FINAL-MS Security Baseline Windows 11

General Information
This workbook displays all available Group Policy settings for Windows 11 and the corresponding M
recommended configuration of those settings for well-managed enterprise systems.
Settings contained are as of Build 22000.194
Last modified on October 4, 2021
Legend:
Setting that should be removed for non-Domain joined systems
Note:
This Excel spreadsheet lists all security settings and group policies for Windows 11, along with t
recommended configuration of those settings for well-managed enterprise systems. All the setting
the Windows group policy and security template editors, except for LAPS, MS Security Guide and
LAPS can be downloaded with the LAPS solution from https://www.microsoft.com/en-us/downlo
id=46899. The MS Security Guide and MSS (Legacy) can be implemented using a custom ADMX tha
this security guidance.
General Information
plays all available Group Policy settings for Windows 11 and the corresponding Microsoft-
nfiguration of those settings for well-managed enterprise systems.
Settings contained are as of Build 22000.194
Last modified on October 4, 2021
Legend:
that should be removed for non-Domain joined systems
Note:
eadsheet lists all security settings and group policies for Windows 11, along with the Microsoft-
onfiguration of those settings for well-managed enterprise systems. All the settings are present in
roup policy and security template editors, except for LAPS, MS Security Guide and MSS (Legacy).
wnloaded with the LAPS solution from https://www.microsoft.com/en-us/download/details.aspx?
S Security Guide and MSS (Legacy) can be implemented using a custom ADMX that is included with
this security guidance.
Policy Path
Account Lockout
Account Lockout
Account Lockout
Audit Policy
Audit Policy
Audit Policy
Audit Policy
Audit Policy
Audit Policy
Audit Policy
Audit Policy
Audit Policy
Event Log
Event Log
Event Log
Event Log
Event Log
Event Log
Event Log
Event Log
Event Log
Event Log
Event Log
Event Log
Kerberos Policy
Kerberos Policy
Kerberos Policy
Kerberos Policy
Kerberos Policy
Password Policy
Password Policy
Password Policy
Password Policy
Password Policy
Password Policy
Password Policy
Password Policy
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
Security Options
User Rights Assignments
Policy Setting Name
Account lockout duration
Account lockout threshold
Reset account lockout counter after
Audit account logon events
Audit account management
Audit directory service access
Audit logon events
Audit object access
Audit policy change
Audit privilege use
Audit process tracking
Audit system events
Maximum application log size
Maximum security log size
Maximum system log size
Prevent local guests group from accessing application log
Prevent local guests group from accessing security log
Prevent local guests group from accessing system log
Retain application log
Retain security log
Retain system log
Retention method for application log
Retention method for security log
Retention method for system log
Enforce user logon restrictions
Maximum lifetime for service ticket
Maximum lifetime for user ticket
Maximum lifetime for user ticket renewal
Maximum tolerance for computer clock synchronization
Enforce password history
Maximum password age
Minimum password age
Minimum password length
Minimum password length audit
Password must meet complexity requirements
Relax minimum password length limits
Store passwords using reversible encryption
Accounts: Administrator account status
Accounts: Block Microsoft accounts
Accounts: Guest account status
Accounts: Limit local account use of blank passwords to console logon only
Accounts: Rename administrator account
Accounts: Rename guest account
Audit: Audit the access of global system objects
Audit: Audit the use of Backup and Restore privilege
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit
Audit: Shut down system immediately if unable to log security audits
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
Devices: Allow undock without having to log on
Devices: Allowed to format and eject removable media
Devices: Prevent users from installing printer drivers
Devices: Restrict CD-ROM access to locally logged-on user only
Devices: Restrict floppy access to locally logged-on user only
Domain controller: Allow server operators to schedule tasks
Domain controller: Allow vulnerable Netlogon secure channel connections
Domain controller: LDAP server channel binding token requirements
Domain controller: LDAP server signing requirements
Domain controller: Refuse machine account password changes
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Disable machine account password changes
Domain member: Maximum machine account password age
Domain member: Require strong (Windows 2000 or later) session key
Interactive logon: Display user information when the session is locked
Interactive logon: Do not require CTRL+ALT+DEL
Interactive logon: Don't display last signed-in
Interactive logon: Don't display username at sign-in
Interactive logon: Machine account lockout threshold
Interactive logon: Machine inactivity limit
Interactive logon: Message text for users attempting to log on
Interactive logon: Message title for users attempting to log on
Interactive logon: Number of previous logons to cache (in case domain controller is not available)
Interactive logon: Prompt user to change password before expiration
Interactive logon: Require Domain Controller authentication to unlock workstation
Interactive logon: Require Windows Hello for Business or smart card
Interactive logon: Smart card removal behavior
Microsoft network client: Digitally sign communications (always)
Microsoft network client: Digitally sign communications (if server agrees)
Microsoft network client: Send unencrypted password to third-party SMB servers
Microsoft network server: Amount of idle time required before suspending session
Microsoft network server: Attempt S4U2Self to obtain claim information
Microsoft network server: Digitally sign communications (always)
Microsoft network server: Digitally sign communications (if client agrees)
Microsoft network server: Disconnect clients when logon hours expire
Microsoft network server: Server SPN target name validation level
Network access: Allow anonymous SID/Name translation
Network access: Do not allow anonymous enumeration of SAM accounts
Network access: Do not allow anonymous enumeration of SAM accounts and shares
Network access: Do not allow storage of passwords and credentials for network authentication
Network access: Let Everyone permissions apply to anonymous users
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and sub-paths
Network access: Restrict anonymous access to Named Pipes and Shares
Network access: Restrict clients allowed to make remote calls to SAM
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts
Network security: Allow Local System to use computer identity for NTLM
Network security: Allow LocalSystem NULL session fallback
Network security: Allow PKU2U authentication requests to this computer to use online identities.
Network security: Configure encryption types allowed for Kerberos
Network security: Do not store LAN Manager hash value on next password change
Network security: Force logoff when logon hours expire
Network security: LAN Manager authentication level
Network security: LDAP client signing requirements
Network security: Minimum session security for NTLM SSP based (including secure RPC)
Network security: Minimum session security for NTLM SSP based (including secure RPC)
Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
Network security: Restrict NTLM: Add server exceptions in this domain
Network security: Restrict NTLM: Audit Incoming NTLM Traffic
Network security: Restrict NTLM: Audit NTLM authentication in this domain
Network security: Restrict NTLM: Incoming NTLM traffic
Network security: Restrict NTLM: NTLM authentication in this domain
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
Recovery console: Allow automatic administrative logon
Recovery console: Allow floppy copy and access to all drives and all folders
Shutdown: Allow system to be shut down without having to log on
Shutdown: Clear virtual memory pagefile
System cryptography: Force strong key protection for user keys stored on the computer
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing
System objects: Require case insensitivity for non-Windows subsystems
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic
System settings: Optional subsystems
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies
User Account Control: Admin Approval Mode for the Built-in Administrator account
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
User Account Control: Behavior of the elevation prompt for administrators in Admin A
User Account Control: Behavior of the elevation prompt for standard users
User Account Control: Detect application installations and prompt for elevation
User Account Control: Only elevate executables that are signed and validated
User Account Control: Only elevate UIAccess applications that are installed in secure lo
User Account Control: Run all administrators in Admin Approval Mode
User Account Control: Switch to the secure desktop when prompting for elevation
User Account Control: Virtualize file and registry write failures to per-user locations
Access Credential Manager as a trusted caller
Access this computer from the network
Act as part of the operating system
Add workstations to domain
Adjust memory quotas for a process
Allow log on locally
Allow log on through Remote Desktop Services
Back up files and directories
Bypass traverse checking
Change the system time
Change the time zone
Create a pagefile
Create a token object
Create global objects
Create permanent shared objects
Create symbolic links
Debug programs
Deny access to this computer from the network
Deny log on as a batch job
Deny log on as a service
Deny log on locally
Deny log on through Remote Desktop Services
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system
Generate security audits
Impersonate a client after authentication
Increase a process working set
Increase scheduling priority
Load and unload device drivers
Lock pages in memory
Log on as a batch job
Log on as a service
Manage auditing and security log
Modify an object label
Modify firmware environment values
Obtain an impersonation token for another user in the same session
Perform volume maintenance tasks
Profile single process
Profile system performance
Remove computer from docking station
Replace a process level token
Restore files and directories
Shut down the system
Synchronize directory service data
Take ownership of files or other objects
Windows 11
15
10
15
24
14
Enabled
Disabled
Enabled
Enabled
age (SDDL) syntax

age (SDDL) syntax
Enabled
Enabled
Enabled
Disabled
30
Enabled
900
roller is not available)
Lock Workstation
Enabled
Disabled
Enabled
Disabled
Enabled
Enabled
work authentication
Enabled
O:BAG:BAD:(A;;RC;;;BA)
Disabled
use online identities.
Enabled
Send NTLMv2 response only. Refuse LM & NTLM

Negotiate signing
Require NTLMv2 session security and Require 128-bit enc
Require NTLMv2 session security and Require 128-bit enc
uthentication
he computer
g, and signing
Enabled
Restriction Policies
Enabled
without using the secure desktop
Prompt for consent on the secure desktop
Automatically deny elevation requests
Enabled
Enabled
Enabled
Enabled
No One (Blank)
Administrators; Remote Desktop Users
No One (Blank)
Administrators; Users
Administrators
Administrators
No One (Blank)
Administrators; LOCAL SERVICE; NETWORK SERVICE; SER
No One (Blank)
Administrators
NT AUTHORITY\Local Account
NT AUTHORITY\Local Account
No One (blank)
Administrators
Administrators, SERVICE, Local Service, Network Service
Administrators
No One (blank)
Administrators
Administrators
Administrators
Administrators
Administrators
Administrators
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
Default: 0.
Default: None, because this policy setting only has meaning when an Account lockout threshold is specified.
Default: Success.
Default: Nodomain
Success on auditing.
controllers.
No auditing on member servers.
Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up a
Success on domain controllers.
No auditing on member servers.
Default:
Default: Enabled
Enabled for
for Windows
Windows XP,
XP, Disabled
Disabled for
for Windows
Windows 2000
2000
Default: Enabled for Windows XP, Disabled for Windows 2000
Default: None.
Default: None.
Default: Enabled.
Default: 600 minutes (10 hours).
Default: 10 hours.
Default: 7 days.
Default:
Note: By5default,
minutes.
member computers follow the configuration of their domain controllers.
To maintain the effectiveness of the password history, do not allow passwords to be changed immediately after they were jus
Default: 42.
Note: By default, member computers follow the configuration of their domain controllers.
Note: By default,
For more member
information computers follow the configuration of their domain controllers.
see https://go.microsoft.com/fwlink/?LinkId=2097191.
Note: By default, member computers follow the configuration of their domain controllers.
For more information see https://go.microsoft.com/fwlink/?LinkId=2097191.
Default: Disabled.
Default: Disabled.
If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows.
Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts i
Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
Default: Administrator.
Default: Disabled.
This security setting determines whether the domain controller bypasses secure RPC for Netlogon secure channel connections
Default: Disabled
This policy should be applied to all domain controllers in a forest by enabling the policy on the domain controllers OU.
When the Create Vulnerable Connections list (allow list) is configured:
- Given allow permission, the domain controller will allow accounts to use a Netlogon secure channel without secure RPC.
- Given deny permission, the domain controller will require accounts to use a Netlogon secure channel with secure RPC wh
This setting
Warning! does not
Enabling affect
this Administrators.
policy will expose your domain-joined devices and can expose your Active Directory forest to risk. This
the account should be removed from the Create Vulnerable Connections list. To better understand the risk of configuring acco
Default: This policy is not configured. No machines or trust accounts are explicitly exempt from secure RPC with Netlogon secu
This policy is supported on at least Windows Server 2008 R2.
Notes: The When Supported option only protects those clients that do support Extended Protection for Authentication; clients
This security setting should not be enabled. Computer account passwords are used to establish secure channel communication
This setting should not be used in an attempt to support dual-boot scenarios that use the same computer account. If you wan
Interactive Logon: Display user information when session is locked
The machine lockout policy is enforced only on those machines that have Bitlocker enabled for protecting OS volumes. Please
Default: not enforced.
Default: No message.
Default: No message.
Default: 25
On Windows Vista and above: For this setting to work, the Smart Card Removal Policy service must be started.
Default: Disabled.
Default: Automatic.
All Windows operating systems support both a client-side SMB component and a server-side SMB component. This setting affe
System\CurrentControlSet\Control\Server Applications
Software\Microsoft\Windows NT\CurrentVersion
Note: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you configure t
Network access: Restrict clients allowed to make remote calls to SAM

This policy will have no impact on computers running Windows 2000.
When the computer is not joined to a domain, this setting also modifies the Sharing and Security tabs in Windows Explorer to
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
The default is TRUE up to Windows Vista and FALSE in Windows 7.
This policy will be turned off by default on domain joined machines. This would disallow the online identities to be able to auth
This policy is supported on at least Windows 7 or Windows Server 2008 R2.
Windows Server 2003: Send NTLM response only

Windows Vista and Windows Server 2008: Send NTLMv2 response only
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used b
The naming format for servers on this exception list is the fully qualified domain name (FQDN) or NetBIOS server name used b
Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/M
Note: Audit events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/M
Note: Block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Mi
Note: Block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Services Log/Mi
Note: Audit and block events are recorded on this computer in the "NTLMBlock" Log located under the Applications and Servic
Note: The Federal Information Processing Standard (FIPS) 140 is a security implementation designed for certifying cryptograph
Default: Disabled
If you plan to enable this setting, you should also review the effect of the "User Account Control: Behavior of the elevation pro
This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned
Everyone
Pre-Windows 2000 Compatible Access
Default: None.
This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
Default: Administrators, Users
Network Service
Service
Default:
Note None.
This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to c
Default: Administrators
Default: Guest
Default: None.
Default: None.
This setting does not have any effect on Windows 2000 computers that have not been updated to Service Pack 2.
On workstations on domain
and servers: controllers.
Administrators.
On domain
Default: controllers:
Local Service Administrators, Server Operators.
Network Service.
If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
Warning: Increasing the working set size for a process decreases the amount of physical memory available to the rest of the sy
Default: Administrators.
Administrators
Print Operators
Default:
Default: None.
Administrators
Backup Operators.
Default setting: None.
Default: None
If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
Default: Administrators, Power users.
Default: Administrators, Power Users, Users

Default: Network
Workstations and Service,
servers:Local Service. Backup Operators.
Administrators,
Domain controllers: Administrators, Backup Operators, Server Operators.
Default on Domain controllers: Administrators, Backup Operators, Server Operators, Print Operators.
Defaults: None.
Registry Informa
Account Lockout Policy security settings are not registry keys.
Audit Policy security settings are not registry keys.
Event Log security settings are not registry keys.
Kerberos Policy security settings are not registry keys.
Password Policy security settings are not registry keys.
MACHINE\System\CurrentControlSet\Control\SAM\MinimumPasswordLengthAudit
MACHINE\System\CurrentControlSet\Control\SAM\RelaxMinimumPasswordLengthLimits
Not a registry key
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoConnectedUser
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse
Not a registry key
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\AuditBaseObjects
MACHINE\System\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
MACHINE\System\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineAccessRestriction
MACHINE\SOFTWARE\policies\Microsoft\windows NT\DCOM\MachineLaunchRestriction
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\UndockWithoutLogon
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateDASD
MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrinterDrivers
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies
MACHINE\System\CurrentControlSet\Control\Lsa\SubmitControl
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding
MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RefusePasswordChange
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\MaximumPasswordAge
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireStrongKey
Machine\Software\Microsoft\Windows\CurrentVersion\Policies\System, value=DontDisplayLockedUserId
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayUserName
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\MaxDevicePasswordFailedAttempts
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\InactivityTimeoutSecs
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ForceUnlockLogon
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ScForceOption
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScRemoveOption
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableS4U2SelfForClaims
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\SmbServerNameHardeningLevel
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictRemoteSAM
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares
MACHINE\System\CurrentControlSet\Control\Lsa\ForceGuest
MACHINE\System\CurrentControlSet\Control\Lsa\UseMachineId
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\allownullsessionfallback
MACHINE\System\CurrentControlSet\Control\Lsa\pku2u\AllowOnlineID
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash
Not a registry key
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
MACHINE\System\CurrentControlSet\Services\LDAP\LDAPClientIntegrity
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinClientSec
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\NTLMMinServerSec
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\ClientAllowedNTLMServers
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DCAllowedNTLMServers
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\AuditReceivingNTLMTraffic
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\AuditNTLMInDomain
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictReceivingNTLMTraffic
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RestrictNTLMInDomain
MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown
MACHINE\Software\Policies\Microsoft\Cryptography\ForceKeyProtection
MACHINE\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy
MACHINE\System\CurrentControlSet\Control\Session Manager\Kernel\ObCaseInsensitive
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode
MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\optional
MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\AuthenticodeEnabled
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableUIADesktopToggle
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization
User Rights security settings are not registry keys

Note: This
Note: This setting
setting does
does not
not appear
appear in
in the
the Local
Local Computer
Computer Policy
Policy object.
object.
Important: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility informatio
Note:
Notes:This
Thissetting
settingdoes
doesnot
notappear
appearininthe
theLocal
LocalComputer
ComputerPolicy
Policyobject.
object.
This
This security setting affects only computers running Windows 2000, Windows
security setting affects only computers running Windows 2000, Windows Server
Server 2003,
2003, and
and Windows
Windows XP.
XP.
A userThis
Note: mustsetting
possess thenot
does Manage
appearauditing and security
in the Local ComputerlogPolicy
user right to acces
object.
This security
Notes: settingdoes
This setting affects
notonly computers
appear running
in the Local Windows
Computer 2000,
Policy Windows Server 2003, and Windows XP.
object.
A user must possess the Manage auditing and security log user right to access the security log.
Notes: This setting does not appear in the Local Computer Policy object.
Note: This setting does not appear in the Local Computer Policy object.
clients will get the new setting after a maximum of 8 hours but for DCs to assign these new settings a Gpupdate /force is requi
For the policy change to take effect, the spooler service needs to be stopped/restarted, but the system does not have to be re
Restart of service might be sufficient
Important: In order to take advantage of this policy on member workstations and servers, all domain controllers that constitut
In order to take advantage of this policy on doma
Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manage
Important: This setting applies to Windows 2000 computers, but it is not available through the Security Configuration Manage
Important: This setting will apply to any computers running Windows 2000 through changes in the registry, but the security se
Only LogOff is required for W2K, XP and W2K3 computers. In Vista, start/restart the scpolicysvc will work or LogOff
Important: For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled
Important: For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled
Important: This policy has no impact on domain controllers. For more information, search for "Security Settings Descriptions"
Important: The Network access: Remotely accessible registry paths security setting that appears on computers running Windo
Important: On Windows XP, this security setting was called "Network access: Remotely accessible registry paths." If you config
This policy setting allows you to restrict remote rpc connections to SAM. If not selected, the default security descriptor will be
Important: This setting only affects computers running Windows XP Professional which are not joined to a domain.
This policy will have no impact on computers running Windows 2000. For more information, search for "Security Setting Descr
Important: Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Wind
This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Pr
Important: This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Window
Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setti
Warning: This setting will apply to any computers running Windows 2000 through changes in the registry but the security setti
Require restart of recovery console

Require restart of recovery console
Requires logoff
Vista does NOT require reboot
Requires reboot with CNG on Vista; Does not require reboot with CAPI on Vista; Does not require reboot on XP, 2003 with CAP
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Note: In Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family, t
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Logoff required
Policy Path
Account Logon
Account Logon
Account Logon
Account Logon
Account Management
Account Management
Account Management
Account Management
Account Management
Account Management
Detailed Tracking
Detailed Tracking
Detailed Tracking
Detailed Tracking
Detailed Tracking
Detailed Tracking
DS Access
DS Access
DS Access
DS Access
Global Object Access Auditing
Global Object Access Auditing
Logon/Logoff
Logon/Logoff
Logon/Logoff
Logon/Logoff
Logon/Logoff
Logon/Logoff
Logon/Logoff
Logon/Logoff
Logon/Logoff
Logon/Logoff
Logon/Logoff
Object Access
Object Access
Object Access
Object Access
Object Access
Object Access
Object Access
Object Access
Object Access
Object Access
Object Access
Object Access
Object Access
Object Access
Policy Change
Policy Change
Policy Change
Policy Change
Policy Change
Policy Change
Privilege Use
Privilege Use
Privilege Use
System
System
System
System
System
Policy Setting Name
Audit Credential Validation
Audit Kerberos Authentication Service
Audit Kerberos Service Ticket Operations
Audit Other Account Logon Events
Audit Application Group Management
Audit Computer Account Management
Audit Distribution Group Management
Audit Other Account Management Events
Audit Security Group Management
Audit User Account Management
Audit DPAPI Activity
Audit PNP Activity
Audit Process Creation
Audit Process Termination
Audit RPC Events
Audit Token Right Adjusted
Audit Detailed Directory Service Replication
Audit Directory Service Access
Audit Directory Service Changes
Audit Directory Service Replication
File system
Registry
Audit Account Lockout
Audit Group Membership
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon
Audit User / Device Claims
Audit Application Generated
Audit Central Access Policy Staging
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events
Audit Registry
Audit Removable Storage
Audit SAM
Audit Audit Policy Change
Audit Authentication Policy Change
Audit Authorization Policy Change
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change
Audit Other Policy Change Events
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events
Audit Sensitive Privilege Use
Audit IPsec Driver
Audit Other System Events
Audit Security State Change
Audit Security System Extension
Audit System Integrity
Windows 11
Success and Failure
Success
Success and Failure
Success
Success
Failure
Success
Success and Failure
Success and Failure

Success
Failure
Success and Failure
Success and Failure

Success and Failure
Success
Success
Success and Failure

Failure
Success and Failure
Success and Failure

Success
Success
Success and Failure
Policy Path
Domain Profile\State
Domain Profile\Settings
Domain Profile\Logging
Private Profile\State
Private Profile\Settings
Private Profile\Logging
Public Profile\State
Public Profile\Settings
Public Profile\Logging
IPSec Settings\Ipsec defaults
IPSec Settings\Ipsec exemptions
IPSec Settings
Policy Setting Name
Firewall State
Inbound Connections
Outbound Connections
Protected network connections
Display a notification
Allow unicast response
Apply local firewall rules
Apply local connection security rules
Name
Size limit
Log dropped packets
Log successful connections
Firewall State
Inbound Connections
Name
Size limit
Log dropped packets
Firewall State
Inbound Connections
Name
Size limit
Log dropped packets
Key exchange
Data protection
Authentication method
Exempt ICMP from Ipsec
Ipsec tunnel authorization
Windows 11
On
Block
Allow
No
16384
Yes
Yes
On
Block
Allow
No
16384
Yes
Yes
On
Block
Allow
No
No
No
16384
Yes
Yes
Policy Path
Control Panel
Control Panel
Control Panel\Personalization
Control Panel\Regional and Language Options
Control Panel\Regional and Language Options\Handwriting personalization
Control Panel\User Accounts
LAPS
LAPS
LAPS
LAPS
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MS Security Guide
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
MSS (Legacy)
Network
Network\Background Intelligent Transfer Service (BITS)
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\BranchCache
Network\DirectAccess Client Experience Settings
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\DNS Client
Network\Fonts
Network\Hotspot Authentication
Network\Lanman Server
Network\Lanman Workstation
Network\Link-Layer Topology Discovery
Network\Link-Layer Topology Discovery
Network\Microsoft Peer-to-Peer Networking Services
Network\Microsoft Peer-to-Peer Networking Services
Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Global Clouds
Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Link-Local Clouds
Network\Microsoft Peer-to-Peer Networking Services\Peer Name Resolution Protocol\Site-Local Clouds
Network\Network Connections
Network\Network Connections\Windows Defender Firewall
Network\Network Connections\Windows Defender Firewall\Domain Profile
Network\Network Connections\Windows Defender Firewall\Standard Profile
Network\Network Connectivity Status Indicator
Network\Network Isolation
Network\Network Provider
Network\Offline Files
Network\QoS Packet Scheduler
Network\QoS Packet Scheduler\DSCP value of conforming packets
Network\QoS Packet Scheduler\DSCP value of non-conforming packets
Network\QoS Packet Scheduler\Layer-2 priority value
Network\SNMP
Network\SNMP
Network\SNMP
Network\SSL Configuration Settings
Network\SSL Configuration Settings
Network\TCPIP Settings\IPv6 Transition Technologies
Network\TCPIP Settings\Parameters
Network\TCPIP Settings\Parameters
Network\Windows Connect Now
Network\Windows Connection Manager
Network\Wireless Display
Network\Wireless Display
Network\WLAN Service\WLAN Media Cost
Network\WLAN Service\WLAN Settings
Network\WWAN Service\Cellular Data Access
Network\WWAN Service\WWAN Media Cost
Network\WWAN Service\WWAN Media Cost
Network\WWAN Service\WWAN UI Settings
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Printers
Start Menu and Taskbar
Start Menu and Taskbar\Notifications
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System\Access-Denied Assistance
System\Access-Denied Assistance
System\App-V
System\App-V\CEIP
System\App-V\Client Coexistence
System\App-V\Integration
System\App-V\PackageManagement
System\App-V\PowerManagement
System\App-V\Publishing
System\App-V\Reporting
System\App-V\Scripting
System\App-V\Streaming
System\App-V\Virtualization
System\App-V\Virtualization
System\Audit Process Creation
System\Credentials Delegation
System\Device Guard
System\Device Guard
System\Device Health Attestation Service
System\Device Installation
System\Device Installation\Device Installation Restrictions

System\Disk NV Cache
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Disk Quotas
System\Display
System\Display
System\Display
System\Distributed COM\Application Compatibility Settings
System\Distributed COM\Application Compatibility Settings
System\Driver Installation
System\Early Launch Antimalware

System\Enhanced Storage Access
System\File Classification Infrastructure
System\File Classification Infrastructure
System\File Share Shadow Copy Provider
System\Filesystem
System\Filesystem
System\Filesystem
System\Filesystem\NTFS
System\Folder Redirection
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Internet Communication Management
System\Internet Communication Management\Internet Communication settings
System\iSCSI\General iSCSI
System\iSCSI\General iSCSI
System\iSCSI\iSCSI Security
System\iSCSI\iSCSI Target Discovery
System\KDC
System\KDC
System\KDC
System\KDC
System\KDC
System\KDC
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kerberos
System\Kernel DMA Protection

System\Locale Services
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Logon
System\Mitigation Options
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon
System\Net Logon\DC Locator DNS Records
System\OS Policies
System\OS Policies
System\OS Policies
System\OS Policies
System\OS Policies
System\PIN Complexity
System\Power Management
System\Power Management\Button Settings
System\Power Management\Energy Saver Settings
System\Power Management\Energy Saver Settings
System\Power Management\Hard Disk Settings
System\Power Management\Hard Disk Settings
System\Power Management\Notification Settings
System\Power Management\Power Throttling Settings
System\Power Management\Sleep Settings
System\Power Management\Video and Display Settings
System\Recovery
System\Remote Assistance
System\Remote Procedure Call
System\Removable Storage Access
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Security Account Manager
System\Server Manager
System\Service Control Manager Settings\Security Settings
System\Shutdown
System\Shutdown Options
System\Storage Health
System\Storage Sense
System\System Restore
System\System Restore
System\Troubleshooting and Diagnostics
System\Troubleshooting and Diagnostics
System\Troubleshooting and Diagnostics\Application Compatibility Diagnostics
System\Troubleshooting and Diagnostics\Corrupted File Recovery
System\Troubleshooting and Diagnostics\Disk Diagnostic
System\Troubleshooting and Diagnostics\Disk Diagnostic
System\Troubleshooting and Diagnostics\Fault Tolerant Heap
System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool
System\Troubleshooting and Diagnostics\MSI Corrupted File Recovery
System\Troubleshooting and Diagnostics\Scheduled Maintenance
System\Troubleshooting and Diagnostics\Scripted Diagnostics
System\Troubleshooting and Diagnostics\Windows Boot Performance Diagnostics
System\Troubleshooting and Diagnostics\Windows Memory Leak Diagnosis
System\Troubleshooting and Diagnostics\Windows Resource Exhaustion Detection and Resolution
System\Troubleshooting and Diagnostics\Windows Shutdown Performance Diagnostics
System\Troubleshooting and Diagnostics\Windows Standby/Resume Performance Diagnostics
System\Troubleshooting and Diagnostics\Windows System Responsiveness Performance Diagnostics
System\Trusted Platform Module Services
System\User Profiles
System\Windows File Protection
System\Windows Time Service
System\Windows Time Service\Time Providers
Windows Components\ActiveX Installer Service
Windows Components\ActiveX Installer Service
Windows Components\Add features to Windows 10
Windows Components\App Package Deployment
Windows Components\App Privacy
Windows Components\App runtime
Windows Components\Application Compatibility
Windows Components\AutoPlay Policies
Windows Components\Backup\Server
Windows Components\Biometrics
Windows Components\Biometrics\Facial Features
Windows Components\BitLocker Drive Encryption
Windows Components\BitLocker Drive Encryption\Fixed Data Drives
Windows Components\BitLocker Drive Encryption\Operating System Drives
Windows Components\BitLocker Drive Encryption\Removable Data Drives

