone secu
ed as an attack vector to load malicious HTML code.If you enable this policy setting and enter a value of 1 Local Machine Zone security app
this policy setting MIME sniffing will never promote a file of one type to a more dangerous file type.
angerous file types. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is
work for the File Explorer and Internet Explorer processes.If you do not configure this policy setting the MK Protocol is prevented for File Ex
ocol is allowed. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processe
sable this policy setting restricting content obtained through restricted protocols is prevented for all processes other than File Explorer or I
example you can restrict active content from pages served over the http and https protocols by adding the value names http and https.If
f you enable this policy setting and enter a Value of 1 restricting content obtained through restricted protocols is allowed. If you enter a Va
his sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols to ac
on bar will be displayed for all processes.If you disable or do not configure this policy setting the Notification bar will not be displayed for a
rocesses.If you do not configure this policy setting the Notification bar will be displayed for Internet Explorer Processes.
layed. If you enter a Value of 0 the Notification bar is not displayed. The Value Name is the name of the executable. If a Value Name is em
sses.If you do not configure this policy setting an object reference is no longer accessible when navigating within or across domains for Int
bjects are still accessible after navigation. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or
be protected from zone elevation for all processes.If you disable or do not configure this policy setting processes other than Internet Explo
ecurity context.If you enable this policy setting any zone can be protected from zone elevation by Internet Explorer processes.If you disab
is no security context.This policy setting allows administrators to define applications for which they want this security feature to be preven
used to determine whether to block ActiveX control installations for Internet Explorer processes.
e is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Process
er initiated for all processes.
ether to prompt for file downloads that are not user initiated for Internet Explorer processes.
mpty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet
or do not configure this policy setting scripted windows are not restricted.
nd Internet Explorer processes.If you disable this policy setting scripts can continue to create popup windows and windows that obfuscate
y feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 such windows may not be opened. If you enter
e command buttons have only text; some have icons and text.Show only icons: All command buttons have only icons.If you disable or do n
ble this policy the Customize option will be removed from the menu.If you disable this policy or do not configure it users can customize w
ed in coordination with the "Disable customizing browser toolbar buttons" policy which prevents users from adding or removing toolbars
sh buttons are next to the Address bar by default and the user can choose to move them.
ou enable this policy setting the toolbar upgrade tool does not check for incompatible toolbars. The user is not prompted and incompatibl
d the user can make them bigger (20 x 20 pixels).
files contain.This setting permits users to open MMC user-mode console files such as those on the Administrative Tools menu in Windows
g in the folder is disabled or not configured the snap-in is prohibited.-- If you disable this setting or do not configure it all snap-ins are perm
age is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured the setting of the "Restrict us
hose explicitly permitted. To explicitly permit use of this snap-in enable this setting. If this setting is not configured (or disabled) this snap
ge is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured the setting of the "Restrict use
icy tab is not displayed in those snap-ins.If this setting is not configured the setting of the "Restrict users to the explicitly permitted list of s
snap-ins. Enabling this policy setting does not override policy settings that restrict the use of preference extensions.If you disable this poli
his policy setting you prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference
setting you permit use of the Control Panel Settings item and all preference extensions under Control Panel Settings for Computer Configu
ng you permit use of the Control Panel Settings item and all preference extensions under Control Panel Settings for User Configuration. En
olicy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disabl
ettings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this
his policy setting you prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference e
this policy setting you prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference
cy setting you prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference extensio
policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disab
olicy setting you prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference exten
olicy setting you prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference exten
he "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit use of the preferen
Users)" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If
" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you di
ble this policy setting you prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preferen
policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disab
olicy setting does not override policy settings that restrict the use of preference extensions.If you disable this policy setting you prohibit use
ettings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this
he "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit use of the preferen
policy setting you prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference exte
" policy settings. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy setting.If you dis
"Restrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit use of the preference
policy setting you prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference ext
estrict users to the explicitly permitted list of snap-ins" policy setting.If you disable this policy setting you prohibit use of the preference ex
re always connected to the settings storage location.When SyncMethod is set to â€œNoneâ€ the UE-V Agent uses no sync provider. Setti
dows apps. If you do not configure this policy setting any defined values are deleted.Note: If the user connects their Microsoft account for
ge location before synchronizing settings packages.If you disable this policy setting the sync provider doesnâ€™t ping the settings storage l
If you disable or do not configure this policy setting no event is written to the event log to report settings package size.
figure this policy setting any defined values are deleted.

roaming.With this setting disabled the UE-V Agent will not synchronize settings over a metered connection that is roaming.If you do not c
tion of users' sign-in information for certain apps networks and certificates.If you enable this policy setting only the selected Windows setti
. Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that re
certain user settings of Microsoft Access 2013 will not be backed up.If you do not configure this policy setting any defined values will be d
certain user settings of Microsoft Access 2016 will not be backed up.If you do not configure this policy setting any defined values will be d
synchronization settings.If you do not configure this policy setting any defined values will be deleted.
tting certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up.If you dis
tting certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up.If you dis
n user settings of Microsoft Excel 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
n user settings of Microsoft Excel 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
setting certain user settings of Microsoft InfoPath 2013 will not be backed up.If you do not configure this policy setting any defined values
et Explorer 10 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values w
t Explorer 11 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values wil
xplorer 8 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be
xplorer 9 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be
common between the versions of Internet Explorer continue to synchronize.If you disable this policy setting the user settings which are co
user settings of Microsoft Lync 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
user settings of Microsoft Lync 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
Microsoft Access 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined v
icrosoft Access 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined va
icrosoft Access 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined va
oft Excel 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined values wi
ft Excel 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will
ft Excel 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will
tting Microsoft InfoPath 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any d
tting Microsoft InfoPath 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any d
Lync 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined values will b
Lync 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be
Lync 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be
ween computers. If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2010 application
ween computers.If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2013 application
ontinue to synchronize.If you disable this policy setting Microsoft Office 2013 Upload Center user settings are excluded from the synchron
ween computers.If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2016 application
ontinue to synchronize.If you disable this policy setting Microsoft Office 2016 Upload Center user settings are excluded from the synchron
er settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V.If you enable this policy setting Micros
er settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V.If you enable this policy setting Micros
computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite
computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite
ettings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft O
ettings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft O
user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V.If you enable this policy setting M
ttings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Offi
ttings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Offi
e user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V.If you enable this policy setting
e user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V.If you enable this policy setting
user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V.If you enable this policy setting M
user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V.If you enable this policy setting M
ent the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V.If you enable this policy
ent the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V.If you enable this policy
er settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V.If you enable this policy setting Micro
er settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V.If you enable this policy setting Micro
he user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V.If you enable this policy settin
he user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V.If you enable this policy settin
cy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE
ettings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft O
ettings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft O
settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
this policy setting OneDrive for Business 2013 user settings are excluded from the synchronization settings.If you do not configure this po
this policy setting OneDrive for Business 2016 user settings are excluded from the synchronization settings.If you do not configure this po
setting Microsoft OneNote 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting an
ng Microsoft Outlook 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defi
this policy setting Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings.If you do not configure this poli
Microsoft Project 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined v
y setting Microsoft Publisher 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting an
tinue to synchronize.If you disable this policy setting Microsoft SharePoint Designer 2010 user settings are excluded from the synchronizati
tinue to synchronize.If you disable this policy setting Microsoft SharePoint Designer 2013 user settings are excluded from the synchronizati
ttings continue to synchronize.If you disable this policy setting Microsoft SharePoint Workspace 2010 user settings are excluded from the s
Visio 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will b
soft Word 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values w
nization settings.If you do not configure this policy setting any defined values will be deleted.
cy setting certain user settings of Microsoft OneNote 2013 will not be backed up.If you do not configure this policy setting any defined valu
cy setting certain user settings of Microsoft OneNote 2016 will not be backed up.If you do not configure this policy setting any defined valu
etting certain user settings of Microsoft Outlook 2013 will not be backed up.If you do not configure this policy setting any defined values w
etting certain user settings of Microsoft Outlook 2016 will not be backed up.If you do not configure this policy setting any defined values w
le this policy setting certain user settings of Microsoft PowerPoint 2013 will not be backed up.If you do not configure this policy setting an
le this policy setting certain user settings of Microsoft PowerPoint 2016 will not be backed up.If you do not configure this policy setting an
g certain user settings of Microsoft Project 2013 will not be backed up.If you do not configure this policy setting any defined values will be
g certain user settings of Microsoft Project 2016 will not be backed up.If you do not configure this policy setting any defined values will be
icy setting certain user settings of Microsoft Publisher 2013 will not be backed up.If you do not configure this policy setting any defined va
icy setting certain user settings of Microsoft Publisher 2016 will not be backed up.If you do not configure this policy setting any defined va
ntinue to be backed up.If you disable this policy setting certain user settings of Microsoft SharePoint Designer 2013 will not be backed up.I
user settings of Microsoft Visio 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
user settings of Microsoft Visio 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
ain user settings of Microsoft Word 2013 will not be backed up.If you do not configure this policy setting any defined values will be delete
ain user settings of Microsoft Word 2016 will not be backed up.If you do not configure this policy setting any defined values will be delete
hronization settings.If you do not configure this policy setting any defined values will be deleted.
configure this policy setting any defined values will be deleted.
figure this policy setting any defined values will be deleted.
t configure this policy setting any defined values will be deleted.
t configure this policy setting any defined values will be deleted.
o the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders.If you disable or don't co
ed to choose their privacy settings after an upgrade.If this policy is disabled or not configured then the privacy experience may launch for
screen blanking adjust speaker volume and apply a custom background image.Note: Users will be able to customize their system settings f
ou can enforce this policy setting or you can allow users to overwrite this setting. By default when you enable this policy setting it is enforc
ttings" option on the client.To allow users to overwrite this policy setting select the "Allow users to change this setting" check box. When y
e client.Note: It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authentication meth
er they want to connect.If you disable this policy setting users cannot run unsigned .rdp files and .rdp files from unknown publishers on th
gs (for example when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file).If you enable or do
e it not configured the user will be able to save passwords using Remote Desktop Connection
start the file. To obtain the thumbprint view the certificate details and then click the Thumbprint field.If you disable or do not configure t
consent.3. Full Control without user's permission: Allows the administrator to interact with the session without the user's consent.4. View
onfigure this policy setting the client computer does not redirect its time zone information and the session time zone is the same as the se
tting users cannot redirect Clipboard data.If you disable this policy setting Remote Desktop Services always allows Clipboard redirection.If
r that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer the cli
is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings.If you dis
Services session depending on the client configuration. If you do not configure this policy setting Windows Vista displays wallpaper to rem
ng this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are no
s are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Servi
arning two minutes before the session disconnects which allows the user to press a key or move the mouse to keep the session active. If yo
emote Desktop Services session disconnects which allows the user to save open files and close programs. If you have a console session ac
e running programs are kept active even though the user is no longer actively connected. By default these disconnected sessions are maint
App program associated with a session the RemoteApp session will remain in a disconnected state until the time limit that you specify is re
m of http://contoso.com/rdweb/Feed/webfeed.aspx. If you enable this policy setting the specified URL is configured as the default con
overy button.
o download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
not configure this policy setting the user can subscribe to a feed or Web Slice through the Subscribe button in Internet Explorer and delete
ticate feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection.A developer cannot ch
cy under "User Configuration." To restrict a file system path from indexing please specify the file system path to be indexed under the "Co
Configuration." To include a file system path for indexing please specify the file system path to be indexed under the "Computer Configura
p Policy under "User Configuration." To restrict a file system path from indexing please specify the file system path to be indexed under th
lications can be launched from a hardware button.

not configure this policy press and hold actions will be available.
symbols numbers or keyboard shortcuts.If you enable this policy Input Panel will not provide text prediction suggestions. Users will not be
ext entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog
ry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable
Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text symbols nu
disable this policy Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Inp
this setting in the Input Panel Options dialog box.If you disable this policy application auto complete lists will appear next to Input Panel in
e handwriting or an on-screen keyboard to enter text symbols numbers or keyboard shortcuts.If you enable this policy and choose â€œLo
keyboard to enter text symbols numbers or keyboard shortcuts. If you enable this policy and choose â€œAllâ€ from the drop-down m
d pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks polic
he touch pointer and other-touch specific features.If you do not configure this setting touch input is on by default.Note: Changes to this se
tting Touch Panning is on by default.Note: Changes to this setting will not take effect until the user logs off.
ers to change task characteristics such as: the program the task runs details of its schedule idle time and power management settings and
racteristics such as the program the task runs its schedule details idle time and power management settings and its security context.Note:
kes precedence over the setting in User Configuration.
elect a program from the list in the Scheduled Task Wizard which displays only the tasks that appear on the Start menu and its submenus.
heduled tasks folder.This setting does not prevent users from using other methods to create new tasks and it does not prevent users from
dence over the setting in User Configuration.Important: This setting does not prevent administrators of a computer from using At.exe to cr
ttings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Important: This settin
Windows Defender SmartScreen is turned off and employees can't turn it on.If you don't configure this setting employees can choose whet
on to the user.If you disable this policy setting then all memory dumps are uploaded according to the default consent and notification setti
able or do not configure this policy setting the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative T
e Templates/Windows Components/Windows Error Reporting/Consent take precedence.
nfigure this policy setting WER throttles data by default; that is WER does not upload more than one CAB file for a report that contains dat
ry power but checks for solutions and uploads report data normally.If you disable or do not configure this policy setting WER checks for so
again if the network profile is changed.
he Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.If
ely. When Queuing behavior is set to Always queue all reports are added to the queue until the user is prompted to send the reports or un
e Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an applicatio
a that is required to check for an existing solution is sent automatically and Windows prompts users for consent to send any additional dat
evel of 0 1 2 3 or 4.- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.- 1 (Always ask before sending da
efault consent setting determines only the consent level of any other error reports.
figuring this policy setting and enabling the "Use Windows Hello for Business" policy setting requires the environment to have one or more
u do not configure this policy setting users can provision Windows Hello for Business as a convenience credential that encrypts their doma
file setting lets users install programs that require access to directories that the user might not have permission to view or change includin
ers can install from removable media when the installation is running in their own security context but only system administrators can use
ot restore the computer to its original state if the installation does not complete.This policy setting is designed to reduce the amount of tem
t you want Windows Installer to search:-- "n" represents the network;-- "m" represents media;-- "u" represents URL or the Internet.To
tions have been set to occur when the logon hours expire.Note: If you configure this setting you might want to examine and appropriately
choose to log off a user the user might lose unsaved data.If you enable this setting the system will perform the action you specify when th
the Privacy tab in the Player are not selected and are not available.If you disable or do not configure this policy setting users can change t
heck box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available.If you dis
his policy setting the Player automatically retrieves radio station presets from the Internet.
ecause no default settings are used for the proxy. The options are ignored if Autodetect or Browser is selected.The Configure button on th
if Autodetect is selected.The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If
cified is ignored.The "Use default buffering" and "Buffer" options on the Performance tab in the Player are not available.If you disable or d
if Autodetect is selected.The Configure button on the Network tab in the Player is not available and the protocol cannot be configured. If
user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports the Player uses default ports when using the
oes not interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared and is n
eck box is not available.If you do not configure this policy setting users can change the setting for the Download codecs automatically chec
by using the Player tab in the Player.When this policy is not configured and the Set and Lock Skin policy is enabled some options in the anc
d for the options on the Privacy tab unless the user changed the settings previously.If you disable or do not configure this policy setting th
s policy setting users can configure the security settings on the Security tab.
the skin is not installed on a user's computer or if the Skin box is blank the Player opens by using the Corporate skin. The only way to spec
oth are present the Computer Configuration version of this policy setting takes precedence.
essenger from that point on Windows Messenger will be loaded.The user can also configure this behavior on the Preferences tab on the To
r is on by default.
his policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet.Note: This policy setting exists und
execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the Lo
he Script Block Invocation Logging PowerShell additionally logs events when invocation of a command script block function or script sta
ments directory with a file name that includes 'PowerShell_transcript' along with the computer name and time started. Enabling this p
ginate from the Internet must be signed by a trusted publisher.The "Allow all scripts" policy setting allows all scripts to run.If you disable t
uter to do?' list.If you disable or do not configure this policy setting the 'Install Updates and Shut Down' option will be the default option in
y setting the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available when
will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing driver upd
ough users can manually set up Work Folders by using the Work Folders Control Panel item.The "Work Folders URL" can specify either the
en.To hide a Control Panel item enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Show Co
appears explaining that a setting prevents the action.
de. To specify a list of pages to show the policy string must begin with "showonly:" (without quotes) and to specify a list of pages to hide i
tting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column enter the Contr
sers from using other methods to configure services.Note: When "Set up services" does not appear clicking the Add/Remove Windows Com
g other tools and methods to configure services or add or remove program components. However this setting blocks user access to the Wi
if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Compo
commend their use or to enable users to install them without having to search for installation files.If you enable this setting users cannot t
t prevent users from using other tools and methods to change program access or defaults.This setting does not prevent the Set Program A
When enabled this setting takes precedence over the other settings in this folder.This setting does not prevent users from using other too
Internet such as the Microsoft Product Support Services Web page.If you disable this setting or do not configure it the Support Info hyper
stallation.If you disable this setting or do not configure it all programs (Category: All) are displayed when the "Add New Programs" page op
anel on the client computer. Second the screen saver timeout is set to a nonzero value through the setting or Control Panel.Also see the "P
onalization Control Panel is available).Note: If this setting is enabled and the file is not available at user logon the default visual style is load
f the screen saver file is not in the %Systemroot%\System32 directory type the fully qualified path to the file.If the specified screen saver i
ach screen saver.To ensure that a computer will be password protected enable the "Enable Screen Saver" setting and specify a timeout via
e in the Personalization or Display Control Panel.For systems prior to Windows Vista this setting hides the Appearance and Themes tabs in
rticle: Q327998 for more information.Also see the "Allow only bitmapped wallpaper" setting.
client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client.When not configure
d navigates to the specified URL address to display the available printers. This setting makes it easy for users to find the printers you w
er Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list.If you disable this setting th
SB printer queue the device vid/pid will be compared to the approved list.
ed by this policy. Administrators may need to set both policies to block all print connections to a specific print server.If this setting is enabl
the client no connection will be made. -You can configure Windows Vista clients so that security warnings and elevated command pro
revent users from using the Add Hardware Wizard to add a printer. Nor does it prevent users from running other programs to add printer
. Typically system administrators publish programs to notify users of their availability to recommend their use or to enable users to install
uninstall programs.
ers.This setting does not prevent users from using other tools and methods to change program access or defaults.This setting does not pre
task link will be available to all users.Note: If the "Hide Programs control Panel" setting is enabled this setting is ignored.
n Category View and Programs and Features in Classic View will be available to all users.When enabled this setting takes precedence over
cy setting the user can see the Administrative options.Note: Even if a user can see the Administrative options other policies may prevent t
GeoID option the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical
en if a user can see the option to change the UI language other policy settings can prevent them from changing their UI language.
there is noâ€¯language packs or language featuresâ€¯installationâ€¯restrictionâ€¯forâ€¯the user.â€¯â€¯

ricts the UI languages Windows should use for the selected user" policy setting.If you disable or do not configure this policy setting the log
his policy setting there is no restriction on which language users should use.To enable this policy setting in Windows Server 2003 Window
lability and function of this setting is dependent on supported languages being enabled.
unction of this setting is dependent on supported languages being enabled.
gured then the user will be free to change the setting according to their preference. Note that the availability and function of this settin
ce. Note that the availability and function of this setting is dependent on supported languages being enabled.
s not already known to the handwriting recognition engines (for example proper names and acronyms). Deleting email content or the brow
he Desktop.
mputer is hidden on the desktop the new Start menu the Explorer folder tree pane and the Explorer Web views. If the user manages to nav
setting effective you must log off from and log back on to Windows 2000 Professional.
tab and then clicking the Customize Desktop button.
s domain and click Find. Type the name of an object in the directory such as "Administrator." If the filter bar does not appear above the re
e it the system displays up to 10000 objects. This consumes approximately 2 MB of memory or disk space.This setting is designed to protec
the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again.N
ministrative Templates\Control Panel\Display) settings.
available when the user logs on no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to spe
dows Explorer) is enabled Active Desktop is disabled and both these policies are ignored.
ndows Explorer) is enabled Active Desktop is disabled and both of these policies are ignored.
the icon for a remote access connection. Also when any user selects the connection Properties appears on the File menu.If you disable th
g (and enable the "Enable Network Connections settings for Administrators" setting) users (including administrators) cannot delete all-use
abled for all users (including administrators).Important: If the "Enable Network Connections settings for Administrators" is disabled or not
gure the setting only Administrators and Network Configuration Operators can rename all-user remote access connections.Note: This setti
te: When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to either en
the "Enable Network Connections settings for Administrators" is disabled or not configured this setting will not apply to administrators on
the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certain feat
trators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setti
Connections settings for Administrators" setting.Important: If the "Enable Network Connections settings for Administrators" is disabled or
sabled or not configured this setting does not apply to administrators on post-Windows 2000 computers.If you disable this setting or do no
r Administrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable
ly to administrators on post-Windows 2000 computers.If you disable this setting or do not configure it the Make New Connection icon app
nistrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this s
rs" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setting or
"Enable Network Connections settings for Administrators" setting) the Properties menu items are disabled and no users (including admini
ng or do not configure it the Connect and Disconnect options for remote access connections are available to all users. Users can connect o
apply to administrators on post-Windows 2000 computers.If you disable this setting or do not configure it all users can delete their private
ndows 2000 computers.If you disable this setting or do not configure it the Properties dialog box for a connection includes a check box bes
s disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setting or do
r not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setting the Advanced bu
e connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the taskbar fro
problem can be resolved.If you enable this policy setting this condition will not be reported as an error to the user.If you disable or do not
offline" indicates that network files are not available while the server is inaccessible.If you disable this setting or select the "Work offline"
ll preceding levels."0" records an error when the offline storage cache is corrupted."1" also records an event when the server hosting the
e configured the setting in Computer Configuration takes precedence over the setting in User Configuration.
Computer Configuration and User Configuration folders. If both settings are configured for a particular server the setting in Computer Con
eir offline files.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the settin
ppears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration
appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuratio
g in Computer Configuration takes precedence over the setting in User Configuration.
tion folders. If both policy settings are configured the policy setting in Computer Configuration takes precedence.The "Make Available Offl
g any lists inherited from lower precedence GPOs and the "Make Available Offline" command is displayed for all files and folders.If you do
de always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available for
ot ensure that they are current.If you do not configure this setting the system performs a quick synchronization by default but users can c
nization Manager is configured for logon synchronization the system performs only a quick synchronization. Quick synchronization ensures
is suspended by closing the display on a portable computer files are not synchronized. If multiple users are logged on to the computer at t
setting is not configured reminder balloons are displayed by default when you enable offline files but users can change the setting.To prev
cess all WCN wizards.
a check box to the Run dialog box giving users the option of running a 16-bit program in its own dedicated NTVDM process. The additiona
dd and remove the Log Off item.This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog
menu and the Jump Lists appear just as it did when the user logged off.Note: The system saves document shortcuts in the user profile in th
cations from appearing. See the "Turn off Application Notifications" setting to prevent new notifications.
ays only the Start button taskbar buttons the notification area and the system clock.If this setting is disabled or is not configured the taskb
are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic particularly over slow network connections.If you dis
nd Taskbar do not show lists of recently or frequently used files folders or websites.If you disable or do not configure this setting the syste
find a path. If the resulting path is not correct it conducts a comprehensive search of the target drive in an attempt to find the file.Note: Th
et's file ID to find a path. If the resulting path is not correct it conducts a comprehensive search of the target drive in an attempt to find the
.If you disable this setting the Start menu only displays in the new style meaning the desktop icons are now on the Start page.If you do not
r's taskbar.Note: Enabling this setting overrides the "Turn off notification area cleanup" setting because if the notification area is hidden th
e this setting or do not configure it the user can configure the taskbar position.Note: Enabling this setting also locks the QuickLaunch bar a
ng" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings so users cannot turn it to On. Select th
ALT+DELETE.If you disable or do not configure this policy setting the Power button and the Shut Down Restart Sleep and Hibernate comma
o not configure it all pop-up text is displayed on the Start menu and in the notification area.
s policy setting the Default Programs link is available from the Start menu.Note: This policy setting does not prevent the Set Default Progra
ble from the Start menu.Also see the "Remove Documents icon on the desktop" policy setting.
he Favorites menu. If you are using the classic Start menu click Display Favorites under Advanced Start menu options.Note:The items that
em up-to-date. The Windows Update Product Catalog determines any system files security fixes and Microsoft updates that users need an
ng affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Al
gure this policy setting Network Connections is available from the Start Menu.Also see the "Disable programs on Settings menu" and "Disa
nd Maintenance will be displayed on the taskbar. A reboot is required for this policy setting to take effect.
configure this policy setting the Control Panel Printers and Network and Connection folders from Settings are available on the Start menu
document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu.When the setting is
e to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R.If you disable or do not configure this
m using the F3 key.In File Explorer the Search item still appears on the Standard buttons toolbar but the system does not respond when th
s not just those associated with redirected folders.If you enable this setting no folders appear on the top section of the Start menu. If users
un as different user" command.

tional Chinese (Lunar) regardless of the locale.If you disable this policy setting users cannot show an additional calendar regardless of the lo
ettings app. This is default behavior.Note: configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will supercede
ssing the Start button on that display. Also the user will be able to configure this setting.
.Once the XML file is generated and moved to the desired file path type the fully qualified path and name of the XML file. You can type a lo
e this setting the system notification area will always collapse notifications.If you do not configure it the user can choose if they want notifi
user tracking. If you enable the "Turn off user tracking" setting the system disables user tracking and personalized menus and ignores this s
u" and "Turn off personalized menus".This policy setting does not prevent users from pinning programs to the Start Menu or Taskbar. See
Quiet Hours by default. Adminstrators and users will be able to modify this setting.
g Quiet Hours are enabled by default but can be turned off or by the administrator or user.
ator or user. No reboots or service restarts are required for this policy setting to take effect.
pecified value are interpreted as being preceded by 19.For example the default value 2029 specifies that all two-digit years less than or eq
located in a folder specified in the Path environment variable for your system enter the fully qualified path to the file.If you disable this se
000 Professional. It does not affect the ""Configure Your Server on a Windows 2000 Server"" screen on Windows 2000 Server.Note: This se
access to the command prompt (Cmd.exe) this policy setting does not prevent them from starting programs in the command window even
ng searches might make some programs start or run slowly.If you disable or do not configure this policy setting the program continues with
logoff startup or shutdown batch file scripts or for users that use Remote Desktop Services.
ettings available in Computer Configuration\Security Settings. Note: This policy setting is available under Computer Configuration a
ve access to the command prompt (Cmd.exe) this policy setting does not prevent them from starting programs in the command window e
es for updates and automatically downloads them.Note: Windows Update is an online catalog customized for your computer that consists
his computer.
on.If you disable or do not configure this policy setting users can access Task Manager to start and stop programs monitor the performan
to display properly in this scenario will be blurry until the user logs out and back in to Windows. When you enable this policy some blurry
with the installation even if it includes unsigned files.-- "Warn" notifies the user that files are not digitally signed and lets the user decide
ation floppy drives and CD-ROM drives.Note: To prevent searching Windows Update for drivers also see "Turn off Windows Update device
vice driver searching" is disabled or not configured the administrator will be prompted for consent before going to Windows Update to sea
does not prevent files from being automatically cached if the network share is configured for "Automatic Caching" nor does it affect the a
for "Automatic Caching" nor does it affect the availability of the "Always available offline" menu option in the user interface.Note: The con
ew location. To use this policy setting you must move or restore the server content to the new network location using a method that pres
s (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function.If you enable this p
tting Windows Vista Windows 7 Windows 8 and Windows Server 2012 will use the standard English names for these subfolders when redir
oller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use."Use any available domain controller" i
the programs' specified responses to slow links.If you enable this setting you can in the "Connection speed" box type a decimal number be
in the enabled state. If you do not want them to be effective until they are configured and tested you must disable the object link.
t computer use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typ
trators cannot turn it off. As a result Group Policy Object Editor displays only true settings; preferences do not appear.If you disable or do
If you select 0 minutes the computer tries to update user Group Policy every 7 seconds. However because updates might interfere with u
tatus of this setting to Enabled will keep any source files from copying to the GPO.Changing the status of this setting to Disabled will enfor
the policy settings in the "Internet Communication settings" section are set to not configured.
ed to use the Store service and the Store item is available in the Open With dialog.
vers over HTTP.
ng samples from the handwriting recognition personalization tool with Microsoft.If you disable this policy Tablet PC user writing samples f
sers can report handwriting recognition errors to Microsoft.If you do not configure this policy Tablet PC users can report handwriting recog
displayed.If you disable or do not configure this policy setting a list of providers are downloaded when the user uses the web publishing o
tting the user is allowed to use the Web service.
ose to print to Internet printers over HTTP.Also see the "Web-based printing" policy setting in Computer Configuration/Administrative Tem
own.If you disable this policy setting Windows Messenger collects anonymous usage information and the setting is not shown.If you do no
s.To set this policy setting on a per-user basis make sure that the per-computer policy setting is not configured.
y setting is not configured.If you enable this policy setting the user cannot select a custom locale as their user locale but they can still selec
this policy setting is disabled or not configured then the user can customize their user locale overrides.If this policy is set to Enabled at the
n-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada).If you enab
setting Windows Vista adds any customized run list configured to its run list.This policy setting appears in the Computer Configuration and
nd User Configuration folders. If both policy settings are configured the policy setting in Computer Configuration takes precedence over th
ed in the %Systemroot% directory you must specify the fully qualified path to the file.If you disable or do not configure this policy setting t
ATION_POLICY_DEP_ENABLE (0x00000001) Enables data execution prevention (DEP) for the child process PROCESS_CREATION_M
able Data Drives."
licy setting Windows 2000 displays login scripts written for Windows NT 4.0 and earlier.Also see the "Run Logon Scripts Visible" setting.
neously.This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Config
PO B and GPO C include the following user logon scripts:GPO B: B.cmd B.ps1GPO C: C.cmd C.ps1Assume also that there are two users Qin
he remainder of the fully qualified path to the home directory (such as \dir1\dir2\homedir). As a result users can access any directory on t
han all of the AppData\Roaming folder to the exclusion list.By default the Appdata\Local and Appdata\LocalLow folders and all their subfol
profile exceeds the permitted maximum size.-- Specify a customized message notifying users of the oversized profile.-- Determine how oft
t configure this policy setting the paths specified in this policy setting will behave like any other cached data via Offline Files and continue
his policy setting Windows Store apps can open files in the default desktop app for a file type.
gure this policy setting Windows Store apps can open URIs in the default desktop app for a URI scheme.Note: Enabling this policy setting d
et zone Windows prompts the user before accessing the file.Low Risk: If the attachment is in the list of low-risk file types Windows will not
mation.If you do not configure this policy setting Windows marks file attachments with their zone information.
nblock button.If you do not configure this policy setting Windows hides the check box and Unblock button.
ble this policy setting Windows uses its built-in list of file types that pose a high risk.If you do not configure this policy setting Windows use
olicy setting Windows uses its default trust logic.If you do not configure this policy setting Windows uses its default trust logic.
specify file types which pose a moderate risk.If you disable this policy setting Windows uses its default trust logic.If you do not configure th
f you disable this policy setting Windows does not call the registered antivirus programs when file attachments are opened.If you do not co
mendation which will cause users to see more trust prompts than choosing the other options.If you enable this policy setting you can choo
her autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. If you enable this policy
vices. If you enable this policy setting Autoplay is disabled on CD-ROM and removable media drives or disabled on all drives. This
onfigured in that service when available. If your organization does not have an Enterprise spotlight content service the checkbox will have
.If you disable or do not configure this policy setting Microsoft will use diagnostic data to provide personalized recommendations tips and
ed and suggested.
. To display the password click the password reveal button.The policy applies to all Windows components and applications that use the W
y supported on Enterprise Education and Server editions. - Send required diagnostic data. This is the minimum diagnostic data necessary
y setting requires a logoff for it to be applied.
changed by users.
enu by default and users can configure this setting.
Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.For shell extensions to run on a per-user basis there must be an
54907c53f} or SampleVideos.Note: Disabling a known folder can introduce application compatibility issues in applications that depend on t
ng users can open Folder Options from the View tab on the ribbon.
nistrator credentials.Many programs can be installed only by an administrator. If you enable this setting and a user does not have sufficien
as an Internet server.If you enable this policy setting Windows only searches the current target path. It does not search for the original pat
ath to a directory on the drive in the Map Network Drive dialog box in the Run dialog box or in a command window.Also this policy setting
Administrative Tools Computer Management) nor does it prevent users from using other methods to start Computer Management.Tip: To
f the default Library definition files.
ces in File Explorer and Network Locations.This policy setting does not prevent users from connecting to computers in their workgroup or d
uters by other commonly used methods such as by typing the share name in the Run dialog box or the Map Network Drive dialog box.To r
le.com/results.aspx?q={searchTerms}).You can add up to five additional links to the "Search again" links at the bottom of results returned
onnector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-ms file
he "Do not restrict drives" option from the drop-down list.Note: The icons representing the specified drives still appear in My Computer bu
rom being able to add new items such as files and folders to their actual file system profile folder at %userprofile%.
was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting preve
earch button is available from the File Explorer toolbar.This policy setting does not affect the Search items on the File Explorer context me
red Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup.Note: The ability to remo
ff these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel.
ows administrators who have logged on as regular users to install programs without logging off and logging on again using their administra
is property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box.
licy setting the protocol is fully enabled allowing the opening of folders and files.If you disable this policy setting the protocol is in the prot
e returned * Disable ability to stack in the Context menu and Column headers * Exclude Libraries from the scope of Start searchThis pol
options.If you disable or not configure this policy the default File Explorer behavior is applied to the user.Note: In operating systems earlier
Open dialog box.To see an example of the standard Open dialog box start Notepad and on the File menu click Open.Note: In Windows Vis
using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. It
ect programs that use the standard Open dialog box provided to developers of Windows programs.To see an example of the standard Op
arches.If you disable or do not configure this setting the default list of items will be displayed in the Places Bar.Note: In Windows Vista this
ils Pane is hidden by default and can be displayed by the user. This is the default policy setting.
ing to on-disk restore points.If you do not configure this policy setting it is disabled by default.
etting it is disabled by default. The Restore button is active when the previous version is of a local file.
backup media.If you do not configure this policy setting it is disabled by default. The Restore button is active when the previous version is o
configure this policy setting it is disabled by default. The Restore button is active when the previous version is of a file on a file share.
mat. Example value: Contoso.comContosoIT.HumanResourcesApp_m5g0r7arhahqy If you enable this policy setting the application identi
the user logs off.
e user logs off.
ffect until the user logs off.
ffect until the user logs off.
setting will not take effect until the user logs off.
unmapped area0x0400 // Unicode char0x0800 // surrogate char0x1000 // IVS char0xFFFF // no definition.If you disable or do not configur
self-tuned words from the custom dictionary.This policy setting is applied to Japanese Microsoft IME.Note: Changes to this setting will no
ill be turned off by default and the user can turn on and turn off the cloud candidates feature.This Policy setting applies to Microsoft CHS P
ill be turned off by default and the user can turn on and turn off the cloud candidates feature.This Policy setting applies only to Microsoft
n on and turn off the lexicon udpate feature.This Policy setting applies only to Microsoft CHS Pinyin IME.
n and turn off the live sticker feature.This Policy setting applies only to Microsoft CHS Pinyin IME.
te: This list can be created from a custom administrative template file. For information about creating this custom administrative template
on't be able to change the Suggestions setting on the Settings charm.If you don't configure this policy setting users can change the Suggesti
olicy setting newly installed add-ons are automatically activated in the browser.If you disable or do not configure this policy setting newly
ators also have the ability to turn the auto-play feature on or off. This setting only applies if the Media Explorer Bar is enabled.If checked
channel is used. This is the default behavior.- If you enable this policy you can configure redirected sites to open in up to three of the follo
e the "Disable the General page" policy removes the General tab from the interface.
xplorer\Internet Control Panel) you do not need to set this policy because the "Disable the Advanced page" policy removes the Advanced
his policy setting the user will have the freedom to automatically configure these settings.
\User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) takes precedence over th
mplates\Windows Components\Internet Explorer\Internet Control Panel) which removes the Content tab from Internet Explorer in Contro
es\Windows Components\Internet Explorer\Internet Control Panel) you do not need to set this policy because the "Disable the General pa
moves the Connections tab from the interface.
olicy is intended for organizations that do not want users to determine which browser should be their default.The "Disable the Programs p
l Panel) you do not need to set this policy because the "Disable the General page" policy removes the General tab from the interface.Note
choose their own home page.
in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) you do not need to se
ents\Internet Explorer\Internet Control Panel) you do not need to set this policy because the "Disable the General page" policy removes th
olicy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) which re
rom Internet Explorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.
xplorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.
gsâ€ policy is enabled the user cannot add secondary home pages.
uration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) you do not need to set this policy beca
an organization.
se the Import/Export Settings wizard.If you disable or do not configure this policy setting the user will be able to use the Import/Export Setti
the Internet Connection Wizard.Note: This policy overlaps with the "Disable the Connections page" policy (located in \User Configuration\
ser settings. Note: Microsoft Edge Stable Channel must be installed for this policy to take effect.
er in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.
text managing favorites and accessing Help. The Command bar enables the user to access and manage favorites feeds shortcuts to home p
set up and change identities.
d keeping this policy in sync with the â€˜Send all intranet sites to Internet Explorerâ€™ (â€˜SendIntranetToInternetExplorerâ€™) policy. Ad
you disable or don't configure this policy setting the menu option won't appear and users won't be able to run websites in Enterprise Mode
e domain per line to the text box. For example:microsoft.sharepoint.comoutlook.comonedrive.comtimecard.contoso.comLOBApp.contoso
nes. The decimal representation of this number is used to represent this number in policy. For example:â€¢Â 2 - Intranet site zone onlyÂ
ser through the Tell me if Internet Explorer is not the default web browser check box on the Programs tab in the Internet Options dialog b
e to provide a default Pop-up Blocker exception list.Note: You can disable users from adding or removing websites to the exception list by
nable this policy setting the menu bar is above the navigation bar. The user cannot interchange the positions of the menu bar and the navi
mmand bar and F1 to access Help.
lso want to enable the "Prevent managing pop-up exception list" and "Turn off pop-up management" policy settings to prevent the user fr
tting the user can configure how windows open when he or she clicks links from other applications.
ators are turned on users can install search providers as Accelerators to include them on the Accelerator menu.
her to turn on SmartScreen Filter during the first-run experience.

website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.If you disable or do
gardless of which option is chosen.If you disable or do not configure this policy setting Internet Explorer may run the First Run wizard the fi
ult providers installed do not appear (including providers installed from other applications). The only providers that appear are those in the
or situations in which administrators do not want users to explore the Internet or the hard disk.This policy can be used in coordination wit
n the currently active browser.Note: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all
and amount of physical memory. We recommend the default setting.The second algorithm must be explicitly enabled through the creatio
security checks.If you disable or do not configure this policy setting the ActiveX Opt-In prompt appears.
en the average time to load all the user's enabled add-ons exceeds the threshold.If you disable or do not configure this policy setting users
tabbed browsing.
configure this policy setting the user is prompted to decide whether to turn on the SmartScreen Filter during the first-run experience.
tting the popup management feature will be functional.