Windows Components\Camera
Windows Components\Chat
Windows Components\Cloud Content
Windows Components\Connect
Windows Components\Connect
Windows Components\Credential User Interface
Windows Components\Data Collection and Preview Builds
Windows Components\Delivery Optimization
Windows Components\Desktop Gadgets
Windows Components\Desktop Window Manager
Windows Components\Desktop Window Manager\Window Frame Coloring
Windows Components\Device and Driver Compatibility
Windows Components\Device and Driver Compatibility
Windows Components\Device Registration
Windows Components\Digital Locker
Windows Components\Edge UI
Windows Components\Event Forwarding
Windows Components\Event Forwarding
Windows Components\Event Log Service\Application
Windows Components\Event Log Service\Security
Windows Components\Event Log Service\Setup
Windows Components\Event Log Service\System
Windows Components\Event Logging
Windows Components\Event Viewer
Windows Components\File Explorer
Windows Components\File Explorer\Previous Versions
Windows Components\File History
Windows Components\Find My Device
Windows Components\Handwriting
Windows Components\HomeGroup
Windows Components\Human Presence
Windows Components\Internet Explorer
Windows Components\Internet Explorer\Accelerators
Windows Components\Internet Explorer\Application Compatibility\Clipboard access
Windows Components\Internet Explorer\Browser menus
Windows Components\Internet Explorer\Compatibility View
Windows Components\Internet Explorer\Corporate Settings\Code Download
Windows Components\Internet Explorer\Delete Browsing History
Windows Components\Internet Explorer\Internet Control Panel
Windows Components\Internet Explorer\Internet Control Panel\Advanced Page
Windows Components\Internet Explorer\Internet Control Panel\Content Page
Windows Components\Internet Explorer\Internet Control Panel\General Page
Windows Components\Internet Explorer\Internet Control Panel\General Page\Browsing History
Windows Components\Internet Explorer\Internet Control Panel\Security Page
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Internet Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Intranet Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Internet Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Intranet Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Local Machine Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Restricted Sites Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Trusted Sites Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites Zone
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Zone
Windows Components\Internet Explorer\Internet Settings
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Browsing
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Multimedia
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Searching
Windows Components\Internet Explorer\Internet Settings\AutoComplete
Windows Components\Internet Explorer\Internet Settings\Component Updates\Help Menu > About Internet Explor
Windows Components\Internet Explorer\Internet Settings\Component Updates\Periodic check for updates to Interne
Windows Components\Internet Explorer\Internet Settings\Component Updates\Periodic check for updates to Interne
Windows Components\Internet Explorer\Privacy
Windows Components\Internet Explorer\Security Features
Windows Components\Internet Explorer\Security Features\Add-on Management
Windows Components\Internet Explorer\Security Features\AJAX
Windows Components\Internet Explorer\Security Features\Binary Behavior Security Restriction
Windows Components\Internet Explorer\Security Features\Consistent Mime Handling

Windows Components\Internet Explorer\Security Features\Local Machine Zone Lockdown Security
Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature

Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction

Windows Components\Internet Explorer\Security Features\Network Protocol Lockdown
Windows Components\Internet Explorer\Security Features\Network Protocol Lockdown\Restricted Protocols Per Sec
Windows Components\Internet Explorer\Security Features\Notification bar

Windows Components\Internet Explorer\Security Features\Object Caching Protection
Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation

Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install

Windows Components\Internet Explorer\Security Features\Restrict File Download

Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions

Windows Components\Internet Explorer\Toolbars
Windows Components\Internet Information Services
Windows Components\Location and Sensors
Windows Components\Location and Sensors\Windows Location Provider
Windows Components\Maintenance Scheduler
Windows Components\Maps
Windows Components\Maps
Windows Components\MDM
Windows Components\MDM
Windows Components\Messaging
Windows Components\Microsoft account
Windows Components\Microsoft Defender Antivirus
Windows Components\Microsoft Defender Antivirus\Client Interface
Windows Components\Microsoft Defender Antivirus\Device Control
Windows Components\Microsoft Defender Antivirus\Device Control
Windows Components\Microsoft Defender Antivirus\Exclusions
Windows Components\Microsoft Defender Antivirus\MAPS
Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction

Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction
Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Controlled Folder Access
Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection
Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection
Windows Components\Microsoft Defender Antivirus\MpEngine
Windows Components\Microsoft Defender Antivirus\Network Inspection System
Windows Components\Microsoft Defender Antivirus\Quarantine
Windows Components\Microsoft Defender Antivirus\Quarantine
Windows Components\Microsoft Defender Antivirus\Real-time Protection
Windows Components\Microsoft Defender Antivirus\Remediation
Windows Components\Microsoft Defender Antivirus\Reporting
Windows Components\Microsoft Defender Antivirus\Scan
Windows Components\Microsoft Defender Antivirus\Security Intelligence Updates
Windows Components\Microsoft Defender Antivirus\Threats
Windows Components\Microsoft Defender Antivirus\Threats
Windows Components\Microsoft Defender Application Guard
Windows Components\Microsoft Defender Exploit Guard\Exploit Protection
Windows Components\Microsoft Edge
Windows Components\Microsoft Secondary Authentication Factor
Windows Components\Microsoft User Experience Virtualization
Windows Components\Microsoft User Experience Virtualization\Applications
Windows Components\Microsoft User Experience Virtualization\Windows Apps
Windows Components\NetMeeting
Windows Components\OneDrive
Windows Components\Online Assistance
Windows Components\OOBE
Windows Components\Portable Operating System
Windows Components\Presentation Settings
Windows Components\Push To Install
Windows Components\Remote Desktop Services\RD Licensing
Windows Components\Remote Desktop Services\RD Licensing
Windows Components\Remote Desktop Services\Remote Desktop Connection Client
Windows Components\Remote Desktop Services\Remote Desktop Connection Client\RemoteFX USB Device Redirect
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Licensing
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redirection
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Profiles
Windows Components\Remote Desktop Services\Remote Desktop Session Host\RD Connection Broker
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Remot
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders
Windows Components\RSS Feeds
Windows Components\Search
Windows Components\Security Center
Windows Components\Shutdown Options
Windows Components\Shutdown Options
Windows Components\Smart Card
Windows Components\Software Protection Platform
Windows Components\Software Protection Platform
Windows Components\Sound Recorder
Windows Components\Speech
Windows Components\Store
Windows Components\Sync your settings
Windows Components\Tablet PC\Accessories
Windows Components\Tablet PC\Cursors
Windows Components\Tablet PC\Hardware Buttons
Windows Components\Tablet PC\Input Panel
Windows Components\Tablet PC\Pen Flicks Learning
Windows Components\Tablet PC\Pen UX Behaviors
Windows Components\Tablet PC\Tablet PC Pen Training
Windows Components\Tablet PC\Touch Input
Windows Components\Task Scheduler
Windows Components\Tenant Restrictions
Windows Components\Text Input
Windows Components\Text Input
Windows Components\Widgets
Windows Components\Windows Calendar
Windows Components\Windows Color System
Windows Components\Windows Customer Experience Improvement Program
Windows Components\Windows Customer Experience Improvement Program
Windows Components\Windows Defender SmartScreen\Explorer
Windows Components\Windows Defender SmartScreen\Explorer
Windows Components\Windows Defender SmartScreen\Microsoft Edge
Windows Components\Windows Error Reporting
Windows Components\Windows Error Reporting\Advanced Error Reporting Settings
Windows Components\Windows Error Reporting\Consent
Windows Components\Windows Game Recording and Broadcasting
Windows Components\Windows Hello for Business
Windows Components\Windows Ink Workspace
Windows Components\Windows Ink Workspace
Windows Components\Windows Installer
Windows Components\Windows Logon Options
Windows Components\Windows Media Digital Rights Management
Windows Components\Windows Media Player
Windows Components\Windows Messenger
Windows Components\Windows Mobility Center
Windows Components\Windows PowerShell

Windows Components\Windows Reliability Analysis
Windows Components\Windows Remote Management (WinRM)\WinRM Client
Windows Components\Windows Remote Management (WinRM)\WinRM Service
Windows Components\Windows Remote Shell
Windows Components\Windows Sandbox
Windows Components\Windows Security\Account protection
Windows Components\Windows Security\App and browser protection
Windows Components\Windows Security\App and browser protection
Windows Components\Windows Security\Device performance and health
Windows Components\Windows Security\Device security
Windows Components\Windows Security\Enterprise Customization
Windows Components\Windows Security\Family options
Windows Components\Windows Security\Firewall and network protection
Windows Components\Windows Security\Notifications
Windows Components\Windows Security\Notifications
Windows Components\Windows Security\Systray
Windows Components\Windows Security\Virus and threat protection
Windows Components\Windows Security\Virus and threat protection
Windows Components\Windows Update\Legacy Policies
Windows Components\Windows Update\Manage end user experience
Windows Components\Windows Update\Manage updates offered from Windows Server Update Service
Windows Components\Windows Update\Manage updates offered from Windows Update
Windows Components\Work Folders
Policy Setting Name
Allow Online Tips
Settings Page Visibility
Do not display the lock screen
Force a specific background and accent color
Force a specific default lock screen and logon image
Force a specific Start background
Prevent changing lock screen and logon image
Prevent changing start menu background
Prevent enabling lock screen camera
Prevent enabling lock screen slide show
Prevent lock screen background motion
Allow users to enable online speech recognition services
Block clean-up of unused language packs
Force selected system UI language to overwrite the user UI language
Restrict Language Pack and Language Feature Installation
Restricts the UI language Windows uses for all logged users
Turn off automatic learning
Apply the default account picture to all users
Do not allow password expiration time longer than required by policy
Enable local admin password management
Name of administrator account to manage
Password Settings
Apply UAC restrictions to local accounts on network logons
Block Flash activation in Office documents
Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)
Configure SMB v1 client driver
Configure SMB v1 server
Enable Structured Exception Handling Overwrite Protection (SEHOP)
Extended Protection for LDAP Authentication (Domain Controllers only) (DEPRECATED)
Limits print driver installation to Administrators
LSA Protection
Lsass.exe audit mode
NetBT NodeType configuration
Remove "Run As Different User" from context menus
Restrict legacy JScript execution for Office
Turn on Windows Defender protection against Potentially Unwanted Applications (DEPRECATED)
WDigest Authentication (disabling may require KB2871997)
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure envir
MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofi
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (DisableSavePassword) Prevent the dial-up passsword from being saved (recommended)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests exc
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended 5 is defaul
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended 5 is default)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
Configure how often a DFS client discovers domain controllers
Allow BITS Peercaching
Do not allow the BITS client to use Windows Branch Cache
Do not allow the computer to act as a BITS Peercaching client
Do not allow the computer to act as a BITS Peercaching server
Limit the age of files in the BITS Peercache
Limit the BITS Peercache size
Limit the maximum BITS job download time
Limit the maximum network bandwidth for BITS background transfers
Limit the maximum network bandwidth used for Peercaching
Limit the maximum number of BITS jobs for each user
Limit the maximum number of BITS jobs for this computer
Limit the maximum number of files allowed in a BITS job
Limit the maximum number of ranges that can be added to the file in a BITS job
Set default download behavior for BITS jobs on costed networks
Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers
Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers
Timeout for inactive BITS jobs
Configure BranchCache for network files
Configure Client BranchCache Version Support
Configure Hosted Cache Servers
Enable Automatic Hosted Cache Discovery by Service Connection Point
Set age for segments in the data cache
Set BranchCache Distributed Cache mode
Set BranchCache Hosted Cache mode
Set percentage of disk space used for client computer cache
Turn on BranchCache
Corporate Resources
Custom Commands
DirectAccess Passive Mode
Friendly Name
IPsec Tunnel Endpoints
Prefer Local Names Allowed
Support Email Address
User Interface
Allow DNS suffix appending to unqualified multi-label name queries
Allow NetBT queries for fully qualified domain names
Configure DNS over HTTPS (DoH) name resolution
Connection-specific DNS suffix
DNS servers
DNS suffix search list
Dynamic update
IDN mapping
Prefer link local responses over DNS when received over a network with higher precedence
Primary DNS suffix
Primary DNS suffix devolution
Primary DNS suffix devolution level
Register DNS records with connection-specific DNS suffix
Register PTR records
Registration refresh interval
Replace addresses in conflicts
TTL value for A and PTR records
Turn off IDN encoding
Turn off multicast name resolution
Turn off smart multi-homed name resolution
Turn off smart protocol reordering
Update security level
Update top level domain zones
Enable Font Providers
Enable Hotspot Authentication
Cipher suite order
Hash Publication for BranchCache
Hash Version support for BranchCache
Honor cipher suite order
Cipher suite order
Enable insecure guest logons
Handle Caching on Continuous Availability Shares
Offline Files Availability on Continuous Availability Shares
Turn on Mapper I/O (LLTDIO) driver
Turn on Responder (RSPNDR) driver
Disable password strength validation for Peer Grouping
Turn off Microsoft Peer-to-Peer Networking Services
Set PNRP cloud to resolve only
Set the Seed Server
Turn off Multicast Bootstrap
Turn off PNRP cloud creation
Set the Seed Server
Set the Seed Server
Do not show the "local access only" network icon
Prohibit installation and configuration of Network Bridge on your DNS domain network
Prohibit use of Internet Connection Firewall on your DNS domain network
Prohibit use of Internet Connection Sharing on your DNS domain network
Require domain users to elevate when setting a network's location
Route all traffic through the internal network
Windows Defender Firewall: Allow authenticated IPsec bypass
Windows Defender Firewall: Allow ICMP exceptions
Windows Defender Firewall: Allow inbound file and printer sharing exception
Windows Defender Firewall: Allow inbound remote administration exception
Windows Defender Firewall: Allow inbound Remote Desktop exceptions
Windows Defender Firewall: Allow inbound UPnP framework exceptions
Windows Defender Firewall: Allow local port exceptions
Windows Defender Firewall: Allow local program exceptions
Windows Defender Firewall: Allow logging
Windows Defender Firewall: Define inbound port exceptions
Windows Defender Firewall: Define inbound program exceptions
Windows Defender Firewall: Do not allow exceptions
Windows Defender Firewall: Prohibit notifications
Windows Defender Firewall: Prohibit unicast response to multicast or broadcast requests
Windows Defender Firewall: Protect all network connections
Windows Defender Firewall: Allow ICMP exceptions
Windows Defender Firewall: Allow inbound file and printer sharing exception
Windows Defender Firewall: Allow inbound remote administration exception
Windows Defender Firewall: Allow inbound Remote Desktop exceptions
Windows Defender Firewall: Allow inbound UPnP framework exceptions
Windows Defender Firewall: Allow local port exceptions
Windows Defender Firewall: Allow local program exceptions
Windows Defender Firewall: Allow logging
Windows Defender Firewall: Define inbound port exceptions
Windows Defender Firewall: Define inbound program exceptions
Windows Defender Firewall: Do not allow exceptions
Windows Defender Firewall: Prohibit notifications
Windows Defender Firewall: Prohibit unicast response to multicast or broadcast requests
Windows Defender Firewall: Protect all network connections
Specify corporate DNS probe host address
Specify corporate DNS probe host name
Specify corporate site prefix list
Specify corporate Website probe URL
Specify domain location determination URL
Specify global DNS
Specify passive polling
Domains categorized as both work and personal
Enterprise resource domains hosted in the cloud
Internet proxy servers for apps
Intranet proxy servers for apps
Private network ranges for apps
Proxy definitions are authoritative
Subnet definitions are authoritative
Hardened UNC Paths

Action on server disconnect
Allow or Disallow use of the Offline Files feature
At logoff delete local copy of user’s offline files
Configure Background Sync
Configure Slow link speed
Configure slow-link mode
Default cache size
Enable file screens
Enable file synchronization on costed networks
Enable Transparent Caching
Encrypt the Offline Files cache
Event logging level
Files not cached
Initial reminder balloon lifetime
Limit disk space used by Offline Files
Non-default server disconnect actions
Prevent use of Offline Files folder
Prohibit user configuration of Offline Files
Reminder balloon frequency
Reminder balloon lifetime
Remove "Make Available Offline" command
Remove "Make Available Offline" for these files and folders
Remove "Work offline" command
Specify administratively assigned Offline Files
Subfolders always available offline
Synchronize all offline files before logging off
Synchronize all offline files when logging on
Synchronize offline files before suspend
Turn off reminder balloons
Turn on economical application of administratively assigned Offline Files
Limit outstanding packets
Limit reservable bandwidth
Set timer resolution
Best effort service type
Controlled load service type
Guaranteed service type
Network control service type
Qualitative service type
Non-conforming packets
Specify communities
Specify permitted managers
Specify traps for public community
ECC Curve Order
SSL Cipher Suite Order
Set 6to4 Relay Name
Set 6to4 Relay Name Resolution Interval
Set 6to4 State
Set IP-HTTPS State
Set ISATAP Router Name
Set ISATAP State
Set Teredo Client Port
Set Teredo Default Qualified
Set Teredo Refresh Rate
Set Teredo Server Name
Set Teredo State
Set IP Stateless Autoconfiguration Limits State
Set Window Scaling Heuristics State
Configuration of wireless settings using Windows Connect Now
Prohibit access of the Windows Connect Now wizards
Disable power management in connected standby mode
Enable Windows to soft-disconnect a computer from a network
Minimize the number of simultaneous connections to the Internet or a Windows Domain
Prohibit connection to non-domain networks when connected to domain authenticated network
Prohibit connection to roaming Mobile Broadband networks
Prefer PIN pairing
Require PIN pairing
Set Cost
Allow Windows to automatically connect to suggested open hotspots to networks shared by contacts a
Let Windows apps access cellular data
Set 3G Cost
Set 4G Cost
Set Per-App Cellular Access UI Visibility
Activate Internet printing
Add Printer wizard - Network scan page (Managed network)
Add Printer wizard - Network scan page (Unmanaged network)
Allow job name in event logs
Allow Print Spooler to accept client connections
Allow printers to be published
Allow pruning of published printers
Always rasterize content to be printed using a software rasterizer
Always render print jobs on the server
Automatically publish new printers in Active Directory
Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)
Check published state
Computer location
Custom support URL in the Printers folder's left pane
Directory pruning interval
Directory pruning priority
Directory pruning retry
Disallow installation of printers using kernel-mode drivers
Do not allow v4 printer drivers to show printer extensions
Enable Device Control Printing Restrictions
Execute print drivers in isolated processes
Extend Point and Print connection to search Windows Update
Isolate print drivers from applications
List of Approved USB-connected print devices
Log directory pruning retry events
Only use Package Point and print
Override print driver execution compatibility setting reported by print driver
Package Point and print - Approved servers
Point and Print Restrictions
Pre-populate printer search location text
Printer browsing
Prune printers that are not automatically republished
Disable context menus in the Start Menu
Do not keep history of recently opened documents
Force Start to be either full screen size or menu size
Pin Apps to Start when installed
Remove "Recently added" list from Start Menu
Remove All Programs list from the Start menu
Remove and prevent access to the Shut Down Restart Sleep and Hibernate commands
Remove frequent programs list from the Start Menu
Show or hide "Most used" list from Start menu
Start Layout
Enables group policy for the WNS FQDN
Turn off notifications network usage
Activate Shutdown Event Tracker System State Data feature
Allow Distributed Link Tracking clients to use domain resources
Display highly detailed status messages
Display Shutdown Event Tracker
Do not automatically encrypt files moved to encrypted folders
Do not display Manage Your Server page at logon
Do not turn off system power after a Windows system shutdown has occurred.
Download missing COM components
Enable Persistent Time Stamp
Remove Boot / Shutdown / Logon / Logoff status messages
Restrict potentially unsafe HTML Help functions to specified folders
Restrict these programs from being launched from Help
Specify settings for optional component installation and component repair
Specify Windows installation file location
Specify Windows Service Pack installation file location
Turn off Data Execution Prevention for HTML Help Executible
Customize message for Access Denied errors
Enable access-denied assistance on client for all file types
Enable App-V Client
Microsoft Customer Experience Improvement Program (CEIP)
Enable Migration Mode
Integration Root Global
Integration Root User
Roaming File Exclusions
Roaming Registry Exclusions
Enable automatic cleanup of unused appv packages
Enable background sync to server when on battery power
Enable Publishing Refresh UX
Publishing Server 1 Settings
Reporting Server
Enable Package Scripts
Allow First Time Application Launches if on a High Cost Windows 8 Metered Connection
Certificate Filter For Client SSL
Enable Support for BranchCache
Location Provider
Package Installation Root
Package Source Root
Reestablishment Interval
Reestablishment Retries
Require Publish As Admin
Shared Content Store (SCS) mode
Specify what to load in background (aka AutoLoad)
Verify certificate revocation list
Enable Dynamic Virtualization
Virtual Component Process Allow List
Include command line in process creation events
Allow delegating default credentials
Allow delegating default credentials with NTLM-only server authentication
Allow delegating fresh credentials
Allow delegating fresh credentials with NTLM-only server authentication
Allow delegating saved credentials
Allow delegating saved credentials with NTLM-only server authentication
Deny delegating default credentials
Deny delegating fresh credentials
Deny delegating saved credentials
Encryption Oracle Remediation

Remote host allows delegation of non-exportable credentials
Restrict delegation of credentials to remote servers
Deploy Windows Defender Application Control
Turn On Virtualization Based Security

Enable Device Health Attestation Monitoring and Reporting
Allow remote access to the Plug and Play interface
Configure device installation time-out
Do not send a Windows error report when a generic driver is installed on a device
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point
Prevent device metadata retrieval from the Internet
Prevent Windows from sending an error report when a device driver requests additional software during installation
Prioritize all digitally signed drivers equally during the driver ranking and selection process
Specify search order for device driver source locations
Specify the search server for device driver updates
Turn off "Found New Hardware" balloons during device installation
Allow administrators to override Device Installation Restriction policies
Allow installation of devices that match any of these device IDs
Allow installation of devices that match any of these device instance IDs
Allow installation of devices using drivers that match these device setup classes
Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria
Display a custom message title when device installation is prevented by a policy setting
Display a custom message when installation is prevented by a policy setting
Prevent installation of devices not described by other policy settings
Prevent installation of devices that match any of these device IDs
Prevent installation of devices that match any of these device instance IDs
Prevent installation of devices using drivers that match these device setup classes
Prevent installation of removable devices
Time (in seconds) to force reboot when required for policy changes to take effect
Turn off boot and resume optimizations
Turn off cache power mode
Turn off non-volatile cache feature
Turn off solid state mode
Apply policy to removable media
Enable disk quotas
Enforce disk quota limit
Log event when quota limit is exceeded
Log event when quota warning level is exceeded
Specify default quota limit and warning level
Configure Per-Process System DPI settings
Turn off GdiDPIScaling for applications
Turn on GdiDPIScaling for applications
Allow local activation security check exemptions
Define Activation Security Check exemptions
Allow non-administrators to install drivers for these device setup classes
Turn off Windows Update device driver search prompt
Boot-Start Driver Initialization Policy

Allow only USB root hub connected Enhanced Storage devices
Configure list of Enhanced Storage devices usable on your computer
Configure list of IEEE 1667 silos usable on your computer
Do not allow non-Enhanced Storage removable devices
Do not allow password authentication of Enhanced Storage devices
Do not allow Windows to activate Enhanced Storage devices
Lock Enhanced Storage when the computer is locked
File Classification Infrastructure: Display Classification tab in File Explorer
File Classification Infrastructure: Specify classification properties list
Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running o
Disable delete notifications on all volumes
Enable Win32 long paths
Selectively allow the evaluation of a symbolic link
Do not allow compression on all NTFS volumes
Do not allow encryption on all NTFS volumes
Enable / disable TXF deprecated features
Enable NTFS non-paged pool usage
Enable NTFS pagefile encryption
NTFS default tier
NTFS parallel flush threshold
NTFS parallel flush worker threads
Short name creation options
Redirect folders on primary computers only
Use localized subfolder names when redirecting Start Menu and My Documents
Allow cross-forest user policy and roaming user profiles
Always use local ADM files for Group Policy Object Editor
Change Group Policy processing to run asynchronously when a slow network connection is detected.
Configure Direct Access connections as a fast network connection
Configure disk quota policy processing
Configure EFS recovery policy processing
Configure folder redirection policy processing
Configure Group Policy Caching
Configure Group Policy slow link detection
Configure Internet Explorer Maintenance policy processing
Configure IP security policy processing
Configure Logon Script Delay
Configure registry policy processing