ure this policy setting the user can turn on or turn off tabbed browsing.
e to turn the auto-complete setting for web-addresses on or off.
this policy setting the user can turn on and turn off the Suggested Sites feature.
ser names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords.If you do not configure this
uration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the Cur
ntrols are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explorer Ma
d Active-X controls and plug-ins under security zones.If you disable this policy or do not configure it this control will not be designated as ad
ministrator-approved controls are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration cl
acement and appearance of Windows pop-up menus on Web pages-- Popup Menu Object - enables Web authors to add pop-up menus to
are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explorer Mainten
one carry out the following steps:1. In Group Policy click User Configuration click Internet Explorer Maintenance and then click Security.2.
uration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the Cu
.2. Double-click Security Zones and Content Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Selec
ntrols are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explorer M
curity.2. Double-click Security Zones and Content Ratings click Import the Current Security Zones Settings and then click Modify Settings.3.
le-click Security Zones and Content Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the co
mputer attempts to perform a Clipboard operation.If you do not configure this policy setting current values of the URL action for the applic
prompted when a script that is running in the Internet Explorer process attempts to perform a Clipboard operation.If you do not configure
ng.If you enable this policy setting and enter a value of 1 prompts are bypassed. If you enter a value of 0 prompts are not bypassed. Value
o New and then clicking Window.Note: When users click the Open in New Window command the link will not open in a new window and t
window by right-clicking and then clicking the Open in New Window command. To prevent users from using the shortcut menu to open ne
command. To prevent users from opening Web pages by using the shortcut menu set the "Disable Open in New Window menu option" po
Page dialog box users click the File menu and then click the Save As command.If you disable this policy or do not configure it users can save
users from saving the text of a Web page.Caution: If you enable this policy users are not prevented from saving Web content by pointing t
cy users also cannot click Synchronize on the Tools menu (in Internet Explorer 6) to manage their favorite links that are set up for offline v
his policy does not prevent users from viewing and changing Internet settings by clicking the Internet Options icon in Windows Control Pa
tting the Print menu in Internet Explorer will be available. Starting with Windows 8 the Print flyout for Internet Explorer will be available a
ng the HTML source of a Web page from the shortcut menu set the "Turn off Shortcut Menu" policy which disables the entire shortcut me
ou do not configure this policy setting the Microsoft-provided website lists are not active. The user can activate the feature by using the Co
ards Mode. This option results in the greatest compatibility with existing webpages but newer content written to common Internet standa
setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Add
ab in Internet Options.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting has no effect.
ory List. Users can not delete browsing history.If you disable or do not configure this policy setting a user can set the number of days that I
ng History dialog box. Starting with Windows 8 users can click the Delete Browsing History button on the Settings charm.
king Protection data and Do Not Track exceptions stored for visited websites.This feature is available in the Delete Browsing History dialog
nabled this policy setting is enabled by default.

his policy setting has no effect.
te.If you do not configure this policy setting the user can choose whether to delete or preserve InPrivate Filtering data when he or she clic
" policy setting is enabled this policy setting is enabled by default.

ent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
emoves the Advanced tab from the interface.

settings""Disable changing Automatic Configuration settings"
e General tab from the interface:"Disable changing home page settings""Disable changing Temporary Internet files settings""Disable chang
he Reset Web Settings feature""Disable changing default browser check"

nes: Do not allow users to add/delete sites"
are converted to IDN format only for addresses that are in the Intranet zone. 3) Unicode domain names are always converted to IDN fo
d then under International select the "Use UTF-8 for mailto links" check box.
olicy setting non-Internet Explorer components will be automatically installed as necessary.

l be prompted when Web Components such as fonts would be downloaded.If you do not configure this policy users will be prompted whe
gs. The default is on.
automatically launches any browser helper objects that are installed on the user's computer.
et Explorer only sends the Do Not Track header if inPrivate Browsing mode is used.If you don't configure the policy setting users can select
et for new versions of the browser so does not prompt users to install them.If you do not configure this policy setting Internet Explorer do
d.If you do not configure this policy setting Internet Explorer will not check server certificates to see if they have been revoked.
cutable programs or display their identities before downloading them to user computers.If you do not configure this policy Internet Explor
ainst malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8 Enhanced Pro
et Explorer will save encrypted pages containing secure (HTTPS) information to the cache.
ill not delete the contents of the user's Temporary Internet Files folder when browser windows are closed.If you do not configure this poli
mated pictures found in Web content.
ect the most preferred match.If you enable this policy setting the browser negotiates or does not negotiate an encryption tunnel by using
using Internet Explorer settings. This feature is turned on by default
f you do not configure this policy setting a user will have the freedom to accept requests from Web sites for Profile Assistant information.
icy setting users can turn this behavior on or off using Internet Explorer Advanced Options settings. The default is to encode all query strin
ded into the background.If you don't configure this setting users can turn this behavior on or off using the Settings charm.
11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.If you don't configure this polic
g Caret Browsing support can be turned on or off through the registry.
le this policy setting Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Prote
session with the home page. Users cannot change this option to start with the tabs from the last browsing session.If you do not configure
tes will be able to store application caches on client computers. Allow website database and caches on Website Data Settings will be avail
websites will be able to store an indexed database on client computers. Allow website database and caches on Website Data Settings wil
cy setting you provide the cache limit in MB. The default is 50 MB.If you enable this policy setting Internet Explorer will allow trusted doma
cache expiration time limit for all application caches. The default is 30 days.
ng you provide the cache limit in MB. The default is 500 MB.If you enable this policy setting Internet Explorer will allow trusted domains to
ess than or equal to the size set in this policy setting.If you disable or do not configure this policy setting Internet Explorer will use the defa
er will allow the creation of application caches whose manifest file contains the number of resources including the page that referenced th
nfigure this policy setting Internet Explorer will use the default maximum storage limit for all application caches. The default is 1 GB.
o not configure this policy setting Internet Explorer will use the default maximum storage limit for all indexed databases. The default is 4 G
nd Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent z
l sites into the Intranet Zone.
e: Trusted Sites zone (Low template) Intranet zone (Medium-Low template) Internet zone (Medium template) and Restricted Sites zone (H
t the intranet through the intranet settings dialog in Control Panel.
he Advanced page in the Internet Control panel).
g treated as though it is in the Internet zone.If this policy setting is not configured a Notification bar notification appears for intranet conte
licy setting users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not config
ontrol over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you disable this pol
implemented a custom security manager.If you do not configure this policy setting binary and script behaviors are available.
aste files from this zone automatically.
desktop items from this zone.

ng XBAPs.If you disable this policy setting XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do no
ML files.If you disable this policy setting XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
r cannot change this behavior.If you do not configure this policy setting the user can decide whether to load XPS files inside Internet Explo
nfigure this policy setting a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web p
ch Connectors.If you do not configure this policy setting users can perform OpenSearch queries in this zone using Search Connectors.
eturned as search results in File Explorer will be affected. MAPI items reside in the Internet zone so disabling this policy for the Internet zo
in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this p
ed zones.If you disable this policy setting video and animation cannot be played through older media players.If you do not configure this p
an click on the Notification bar to allow the ActiveX control prompt.

nload prompt.
will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If you
figure this policy setting Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has n
ks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off usin
her to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
igned controls.
rent windows. Users cannot change this setting.In Internet Explorer 10 if you disable this policy setting or do not configure it users cannot
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10 if you disable this policy setting or do not co
zone as dictated by the feature control setting for the process.If you do not configure this policy setting the MIME Sniffing Safety Feature
ML form.If you do not configure this policy setting the user can choose whether path information is sent when he or she is uploading a file
re queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting ActiveX controls that can
un in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting Java applets cannot run.If you do not
unning applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users are que
in other zones. After a user is queried these values can be used silently for the remainder of the session.Automatic logon with current use
o not configure this policy setting users can open windows and frames from othe domains and access applications from other domains.
ou disable this policy setting Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting In
e this policy setting Internet Explorer will not execute signed managed components.If you do not configure this policy setting Internet Expl
ng the user can configure how the computer handles these files. By default these files are blocked in the Restricted zone enabled in the Int
d on) users' computers.High safety to prevent users from being notified of software updates by e-mail software packages from being auto
is policy setting information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this policy
ramework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting .NET Framework Setup is tu
prompt is turned off by default.
n this zone for malicious content.
wser's history in favorites in an XML store or directly within a Web page saved to disk.If you do not configure this policy setting users can pr
his policy setting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Pro

not have installed.
figure this policy setting Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web site
with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off using
igned controls.
prompt is turned on by default.
automatically.
not have installed.
ned controls without user intervention.
ed controls without user intervention.
unning applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users can run
policy setting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Prote
implemented a custom security manager.If you do not configure this policy setting only behaviors listed in the Admin-approved Behaviors


nload prompt.
igned controls.
zone as dictated by the feature control setting for the process.If you do not configure this policy setting the actions that may be harmful c


nload prompt.
igned controls.
automatically.

nload prompt.
igned controls.
implemented a custom security manager.If you do not configure this policy setting binary and script behaviors are not available unless app
her to drag or copy files from this zone.
ms from this zone.

nfigure this policy setting a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another We
ch Connectors.If you do not configure this policy setting users cannot perform OpenSearch queries in this zone using Search Connectors.

nload prompt.
be downloaded.
igned controls.
unning applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users are prev
cess applications from different domains.If you do not configure this policy setting users cannot open other windows and frames from diffe
wser's history in favorites in an XML store or directly within a Web page saved to disk.If you do not configure this policy setting users canno
automatically.

nload prompt.
igned controls.
pear to allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you d
implemented a custom security manager.If you do not configure this policy setting binary and script behaviors are not available unless app
her to drag or copy files from this zone.

ms from this zone.
nfigure this policy setting a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another We
ch Connectors.If you do not configure this policy setting users cannot perform OpenSearch queries in this zone using Search Connectors.

nload prompt.
be downloaded.
igned controls.
unning applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users are prev
cess applications from different domains.If you do not configure this policy setting users cannot open other windows and frames from diffe
wser's history in favorites in an XML store or directly within a Web page saved to disk.If you do not configure this policy setting users canno
automatically.
not have installed.
choose whether to allow the unsigned control to run.
problem connecting with an Internet server the user sees a detailed description with hints about how to correct the problem. The user ca
o and including Internet Explorer 8.
gging.If you do not configure this policy setting the user can turn on or turn off script debugging.
oblems with its scripting. The user cannot change this policy setting.If you do not configure this policy setting the user can turn on or turn o
he user can decide whether the Internet Connection Wizard should start automatically.
abled.If you disable this policy setting placeholders will not appear for graphical images while the images are downloading. The user canno
ers" policy setting must be disabled if this policy setting is enabled.If you disable this policy setting images appear. The user cannot turn off
do not configure this policy setting the user can turn on or turn off the printing of background colors and images.
rch results is displayed in the main window.If you disable or do not configure this policy setting the user can specify what action applies to
le this policy setting you can choose where to direct the user after a search on the Address bar: a top-result website or a search-results we
branding is complete for ISPs (IEAK). The user cannot change this behavior.If you do not configure this policy setting the user can decide w
have the freedom to turn on or off Inline AutoComplete for File Explorer.
setting URL Suggestions will be turned on. Users will be able to turn on or turn off URL Suggestions in the Internet Options dialog. By defa
cy setting Internet Explorer uses Windows Search AutoComplete to provide relevant results in the Address bar. The user cannot change th
y default inline AutoComplete is turned off for Windows Vista Windows 7 Internet Explorer 7 and Internet Explorer 8. By default inline Aut
change this policy setting.If you do not configure this policy setting the user can allow or prevent the sending of the path portion of URLs a
sers can add channels to the Channel bar or to their desktop.Note: Most channel providers use the words Add Active Channel for this optio
that are concerned about server load for downloading content.The "Hide Favorites menu" policy (located in User Configuration\Administ
pages can be updated on the schedules specified on the Schedule tab.This policy is intended for organizations that are concerned about s
ot configure it content will not be prevented from being downloaded.The "Disable downloading of site subscription content" policy and th
figure it users can add remove and edit schedules for Web sites and groups of Web sites.The "Disable editing schedules for offline pages"
mand is unavailable.If you disable this policy or do not configure it users can edit an existing schedule for downloading Web content for offl
his policy does not prevent users from removing active content from the desktop interface.
ize and then click the Properties button.If you disable this policy or do not configure it users can remove the preconfigured settings for pag
determines how many levels of a Web site are searched for new information it does not change the user interface in the Offline Favorites
nfigure this policy setting the user can establish the InPrivate Filtering threshold by clicking the Safety button and then clicking InPrivate Fil
onfigure this policy setting the user can establish the Tracking Protection threshold by clicking the Safety button and then clicking Tracking
ou do not configure this policy setting it can be configured on the Privacy tab in Internet Options.
n or off on the Privacy tab in Internet Options.
ou do not configure this policy setting it can be configured through the registry.
r use.If you do not configure this policy setting it can be configured through the registry.
plication.If you disable or do not configure this policy setting the reveal password button can be shown by the application as a user types in
this policy setting Data URI support can be turned on or off through the registry.
of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list enter the following information:Name of th
ect add-on management user preferences or policy settings.
s not listed within the 'Add-on List' policy setting. This policy setting effectively removes this option from users - all add-ons are assumed to
user preferences and policy settings. If you enter a Value of 0 the add-on management user preferences and policy settings are ignored by
tton lets the user run the outdated ActiveX control once.For more information see "Outdated ActiveX Controls" in the Internet Explorer Te
gure this setting IE continues to download updated versions of VersionList.XML.For more information see "Out-of-date ActiveX control blo
you want to include http://example use "example"3. "file:///path/filename.htm". For example use "file:///C:/Users/contoso/Desktop/inde
cking of outdated ActiveX controls for Internet Explorer on specific domains" policy settings.For more information see "Outdated ActiveX
object.If you disable or do not configure this policy setting websites can request data across domains by using the WebSocket object. By d
t data across domains by using the XDomainRequest object.
ehavior notation e.g. #default#vml.If you disable this policy setting no behaviors will be allowed in zones set to 'admin-approved' just as if
MD4 signing technologies.

tting binary behaviors are prevented for the File Explorer and Internet Explorer processes.
owed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do n
cy setting Consistent Mime Handling is enabled for all processes.If you disable or do not configure this policy setting Consistent Mime Hand
cy setting Internet Explorer requires consistent MIME data for all received files.If you disable this policy setting Internet Explorer will not re
ws administrators to define applications for which they want this security feature to be prevented or allowed.If you enable this policy setti
ty applies to all local files and content processed by any process other than Internet Explorer or those defined in a process list.If you disabl
g the Local Machine zone security applies to all local files and content processed by Internet Explorer.If you disable this policy setting Local
ocal Machine Zone security applies. If you enter a value of 0 Local Machine Zone security does not apply. If a Value Name is empty or the V
not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes
rotocol is prevented for File Explorer and Internet Explorer and resources hosted on the MK protocol will fail.
the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Pro
es other than File Explorer or Internet Explorer.If you do not configure this policy setting no policy is enforced for processes other than File
value names http and https.If you disable this policy setting restricting content obtained through restricted protocols is prevented for File
ols is allowed. If you enter a Value of 0 restricting content obtained through restricted protocols is blocked. The Value Name is the name o
over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone no protocols are restricte
bar will not be displayed for all processes other than Internet Explorer or those listed in the Process List.
r Processes.
cutable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this
ithin or across domains for Internet Explorer processes.

empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Intern
sses other than Internet Explorer or those listed in the Process List receive no such protection.
xplorer processes.If you disable this policy setting no zone receives such protection for Internet Explorer processes.If you do not configure
s security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 elevation to more privileged zones can
ated Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes config
is list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the
and windows that obfuscate other windows.If you do not configure this policy setting popup windows and other restrictions apply for File
ay not be opened. If you enter a Value of 0 windows have none of these restrictions. The Value Name is the name of the executable. If a V
nly icons.If you disable or do not configure this policy setting the command buttons show selective text by default and the user can change
gure it users can customize which buttons appear on the Internet Explorer and File Explorer toolbars.This policy can be used in coordinatio
adding or removing toolbars from Internet Explorer.
not prompted and incompatible toolbars run unless previously disabled through policy settings or user choice.If you disable or do not confi
rative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However users cannot open a blank MMC console wind
onfigure it all snap-ins are permitted except those that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins.
the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohib
figured (or disabled) this snap-in is prohibited.-- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured u
he explicitly permitted list of snap-ins" setting determines whether this tab is displayed.-- If "Restrict users to the explicitly permitted list o
ensions.If you disable this policy setting you prohibit use of Applications snap-ins and new Application preference items cannot be created
permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
Settings for Computer Configuration. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" p
ngs for User Configuration. Enabling this policy setting overrides the "Restrict users to the explicitly permitted list of snap-ins" policy settin
ns" policy setting.If you disable this policy setting you prohibit use of the preference extension.If you do not configure this policy setting yo
olicy setting.If you disable this policy setting you prohibit use of the preference extension.If you do not configure this policy setting you per
permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
u permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
-ins" policy setting.If you disable this policy setting you prohibit use of the preference extension.If you do not configure this policy setting
mit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
u prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference extension unless res
t of snap-ins" policy setting.If you disable this policy setting you prohibit use of the preference extension.If you do not configure this policy
ap-ins" policy setting.If you disable this policy setting you prohibit use of the preference extension.If you do not configure this policy settin
you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting
-ins" policy setting.If you disable this policy setting you prohibit use of the preference extension.If you do not configure this policy setting
policy setting you prohibit use of the Preferences tab.If you do not configure this policy setting you permit use of the Preferences tab.
olicy setting.If you disable this policy setting you prohibit use of the preference extension.If you do not configure this policy setting you pe
ou prohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference extension unless re
ap-ins" policy setting.If you disable this policy setting you prohibit use of the preference extension.If you do not configure this policy settin
rohibit use of the preference extension.If you do not configure this policy setting you permit use of the preference extension unless restric
rmit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" policy setting.
hibit use of the preference extension.If you do not configure this policy setting you permit use of the preference extension unless restricte
nt uses no sync provider. Settings are written directly to the settings storage location rather than being cached to sync later. Set SyncMeth
cts their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to
€™t ping the settings storage location before synchronizing settings packages. If you do not configure this policy any defined values will be
ckage size.
that is roaming.If you do not configure this policy setting any defined values are deleted.
nly the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization.If you disable thi
oled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V wa
nue to be backed up.If you disable this policy setting certain user settings which are common between the Microsoft Office Suite 2013 app
nue to be backed up.If you disable this policy setting certain user settings which are common between the Microsoft Office Suite 2016 app
efined values will be deleted.
licy setting any defined values will be deleted.
the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version
ned values will be deleted.
ned values will be deleted.
is policy setting any defined values will be deleted.
ft Office Suite 2010 applications continue to synchronize.If you disable this policy setting the user settings which are common between the
Office Suite 2013 applications continue to synchronize.If you disable this policy setting the user settings which are common between the
e excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
Office Suite 2016 applications continue to synchronize.If you disable this policy setting the user settings which are common between the
e excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
nable this policy setting Microsoft Office 365 Access 2013 user settings continue to sync with UE-V.If you disable this policy setting Microso
nable this policy setting Microsoft Office 365 Access 2016 user settings continue to sync with UE-V.If you disable this policy setting Microso
ween the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V.If you enable this policy setting use
ween the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V.If you enable this policy setting use
this policy setting Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offic
this policy setting Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offic
you enable this policy setting Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V.If you disable this policy setting M
his policy setting Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office
his policy setting Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office
f you enable this policy setting Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V.If you disable this policy settin
f you enable this policy setting Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V.If you disable this policy settin
u enable this policy setting Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V.If you disable this policy setting Mi
u enable this policy setting Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V.If you disable this policy setting Mi
h UE-V.If you enable this policy setting Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V.If you disable this po
h UE-V.If you enable this policy setting Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V.If you disable this po
enable this policy setting Microsoft Office 365 Project 2013 user settings continue to sync with UE-V.If you disable this policy setting Micros
enable this policy setting Microsoft Office 365 Project 2016 user settings continue to sync with UE-V.If you disable this policy setting Micros
If you enable this policy setting Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V.If you disable this policy settin
If you enable this policy setting Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V.If you disable this policy settin
n between computers with UE-V.If you enable this policy setting Microsoft Office 365 SharePoint Designer 2013 user settings continue to s
this policy setting Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office
this policy setting Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office
le this policy setting Microsoft Office 365 Word 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft O
le this policy setting Microsoft Office 365 Word 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft O
f you do not configure this policy setting any defined values will be deleted.
f you do not configure this policy setting any defined values will be deleted.
xcluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
xcluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
ttings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.

r 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
fined values will be deleted.
fined values will be deleted.
olders.If you disable or don't configure this policy setting users can share files out of their user profile after an administrator has opted in th
cy experience may launch for newly-created user accounts or for accounts that should be prompted to choose their privacy settings after
tomize their system settings for presentations in Windows Mobility Center.If you do not configure this policy setting Windows presentatio
e this policy setting it is enforced. When this policy setting is enforced users cannot override this setting even if they select the "Use these
his setting" check box. When you do this users can specify an alternate authentication method by configuring settings on the client using a
Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting either the NTLM pro
om unknown publishers on the client computer. If the user tries to start an RDP session the user receives a message that the publisher ha
an .rdp file).If you enable or do not configure this policy setting users can run .rdp files that are signed with a valid certificate. Users can als
u disable or do not configure this policy setting no publisher is treated as a trusted .rdp publisher.Note:You can define this policy setting in
hout the user's consent.4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the us
me zone is the same as the server time zone.Note: Time zone redirection is possible only when connecting to at least a Microsoft Window
llows Clipboard redirection.If you do not configure this policy setting Clipboard redirection is not specified at the Group Policy level.
tches the client printer the client printer is not available for the Remote Desktop session.If you disable this policy setting the RD Session H
gram policy settings.If you disable or do not configure this policy setting an initial program can be specified that runs on the remote comp
Vista displays wallpaper to remote clients connecting through Remote Desktop depending on the client configuration (see the Experience t
and Windows Desktop are not displayed and when the user exits the program the session is automatically logged off.To use this setting in
r active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings.If you ena
o keep the session active. If you have a console session idle session time limits do not apply.If you disable or do not configure this policy s
you have a console session active session time limits do not apply.If you disable or do not configure this policy setting this policy setting is
sconnected sessions are maintained for an unlimited time on the server.If you enable this policy setting disconnected sessions are deleted
time limit that you specify is reached. When the time limit specified is reached the RemoteApp session will be logged off from the RD Sessi
configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default conn
rough the Feed APIs.
n Internet Explorer and delete a feed or Web Slice through the feed list control. A developer can add or delete a feed or Web Slice by using
nection.A developer cannot change this policy setting through the Feed APIs.
h to be indexed under the "Computer Configuration" Group Policy.
nder the "Computer Configuration" Group Policy.
m path to be indexed under the "Computer Configuration" Group Policy.If you enable and then disable this policy setting users can index an
suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy Input Panel will
he Input Panel Options dialog box.If you disable this policy Input Panel will appear next to any text entry area in applications where this be
ptions dialog box.If you disable this policy Input Panel will appear next to text entry areas in applications where this behavior is available. U
board to enter text symbols numbers or keyboard shortcuts.If you enable this policy rarely used Chinese Kanji and Hanja characters will be
onfigure this setting in the Input Panel Options dialog box.If you do not configure this policy Input Panel tab will appear on the edge of the
l appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Input
this policy and choose â€œLowâ€ from the drop-down box password security is set to â€œLow.â€ At this setting all password security s
œAllâ€ from the drop-down menu no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in
t of the Disable pen flicks policy.If you disable or do not configure this policy all the features described above will be available.
fault.Note: Changes to this setting will not take effect until the user logs off.
wer management settings and its security context. Beginning users will often not be interested or confused by having the property sheet d
and its security context.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are confi
Start menu and its submenus. Once a task is created users cannot change the program a task runs.Important: This setting does not preven
t does not prevent users from deleting tasks.Note: This setting appears in the Computer Configuration and User Configuration folders. If b
mputer from using At.exe to create new tasks or prevent administrators from submitting tasks from remote computers.
guration.Important: This setting does not prevent administrators of a computer from using At.exe to delete tasks.
g employees can choose whether to use Windows Defender SmartScreen.
t consent and notification settings.
Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes preceden
e for a report that contains data about the same event types.
olicy setting WER checks for solutions while a computer is running on battery power but does not upload report data until the computer is
ts are automatically deleted.If you disable or do not configure this policy setting no Windows Error Reporting information is stored.
pted to send the reports or until the user sends problem reports by using the Solutions to Problems page in Control Panel.The Maximum n
nsion. To remove an application from the list click the name and then press DELETE. If this policy setting is enabled the Exclude errors for a
ent to send any additional data that is requested by Microsoft.- Send parameters and safe additional data: the minimum data that is requi
Always ask before sending data): Windows prompts the user for consent to send reports.- 2 (Send parameters): Windows Error Reporting
ronment to have one or more Windows Server 2016 domain controllers to prevent Windows Hello for Business authentication from failin
ential that encrypts their domain password.Select "Do not start Windows Hello provisioning after sign-in" when you use a third-party soluti
on to view or change including directories on highly restricted computers.If you disable or do not configure this policy setting the system a
ystem administrators can use removable media when an installation is running with elevated system privileges such as installations offere
ed to reduce the amount of temporary disk space required to install programs. Also it prevents malicious users from interrupting an installa
esents URL or the Internet.To exclude a file source omit or delete the letter representing that source type.
to examine and appropriately configure the â€œSet action to take when logon hours expireâ€ setting. If â€œSet action to take when logo
he action you specify when the userâ€™s logon hours expire.If you disable or do not configure this setting the system takes no action whe
licy setting users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box.
and are not available.If you disable or do not configure this policy setting users can change the setting of the Update my music files (WMA
ed.The Configure button on the Network tab in the Player is not available for the HTTP protocol and the proxy cannot be configured. If the
tocol cannot be configured. If the "Hide network tab" policy setting is also enabled the entire Network tab is hidden.This policy setting is ig
ot available.If you disable or do not configure this policy setting users can change the buffering options on the Performance tab.
ocol cannot be configured. If the "Hide network tab" policy setting is also enabled the entire Network tab is hidden.If you disable this polic
default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the Playe
ck check box is cleared and is not available.If you do not configure this policy setting users can change the setting for the Allow screen save
oad codecs automatically check box.
abled some options in the anchor window are not available.
configure this policy setting the Privacy tab is not hidden and users can configure any privacy settings not configured by other polices.
ate skin. The only way to specify the Corporate skin is to leave the Skin box blank.A user has access only to the Player features that are av
the Preferences tab on the Tools menu in the Windows Messenger user interface.Note: If you do not want users to use Windows Messen
: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configura
is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting is not configured the Log
block function or script starts or stops. Enabling Invocation Logging generates a high volume of event logs. Note: This policy se
d time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. If you
l scripts to run.If you disable this policy setting no scripts are allowed to run.Note: This policy setting exists under both "Computer Configu
on will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the
f updates are available when the user selects the Shut Down option in the Start menu.
omatically installing driver updates from the Windows Update Web site.If enabled you can configure one of the following notification optio
rs URL" can specify either the URL used by the organization for Work Folders discovery or the specific URL of the file server that stores the
rol Panel items. In the Show Contents dialog box in the Value column enter the Control Panel item's canonical name. For example enter M
specify a list of pages to hide it must begin with "hide:". If a page in a showonly list would normally be hidden for other reasons (such as a
Value column enter the Control Panel item's canonical name. For example enter Microsoft.Mouse Microsoft.System or Microsoft.Persona
he Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option o
g blocks user access to the Windows Component Wizard.
e Templates\Windows Components\Windows Installer) is enabled users cannot add programs from removable media regardless of this se
able this setting users cannot tell which programs have been published by the system administrator and they cannot use Add or Remove P
not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defau
ent users from using other tools and methods to install or uninstall programs.
gure it the Support Info hyperlink appears.Note: Not all programs provide a support information hyperlink.
e "Add New Programs" page opens.You can use this setting to direct users to the programs they are most likely to need.Note: This setting i
r Control Panel.Also see the "Prevent changing Screen Saver" setting.

n the default visual style is loaded.Note: When running Windows XP you can select the Luna visual style by typing %windir%\resources\The
.If the specified screen saver is not installed on a computer to which this setting applies the setting is ignored.Note: This setting can be sup
tting and specify a timeout via the "Screen Saver timeout" setting.Note: To remove the Screen Saver dialog use the "Prevent changing Scre
pearance and Themes tabs in the in Display in Control Panel.
the client.When not configured whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display C
users to find the printers you want them to add. Also see the "Custom support URL in the Printers folder's left pane" and "Activate Int
ist.If you disable this setting the network printer browse page is removed from within the Add Printer Wizard and users cannot search the
t server.If this setting is enabled users will only be able to package point and print to print servers approved by the network administrator
gs and elevated command prompts do not appear when users Point and Print or when printer connection drivers need to be updated.
other programs to add printers. This setting does not delete printers that users have already added. However if users have not added
se or to enable users to install them without having to search for installation files.If this setting is enabled users cannot view the programs
aults.This setting does not prevent the Default Programs icon from appearing on the Start menu.
g is ignored.
etting takes precedence over the other settings in this folder.This setting does not prevent users from using other tools and methods to in
s other policies may prevent them from modifying the values.
ing their current geographical location.
ing their UI language.
gure this policy setting the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select
Windows Server 2003 Windows XP or Windows 2000 to use the "Restrict selection of Windows menus and dialogs language" policy setting.
bility and function of this setting is dependent on supported languages being enabled.
ting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected an
ws. If the user manages to navigate to Computer the folder will be empty.If you disable this setting Computer is displayed as usual appeari
does not appear above the resulting display on the View menu click Filter.
is setting is designed to protect the network and the domain controller from the effect of expansive searches.
are simply not added again.Note: For this setting to take affect you must log off and log on to the system.
can also use this setting to specify that the wallpaper image be centered tiled or stretched. Users cannot change this specification.If you di
he File menu.If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting) the Properties m
strators) cannot delete all-user remote access connections. (By default users can still delete their private connections but you can change t
inistrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you do not confi
ss connections.Note: This setting does not apply to AdministratorsNote: When the "Ability to rename LAN connections or remote access c
g is configured (set to either enabled or disabled) this setting does not apply.
not apply to administrators on post-Windows 2000 computers.If this setting is not configured only Administrators and Network Configurati
trators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available to all us
mputers.If you disable this setting or do not configure it a Properties menu item appears when users right-click the icon representing a LAN
Administrators" is disabled or not configured this setting does not apply to administrators on post-Windows 2000 computers.If you disabl
ou disable this setting or do not configure it the Properties button is enabled for all users.The Networking tab of the Remote Access Conne
2000 computers.If you disable this setting or do not configure it the Advanced Settings item is enabled for administrators.Note: Nonadmin
Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Connecti
computers.If you disable this setting or do not configure it the Remote Access Preferences item is enabled for all users.
ers.If you disable this setting or do not configure it the Install and Uninstall buttons for components of connections in the Network Connecti
nd no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection.Important:
o all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection by right-cl
l users can delete their private remote access connections. Private connections are those that are available only to one user. (By default o
ction includes a check box beside the name of each component that the connection uses. Selecting the check box enables the component
f you disable this setting or do not configure it the Rename option is enabled for all users' private remote access connections. Users can re
e this setting the Advanced button is enabled and all users can open the Advanced TCP/IP Setting dialog box.Note: This setting is supersede
nnection icon in the taskbar from the Connection Properties dialog box.Important: If the "Enable Network Connections settings for Admini
e user.If you disable or do not configure this policy setting a DHCP-configured connection that has not been assigned an IP address will be
g or select the "Work offline" option users can work offline if disconnected.If you do not configure this setting users can work offline by de
t when the server hosting the offline file is disconnected from the network."2" also records events when the local computer is connected a
er the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration
ttings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To view the Offline
tting in Computer Configuration takes precedence over the setting in User Configuration.Tip: This setting provides a quick method for lockin
tting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To set reminder balloon frequency without e
ence.The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012 Windows Ser
all files and folders.If you do not configure this policy setting the "Make Available Offline" command is available for all files and folders.No
folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use).If you do
tion by default but users can change this option.This setting appears in the Computer Configuration and User Configuration folders. If both
Quick synchronization ensures that files are complete but does not ensure that they are current.If you do not configure this setting and Sy
ogged on to the computer at the time the computer is suspended a synchronization is not performed.
an change the setting.To prevent users from changing the setting while a setting is in effect the system disables the "Enable reminders" op
NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box.
n the Windows Security dialog box that appears when you press Ctrl+Alt+Del.Note: To add or remove the Log Off item on a computer click
ortcuts in the user profile in the System-drive\Users\User-name\Recent folder.Also see the "Remove Recent Items menu from Start Menu
or is not configured the taskbar displays all toolbars. Users can add or remove custom toolbars and the "Toolbars" command appears in t
network connections.If you disable or do not configure this policy setting all files that the user opens appear in the menus including files lo
onfigure this setting the system will store and display shortcuts to recently and frequently used files folders and websites.Note: The system
ttempt to find the file.Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and
drive in an attempt to find the file.Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID
on the Start page.If you do not configure this setting the default is the new style and the user can change the view.
e notification area is hidden there is no need to clean up the icons.
so locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked and the user canno
cannot turn it to On. Select this option for compatibility with earlier versions of Windows.If you disable or do not configure this setting the
rt Sleep and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available.No
prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel.
u options.Note:The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most
oft updates that users need and shows the newest versions available for download.If you disable or do not configure this policy setting the
ppears when you press Ctrl+Alt+Del and it does not prevent users from using other methods to log off.Tip: To add or remove the Log Off it
s on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Confi
e available on the Start menu and from Computer and File Explorer.Also see the "Disable Control Panel" "Disable Display in Control Panel"
ems menu.When the setting is disabled the Recent Items menu appears in the Start Menu and users cannot remove it.If the setting is not c
sable or do not configure this setting users will be able to access the Run command in the Start menu and in Task Manager and use the Int
em does not respond when the user presses Ctrl+F. Also Search does not appear in the context menu when you right-click an icon represe
tion of the Start menu. If users add folders to the Start Menu directory in their user profiles the folders appear in the directory but not on
al calendar regardless of the locale.If you do not configure this policy setting the calendar will be set according to the default logic.
of Windows 10 will supercede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same part of Sta
the XML file. You can type a local path such as C:\StartLayouts\myLayout.xml or a UNC path such as \\Server\Share\Layout.xml. If the spe
can choose if they want notifications collapsed.

alized menus and ignores this setting.Tip: To Turn off personalized menus without specifying a setting click Start click Settings click Taskbar
he Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the Taskbar
two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20 that is 2000 to 2029. Conversely all two-digit ye
to the file.If you disable this setting or do not configure it the setting is ignored and the system displays the Explorer interface.Tip: To find
ows 2000 Server.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured t
in the command window even though they would be prevented from doing so using File Explorer.Note: Non-Microsoft applications with W
ng the program continues without the registration. As a result the program might not perform all its functions or it might stop.This setting
nder Computer Configuration and User Configuration. If both are settings are used any programs listed in either of these locations cannot l
ms in the command window even though they would be prevented from doing so using File Explorer.Note: Non-Microsoft applications wit
r your computer that consists of items such as drivers critical updates Help files and Internet products that you can download to keep you
grams monitor the performance of their computers view and monitor all programs running on their computers including system services fi
enable this policy some blurry applications will be crisp after they are restarted without requiring the user to log out and back in to Windo
gned and lets the user decide whether to stop or to proceed with the installation and whether to permit unsigned files to be installed. "Wa
n off Windows Update device driver searching" in Administrative Templates/System/Internet Communication Management/Internet Com
ing to Windows Update to search for device drivers.
aching" nor does it affect the availability of the "Always available offline" menu option in the user interface. Note: Do not enable this polic
he user interface.Note: The configuration of this policy for any folder will override the configured value of "Do not automatically make all r
tion using a method that preserves the state of the files including their timestamps before updating the Folder Redirection location.If you
o function.If you enable this policy setting and the user has redirected folders such as the Documents and Pictures folders the folders are
r these subfolders when redirecting the Start Menu or legacy My Documents folder.Note: This policy is valid only on Windows Vista Windo
available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain con
box type a decimal number between 0 and 4294967200 indicating a transfer rate in kilobits per second. Any connection slower than this r
disable the object link.
rom the command line by typing RSOP.mscNote: This policy setting exists as both a User Configuration and Computer Configuration settin
ot appear.If you disable or do not configure this policy setting the "Show Policies Only" command is turned on by default but administrato
updates might interfere with users' work and increase network traffic very short update intervals are not appropriate for most installations
s setting to Disabled will enforce the default behavior. Files will always be copied to the GPO if they have a later timestamp.NOTE: If the C
ablet PC user writing samples from the handwriting recognition personalization tool will automatically be shared with Microsoft.If you do n
s can report handwriting recognition errors to Microsoft.
user uses the web publishing or online ordering wizards.See the documentation for the web publishing and online ordering wizards for mo
nfiguration/Administrative Templates/Printers.
tting is not shown.If you do not configure this policy setting users have the choice to opt in and allow information to be collected.
r locale but they can still select a replacement locale if one is installed.If you disable or do not configure this policy setting the user can sel
s policy is set to Enabled at the computer level then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the compu
nd French (Canada).If you enable this policy setting only locales in the specified locale list can be selected by users.If you disable or do not
e Computer Configuration and User Configuration folders. If both policy settings are configured the policy setting in Computer Configuratio
tion takes precedence over the policy setting in User Configuration.Note: Customized run-once lists are stored in the registry in HKEY_LOC
configure this policy setting the user will have to start the appropriate programs after logon.Note: This setting appears in the Computer C
ss PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) Enables DEP-ATL thunk emulation for the c
gon Scripts Visible" setting.

setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
o that there are two users Qin Hong and Tamara Johnston. For Qin GPOs A B and C are applied. Therefore the scripts for GPOs B and C run
s can access any directory on the home share by using the home directory drive letter.If you disable or do not configure this policy setting
ow folders and all their subfolders such as the History Temp and Temporary Internet Files folders are excluded from the user's roaming pr
d profile.-- Determine how often the customized message is displayed.Note: In operating systems earlier than Microsoft Windows Vista W
via Offline Files and continue to remain online while the user is logged on if the network paths are accessible. Note: You should not use t
e: Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http https and mailto URI s
sk file types Windows will not prompt the user before accessing the file regardless of the file's zone information.If you enable this policy s
his policy setting Windows uses its built-in list of high-risk file types.
default trust logic.
logic.If you do not configure this policy setting Windows uses its default trust logic.
nts are opened.If you do not configure this policy setting Windows does not call the registered antivirus programs when file attachments a
his policy setting you can choose the order in which Windows processes risk assessment data.If you disable this policy setting Windows use
g. If you enable this policy setting an Administrator can change the default Windows Vista or later behavior for autorun to: a) Com
disabled on all drives. This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autopla
service the checkbox will have no effect.If you disable this policy setting Windows spotlight will be turned off and users will no longer be ab
ed recommendations tips and offers to tailor Windows for the user's needs and make it work better for them.Note: this setting does not co
d applications that use the Windows system controls including Internet Explorer.
um diagnostic data necessary to keep Windows secure up to date and performing as expected.â€¯Using this value disables the "Optional d
er-user basis there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.
applications that depend on the existence of the known folder.
a user does not have sufficient permissions to install a program the installation continues with the current user's logon credentials. As a re
not search for the original path even when it cannot find the target file in the current target path.If you disable or do not configure this po
window.Also this policy setting does not prevent users from using programs to access these drives or their contents. And it does not preven
omputer Management.Tip: To hide all context menus use the "Remove File Explorer's default context menu" setting.
mputers in their workgroup or domain by other commonly used methods such as typing the share name in the Run dialog box or the Map N
Network Drive dialog box.To remove computers in the user's workgroup or domain from lists of network resources use the "No Computer
he bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Sear
ms or .searchConnector-ms file.You can add up to five additional links to the "Search again" links at the bottom of results returned in File E
still appear in My Computer but if users double-click the icons a message appears explaining that a setting prevents the action. Also this se
orrectly that this setting prevents users from connecting and disconnecting drives.Note: It is a requirement for third-party applications wit
n the File Explorer context menu or on the Start menu. To remove Search from the Start menu use the "Remove Search menu from Start m
oup.Note: The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional.
n Control Panel.
on again using their administrator credentials.If the dialog box does not appear the installation proceeds with the current user's permission
arch box.
tting the protocol is in the protected mode allowing applications to only open a limited set of folders.If you do not configure this policy setti
e scope of Start searchThis policy will not enable users to add unsupported locations to Libraries.If you enable this policy Windows Librarie
e: In operating systems earlier than Windows Vista enabling this policy will also disable the Active Desktop and Web view. This setting will
ck Open.Note: In Windows Vista this policy setting applies only to applications that are using the Windows XP common dialog box style. T
a common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this settin
n example of the standard Open dialog box start Wordpad and on the File menu click Open.Note: In Windows Vista this policy setting app
ar.Note: In Windows Vista this policy setting applies only to applications that are using the Windows XP common dialog box style. This pol
when the previous version is of a local file and stored on the backup.
s of a file on a file share.
y setting the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specifi
you disable or do not configure this policy setting no range of characters are filtered by default.This policy setting applies to Japanese Micr
Changes to this setting will not take effect until the user logs off.
tting applies to Microsoft CHS Pinyin IME and JPN IME.

tting applies only to Microsoft CHS Pinyin IME.
ustom administrative template file see the Internet Explorer documentation on search providers.If you disable or do not configure this pol
users can change the Suggestions setting on the Settings charm.

gure this policy setting newly installed add-ons are not automatically activated in the browser. Internet Explorer notifies the user when ne
orer Bar is enabled.If checked the Media Explorer Bar will automatically display and play the media content when the user clicks on a med
pen in up to three of the following channels where: 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microso
policy removes the Advanced tab from the interface.
nel) takes precedence over this policy. If it is enabled this policy is ignored.
om Internet Explorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.Caution: If you enable this poli
se the "Disable the General page" policy removes the General tab from the interface.Note: The default Web page colors are ignored on W
t.The "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explo
al tab from the interface.Note: The default font settings colors are ignored in cases in which the Web page author has specified the font att
l Panel) you do not need to set this policy because the "Disable the General page" policy removes the General tab from the interface.
eneral page" policy removes the General tab from the interface.Note: The default link colors are ignored on Web pages on which the autho
ternet Control Panel) which removes the Programs tab from Internet Explorer in Control Panel takes precedence over this policy. If it is en
not need to set this policy because the "Disable the General page" policy removes the General tab from the interface.
e to use the Import/Export Settings wizard.