Configure scripts policy processing
Configure security policy processing
Configure software Installation policy processing
Configure user Group Policy loopback processing mode
Configure web-to-app linking with app URI handlers
Configure wired policy processing
Configure wireless policy processing
Continue experiences on this device
Determine if interactive users can generate Resultant Set of Policy data
Enable AD/DFS domain controller synchronization during policy refresh
Enable Group Policy Caching for Servers
Phone-PC linking on this device
Remove users' ability to invoke machine policy refresh
Set Group Policy refresh interval for computers
Set Group Policy refresh interval for domain controllers
Specify startup policy processing wait time
Specify workplace connectivity wait time for policy processing
Turn off background refresh of Group Policy
Turn off Group Policy Client Service AOAC optimization
Turn off Local Group Policy Objects processing
Turn off Resultant Set of Policy logging
Restrict Internet communication
Turn off access to all Windows Update features
Turn off access to the Store
Turn off Automatic Root Certificates Update
Turn off downloading of print drivers over HTTP
Turn off Event Viewer "Events.asp" links
Turn off handwriting personalization data sharing
Turn off handwriting recognition error reporting
Turn off Help and Support Center "Did you know?" content
Turn off Help and Support Center Microsoft Knowledge Base search
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
Turn off Internet download for Web publishing and online ordering wizards
Turn off Internet File Association service
Turn off printing over HTTP
Turn off Registration if URL connection is referring to Microsoft.com
Turn off Search Companion content file updates
Turn off the "Order Prints" picture task
Turn off the "Publish to Web" task for files and folders
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Windows Customer Experience Improvement Program
Turn off Windows Error Reporting
Turn off Windows Network Connectivity Status Indicator active tests
Turn off Windows Update device driver searching
Do not allow additional session logins
Do not allow changes to initiator iqn name
Do not allow changes to initiator CHAP secret
Do not allow connections without IPSec
Do not allow sessions without mutual CHAP
Do not allow sessions without one way CHAP
Do not allow adding new targets via manual configuration
Do not allow manual configuration of discovered targets
Do not allow manual configuration of iSNS servers
Do not allow manual configuration of target portals
KDC support for claims compound authentication and Kerberos armoring
KDC support for PKInit Freshness Extension
Provide information about previous logons to client computers
Request compound authentication
Use forest search order
Warning for large Kerberos tickets
Allow retrieving the cloud kerberos ticket during the logon
Always send compound authentication first
Define host name-to-Kerberos realm mappings
Define interoperable Kerberos V5 realm settings
Disable revocation checking for the SSL certificate of KDC proxy servers
Fail authentication requests when Kerberos armoring is not available
Kerberos client support for claims compound authentication and Kerberos armoring
Require strict KDC validation
Require strict target SPN match on remote procedure calls
Set maximum Kerberos SSPI context token buffer size
Specify KDC proxy servers for Kerberos clients
Support compound authentication
Support device authentication using certificate
Use forest search order
Enumeration policy for external devices incompatible with Kernel DMA Protection
Disallow changing of geographic location
Disallow copying of user input methods to the system account for sign-in
Disallow selection of Custom Locales
Disallow user override of locale settings
Restrict system locales
Restrict user locales
Allow users to select when a password is required when resuming from connected standby
Always use classic logon
Always use custom logon background
Always wait for the network at computer startup and logon
Assign a default credential provider
Assign a default domain for logon
Block user from showing account details on sign-in
Do not display network selection UI
Do not display the Getting Started welcome screen at logon
Do not enumerate connected users on domain-joined computers
Do not process the legacy run list
Do not process the run once list
Enumerate local users on domain-joined computers
Exclude credential providers
Hide entry points for Fast User Switching
Run these programs at user logon
Show clear logon background
Show first sign-in animation
Turn off app notifications on the lock screen
Turn off picture password sign-in
Turn off Windows Startup sound
Turn on convenience PIN sign-in
Turn on security key sign-in
Process Mitigation Options
Untrusted Font Blocking
Allow cryptography algorithms compatible with Windows NT 4.0
Contact PDC on logon failure
Set Netlogon share compatibility
Set scavenge interval
Set SYSVOL share compatibility
Specify expected dial-up delay on logon
Specify log file debug output level
Specify maximum log file size
Specify negative DC Discovery cache setting
Specify positive periodic DC Cache refresh for non-background callers
Specify site name
Use final DC discovery retry setting for background callers
Use initial DC discovery retry setting for background callers
Use maximum DC discovery retry interval setting for background callers
Use positive periodic DC cache refresh for background callers
Use urgent mode when pinging domain controllers
Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names
Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails
Force Rediscovery Interval
Return domain controller address type
Set Priority in the DC Locator DNS SRV records
Set TTL in the DC Locator DNS Records
Set Weight in the DC Locator DNS SRV records
Specify address lookup behavior for DC locator ping
Specify DC Locator DNS records not registered by the DCs
Specify dynamic registration of the DC Locator DNS Records
Specify Refresh Interval of the DC Locator DNS records
Specify sites covered by the application directory partition DC Locator DNS SRV records
Specify sites covered by the DC Locator DNS SRV records
Specify sites covered by the GC Locator DNS SRV Records
Try Next Closest Site
Use automated site coverage by the DC Locator DNS SRV Records
Use DNS name resolution when a single-label domain name is used by appending different registered DNS suffixes if the Allow
Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC
Use lowercase DNS host names when registering domain controller SRV records
Allow Clipboard History
Allow Clipboard synchronization across devices
Allow publishing of User Activities
Allow upload of User Activities
Enables Activity Feed
Expiration
History
Maximum PIN length
Minimum PIN length
Require digits
Require lowercase letters
Require special characters
Require uppercase letters
Select an active power plan
Specify a custom active power plan
Select the lid switch action (on battery)
Select the lid switch action (plugged in)
Select the Power button action (on battery)
Select the Power button action (plugged in)
Select the Sleep button action (on battery)
Select the Sleep button action (plugged in)
Select the Start menu Power button action (on battery)
Select the Start menu Power button action (plugged in)
Energy Saver Battery Threshold (on battery)
Energy Saver Battery Threshold (plugged in)
Turn Off the hard disk (on battery)
Turn Off the hard disk (plugged in)
Critical battery notification action
Critical battery notification level
Low battery notification action
Low battery notification level
Reserve battery notification level
Turn off low battery user notification
Turn off Power Throttling
Allow applications to prevent automatic sleep (on battery)
Allow applications to prevent automatic sleep (plugged in)
Allow automatic sleep with Open Network Files (on battery)
Allow automatic sleep with Open Network Files (plugged in)
Allow network connectivity during connected-standby (on battery)
Allow network connectivity during connected-standby (plugged in)
Allow standby states (S1-S3) when sleeping (on battery)
Allow standby states (S1-S3) when sleeping (plugged in)
Require a password when a computer wakes (on battery)
Require a password when a computer wakes (plugged in)
Specify the system hibernate timeout (on battery)
Specify the system hibernate timeout (plugged in)
Specify the system sleep timeout (on battery)
Specify the system sleep timeout (plugged in)
Specify the unattended sleep timeout (on battery)
Specify the unattended sleep timeout (plugged in)
Turn off hybrid sleep (on battery)
Turn off hybrid sleep (plugged in)
Turn on the ability for applications to prevent sleep transitions (on battery)
Turn on the ability for applications to prevent sleep transitions (plugged in)
Reduce display brightness (on battery)
Reduce display brightness (plugged in)
Specify the display dim brightness (on battery)
Specify the display dim brightness (plugged in)
Turn off adaptive display timeout (on battery)
Turn off adaptive display timeout (plugged in)
Turn off the display (on battery)
Turn off the display (plugged in)
Turn on desktop background slideshow (on battery)
Turn on desktop background slideshow (plugged in)
Allow restore of system to default state
Allow only Windows Vista or later connections
Configure Offer Remote Assistance
Configure Solicited Remote Assistance
Customize warning messages
Turn on bandwidth optimization
Turn on session logging
Enable RPC Endpoint Mapper Client Authentication
Ignore Delegation Failure
Maintain RPC Troubleshooting State Information
Propagate extended error information
Restrict Unauthenticated RPC clients
Set Minimum Idle Connection Timeout for RPC/HTTP connections
All Removable Storage classes: Deny all access
All Removable Storage: Allow direct access in remote sessions
CD and DVD: Deny execute access
CD and DVD: Deny read access
CD and DVD: Deny write access
Custom Classes: Deny read access
Custom Classes: Deny write access
Floppy Drives: Deny execute access
Floppy Drives: Deny read access
Floppy Drives: Deny write access
Removable Disks: Deny execute access
Removable Disks: Deny read access
Removable Disks: Deny write access
Set time (in seconds) to force reboot
Tape Drives: Deny execute access
Tape Drives: Deny read access
Tape Drives: Deny write access
WPD Devices: Deny read access
WPD Devices: Deny write access
Allow logon scripts when NetBIOS or WINS is disabled
Display instructions in shutdown scripts as they run
Display instructions in startup scripts as they run
Run logon scripts synchronously
Run startup scripts asynchronously
Run Windows PowerShell scripts first at computer startup shutdown
Run Windows PowerShell scripts first at user logon logoff
Specify maximum wait time for Group Policy scripts
Configure validation of ROCA-vulnerable WHfB keys during authentication
Configure the refresh interval for Server Manager
Do not display Initial Configuration Tasks window automatically at logon
Do not display Server Manager automatically at logon
Enable svchost.exe mitigation options
Require use of fast startup
Turn off automatic termination of applications that block or cancel shutdown
Allow downloading updates to the Disk Failure Prediction Model
Allow Storage Sense
Allow Storage Sense Temporary Files cleanup
Configure Storage Sense cadence
Configure Storage Sense Cloud Content dehydration threshold
Configure Storage Sense Recycle Bin cleanup threshold
Configure Storage Storage Downloads cleanup threshold
Turn off Configuration
Turn off System Restore
Diagnostics: Configure scenario execution level
Diagnostics: Configure scenario retention
Detect application failures caused by deprecated COM objects
Detect application failures caused by deprecated Windows DLLs
Detect application install failures
Detect application installers that need to be run as administrator
Detect applications unable to launch installers under UAC
Detect compatibility issues for applications and drivers
Notify blocked drivers
Configure Corrupted File Recovery behavior
Disk Diagnostic: Configure custom alert text
Disk Diagnostic: Configure execution level
Configure Scenario Execution Level
Microsoft Support Diagnostic Tool: Configure execution level
Microsoft Support Diagnostic Tool: Restrict tool download
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
Troubleshooting: Allow users to access recommended troubleshooting for known problems
Configure MSI Corrupted File Recovery behavior
Configure Scheduled Maintenance Behavior
Configure Security Policy for Scripted Diagnostics
Troubleshooting: Allow users to access and run Troubleshooting Wizards
Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control
Configure the level of TPM owner authorization information available to the operating system
Configure the list of blocked TPM commands
Configure the system to clear the TPM if it is not in a ready state.
Configure the system to use legacy Dictionary Attack Prevention Parameters setting for TPM 2.0.
Ignore the default list of blocked TPM commands
Ignore the local list of blocked TPM commands
Standard User Individual Lockout Threshold
Standard User Lockout Duration
Standard User Total Lockout Threshold
Add the Administrators security group to roaming user profiles
Control slow network connection timeout for user profiles
Delete cached copies of roaming profiles
Delete user profiles older than a specified number of days on system restart
Disable detection of slow network connections
Do not check for user ownership of Roaming Profile Folders
Do not forcefully unload the users registry at user logoff
Do not log users on with temporary profiles
Download roaming profiles on primary computers only
Establish timeout value for dialog boxes
Leave Windows Installer and Group Policy Software Installation Data
Maximum retries to unload and update user profile
Only allow local user profiles
Prevent Roaming Profile changes from propagating to the server
Prompt user when a slow network connection is detected
Set maximum wait time for the network if a user has a roaming user profile or remote home directory
Set roaming profile path for all users logging onto this computer
Set the schedule for background upload of a roaming user profile's registry file while user is logged on
Set user home folder
Turn off the advertising ID
User management of sharing user name account picture and domain information with apps (not desktop apps)
Wait for remote user profile
Hide the file scan progress window
Limit Windows File Protection cache size
Set Windows File Protection scanning
Specify Windows File Protection cache location
Global Configuration Settings
Configure Windows NTP Client
Enable Windows NTP Client
Enable Windows NTP Server
Approved Installation Sites for ActiveX Controls
Establish ActiveX installation policy for sites in Trusted zones
Prevent the wizard from running.
Allow a Windows app to share application data between users
Allow all trusted apps to install
Allow deployment operations in special profiles
Allows development of Windows Store apps and installing them from an integrated development environment (IDE)
Archive infrequently used apps
Disable installing Windows apps on non-system volumes
Not allow sideloaded apps to auto-update in the background
Not allow sideloaded apps to auto-update in the background on a metered network
Prevent non-admin users from installing packaged Windows apps
Prevent users' app data from being stored on non-system volumes
Let Windows apps access account information
Let Windows apps access an eye tracker device
Let Windows apps access call history
Let Windows apps access contacts
Let Windows apps access diagnostic information about other apps
Let Windows apps access email
Let Windows apps access location
Let Windows apps access messaging
Let Windows apps access motion
Let Windows apps access notifications
Let Windows apps access Tasks
Let Windows apps access the calendar
Let Windows apps access the camera
Let Windows apps access the microphone
Let Windows apps access trusted devices
Let Windows apps access user movements while running in the background
Let Windows apps activate with voice
Let Windows apps activate with voice while the system is locked
Let Windows apps communicate with unpaired devices
Let Windows apps control radios
Let Windows apps make phone calls
Let Windows apps run in the background
Let Windows apps take screenshots of various windows or displays
Let Windows apps turn off the screenshot border
Allow Microsoft accounts to be optional
Block launching desktop apps associated with a file.
Block launching desktop apps associated with a URI scheme
Block launching Universal Windows apps with Windows Runtime API access from hosted content.
Turn on dynamic Content URI Rules for Windows store apps
Prevent access to 16-bit applications
Remove Program Compatibility Property Page
Turn off Application Compatibility Engine
Turn off Application Telemetry
Turn off Inventory Collector
Turn off Program Compatibility Assistant
Turn off Steps Recorder
Turn off SwitchBack Compatibility Engine
Disallow Autoplay for non-volume devices
Prevent AutoPlay from remembering user choices.
Set the default behavior for AutoRun
Turn off Autoplay
Allow only system backup
Disallow locally attached storage as backup target
Disallow network as backup target
Disallow optical media as backup target
Disallow run-once backups
Allow domain users to log on using biometrics
Allow the use of biometrics
Allow users to log on using biometrics
Specify timeout for fast user switching events
Configure enhanced anti-spoofing
Choose default folder for recovery password
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
Choose drive encryption method and cipher strength (Windows 8 Windows Server 2012 Windows 8.1 Windows Server 2012 R
Choose drive encryption method and cipher strength (Windows Vista Windows Server 2008 Windows 7 Windows Server 2008
Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)
Disable new DMA devices when this computer is locked
Prevent memory overwrite on restart
Provide the unique identifiers for your organization
Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)
Validate smart card certificate usage rule compliance
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows
Choose how BitLocker-protected fixed drives can be recovered
Configure use of hardware-based encryption for fixed data drives
Configure use of passwords for fixed data drives
Configure use of smart cards on fixed data drives
Deny write access to fixed drives not protected by BitLocker
Enforce drive encryption type on fixed data drives
Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
Allow enhanced PINs for startup
Allow network unlock at startup
Allow Secure Boot for integrity validation
Choose how BitLocker-protected operating system drives can be recovered
Configure minimum PIN length for startup
Configure pre-boot recovery message and URL
Configure TPM platform validation profile (Windows Vista Windows Server 2008 Windows 7 Windows Server 2008 R2)
Configure TPM platform validation profile for BIOS-based firmware configurations
Configure TPM platform validation profile for native UEFI firmware configurations
Configure use of hardware-based encryption for operating system drives
Configure use of passwords for operating system drives
Disallow standard users from changing the PIN or password
Enable use of BitLocker authentication requiring preboot keyboard input on slates
Enforce drive encryption type on operating system drives
Require additional authentication at startup
Require additional authentication at startup (Windows Server 2008 and Windows Vista)
Reset platform validation data after BitLocker recovery
Use enhanced Boot Configuration Data validation profile
Allow access to BitLocker-protected removable data drives from earlier versions of Windows
Choose how BitLocker-protected removable drives can be recovered
Configure use of hardware-based encryption for removable data drives
Configure use of passwords for removable data drives
Configure use of smart cards on removable data drives
Control use of BitLocker on removable drives
Deny write access to removable drives not protected by BitLocker

Enforce drive encryption type on removable data drives
Allow Use of Camera
Configures the Chat icon on the taskbar
Do not show Windows tips
Turn off cloud consumer account state content
Turn off cloud optimized content
Turn off Microsoft consumer experiences
Don't allow this PC to be projected to
Require pin for pairing
Do not display the password reveal button
Enumerate administrator accounts on elevation
Prevent the use of security questions for local accounts
Require trusted path for credential entry
Allow commercial data pipeline
Allow Desktop Analytics Processing
Allow device name to be sent in Windows diagnostic data
Allow Diagnostic Data
Allow Update Compliance Processing
Allow WUfB Cloud Processing
Configure Authenticated Proxy usage for the Connected User Experience and Telemetry service
Configure collection of browsing data for Desktop Analytics
Configure Connected User Experiences and Telemetry
Configure diagnostic data opt-in change notifications
Configure diagnostic data opt-in settings user interface
Configure diagnostic data upload endpoint for Desktop Analytics
Configure the Commercial ID
Disable deleting diagnostic data
Disable diagnostic data viewer
Disable OneSettings Downloads
Do not show feedback notifications
Enable OneSettings Auditing
Limit Diagnostic Log Collection
Limit Dump Collection
Limit optional diagnostic data for Desktop Analytics
Toggle user control over Insider builds
Absolute Max Cache Size (in GB)
Allow uploads while the device is on battery while under set Battery level (percentage)
Cache Server Hostname
Cache Server Hostname Source
Delay Background download Cache Server fallback (in seconds)
Delay background download from http (in secs)
Delay Foreground download Cache Server fallback (in seconds)
Delay Foreground download from http (in secs)
Download Mode
Enable Peer Caching while the device connects via VPN
Group ID
Max Cache Age (in seconds)
Max Cache Size (percentage)
Maximum Background Download Bandwidth (in KB/s)
Maximum Background Download Bandwidth (percentage)
Maximum Foreground Download Bandwidth (in KB/s)
Maximum Foreground Download Bandwidth (percentage)
Minimum Background QoS (in KB/s)
Minimum disk size allowed to use Peer Caching (in GB)
Minimum Peer Caching Content File Size (in MB)
Minimum RAM capacity (inclusive) required to enable use of Peer Caching (in GB)
Modify Cache Drive
Monthly Upload Data Cap (in GB)
Select a method to restrict Peer Selection
Select the source of Group IDs
Set Business Hours to Limit Background Download Bandwidth
Set Business Hours to Limit Foreground Download Bandwidth
Restrict unpacking and installation of gadgets that are not digitally signed.
Turn off desktop gadgets
Turn Off user-installed desktop gadgets
Do not allow Flip3D invocation
Do not allow window animations
Use solid color for Start background
Do not allow color changes
Specify a default color
Device compatibility settings
Driver compatibility settings
Register domain joined computers as devices
Do not allow Digital Locker to run
Allow edge swipe
Disable help tips
Configure forwarder resource usage
Configure target Subscription Manager
Back up log automatically when full
Configure log access
Configure log access (legacy)
Control Event Log behavior when the log file reaches its maximum size
Control the location of the log file
Specify the maximum log file size (KB)
Turn on logging
Enable Protected Event Logging
Events.asp program
Events.asp program command line parameters
Events.asp URL
Allow the use of remote paths in file shortcut icons
Configure Windows Defender SmartScreen
Disable binding directly to IPropertySetStorage without intermediate layers.
Do not reinitialize a pre-existing roamed user profile when it is loaded on a machine for the first time
Do not show the 'new application installed' notification
Location where all default Library definition files for users/machines reside.
Set a default associations configuration file
Set a support web page link
Show hibernate in the power options menu
Show lock in the user tile menu
Show sleep in the power options menu
Start File Explorer with ribbon minimized
Turn off Data Execution Prevention for Explorer
Turn off heap termination on corruption
Turn off numerical sorting in File Explorer
Turn off shell protocol protected mode
Verify old and new Folder Redirection targets point to the same share before redirecting
Hide previous versions list for local files
Hide previous versions list for remote files
Hide previous versions of files on backup location
Prevent restoring local previous versions
Prevent restoring previous versions from backups
Prevent restoring remote previous versions
Turn off File History
Turn On/Off Find My Device
Handwriting Panel Default Mode Docked
Prevent the computer from joining a homegroup
Force Instant Lock
Force Instant Wake
Lock Timeout
Add a specific list of search providers to the user's list of search providers
Allow "Save Target As" in Internet Explorer mode
Allow Internet Explorer 8 shutdown behavior
Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
Automatically activate newly installed add-ons
Configure which channel of Microsoft Edge to use for opening redirected sites
Customize user agent string
Disable Automatic Install of Internet Explorer components
Disable changing Automatic Configuration settings
Disable changing connection settings
Disable changing secondary home page settings
Disable Import/Export Settings wizard
Disable Internet Explorer 11 as a standalone browser
Disable Periodic Check for Internet Explorer software updates
Disable showing the splash screen
Disable software update shell notifications on program launch
Do not allow users to enable or disable add-ons
Enable extended hot keys in Internet Explorer mode
Enforce full-screen mode
Install new versions of Internet Explorer automatically
Keep all intranet sites in Internet Explorer
Let users turn on and use Enterprise Mode from the Tools menu
Limit Site Discovery output by Domain
Limit Site Discovery output by Zone
Make proxy settings per-machine (rather than per-user)
Pop-up allow list
Prevent "Fix settings" functionality
Prevent access to Internet Explorer Help
Prevent bypassing SmartScreen Filter warnings
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from t
Prevent changing pop-up filter level
Prevent changing proxy settings
Prevent changing the default search provider
Prevent configuration of how windows open
Prevent configuration of new tab creation
Prevent Internet Explorer Search box from appearing
Prevent managing pop-up exception list
Prevent managing SmartScreen Filter
Prevent managing the phishing filter
Prevent participation in the Customer Experience Improvement Program
Prevent per-user installation of ActiveX controls
Prevent running First Run wizard
Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC.
Restrict search providers to a specific list
Security Zones: Do not allow users to add/delete sites
Security Zones: Do not allow users to change policies
Security Zones: Use only machine settings
Send all sites not included in the Enterprise Mode Site List to Microsoft Edge
Set tab process growth
Show message when opening sites in Microsoft Edge using Enterprise Mode
Specify default behavior for a new tab
Specify use of ActiveX Installer Service for installation of ActiveX controls
Turn off ability to pin sites in Internet Explorer on the desktop
Turn off ActiveX Opt-In prompt
Turn off add-on performance notifications
Turn off Automatic Crash Recovery
Turn off browser geolocation
Turn off configuration of pop-up windows in tabbed browsing
Turn off Crash Detection
Turn off Favorites bar
Turn off Managing SmartScreen Filter for Internet Explorer 8
Turn off page-zooming functionality
Turn off pop-up management
Turn off Quick Tabs functionality
Turn off Reopen Last Browsing Session
Turn off suggestions for all user-installed providers
Turn off tabbed browsing
Turn off the auto-complete feature for web addresses
Turn off the quick pick menu
Turn off the Security Settings Check feature
Turn on ActiveX Filtering
Turn on compatibility logging
Turn on menu bar by default
Turn on Site Discovery WMI output
Turn on Site Discovery XML output
Turn on Suggested Sites
Use the Enterprise Mode IE website list
Add default Accelerators
Add non-default Accelerators
Restrict Accelerators to those deployed through Group Policy
Turn off Accelerators
Bypass prompting for Clipboard access for scripts running in any process
Bypass prompting for Clipboard access for scripts running in the Internet Explorer process
Define applications and processes that can access the Clipboard without prompting
Turn off Print Menu
Turn off the ability to launch report site problems using a menu option
Include updated website lists from Microsoft
Turn off Compatibility View
Turn off Compatibility View button
Turn on Internet Explorer 7 Standards Mode
Turn on Internet Explorer Standards Mode for local intranet
Use Policy List of Internet Explorer 7 sites
Use Policy List of Quirks Mode sites
Prevent specifying the code download path for each computer
Allow deleting browsing history on exit
Disable "Configuring History"
Prevent access to Delete Browsing History
Prevent deleting ActiveX Filtering Tracking Protection and Do Not Track data
Prevent deleting cookies
Prevent deleting download history
Prevent deleting favorites site data
Prevent deleting form data
Prevent deleting InPrivate Filtering data
Prevent deleting passwords
Prevent deleting temporary Internet files
Prevent deleting websites that the user has visited
Prevent the deletion of temporary Internet files and cookies
Disable the Advanced page
Disable the Connections page
Disable the Content page
Disable the General page
Disable the Privacy page
Disable the Programs page
Disable the Security page
Prevent ignoring certificate errors
Send internationalized domain names
Use UTF-8 for mailto links
Allow active content from CDs to run on user machines
Allow Install On Demand (except Internet Explorer)
Allow Install On Demand (Internet Explorer)
Allow Internet Explorer to use the HTTP2 network protocol
Allow Internet Explorer to use the SPDY/3 network protocol
Allow software to run or install even if the signature is invalid
Allow third-party browser extensions
Always send Do Not Track header
Automatically check for Internet Explorer updates
Check for server certificate revocation
Check for signatures on downloaded programs
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
Do not allow resetting Internet Explorer settings
Do not save encrypted pages to disk
Empty Temporary Internet Files folder when browser is closed
Play animations in web pages
Play sounds in web pages
Play videos in web pages
Turn off ClearType
Turn off encryption support
Turn off loading websites and content in the background to optimize performance
Turn off Profile Assistant
Turn off sending UTF-8 query strings for URLs
Turn off the flip ahead with page prediction feature
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Wind
Turn on Caret Browsing support
Turn on Enhanced Protected Mode
Use HTTP 1.1
Use HTTP 1.1 through proxy connections
Show Content Advisor on Internet Options
Start Internet Explorer with tabs from last browsing session
Allow websites to store application caches on client computers
Allow websites to store indexed databases on client computers
Set application cache storage limits for individual domains
Set application caches expiration time limit for individual domains
Set default storage limits for websites
Set indexed database storage limits for individual domains
Set maximum application cache individual resource size
Set maximum application cache resource list size
Set maximum application caches storage limit for all domains
Set maximum indexed database storage limit for all domains
Internet Zone Template
Intranet Sites: Include all local (intranet) sites not listed in other zones
Intranet Sites: Include all network paths (UNCs)
Intranet Sites: Include all sites that bypass the proxy server
Intranet Zone Template
Local Machine Zone Template
Locked-Down Internet Zone Template
Locked-Down Intranet Zone Template
Locked-Down Local Machine Zone Template
Locked-Down Restricted Sites Zone Template
Locked-Down Trusted Sites Zone Template
Restricted Sites Zone Template
Site to Zone Assignment List
Trusted Sites Zone Template
Turn on automatic detection of intranet
Turn on certificate address mismatch warning
Turn on Notification bar notification for intranet content
Access data sources across domains
Allow active content over restricted protocols to access my computer
Allow active scripting
Allow binary and script behaviors
Allow cut copy or paste operations from the clipboard via script
Allow drag and drop or copy and paste files
Allow file downloads
Allow font downloads
Allow installation of desktop items
Allow loading of XAML Browser Applications
Allow loading of XAML files
Allow loading of XPS files
Allow META REFRESH
Allow only approved domains to use ActiveX controls without prompt
Allow only approved domains to use the TDC ActiveX control
Allow OpenSearch queries in File Explorer
Allow previewing and custom thumbnails of OpenSearch query results in File Explorer
Allow scripting of Internet Explorer WebBrowser controls
Allow script-initiated windows without size or position constraints
Allow scriptlets
Allow updates to status bar via script
Allow VBScript to run in Internet Explorer
Allow video and animation on a webpage that uses an older media player
Allow websites to open windows without status bar or Address bar
Allow websites to prompt for information by using scripted windows
Automatic prompting for ActiveX controls
Automatic prompting for file downloads
Display mixed content
Do not prompt for client certificate selection when no certificates or only one certificate exists.
Don't run antimalware programs against ActiveX controls
Download signed ActiveX controls
Download unsigned ActiveX controls
Enable dragging of content from different domains across windows
Enable dragging of content from different domains within a window
Enable MIME Sniffing
Include local path when user is uploading files to a server
Initialize and script ActiveX controls not marked as safe
Java permissions
Launching applications and files in an IFRAME
Logon options
Navigate windows and frames across different domains
Render legacy filters
Run .NET Framework-reliant components not signed with Authenticode
Run .NET Framework-reliant components signed with Authenticode
Run ActiveX controls and plugins
Script ActiveX controls marked safe for scripting
Scripting of Java applets
Show security warning for potentially unsafe files
Software channel permissions
Submit non-encrypted form data
Turn off .NET Framework Setup
Turn off first-run prompt
Turn on Cross-Site Scripting Filter
Turn on Protected Mode
Turn on SmartScreen Filter scan
Use Pop-up Blocker
Userdata persistence
Web sites in less privileged Web content zones can navigate into this zone
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Open Internet Explorer tiles on the desktop
Set how links are opened in Internet Explorer
Go to an intranet site for a one-word entry in the Address bar
Hide the button (next to the New Tab button) that opens Microsoft Edge
Turn off phone number detection
Allow Internet Explorer to play media files that use alternative codecs
Prevent configuration of search on Address bar
Prevent configuration of top-result search on Address bar
Turn off URL Suggestions
Turn off Windows Search AutoComplete
Prevent specifying cipher strength update information URLs
Prevent changing the URL for checking updates to Internet Explorer and Internet Tools
Prevent specifying the update check interval (in days)
Establish InPrivate Filtering threshold
Establish Tracking Protection threshold
Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts
Turn off collection of InPrivate Filtering data
Turn off InPrivate Browsing
Turn off InPrivate Filtering
Turn off Tracking Protection
Allow fallback to SSL 3.0 (Internet Explorer)
Do not display the reveal password button
Turn off Data Execution Prevention
Turn off Data URI support
Add-on List
All Processes
Deny all add-ons unless specifically allowed in the Add-on List
Process List
Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
Turn off blocking of outdated ActiveX controls for Internet Explorer
Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
Turn on ActiveX control logging in Internet Explorer
Allow native XMLHTTP support
Change the maximum number of connections per host (HTTP 1.1)
Maximum number of connections per server (HTTP 1.0)
Set the maximum number of WebSocket connections per server
Turn off cross-document messaging
Turn off the WebSocket Object
Turn off the XDomainRequest object
Admin-approved behaviors
All Processes
Install binaries signed by MD2 and MD4 signing technologies
Internet Explorer Processes
Process List
All Processes

Process List
All Processes
Process List
All Processes

Process List
All Processes

Process List
All Processes
Process List
Internet Zone Restricted Protocols
Intranet Zone Restricted Protocols
Local Machine Zone Restricted Protocols
Restricted Sites Zone Restricted Protocols
Trusted Sites Zone Restricted Protocols
All Processes

Process List
All Processes
Process List
All Processes

Process List
All Processes

Process List
All Processes

Process List
All Processes

Process List
Customize command labels
Display tabs on a separate row
Hide the Command bar
Hide the status bar
Lock all toolbars
Lock location of Stop and Refresh buttons
Turn off Developer Tools
Turn off toolbar upgrade tool
Use large icons for command buttons
Prevent IIS installation
Turn off location
Turn off location scripting
Turn off sensors
Turn off Windows Location Provider
Automatic Maintenance Activation Boundary
Automatic Maintenance Random Delay
Automatic Maintenance WakeUp Policy
Turn off Automatic Download and Update of Map Data
Turn off unsolicited network traffic on the Offline Maps settings page
Disable MDM Enrollment
Enable automatic MDM enrollment using default Azure AD credentials
Allow Message Service Cloud Sync
Block all consumer Microsoft account user authentication
Allow antimalware service to remain running always
Allow antimalware service to startup with normal priority
Configure detection for potentially unwanted applications
Configure local administrator merge behavior for lists
Configure scheduled task times randomization window
Define addresses to bypass proxy server
Define proxy auto-config (.pac) for connecting to the network
Define proxy server for connecting to the network
Define the directory path to copy support log files
Randomize scheduled task times
Turn off Microsoft Defender Antivirus
Turn off routine remediation
Display additional text to clients when they need to perform an action
Enable headless UI mode
Suppress all notifications
Suppresses reboot notifications
Define device control policy groups
Define device control policy rules
Extension Exclusions
Ip Address Exclusions
Path Exclusions
Process Exclusions
Turn off Auto Exclusions
Configure local setting override for reporting to Microsoft MAPS
Configure the 'Block at First Sight' feature
Join Microsoft MAPS
Send file samples when further analysis is required
Configure Attack Surface Reduction rules