cated in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) which removes t
ites feeds shortcuts to home page and more. Full-screen mode disables not only these three bars but also the shortcuts to these bars.If yo
nternetExplorerâ€™) policy. Additionally itâ€™s best to enable this policy only if your intranet sites have known compatibility problems wit
n websites in Enterprise Mode.
.contoso.comLOBApp.contoso.com
Â 2 - Intranet site zone onlyÂ Â Binary Representation - 00010â€¢Â 0 - Restricted Sites Zoneâ€¢Â 0 - Internet Zoneâ€¢Â 0 - Trusted Sites
the Internet Options dialog box. Note that starting with Internet Explorer 10 on Windows 8 the check box is located on the Advanced tab
ebsites to the exception list by enabling "Turn off Managing Pop-up Allow list" policy.
of the menu bar and the navigation bar.If you disable this policy setting the menu bar is below the navigation bar. The user cannot interch
settings to prevent the user from configuring pop-up behavior.
g the user.If you disable or do not configure this policy setting the user is prompted to decide the mode of operation for the phishing filter
run the First Run wizard the first time the browser is started after installation.
rs that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative temp
an be used in coordination with the "File Menu: Disable Open menu option" policy (located in \User Configuration\Administrative Templat
ents\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting then all intranet sites will continue to open in Internet Ex
y enabled through the creation of an integer setting. In this case each Internet Explorer isolation setting will quickly grow to use the specifi
figure this policy setting users are notified when the average time to load all the user's enabled add-ons exceeds the threshold. This is the
the first-run experience.

ds.If you do not configure this setting the user has the freedom of turning on Auto complete for User name and passwords on forms and th
nt Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you want to m
tion click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the Curren
rol will not be designated as administrator-approved.
licy click User Configuration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings
thors to add pop-up menus to Web pagesTo specify how administrator-approved controls are handled for each security zone carry out the
click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the Current Sec
nce and then click Security.2. Double-click Security Zones and Content Ratings click Import the Current Security Zones Settings and then cl
nt Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you want to
n click Modify Settings.3. Select the content zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run
ation click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the Curre
d then click Modify Settings.3. Select the content zone in which you want to manage ActiveX controls and then click Custom Level.4. In the
odify Settings.3. Select the content zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX
f the URL action for the application or process on the computer prevail.
ration.If you do not configure this policy setting current values of the URL action for the Internet Explorer process prevail.
mpts are not bypassed. Value Name is the name of the executable file. If Value Name is empty or the value is not 0 or 1 the policy setting
t open in a new window and they will be informed that the command is not available.
the shortcut menu to open new browser windows you should also set the "Disable Open in New Window menu option" policy which disab
New Window menu option" policy which disables this command on the shortcut menu or the "Turn off Shortcut Menu" policy which disab
not configure it users can save all elements on a Web page.The "File menu: Disable Save As... menu option" policy which removes the Sav
ing Web content by pointing to a link on a Web page clicking the right mouse button and then clicking Save Target As.
nks that are set up for offline viewing.
ns icon in Windows Control Panel.Also see policies for Internet options in the \Administrative Templates\Windows Components\Internet E
net Explorer will be available and users will see installed printers under the Devices charm.
disables the entire shortcut menu.

ate the feature by using the Compatibility View Settings dialog box.
n to common Internet standards may be displayed incorrectly.If you disable this policy setting Internet Explorer uses a current user agent
for local intranet content. Additionally all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user can
setting has no effect.

set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history.
ttings charm.
Delete Browsing History dialog box.If you enable this policy setting ActiveX Filtering Tracking Protection and Do Not Track data is preserved
ering data when he or she clicks Delete.
et files settings""Disable changing history settings""Disable changing color settings""Disable changing link color settings""Disable changing
re always converted to IDN format.If you disable or do not configure this policy setting the user can control this setting by using Advanced
cy users will be prompted when Web Components such as fonts would be downloaded.
policy setting users can select the Always send Do Not Track header option in Internet Explorer settings. By selecting this option Internet E
cy setting Internet Explorer does not check the Internet for new versions of the browser so does not prompt users to install them.
have been revoked.
gure this policy Internet Explorer will not check the digital signatures of executable programs or display their identities before downloading
east Windows 8 Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.Wh
you do not configure this policy Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser windo
an encryption tunnel by using the encryption methods that you select from the drop-down list.If you disable or do not configure this policy
Profile Assistant information.

ult is to encode all query strings in UTF-8.
ettings charm.
you don't configure this policy setting users can turn this feature on or off using Internet Explorer settings. This feature is turned off by de
d will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.If you do not configure this policy users will
session.If you do not configure this policy setting Internet Explorer starts with the home page. Users can change this option to start with th
site Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers.
s on Website Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers.
plorer will allow trusted domains to store additional files in application caches up to the limit set in this policy setting.If you disable or do n
r will allow trusted domains to store additional data in indexed databases up to the limit set in this group policy.If you disable or do not co
rnet Explorer will use the default application cache individual resource size for all application caches resources. The default is 50 MB.
ng the page that referenced the manifest that are less than or equal to the limit set in this policy setting.If you disable or do not configure t
hes. The default is 1 GB.
d databases. The default is 4 GB.
the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security) the same change should be m
e) and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that p
tion appears for intranet content loaded on a browser on a computer that is not a domain member until the user turns off the Notification
n the zone.If you do not configure this policy setting users cannot load a page in the zone that uses MSXML or ADO to access data from ano
affected.If you disable this policy setting all attempts to access such content over the restricted protocols is blocked.If you do not configure
rs are available.
ange this behavior.If you do not configure this policy setting the user can decide whether to load XBAPs inside Internet Explorer.
change this behavior.If you do not configure this policy setting the user can decide whether to load XAML files inside Internet Explorer.
XPS files inside Internet Explorer.
e redirected to another Web page.
using Search Connectors.

this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails it is the zon
.If you do not configure this policy setting the possible harmful actions contained in script-initiated pop-up windows and windows that inc
s.If you do not configure this policy setting video and animation can be played through older media players in specified zones.
secure (http://) content.If you disable this policy setting users cannot receive the security information message and nonsecure content can
nnect to a Web site that has no certificate or only one certificate.
urn this behavior on or off using Internet Explorer Security settings.
ntly downloaded.
not configure it users cannot drag content from one domain to a different domain when the source and destination are in different windo
this policy setting or do not configure it users cannot drag content from one domain to a different domain when the source and destinatio
MIME Sniffing Safety Feature will not apply in this zone.
en he or she is uploading a file via an HTML form. By default path information is sent.
etting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.If you do not configure this policy setting Acti
pplets cannot run.If you do not configure this policy setting the permission is set to High Safety.
his policy setting users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
omatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authen
ations from other domains.
configure this policy setting Internet Explorer will execute unsigned managed components.
his policy setting Internet Explorer will execute signed managed components.
tricted zone enabled in the Intranet and Local Computer zones and set to prompt in the Internet and Trusted zones.
are packages from being automatically downloaded to users' computers and software packages from being automatically installed on use
u do not configure this policy setting users are queried to choose whether to allow information using HTML forms on pages in this zone to
ng .NET Framework Setup is turned on by default. The user can change this behavior.
this policy setting users can preserve information in the browser's history in favorites in an XML store or directly within a Web page saved
be on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting Web sites from less pr
n the zone.If you do not configure this policy setting users are queried to choose whether to allow a page to be loaded in the zone that use
rs are available.

.If you do not configure this policy setting Windows Restrictions security will not apply in this zone. The security zone runs without the add
en they connect to a Web site that has no certificate or only one certificate.
n this behavior on or off using Internet Explorer Security settings.
ntly downloaded.
pplets cannot run.If you do not configure this policy setting the permission is set to Medium Safety.
u do not configure this policy setting information using HTML forms on pages in this zone can be submitted automatically.
be on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting Web sites from less pr
n the zone.If you do not configure this policy setting users can load a page in the zone that uses MSXML or ADO to access data from anothe
rs are available.

etting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.If you do not configure this policy setting user
pplets cannot run.If you do not configure this policy setting the permission is set to Medium Safety.
his policy setting users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
configure this policy setting Internet Explorer will not execute unsigned managed components.
his policy setting Internet Explorer will not execute signed managed components.
on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting the possibly harmful nav
he Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

ntly downloaded.
actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone as dictated by the feature co
pplets cannot run.If you do not configure this policy setting Java applets are disabled.
n the zone.If you do not configure this policy setting users are queried to choose whether to allow a page to be loaded in the zone that use

ntly downloaded.

rs are not available unless applications have implemented a custom security manager.
ot be redirected to another Web page.
one using Search Connectors.

his policy setting users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
windows and frames from different domains or access applications from different domains.
this policy setting users cannot preserve information in the browser's history in favorites in an XML store or directly within a Web page sav

protocols is unaffected.If you disable this policy setting all attempts to access such content over the restricted protocols is blocked.If you d
rs are not available unless applications have implemented a custom security manager.
ot be redirected to another Web page.
one using Search Connectors.

his policy setting users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
windows and frames from different domains or access applications from different domains.
this policy setting users cannot preserve information in the browser's history in favorites in an XML store or directly within a Web page sav
rs are available.

etting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.If you do not configure this policy setting user
pplets cannot run.If you do not configure this policy setting the permission is set to Low Safety.
be on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting a warning is issued to
rrect the problem. The user cannot change this policy setting.If you do not configure this policy setting the user can turn on or turn off deta
the user can turn on or turn off the display of script errors.
downloading. The user cannot change this policy setting.If you do not configure this policy setting the user can allow or prevent the displa
ppear. The user cannot turn off image display.If you do not configure this policy setting the user can turn on or turn off image display.
specify what action applies to searches on the Address bar.

website or a search-results webpage in the main window.If you disable or do not configure this policy setting the user can select their pref
y setting the user can decide whether to start Internet Explorer automatically to complete the signup process after the branding is comple
ternet Options dialog. By default URL Suggestions are turned on.

ar. The user cannot change this setting.If you do not configure this policy setting the user can choose to turn the Use Windows Search setti
plorer 8. By default inline AutoComplete is turned on for Internet Explorer 9.
g of the path portion of URLs as UTF-8.
d Active Channel for this option; however a few use different words such as Subscribe.
n User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabled
ns that are concerned about server load for downloading content.The "Hide Favorites menu" policy (located in User Configuration\Admini
ription content" policy and the "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows Compone
g schedules for offline pages" policy and the "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windo
wnloading Web content for offline viewing.This policy is intended for organizations that are concerned about server load for downloading
preconfigured settings for pages to be downloaded for offline viewing.This policy is intended for organizations that are concerned about s
erface in the Offline Favorites wizard.Note: The begin and end times for downloading are measured in minutes after midnight. The Maxim
and then clicking InPrivate Filtering.

tton and then clicking Tracking Protection.
e application as a user types in a password. The reveal password button is visible by default.On at least Windows 8 if the "Do not display t
owing information:Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brack
rs - all add-ons are assumed to be denied unless they are specifically allowed through the 'Add-on List' policy setting.If you enable this poli
d policy settings are ignored by the specified process. The Value Name is the name of the executable. If a Value Name is empty or the Value
ols" in the Internet Explorer TechNet library.
ut-of-date ActiveX control blocking" in the Internet Explorer TechNet library.
/Users/contoso/Desktop/index.htm"If you disable or don't configure this policy setting the list is deleted and Internet Explorer continues t
mation see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
ng the WebSocket object. By default the WebSocket object is enabled.
to 'admin-approved' just as if those zones were set to 'disable'.If you do not configure this policy setting only VML will be allowed in zone
e policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to ena
setting Consistent Mime Handling is prevented for all processes.
ng Internet Explorer will not require consistent MIME data for all received files.If you do not configure this policy setting Internet Explorer
d.If you enable this policy setting and enter a Value of 1 MIME handling is in effect. If you enter a Value of 0 file-type information is allowe
d in a process list.If you disable or do not configure this policy setting Local Machine zone security is not applied to local files or content pr
isable this policy setting Local Machine zone security is not applied to local files or content processed by Internet Explorer.If you do not co
Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use th
ed Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configure
able IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting.If you
d for processes other than File Explorer and Internet Explorer.
rotocols is prevented for File Explorer and Internet Explorer processes.If you do not configure this policy setting the policy setting is ignore
The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not ente
one no protocols are restricted for that zone regardless of the setting for "Allow active content over restricted protocols to access my com
rnet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable for IE processes. If the All Proces
this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled th
cesses.If you do not configure this policy setting any zone can be protected from zone elevation by Internet Explorer processes.
n to more privileged zones can be prevented. If you enter a Value of 0 elevation to any zone is allowed. The Value Name is the name of th
enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the se
s policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this pol
other restrictions apply for File Explorer and Internet Explorer processes.
name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer
efault and the user can change this.

olicy can be used in coordination with the "Disable customizing browser toolbars" policy which prevents users from determining which too
e.If you disable or do not configure this policy setting the toolbar upgrade tool checks for incompatible toolbars. The user can enable or dis
en a blank MMC console window on the Start menu. (To open the MMC click Start click Run and type mmc.) Users also cannot open a blan
permit use of most snap-ins. To explicitly prohibit a snap-in open the Restricted/Permitted snap-ins setting folder and then disable the se
snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled users canno
is disabled or not configured users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in disable
snap-in is permitted or prohibited.-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled users cannot
o the explicitly permitted list of snap-ins" is enabled users will not have access to the Group Policy tab. To explicitly permit use of the Gr
ence items cannot be created.
t of snap-ins" policy setting.
y permitted list of snap-ins" policy setting for the Control Panel Settings item but not for its children. Enabling this policy setting does not o
d list of snap-ins" policy setting for the Control Panel Settings item but not for its children. Enabling this policy setting does not override an
configure this policy setting you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted
gure this policy setting you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of
of snap-ins" policy setting.
st of snap-ins" policy setting.
p-ins" policy setting.
t configure this policy setting you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted
nap-ins" policy setting.
nap-ins" policy setting.
reference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Setti
ou do not configure this policy setting you permit use of the preference extension unless restricted by the "Restrict users to the explicitly p
not configure this policy setting you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitt
d list of snap-ins" policy setting.
ot configure this policy setting you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted
use of the Preferences tab.
gure this policy setting you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitted list of
reference extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Setti
snap-ins" policy setting.
not configure this policy setting you permit use of the preference extension unless restricted by the "Restrict users to the explicitly permitt
erence extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Settings
f snap-ins" policy setting.
ence extension unless restricted by the "Restrict users to the explicitly permitted list of snap-ins" or "Permit use of Control Panel Settings (U
ed to sync later. Set SyncMethod to â€œExternalâ€ when an external synchronization engine is being deployed for settings sync. This co
Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows.
licy any defined values will be deleted.
chronization.If you disable this policy setting all Windows Settings are excluded from the settings synchronization.If you do not configure t
ck to the state when UE-V was installed or to â€œlast-known-goodâ€ configurations. Only enable this policy setting on computers runnin
Microsoft Office Suite 2013 applications will not be backed up. If you do not configure this policy setting any defined values will be deleted.
Microsoft Office Suite 2016 applications will not be backed up. If you do not configure this policy setting any defined values will be deleted.
ynchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled.If you do not configur
ich are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Micros
ch are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the Micros
ll be deleted.
ch are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the Micros
ll be deleted.
ble this policy setting Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V.If you do not configure
ble this policy setting Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V.If you do not configure
enable this policy setting user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize w
enable this policy setting user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize w
s policy setting Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V.If you do not configure this pol
s policy setting Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V.If you do not configure this pol
you disable this policy setting Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V.If you do not c
policy setting Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy
policy setting Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V.If you do not configure this policy
If you disable this policy setting Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V.If you do no
If you disable this policy setting Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V.If you do no
u disable this policy setting Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V.If you do not con
u disable this policy setting Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V.If you do not con
with UE-V.If you disable this policy setting Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-
with UE-V.If you disable this policy setting Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-
sable this policy setting Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V.If you do not configu
sable this policy setting Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V.If you do not configu
.If you disable this policy setting Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V.If you do n
.If you disable this policy setting Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V.If you do n
013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365 SharePoint Designer 2013 user settings a
policy setting Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy
policy setting Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V.If you do not configure this policy
this policy setting Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V.If you do not configure this p
this policy setting Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V.If you do not configure this p
e deleted.
e deleted.
n administrator has opted in the computer.
se their privacy settings after an upgrade.
y setting Windows presentation settings can be invoked.
n if they select the "Use these RD Gateway server settings" option on the client.Note: To enforce this policy setting you must also specify th
g settings on the client using an RDP file or using an HTML script. If users do not specify an alternate authentication method the authentic
is setting either the NTLM protocol that is enabled on the client or a smart card can be used.To allow users to overwrite the "Set RD Gatew
message that the publisher has been blocked.
valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RD
an define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for t
n of a remote user with the user's consent. 5. View Session without user's permission: Allows the administrator to watch the session of a re
o at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later.
t the Group Policy level.
policy setting the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does
hat runs on the remote computer after the client connects to the remote computer. If an initial program is not specified the desktop is alw
guration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2008
ogged off.To use this setting in Program path and file name type the fully qualified path and file name of the executable file to be run when
sions policy settings.If you enable this policy setting Remote Desktop Services ends any session that reaches its time-out limit.If you disable
do not configure this policy setting the time limit is not specified at the Group Policy level. By default Remote Desktop Services allows ses
cy setting this policy setting is not specified at the Group Policy level. By default Remote Desktop Services allows sessions to remain active
onnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessi
e logged off from the RD Session Host server. If the user starts a RemoteApp program before the time limit is reached the user will reconn
annot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL.If you
te a feed or Web Slice by using the Feed APIs.
olicy setting users can index any path not restricted by other policies but their original list of paths to index is not restored.
ble this policy Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Option
a in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.If yo
ere this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.If you do not configure th
nji and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to config
will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options.Cauti
figure this setting in the Input Panel Options dialog box.If you do not configure this policy application auto complete lists will appear next
setting all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. I
able to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose â€œTolerant" users will be abl
e will be available.
by having the property sheet displayed automatically. Note that the checkbox is not checked by default even if this setting is Disabled or N
lders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: Th
t: This setting does not prevent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder. To pre
computers.
ation settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured user settings in Control Pane
ort data until the computer is connected to a more permanent power source.
g information is stored.
Control Panel.The Maximum number of reports to queue setting determines how many reports can be queued before older reports are au
nabled the Exclude errors for applications on this list setting takes precedence.If you disable or do not configure this policy setting errors ar
he minimum data that is required to check for an existing solution along with data which Windows has determined (within a high probabil
ers): Windows Error Reporting automatically sends the minimum data required to check for an existing solution and Windows prompts the
ness authentication from failing.
hen you use a third-party solution to provision Windows Hello for Business.If you select "Do not start Windows Hello provisioning after sign
this policy setting the system applies the current user's permissions when it installs programs that a system administrator does not distribu
ges such as installations offered on the desktop or in Add or Remove Programs.Also see the "Enable user to use media source while elevat
rs from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However beca
œSet action to take when logon hours expireâ€ is disabled or not configured the â€œRemove logon hours expiration warningsâ€ setting
he system takes no action when the userâ€™s logon hours expire. The user can continue the existing session but cannot log on to a new se
net check box.
Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box.
xy cannot be configured. If the "Hide network tab" policy setting is also enabled the entire Network tab is hidden.This policy is ignored if th
hidden.This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast is not selected.If you disabl
he Performance tab.
hidden.If you disable this policy setting the RTSP proxy server cannot be used and users cannot change the RTSP proxy settings.If you do n
eceived if the "Allow the Player to receive multicast streams" check box on the Network tab is selected.If you enable this policy setting the
tting for the Allow screen saver during playback check box.
nfigured by other polices.
he Player features that are available with the specified skin. Users cannot switch the Player to full mode and cannot choose a different ski
users to use Windows Messenger enable the "Do not allow Windows Messenger to run" policy setting.Note: This policy setting is available
itor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
tting is not configured the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a mo
s. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Com
PowerShell session. If you disable this policy setting transcripting of PowerShell-based applications is disabled by default although tran
nder both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has preced
the time the user selects the Shut Down option in the Start menu.Note that this policy setting has no impact if the User Configuration\Ad
he following notification options:0 = Do not show any notificationsThis setting will remove all access to Windows Update features and no
f the file server that stores the affected users' data.The "Work Folders Local Path" specifies the local folder used on the client machine to s
al name. For example enter Microsoft.Mouse Microsoft.System or Microsoft.Personalization.Note: For Windows Vista Windows Server 200
n for other reasons (such as a missing hardware device) this policy will not force that page to appear. After this the policy string must cont
ft.System or Microsoft.Personalization.Note: For Windows Vista Windows Server 2008 and earlier versions of Windows the module name f
e the only remaining option on the Add/Remove Windows Components page starts the wizard that option is selected automatically and th
ble media regardless of this setting.
y cannot use Add or Remove Programs to install published programs. However they can still install programs by using other methods and t
Set Program Access and Defaults from Start menu" setting.
ely to need.Note: This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setti
yping %windir%\resources\Themes\Luna\Luna.msstylesNote: To select the Windows Classic visual style leave the box blank beside "Path t
d.Note: This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled this setting is
use the "Prevent changing Screen Saver" setting.
e Personalization or Display Control Panel is used. The default is 15 minutes.

r's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers."
d and users cannot search the network but must type a printer name.Note: This setting affects the Add Printer Wizard only. It does not pre
by the network administrator. When using package point and print client computers will check the driver signature of all drivers that are d
rivers need to be updated. If you do not configure this policy setting: -Windows Vista client computers can point and print to any
wever if users have not added a printer when this setting is applied they cannot print. Note: You can use printer permissions to restric
ers cannot view the programs that have been published by the system administrator and they cannot use the "Get Programs" page to inst
other tools and methods to install or uninstall programs.
Options control panel to select any available UI language.

alogs language" policy setting.
ugh Input Panel is collected and stored. Note: Automatic learning of both text and ink might not be available for all languages even when h
r is displayed as usual appearing as normal on the desktop Start menu folder tree pane and Web views unless restricted by another setting
nge this specification.If you disable this setting or do not configure it no wallpaper is displayed. However users can select the wallpaper of
ators" setting) the Properties menu items are disabled and users (including administrators) cannot open the remote access connection pro
nections but you can change the default by using the "Prohibit deletion of remote access connections" setting.)Important: If the "Enable N
computers.If you do not configure this setting only Administrators and Network Configuration Operators can enable/disable LAN connecti
onnections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled) this setting does no
ators and Network Configuration Operators have the right to rename LAN or all user remote access connections.Note: When configured th
connections available to all users" "Prohibit access to properties of components of a LAN connection" "Prohibit access to properties of com
ck the icon representing a LAN connection. Also when users select the connection Properties is enabled on the File menu.Note: This setting
2000 computers.If you disable this setting or do not configure it the Properties button is enabled for administrators and Network Configu
b of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To view or c
dministrators.Note: Nonadministrators are already prohibited from accessing the Advanced Settings dialog box regardless of this setting.
cking the Make New Connection icon starts the New Connection Wizard.Note: Changing this setting from Enabled to Not Configured does
r all users.
ctions in the Network Connections folder are enabled. Also administrators can gain access to network components in the Windows Compo
rivate connection.Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured this setting wil
ting the connection by right-clicking it or by using the File menu.
only to one user. (By default only Administrators and Network Configuration Operators can delete connections available to all users but yo
k box enables the component and clearing the check box disables the component.Note: When the "Prohibit access to properties of a LAN
cess connections. Users can rename their private connection by clicking an icon representing the connection or by using the File menu.Not
Note: This setting is superseded by settings that prohibit access to properties of connections or connection components. When these polic
onnections settings for Administrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 co
assigned an IP address will be reported via a notification providing the user with information as to how the problem can be resolved.
ng users can work offline by default but they can change this option.This setting appears in the Computer Configuration and User Configura
local computer is connected and disconnected from the network."3" also records an event when the server hosting the offline file is recon
puter and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions throu
uration.Tip: To view the Offline Files Folder in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and then
vides a quick method for locking down the default settings for Offline Files. To accept the defaults just enable this setting. You do not have
r balloon frequency without establishing a setting in Windows Explorer on the Tools menu click Folder Options and then click the Offline F
ows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows 8 Windows 7 or Windows Vista.
able for all files and folders.Notes:This policy setting appears in the Computer Configuration and User Configuration folders. If both policy
olders for offline use).If you do not configure this policy setting no files or folders are made available for offline use by Group Policy.Note: T
r Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User Con
ot configure this setting and Synchronization Manager is configured for logon synchronization the system performs a quick synchronization
les the "Enable reminders" option on the Offline Files tabThis setting appears in the Computer Configuration and User Configuration folde
g Off item on a computer click Start click Settings click Taskbar and Start Menu click the Start Menu Options tab and then in the Start Men
t Items menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The system only uses this
olbars" command appears in the context menu.

in the menus including files located remotely on another computer.Note: This setting does not prevent Windows from displaying remote fi
and websites.Note: The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder.Also see
o not have this ID tracking and search capability.Also see the "Do not track Shell shortcuts during roaming" and the "Do not use the tracki
T partitions do not have this ID tracking and search capability.Also see the "Do not track Shell shortcuts during roaming" and the "Do not u
n is locked and the user cannot show and hide various toolbars using the taskbar context menu.
o not configure this setting the all apps list will be visible by default and the user can change "Show app list in Start" in Settings.
ity screen is also available.Note: Third-party programs certified as compatible with Microsoft Windows Vista Windows XP SP2 Windows XP
the system to appeal to most users. However users can add and remove items from this menu and system administrators can create a cu
onfigure this policy setting the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer.A
o add or remove the Log Off item on a computer click Start click Settings click Taskbar and Start Menu click the Start Menu Options tab and
ections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections).
able Display in Control Panel" and "Remove Network Connections from Start Menu" policy settings.
remove it.If the setting is not configured users can turn the Recent Items menu on and off.Note: This setting does not prevent Windows pr
Task Manager and use the Internet Explorer Address Bar.Note:This setting affects the specified interface only. It does not prevent users fr
you right-click an icon representing a drive or a folder.This policy setting affects the specified user interface elements only. It does not affe
ar in the directory but not on the Start menu.If you disable this setting or do not configured it Windows 2000 Professional and Windows X
ng to the default logic.

hich manages same part of Start menu but with fewer options).
r\Share\Layout.xml. If the specified file is not available when the user logs on the layout won't be changed. Users cannot customize their S
art click Settings click Taskbar and Start Menu and then on the General tab clear the "Use Personalized Menus" option.
nning programs to the Taskbar" policy settings.

29. Conversely all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19 that is 1930 to 1999.If you disable or
Explorer interface.Tip: To find the folders indicated by the Path environment variable click System Properties in Control Panel click the Adv
both settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To displa
-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.Note: To create a list of allo
ns or it might stop.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the se
her of these locations cannot launched from Help

Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.Note: To create a list of
ou can download to keep your computer up to date.Also see the "Remove links and access to Windows Update" setting. If the "Remove lin
ers including system services find the executable names of programs and change the priority of the process in which programs run.
log out and back in to Windows. Be aware of the following:Per Process System DPI will only improve the rendering of desktop application
igned files to be installed. "Warn" is the default.-- "Block" directs the system to refuse to install unsigned files. As a result the installation
on Management/Internet Communication settings.
Note: Do not enable this policy setting if users will need access to their redirected files if the network or server holding the redirected files
o not automatically make all redirected folders available offline".
der Redirection location.If you disable or do not configure this policy setting when the path to a redirected folder is changed and Folder Re
ctures folders the folders are redirected on the user's primary computer only.If you disable or do not configure this policy setting and the
only on Windows Vista Windows 7 Windows 8 and Windows Server 2012 when it processes a legacy redirection policy already deployed f
es to any available domain controller.If you disable this setting or do not configure it the Group Policy Object Editor snap-in uses the doma
connection slower than this rate is considered to be slow. If you type 0 all connections are considered to be fast.If you disable this setting
Computer Configuration setting.Also see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administra
n by default but administrators can view preferences by turning off the "Show Policies Only" command.Note: To find the "Show Policies O
ropriate for most installations.If you disable this setting user Group Policy is updated every 90 minutes (the default). To specify that Group
ater timestamp.NOTE: If the Computer Configuration policy setting "Always use local ADM files for the Group Policy Object Editor" is enab
ared with Microsoft.If you do not configure this policy Tablet PC users can choose whether or not they want to share their writing samples
online ordering wizards for more information including details on specifying service providers in the registry.
ation to be collected.
policy setting the user can select a custom locale as their user locale.If this policy setting is enabled at the machine level it cannot be disab
s set to Disabled at the computer level then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level
users.If you disable or do not configure this policy setting users can select any locale installed on the computer unless restricted by the "Di
tting in Computer Configuration takes precedence over the policy setting in User Configuration.Note: To create a customized run list by us
ed in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.Also see the ""Do not process the leg
ng appears in the Computer Configuration and User Configuration folders. If both settings are configured the system starts the programs s
-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Acti
e scripts for GPOs B and C run in the following order for Qin:Within GPO B: B.ps1 B.cmdWithin GPO C: C.ps1 C.cmd For Tamara GPOs B and
t configure this policy setting the system uses the definitions introduced with Windows 2000. %HOMESHARE% stores the fully qualified pa
ed from the user's roaming profile.In operating systems earlier than Microsoft Windows Vista only the History Local Settings Temp and Te
an Microsoft Windows Vista Windows will not allow users to log off until the profile size has been reduced to within the allowable limit. In
e. Note: You should not use this policy setting to suspend any of the root redirected folders such as Appdata\Roaming Start Menu and Do
the http https and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untrusted
tion.If you enable this policy setting you can specify the default risk level for file types.If you disable this policy setting Windows sets the d
rams when file attachments are opened.
his policy setting Windows uses its default trust logic which prefers the file handler over the file type.If you do not configure this policy setti
vior for autorun to: a) Completely disable autorun commands or b) Revert back to pre-Windows Vista behavior of automatically
this setting to enable Autoplay on drives on which it is disabled by default. If you disable or do not configure this policy setting AutoP
and users will no longer be able to select it as their lock screen. Users will see the default lock screen image and will be able to select ano
.Note: this setting does not control Cortana tailored experiences since there are separate policies to configure it.
value disables the "Optional diagnostic data" control in the Settings app. - Send optional diagnostic data. Additional diagnostic data is co
n\Shell Extensions\Approved.
ser's logon credentials. As a result the installation might fail or it might complete but not include all features. Or it might appear to comple
ble or do not configure this policy setting Windows searches for the original path when it cannot find the target file in the current target pa
ntents. And it does not prevent users from using the Disk Management snap-in to view and change drive characteristics.If you disable or d
e Run dialog box or the Map Network Drive dialog box.To remove network computers from lists of network resources use the "No Entire N
sources use the "No Computers Near Me in Network Locations" setting.Note: It is a requirement for third-party applications with Windows
Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.The first
m of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search Conn
events the action. Also this setting does not prevent users from using programs to access local and network drives. And it does not preven
or third-party applications with Windows 2000 or later certification to adhere to this setting.
move Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hide all c
XP Professional.
h the current user's permissions. If these permissions are not sufficient the installation might fail or it might complete but not include all fe
o not configure this policy setting the protocol is in the protected mode allowing applications to only open a limited set of folders.
e this policy Windows Libraries features that rely on indexed file data will be disabled.If you disable or do not configure this policy all defa
nd Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled Active Desktop i
XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also third-party applic
fication to adhere to this setting.
ws Vista this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting does no
mon dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style.
ent protected using the specified EID on the device. If you disable or do not configure this policy setting the only Windows Runtime applic
tting applies to Japanese Microsoft IME only.Note: Changes to this setting will not take effect until the user logs off.
le or do not configure this policy setting the user can configure their list of search providers unless another policy setting restricts such con
orer notifies the user when newly installed add-ons are ready for use. The user must choose to activate them by responding to the notifica
when the user clicks on a media link.If unchecked the content will be played by the default media client on their system.
rsion 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary version 77 or laterIf the Windows Update for the
Caution: If you enable this policy users can still run the Certificate Manager Import Wizard by double-clicking a software publishing certific
page colors are ignored on Web pages in which the author has specified the background and text colors.
ws Components\Internet Explorer\Internet Control Panel) which removes the Programs tab from Internet Explorer in Control Panel takes p
uthor has specified the font attributes.
al tab from the interface.

Web pages on which the author has specified link colors.
ence over this policy. If it is enabled this policy is ignored.
ontrol Panel) which removes the Connections tab from the interface. Removing the Connections tab from the interface however does not
e shortcuts to these bars.If you enable this policy setting the navigation bar the menu bar and the Command bar are not visible and the us
wn compatibility problems with Microsoft Edge.Related policies:- Send all intranet sites to Internet Explorer (â€˜SendIntranetToInternetEx
et Zoneâ€¢Â 0 - Trusted Sites Zoneâ€¢Â 1 - Local Intranet Zoneâ€¢Â 0 - Local Machine Zoneâ€¢Â 6 - Intranet and Trusted site zones onlyÂ
located on the Advanced tab in the Internet Options dialog box. For more information see "Group Policy Settings in Internet Explorer 10"
on bar. The user cannot interchange the positions of the menu bar and the navigation bar.If you do not configure this policy setting the use
peration for the phishing filter.
a custom administrative template file. For information about creating this custom administrative template file see the Internet Explorer do
ation\Administrative Templates\Windows Components\Internet Explorer\Browser Menus) which prevents users from opening files by usi
ontinue to open in Internet Explorer 11.

quickly grow to use the specified integer number of tab processes regardless of the physical memory on the computer or how many Inter
eeds the threshold. This is the default.

nd passwords on forms and the option of prompting to save passwords. To display this option the users open the Internet Options dialog b
nt zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click A
Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you want to man
rity Zones and Content Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in
ach security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explorer Maintenance and then clic
gs click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you want to manage
rity Zones Settings and then click Modify Settings.3. Select the content zone in which you want to manage ActiveX controls and then click C
nt zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click A
ck Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Administrator Approved.
Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you want to ma
en click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Administrator Approved.
m Level.4. In the Run ActiveX Controls and Plug-ins area click Administrator Approved.
ocess prevail.
s not 0 or 1 the policy setting is ignored.If you enable this policy setting for an application or process in the list a script can perform a Clipb
enu option" policy which disables this command on the shortcut menu or the "Turn off Shortcut Menu" policy which disables the entire sh
cut Menu" policy which disables the entire shortcut menu.
policy which removes the Save As command takes precedence over this policy. If it is enabled this policy is ignored.
ndows Components\Internet Explorer and in \Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel fo
orer uses a current user agent string. Additionally all Standards Mode webpages appear in the Standards Mode available in the latest versi
Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.If you do not configure this po
wsing history.
Do Not Track data is preserved when the user clicks Delete.If you disable this policy setting ActiveX Filtering Tracking Protection and Do No
or settings""Disable changing font settings""Disable changing language settings""Disable changing accessibility settings"
his setting by using Advanced Options in Internet Control Panel. By default domain names are converted to IDN format only for addresses
selecting this option Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific excep
users to install them.
identities before downloading them to user computers.

egistry and the file system.When Enhanced Protected Mode is enabled and a user encounters a website that attempts to load an ActiveX c
es folder when browser windows are closed.
or do not configure this policy setting the user can select which encryption method the browser supports.Note: SSL 2.0 is off by default an
This feature is turned off by default.
onfigure this policy users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog
nge this option to start with the tabs from the last session.
on their computers.
tore data on their computers.
y setting.If you disable or do not configure this policy setting Internet Explorer will use the default maximum storage limit for all applicatio
licy.If you disable or do not configure this policy setting Internet Explorer will use the default maximum storage limit for all indexed databa
es. The default is 50 MB.
u disable or do not configure this policy setting Internet Explorer will use the default maximum application cache resource list size for all a
the same change should be made to the Locked-Down equivalent.Note. It is recommended to configure template policy settings in one Gr
special security settings that protect your local computer.)If you enable this policy setting you can enter a list of sites and their related zone
user turns off the Notification bar.

r ADO to access data from another site in the zone.
blocked.If you do not configure this policy setting the Notification bar will appear to allow control over questionable content accessed over
ustom thumbnails it is the zone of the thumbnail that is checked not the zone of item. Typically these are the same but a source is able to
windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as
n specified zones.
ge and nonsecure content cannot be displayed.If you do not configure this policy setting the user will receive the security information me
tination are in different windows. Users can change this setting in the Internet Options dialog.In Internet Explorer 9 and earlier versions if
hen the source and destination are in the same window. Users can change this setting in the Internet Options dialog.In Internet Explorer 9
nfigure this policy setting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
on the pages in this zone.

e (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server the logon uses the user's network u
automatically installed on users' computers.If you disable this policy setting permissions are set to high safety.If you do not configure this
forms on pages in this zone to be submitted.
ectly within a Web page saved to disk.

setting Web sites from less privileged zones can open new windows in or navigate into this zone.
be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
rity zone runs without the added layer of security provided by this feature.
n specified zones.

automatically.

setting Web sites from less privileged zones can open new windows in or navigate into this zone.
DO to access data from another site in the zone.
n specified zones.
nfigure this policy setting users are queried whether to allow the control to be loaded with parameters or scripted.
out user intervention.

automatically.

tting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection from
n specified zones.
as dictated by the feature control setting for the process.


be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
n specified zones.

automatically.

n specified zones.
automatically.

n specified zones.
pages in this zone.

directly within a Web page saved to disk.

n specified zones.

automatically.

d protocols is blocked.If you do not configure this policy setting all attempts to access such content over the restricted protocols is blocked
n specified zones.
pages in this zone.

directly within a Web page saved to disk.
n specified zones.
nfigure this policy setting users are queried whether to allow the control to be loaded with parameters or scripted.

automatically.

setting a warning is issued to the user that potentially risky navigation is about to occur.
ser can turn on or turn off details in these error messages.
an allow or prevent the display of placeholders for graphical images while the images are downloading.
or turn off image display.
g the user can select their preference for this behavior. Browsing to the top-result website is the default.
s after the branding is complete for ISPs (IEAK).
the Use Windows Search setting on or off.Note: If you enable this policy setting feeds do not appear in the Address bar. This does not affe
over this policy. If it is enabled this policy is ignored.
in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabl
Templates\Windows Components\Internet Explorer) take precedence over this policy. If either policy is enabled this policy is ignored.
ministrative Templates\Windows Components\Internet Explorer) take precedence over this policy. If either policy is enabled this policy is
t server load for downloading content.The "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Window
ns that are concerned about server load for downloading content.The "Hide Favorites menu" policy (located in User Configuration\Admin
tes after midnight. The Maximum Offline Page Crawl Depth setting specifies how many levels of a Web site are searched for new informati
dows 8 if the "Do not display the reveal password button" policy setting located in Computer Configuration\Administrative Templates\Win
The CLSID should be in brackets for example â€˜{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtaine
y setting.If you enable this policy setting Internet Explorer only allows add-ons that are specifically listed (and allowed) through the 'Add-on
ue Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter Internet Explorer processes in this list because these
d Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.For more information see "Ou
y VML will be allowed in zones set to 'admin-approved'.Note. If this policy is set in both Computer Configuration and User Configuration b
plorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box
olicy setting Internet Explorer requires consistent MIME data for all received files.
file-type information is allowed to be inconsistent. The Value Name is the name of the executable. If a Value Name is empty or the Value i
lied to local files or content processed by any process other than Internet Explorer or those defined in a process list.
ernet Explorer.If you do not configure this policy setting the Local Machine zone security applies to all local files and content processed by
er processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy settin
nabled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the secu
edence over that setting.If you disable or do not configure this policy setting the policy setting is ignored.
tting the policy setting is ignored.

setting is ignored.Do not enter the File Explorer or Internet Explorer processes in this list: use the related Internet Explorer Processes polic
ed protocols to access my computer."Note. If policy for a zone is set in both Computer Configuration and User Configuration both lists of p
IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting. If you di
ses policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this p
Explorer processes.
Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter th
figure this policy setting the security feature is allowed.
le or do not configure this policy setting the security feature is allowed.
ot enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If
s from determining which toolbars are displayed in Internet Explorer and File Explorer.
ars. The user can enable or disable incompatible toolbars. Toolbars that are enabled or disabled via policy settings do not undergo these c
Users also cannot open a blank MMC console window from a command prompt.If you disable this setting or do not configure it users can
folder and then disable the settings representing the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or not confi
ap-ins" is enabled users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in enable this policy
hibit use of this snap-in disable this setting. If this setting is not configured (or enabled) the snap-in is permitted.When a snap-in is prohibit
p-ins" is enabled users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in enable this policy s
explicitly permit use of the Group Policy tab enable this setting. If this setting is not configured (or disabled) the Group Policy tab is inacces
g this policy setting does not override any "Permit use of <extension name> preference extension" policy settings that are disabled.If you
y setting does not override any "Permit use of <extension name> preference extension" policy settings that are disabled.If you disable this
ers to the explicitly permitted list of snap-ins" "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (
the explicitly permitted list of snap-ins" "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users
sers to the explicitly permitted list of snap-ins" "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings
rmit use of Control Panel Settings (Users)" policy settings.