Exclude files and paths from Attack Surface Reduction Rules
Configure allowed applications
Configure Controlled folder access
Configure protected folders
Prevent users and apps from accessing dangerous websites
This settings controls whether Network Protection is allowed to be configured into block or audit mode on Windows Server.
Configure extended cloud check
Enable file hash computation feature
Select cloud protection level
Specify additional definition sets for network traffic inspection
This setting controls datagram processing for network protection.
Turn on definition retirement
Turn on protocol recognition
Configure local setting override for the removal of items from Quarantine folder
Configure removal of items from Quarantine folder
Configure local setting override for monitoring file and program activity on your computer
Configure local setting override for monitoring for incoming and outgoing file activity
Configure local setting override for scanning all downloaded files and attachments
Configure local setting override for turn on behavior monitoring
Configure local setting override to turn on real-time protection
Configure monitoring for incoming and outgoing file and program activity
Define the maximum size of downloaded files and attachments to be scanned
Monitor file and program activity on your computer
Scan all downloaded files and attachments
Turn off real-time protection
Turn on behavior monitoring
Turn on process scanning whenever real-time protection is enabled
Turn on raw volume write notifications
Turn on script scanning
Configure local setting override for the time of day to run a scheduled full scan to complete remediation
Specify the day of the week to run a scheduled full scan to complete remediation
Specify the time of day to run a scheduled full scan to complete remediation
Configure time out for detections in critically failed state
Configure time out for detections in non-critical failed state
Configure time out for detections in recently remediated state
Configure time out for detections requiring additional action
Configure Watson events
Configure Windows software trace preprocessor components
Configure WPP tracing level
Turn off enhanced notifications
Allow users to pause scan
Check for the latest virus and spyware security intelligence before running a scheduled scan
Configure local setting override for maximum percentage of CPU utilization
Configure local setting override for schedule scan day
Configure local setting override for scheduled quick scan time
Configure local setting override for scheduled scan time
Configure local setting override for the scan type to use for a scheduled scan
Configure low CPU priority for scheduled scans
Create a system restore point
Define the number of days after which a catch-up scan is forced
Run full scan on mapped network drives
Scan archive files
Scan network files
Scan removable drives
Specify the day of the week to run a scheduled scan
Specify the interval to run quick scans per day
Specify the maximum depth to scan archive files
Specify the maximum percentage of CPU utilization during a scan
Specify the maximum size of archive files to be scanned
Specify the scan type to use for a scheduled scan
Specify the time for a daily quick scan
Specify the time of day to run a scheduled scan
Start the scheduled scan only when computer is on but not in use
Turn on catch-up full scan
Turn on catch-up quick scan
Turn on e-mail scanning
Turn on heuristics
Turn on removal of items from scan history folder
Turn on reparse point scanning
Allow notifications to disable security intelligence based reports to Microsoft MAPS
Allow real-time security intelligence updates based on reports to Microsoft MAPS
Allow security intelligence updates from Microsoft Update
Allow security intelligence updates when running on battery power
Allows Microsoft Defender Antivirus to update and communicate over a metered connection.
Check for the latest virus and spyware security intelligence on startup
Define file shares for downloading security intelligence updates
Define security intelligence location for VDI clients.
Define the number of days after which a catch-up security intelligence update is required
Define the number of days before spyware security intelligence is considered out of date
Define the number of days before virus security intelligence is considered out of date
Define the order of sources for downloading security intelligence updates
Initiate security intelligence update on startup
Specify the day of the week to check for security intelligence updates
Specify the interval to check for security intelligence updates
Specify the time to check for security intelligence updates
Turn on scan after security intelligence update
Specify threat alert levels at which default action should not be taken when detected
Specify threats upon which default action should not be taken when detected
Allow auditing events in Microsoft Defender Application Guard
Allow camera and microphone access in Microsoft Defender Application Guard
Allow data persistence for Microsoft Defender Application Guard
Allow files to download and save to the host operating system from Microsoft Defender Application Guard
Allow hardware-accelerated rendering for Microsoft Defender Application Guard
Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user’s device
Configure Microsoft Defender Application Guard clipboard settings
Configure Microsoft Defender Application Guard print settings
Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer
Turn on Microsoft Defender Application Guard in Managed Mode
Use a common set of exploit protection settings
Allow a shared Books folder
Allow Address bar drop-down list suggestions
Allow Adobe Flash
Allow clearing browsing data on exit
Allow configuration updates for the Books Library
Allow Developer Tools
Allow extended telemetry for the Books tab
Allow Extensions
Allow FullScreen Mode
Allow InPrivate browsing
Allow Microsoft Compatibility List
Allow Microsoft Edge to pre-launch at Windows startup when the system is idle and each time Microsoft Edge is closed
Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed
Allow printing
Allow Saving History
Allow search engine customization
Allow Sideloading of extension
Allow web content on New Tab page
Always show the Books Library in Microsoft Edge
Configure additional search engines
Configure Autofill
Configure cookies
Configure Do Not Track
Configure Favorites
Configure Favorites Bar
Configure Home Button
Configure kiosk mode
Configure kiosk reset after idle timeout
Configure Open Microsoft Edge With
Configure Password Manager
Configure Pop-up Blocker
Configure search suggestions in Address bar
Configure Start pages
Configure the Adobe Flash Click-to-Run setting
Configure the Enterprise Mode Site List
Disable lockdown of Start pages
For PDF files that have both landscape and portrait pages print each in its own orientation.
Keep favorites in sync between Internet Explorer and Microsoft Edge
Prevent access to the about:flags page in Microsoft Edge
Prevent bypassing Windows Defender SmartScreen prompts for files
Prevent bypassing Windows Defender SmartScreen prompts for sites
Prevent certificate error overrides
Prevent changes to Favorites on Microsoft Edge
Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
Prevent the First Run webpage from opening on Microsoft Edge
Prevent turning off required extensions
Prevent using Localhost IP address for WebRTC
Provision Favorites
Send all intranet sites to Internet Explorer 11
Set default search engine
Set Home Button URL
Set New Tab page URL
Show message when opening sites in Internet Explorer
Unlock Home Button
Allow companion device for secondary authentication
Configure Sync Method
Contact IT Link Text
Contact IT URL
Do not synchronize Windows Apps
Enable UEV
First Use Notification
Ping the settings storage location before sync
Settings package size warning threshold
Settings storage path
Settings template catalog path
Sync settings over metered connections
Sync settings over metered connections even when roaming
Sync Unlisted Windows Apps
Synchronization timeout
Synchronize Windows settings
Tray Icon
Use User Experience Virtualization (UE-V)
VDI Configuration
Access 2013 backup only
Calculator
Common 2013 backup only
Excel 2013 backup only
InfoPath 2013 backup only
Internet Explorer 10
Internet Explorer 8
Internet Explorer 9
Internet Explorer Common Settings
Lync 2013 backup only
Microsoft Access 2010
Microsoft Excel 2010
Microsoft InfoPath 2010
Microsoft Lync 2010
Microsoft Lync 2013
Microsoft Lync 2016
Microsoft Office 2010 Common Settings
Microsoft Office 2013 Upload Center
Microsoft Office 365 Access 2013
Microsoft Office 365 Common 2013
Microsoft Office 365 Excel 2013
Microsoft Office 365 InfoPath 2013
Microsoft Office 365 Lync 2013
Microsoft Office 365 OneNote 2013
Microsoft Office 365 Outlook 2013
Microsoft Office 365 PowerPoint 2013
Microsoft Office 365 Project 2013
Microsoft Office 365 Publisher 2013
Microsoft Office 365 SharePoint Designer 2013
Microsoft Office 365 Visio 2013
Microsoft Office 365 Word 2013
Microsoft OneDrive for Business 2013
Microsoft OneNote 2010
Microsoft Outlook 2010
Microsoft PowerPoint 2010
Microsoft Project 2010
Microsoft Publisher 2010
Microsoft SharePoint Designer 2010
Microsoft SharePoint Workspace 2010
Microsoft Visio 2010
Microsoft Word 2010
Microsoft Word 2013
Microsoft Word 2016
Notepad
OneNote 2013 backup only
Outlook 2013 backup only
PowerPoint 2013 backup only
Project 2013 backup only
Publisher 2013 backup only
SharePoint Designer 2013 backup only
Visio 2013 backup only
Word 2013 backup only
WordPad
Finance
Games
Maps
Music
News
Reader
Sports
Travel
Video
Weather
Disable remote Desktop Sharing
Prevent OneDrive files from syncing over metered connections
Prevent OneDrive from generating network traffic until the user signs in to OneDrive
Prevent the usage of OneDrive for file storage
Prevent the usage of OneDrive for file storage on Windows 8.1
Save documents to OneDrive by default
Turn off Active Help
Don't launch privacy settings experience on user logon
Allow hibernate (S4) when starting from a Windows To Go workspace
Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace
Windows To Go Default Startup Options
Turn off Windows presentation settings
Turn off Push To Install service
License server security group
Prevent license upgrade
Allow .rdp files from unknown publishers
Allow .rdp files from valid publishers and user's default .rdp settings
Configure server authentication for client
Do not allow hardware accelerated decoding
Do not allow passwords to be saved
Prompt for credentials on the client computer
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
Turn Off UDP On Client
Allow RDP redirection of other supported RemoteFX USB devices from this computer
Allow users to connect remotely by using Remote Desktop Services
Automatic reconnection
Configure keep-alive connection interval
Deny logoff of an administrator logged in to the console session
Limit number of connections
Restrict Remote Desktop Services users to a single Remote Desktop Services session
Select network detection on the server
Select RDP transport protocols
Set rules for remote control of Remote Desktop Services user sessions
Suspend user sign-in to complete app registration
Allow audio and video playback redirection
Allow audio recording redirection
Allow time zone redirection
Allow UI Automation redirection
Do not allow Clipboard redirection
Do not allow COM port redirection
Do not allow drive redirection
Do not allow location redirection
Do not allow LPT port redirection
Do not allow smart card device redirection
Do not allow supported Plug and Play device redirection
Do not allow video capture redirection
Limit audio playback quality
Hide notifications about RD Licensing problems that affect the RD Session Host server
Set the Remote Desktop licensing mode
Use the specified Remote Desktop license servers
Do not allow client printer redirection
Do not set default client printer to be default printer in a session
Specify RD Session Host server fallback printer driver behavior
Use Remote Desktop Easy Print printer driver first
Limit the size of the entire roaming user profile cache
Set path for Remote Desktop Services Roaming User Profile
Set Remote Desktop Services User Home Directory
Use mandatory profiles on the RD Session Host server
Configure RD Connection Broker farm name
Configure RD Connection Broker server name
Join RD Connection Broker
Use IP Address Redirection
Always show desktop on connection
Configure compression for RemoteFX data
Configure H.264/AVC hardware encoding for Remote Desktop Connections
Configure image quality for RemoteFX Adaptive Graphics
Configure RemoteFX Adaptive Graphics
Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1
Enforce Removal of Remote Desktop Wallpaper
Limit maximum color depth
Limit maximum display resolution
Limit number of monitors
Prioritize H.264/AVC 444 graphics mode for Remote Desktop Connections
Remove "Disconnect" option from Shut Down dialog
Remove Windows Security item from Start menu
Start a program on connection
Use advanced RemoteFX graphics for RemoteApp
Use hardware graphics adapters for all Remote Desktop Services sessions
Use WDDM graphics display driver for Remote Desktop Connections
Configure RemoteFX
Optimize visual experience for Remote Desktop Service Sessions
Optimize visual experience when using RemoteFX
Always prompt for password upon connection
Do not allow local administrators to customize permissions
Require secure RPC communication
Require use of specific security layer for remote (RDP) connections
Require user authentication for remote connections by using Network Level Authentication
Server authentication certificate template
Set client connection encryption level
End session when time limits are reached
Set time limit for active but idle Remote Desktop Services sessions
Set time limit for active Remote Desktop Services sessions
Set time limit for disconnected sessions
Do not delete temp folders upon exit
Do not use temporary folders per session
Prevent access to feed list
Prevent automatic discovery of feeds and Web Slices
Prevent downloading of enclosures
Prevent subscribing to or deleting a feed or a Web Slice
Turn off background synchronization for feeds and Web Slices
Turn on Basic feed authentication over HTTP
Add primary intranet search location
Add secondary intranet search locations
Allow Cloud Search
Allow Cortana
Allow Cortana above lock screen
Allow Cortana Page in OOBE on an AAD account
Allow indexing of encrypted files
Allow search and Cortana to use location
Allow use of diacritics
Always use automatic language detection when indexing content and properties
Control rich previews for attachments
Default excluded paths
Default indexed paths
Disable indexer backoff
Do not allow locations on removable drives to be added to libraries
Do not allow web search
Don't search the web or display web results in Search
Don't search the web or display web results in Search over metered connections
Enable indexing of online delegate mailboxes
Enable indexing uncached Exchange folders
Enable throttling for online mail indexing
Indexer data location
Prevent adding UNC locations to index from Control Panel
Prevent adding user-specified locations to the All Locations menu
Prevent automatically adding shared folders to the Windows Search index
Prevent clients from querying the index remotely
Prevent customization of indexed locations in Control Panel
Prevent indexing certain paths
Prevent indexing e-mail attachments
Prevent indexing files in offline files cache
Prevent indexing Microsoft Office Outlook
Prevent indexing of certain file types
Prevent indexing public folders
Prevent indexing when running on battery power to conserve energy
Prevent the display of advanced indexing options for Windows Search in the Control Panel
Prevent unwanted iFilters and protocol handlers
Preview pane location
Set large or small icon view in desktop search results
Set the SafeSearch setting for Search
Set what information is shared in Search
Stop indexing in the event of limited hard drive space
Turn on Security Center (Domain PCs only)
Timeout for hung logon sessions during shutdown
Turn off legacy remote shutdown interface
Allow certificates with no extended key usage certificate attribute
Allow ECC certificates to be used for logon and authentication
Allow Integrated Unblock screen to be displayed at the time of logon
Allow signature keys valid for Logon
Allow time invalid certificates
Allow user name hint
Configure root certificate clean up
Display string when smart card is blocked
Filter duplicate logon certificates
Force the reading of all certificates from the smart card
Notify user of successful smart card driver installation
Prevent plaintext PINs from being returned by Credential Manager
Reverse the subject name stored in a certificate when displaying
Turn on certificate propagation from smart card
Turn on root certificate propagation from smart card
Turn on Smart Card Plug and Play service
Control Device Reactivation for Retail devices
Turn off KMS Client Online AVS Validation
Do not allow Sound Recorder to run
Allow Automatic Update of Speech Data
Disable all apps from Microsoft Store
Only display the private store within the Microsoft Store
Turn off Automatic Download and Install of updates
Turn off Automatic Download of updates on Win8 machines
Turn off the offer to update to the latest version of Windows
Turn off the Store application
Do not sync
Do not sync app settings
Do not sync Apps
Do not sync browser settings
Do not sync desktop personalization
Do not sync on metered connections
Do not sync other Windows settings
Do not sync passwords
Do not sync personalize
Do not sync start settings
Do not allow Inkball to run
Do not allow printing to Journal Note Writer
Do not allow Snipping Tool to run
Do not allow Windows Journal to be run
Turn off pen feedback
Prevent Back-ESC mapping
Prevent launch an application
Prevent press and hold
Turn off hardware buttons
Disable text prediction
For tablet pen input don’t show the Input Panel icon
For touch input don’t show the Input Panel icon
Include rarely used Chinese Kanji or Hanja characters
Prevent Input Panel tab from appearing
Turn off AutoComplete integration with Input Panel
Turn off password security in Input Panel
Turn off tolerant and Z-shaped scratch-out gestures
Prevent Flicks Learning Mode
Prevent flicks
Turn off Tablet PC Pen Training
Turn off Tablet PC touch input
Turn off Touch Panning
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard
Hide Property Pages
Prevent Task Run or End
Prohibit Browse
Prohibit Drag-and-Drop
Prohibit New Task Creation
Prohibit Task Deletion
Cloud Policy Details
Allow uninstallation of language features when a language is uninstalled
Improve inking and typing recognition
Allow widgets
Turn off Windows Calendar
Prohibit installing or uninstalling color profiles
Allow Corporate redirection of Customer Experience Improvement uploads
Tag Windows Customer Experience Improvement data with Study Identifier
Configure App Install Control
Automatically send memory dumps for OS-generated error reports
Configure Error Reporting
Disable logging
Disable Windows Error Reporting
Display Error Notification
Do not send additional data
Do not throttle additional data
Prevent display of the user interface for critical errors
Send additional data when on battery power
Send data when on connected to a restricted/costed network
Configure Corporate Windows Error Reporting
Configure Report Archive
Configure Report Queue
Default application reporting settings
List of applications to always report errors for
List of applications to be excluded
List of applications to never report errors for
Report operating system errors
Report unplanned shutdown events
Configure Default consent
Customize consent settings
Ignore custom consent settings
Enables or disables Windows Game Recording and Broadcasting
Allow enumeration of emulated smart card for all users
Configure device unlock factors
Configure dynamic lock factors
Turn off smart card emulation
Use a hardware security device
Use biometrics
Use certificate for on-premises authentication
Use cloud trust for on-premises authentication
Use PIN Recovery
Use Windows Hello for Business
Use Windows Hello for Business certificates as smart card certificates
Allow suggested apps in Windows Ink Workspace
Allow Windows Ink Workspace
Allow user control over installs
Allow users to browse for source while elevated
Allow users to patch elevated products
Allow users to use media source while elevated
Always install with elevated privileges
Control maximum size of baseline file cache
Enforce upgrade component rules
Prevent embedded UI
Prevent Internet Explorer security prompt for Windows Installer scripts
Prevent users from using Windows Installer to install updates and upgrades
Prohibit flyweight patching
Prohibit non-administrators from applying vendor signed updates
Prohibit removal of updates
Prohibit rollback
Prohibit use of Restart Manager
Prohibit User Installs
Remove browse dialog box for new source
Save copies of transform files in a secure location on workstation
Specify the types of events Windows Installer records in its transaction log
Turn off creation of System Restore checkpoints
Turn off logging via package settings
Turn off shared components
Turn off Windows Installer
Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
Disable or enable software Secure Attention Sequence
Display information about previous logons during user logon
Report when logon server was not available during user logon
Sign-in and lock last interactive user automatically after a restart
Prevent Windows Media DRM Internet Access
Do Not Show First Use Dialog Boxes
Prevent Automatic Updates
Prevent Desktop Shortcut Creation
Prevent Media Sharing
Prevent Quick Launch Toolbar Shortcut Creation
Prevent Video Smoothing
Do not allow Windows Messenger to be run
Do not automatically start Windows Messenger initially
Turn off Windows Mobility Center
Set the default source path for Update-Help
Turn on Module Logging
Turn on PowerShell Script Block Logging

Turn on PowerShell Transcription
Turn on Script Execution
Configure Reliability WMI Providers
Allow Basic authentication
Allow CredSSP authentication
Allow unencrypted traffic
Disallow Digest authentication
Disallow Kerberos authentication
Disallow Negotiate authentication
Trusted Hosts
Allow Basic authentication
Allow CredSSP authentication
Allow remote server management through WinRM
Allow unencrypted traffic
Disallow Kerberos authentication
Disallow Negotiate authentication
Disallow WinRM from storing RunAs credentials
Specify channel binding token hardening level
Turn On Compatibility HTTP Listener
Turn On Compatibility HTTPS Listener
Allow Remote Shell Access
MaxConcurrentUsers
Specify idle Timeout
Specify maximum amount of memory in MB per Shell
Specify maximum number of processes per Shell
Specify maximum number of remote shells per user
Specify Shell Timeout
Allow audio input in Windows Sandbox
Allow clipboard sharing with Windows Sandbox
Allow networking in Windows Sandbox
Allow printer sharing with Windows Sandbox
Allow vGPU sharing for Windows Sandbox
Allow video input in Windows Sandbox
Hide the Account protection area
Hide the App and browser protection area
Prevent users from modifying settings
Hide the Device performance and health area
Disable the Clear TPM button
Hide the Device security area
Hide the Secure boot area
Hide the Security processor (TPM) troubleshooter page
Hide the TPM Firmware Update recommendation.
Configure customized contact information
Configure customized notifications
Specify contact company name
Specify contact email address or Email ID
Specify contact phone number or Skype ID
Specify contact website
Hide the Family options area
Hide the Firewall and network protection area
Hide all notifications
Hide non-critical notifications
Hide Windows Security Systray
Hide the Ransomware data recovery area
Hide the Virus and threat protection area
Allow Automatic Updates immediate installation
Allow non-administrators to receive update notifications
Configure auto-restart reminder notifications for updates
Configure auto-restart required notification for updates
Configure auto-restart warning notifications schedule for updates
Delay Restart for scheduled installations
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Do not allow update deferral policies to cause scans against Windows Update
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
No auto-restart with logged on users for scheduled automatic updates installations
Re-prompt for restart with scheduled installations
Reschedule Automatic Updates scheduled installations
Specify deadline before auto-restart for update installation
Specify Engaged restart transition and notification schedule for updates
Turn off auto-restart notifications for update installations
Turn on recommended updates via Automatic Updates
Turn on Software Notifications
Allow updates to be downloaded automatically over metered connections
Always automatically restart at the scheduled time
Configure Automatic Updates
Display options for update notifications
Remove access to "Pause updates" feature
Remove access to use all Windows Update features
Specify active hours range for auto-restarts
Specify deadlines for automatic updates and restarts
Turn off auto-restart for updates during active hours
Update Power Policy for Cart Restarts
Allow signed updates from an intranet Microsoft update service location
Automatic Updates detection frequency
Do not connect to any Windows Update Internet locations
Enable client-side targeting
Specify intranet Microsoft update service location
Specify source service for specific classes of Windows Updates
Disable safeguards for Feature Updates
Do not include drivers with Windows Updates
Manage preview builds
Select the target Feature Update version
Select when Preview Builds and Feature Updates are received
Select when Quality Updates are received
Force automatic setup for all users
Windows 11
Enabled
Enabled
Enabled
Enabled
Disable driver (recommended)

Disabled
Enabled
Enabled
P-node (recommended)
Disabled
mended except for highly secure environments)

ecure environments)
ure environments)
Highest protection, source routing is completely disabled
Highest protection, source routing is completely disabled
d lead to DoS)
Disabled
secure environments)
Enabled
resses (could lead to DoS)
d expires (0 recommended)
ection request is not acknowledged

nsmitted (3 recommended 5 is default)
tted (3 recommended 5 is default)
will generate a warning
ackground transfers
nd transfers
Enabled
Disabled
Enabled
Enabled
\\*\SYSVOL = RequireIntegrity=1
RequireMutualAuthentication=1
\\*\NETLOGON = RequireIntegrity=1
RequireMutualAuthentication=1
Enabled
Disabled
crosoft XPS format (*.xps)

Enabled
Force Updated Clients
Enabled
Enabled
Virtualization Based Protection of Code Integrity = Enabled with UEFI lock
Credential Guard Configuration = Enabled with UEFI lock
Select Platform Security Level = Secure Boot
Secure Launch Configuration = Enabled
Require UEFI Memory Attributes Table = True
mpt creation of a restore point
software during installation

s all device match criteria
Enabled
Also apply to matching devices that are already installed = True
1 = {d48179be-ec20-11d1-b6b8-00c04fa372a7}
Enabled
Good, unknown and bad but critical
hare Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file s
is detected.
Enabled
Process even if the Group Policy objects have not changed = True
Do not apply during periodic background processing = False
Enabled
Enabled
Enabled
Block all
Disabled
Disabled
NetBIOS domain names
nt registered DNS suffixes if the AllowSingleLabelDnsDomain setting is not enabled.

lution to locate the DC
Disabled
Disabled
Enabled
Enabled
Disabled
Enabled: Authenticated
ers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS)
me directory
is logged on
ps (not desktop apps)

lopment environment (IDE)
Enabled: Force Deny
Enabled
Enabled
Enabled: Do not execute any autorun commands

Enabled: All drives
Enabled
Windows 8.1 Windows Server 2012 R2 Windows 10 [Version 1507])

08 Windows 7 Windows Server 2008 R2)
ndows Vista)
Enabled
er 2008 and Windows Vista)
Enabled
s 7 Windows Server 2008 R2)

Enabled
Do not allow write access to devices configured in another organization = False
Enabled
Disabled
Enabled: 32768
Enabled: 196608
Enabled: 32768
Enabled: Warn and prevent bypass
he first time
Enabled
Enabled
Enabled: On
Enabled
Enabled
Enabled
Enabled
Enabled
Enabled
Disabled
Enabled
Disabled
Enabled
Enabled
Enabled
Enabled: Use TLS 1.1 and TLS 1.2
Enabled
Enabled
Disabled
Enabled
Disabled
Disabled
Disabled
Disabled
Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disable Java
Disabled
Prompt for user name and password
Disabled
Disabled
Disabled
Enabled: Prompt
Enabled
Enabled
Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Enabled: High Safety
Disabled
Enabled: Disable Java

Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Enabled: Anonymous logon
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Disabled
Enabled
Enabled
Enabled
Enabled
Disabled
Disabled
Disabled
Disabled
Enabled: High Safety
Browsing starts
Enabled: No Sites
Enabled
Disabled
iexplore.exe = Enabled
explorer.exe = Enabled
(Reserved) = Enabled
Enabled: Block
Enabled
Enabled: Advanced MAPS
Enabled: Send safe samples
Enabled
be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 = 1
b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 = 1
9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 = 1
d4f940ab-401b-4efc-aadc-ad5f3c50688a = 1
d3e037e1-3eb8-44c8-a917-57927947596d = 1
5beb7efe-fd9a-4556-801d-275e5ffc04cc = 1
3b576869-a4ec-4529-8536-b80a7769e899 = 1
26190899-1602-49e8-8b27-eb1d0a1ce869 = 1
92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B = 1
7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c = 1
75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 = 1
c1db55ab-c21a-4637-bb3f-a12568109d35 = 1
e6db77e5-3df2-4cf1-b95a-636979351e5b = 1
Enabled: Block
or audit mode on Windows Server.
Enabled: High blocking level

Enabled
Disabled
Enabled
Enabled
te remediation
Enabled
Application Guard
user’s device
nternet Explorer
time Microsoft Edge is closed
nd each time Microsoft Edge is closed
Enabled
Enabled
Enabled
Enabled
Enabled: High Level

Enabled
Disabled
Enabled: Warn and prevent bypass
Enabled
Enabled
Disabled
Enabled: On, but disallow access above lock

Disabled
Disabled
start or cold boot
Disabled
Enabled
Log script block invocation start / stop events = [[[delete]]]
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
nstall scheduled updates
Registry Information
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!AllowOnlineTips
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!SettingsPageVisibility
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoLockScreen
HKLM\Software\Policies\Microsoft\Windows\Personalization!PersonalColors_Background HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\Personalization!LockScreenImage HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\Personalization!ForceStartBackground
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoChangingLockScreen
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoChangingStartMenuBackground
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoLockScreenCamera
HKLM\Software\Policies\Microsoft\Windows\Personalization!NoLockScreenSlideshow
HKLM\Software\Policies\Microsoft\Windows\Personalization!AnimateLockScreenBackground
HKLM\Software\Policies\Microsoft\InputPersonalization!AllowInputPersonalization
HKLM\Software\Policies\Microsoft\Control Panel\International!BlockCleanupOfUnusedPreinstalledL
HKLM\Software\Policies\Microsoft\MUI\Settings!MachineUILock
HKLM\Software\Policies\Microsoft\Control Panel\International!RestrictLanguagePacksAndFeaturesIn
HKLM\Software\Policies\Microsoft\MUI\Settings!PreferredUILanguages
HKLM\SOFTWARE\Policies\Microsoft\InputPersonalization!RestrictImplicitTextCollection HKLM\SOFTWA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!UseDefaultTile
HKLM\Software\Policies\Microsoft Services\AdmPwd!PwdExpirationProtectionEnabled
HKLM\Software\Policies\Microsoft Services\AdmPwd!AdmPwdEnabled
HKLM\Software\Policies\Microsoft Services\AdmPwd!AdminAccountName
HKLM\Software\Policies\Microsoft Services\AdmPwd!PasswordComplexity HKLM\Software\Policies
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System!LocalAccountTokenFilterPoli
HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility!Comment
HKLM\SYSTEM\CurrentControlSet\Services\LanmanWorkstation!DependOnService
HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb10!Start
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters!SMB1
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel!DisableExceptionChainValidatio
HKLM\System\CurrentControlSet\Services\NTDS\Parameters!LdapEnforceChannelBinding; HKLM\Sys
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!RestrictDriverInstallationTo
HKLM\SYSTEM\CurrentControlSet\Control\Lsa!RunAsPPL
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe!A
HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters!NodeType
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartBanner HKLM\SOFTWAR
HKLM\software\policies\microsoft\internet explorer\main\featurecontrol\FEATURE_RESTRICT_LE
HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!MpEnablePus
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest!UseLogonCredential
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon!AutoAdminLogon
HKLM\SYSTEM\CurrentControlSet\Control\CrashControl!AutoReboot
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters!AutoShareServer
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters!AutoShareWks
HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters!DisableIPSourceRouting
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!DisableIPSourceRouting
HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters!DisableSavePassword
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!EnableDeadGWDetect
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!EnableICMPRedirect
HKLM\System\CurrentControlSet\Services\Lanmanserver\Parameters!Hidden
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!KeepAliveTime
HKLM\System\CurrentControlSet\Services\IPSEC!NoDefaultExempt
HKLM\System\CurrentControlSet\Services\Netbt\Parameters!NoNameReleaseOnDemand
HKLM\System\CurrentControlSet\Control\FileSystem!NtfsDisable8dot3NameCreation
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!PerformRouterDiscovery
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager!SafeDllSearchMode
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon!ScreenSaverGracePeriod
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!SynAttackProtect
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!TcpMaxConnectResponseRetransmissi
HKLM\System\CurrentControlSet\Services\Tcpip6\Parameters!TcpMaxDataRetransmissions
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!TcpMaxDataRetransmissions
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security!WarningLevel
HKLM\Software\Policies\Microsoft\System\DFSClient!DfsDcNameDelay
HKLM\Software\Policies\Microsoft\Windows\BITS!EnablePeercaching
HKLM\Software\Policies\Microsoft\Windows\BITS!DisableBranchCache
HKLM\Software\Policies\Microsoft\Windows\BITS!DisablePeerCachingClient
HKLM\Software\Policies\Microsoft\Windows\BITS!DisablePeerCachingServer
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxContentAge
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxCacheSize
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxDownloadTime
HKLM\Software\Policies\Microsoft\Windows\BITS!EnableBITSMaxBandwidth; HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxBandwidthServed
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxJobsPerUser
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxJobsPerMachine
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxFilesPerJob
HKLM\Software\Policies\Microsoft\Windows\BITS!MaxRangesPerFile
HKLM\Software\Policies\Microsoft\Windows\BITS\TransferPolicy!ForegroundTransferPolicy HKLM\So
HKLM\Software\Policies\Microsoft\Windows\BITS\Throttling!EnableMaintenanceLimits; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\BITS\Throttling!EnableBandwidthLimits; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\BITS!JobInactivityTimeout
HKLM\Software\Policies\Microsoft\Windows\NetCache!PeerCachingLatencyThreshold
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Service\Versioning!PreferredContentInformationVers
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\MultipleServers
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Discovery!SCPDiscoveryEnabled
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Retrieval!SegmentTTL
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\CooperativeCaching!Enable
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\HostedCache\Connection!Location
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\CacheMgr\Republication!SizePercent
HKLM\SOFTWARE\Policies\Microsoft\PeerDist\Service!Enable
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\Probes!Probe
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\CustomCommands
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant!PassiveMode
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant!FriendlyName
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\DTEs!DTE
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant!NamePreferenceAllo
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant!SupportEmail
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant!ShowUI
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!AppendToMultiLabelName
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!QueryNetBTFQDN
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DoHPolicy
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!AdapterDomainName
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!NameServer
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!SearchList
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationEnabled
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!EnableIdnMapping
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!PreferLocalOverLowerBindingDNS
HKLM\Software\Policies\Microsoft\System\DNSClient!NV PrimaryDnsSuffix
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UseDomainNameDevolution
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!EnableDevolutionLevelControl; HKLM\S
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegisterAdapterName
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegisterReverseLookup
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationRefreshInterval
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationOverwritesInConflict
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!RegistrationTtl
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DisableIdnEncoding
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!EnableMulticast
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DisableSmartNameResolution
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!DisableSmartProtocolReordering
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UpdateSecurityLevel
HKLM\Software\Policies\Microsoft\Windows NT\DNSClient!UpdateTopLevelDomainZones
HKLM\Software\Policies\Microsoft\Windows\System!EnableFontProviders
HKLM\Software\Policies\Microsoft\Windows\HotspotAuthentication!Enabled
HKLM\Software\Policies\Microsoft\Windows\LanmanServer!CipherSuiteOrder
HKLM\Software\Policies\Microsoft\Windows\LanmanServer!HashPublicationForPeerCaching
HKLM\Software\Policies\Microsoft\Windows\LanmanServer!HashSupportVersion
HKLM\Software\Policies\Microsoft\Windows\LanmanServer!HonorCipherSuiteOrder
HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!CipherSuiteOrder
HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!AllowInsecureGuestAuth
HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!EnableHandleCachingForCAFiles
HKLM\Software\Policies\Microsoft\Windows\LanmanWorkstation!AllowOfflineFilesforCAShares
HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableLLTDIO; HKLM\Software\Policies\Microso
HKLM\Software\Policies\Microsoft\Windows\LLTD!EnableRspndr; HKLM\Software\Policies\Microso
HKLM\Software\policies\Microsoft\Peernet!IgnoreDomainPasswordPolicyForNewGroups
HKLM\Software\policies\Microsoft\Peernet!Disabled
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!SearchOnly
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!SeedServer HKLM\Software\policies\M
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!DisableMulticastBootstrap
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-Global!Disabled
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!SearchOnly
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!SeedServer
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!DisableMulticastBootstrap
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-LinkLocal!Disabled
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!SearchOnly
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!SeedServer
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!DisableMulticastBootstrap
HKLM\Software\policies\Microsoft\Peernet\Pnrp\IPv6-SiteLocal!Disabled
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_DoNotShowLocalOnlyIcon
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowNetBridge_NLA
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_PersonalFirewallConfig
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_ShowSharedAccessUI
HKLM\Software\Policies\Microsoft\Windows\Network Connections!NC_StdDomainUserSetLocation
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Force_Tunneling
HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\ICFv4!BypassFirewall
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\IcmpSettings!AllowOutbound
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\FileAndPrint!Enable
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\RemoteAdminSettings!Enabl
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\RemoteDesktop!Ena
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Services\UPnPFramework!En
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!AllowUse
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!Allo
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\Logging!LogDroppedPackets H
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\GloballyOpenPorts!Enabled;
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\AuthorizedApplications!Enabl
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DoNotAllowExceptions
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableNotifications
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!DisableUnicastResponsesToMu
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile!EnableFirewall
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\IcmpSettings!AllowOutboun
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\FileAndPrint!Enabl
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\RemoteAdminSettings!Enab
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\RemoteDesktop!En
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Services\UPnPFramework!E
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!AllowUs
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!All
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\Logging!LogDroppedPackets
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\GloballyOpenPorts!Enabled;
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\AuthorizedApplications!Enab
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DoNotAllowExceptions
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableNotifications
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!DisableUnicastResponsesToM
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile!EnableFirewall
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnec
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectiv
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnect
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!UseGlobalDns
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!DisablePassivePol
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!NeutralResources
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!CloudResources
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DomainProxies
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DomainLocalProxies
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DomainSubnets
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DProxiesAuthoritive
HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation!DSubnetsAuthoritive
HKLM\Software\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths
HKLM\Software\Policies\Microsoft\Windows\NetCache!GoOfflineAction
HKLM\Software\Policies\Microsoft\Windows\NetCache!Enabled
HKLM\Software\Policies\Microsoft\Windows\NetCache!PurgeAtLogoff; HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\Windows\NetCache!BackgroundSyncEnabled; HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\NetCache!SlowLinkSpeed
HKLM\Software\Policies\Microsoft\Windows\NetCache!SlowLinkEnabled; HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\Windows\NetCache!DefCacheSize
HKLM\Software\Policies\Microsoft\Windows\NetCache!ExcludedFileTypes
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncEnabledForCostedNetwork
HKLM\Software\Policies\Microsoft\Windows\NetCache!OnlineCachingLatencyThreshold
HKLM\Software\Policies\Microsoft\Windows\NetCache!EncryptCache
HKLM\Software\Policies\Microsoft\Windows\NetCache!EventLoggingLevel
HKLM\Software\Policies\Microsoft\Windows\NetCache!ExcludeExtensions
HKLM\Software\Policies\Microsoft\Windows\NetCache!InitialBalloonTimeoutSeconds
HKLM\Software\Policies\Microsoft\Windows\NetCache!CacheQuotaLimit HKLM\Software\Policies\
HKLM\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoCacheViewer
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoConfigCache
HKLM\Software\Policies\Microsoft\Windows\NetCache!ReminderFreqMinutes
HKLM\Software\Policies\Microsoft\Windows\NetCache!ReminderBalloonTimeoutSeconds
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoMakeAvailableOffline
HKLM\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList
HKLM\Software\Policies\Microsoft\Windows\NetCache!WorkOfflineDisabled
HKLM\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders
HKLM\Software\Policies\Microsoft\Windows\NetCache!AlwaysPinSubFolders
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogoff
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogon
HKLM\Software\Policies\Microsoft\Windows\NetCache!SyncAtSuspend
HKLM\Software\Policies\Microsoft\Windows\NetCache!NoReminders
HKLM\Software\Policies\Microsoft\Windows\NetCache!EconomicalAdminPinning
HKLM\Software\Policies\Microsoft\Windows\Psched!MaxOutstandingSends
HKLM\Software\Policies\Microsoft\Windows\Psched!NonBestEffortLimit
HKLM\Software\Policies\Microsoft\Windows\Psched!TimerResolution
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeBe
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeC
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceType
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceType
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingConforming!ServiceTypeQu
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTy
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceT
HKLM\Software\Policies\Microsoft\Windows\Psched\DiffservByteMappingNonConforming!ServiceTy
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeBestEffort
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeControlledLo
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeGuaranteed
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeNetworkCont
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeNonConform
HKLM\Software\Policies\Microsoft\Windows\Psched\UserPriorityMapping!ServiceTypeQualitative
HKLM\Software\Policies\SNMP\Parameters\ValidCommunities
HKLM\Software\Policies\SNMP\Parameters\PermittedManagers
HKLM\Software\Policies\SNMP\Parameters\TrapConfiguration\public
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!EccCurves
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002!Functions
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!6to4_RouterName
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!6to4_RouterNameResolutionInterv
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!6to4_State
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition\IPHTTPS\IPHTTPSInterface!IPHTTPS
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!ISATAP_RouterName
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!ISATAP_State
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_ClientPort
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_DefaultQualified
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_RefreshRate
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_ServerName
HKLM\Software\Policies\Microsoft\Windows\TCPIP\v6Transition!Teredo_State
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!EnableIPAutoConfigurationLimits
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters!EnableWsd
HKLM\Software\Policies\Microsoft\Windows\WCN\Registrars!EnableRegistrars; HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\WCN\UI!DisableWcnUi
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fDisablePowerManagement
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fSoftDisconnectConnections
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fMinimizeConnections
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fBlockNonDomain
HKLM\Software\Policies\Microsoft\Windows\WcmSvc\GroupPolicy!fBlockRoaming
HKLM\SOFTWARE\Policies\Microsoft\WirelessDisplay!PreferPinBasedPairing
HKLM\SOFTWARE\Policies\Microsoft\WirelessDisplay!EnforcePinBasedPairing
HKLM\Software\Policies\Microsoft\Windows\Wireless\NetCost!Cost
HKLM\Software\Microsoft\wcmsvc\wifinetworkmanager\config!AutoConnectAllowedOEM
HKLM\Software\Policies\Microsoft\Windows\WwanSvc\CellularDataAccess!LetAppsAccessCellularD
HKLM\Software\Policies\Microsoft\Windows\WwanSvc\NetCost!Cost3G
HKLM\Software\Policies\Microsoft\Windows\WwanSvc\NetCost!Cost4G
HKLM\Software\Policies\Microsoft\Windows\WwanSvc\UISettings!AppCellularAccessUI
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPrinting
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!DomainDisplayPrinters_State; HK
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!NonDomainDisplayPrinters_State;
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ShowJobTitleInEventLogs
HKLM\Software\Policies\Microsoft\Windows NT\Printers!RegisterSpoolerRemoteRpcEndPoint
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PublishPrinters
HKLM\Software\Policies\Microsoft\Windows NT\Printers!Immortal
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ForceSoftwareRasterization
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ForceCSREMFDespooling
HKLM\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Auto Publishing
HKLM\Software\Policies\Microsoft\Windows NT\Printers!MXDWUseLegacyOutputFormatMSXPS
HKLM\Software\Policies\Microsoft\Windows NT\Printers!VerifyPublishedState
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PhysicalLocation
HKLM\Software\Policies\Microsoft\Windows NT\Printers!SupportLink
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningInterval
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningPriority
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningRetries
HKLM\Software\Policies\Microsoft\Windows NT\Printers!KMPrintersAreBlocked
HKLM\Software\Policies\Microsoft\Windows NT\Printers!V4DriverDisallowPrinterExtension
HKLM\Software\Policies\Microsoft\Windows NT\Printers!EnableDeviceControl
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PrintDriverIsolationExecutionPolicy
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DoNotInstallCompatibleDriverFromWindo
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ApplicationDriverIsolation
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ApprovedUsbPrintDevices
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruningRetryLog
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPr
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PrintDriverIsolationOverrideCompat
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPrin
HKLM\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!Restricted; HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PhysicalLocationSupport
HKLM\Software\Policies\Microsoft\Windows NT\Printers!ServerThread
HKLM\Software\Policies\Microsoft\Windows NT\Printers!PruneDownlevel
HKLM\Software\Policies\Microsoft\Windows\Explorer!DisableContextMenusInStart
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsHistory
HKLM\Software\Policies\Microsoft\Windows\Explorer!ForceStartSize
HKLM\Software\Policies\Microsoft\Windows\Explorer!StartPinAppsWhenInstalled; HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\Explorer!HideRecentlyAddedApps
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMorePrograms
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HidePowerOptions
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMFUprogramsLi
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowOrHideMostUsedApps
HKLM\Software\Policies\Microsoft\Windows\Explorer!LockedStartLayout; HKLM\Software\Policies\
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!WnsEndpoint
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoCloudApplicatio
HKLM\Software\Policies\Microsoft\Windows NT\Reliability!SnapShot
HKLM\Software\Policies\Microsoft\Windows\System!DLT_AllowDomainMode
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!VerboseStatus
HKLM\Software\Policies\Microsoft\Windows NT\Reliability!ShutdownReasonOn; HKLM\Software\Pol
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoEncryptOnMove
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\MYS!DisableShowAtLogon
HKLM\Software\Policies\Microsoft\Windows NT!DontPowerOffAfterShutdown
HKLM\Software\Policies\Microsoft\Windows\App Management!COMClassStore
HKLM\Software\Policies\Microsoft\Windows NT\Reliability!TimeStampEnabled; HKLM\Software\Polic
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableStatusMessages
HKLM\Software\Policies\Microsoft\Windows\System!HelpQualifiedRootDir
HKLM\Software\Policies\Microsoft\Windows\System!DisableInHelp
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Servicing HKLM\Software\Microsoft\Wi
HKLM\Software\Policies\Microsoft\Windows NT\Setup!SourcePath
HKLM\Software\Policies\Microsoft\Windows NT\Setup!ServicePackSourcePath
HKLM\Software\Policies\Microsoft\Windows\System!DisableHHDEP
HKLM\SOFTWARE\Policies\Microsoft\Windows\ADR\AccessDenied!Enabled; HKLM\SOFTWARE\Polici
HKLM\SOFTWARE\Policies\Microsoft\Windows\Explorer!EnableShellExecuteFileStreamCheck
HKLM\Software\Policies\Microsoft\AppV\Client!Enabled
HKLM\SOFTWARE\Policies\Microsoft\AppV\CEIP!CEIPEnable
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Coexistence!MigrationMode
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Integration!IntegrationRootGlobal
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Integration!IntegrationRootUser
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Integration!RoamingFileExclusions
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Integration!RoamingRegistryExclusions
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\PackageManagement!AutoCleanupEnabled
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\PowerManagement!SyncOnBatteriesEnabled
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Publishing!EnablePublishingRefreshUI
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Publishing\Servers\1!Name HKLM\SOFTWARE\Policie
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Reporting!ReportingEnabled; HKLM\SOFTWARE\Poli
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Scripting!EnablePackageScripts
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!AllowHighCostLaunch
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!CertFilterForClientSsl
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!SupportBranchCache
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!LocationProvider
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!PackageInstallationRoot
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!PackageSourceRoot
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!ReestablishmentInterval
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!ReestablishmentRetries
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!RequirePublishAsAdmin
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!SharedContentStoreMode
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!Autoload
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Streaming!VerifyCertificateRevocationList
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization!EnableDynamicVirtualization
HKLM\SOFTWARE\Policies\Microsoft\AppV\Client\Virtualization!ProcessesUsingVirtualComponents;
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit!ProcessCreationInclud
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowDefaultCredentials; HKLM\
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowDefCredentialsWhenNTLM
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowFreshCredentials; HKLM\So
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowFreshCredentialsWhenNT
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowSavedCredentials; HKLM\S
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowSavedCredentialsWhenNT
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!DenyDefaultCredentials; HKLM\
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!DenyFreshCredentials; HKLM\So
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!DenySavedCredentials; HKLM\So
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters!AllowEnc
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!AllowProtectedCreds
HKLM\Software\Policies\Microsoft\Windows\CredentialsDelegation!RestrictedRemoteAdministratio
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!DeployConfigCIPolicy; HKLM\SOFTWARE\P
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!EnableVirtualizationBasedSecurity;
HKLM\Software\Policies\Microsoft\DeviceHealthAttestationService!EnableDeviceHealthAttestationS
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!AllowRemoteRPC
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!InstallTimeout
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSendGenericDriverNot
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSystemRestore
HKLM\SOFTWARE\Policies\Microsoft\Windows\Device Metadata!PreventDeviceMetadataFromNetw
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableSendRequestAdditional
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!AllSigningEqual
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!SearchOrderConfig
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DriverServerSelection
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Settings!DisableBalloonTips
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowAdminInstall
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowDeviceIDs; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowInstanceIDs; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowDeviceClasses; HKLM\So
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!AllowDenyLayered
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy!SimpleText
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy!DetailText
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyUnspecified
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyDeviceIDs; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyInstanceIDs; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyDeviceClasses; HKLM\So
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!DenyRemovableDevices
HKLM\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions!ForceReboot; HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\NvCache!OptimizeBootAndResume
HKLM\Software\Policies\Microsoft\Windows\NvCache!EnablePowerModeState
HKLM\Software\Policies\Microsoft\Windows\NvCache!EnableNvCache
HKLM\Software\Policies\Microsoft\Windows\NvCache!EnableSolidStateMode
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!ApplyToRemovableMedia
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Enable
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Enforce
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!LogEventOverLimit
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!LogEventOverThreshold
HKLM\Software\Policies\Microsoft\Windows NT\DiskQuota!Limit HKLM\Software\Policies\Microsof
HKLM\Software\Policies\Microsoft\Windows\Control Panel\Desktop!EnablePerProcessSystemDPI HK
HKLM\Software\Policies\Microsoft\Windows\Display!DisableGdiDPIScaling
HKLM\Software\Policies\Microsoft\Windows\Display!EnableGdiDPIScaling
HKLM\Software\Policies\Microsoft\Windows NT\DCOM\AppCompat!AllowLocalActivationSecurityCh
HKLM\Software\Policies\Microsoft\Windows NT\DCOM\AppCompat!ListBox_Support_ActivationSecu
HKLM\Software\Policies\Microsoft\Windows\DriverInstall\Restrictions!AllowUserDeviceClasses; HKL
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontPromptForWindowsUpdate
HKLM\System\CurrentControlSet\Policies\EarlyLaunch!DriverLoadPolicy; HKLM\System\CurrentContro
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!RootHubConnectedEnStorDe
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedEnStorDevices!Poli
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices\ApprovedSilos!SiloAllowListP
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!DisallowLegacyDiskDevices
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!DisablePasswordAuthenticat
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!TCGSecurityActivationDisabl
HKLM\Software\Policies\Microsoft\Windows\EnhancedStorageDevices!LockDeviceOnMachineLock
HKLM\SOFTWARE\Policies\Microsoft\Windows\FCI!EnableManualUX
HKLM\SOFTWARE\Policies\Microsoft\Windows\FCI!CentralClassificationList
HKLM\Software\Policies\Microsoft\Windows\fssProv!EncryptProtocol
HKLM\System\CurrentControlSet\Policies!DisableDeleteNotification
HKLM\System\CurrentControlSet\Control\FileSystem!LongPathsEnabled
HKLM\Software\Policies\Microsoft\Windows\Filesystems\NTFS!SymLinkState; HKLM\Software\Polic
HKLM\System\CurrentControlSet\Policies!NtfsDisableCompression
HKLM\System\CurrentControlSet\Policies!NtfsDisableEncryption
HKLM\System\CurrentControlSet\Policies!NtfsEnableTxfDeprecatedFunctionality
HKLM\System\CurrentControlSet\Policies!NtfsForceNonPagedPoolAllocation
HKLM\System\CurrentControlSet\Policies!NtfsEncryptPagingFile
HKLM\System\CurrentControlSet\Policies!NtfsDefaultTier
HKLM\System\CurrentControlSet\Policies!NtfsParallelFlushThreshold
HKLM\System\CurrentControlSet\Policies!NtfsParallelFlushWorkers
HKLM\System\CurrentControlSet\Policies!NtfsDisable8dot3NameCreation
HKLM\Software\Policies\Microsoft\Windows\System\Fdeploy!PrimaryComputerEnabledFR
HKLM\Software\Policies\Microsoft\Windows\System\Fdeploy!LocalizeXPRelativePaths
HKLM\Software\Policies\Microsoft\Windows\System!AllowX-ForestPolicy-and-RUP
HKLM\Software\Policies\Microsoft\Windows\Group Policy!OnlyUseLocalAdminFiles
HKLM\Software\Policies\Microsoft\Windows\System!SlowlinkDefaultToAsync
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkDefaultForDirectAccess
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{3610eda5-77ef-11d2-8dc5-00c04fa31a6
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{25537BA6-77A8-11D2-9B6C-0000F8080
HKLM\Software\Policies\Microsoft\Windows\System!EnableLogonOptimization; HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyMinTransferRate HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{A2E30F80-D7DE-11d2-BBDE-00C04F86A
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{e437bc1c-aa7d-11d2-a382-00c04f991e2
HKLM\Software\Policies\Microsoft\Windows\System!EnableLogonScriptDelay; HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBC
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{42B5FAAE-6536-11d2-AE5A-0000F87571
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{827D319E-6EAC-11D2-A4EA-00C04F79F
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{c6dc5466-785a-11d2-84d0-00c04fb169f
HKLM\Software\Policies\Microsoft\Windows\System!UserPolicyMode
HKLM\Software\Policies\Microsoft\Windows\System!EnableAppUriHandlers
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{B587E2B1-4D59-4e7e-AED9-22B9DF11D
HKLM\Software\Policies\Microsoft\Windows\Group Policy\{0ACDD40C-75AC-47ab-BAA0-BF6DE7E7F
HKLM\Software\Policies\Microsoft\Windows\System!EnableCdp
HKLM\Software\Policies\Microsoft\Windows\System!DenyRsopToInteractiveUser
HKLM\Software\Policies\Microsoft\Windows\System!ResetDfsClientInfoDuringRefreshPolicy
HKLM\Software\Policies\Microsoft\Windows\System!EnableLogonOptimizationOnServerSKU; HKLM
HKLM\Software\Policies\Microsoft\Windows\System!EnableMmx
HKLM\Software\Policies\Microsoft\Windows\System!DenyUsersFromMachGP
HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTime HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTimeDC HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\System!GpNetworkStartTimeoutPolicyValue
HKLM\Software\Policies\Microsoft\Windows\System!CorpConnStartTimeoutPolicyValue
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableBkGndGroupPolicy
HKLM\Software\Policies\Microsoft\Windows\System!DisableAOACProcessing
HKLM\Software\Policies\Microsoft\Windows\System!DisableLGPOProcessing
HKLM\Software\Policies\Microsoft\Windows\System!RSoPLogging
HKLM\Software\Policies\Microsoft\InternetManagement!RestrictCommunication; HKLM\Software\Mi
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableWindowsUpdateAccess
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoUseStoreOpenWith
HKLM\Software\Policies\Microsoft\SystemCertificates\AuthRoot!DisableRootAutoUpdate
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftEventVwrDisableLinks
HKLM\Software\Policies\Microsoft\Windows\TabletPC!PreventHandwritingDataSharing
HKLM\Software\Policies\Microsoft\Windows\HandwritingErrorReports!PreventHandwritingErrorRep
HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!Headlines
HKLM\Software\Policies\Microsoft\PCHealth\HelpSvc!MicrosoftKBSearch
HKLM\Software\Policies\Microsoft\Windows\Internet Connection Wizard!ExitOnMSICW
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith
HKLM\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
HKLM\Software\Policies\Microsoft\Windows\Registration Wizard Control!NoRegistration
HKLM\Software\Policies\Microsoft\SearchCompanion!DisableContentFileUpdates
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard
HKLM\Software\Policies\Microsoft\Messenger\Client!CEIP
HKLM\Software\Policies\Microsoft\SQMClient\Windows!CEIPEnable
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!DoReport HKLM\Software\Policies\Mic
HKLM\Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator!NoActiveProbe
HKLM\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchWindowsUpdate
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RestrictAdditionalLogins
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ChangeIQNName
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ChangeCHAPSecret
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RequireIPSec
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RequireMutualCHAP
HKLM\Software\Policies\Microsoft\Windows\iSCSI!RequireOneWayCHAP
HKLM\Software\Policies\Microsoft\Windows\iSCSI!NewStaticTargets
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ConfigureTargets
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ConfigureiSNSServers
HKLM\Software\Policies\Microsoft\Windows\iSCSI!ConfigureTargetPortals
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!EnableCbacA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!PKINITFreshn
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!EmitLILI
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!RequestCom
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!UseForestSear
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters!EnableTicketS
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!CloudKer
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!Alway
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos!domain_realm_Enabl
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos!MitRealms_Enabled;
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!NoRevo
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!Require
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!Enable
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!KdcValid
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!StrictTa
HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters!EnableMaxTokenSize; HKLM\Sys
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos!KdcProxyServer_Enab
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!CompoundIdDisabled; HKLM\Software\Pol
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!DevicePK
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters!UseFores
HKLM\Software\Policies\Microsoft\Windows\Kernel DMA Protection!DeviceEnumerationPolicy