Restrict users to the explicitly permitted list of snap-ins" "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Pane
t users to the explicitly permitted list of snap-ins" "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settin
sers to the explicitly permitted list of snap-ins" "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Setting
the explicitly permitted list of snap-ins" "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settings (Users
ermit use of Control Panel Settings (Users)" policy settings.
users to the explicitly permitted list of snap-ins" "Permit use of Control Panel Settings (Computers)" or "Permit use of Control Panel Settin
it use of Control Panel Settings (Computers)" policy settings.
use of Control Panel Settings (Users)" policy settings.
oyed for settings sync. This could use OneDrive Work Folders SharePoint or any other engine that uses a local folder to synchronize data b
ation.If you do not configure this policy setting any defined values will be deleted.
cy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop co

disabled.If you do not configure this policy setting any defined values will be deleted.
n settings. If any of the Microsoft Office Suite 2010 applications are enabled this policy setting should not be disabled If you do not configu
n settings. If any of the Microsoft Office Suite 2013 applications are enabled this policy setting should not be disabled.If you do not configu
n settings. If any of the Microsoft Office Suite 2016 applications are enabled this policy setting should not be disabled.If you do not configu
tions continue to synchronize with UE-V.If you disable this policy setting user settings which are common between the Microsoft Office Sui
tions continue to synchronize with UE-V.If you disable this policy setting user settings which are common between the Microsoft Office Sui
ation with UE-V.If you do not configure this policy setting any defined values will be deleted.
u do not configure this policy setting any defined values will be deleted.
u do not configure this policy setting any defined values will be deleted.
nization with UE-V.If you do not configure this policy setting any defined values will be deleted.
nization with UE-V.If you do not configure this policy setting any defined values will be deleted.
rom synchronization with UE-V.If you do not configure this policy setting any defined values will be deleted.
rom synchronization with UE-V.If you do not configure this policy setting any defined values will be deleted.
onization with UE-V.If you do not configure this policy setting any defined values will be deleted.
onization with UE-V.If you do not configure this policy setting any defined values will be deleted.
t Designer 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy setting any defined values wi
ou do not configure this policy setting any defined values will be deleted.
ou do not configure this policy setting any defined values will be deleted.
etting you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting or client co
tication method the authentication method that you specify in this policy setting is used by default.If you disable or do not configure this p
o overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server you must select the "Allow use
lient. When a user starts an RDP session the user is asked to confirm whether they want to connect.If you disable this policy setting users c
nfigure this policy setting for the computer the list of certificate thumbprints trusted for a user is a combination of the list defined for the c
tor to watch the session of a remote user without the user's consent.If you disable this policy setting administrators can interact with a use
e RD Session Host server does not have a printer driver that matches the client printer the server tries to use the Remote Desktop Easy Pri
not specified the desktop is always displayed on the remote computer after the client connects to the remote computer.Note: If this policy
running Windows Server 2008 do not display wallpaper by default to Remote Desktop Services sessions.
executable file to be run when the user logs on. If necessary in Working Directory type the fully qualified path to the starting directory for
its time-out limit.If you disable this policy setting Remote Desktop Services always disconnects a timed-out session even if specified otherw
te Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to en
ows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a sessio
havior that disconnected sessions are maintained for an unlimited time select Never. If you have a console session disconnected session ti
s reached the user will reconnect to the disconnected session on the RD Session Host server.If you disable or do not configure this policy s
default connection URL.If you disable or do not configure this policy setting the user has no default connection URL.Note: RemoteApp pro
s not restored.
tting in the Input Panel Options dialog box.If you do not configure this policy Input Panel will provide text prediction suggestions. Users wil
Panel Options dialog box.If you do not configure this policy Input Panel will appear next to text entry areas in applications where this beha
box.If you do not configure this policy Input Panel will appear next to text entry areas in applications where this behavior is available. Use
Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy rarely used Chinese Kanji and
ab in Input Panel Options.Caution: If you enable both the â€œPrevent Input Panel from appearing next to text entry areasâ€ policy and th
omplete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting
put Panel Options dialog box. If you enable this policy and choose â€œMedium-Lowâ€ from the drop-down box password security is set t
€œTolerant" users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Use
n if this setting is Disabled or Not Configured.Note: This setting appears in the Computer Configuration and User Configuration folders. If b
g in User Configuration.Tip: This setting affects existing tasks only. To prevent users from changing the properties of newly created tasks u
cheduled Tasks folder. To prevent this action use the "Prohibit Drag-and-Drop" setting.Note: This setting appears in the Computer Configu
dence over the setting in User Configuration.
d user settings in Control Panel for Windows Error Reporting are applied.
ed before older reports are automatically deleted. The setting for Number of days between solution check reminders determines the inter
ure this policy setting errors are reported on all Microsoft and Windows applications by default.
mined (within a high probability) does not contain personally-identifiable information is sent automatically and Windows prompts the use
on and Windows prompts the user for consent to send any additional data requested by Microsoft.- 3 (Send parameters and safe addition
ws Hello provisioning after sign-in" Windows Hello for Business does not automatically start provisioning after the user has signed in.If you
administrator does not distribute or offer.Note: This policy setting appears both in the Computer Configuration and User Configuration fold
use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings.
re system files. However because an incomplete installation can render the system or a program inoperable do not use this policy setting
expiration warningsâ€ setting will have no effect and users receive no warnings about logon hour expiration
but cannot log on to a new session.Note: If you configure this setting you might want to examine and appropriately configure the â€œRem
dden.This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP is not selected.If you disable this policy se
ast is not selected.If you disable this policy setting the MMS proxy server cannot be used and users cannot configure the MMS proxy settin
RTSP proxy settings.If you do not configure this policy setting users can configure the RTSP proxy settings.
u enable this policy setting the administrator must also specify the protocols that are available to users on the Network tab. If the administ
cannot choose a different skin.If you disable or do not configure this policy setting users can display the Player in full or skin mode and ha
This policy setting is available under both Computer Configuration and User Configuration. If both are present the Computer Configuratio
the execution events of a module or snap-in are logged. By default the LogPipelineExecutionDetails property of all modules and snap-ins i
Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
abled by default although transcripting can still be enabled through the Start-Transcript cmdlet. If you use the OutputDirector
ter Configuration" has precedence over "User Configuration."If you disable or do not configure this policy setting it reverts to a per-machi
t if the User Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and Shut Do
dows Update features and no notifications will be shown.1 = Show restart required notificationsThis setting will show notifications about r
sed on the client machine to sync files. This path may contain environment variables. Note: In order for this configuration to take effect a
ows Vista Windows Server 2008 and earlier versions of Windows the module name should be entered for example timedate.cpl or inetcpl
his the policy string must contain a semicolon-delimited list of settings page identifiers. The identifier for any given settings page is the pub
Windows the module name for example timedate.cpl or inetcpl.cpl should be entered. If a Control Panel item does not have a CPL file or
s selected automatically and the page is bypassed.To remove "Set up services" and prevent the Windows Component Wizard from starting
by using other methods and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Sta
Add New Programs page" setting is enabled.
e the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT you cannot apply the Wind
tting is disabled this setting is ignored and screen savers do not run.
\Printers."
er Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers.
gnature of all drivers that are downloaded from print servers.If this setting is disabled or not configured package point and print will not be
ters can point and print to any server. -Windows Vista computers will show a warning and an elevated command prompt when users
e printer permissions to restrict the use of printers without specifying a setting. In the Printers folder right-click a printer click Properties an
e "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by using othe
for all languages even when handwriting personalization is available. See Tablet PC Help for more information.If you enable this policy se
s restricted by another setting.If you do not configure this setting the default is to display Computer as usual.Note: In operating systems e
rs can select the wallpaper of their choice.Also see the "Allow only bitmapped wallpaper" in the same location and the "Prevent changing
remote access connection properties dialog box.Important: If the "Enable Network Connections settings for Administrators" is disabled or
ng.)Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured this setting will not apply to a
n enable/disable LAN connections.Note: Administrators can still enable/disable LAN connections from Device Manager when this setting is
r Disabled) this setting does not apply.Note: This setting does not prevent users from using other programs such as Internet Explorer to by
ons.Note: When configured this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rename all
ibit access to properties of components of a remote access connection" "Ability to access TCP/IP advanced configuration" "Prohibit access
he File menu.Note: This setting takes precedence over settings that manipulate the availability of features inside the Local Area Connection
strators and Network Configuration Operators.The Local Area Connection Properties dialog box includes a list of the network components
connection uses. To view or change the properties of a component click the name of the component and then click the Properties button
ox regardless of this setting.
abled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this setting
onents in the Windows Components Wizard.The Install button opens the dialog boxes used to add network components. Clicking the Unin
not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setting or do not configur
ns available to all users but you can change the default by using the "Ability to delete all user remote access connections" setting.)Importa
access to properties of a LAN connection" setting is enabled users are blocked from accessing the check boxes for enabling and disabling t
or by using the File menu.Note: This setting does not prevent users from using other programs such as Internet Explorer to bypass this setti
omponents. When these policies are set to deny access to the connection properties dialog box or Properties button for connection comp
ors on post-Windows 2000 computers.If you disable this setting or do not configure it the connection status taskbar icon and Status dialog
problem can be resolved.
nfiguration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over th
hosting the offline file is reconnected to the network.Note: This setting appears in the Computer Configuration and User Configuration fol
m setting custom actions through the Offline Files tab. However users are unable to change any custom actions established via this setting
the Offline Files tab and then click "View Files."
e this setting. You do not have to disable any other settings in this folder.
ons and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option.
uration folders. If both policy settings are configured the policy settings are combined and the "Make Available Offline" command is unava
ne use by Group Policy.Note: This setting appears in the Computer Configuration and User Configuration folders. If both policy settings are
ce over the setting in User Configuration.Tip: To change the synchronization method without changing a setting in Windows Explorer on th
forms a quick synchronization by default but users can change this option.This setting appears in the Computer Configuration and User Co
n and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in
tab and then in the Start Menu Settings box click Display Logoff.Also see "Remove Logoff" in User Configuration\Administrative Templates
er. The system only uses this setting when neither of these related settings are selected.This setting does not clear the list of recent files t
dows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the ""Do not allow pinning items in Jump Lists""
r-name\Recent folder.Also see the "Remove Recent Items menu from Start Menu" and "Clear history of recently opened documents on ex
and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings.
ng roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings.
n Start" in Settings.
Windows XP SP2 Windows XP SP1 Windows XP or Windows 2000 Professional are required to support this policy setting.
administrators can create a customized Favorites menu for a user group.Note:This setting only affects the Start menu. The Favorites item s
ols menu in Internet Explorer.Also see the "Hide the "Add programs from Microsoft" option" policy setting.
he Start Menu Options tab and in the Start Menu Settings box click Display Logoff.See also: "Remove Logoff" policy setting in User Configur
Connections).
does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently o
y. It does not prevent users from using other methods to run programs.Note: It is a requirement for third-party applications with Window
elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search.If you disable or do n
0 Professional and Windows XP Professional display folders on both sections of the Start menu.
Users cannot customize their Start screen while this setting is enabled.If you disable this setting or do not configure it the Start screen layo
us" option.
1930 to 1999.If you disable or do not configure this policy setting Windows does not interpret two-digit year formats using this scheme for
in Control Panel click the Advanced tab click the Environment Variables button and then in the System variables box click Path.
er Configuration.Tip: To display the welcome screen click Start point to Programs point to Accessories point to System Tools and then click
ng.Note: To create a list of allowed applications click Show. In the Show Contents dialog box in the Value column type the application exe
settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.
etting.Note: To create a list of allowed applications click Show. In the Show Contents dialog box in the Value column type the application
ate" setting. If the "Remove links and access to Windows Update" setting is enabled the links to Windows Update on the Start menu are a
n which programs run.

ndering of desktop applications that are positioned on the primary display. Some desktop applications can still be blurry on secondary disp
es. As a result the installation stops and none of the files in the driver package are installed.To change driver file security without specifyin
ver holding the redirected files becomes unavailable.Note: If one or more valid folder GUIDs are specified in the policy setting "Do not auto
lder is changed and Folder Redirection is configured to move the content to the new location Windows copies the contents of the local ca
ure this policy setting and the user has redirected folders the folders are redirected on every computer that the user logs on to.Note: If yo
ction policy already deployed for these folders in your existing localized environment.
Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain.Note: To change the PDC Operations
fast.If you disable this setting or do not configure it the system uses the default value of 500 kilobits per second.This setting appears in th
uter Configuration\Administrative Templates\System\GroupPolicy.

e: To find the "Show Policies Only" command in Group Policy Object Editor click the Administrative Templates folder (either one) right-click
default). To specify that Group Policy for users should never be updated while the computer is in use select the "Turn off background refre
p Policy Object Editor" is enabled the state of this setting is ignored and always treated as Enabled.
to share their writing samples from the handwriting recognition personalization tool with Microsoft.
achine level it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level the per-user policy setti
nfigured at the computer level then restrictions will be based on per-User policies.To set this policy on a per-user basis make sure that the
ter unless restricted by the "Disallow selection of Custom Locales" policy setting.If this policy setting is enabled at the computer level it can
ate a customized run list by using a policy setting use the ""Run these applications at startup"" policy setting.Also see the ""Do not process
e the ""Do not process the legacy run list"" policy setting.
e system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Config
ts that originate from the Active Template Library (ATL) thunk layer. PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00
C.cmd For Tamara GPOs B and C are applied but not GPO A. Therefore the scripts for GPOs B and C run in the following order for Tamara:W
E% stores the fully qualified path to the home directory (such as \\server\share\dir1\dir2\homedir). Users can access the home directory a
ry Local Settings Temp and Temporary Internet Files folders are excluded from the user's roaming profile by default.If you enable this polic
within the allowable limit. In Microsoft Windows Vista Windows will not block users from logging off. Instead if the user has a roaming us
a\Roaming Start Menu and Documents. You should suspend only the subfolders of these parent folders.
vulnerabilities from untrusted sources reducing the associated risk.
cy setting Windows sets the default risk level to moderate.If you do not configure this policy setting Windows sets the default risk level to
o not configure this policy setting Windows uses its default trust logic which prefers the file handler over the file type.
sta behavior of automatically executing the autorun command. If you disable or not configure this policy setting Windows Vista or lat
figure this policy setting AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configura
and will be able to select another image unless you have enabled the "Prevent changing lock screen image" policy.If you do not configure
Additional diagnostic data is collected that helps us to detect diagnose and fix issues as well as make product improvements. Required diag
. Or it might appear to complete successfully but the installed program might not operate correctly.If you disable this setting or do not con
get file in the current target path.
aracteristics.If you disable or do not configure this policy setting all drives are displayed or select the "Do not restrict drives" option in the
resources use the "No Entire Network in Network Locations" policy setting.
rty applications with Windows 2000 or later certification to adhere to this setting.
Internet search links.The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start menu. T
search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.The first several
drives. And it does not prevent them from using the Disk Management snap-in to view and change drive characteristics.Also see the "Hide
enu and Taskbar). To hide all context menus use the "Remove File Explorer's default context menu" policy setting.
complete but not include all features. Or it might appear to complete successfully but the installed program might not operate correctly.N
limited set of folders.
ot configure this policy all default Windows Libraries features will be enabled.
s are enabled Active Desktop is disabled.Also see the "Disable Active Desktop" setting in User Configuration\Administrative Templates\Des
x style. Also third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting.
yle. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applications w
only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the us
policy setting restricts such configuration.
m by responding to the notification using Manage Add-ons or using other methods.

heir system.
If the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed the following behaviors
a software publishing certificate (.spc) file. This wizard enables users to import and configure settings for certificates from software publis
plorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.
e interface however does not prevent users from running the Internet Connection Wizard from the desktop or the Start menu.
d bar are not visible and the user cannot access them.If you disable or do not configure this policy setting the user can view and access the
(â€˜SendIntranetToInternetExplorerâ€™)- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge (â€˜RestrictIEâ€™)
t and Trusted site zones onlyÂ Â Binary Representation - 00110â€¢Â 0 - Restricted Sites Zoneâ€¢Â 0 - Internet Zoneâ€¢Â 1 - Trusted Sites
ttings in Internet Explorer 10" in the Internet Explorer TechNet library.
gure this policy setting the user can interchange the positions of the menu bar and the navigation bar.
le see the Internet Explorer documentation on search providers.If you disable or do not configure this policy setting the user can configure
users from opening files by using the browser.
computer or how many Internet Explorer isolation settings are running.If you enable this policy setting you set the rate at which Internet
n the Internet Options dialog box click the Contents Tab and click the Settings button.
ntrols and Plug-ins area click Administrator Approved.

one in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Admi
s.3. Select the content zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and
orer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the Current Security Zones Settin
n which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Administr
tiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Administrator Approved.
ntrols and Plug-ins area click Administrator Approved.
zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Adm
st a script can perform a Clipboard operation without prompting the user. This means that if the zone behavior is currently set to prompt
cy which disables the entire shortcut menu.Note: the user will still be able to open New Tabs.
lorer\Internet Control Panel folders.
de available in the latest version of Internet Explorer. This option matches the default behavior of Internet Explorer.If you do not configure
f you do not configure this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appende
Tracking Protection and Do Not Track data is deleted when the user clicks Delete.If you don't configure this policy setting users can turn th
ity settings"
IDN format only for addresses that are not in the Intranet zone.
ser grants a site-specific exception. Internet Explorer sends a DNT:0 header to any sites granted an exception. By default this option is turn
attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode Internet Explorer notifies the user and gives th
ote: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol an
of the Internet Options dialog.
m storage limit for all application caches. The default is 50 MB.
age limit for all indexed databases. The default is 500 MB.
ache resource list size for all application caches. The default is 1000 resources.
mplate policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can then
of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone a
onable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.
e same but a source is able to define a specific location of a thumbnail that is different than the location of the item.If you enable this poli
ture will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
e the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.
plorer 9 and earlier versions if you disable this policy or do not configure it users can drag content from one domain to a different domain
ns dialog.In Internet Explorer 9 and earlier versions if you disable this policy setting or do not configure it users can drag content from one
gon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server the use
y.If you do not configure this policy setting permissions are set to Medium safety.
y.If you do not configure this policy setting permissions are set to Medium safety.
y.If you do not configure this policy setting permissions are set to Low safety.
s zone as set by Protection from Zone Elevation feature control.


restricted protocols is blocked when the Network Protocol Lockdown security feature is enabled.
y.If you do not configure this policy setting permissions are set to High safety.
Address bar. This does not affect subscribing to feeds and interacting with them through the Favorites Center.
e over this policy. If it is enabled this policy is ignored.
bled this policy is ignored.

policy is enabled this policy is ignored.
ministrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabled this policy is ignored.
in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabl
re searched for new information.
Administrative Templates\Windows Components\Credential User Interface is enabled for the system it will override this policy setting.
D for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.Value - A number indicatin
d allowed) through the 'Add-on List' policy setting.If you disable or do not configure this policy setting users may use Add-on Manager to al
esses in this list because these processes always respect add-on management user preferences and policy settings. If the All Processes poli
For more information see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
ation and User Configuration both lists of behaviors will be allowed as appropriate.
ocesses configured in this box take precedence over that setting.If you disable or do not configure this policy setting the security feature is
Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the relat
les and content processed by Internet Explorer.