HKLM\Software\Policies\Microsoft\Control Panel\International!PreventGeoIdChange
HKLM\Software\Policies\Microsoft\Control Panel\International!BlockUserInputMethodsForSignIn
HKLM\Software\Policies\Microsoft\Control Panel\International!CustomLocalesNoSelect
HKLM\Software\Policies\Microsoft\Control Panel\International!PreventUserOverrides
HKLM\Software\Policies\Microsoft\Control Panel\International!RestrictSystemLocales; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Control Panel\International!RestrictUserLocales; HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\System!AllowDomainDelayLock
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!LogonType
HKLM\Software\Policies\Microsoft\Windows\System!UseOEMBackground
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon!SyncForegroundPolicy
HKLM\Software\Policies\Microsoft\Windows\System!DefaultCredentialProvider
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DefaultLogonDomain
HKLM\Software\Policies\Microsoft\Windows\System!BlockUserFromShowingAccountDetailsOnSigni
HKLM\Software\Policies\Microsoft\Windows\System!DontDisplayNetworkSelectionUI
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWelcomeScreen
HKLM\Software\Policies\Microsoft\Windows\System!DontEnumerateConnectedUsers
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRun
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableLocalMachineRunOnc
HKLM\Software\Policies\Microsoft\Windows\System!EnumerateLocalUsers
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ExcludedCredentialProviders
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideFastUserSwitching
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKLM\Software\Policies\Microsoft\Windows\System!DisableAcrylicBackgroundOnLogon
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!EnableFirstLogonAnimation
HKLM\Software\Policies\Microsoft\Windows\System!DisableLockScreenAppNotifications
HKLM\Software\Policies\Microsoft\Windows\System!BlockDomainPicturePassword
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableStartupSound
HKLM\Software\Policies\Microsoft\Windows\System!AllowDomainPINLogon
HKLM\Software\Policies\Microsoft\FIDO!EnableFIDODeviceLogon
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions!MitigationOptions_FontBocki
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowNT4Crypto
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AvoidPdcOnWan
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowExclusiveScriptsShareAccess
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ScavengeInterval
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowExclusiveSysvolShareAccess
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ExpectedDialupDelay
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!dbFlag
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!MaximumLogFileSize
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NegativeCachePeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NonBackgroundSuccessfulRefreshPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!SiteName
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryQuitTime
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryInitialPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundRetryMaximumPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!BackgroundSuccessfulRefreshPeriod
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!PingUrgencyMode
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!IgnoreIncomingMailslotMessages
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AvoidFallbackNetbiosDiscovery
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!ForceRediscoveryInterval
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AddressTypeReturned
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!LdapSrvPriority
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsTtl
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!LdapSrvWeight
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AddressLookupOnPingBehavior
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsAvoidRegisterRecords
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!UseDynamicDns
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsRefreshInterval
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!NdncSiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!SiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!GcSiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!TryNextClosestSite
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AutoSiteCoverage
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowDnsSuffixSearch
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!AllowSingleLabelDnsDomain
HKLM\Software\Policies\Microsoft\Netlogon\Parameters!DnsSrvRecordUseLowerCaseHostNames
HKLM\Software\Policies\Microsoft\Windows\System!AllowClipboardHistory
HKLM\Software\Policies\Microsoft\Windows\System!AllowCrossDeviceClipboard
HKLM\Software\Policies\Microsoft\Windows\System!PublishUserActivities
HKLM\Software\Policies\Microsoft\Windows\System!UploadUserActivities
HKLM\Software\Policies\Microsoft\Windows\System!EnableActivityFeed
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!Expiration
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!History
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!MaximumPINLength
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!MinimumPINLength
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!Digits
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!LowercaseLetters
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!SpecialCharacters
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\PINComplexity!UppercaseLetters
HKLM\Software\Policies\Microsoft\Power\PowerSettings!ActivePowerScheme
HKLM\Software\Policies\Microsoft\Power\PowerSettings!ActivePowerScheme
HKLM\Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936
HKLM\Software\Policies\Microsoft\Power\PowerSettings\5CA83367-6E45-459F-A27B-476B1D01C936
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7648EFA3-DD9C-4E3E-B566-50F929386280
HKLM\Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\96996BC0-AD50-47EC-923B-6F41874DD9E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A7066653-8D6C-40A8-910E-A1F54B84C7E5
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A7066653-8D6C-40A8-910E-A1F54B84C7E5
HKLM\Software\Policies\Microsoft\Power\PowerSettings\E69653CA-CF7F-4F05-AA73-CB833FA90AD
HKLM\Software\Policies\Microsoft\Power\PowerSettings\E69653CA-CF7F-4F05-AA73-CB833FA90AD
HKLM\Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\6738E2C4-E8A5-4A42-B16A-E040E769756E
HKLM\Software\Policies\Microsoft\Power\PowerSettings\637EA02F-BBCB-4015-8E2C-A1C7B9C0B54
HKLM\Software\Policies\Microsoft\Power\PowerSettings\9A66D8D7-4FF7-4EF9-B5A2-5A326CA2A46
HKLM\Software\Policies\Microsoft\Power\PowerSettings\d8742dcb-3e6a-4b3c-b3fe-374623cdcf06!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\8183ba9a-e910-48da-8769-14ae6dc1170a
HKLM\Software\Policies\Microsoft\Power\PowerSettings\F3C5027D-CD16-4930-AA6B-90DB844A8F0
HKLM\Software\Policies\Microsoft\Power\PowerSettings\bcded951-187b-4d05-bccc-f7e51960c258!
HKLM\System\CurrentControlSet\Control\Power\PowerThrottling!PowerThrottlingOff
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2
HKLM\Software\Policies\Microsoft\Power\PowerSettings\A4B195F5-8225-47D8-8012-9D41369786E2
HKLM\Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\d4c1d4c8-d5cc-43d3-b83e-fc51215cb04d!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\f15576e8-98b7-4186-b944-eafa664402d9!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\abfc2519-3608-4c2a-94ea-171b0ed546ab!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364
HKLM\Software\Policies\Microsoft\Power\PowerSettings\9D7815A6-7EE4-497E-8888-515A05F02364
HKLM\Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\29F6C1DB-86DA-48C5-9FDB-F2B67B1F44D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\94ac6d29-73ce-41a6-809f-6363ba21b47e!
HKLM\Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\B7A27025-E569-46c2-A504-2B96CAD225A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\17aaa29b-8b43-4b94-aafe-35f64daaf1ee!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\17aaa29b-8b43-4b94-aafe-35f64daaf1ee!A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\f1fbfde2-a960-4165-9f88-50667911ce96!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\f1fbfde2-a960-4165-9f88-50667911ce96!A
HKLM\Software\Policies\Microsoft\Power\PowerSettings\90959D22-D6A1-49B9-AF93-BCE885AD335
HKLM\Software\Policies\Microsoft\Power\PowerSettings\90959D22-D6A1-49B9-AF93-BCE885AD335
HKLM\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7
HKLM\Software\Policies\Microsoft\Power\PowerSettings\3C0BC021-C8A8-4E07-A973-6B14CBCB2B7
HKLM\Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4!D
HKLM\Software\Policies\Microsoft\Power\PowerSettings\309dce9b-bef4-4119-9921-a851fb12f0f4!A
HKLM\SOFTWARE\Policies\Microsoft\Windows\WinRE!DisableSetup
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!CreateEncryptedOnlyTickets
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowUnsolicited; HKLM\Software
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!fAllowToGetHelp; HKLM\Software\
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!UseCustomMessages; HKLM\Softw
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!UseBandwidthOptimization; HKL
HKLM\Software\policies\Microsoft\Windows NT\Terminal Services!LoggingEnabled
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!EnableAuthEpResolution
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!IgnoreDelegationFailure
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!StateInformation
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!ExtErrorInformation HKLM\Software\Policies\M
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!RestrictRemoteClients
HKLM\Software\Policies\Microsoft\Windows NT\Rpc!MinimumConnectionTimeout
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!Deny_All
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!AllowRemoteDASD
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read!Deny_R
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write!Deny_W
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices!RebootTimeinSeconds_stat
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA
HKLM\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!Allow-LogonScript-NetbiosDisa
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideShutdownScripts
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideStartupScripts
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunLogonScriptSync
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunStartupScriptSync
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunComputerPSScriptsFirst
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunUserPSScriptsFirst
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!MaxGPOScriptWait
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\SAM!SamNGCKeyROCAValidat
HKLM\Software\Policies\Microsoft\Windows\Server\ServerManager!RefreshIntervalEnabled; HKLM\S
HKLM\Software\Policies\Microsoft\Windows\Server\InitialConfigurationTasks!DoNotOpenAtLogon
HKLM\Software\Policies\Microsoft\Windows\Server\ServerManager!DoNotOpenAtLogon
HKLM\System\CurrentControlSet\Control\SCMConfig!EnableSvchostMitigationPolicy
HKLM\Software\Policies\Microsoft\Windows\System!HiberbootEnabled
HKLM\Software\Policies\Microsoft\Windows\System!AllowBlockingAppsAtShutdown
HKLM\Software\Policies\Microsoft\Windows\StorageHealth!AllowDiskHealthModelUpdates
HKLM\Software\Policies\Microsoft\Windows\StorageSense!AllowStorageSenseGlobal
HKLM\Software\Policies\Microsoft\Windows\StorageSense!AllowStorageSenseTemporaryFilesClean
HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseGlobalCadence; HKL
HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseCloudContentDehydr
HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseRecycleBinCleanupTh
HKLM\Software\Policies\Microsoft\Windows\StorageSense!ConfigStorageSenseDownloadsCleanupTh
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore!DisableConfig
HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore!DisableSR
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI!ScenarioExecutionEnabled; HKLM\SOFTWARE\Pol
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI!DataRetentionBySizeEnabled; HKLM\SOFTWARE\P
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{88D69CE1-577A-4dd9-87AE-AD36D3CD9643}!Sc
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{659F08FB-2FAB-42a7-BD4F-566CFA528769}!Sce
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{acfd1ca6-18b6-4ccf-9c07-580cdb6eded4}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{D113E4AA-2D07-41b1-8D9B-C065194A791D}!Sc
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{081D3213-48AA-4533-9284-D98F01BDC8E6}!Sc
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePcaUI
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{affc81e2-612a-4f70-6fb2-916ff5c7e3f8}!Scenar
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{8519d925-541e-4a2b-8b1e-8059d16082f2}!Scen
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD}!Dfd
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{29689E29-2CE9-4751-B4FC-8EFF5066E3FD}!Sce
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{dc42ff48-e40d-4a60-8675-e71f7e64aa9a}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5}!Sce
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{C295FBBA-FD47-46ac-8BEE-B1715EC634E5}!Do
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy!DisableQueryRe
HKLM\Software\Policies\Microsoft\Windows\Troubleshooting\AllowRecommendations!Troublesho
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{54077489-683b-4762-86c8-02cf87a33423}!Scen
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScheduledDiagnostics!EnabledExecution; HKLM\SOFT
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics!ValidateTrust
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics!EnableDiagnostics
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnosticsProvider\Policy!EnableQueryRem
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{67144949-5132-4859-8036-a737b43825d8}!Sce
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{eb73b633-3f4e-4ba0-8f60-8f3c6f53168f}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{3af8b24a-c441-4fa4-8c5c-bed591bfa867}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{2698178D-FDAD-40AE-9D3C-1371703ADC5B}!Sc
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{ffc42108-4920-4acf-a4fc-8abdcc68ada4}!Scena
HKLM\SOFTWARE\Policies\Microsoft\Windows\WDI\{a7a5847a-7511-4e4e-90b1-45ad2a002f51}!Scen
HKLM\Software\Policies\Microsoft\TPM!OSManagedAuthLevel
HKLM\SOFTWARE\Policies\Microsoft\Tpm\BlockedCommands!Enabled; HKLM\SOFTWARE\Policies\M
HKLM\Software\Policies\Microsoft\TPM!ClearTPMIfNotReadyGP
HKLM\Software\Policies\Microsoft\TPM!UseLegacyDictionaryAttackParameters
HKLM\Software\Policies\Microsoft\TPM\BlockedCommands!IgnoreDefaultList
HKLM\Software\Policies\Microsoft\TPM\BlockedCommands!IgnoreLocalList
HKLM\Software\Policies\Microsoft\Tpm!StandardUserAuthorizationFailureIndividualThreshold; HKLM
HKLM\Software\Policies\Microsoft\Tpm!StandardUserAuthorizationFailureDuration; HKLM\Software\
HKLM\Software\Policies\Microsoft\Tpm!StandardUserAuthorizationFailureTotalThreshold; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\System!AddAdminGroupToRUP
HKLM\Software\Policies\Microsoft\Windows\System!UserProfileMinTransferRate HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\System!DeleteRoamingCache
HKLM\Software\Policies\Microsoft\Windows\System!CleanupProfiles
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkDetectEnabled
HKLM\Software\Policies\Microsoft\Windows\System!CompatibleRUPSecurity
HKLM\Software\Policies\Microsoft\Windows\System!DisableForceUnload
HKLM\Software\Policies\Microsoft\Windows\System!ProfileErrorAction
HKLM\Software\Policies\Microsoft\Windows\System!PrimaryComputerEnabledRUP
HKLM\Software\Policies\Microsoft\Windows\System!ProfileDlgTimeOut
HKLM\Software\Policies\Microsoft\Windows\System!LeaveAppMgmtData
HKLM\Software\Policies\Microsoft\Windows\System!ProfileUnloadTimeout
HKLM\Software\Policies\Microsoft\Windows\System!LocalProfile
HKLM\Software\Policies\Microsoft\Windows\System!ReadOnlyProfile
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkUIEnabled
HKLM\Software\Policies\Microsoft\Windows\System!WaitForNetwork
HKLM\Software\Policies\Microsoft\Windows\System!MachineProfilePath
HKLM\Software\Policies\Microsoft\Windows\System!UploadHiveMethod HKLM\Software\Policies\M
HKLM\Software\Policies\Microsoft\Windows\System!HomeDirLocation HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\Windows\AdvertisingInfo!DisabledByGroupPolicy
HKLM\Software\Policies\Microsoft\Windows\System!AllowUserInfoAccess; HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\Windows\System!SlowLinkProfileDefault
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcShowProgress
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcQuota
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SfcScan
HKLM\Software\Policies\Microsoft\Windows NT\Windows File Protection!SFCDllCacheDir
HKLM\Software\Policies\Microsoft\W32Time\Config!FrequencyCorrectRate HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\W32time\Parameters!NtpServer HKLM\Software\Policies\Microso
HKLM\Software\Policies\Microsoft\W32time\TimeProviders\NtpClient!Enabled
HKLM\Software\Policies\Microsoft\W32Time\TimeProviders\NtpServer!Enabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller!ApprovedList; HKLM\SOFTWARE\Policies\M
HKLM\SOFTWARE\Policies\Microsoft\Windows\AxInstaller\AxISURLZonePolicies!InstallTrustedOCX
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU!Disabled
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\AppModel\StateManager!AllowShare
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowAllTrustedApps
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowDeploymentInSpecialProfiles
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowDevelopmentWithoutDevLicense
HKLM\Software\Policies\Microsoft\Windows\Appx!AllowAutomaticAppArchiving
HKLM\Software\Policies\Microsoft\Windows\Appx!RestrictAppToSystemVolume
HKLM\Software\Policies\Microsoft\Windows\Appx!DisableBackgroundAutoUpdates
HKLM\Software\Policies\Microsoft\Windows\Appx!DisableMeteredNetworkBackgroundAutoUpdate
HKLM\Software\Policies\Microsoft\Windows\Appx!BlockNonAdminUserInstall
HKLM\Software\Policies\Microsoft\Windows\Appx!RestrictAppDataToSystemVolume
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessAccountInfo HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessGazeInput HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCallHistory HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessContacts HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsGetDiagnosticInfo HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessEmail HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessLocation HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessMessaging HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessMotion HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessNotifications HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessTasks HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCalendar HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessCamera HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessMicrophone HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessTrustedDevices HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessBackgroundSpatialPercepti
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsActivateWithVoice
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsActivateWithVoiceAboveLock
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsSyncWithDevices HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessRadios HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessPhone HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsRunInBackground HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessGraphicsCaptureProgramma
HKLM\Software\Policies\Microsoft\Windows\AppPrivacy!LetAppsAccessGraphicsCaptureWithoutBo
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!MSAOptional
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockFileElevation
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockProtocolElevation
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!BlockHostedAppAccessWinRT
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Packages\Applications!EnableDynamicC
HKLM\Software\Policies\Microsoft\Windows\AppCompat!VDMDisallowed
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePropPage
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableEngine
HKLM\Software\Policies\Microsoft\Windows\AppCompat!AITEnable
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableInventory
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisablePCA
HKLM\Software\Policies\Microsoft\Windows\AppCompat!DisableUAR
HKLM\Software\Policies\Microsoft\Windows\AppCompat!SbEnable
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoAutoplayfornonVolume
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DontSetAutoplayCheckbox
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutorun
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!OnlySystemBackup
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoBackupToDisk
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoBackupToNetwork
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoBackupToOptical
HKLM\Software\Policies\Microsoft\Windows\Backup\Server!NoRunNowBackup
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider!Domain Accounts
HKLM\SOFTWARE\Policies\Microsoft\Biometrics!Enabled
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider!Enabled
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\Credential Provider!SwitchTimeoutInSeconds
HKLM\SOFTWARE\Policies\Microsoft\Biometrics\FacialFeatures!EnhancedAntiSpoofing
HKLM\SOFTWARE\Policies\Microsoft\FVE!DefaultRecoveryFolderPath
HKLM\SOFTWARE\Policies\Microsoft\FVE!EncryptionMethodWithXtsOs HKLM\SOFTWARE\Policies\M
HKLM\SOFTWARE\Policies\Microsoft\FVE!EncryptionMethodNoDiffuser
HKLM\SOFTWARE\Policies\Microsoft\FVE!EncryptionMethod
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseRecoveryPassword HKLM\SOFTWARE\Policies\Microso
HKLM\Software\Policies\Microsoft\FVE!DisableExternalDMAUnderLock
HKLM\Software\Policies\Microsoft\FVE!MorBehavior
HKLM\Software\Policies\Microsoft\FVE!IdentificationField; HKLM\Software\Policies\Microsoft\FVE!Id
HKLM\Software\Policies\Microsoft\FVE!ActiveDirectoryBackup; HKLM\Software\Policies\Microsoft\F
HKLM\Software\Policies\Microsoft\FVE!CertificateOID
HKLM\Software\Policies\Microsoft\FVE!FDVDiscoveryVolumeType; HKLM\Software\Policies\Micros
HKLM\SOFTWARE\Policies\Microsoft\FVE!FDVRecovery; HKLM\SOFTWARE\Policies\Microsoft\FVE!F
HKLM\SOFTWARE\Policies\Microsoft\FVE!FDVHardwareEncryption; HKLM\SOFTWARE\Policies\Micros
HKLM\Software\Policies\Microsoft\FVE!FDVPassphrase; HKLM\Software\Policies\Microsoft\FVE!FD
HKLM\Software\Policies\Microsoft\FVE!FDVAllowUserCert; HKLM\Software\Policies\Microsoft\FVE!
HKLM\System\CurrentControlSet\Policies\Microsoft\FVE!FDVDenyWriteAccess
HKLM\SOFTWARE\Policies\Microsoft\FVE!FDVEncryptionType; HKLM\SOFTWARE\Policies\Microsoft
HKLM\Software\Policies\Microsoft\FVE!OSEnablePreBootPinExceptionOnDECapableDevice
HKLM\Software\Policies\Microsoft\FVE!UseEnhancedPin
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSManageNKP
HKLM\Software\Policies\Microsoft\FVE!OSAllowSecureBootForIntegrity
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSRecovery; HKLM\SOFTWARE\Policies\Microsoft\FVE!OS
HKLM\Software\Policies\Microsoft\FVE!MinimumPIN
HKLM\Software\Policies\Microsoft\FVE!RecoveryKeyMessageSource HKLM\Software\Policies\Micro
HKLM\SOFTWARE\Policies\Microsoft\FVE\PlatformValidation!Enabled; HKLM\SOFTWARE\Policies\Mic
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_BIOS!Enabled; HKLM\SOFTWARE\Poli
HKLM\SOFTWARE\Policies\Microsoft\FVE\OSPlatformValidation_UEFI!Enabled; HKLM\SOFTWARE\Poli
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSHardwareEncryption; HKLM\SOFTWARE\Policies\Microso
HKLM\Software\Policies\Microsoft\FVE!OSPassphrase; HKLM\Software\Policies\Microsoft\FVE!OSPa
HKLM\Software\Policies\Microsoft\FVE!DisallowStandardUserPINReset
HKLM\Software\Policies\Microsoft\FVE!OSEnablePrebootInputProtectorsOnSlates
HKLM\SOFTWARE\Policies\Microsoft\FVE!OSEncryptionType; HKLM\SOFTWARE\Policies\Microsoft\
HKLM\SOFTWARE\Policies\Microsoft\FVE!UseAdvancedStartup; HKLM\SOFTWARE\Policies\Micros
HKLM\SOFTWARE\Policies\Microsoft\FVE!EnableNonTPM HKLM\SOFTWARE\Policies\Microsoft\FVE!U
HKLM\Software\Policies\Microsoft\FVE!TPMAutoReseal
HKLM\Software\Policies\Microsoft\FVE!OSUseEnhancedBcdProfile; HKLM\Software\Policies\Microsoft
HKLM\Software\Policies\Microsoft\FVE!RDVDiscoveryVolumeType; HKLM\Software\Policies\Micros
HKLM\SOFTWARE\Policies\Microsoft\FVE!RDVRecovery; HKLM\SOFTWARE\Policies\Microsoft\FVE!R
HKLM\SOFTWARE\Policies\Microsoft\FVE!RDVHardwareEncryption; HKLM\SOFTWARE\Policies\Micros
HKLM\Software\Policies\Microsoft\FVE!RDVPassphrase; HKLM\Software\Policies\Microsoft\FVE!RD
HKLM\Software\Policies\Microsoft\FVE!RDVAllowUserCert; HKLM\Software\Policies\Microsoft\FVE
HKLM\Software\Policies\Microsoft\FVE!RDVConfigureBDE; HKLM\Software\Policies\Microsoft\FVE
HKLM\System\CurrentControlSet\Policies\Microsoft\FVE!RDVDenyWriteAccess; HKLM\Software\Pol
HKLM\SOFTWARE\Policies\Microsoft\FVE!RDVEncryptionType; HKLM\SOFTWARE\Policies\Microsoft
HKLM\software\Policies\Microsoft\Camera!AllowCamera
HKLM\Software\Policies\Microsoft\Windows\Windows Chat!ChatIcon
HKLM\Software\Policies\Microsoft\Windows\CloudContent!DisableSoftLanding
HKLM\Software\Policies\Microsoft\Windows\CloudContent!DisableConsumerAccountStateContent
HKLM\Software\Policies\Microsoft\Windows\CloudContent!DisableCloudOptimizedContent
HKLM\Software\Policies\Microsoft\Windows\CloudContent!DisableWindowsConsumerFeatures
HKLM\Software\Policies\Microsoft\Windows\Connect!AllowProjectionToPC
HKLM\Software\Policies\Microsoft\Windows\Connect!RequirePinForPairing; HKLM\Software\Policie
HKLM\Software\Policies\Microsoft\Windows\CredUI!DisablePasswordReveal
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI!EnumerateAdministrators
HKLM\Software\Policies\Microsoft\Windows\System!NoLocalPasswordResetQuestions
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\CredUI!EnableSecureCredentialPrompt
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowCommercialDataPipeline
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowDesktopAnalyticsProcessing
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowDeviceNameInTelemetry
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowTelemetry
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowUpdateComplianceProcessing
HKLM\Software\Policies\Microsoft\Windows\DataCollection!AllowWUfBCloudProcessing
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableEnterpriseAuthProxy; HKLM\Soft
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection!MicrosoftEdgeDataOpt
HKLM\Software\Policies\Microsoft\Windows\DataCollection!TelemetryProxyServer
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableTelemetryOptInChangeNotificat
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableTelemetryOptInSettingsUx; HKL
HKLM\Software\Policies\Microsoft\Windows\DataCollection!ConfigureMicrosoft365UploadEndpoint
HKLM\Software\Policies\Microsoft\Windows\DataCollection!CommercialId
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableDeviceDelete
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableDiagnosticDataViewer
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DisableOneSettingsDownloads
HKLM\Software\Policies\Microsoft\Windows\DataCollection!DoNotShowFeedbackNotifications
HKLM\Software\Policies\Microsoft\Windows\DataCollection!EnableOneSettingsAuditing
HKLM\Software\Policies\Microsoft\Windows\DataCollection!LimitDiagnosticLogCollection
HKLM\Software\Policies\Microsoft\Windows\DataCollection!LimitDumpCollection
HKLM\Software\Policies\Microsoft\Windows\DataCollection!LimitEnhancedDiagnosticDataWindowsA
HKLM\Software\Policies\Microsoft\Windows\PreviewBuilds!AllowBuildPreview
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOAbsoluteMaxCacheSize
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMinBatteryPercentageAllo
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOCacheHost
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOCacheHostSource
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODelayCacheServerFallbackB
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODelayBackgroundDownloa
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODelayCacheServerFallbackF
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODelayForegroundDownload
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DODownloadMode
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOAllowVPNPeerCaching
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOGroupId
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMaxCacheAge
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMaxCacheSize
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMaxBackgroundDownloadB
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOPercentageMaxBackgroun
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMaxForegroundDownloadB
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOPercentageMaxForeground
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMinBackgroundQos
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMinDiskSizeAllowedToPeer
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMinFileSizeToCache
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMinRAMAllowedToPeer
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOModifyCacheDrive
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOMonthlyUploadDataCap
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DORestrictPeerSelectionBy
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOGroupIdSource
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOSetHoursToLimitBackgrou
HKLM\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization!DOSetHoursToLimitForegrou
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUnsignedGa
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffSidebar
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUserInstalle
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowFlip3d
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowAnimations
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisableAccentGradient
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowColorizationColorChanges
HKLM\SOFTWARE\Policies\Microsoft\Windows\DWM!DefaultColorizationColorState; HKLM\SOFTWAR
HKLM\System\CurrentControlSet\Policies\Microsoft\Compatibility!DisableDeviceFlags
HKLM\System\CurrentControlSet\Policies\Microsoft\Compatibility!DisableDriverShims
HKLM\Software\Policies\Microsoft\Windows\WorkplaceJoin!autoWorkplaceJoin
HKLM\SOFTWARE\Policies\Microsoft\Windows\Digital Locker!DoNotRunDigitalLocker
HKLM\Software\Policies\Microsoft\Windows\EdgeUI!AllowEdgeSwipe
HKLM\Software\Policies\Microsoft\Windows\EdgeUI!DisableHelpSticker
HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding!MaxForwardingRate
HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!ChannelAccess
HKLM\System\CurrentControlSet\Services\EventLog\Application!CustomSD
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\Application!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!ChannelAccess
HKLM\System\CurrentControlSet\Services\EventLog\Security!CustomSD
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\Security!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!ChannelAccess
HKLM\System\CurrentControlSet\Services\EventLog\Setup!CustomSD
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\Setup!Enabled
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!AutoBackupLogFiles
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!ChannelAccess
HKLM\System\CurrentControlSet\Services\EventLog\System!CustomSD
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!Retention
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!File
HKLM\Software\Policies\Microsoft\Windows\EventLog\System!MaxSize
HKLM\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging!EnableProtectedEvent
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionProgram
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionProgramCommandLineParame
HKLM\Software\Policies\Microsoft\EventViewer!MicrosoftRedirectionURL
HKLM\Software\Policies\Microsoft\Windows\Explorer!EnableShellShortcutIconRemotePath
HKLM\Software\Policies\Microsoft\Windows\System!EnableSmartScreen; HKLM\Software\Policies\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableBindDirectlyToPropert
HKLM\Software\Policies\Microsoft\Windows\Explorer!DisableRoamedProfileInit
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoNewAppAlert
HKLM\Software\Policies\Microsoft\Windows\Explorer!DefaultLibrariesLocation
HKLM\Software\Policies\Microsoft\Windows\System!DefaultAssociationsConfiguration
HKLM\Software\Policies\Microsoft\Windows\Explorer!AdminInfoUrl
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowHibernateOption
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowLockOption
HKLM\Software\Policies\Microsoft\Windows\Explorer!ShowSleepOption
HKLM\Software\Policies\Microsoft\Windows\Explorer!ExplorerRibbonStartsMinimized; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoDataExecutionPrevention
HKLM\Software\Policies\Microsoft\Windows\Explorer!NoHeapTerminationOnCorruption
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStrCmpLogical
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreXPSP2ShellProtocolBehavi
HKLM\Software\Policies\Microsoft\Windows\Explorer!CheckSameSourceAndTargetForFRAndDFS
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableLocalPage
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableRemotePage
HKLM\Software\Policies\Microsoft\PreviousVersions!HideBackupEntries
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableLocalRestore
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableBackupRestore
HKLM\Software\Policies\Microsoft\PreviousVersions!DisableRemoteRestore
HKLM\Software\Policies\Microsoft\Windows\FileHistory!Disabled
HKLM\SOFTWARE\Policies\Microsoft\FindMyDevice!AllowFindMyDevice
HKLM\Software\Policies\Microsoft\Handwriting!PanelDefaultModeDocked
HKLM\Software\Policies\Microsoft\Windows\HomeGroup!DisableHomeGroup
HKLM\Software\Policies\Microsoft\HumanPresence!ForceInstantLock; HKLM\Software\Policies\Mic
HKLM\Software\Policies\Microsoft\HumanPresence!ForceInstantWake; HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\HumanPresence!ForceLockTimeout
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!AddPolicySearchProvi
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!AllowSaveTargetAsInI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!ShutdownWaitForOnUnload
HKLM\Software\Policies\Microsoft\Internet Explorer!AllowServicePoweredQSA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!IgnoreFrameApprovalCheck
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!NeedEdgeBrowser HKLM
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!Version
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoJITSetup
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Autoconfig
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connection Settings HKLM\Softw
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\SecondaryStartPages
HKLM\Software\Policies\Microsoft\Internet Explorer!DisableImportExportFavorites
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NotifyDisableIEOptions
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoUpdateCheck
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSplash
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoMSAppLogo5ChannelNotif
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExtensionManagement
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!EnableExtendedIEMode
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus; HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!EnableAutoUpgrade
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!KeepIntranetSitesInInte
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!Enable
HKLM\Software\Microsoft\Internet Explorer\WMITelemetry!DomainAllowList
HKLM\Software\Microsoft\Internet Explorer\WMITelemetry!ZoneAllowList
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxySettingsPerUser
HKLM\Software\Policies\Microsoft\Internet Explorer\New Windows!ListBox_Support_Allow; HKLM\S
HKLM\Software\Policies\Microsoft\Internet Explorer\Security!DisableFixSecuritySettings
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpMenu
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverride
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverrideAppRepUnknow
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!DisablePopupFilterLevel
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Proxy
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChangeDefaultSea
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AllowWindowReuse
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!OpenInForeground
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSearchBox
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!RestrictPopupExceptionList
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV9
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\SQM!DisableCustomerImprovementProgram
HKLM\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX!BlockNonAdminActiveXInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableFirstRunCustomize
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!JScriptReplacement
HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!UsePolicySearchProv
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_zones_map_
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_options_edi
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!Security_HKLM_only
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!RestrictIE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!TabProcGrowth
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!ShowMessageWhenOpen
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!NewTabPageShow
HKLM\Software\Policies\Microsoft\Windows\AxInstaller!OnlyUseAXISForActiveXInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableAddSiteMode
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!NoFirsttimeprompt
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!DisableAddonLoadTimePerformance
HKLM\Software\Policies\Microsoft\Internet Explorer\Recovery!AutoRecover
HKLM\Software\Policies\Microsoft\Internet Explorer\Geolocation!PolicyDisableGeolocation
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!PopupsUseNewWindow
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection
HKLM\Software\Policies\Microsoft\Internet Explorer\LinksBar!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV8
HKLM\Software\Policies\Microsoft\Internet Explorer\ZOOM!ZoomDisabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPopupManagement
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!QuickTabsThreshold
HKLM\Software\Policies\Microsoft\Internet Explorer\Recovery!NoReopenLastSession
HKLM\Software\Policies\Microsoft\Internet Explorer\SearchScopes!ShowSearchSuggestionsGlobal
HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!Enabled
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!AutoSuggest
HKLM\Software\Policies\Microsoft\Internet Explorer\SearchScopes!DisplayQuickPick
HKLM\Software\Policies\Microsoft\Internet Explorer\Security!DisableSecuritySettingsCheck
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering!IsEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus
HKLM\Software\Microsoft\Internet Explorer\WMITelemetry!Active
HKLM\Software\Microsoft\Internet Explorer\WMITelemetry!XMLPath
HKLM\Software\Policies\Microsoft\Internet Explorer\Suggested Sites!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!SiteList
HKLM\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesDefaultInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesInstall
HKLM\Software\Policies\Microsoft\Internet Explorer\Activities\Restrictions!UsePolicyActivitiesOnly
HKLM\Software\Policies\Microsoft\Internet Explorer\Activities!NoActivities
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_Featur
HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPrinting
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoReportSiteProblems
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!MSCompatibilityMode
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!DisableSiteListEditing
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowCompatibilityViewButton
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!AllSitesCompatibilityMode
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!IntranetCompatibilityMode
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CodeBaseSearchPath
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!ClearBrowsingHistoryOnExit
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!History; HKLM\Software\Policie
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteBrowsingHistory
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTrackingProtection
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanCookies
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanDownloadHistory
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!UseAllowList
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteForms
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanInPrivateBlocking
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeletePasswords
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTIF
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanHistory
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!Settings
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!AdvancedTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!ConnectionsTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!ContentTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!GeneralTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!PrivacyTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!ProgramsTab
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!SecurityTab
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!PreventIgnoreCertErr
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnablePunyCode
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Protocols\Mailto!UT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALM
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoWebJITSetup
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableHTTP2
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableSPDY3_0
HKLM\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Enable Browser Extensions
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DoNotTrack
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!NoUpdateCheck
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CertificateRevocation
HKLM\Software\Policies\Microsoft\Internet Explorer\Download!CheckExeSignatures
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisableEPMCompat
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableRIED
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DisableCachingOfSSL
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache!Persistent
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Play_Animations
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Play_Background_Sounds
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Display Inline Videos
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!UseClearType
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!SecureProtocols
HKLM\Software\Policies\Microsoft\Internet Explorer\PrefetchPrerender!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Security\P3Global!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel!UTF8URLQuery
HKLM\Software\Policies\Microsoft\Internet Explorer\FlipAhead!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Isolation64Bit
HKLM\Software\Policies\Microsoft\Internet Explorer\CaretBrowsing!EnableOnStartup
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Isolation
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableHttp1_1
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxyHttp1.1
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!ShowContentAdvisor
HKLM\Software\Policies\Microsoft\Internet Explorer\ContinuousBrowsing!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!AllowWebsiteCach
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!AllowWebsiteData
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!MaxTrustedDomai
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!GarbageCollection
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage!DefaultDomainCacheLimitInM
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!MaxTrustedDoma
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestSingleRe
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestResource
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!TotalLimitInMB
HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!TotalLimitInMB
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Template Policies!In
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!IntranetN
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!UNCAsIntr
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!ProxyByPa
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Settings\Template Policies!In
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Settings\Template
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings\Template P
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings\Template P
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Lockdown Setting
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings\Tem
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings\Templ
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Settings\Template Polic
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_Zo
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Settings\Template Policie
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!AutoDetec
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnBadCertRecv
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnIntranet
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1406
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120b
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120c
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180E
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180F
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!140C
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120A
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1A04
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1C00
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!270B
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1E05
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!ApplicationTileImmersiveActivation
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AssociationActivationMode
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!GotoIntranetSiteForSingleWordEntry
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!HideNewEdgeButton
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FormatDetection!PhoneNumberEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!EnableAlternativeCodec
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!AutoSearch
HKLM\Software\Policies\Microsoft\Internet Explorer\SearchScopes!TopResult
HKLM\Software\Policies\Microsoft\Internet Explorer\DomainSuggestion!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\WindowsSearch!EnabledScopes
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion!IEAKUpdateUrl
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Update_Check_Page
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!Update_Check_Interval
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!Threshold
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!TrackingProtectionThreshold
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableToolbars
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableLogging
HKLM\Software\Policies\Microsoft\Internet Explorer\Privacy!EnableInPrivateBrowsing
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableInPrivateBlocking
HKLM\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableTrackingProtection
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DisablePasswordReveal
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!DEPOff
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATAURI!iexpl
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_Support_CLSID; HKLM\Soft
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MA
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RunThisTimeEnabled
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!VersionCheckEnabled
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_DomainAllowlist; HKLM\So
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!AuditModeEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!XMLHTTP
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOC
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET!ie
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XDOMAINREQU
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_All
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!*
HKLM\Software\Policies\Microsoft\Internet Explorer\Security!ENABLE_MD2_MD4
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!(Re
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEAT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDL
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FE
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMAC
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACH
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_F
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFIN
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_L
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_F
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAN
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACH
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEA
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVAT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEA
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACT
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_F
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FI
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RES
HKLM\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_REST
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!TextOption
HKLM\Software\Policies\Microsoft\Internet Explorer\MINIE!ShowTabsBelowAddressBar
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!CommandBarEnabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Main!StatusBarWeb
HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbar!Locked
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowLeftAddressToolbar
HKLM\Software\Policies\Microsoft\Internet Explorer\IEDevTools!Disabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions!DisableToolbarUpgrader
HKLM\Software\Policies\Microsoft\Internet Explorer\CommandBar!SmallIcons
HKLM\Software\Policies\Microsoft\Windows NT\IIS!PreventIISInstall
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocation
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocationScripting
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableSensors
HKLM\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableWindowsLocationProvider
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance!Activation Boundary
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance!Randomized; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler\Maintenance!WakeUp
HKLM\Software\Policies\Microsoft\Windows\Maps!AutoDownloadAndUpdateMapData
HKLM\Software\Policies\Microsoft\Windows\Maps!AllowUntriggeredNetworkTrafficOnSettingsPage
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\MDM!DisableRegistration
HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\MDM!AutoEnrollMDM; HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\Messaging!AllowMessageSync
HKLM\Software\Policies\Microsoft\MicrosoftAccount!DisableUserAuth
HKLM\Software\Policies\Microsoft\Windows Defender!ServiceKeepAlive
HKLM\Software\Policies\Microsoft\Windows Defender!AllowFastServiceStartup
HKLM\Software\Policies\Microsoft\Windows Defender!PUAProtection; HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\Windows Defender!DisableLocalAdminMerge
HKLM\Software\Policies\Microsoft\Windows Defender!SchedulerRandomizationTime; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows Defender!ProxyBypass
HKLM\Software\Policies\Microsoft\Windows Defender!ProxyPacUrl
HKLM\Software\Policies\Microsoft\Windows Defender!ProxyServer
HKLM\Software\Policies\Microsoft\Windows Defender!SupportLogLocation
HKLM\Software\Policies\Microsoft\Windows Defender!RandomizeScheduleTaskTimes
HKLM\Software\Policies\Microsoft\Windows Defender!DisableAntiSpyware
HKLM\Software\Policies\Microsoft\Windows Defender!DisableRoutinelyTakingAction
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration!CustomDefaultActionToastS
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration!UILockdown
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration!Notification_Suppress
HKLM\Software\Policies\Microsoft\Windows Defender\UX Configuration!SuppressRebootNotificatio
HKLM\Software\Policies\Microsoft\Windows Defender\Device Control\Policy Groups!PolicyGroups
HKLM\Software\Policies\Microsoft\Windows Defender\Device Control\Policy Rules!PolicyRules
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_Extensions; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_IpAddresses; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_Paths; HKLM\Software
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!Exclusions_Processes; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows Defender\Exclusions!DisableAutoExclusions
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!LocalSettingOverrideSpynetReportin
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!DisableBlockAtFirstSeen
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!SpynetReporting; HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows Defender\Spynet!SubmitSamplesConsent; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR!Explo

HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\ASR!Explo
HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled F
HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network Pr
HKLM\Software\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Network P
HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!MpBafsExtendedTimeout; HKLM\S
HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!EnableFileHashComputation
HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine!MpCloudBlockLevel; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS\SKU Differentiation!Nis_
HKLM\Software\Policies\Microsoft\Windows Defender\NIS!DisableDatagramProcessing
HKLM\Software\Policies\Microsoft\Windows Defender\NIS\Consumers\IPS!DisableSignatureRetirem
HKLM\Software\Policies\Microsoft\Windows Defender\NIS!DisableProtocolRecognition
HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine!LocalSettingOverridePurgeItemsA
HKLM\Software\Policies\Microsoft\Windows Defender\Quarantine!PurgeItemsAfterDelay; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!LocalSettingOverrideDi
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!LocalSettingOverrideRe
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!RealtimeScanDirection;
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!IOAVMaxSize; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableOnAccessProtec
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableIOAVProtection
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableRealtimeMonito
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableBehaviorMonito
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableScanOnRealtim
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableRawWriteNotifi
HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection!DisableScriptScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Remediation!LocalSettingOverrideScan_Sch
HKLM\Software\Policies\Microsoft\Windows Defender\Remediation!Scan_ScheduleDay; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows Defender\Remediation!Scan_ScheduleTime; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!CriticalFailureTimeout; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!NonCriticalTimeout; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!RecentlyCleanedTimeout; HKLM\S
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!AdditionalActionTimeout; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!DisableGenericRePorts
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!WppTracingComponents; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!WppTracingLevel; HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows Defender\Reporting!DisableEnhancedNotifications
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!AllowPause
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!CheckForSignaturesBeforeRunningScan
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideAvgCPULoadFacto
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScheduleDay
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScheduleQuickSca
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScheduleTime
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LocalSettingOverrideScanParameters
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!LowCpuPriority
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableRestorePoint
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!MissedScheduledScanCountBeforeCatc
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableScanningMappedNetworkDrives
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableArchiveScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableScanningNetworkFiles
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableRemovableDriveScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScheduleDay; HKLM\Software\Policies
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!QuickScanInterval; HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ArchiveMaxDepth; HKLM\Software\Pol
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!AvgCPULoadFactor; HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ArchiveMaxSize; HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScanParameters; HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScheduleQuickScanTime; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScheduleTime; HKLM\Software\Policie
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!ScanOnlyIfIdle
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableCatchupFullScan
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableCatchupQuickScan
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableEmailScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableHeuristics
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!PurgeItemsAfterDelay; HKLM\Software\
HKLM\Software\Policies\Microsoft\Windows Defender\Scan!DisableReparsePointScanning
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SignatureDisableNotificat
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!RealtimeSignatureDeliver
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ForceUpdateFromMU
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DisableScheduledSignatu
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!MeteredConnectionUpda
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!UpdateOnStartUp
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DefinitionUpdateFileShar
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SharedSignatureRoot
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SignatureUpdateCatchupIn
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ASSignatureDue; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!AVSignatureDue; HKLM\So
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!FallbackOrder
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DisableUpdateOnStartup
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ScheduleDay; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!SignatureUpdateInterval;
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!ScheduleTime; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows Defender\Signature Updates!DisableScanOnUpdate
HKLM\Software\Policies\Microsoft\Windows Defender\Threats!Threats_ThreatSeverityDefaultAction
HKLM\Software\Policies\Microsoft\Windows Defender\Threats!Threats_ThreatIdDefaultAction; HKL
HKLM\SOFTWARE\Policies\Microsoft\AppHVSI!AuditApplicationGuard
HKLM\SOFTWARE\Policies\Microsoft\AppHVSI!AllowCameraMicrophoneRedirection
HKLM\SOFTWARE\Policies\Microsoft\AppHVSI!AllowPersistence
HKLM\SOFTWARE\Policies\Microsoft\AppHVSI!SaveFilesToHost
HKLM\SOFTWARE\Policies\Microsoft\AppHVSI!AllowVirtualGPU
HKLM\SOFTWARE\Policies\Microsoft\AppHVSI!CertificateThumbprints HKLM\SOFTWARE\Policies\Mi
HKLM\SOFTWARE\Policies\Microsoft\AppHVSI!AppHVSIClipboardSettings HKLM\SOFTWARE\Policies\
HKLM\SOFTWARE\Policies\Microsoft\AppHVSI!AppHVSIPrintingSettings
HKLM\SOFTWARE\Policies\Microsoft\AppHVSI!BlockNonEnterpriseContent
HKLM\SOFTWARE\Policies\Microsoft\AppHVSI!AllowAppHVSI_ProviderSet
HKLM\Software\Policies\Microsoft\Windows Defender ExploitGuard\Exploit Protection!ExploitProtec
HKLM\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary!UseSharedFolderForBooks
HKLM\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI!ShowOneBox
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Addons!FlashPlayerEnabled
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Privacy!ClearBrowsingHistoryOnExit
HKLM\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary!AllowConfigurationUpdateForBooks
HKLM\Software\Policies\Microsoft\MicrosoftEdge\F12!AllowDeveloperTools
HKLM\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary!EnableExtendedBooksTelemetry
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions!ExtensionsEnabled
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowFullScreenMode
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowInPrivate
HKLM\Software\Policies\Microsoft\MicrosoftEdge\BrowserEmulation!MSCompatibilityMode
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowPrelaunch
HKLM\Software\Policies\Microsoft\MicrosoftEdge\TabPreloader!AllowTabPreloading
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowPrinting
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowSavingHistory
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Protected - It is a violation of Windows Policy t
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions!AllowSideloadingOfExtensions
HKLM\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI!AllowWebContentOnNewTabPage
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!AlwaysEnableBooksLibrary
HKLM\Software\Policies\Microsoft\MicrosoftEdge\OpenSearch!ConfigureAdditionalSearchEngines
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!Use FormSuggest
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!Cookies
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!DoNotTrack
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings\ProvisionedFavorites
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!ConfigureFavoritesBar
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!ConfigureHomeButton
HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode!ConfigureKioskMode; HKLM\Software
HKLM\Software\Policies\Microsoft\MicrosoftEdge\KioskMode!ConfigureKioskResetAfterIdleTimeout
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!ConfigureOpenMicrosoftEdgeWi
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!FormSuggest Passwords
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowPopups
HKLM\Software\Policies\Microsoft\MicrosoftEdge\SearchScopes!ShowSearchSuggestionsGlobal
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!ProvisionedHomePages
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Security!FlashClickToRunMode
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode!SiteList
HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!EnabledV9
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!DisableLockdownOfStartPages
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowMixedModePrintingInPDF
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!SyncFavoritesBetweenIEAndMicrosoftEdge
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!PreventAccessToAboutFlagsInMicrosoftEdg
HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!PreventOverrideAppRepUnknown
HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!PreventOverride
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!PreventCertErrorOverrides
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites!LockdownFavorites
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!PreventLiveTileDataCollection
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!PreventFirstRunPage
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Extensions!PreventTurningOffRequiredExtensions
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!HideLocalHostIP
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Favorites!ConfiguredFavorites
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!SendIntranetTraffictoInternetExplorer
HKLM\Software\Policies\Microsoft\MicrosoftEdge\OpenSearch!SetDefaultSearchEngine
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!HomeButtonURL
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!NewTabPageURL
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main!ShowMessageWhenOpeningSitesInInternetE
HKLM\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!UnlockHomeButton
HKLM\SOFTWARE\Policies\Microsoft\SecondaryAuthenticationFactor!AllowSecondaryAuthenticatio
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncMethod HKLM\Software\Policies\M
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!ContactITDescription
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!ContactITUrl
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!DontSyncWindows8AppSettings
HKLM\Software\Policies\Microsoft\UEV\Agent!Enabled; HKLM\Software\Policies\Microsoft\Window
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!FirstUseNotificationEnabled
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncProviderPingEnabled
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!MaxPackageSizeInBytes
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SettingsStoragePath
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SettingsTemplateCatalogPath HKLM\So
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncOverMeteredNetwork
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncOverMeteredNetworkWhenRoam
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncUnlistedWindows8Apps
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncTimeoutInMilliseconds
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings!DesktopSettings HKL
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!TrayIconEnabled
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncEnabled
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings!VdiState; HKLM\Soft
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Bac
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftCalculator6
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013B
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016B
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Back
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplore
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplo
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Back
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Back
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win3
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2010
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Win32
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Win32
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Wi
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Win
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Offi
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Of
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Of
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Offic
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Offic
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Off
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Offic
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Offic
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftNotepad6
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Ba
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftWordpad6
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingFin
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.XboxLI
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingMa
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneMu
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingNe
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.Reader_
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingSpo
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingTra
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneVi
HKLM\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingWe
HKLM\Software\Policies\Microsoft\Conferencing!NoRDS
HKLM\Software\Policies\Microsoft\Windows\OneDrive!DisableMeteredNetworkFileSync
HKLM\SOFTWARE\Microsoft\OneDrive!PreventNetworkTrafficPreUserSignIn
HKLM\Software\Policies\Microsoft\Windows\OneDrive!DisableFileSyncNGSC
HKLM\Software\Policies\Microsoft\Windows\OneDrive!DisableFileSync
HKLM\Software\Policies\Microsoft\Windows\OneDrive!DisableLibrariesDefaultSaveToOneDrive
HKLM\Software\Policies\Microsoft\Assistance\Client\1.0!NoActiveHelp
HKLM\Software\Policies\Microsoft\Windows\OOBE!DisablePrivacyExperience
HKLM\System\CurrentControlSet\Policies\Microsoft\PortableOperatingSystem!Hibernate
HKLM\System\CurrentControlSet\Policies\Microsoft\PortableOperatingSystem!Sleep
HKLM\Software\Policies\Microsoft\PortableOperatingSystem!Launcher
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings!NoPresentationSe
HKLM\Software\Policies\Microsoft\PushToInstall!DisablePushToInstall
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!fSecureLicensing
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services!fPreventLicenseUpgrade
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowUnsignedFiles
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowSignedFiles
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AuthenticationLevel
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client!EnableHardwareMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DisablePasswordSaving
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!PromptForCredsOnClient
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!TrustedCertThumbprints
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client!fClientDisableUDP
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\Client!fUsbRedirectionEnable
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDenyTSConnections
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableAutoReconnect
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!KeepAliveEnable; HKLM\SOFTWAR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableForcibleLogoff
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxInstanceCount
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fSingleSessionPerUser
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SelectNetworkDetect
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SelectTransport
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!Shadow
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\AllUserInstallAgent!LogonWait
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCam
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableAudioCapture
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableTimeZoneRedirection
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!EnableUiaRedirection
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableClip
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCcm
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCdm
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableLocationRedir
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableLPT
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableSmartCard
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisablePNPRedir
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCameraRedir
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowedAudioQualityMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableTerminalServerTooltip
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!LicensingMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!LicenseServers
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fDisableCpm
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fForceClientLptDef
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPolicyFallbackPrintDriver; HK
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UseUniversalPrinterDriverFirst
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DeleteRoamingUserProfile; HKL
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFProfilePath
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFHomeDirUNC HKLM\SOFTWAR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!WFDontAppendUserNameToPro
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryClusterName
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryLocation
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryActive
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SessionDirectoryExposeServerI
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fTurnOffSingleAppMode
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxCompressionLevel
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AVCHardwareEncodePreferred
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!ImageQuality
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!GraphicsProfile
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableVirtualizedGraphics
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fNoRemoteDesktopWallpaper
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!ColorDepth
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxXResolution HKLM\SOFTWAR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxMonitors
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AVC444ModePreferred
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDisconnect
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNTSecurity
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!InitialProgram HKLM\SOFTWARE
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableRemoteFXAdvancedR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!bEnumerateHWBeforeSW
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableWddmDriver
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEnableVirtualizedGraphics
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!VisualExperiencePolicy
HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services\!VGOptimization_CaptureFrameR
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fPromptForPassword
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fWritableTSCCPermTab
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fEncryptRPCTraffic
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!SecurityLayer
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UserAuthentication
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!CertTemplateName
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MinEncryptionLevel
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fResetBroken
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxConnectionTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DeleteTempDirsOnExit
HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!PerSessionTempDir
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableFeedPane
HKLM\Software\Policies\Microsoft\Internet Explorer\Feed Discovery!Enabled
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableEnclosureDownload
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableAddRemove
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!BackgroundSyncStatus
HKLM\Software\Policies\Microsoft\Internet Explorer\Feeds!AllowBasicAuthInClear
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PrimaryIntranetSearchScopeUrl
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!SecondaryIntranetSearchScopeUrl
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCloudSearch; HKLM\SOFTWARE
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCortana
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCortanaAboveLock
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowCortanaInAAD; HKLM\SOFTWA
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowIndexingEncryptedStoresOrIt
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowSearchToUseLocation
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AllowUsingDiacritics
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AlwaysUseAutoLangDetection
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!RichAttachmentPreviews
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultExcludedPaths
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultIndexedPaths
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableBackoff
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableRemovableDriveIndexing
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DisableWebSearch
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWeb
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchUseWebOverMete
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!EnableIndexingDelegateMailboxes
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingUncachedExchange
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!EnableThrottlingOnlineMailboxes;
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!DataDirectory
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!HideUNCTab
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!FavoriteLocations
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!AutoIndexSharedFolders
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventRemoteQueries
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventModifyingIndexedLocation
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingCertainPaths
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingEmailAttachments
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingOfflineFiles
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingOutlook
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ExcludedExtensionsMultiline0 HKLM
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingPublicFolders
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexOnBattery
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventUsingAdvancedIndexingOpt
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventUnwantedAddins
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreviewPaneLocation
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!SearchResultIconSize
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchSafeSearch; HKLM
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!ConnectedSearchPrivacy; HKLM\SO
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventIndexingLowDiskSpaceMB
HKLM\Software\Policies\Microsoft\Windows NT\Security Center!SecurityCenterInDomain
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ShutdownSessionTimeout
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableShutdownNamedPipe
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowCertificatesWit
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!EnumerateECCCerts
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowIntegratedUnblo
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowSignatureOnlyKe
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!AllowTimeInvalidCertif
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!X509HintsNeeded
HKLM\SOFTWARE\Policies\Microsoft\Windows\CertProp!RootCertificateCleanupOption
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!IntegratedUnblockPro
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!FilterDuplicateCerts
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!ForceReadingAllCertifi
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScPnP!ScPnPNotification
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!DisallowPlaintextPin
HKLM\SOFTWARE\Policies\Microsoft\Windows\SmartCardCredentialProvider!ReverseSubject
HKLM\SOFTWARE\Policies\Microsoft\Windows\CertProp!CertPropEnabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\CertProp!EnableRootCertificatePropagation
HKLM\SOFTWARE\Policies\Microsoft\Windows\ScPnP!EnableScPnP
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform!Allo
HKLM\Software\Policies\Microsoft\Windows NT\CurrentVersion\Software Protection Platform!NoGe
HKLM\SOFTWARE\Policies\Microsoft\SoundRecorder!Soundrec
HKLM\Software\Policies\Microsoft\Speech!AllowSpeechModelUpdate
HKLM\Software\Policies\Microsoft\WindowsStore!DisableStoreApps
HKLM\Software\Policies\Microsoft\WindowsStore!RequirePrivateStoreOnly
HKLM\Software\Policies\Microsoft\WindowsStore!AutoDownload
HKLM\Software\Policies\Microsoft\WindowsStore!AutoDownload
HKLM\Software\Policies\Microsoft\WindowsStore!DisableOSUpgrade
HKLM\Software\Policies\Microsoft\WindowsStore!RemoveWindowsStore
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableSettingSync; HKLM\Software\Polici
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableApplicationSettingSync; HKLM\Soft
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableAppSyncSettingSync; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableWebBrowserSettingSync; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableDesktopThemeSettingSync; HKLM\S
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableSyncOnPaidNetwork
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableWindowsSettingSync; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableCredentialsSettingSync; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisablePersonalizationSettingSync; HKLM\S
HKLM\Software\Policies\Microsoft\Windows\SettingSync!DisableStartLayoutSettingSync; HKLM\Soft
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableInkball
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableNoteWriterPrinting
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableSnippingTool
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!DisableJournal
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPenFeedback
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonBackEscapeMapping
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonApplicationLaunch
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonPressAndHold
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffButtons
HKLM\software\policies\microsoft\TabletTip\1.7!DisablePrediction
HKLM\software\policies\microsoft\TabletTip\1.7!HideIPTIPTarget
HKLM\software\policies\microsoft\TabletTip\1.7!HideIPTIPTouchTarget
HKLM\software\policies\microsoft\TabletTip\1.7!IncludeRareChar
HKLM\software\policies\microsoft\TabletTip\1.7!DisableEdgeTarget
HKLM\software\policies\microsoft\TabletTip\1.7!DisableACIntegration
HKLM\software\policies\microsoft\TabletTip\1.7!PasswordSecurityState; HKLM\software\policies\mi
HKLM\software\policies\microsoft\TabletTip\1.7!ScratchOutState; HKLM\software\policies\microsof
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicksLearningMode
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicks
HKLM\SOFTWARE\Policies\Microsoft\PenTraining!DisablePenTraining
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffTouchInput
HKLM\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPanning
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Disable Advanced
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Property Pages
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Execution
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Allow Browse
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!DragAndDrop
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Creation
HKLM\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Deletion
HKLM\SOFTWARE\Policies\Microsoft\Windows\TenantRestrictions\Payload!cloudid HKLM\SOFTWARE\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput!AllowLanguageFeaturesUnins
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\TextInput!AllowLinguisticDataCollectio
HKLM\SOFTWARE\Policies\Microsoft\Dsh!AllowNewsAndInterests
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Windows!TurnOffWinCal
HKLM\Software\Policies\Microsoft\Windows\WindowsColorSystem!ProhibitInstallUninstall
HKLM\Software\Policies\Microsoft\SQMClient!CorporateSQMURL
HKLM\Software\Policies\Microsoft\SQMClient\Windows!StudyId; HKLM\Software\Policies\Microso
HKLM\Software\Policies\Microsoft\Windows Defender\SmartScreen!ConfigureAppInstallControlEnab
HKLM\Software\Policies\Microsoft\Windows\System!EnableSmartScreen; HKLM\Software\Policies\
HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!EnabledV9
HKLM\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!PreventOverride
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!AutoApproveOSDumps
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\DW!DWNoExternalURL HKLM\Software\
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!LoggingDisabled
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!Disabled
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!ShowUI; HKLM\Software\Policies\Mic
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassDataThrottling
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontShowUI
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassPowerThrottling
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassNetworkCostThrottl
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!CorporateWerServer HKL
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableArchive; HKLM\SOF
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableQueue; HKLM\SOFT
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!AllOrNone HKLM\Software\Policies\Mi
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\InclusionList
HKLM\Software\Policies\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting\ExclusionList
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!IncludeKernelFaults
HKLM\Software\Policies\Microsoft\PCHealth\ErrorReporting!IncludeShutdownErrs
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultConsent
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent
HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultOverrideB
HKLM\Software\Policies\Microsoft\Windows\GameDVR!AllowGameDVR
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!AllowAllUserAccessToSmartCardNode
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DeviceUnlock!GroupA HKLM\SOFTWARE\Polic
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork\DynamicLock!DynamicLock; HKLM\SOFTWARE\
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!DisableSmartCardNode
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!RequireSecurityDevice; HKLM\SOFTWARE\Pol
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WinBio\Credential Provider!Domain Account
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!UseCertificateForOnPremAuth
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!UseCloudTrustForOnPremAuth
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!EnablePinRecovery
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!Enabled; HKLM\SOFTWARE\Policies\Microsoft
HKLM\SOFTWARE\Policies\Microsoft\PassportForWork!UseHelloCertificatesAsSmartCardCertificates
HKLM\Software\Policies\Microsoft\WindowsInkWorkspace!AllowSuggestedAppsInWindowsInkWork
HKLM\Software\Policies\Microsoft\WindowsInkWorkspace!AllowWindowsInkWorkspace; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\Installer!EnableUserControl
HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownBrowse
HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownPatch
HKLM\Software\Policies\Microsoft\Windows\Installer!AllowLockdownMedia
HKLM\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated
HKLM\Software\Policies\Microsoft\Windows\Installer!MaxPatchCacheSize
HKLM\Software\Policies\Microsoft\Windows\Installer!EnforceUpgradeComponentRules
HKLM\Software\Policies\Microsoft\Windows\Installer!MsiDisableEmbeddedUI
HKLM\Software\Policies\Microsoft\Windows\Installer!SafeForScripting
HKLM\Software\Policies\Microsoft\Windows\Installer!DisablePatch
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableFlyweightPatching
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLUAPatching
HKLM\Software\Policies\Microsoft\Windows\Installer!DisablePatchUninstall
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableRollback
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableAutomaticApplicationShutdown
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableUserInstalls
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableBrowse
HKLM\Software\Policies\Microsoft\Windows\Installer!TransformsSecure
HKLM\Software\Policies\Microsoft\Windows\Installer!Logging
HKLM\Software\Policies\Microsoft\Windows\Installer!LimitSystemRestoreCheckpointing
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableLoggingFromPackage
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableSharedComponent
HKLM\Software\Policies\Microsoft\Windows\Installer!DisableMSI
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!AutomaticRestartSignOnConfi
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!SoftwareSASGeneration
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisplayLastLogonInfo
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!ReportControllerMissing
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableAutomaticRestartSignO
HKLM\Software\Policies\Microsoft\WMDRM!DisableOnline
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!GroupPrivacyAcceptance
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DisableAutoUpdate
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DesktopShortcut
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!PreventLibrarySharing
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!QuickLaunchShortcut
HKLM\Software\Policies\Microsoft\WindowsMediaPlayer!DontUseFrameInterpolation
HKLM\Software\Policies\Microsoft\Messenger\Client!PreventRun
HKLM\Software\Policies\Microsoft\Messenger\Client!PreventAutoRun
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter!NoMobilityCenter
HKLM\Software\Policies\Microsoft\Windows\PowerShell\UpdatableHelp!EnableUpdateHelpDefaultS
HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging!EnableModuleLogging; H
HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging!EnableScriptBlockLoggi
HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription!EnableTranscripting; HKLM\S
HKLM\Software\Policies\Microsoft\Windows\PowerShell!EnableScripts; HKLM\Software\Policies\Mi
HKLM\SOFTWARE\Policies\Microsoft\Windows\Reliability Analysis\WMI!WMIEnable
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowBasic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowCredSSP
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowUnencryptedTraffic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowDigest
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowKerberos
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!AllowNegotiate
HKLM\Software\Policies\Microsoft\Windows\WinRM\Client!TrustedHosts; HKLM\Software\Policies\
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowBasic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowCredSSP
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowAutoConfig; HKLM\Software\Polic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowUnencryptedTraffic
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowKerberos
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!AllowNegotiate
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!DisableRunAs
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!CBTHardeningLevelStatus; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!HttpCompatibilityListener
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service!HttpsCompatibilityListener
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!AllowRemoteShellAccess
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxConcurrentUsers
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!IdleTimeout HKLM\Software\P
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxMemoryPerShellMB
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxProcessesPerShell
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!MaxShellsPerUser
HKLM\Software\Policies\Microsoft\Windows\WinRM\Service\WinRS!ShellTimeOut
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowAudioInput
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowClipboardRedirection
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowNetworking
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowPrinterRedirection
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowVGPU
HKLM\SOFTWARE\Policies\Microsoft\Windows\Sandbox!AllowVideoInput
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Account protection!UILoc
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protecti
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device performance and h
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security!DisableCl
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security!UILockdo
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security!HideSecur
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security!HideTPMT
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security!Disable
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization!
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customizatio
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Enterprise Customization!U
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Family options!UILockdow
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Firewall and network prot
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications!DisableNotifi
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications!DisableEnhan
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Systray!HideSystray
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protect
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Virus and threat protecti
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!AutoInstallMinorUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!ElevateNonAdmins
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetAutoRestartNotificationConfig; H
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetAutoRestartRequiredNotificationDi
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetRestartWarningSchd; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RebootWarningTimeoutEnabled;
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUAsDefaultShutdownOption
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableDualScan
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUShutdownOption
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!AUPowerManagement
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoRebootWithLoggedOnUse
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RebootRelaunchTimeoutEnabled;
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!RescheduleWaitTimeEnabled; HK
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetAutoRestartDeadline; HKLM\Softw
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetEngagedRestartTransitionSchedul
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetAutoRestartNotificationDisable
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!IncludeRecommendedUpdates
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!EnableFeaturedSoftware
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!AllowAutoWindowsUpdateDownloa
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!AlwaysAutoRebootAtScheduledT
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAutoUpdate; HKLM\Software\Po
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetUpdateNotificationLevel; HKLM\So
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetDisablePauseUXAccess
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetDisableUXWUAccess
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetActiveHoursMaxRange; HKLM\Sof
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetComplianceDeadline; HKLM\Softwa
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetActiveHours; HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!SetEDURestart
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!AcceptTrustedPublisherCerts
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!DetectionFrequencyEnabled; HKL
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DoNotConnectToWindowsUpdateInte
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!TargetGroupEnabled; HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!UseWUServer HKLM\Software\Poli
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!UseUpdateClassPolicySource HKLM
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DisableWUfBSafeguards
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!ExcludeWUDriversInQualityUpdate
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!ManagePreviewBuildsPolicyValue; H
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!TargetReleaseVersion; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DeferFeatureUpdates; HKLM\Softwar
HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!DeferQualityUpdates; HKLM\Software
HKLM\Software\Policies\Microsoft\Windows\WorkFolders!AutoProvision
Supported On
At least Windows Server 2016 Windows 10 Version 1709
At least Windows Server 2012 Windows 8 or Windows RT
Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1 only
At least Windows Server 2012 R2 Windows 8.1 or Windows RT 8.1
At least Windows 10
At least Windows Server 2016 Windows 10
At least Windows Vista
At least Microsoft Windows Vista or Windows Server 2003 family
At least Windows Server 2008 R2 or Windows 7
Only Windows 7 Windows Server 2008 Windows Server 2008R2 Windows Server 2012
Windows Server 2008 and newer
At least Windows Server 2003 operating systems or Windows XP Professional
Windows 7 or computers with BITS 3.5 installed.
Windows XP SP2 or Windows Server 2003 SP1 or computers with BITS 2.0 installed.
Windows 8 or Windows Server 2012 or Windows RT or computers with BITS 5 installed.
Windows XP or Windows Server 2003 or computers with BITS 1.5 installed.
At least Windows 7 or Windows Server 2008 R2*
Windows XP Professional only
At least Windows 2000
At least Windows XP Professional with SP2
Windows Server 2003 and Windows XP only