f the All Processes policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not
ure this policy setting the security feature is allowed.
ernet Explorer Processes policy to enable or disable these processes. If the All Processes policy setting is enabled the processes configured
er Configuration both lists of protocols will be restricted for that zone.
nce over that setting. If you disable or do not configure this policy setting the Notification bar is not displayed for the specified processes.
able or do not configure this policy setting the security feature is allowed.
tting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disab
ble or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setti
ttings do not undergo these checks.
r do not configure it users can enter author mode and open author-mode console files.
e folder is enabled or not configured the snap-in is permitted.When a snap-in is prohibited it does not appear in the Add/Remove Snap-in w
this snap-in enable this policy setting. If this policy setting is not configured or disabled this snap-in is prohibited. -- If the policy setting "Re
ed.When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC. Also when a user opens a console file tha
his snap-in enable this policy setting. If this policy setting is not configured or disabled this snap-in is prohibited.-- If the policy setting "Res
the Group Policy tab is inaccessible.-- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured users will h
ttings that are disabled.If you disable this policy setting you prohibit use of preference extensions under Control Panel Settings for Comput
are disabled.If you disable this policy setting you prohibit use of preference extensions under Control Panel Settings for User Configuration
use of Control Panel Settings (Users)" policy settings.
f Control Panel Settings (Users)" policy settings.
it use of Control Panel Settings (Users)" policy settings.
or "Permit use of Control Panel Settings (Users)" policy settings.

mit use of Control Panel Settings (Users)" policy settings.
it use of Control Panel Settings (Users)" policy settings.
f Control Panel Settings (Users)" policy settings.
mit use of Control Panel Settings (Users)" policy settings.

al folder to synchronize data between usersâ€™ computers. In this mode UE-V writes settings data to the local folder specified in the settin
name of the virtual desktop collection containing the virtual computers. If you enable this policy setting the UE-V rollback state is copied to
disabled If you do not configure this policy setting any defined values will be deleted.
ween the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V.If you do not configure this policy setting
ween the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V.If you do not configure this policy setting

ress" policy setting or client connection attempts to any remote computer will fail if the client cannot connect directly to the remote comp
able or do not configure this policy setting the authentication method that is specified by the user is used if one is specified. If an authenti
ou must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway server. Use
sable this policy setting users cannot run .rdp files that are signed with a valid certificate. Additionally users cannot start an RDP session by
tion of the list defined for the computer and the list defined for the user.This policy setting overrides the behavior of the "Allow .rdp files fr
strators can interact with a user's Remote Desktop Services session with the user's consent.
e the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot b
e computer.Note: If this policy setting is enabled then the "Start a program on connection" policy setting is ignored.
h to the starting directory for the program. If you leave Working Directory blank the program runs with its default working directory. If the
ession even if specified otherwise by the server administrator.If you do not configure this policy setting Remote Desktop Services disconne
emote Desktop Services to end instead of disconnect a session when the time limit is reached you can configure the policy setting Comput
instead of disconnect a session when the time limit is reached you can configure the policy setting Computer Configuration\Administrativ
ession disconnected session time limits do not apply.If you disable or do not configure this policy setting this policy setting is not specified
r do not configure this policy setting when a user closes the last RemoteApp program the session will be disconnected from the RD Session
on URL.Note: RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compro
ediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Wind
n applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.Cautio
this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
rarely used Chinese Kanji and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Use
xt entry areasâ€ policy and the â€œPrevent Input Panel tab from appearingâ€ policy and disable the â€œShow Input Panel taskbar icon
able to configure this setting on the Text completion tab in Input Panel Options.
box password security is set to â€œMedium-Low.â€ At this setting when users enter passwords from Input Panel they use the on-screen
dows XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy
erties of newly created tasks use the "Remove Advanced Menu" setting.
pears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration
eminders determines the interval time between the display of system notifications that remind the user to check for solutions to problems
and Windows prompts the user for consent to send any additional data that is requested by Microsoft.- Send all data: any error reporting d
parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing s
er the user has signed in.If you do not select "Do not start Windows Hello provisioning after sign-in" Windows Hello for Business automatic
on and User Configuration folders. To make this policy setting effective you must enable it in both folders.Caution: Skilled users can take a
do not use this policy setting unless it is essential.This policy setting appears in the Computer Configuration and User Configuration folder
priately configure the â€œRemove logon hours expiration warningsâ€ setting
ed.If you disable this policy setting the HTTP proxy server cannot be used and the user cannot configure the HTTP proxy.If you do not confi
onfigure the MMS proxy settings.If you do not configure this policy setting users can configure the MMS proxy settings.
e Network tab. If the administrator does not specify any protocols the Player cannot access an MMS or RTSP URL from a Windows Media
yer in full or skin mode and have access to all available features of the Player.
nt the Computer Configuration version of this policy setting takes precedence.
y of all modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list click Show and then type the module
on policy setting.
If you use the OutputDirectory setting to enable transcript logging to a shared location be sure to limit access to that directory to prevent
tting it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."
ay 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled.
will show notifications about restarts that are required to complete an installation.On Windows 8 and Windows RT if this policy is Enabled
configuration to take effect a valid 'Work Folders URL' must also be specified. The â€œOn-demand file access preferenceâ€ option contr
ample timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file or the CPL file contains multiple applets then its module
given settings page is the published URI for that page minus the "ms-settings:" protocol part.Example: to specify that only the About and
em does not have a CPL file or the CPL file contains multiple applets then its module name and string resource identification number shoul
mponent Wizard from starting enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Co
d on the desktop or on the Start menu.If you disable this setting or do not configure it "Add programs from your network" is available to al
RT you cannot apply the Windows Classic visual style.
nect to network printers.
age point and print will not be restricted to specific print servers.
command prompt when users create a printer connection to any server using Point and Print. -Windows Vista computers will show a
ick a printer click Properties and then click the Security tab. If this policy is disabled or not configured users can add printers using the
talling programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are offere
on.If you enable this policy setting automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control P
l.Note: In operating systems earlier than Microsoft Windows Vista this policy applies to the My Computer icon. Hiding Computer and its co
on and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel.Note: This setting does no
Administrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you do not c
this setting will not apply to administrators on post-Windows 2000 computers.If you do not configure this setting only Administrators and
e Manager when this setting is disabled.
uch as Internet Explorer to bypass this setting.
ns" and "Ability to rename all user remote access connections" settings.Note: This setting does not prevent users from using other program
onfiguration" "Prohibit access to the Advanced Settings Item on the Advanced Menu" "Prohibit adding and removing components for a LA
side the Local Area Connection Properties dialog box. If this setting is enabled nothing within the properties dialog box for a LAN connectio
st of the network components that the connection uses. To view or change the properties of a component click the name of the compone
en click the Properties button beneath the component list.Note: Not all network components have configurable properties. For componen
other changes to this setting are applied the icon does not appear or disappear in the Network Connections folder until the folder is refre
components. Clicking the Uninstall button removes the selected component in the components list (above the button).The Install and Unin
this setting or do not configure it a Properties menu item appears when any user right-clicks the icon representing a private remote access
connections" setting.)Important: When enabled this setting takes precedence over the "Ability to delete all user remote access connectio
es for enabling and disabling the components of a LAN connection.Note: Nonadministrators are already prohibited from enabling or disab
net Explorer to bypass this setting.
es button for connection components users cannot gain access to the Advanced button for TCP/IP configuration.Note: Nonadministrators (
taskbar icon and Status dialog box are available to all users.
ation takes precedence over the setting in User Configuration.Tip: To configure this setting without establishing a setting in Windows Explo
tion and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting
ons established via this setting.Tip: To configure this setting without establishing a setting in Windows Explorer on the Tools menu click Fol
inutes" option.
ble Offline" command is unavailable for all specified files and folders.The "Make Available Offline" command is called "Always available offl
ders. If both policy settings are configured the policy settings will be combined and all specified files will be available for offline use.
tting in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and then select the "Synchronize all offline files
ter Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence o
precedence over the setting in User Configuration.Tip: To display or hide reminder balloons without establishing a setting in Windows Exp
tion\Administrative Templates\System\Logon/Logoff.
t clear the list of recent files that Windows programs display at the bottom of the File menu. See the "Do not keep history of recently open
w pinning items in Jump Lists"" policy setting.

ntly opened documents on exit" policies in this folder.If you enable this setting but do not enable the "Remove Recent Items menu from S
policy setting.
art menu. The Favorites item still appears in File Explorer and in Internet Explorer.
policy setting in User Configuration\Administrative Templates\System\Logon/Logoff.
not keep history of recently opened documents" setting.This setting also does not hide document shortcuts displayed in the Open dialog
arty applications with Windows 2000 or later certification to adhere to this setting.
to search.If you disable or do not configure this policy setting the Search link is available from the Start menu.
nfigure it the Start screen layout won't be changed and users will be able to customize it.
formats using this scheme for the program.
bles box click Path.
o System Tools and then click ""Getting Started."" To suppress the welcome screen without specifying a setting clear the ""Show this scree
lumn type the application executable name (e.g. Winword.exe Poledit.exe Powerpnt.exe).
nfiguration.
e column type the application executable name (e.g. Winword.exe Poledit.exe Powerpnt.exe).
pdate on the Start menu are also removed.Note: If you have installed Windows XP Service Pack 1 or the update to Automatic Updates tha
till be blurry on secondary displays that have different display scale factors. Per Process System DPI will not work for all applications as som
r file security without specifying a setting use System in Control Panel. Right-click My Computer click Properties click the Hardware tab and
the policy setting "Do not automatically make specific redirected folders available offline" that setting will override the configured value of
es the contents of the local cache to the new network location then deleted the content from the old network location.
the user logs on to.Note: If you enable this policy setting in Computer Configuration and User Configuration the Computer Configuration p
o change the PDC Operations Master for a domain in Active Directory Users and Computers right-click a domain and then click "Operation
ond.This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a s
s folder (either one) right-click the same folder and then point to "View."In Group Policy Object Editor preferences have a red icon to disti
the "Turn off background refresh of Group Policy" setting.This setting also lets you specify how much the actual update interval varies. To p
level the per-user policy setting will be ignored. If this policy setting is not configured at the machine level restrictions will be based on pe
user basis make sure that the per-computer policy is set to Not Configured.
ed at the computer level it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level the per-user polic
Also see the ""Do not process the run once list"" policy setting.
ms specified in the User Configuration setting.Also see the ""Do not process the legacy run list"" and the ""Do not process the run once list
POLICY_SEHOP_ENABLE (0x00000004) Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHO
e following order for Tamara:Within GPO B: B.cmd B.ps1Within GPO C: C.cmd C.ps1Note: This policy setting determines the order in which
an access the home directory and any of its subdirectories from the home drive letter but they cannot see or access its parent directories.
default.If you enable this policy setting you can exclude additional folders.If you disable this policy setting or do not configure it only the d
d if the user has a roaming user profile Windows will not synchronize the user's profile with the roaming profile server if the maximum pro
s sets the default risk level to moderate.

e file type.
y setting Windows Vista or later will prompt the user whether autorun command is to be run.
nfiguration and User Configuration folders. If the policy settings conflict the policy setting in Computer Configuration takes precedence ove
policy.If you do not configure this policy Windows spotlight will be available on the lock screen and will be selected by default unless you
improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic d
sable this setting or do not configure it the "Install Program As Other User" dialog box appears whenever users install programs locally on t
restrict drives" option in the drop-down list.Also see the "Prevent access to drives from My Computer" policy setting.
pinned on the Start menu. The "See more results" link will be pinned first by default unless it is disabled via Group Policy. The "Search th
t search links.The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. The "Se
aracteristics.Also see the "Hide these specified drives in My Computer" setting.
might not operate correctly.Note: If it is enabled the "Do not request alternate credentials" setting takes precedence over this setting. Wh
Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on the Vie
is policy setting.
t for third-party applications with Windows 2000 or later certification to adhere to this setting.
e are Windows Mail and the user-selected mailto protocol handler app. Any other Windows Runtime application will only be able to revok
alled the following behaviors occur:- If you disable or don't configure this policy Microsoft Edge version 45 or earlier is automatically used
rtificates from software publishers that haven't already been configured for Internet Explorer.
or the Start menu.

e user can view and access the navigation bar the menu bar and the Command bar.
osoft Edge (â€˜RestrictIEâ€™)For more info about how to use this policy together with other related policies to create the optimal configu
et Zoneâ€¢Â 1 - Trusted Sites Zoneâ€¢Â 1 - Local Intranet Zoneâ€¢Â 0 - Local Machine Zoneâ€¢Â 22 - Trusted Intranet and Restricted site
setting the user can configure his or her list of search providers.
set the rate at which Internet Explorer creates new tab processes to low medium or high or to an integer.If you disable or do not configure
ls and Plug-ins area click Administrator Approved.
the Run ActiveX Controls and Plug-ins area click Administrator Approved.
Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you want to manage ActiveX controls a
d Plug-ins area click Administrator Approved.
or Approved.
ols and Plug-ins area click Administrator Approved.
vior is currently set to prompt it will be bypassed and enabled.If you disable this policy setting for an application or process in the list a scri
xplorer.If you do not configure this policy setting the user can turn on and turn off Internet Explorer 7 Standards Mode.
h an additional string appended) for local intranet content. Additionally all local intranet Standards Mode pages appear in Internet Explore
policy setting users can turn this feature on and off determining whether to delete ActiveX Filtering Tracking Protection and Do Not Track d
n. By default this option is turned on.
r notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.If you enable this policy setting Int
outdated security protocol and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
a separate GPO. You can then use Group Policy management features (for example precedence inheritance or enforce) to apply individua
ettings for the specified zone are applied to the site.Â For each entry that you add to the list enter the following information:Valuename
re is enabled.
he item.If you enable this policy setting users can preview items and get custom thumbnails from OpenSearch query results in this zone u
for the process.
ttp://) content.
domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
upported by the server the user is queried to provide the user name and password.If you disable this policy setting logon is set to Automati
re is enabled.
ttp://) content.
re is enabled.
ttp://) content.
for the process.
ttp://) content.
for the process.
ttp://) content.
for the process.
ttp://) content.
for the process.
ttp://) content.
for the process.
ttp://) content.
for the process.
ttp://) content.
re is enabled.
ttp://) content.
abled this policy is ignored.
e over this policy. If it is enabled this policy is ignored.
verride this policy setting.
ced.Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should
may use Add-on Manager to allow or deny any add-ons that are not included in the 'Add-on List' policy setting.Note: If an add-on is listed in
ttings. If the All Processes policy setting is enabled the processes configured in this policy setting take precedence over that setting.If you d
setting the security feature is allowed.
cesses in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is e
etting.If you disable or do not configure this policy setting the security feature is allowed.
bled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the securi
d for the specified processes.
esses policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take preced
take precedence over that setting.If you disable or do not configure this policy setting the security feature is allowed.
r in the Add/Remove Snap-in window in MMC. Also when a user opens a console file that includes a prohibited snap-in the console file ope
ted. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured users can use any snap-i
a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.
ed.-- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured users can use any snap-in
or not configured users will have access to the Group Policy tab. To explicitly prohibit use of the Group Policy tab disable this setting. If t
trol Panel Settings for Computer Configuration. Disabling this policy setting overrides any "Permit use of <extension name> preference ext
Settings for User Configuration. Disabling this policy setting overrides any "Permit use of <extension name> preference extension" policy se
al folder specified in the settings storage path. These settings are then synchronized to other computers by an external synchronization en
UE-V rollback state is copied to the settings storage location on logout and restored on login.If you disable this policy setting no UE-V rollba
ct directly to the remote computer. To enhance security it is also highly recommended that you specify the authentication method by usin
one is specified. If an authentication method is not specified the Negotiate protocol that is enabled on the client or a smart card can be us
ernate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client using an RDP file or usi
cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RD
avior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting.If the list contains a string that is not a cer
y Print printer driver cannot be used the client printer is not available for the Remote Desktop Services session.Note: If the "Do not allow c
gnored.
efault working directory. If the specified program path file name or working directory is not the name of a valid directory the RD Session H
ote Desktop Services disconnects a timed-out session unless specified otherwise in local settings.Note: This policy setting only applies to ti
gure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Deskt
r Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time L
policy setting is not specified at the Group Policy level. Be y default Remote Desktop Services disconnected sessions are maintained for an
onnected from the RD Session Host server but it is not logged off.Note: This policy setting appears in both Computer Configuration and Us
n untrusted server can compromise the security of a user's account.
ptions in Windows 7 and Windows Vista.
b in Input Panel Options.Caution: If you enable both the â€œPrevent Input Panel from appearing next to text entry areasâ€ policy and th
is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.If you do not configure this
Show Input Panel taskbar iconâ€ policy the user will then have no way to access Input Panel.
t Panel they use the on-screen keyboard by default skin switching is allowed and Input Panel displays the cursor and which keys are tappe
ox. If you enable this policy and choose â€œNoneâ€ users will be able to use both the tolerant scratch-out gestures and the Z-shaped
dence over the setting in User Configuration.
ng in Computer Configuration takes precedence over the setting in User Configuration.

heck for solutions to problems. A value of 0 disables the reminder.If you disable or do not configure this policy setting Windows Error Repo
d all data: any error reporting data requested by Microsoft is sent automatically.If this policy setting is disabled or not configured then the
uired to check for an existing solution as well as data which Windows has determined (within a high probability) does not contain persona
s Hello for Business automatically starts provisioning after the user has signed in.
ution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access t
and User Configuration folders. If the policy setting is enabled in either folder it is considered be enabled even if it is explicitly disabled in t
HTTP proxy.If you do not configure this policy setting users can configure the HTTP proxy settings.
y settings.
P URL from a Windows Media server. If the "Hide network tab" policy setting is enabled the entire Network tab is hidden.If you do not con
how and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. Note: This po
s to that directory to prevent users from viewing the transcripts of other users or computers. Note: This policy setting exists under
ows RT if this policy is Enabled then only notifications related to restarts and the inability to detect updates will be shown. The notification
ss preferenceâ€ option controls whether to enable on-demand file access. When enabled the user controls which files in Work Folders ar
ltiple applets then its module name and string resource identification number should be entered for example @systemcpl.dll-1 for System
ecify that only the About and Bluetooth pages should be shown (their respective URIs are ms-settings:about and ms-settings:bluetooth) a
e identification number should be entered. For example enter @systemcpl.dll-1 for System or @themecpl.dll-1 for Personalization. A com
ide Add/Remove Windows Components page" setting is enabled this setting is ignored.
our network" is available to all users.Note: If the "Hide Add New Programs page" setting is enabled this setting is ignored.
ws Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be updated
sers can add printers using the methods described above.
alled) programs that are offered on the desktop or on the Start menu.If this setting is disabled or is not configured the "Install a program fr
nfigure this setting in Control Panel.If you disable this policy setting automatic learning is turned on. Users cannot configure this policy setti
on. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example if the users navigate into o
nel.Note: This setting does not apply to remote desktop server sessions.
000 computers.If you do not configure this setting only Administrators and Network Configuration Operators can change properties of all-
etting only Administrators and Network Configuration Operators can delete all user remote access connections.Important: W

FINAL-MS Security Baseline Windows Server 2022

Uploaded by

Copyright:

Available Formats

You might also like

FINAL-MS Security Baseline Windows Server 2022

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FINAL-MS Security Baseline Windows Server 2022

Uploaded by

Copyright:

Available Formats

General Information

Settings contained are as of Build 20348.169

Last modified: September 6, 2021

Settings contained are as of Build 20348.169

Last modified: September 6, 2021

in controller is not available)

Lock Workstation Lock Workstation

Send NTLMv2 Responses onlySend NTLMv2 Responses only, Refuse LM and

oftware Restriction Policies

Administrators, SERVICE, LocaAdministrators, SERVICE, Local Service, Networ

When the Create Vulnerable Connections list (allow list) is configured:

This policy is supported on at least Windows Server 2008 R2.

Interactive Logon: Display user information when session is locked

Network access: Restrict clients allowed to make remote calls to SAM

Windows Server 2003: Send NTLM response only

Default: Administrators, Users

Default: Administrators, Power Users, Users

User Rights security settings are not registry keys

Restart of service might be sufficient

Require restart of recovery console

Success and Failure

Success and Failure

Success and Failure

Success and Failure

Success and Failure

Success and Failure

Success and Failure

Windows Components\File Explorer

Windows Components\Internet Explorer\Security Features\Consistent Mime Handling

Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature

Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction

Windows Components\Internet Explorer\Security Features\Notification bar

Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation

Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install

Windows Components\Internet Explorer\Security Features\Restrict File Download

Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction

Windows Components\Windows Defender SmartScreen\Explorer

Windows Components\Windows PowerShell

Hardened UNC Paths

Turn On Virtualization Based Security

Configure registry policy processing

Configure Windows Defender SmartScreen

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Configure Attack Surface Reduction rules

Configure Windows Defender SmartScreen

Turn on PowerShell Script Block Logging

Disable driver (reco Disable driver (recomme

P-node (recommendeP-node (recommended)

Highest protection, s Highest protection, sourc

[[[main setting]]] = [[[main setting]]] =

tion server and File Share Shadow Copy Agent running on th

Do not execute any Do not execute any aut

[[[main setting]]] = [[[main setting]]] =