Windows Server 2003 Windows XP and Windows 2000 only
At least Windows Server 2003 operating systems Service Pack 1 Windows XP Professional Service Pa
Windows Server 2008 Windows 7 Windows Vista and Windows 10
At least Windows 10
Windows 2000 only
At least Windows Server 2003
At least Windows Server 2016 or Windows 10
Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista Windows XP and Windows 1
Windows Server 2003 only
At least Windows Server 2003 operating systems or Windows XP Professional with SP1
At least Internet Explorer 6 Service Pack 1


Windows Server 2008 Windows 7 and Windows Vista
Windows Server 2016 Version 1709 Windows 10 Version 1709 Windows Server 2016 Version 1703
Windows Server 2016 Version 1709 Windows 10 Version 1709 Windows Server 2016 Version 1703

Windows Server 2008 Windows Server 2003 Windows Vista and Windows XP SP2


At least Windows Server 2003 operating systems Windows XP Professional Service Pack 1 or Windows
At least Windows Server 2003 operating systems with SP1 or Windows XP Professional with SP2
Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista and Windows XP

Windows Server 2003 and versions of Windows from Windows XP Professional through Windows 7.
Windows Server 2008 R2 and Windows 7
Windows 2000 only
Windows operating systems from Windows Vista through Windows 7
At least Windows 10
At least Windows Server 2012 R2 or Windows 8.1
Unknown
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
Windows Vista only
Windows Vista only
At least Windows 10
At least Windows 10
At least Windows 10
Windows Server 2008 and Windows Server 2008 R2 operating systems only
Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
Windows Server 2008 with Desktop Experience installed or Windows Vista
Windows Server 2008 with Desktop Experience installed or Windows Vista
At least Windows Server 2003 operating systems Windows XP Professional Service Pack 1 or Windows
At least Windows 8.1 Update 2
At least Windows 8.1 Update 2
Windows Server 2008 and Windows Vista
Windows Server 2012 R2 Windows 8.1 Windows Server 2012 Windows 8 Windows Server 2008 Wind

At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows Server 2012 Windows 8 or Windows RT or at least Internet Explorer 10
Microsoft Edge on Windows 10 Version 1803 or later
Windows Server 2016 Windows 10 up to Version 1703
Supported Windows Vista through Windows 7
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Internet Explorer 7.0
Only Internet Explorer 5.0 and Internet Explorer 6.0
At least Internet Explorer 11.0 on Windows 10
Only Internet Explorer 5.0
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Servic
At least Internet Explorer 7.0. Not supported on Windows Vista
At least Internet Explorer 11.0 on Windows 10 vertion 1607 or later
Internet Explorer 7.0 to Internet Explorer 10.0
Only Internet Explorer 5.0 through Internet Explorer 7.0
Only Internet Explorer 6.0 in Windows 2003 Service Pack 1
Only Internet Explorer 11.0 on Windows 8.1
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1. Not supported on Windows Vista
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 throu
At least Internet Explorer 7.0 in Windows Vista
At least Internet Explorer 11.0 on Windows 10 version 1703 or later
Only Internet Explorer 9.0 through 11.0. Not supported on Windows 10
Windows Server 2012 Windows 8 Windows RT Windows Server 2012 R2 Windows 8.1 or Windows RT
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
Unknown
Unknown

Unknown
Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Ente
Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Applica
Windows 10 Enterprise Windows 10 Education or later
Microsoft Edge on Windows 10 or later
at least Windows NetMeeting v3.0
At least Windows Vista with Service Pack 1
At least Windows 8 or Windows RT
At least Windows 7 with Service Pack 1 or Windows Server 2008 R2 with Service Pack 1
At least Windows XP and Windows Server 2003 only
Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista an
At least Windows 8 Enterprise or Windows Server 2012
Unknown
Unknown
At least Windows Server 2003 with Service Pack 1
Windows Server 2003 with Service Pack 1 only
At least Windows Server 2008 R2
At least Windows Server 2003 Enterprise Edition
At least Windows 2000 Terminal Services
At least Windows 2000 Terminal Services
Windows 10 Version 1903 Windows 10 Version 1909 and Windows 10 Version 2004
Windows 7 or Windows Server 2008 R2 (and their subsequent Service Packs) only
Microsoft Windows XP or Windows Server 2003 with Windows Search version 3.01 or later
Microsoft Windows Vista or any version of Windows with Windows Search 4.0 or later
Microsoft Windows 8 or later
Microsoft Windows XP Windows Server 2003 with Windows Search version 3.01 or any version of Mi
Any version of Microsoft Windows with Windows Search 4.0 or later
Microsoft Windows 8.1 or later
Microsoft Windows 8.1 or later
Microsoft Windows 8.1. Not supported on Windows 10 or later
Any version of Microsoft Windows with Windows Search 4.0
Microsoft Windows Vista or later
Microsoft Windows XP Windows Server 2003 with Windows Search version 3.01 or any version of M
At least Windows Vista Service Pack 1
Windows Vista only
Windows Vista only
Windows Vista only
At least Windows 10 Version 1909
At least Windows 10
Windows Vista only
Windows Server 2016 Version 1703 Windows 10 Version 1703 Windows 10 Windows 8.1 Windows 8
Windows 8.1 Windows 8 Windows 7 and Windows Vista only
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10 Redstone
At least Windows 10 Redstone
Windows Installer v3.0
Microsoft Windows XP or Windows 2000 with Windows Installer v2.0
Windows Media Player 9 Series and later.
Windows Media Player 11 for Windows XP or Windows Media Player 11 for Windows Vista or later.
At least Microsoft Windows 7 or Windows Server 2008 family

Unknown
Unknown
Unknown
Unknown
Unknown
Unknown
At least Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3 through
At least Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3 through
Windows Server 2016 through Windows Server 2022 or Windows 10
Windows 7 Windows Server 2008 R2 Windows Vista Windows Server 2003 Windows XP SP2 Windows
Windows 7 Windows Server 2008 R2 Windows Vista Windows XP SP2
Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3
At least Windows Vista through Windows 8.1 or Windows Server 2012 R2 with most current service
Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3Option 7 only supported on servers of at leas
At least Windows Server 2003 operating systems or Windows XP Professional with SP1 excluding Wi
At least Windows XP Professional Service Pack 1 or Windows 2000 Service Pack 3 excluding Windows
Help Text
Enables or disables the retrieval of online tips and help for the Settings app.If disabled Settings will not contact Microsoft cont
Specifies the list of pages to show or hide from the System Settings app.This policy allows an administrator to block a given set
This policy setting controls whether the lock screen appears for users.If you enable this policy setting users that are not requir
Forces Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB.By de
This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file.
Forces the Start screen to use one of the available backgrounds 1 through 20 and prevents the user from changing it.If this setti
Prevents users from changing the background image shown when the machine is locked or when on the logon screen.By defau
Prevents users from changing the look of their start menu background such as its color or accent.By default users can change
Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen.By
Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen.By defaul
This policy setting controls whether the lock screen image is static or has a subtle panning effect driven by the device's acceler
This policy specifies whether users on the device have the option to enable online speech recognition services. If
This policy setting controls whether the LPRemove task will run to clean up language packs installed on a machine but ar
This policy setting controls which UI language is used for computers with more than one UI language installed.If you enable th
This policy setting restricts all users from installing language packs and language features on demand packages. This policy
This policy setting restricts the Windows UI language for all users.This is a policy setting for computers with more than one UI
This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic lear
This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account
When you enable this setting planned password expiration longer than password age dictated by "Password Settings" policy is
Enables management of password for local administrator accountIf you enable this setting local administrator password is ma
Administrator account name: name of the local account you want to manage password for. DO NOT configure when you use
Configures password parametersPassword complexity: which characters are used when generating a new password Default: L
This setting controls whether local accounts can be used for remote administration via network logon (e.g. NET USE connectin
This policy setting controls whether the Adobe Flash control can be activated by Office documents. Note that activation blocki
APPLIES ONLY TO: Windows 7 and Windows Servers 2008 2008R2 and 2012 (NOT 2012R2):To disable client-side processing of
Configures the SMB v1 client driver's start type.To disable client-side processing of the SMBv1 protocol select the "Enabled" ra
Disabling this setting disables server-side processing of the SMBv1 protocol. (Recommended.)Enabling this setting enables ser
If this setting is enabled SEHOP is enforced. For more information see https://support.microsoft.com/en-us/help/956607/how
Beginning with the Windows 10 and Windows Server v2004 security baseline this setting has been moved to Security Options\
Determines whether users that aren't Administrator can install print drivers on this computer.By default users that aren't Adm
Enable LSA protection. For more information see http://technet.microsoft.com/en-us/library/dn408187.aspx
Enable auditing of Lsass.exe to evaluate feasibility of enabling LSA protection. For more information see http://technet.micros
The NetBT NodeType setting determines what methods NetBT uses to register and resolve names:* A B-node computer uses b
This setting controls whether "Run As Different User" appears on the Shift+RightClick context menu for .bat .cmd .exe and .ms
This policy setting controls JScript execution per Security Zone within Internet Explorer and WebBrowser Control (WebOC) for
Beginning with Windows 10 v1809 and Windows Server v1809 this functionality should instead be configured through the foll
When WDigest authentication is enabled Lsass.exe retains a copy of the user's plaintext password in memory where it can be
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure envir
MSS: (AutoShareServer) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments)
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
MSS: (DisableSavePassword) Prevent the dial-up passsword from being saved (recommended)
MSS: (EnableDeadGWDetect) Allow automatic detection of dead network gateways (could lead to DoS)
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments)
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic.
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS)
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended)
MSS: (SynAttackProtect) Syn attack protection level (protects against DoS)
MSS: (TcpMaxConnectResponseRetransmissions) SYN-ACK retransmissions when a connection request is not acknowledged
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended 5 is defaul
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended 5 is default)
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning
This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain contro
This policy setting determines if the Background Intelligent Transfer Service (BITS) peer caching feature is enabled on a specific
This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache componen
This policy setting specifies whether the computer will act as a BITS peer caching client. By default when BITS peer caching is e
This policy setting specifies whether the computer will act as a BITS peer caching server. By default when BITS peer caching is
This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) peer cache. In order to
This policy setting limits the maximum amount of disk space that can be used for the BITS peer cache as a percentage of the to
This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files
This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transf
This policy setting limits the network bandwidth that BITS uses for peer cache transfers (this setting does not affect transfers f
This policy setting limits the number of BITS jobs that can be created by a user. By default BITS limits the total number of jobs
This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default BITS limits the to
This policy setting limits the number of files that a BITS job can contain. By default a BITS job is limited to 200 files. You can use
This policy setting limits the number of ranges that can be added to a file in a BITS job. By default files in a BITS job are limited
This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for backgroun
This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned
This policy setting is used only when you have deployed one or more BranchCache-enabled file servers at your main office. Th
This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to mainta
This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer na
This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by se
This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client comp
This policy setting specifies whether BranchCache distributed cache mode is enabled on client computers to which this policy i
This policy setting specifies whether BranchCache hosted cache mode is enabled on client computers to which this policy is ap
This policy setting specifies the default percentage of total disk space that is allocated for the BranchCache disk cache on clien
This policy setting specifies whether BranchCache is enabled on client computers to which this policy is applied. In addition to
Specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies th
Specifies commands configured by the administrator for custom logging. These commands will run in addition to default log co
Specifies whether NCA service runs in Passive Mode or not.Set this to Disabled to keep NCA probing actively all the time. If thi
Specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For e
Specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA a
Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networkin
Specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. W
Specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon.Se
Specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the
Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting
Specifies if the DNS client will perform name resolution over DNS over HTTPS (DoH).By default the DNS client will do classic DN
Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes and those confi
Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes
Specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.An un
Specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update
Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form a canonical Un
Specifies that responses from link local name resolution protocols received over a network interface that is higher in the bindi
Specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution.To use this policy setti
Specifies if the DNS client performs primary DNS suffix devolution during the name resolution process.With devolution a DNS
Specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolu
Specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of
Specifies if DNS client computers will register PTR resource records.By default DNS clients configured to perform dynamic DNS
Specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to comp
Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.This policy
Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this p
Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on
Specifies that link local multicast name resolution (LLMNR) is disabled on client computers.LLMNR is a secondary name resoluti
Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance
Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over
Specifies the security level for dynamic DNS updates.To use this policy setting click Enabled and then select one of the followin
Specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level d
This policy setting determines whether Windows is allowed to download fonts and font catalog data from an online font p
This policy setting defines whether WLAN hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protoco
This policy setting determines the cipher suites used by the SMB server.If you enable this policy setting cipher suites are priori
This policy setting specifies whether a hash generation service generates hashes also called content information for data that
This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes version 2 (V2) ha
This policy setting determines how the SMB server selects a cipher suite when negotiating a new connection with an SMB clien
This policy setting determines the cipher suites used by the SMB client.If you enable this policy setting cipher suites are prioriti
This policy setting determines if the SMB client will allow insecure guest logons to an SMB server.If you enable this policy setti
This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Conti
This policy setting determines the behavior of Offline Files on clients connecting to an SMB share where the Continuous A
This policy setting changes the operational behavior of the Mapper I/O network protocol driver.LLTDIO allows a computer to d
This policy setting changes the operational behavior of the Responder network protocol driver.The Responder allows a compu
By default when a Peer Group is created that allows for password-authentication (or the password for such a Group is change
This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety and will cause all dependent applications to sto
This policy setting limits a node to resolving but not publishing names in a specific Peer Name Resolution Protocol (PNRP) clou
This setting sets the seed server for the global cloud to a specified node in the enterprise. The Peer Name Resolution Protocol
This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in th
This policy setting enables or disables PNRP cloud creation.PNRP is a distributed name resolution protocol allowing Internet ho
This setting sets the seed server for the link local cloud to a specified node in the enterprise.The Peer Name Resolution Protoc
This setting sets the seed server for the site local cloud to a specified node in the enterprise.The Peer Name Resolution Protoc
Specifies whether or not the "local access only" network icon will be shown.When enabled the icon for Internet access will be
Determines whether a user can install and configure the Network Bridge.Important: This settings is location aware. It only app
Prohibits use of Internet Connection Firewall on your DNS domain network.Determines whether users can enable the Internet
Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet con
This policy setting determines whether to require domain users to elevate when setting a network's location.If you enable this
This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whet
Allows unsolicited incoming messages from specified systems that authenticate using the IPsec transport.If you enable this po
Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Defender Firewall allows. Utilities c
Allows inbound file and printer sharing. To do this Windows Defender Firewall opens UDP ports 137 and 138 and TCP ports 13
Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC)
Allows this computer to receive inbound Remote Desktop requests. To do this Windows Defender Firewall opens TCP port 338
Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices such as routers with buil
Allows administrators to use the Windows Defender Firewall component in Control Panel to define a local port exceptions list.
Allows administrators to use the Windows Defender Firewall component in Control Panel to define a local program exceptions
Allows Windows Defender Firewall to record information about the unsolicited incoming messages that it receives.If you enab
Allows you to view and change the inbound port exceptions list defined by Group Policy. Windows Defender Firewall uses two
Allows you to view and change the program exceptions list defined by Group Policy. Windows Defender Firewall uses two prog
Specifies that Windows Defender Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Wind
Prevents Windows Defender Firewall from displaying notifications to the user when a program requests that Windows Defend
Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages.If you enable this po
Turns on Windows Defender Firewall.If you enable this policy setting Windows Defender Firewall runs and ignores the "Compu
Defines the set of Internet Control Message Protocol (ICMP) message types that Windows Defender Firewall allows. Utilities c
Allows inbound file and printer sharing. To do this Windows Defender Firewall opens UDP ports 137 and 138 and TCP ports 13
Allows remote administration of this computer using administrative tools such as the Microsoft Management Console (MMC)
Allows this computer to receive inbound Remote Desktop requests. To do this Windows Defender Firewall opens TCP port 338
Allows this computer to receive unsolicited inbound Plug and Play messages sent by network devices such as routers with buil
Allows administrators to use the Windows Defender Firewall component in Control Panel to define a local port exceptions list.
Allows administrators to use the Windows Defender Firewall component in Control Panel to define a local program exceptions
Allows Windows Defender Firewall to record information about the unsolicited incoming messages that it receives.If you enab
Allows you to view and change the inbound port exceptions list defined by Group Policy. Windows Defender Firewall uses two
Allows you to view and change the program exceptions list defined by Group Policy. Windows Defender Firewall uses two prog
Specifies that Windows Defender Firewall blocks all unsolicited incoming messages. This policy setting overrides all other Wind
Prevents Windows Defender Firewall from displaying notifications to the user when a program requests that Windows Defend
Prevents this computer from receiving unicast responses to its outgoing multicast or broadcast messages.If you enable this po
Turns on Windows Defender Firewall.If you enable this policy setting Windows Defender Firewall runs and ignores the "Compu
This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolutio
This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful reso
This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachab
This policy setting enables you to specify the URL of the corporate website against which an active probe is performed.
This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current do
This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is c
This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network s
This setting does not apply to desktop apps.A comma-separated list of domain names that can be used as both work or perso
This setting does not apply to desktop apps.A pipe-separated list of domain cloud resources. Each cloud resource can also be
This setting does not apply to desktop apps.A semicolon-separated list of Internet proxy server IP addresses. These addresses
This setting does not apply to desktop apps.A semicolon-separated list of intranet proxy server IP addresses. These addresses
This setting does not apply to desktop apps.A comma-separated list of IP address ranges that are in your corporate network.If
This setting does not apply to desktop apps.Turns off Windows Network Isolation's automatic proxy discovery in the domain c
This setting does not apply to desktop apps.Turns off Windows Network Isolation's automatic discovery of private network ho
This policy setting configures secure access to UNC paths.If you enable this policy Windows only allows access to the specified
Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files
This policy setting determines whether the Offline Files feature is enabled. Offline Files saves a copy of network files on the us
Deletes local copies of the user's offline files when the user logs off.This setting specifies that automatically and manually cach
This policy setting controls when background synchronization occurs while operating in slow-link mode and applies to any use
Configures the threshold value at which Offline Files considers a network connection to be "slow". Any network speed below t
This policy setting controls the network latency and throughput thresholds that will cause a client computers to transition files
Limits the percentage of the computer's disk space that can be used to store automatically cached offline files.This setting also
This policy setting enables administrators to block certain file types from being created in the folders that have been made ava
This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on
This policy setting controls whether files read from file shares over a slow network are transparently cached in the Offline Files
This policy setting determines whether offline files are encrypted.Offline files are locally cached copies of files from a network
Determines which events the Offline Files feature records in the event log.Offline Files records events in the Application log in
Lists types of files that cannot be used offline.This setting lets you exclude certain types of files from automatic and manual ca
Determines how long the first reminder balloon for a network status change is displayed.Reminder balloons appear when the
This policy setting limits the amount of disk space that can be used to store offline files. This includes the space used by autom
Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the
Disables the Offline Files folder.This setting disables the "View Files" button on the Offline Files tab. As a result users cannot us
Prevents users from enabling disabling or changing the configuration of Offline Files.This setting removes the Offline Files tab f
Determines how often reminder balloon updates appear.If you enable this setting you can select how often reminder balloons
Determines how long updated reminder balloons are displayed.Reminder balloons appear when the user's connection to a ne
This policy setting prevents users from making network files and folders available offline.If you enable this policy setting users
This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" com
This policy setting removes the "Work offline" command from Explorer preventing users from manually changing whether Offl
This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files an
Makes subfolders available offline whenever their parent folder is made available offline.This setting automatically extends th
Determines whether offline files are fully synchronized when users log off.This setting also disables the "Synchronize all offline
Determines whether offline files are fully synchronized when users log on.This setting also disables the "Synchronize all offline
Determines whether offline files are synchonized before a computer is suspended.If you enable this setting offline files are syn
Hides or displays reminder balloons and prevents users from changing the setting.Reminder balloons appear above the Offline
This policy setting allows you to turn on economical application of administratively assigned Offline Files.If you enable or do no
Specifies the maximum number of outstanding packets permitted on the system. When the number of outstanding packets re
Determines the percentage of connection bandwidth that the system can reserve. This value limits the combined bandwidth r
Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Sch
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (Ser
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service typ
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (S
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service typ
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (Se
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (Ser
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service typ
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (S
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service typ
Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (Se
Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). Th
Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlle
Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed)
Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetwor
Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Sc
Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). T
This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service.S
This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP)
This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent.Simple Network Man
This policy setting determines the priority order of ECC curves used with ECDHE cipher suites.If you enable this policy setting E
This policy setting determines the cipher suites used by the Secure Socket Layer (SSL).If you enable this policy setting SSL ciphe
This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 ne
This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interv
This policy setting allows you to configure 6to4 an address assignment and router-to-router automatic tunneling technology th
This policy setting allows you to configure IP-HTTPS a tunneling technology that uses the HTTPS protocol to provide IP connecti
This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router.If you
This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) an address-to-router and
This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0 the
This policy setting allows you to set Teredo to be ready to communicate a process referred to as qualification. By default Tered
This policy setting allows you to configure the Teredo refresh rate.Note: On a periodic basis (by default every 30 seconds) Tere
This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client com
This policy setting allows you to configure Teredo an address assignment and automatic tunneling technology that provides un
This policy setting allows you to configure IP Stateless Autoconfiguration Limits.If you enable or do not configure this policy se
This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify con
This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enable
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting the wizards are t
This policy setting specifies that power management is disabled when the machine enters connected standby mode.If this pol
This policy setting determines whether Windows will soft-disconnect a computer from a network.If this policy setting is enable
This policy setting determines if a computer can have multiple connections to the internet or to a Windows domain. If mu
This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at
This policy setting prevents clients from connecting to Mobile Broadband networks when the client is registered on a roaming
This policy applies to Wireless Display connections. This policy changes the preference order of the pairing methods.When ena
This policy applies to Wireless Display connections. This policy means that the use of a PIN for pairing to Wireless Display devic
This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine.If this policy setting is enabled
This policy setting determines whether users can enable the following WLAN settings: "Connect to suggested open hotspots" "
This policy setting specifies whether Windows apps can access cellular data.You can specify either a default setting for all apps
This policy setting configures the cost of 3G connections on the local machine.If this policy setting is enabled a drop-down list
This policy setting configures the cost of 4G connections on the local machine. If this policy setting is enabled a drop-down l
This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting U
Internet printing lets you display printers on Web pages so that printers can be viewed managed and used across the Internet
If you enable this policy setting it sets the maximum number of printers (of each type) that the Add Printer wizard will display
This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an u
This policy controls whether the print job name will be included in print event logs. If you disable or do not configure t
This policy controls whether the print spooler will accept client connections.When the policy is unconfigured or enabled the sp
Determines whether the computer's shared printers can be published in Active Directory. If you enable this setting or do
Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer.
Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer ins
When printing through a print server determines whether the print spooler on the client will process print jobs itself or pass th
Determines whether the Add Printer Wizard automatically publishes the computer's shared printers in Active Directory. If y
Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 10 Windows 10 and Window
Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setti
If this policy setting is enabled it specifies the default location criteria used when searching for printers. This setting is a co
By default the Printers folder includes a link to the Microsoft Support Web page called "Get help with printing". It can also incl
Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operationa
Sets the priority of the pruning thread. The pruning thread which runs only on domain controllers deletes printer object
Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before prunin
Determines whether printers using kernel-mode drivers may be installed on the local computer. Kernel-mode drivers have ac
This policy determines if v4 printer drivers are allowed to run printer extensions. V4 printer drivers may include an optiona
Determines whether Device Control Printing Restrictions are enforced for printing on this computer. By default ther
This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When pri
This policy setting allows you to manage where client computers search for Point and Printer drivers.If you enable this policy s
Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolati
This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing
Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer befor
This policy restricts clients computers to use package point and print only.If this setting is enabled users will only be able to po
This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print d
Restricts package point and print to approved servers.This policy setting restricts package point and print connections to appro
This policy setting controls the client Point and Print behavior including the security prompts for Windows Vista computers. Th
Enables the physical Location Tracking setting for Windows printers.Use Location Tracking to design a location scheme for you
Announces the presence of shared printers to print browse master servers for the domain.On domains with Active Directory s
Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished
This policy allows you to prevent users from being able to open context menus in the Start Menu.If you enable this policy then
Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents.I
If you enable this policy and set it to Start menu or full screen Start Start will be that size and users will be unable to change th
This policy setting allows pinning apps to Start by default when they are included by AppID on the list.
This policy allows you to prevent the Start Menu from displaying a list of recently installed applications.If you enable this polic
If you enable this setting the Start Menu will either collapse or remove the all apps list from the Start menu.Selecting "Collapse
This policy setting prevents users from performing the following commands from the Windows security screen the logon scree
If you enable this setting the frequently used programs list is removed from the Start menu.If you disable this setting or do not
If you enable this policy setting you can configure Start menu to show or hide the list of user's most used apps regardless of us
Specifies the Start layout for users.This setting lets you specify the Start layout for users and prevents them from changing its
This policy sets a special WNS FQDN for specific environments.
This policy setting blocks applications from using the network to send notifications to update tiles tile badges toast or raw
This policy setting defines when the Shutdown Event Tracker System State Data feature is activated.The system state data file
Specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server which runs on
This policy setting directs the system to display highly detailed status messages.This policy setting is designed for advanced use
The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions t
This policy setting prevents File Explorer from encrypting files that are moved to an encrypted folder.If you enable this policy s
This policy setting allows you to turn off the automatic display of the Manage Your Server page. If you enable this policy settin
This policy setting allows you to configure whether power is automatically turned off when Windows shutdown completes. Th
This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that
This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a sche
This policy setting suppresses system status messages.If you enable this setting the system does not display a message remind
This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specifi
This policy setting allows you to restrict programs from being run from online Help. If you enable this policy settin
This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabl
Specifies an alternate location for Windows installation files.If you enable this policy setting enter the fully qualified path to th
Specifies an alternate location for Windows Service Pack installation files.If you enable this policy setting enter the fully qualifi
This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Pr
This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the
This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types
This policy setting allows you to enable or disable Microsoft Application Virtualization (App-V) feature. Reboot is needed for di
The program collects information about computer hardware and how you use Microsoft Application Virtualization without int
Migration mode allows the App-V client to modify shortcuts and FTA's for packages created using a previous version of App-V.
Specifies the location where symbolic links are created to the current version of a globally published package. Shortcuts file ty
Specifies the location where symbolic links are created to the current version of a per-user published package. Shortcuts file ty
Specifies the file paths relative to %userprofile% that do not roam with a user's profile. Example usage: /FILEEXCLUSIONLIST='d
Specifies the registry paths that do not roam with a user profile. Example usage: /REGISTRYEXCLUSIONLIST=software\classes;s
Enables automatic cleanup of appv packages that were added after Windows10 anniversary release.
Enables background sync to server when on battery power.
Enables a UX to display to the user when a publishing refresh is performed on the client.
Publishing Server Display Name: Displays the name of publishing server. Publishing Server URL: Displays the URL of p
Reporting Server URL: Displays the URL of reporting server. Reporting Time: When the client data should be reported to the
Enables scripts defined in the package manifest of configuration files that should run.
This setting controls whether virtualized applications are launched on Windows 8 machines connected via a metered network
Specifies the path to a valid certificate in the certificate store.
If enabled the App-V client will support BrancheCache compatible HTTP streaming. If BranchCache support is not desired this
Specifies the CLSID for a compatible implementation of the IAppvPackageLocationProvider interface.
Specifies directory where all new applications and updates will be installed.
Overrides source location for downloading package content.
Specifies the number of seconds between attempts to reestablish a dropped session.
Specifies the number of times to retry a dropped session.
Requires admin privileges to publish and unpublish packages and connection groups.
Specifies that streamed package contents will be not be saved to the local hard disk.
Specifies how new packages should be loaded automatically by App-V on a specific computer.
Verifies Server certificate revocation status before streaming using HTTPS.
Enables Dynamic Virtualization of supported shell extensions browser helper objects and ActiveX controls.
Specifies a list of process paths (may contain wildcards) which are candidates for using virtual components (shell extensions br
This policy setting determines what information is logged in security audit events when a new process has been created.This s
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).This polic
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).If you ena
Encryption Oracle RemediationThis policy setting applies to applications using the CredSSP component (for example: Remote D
Remote host allows delegation of non-exportable credentialsWhen using credential delegation devices provide an exportable
When running in Restricted Admin or Remote Credential Guard mode participating apps do not expose signed in or supplied c
Deploy Windows Defender Application ControlThis policy setting lets you deploy a Code Integrity Policy to a machine to contro
Specifies whether Virtualization Based Security is enabled.Virtualization Based Security uses the Windows Hypervisor to provid
This group policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported device
This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting rem
This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If y
Windows has a feature that sends "generic-driver-installed" reports through the Windows Error Reporting infrastructure. This
This policy setting allows you to prevent Windows from creating a system restore point during device activity that would norm
This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. If you enable this p
Windows has a feature that allows a device driver to request additional software through the Windows Error Reporting infrast
This policy setting allows you to determine how drivers signed by a Microsoft Windows Publisher certificate are ranked with d
This policy setting allows you to specify the order in which Windows searches source locations for device drivers. If you enable
This policy setting allows you to specify the search server that Windows uses to find updates for device drivers.If you enable th
This policy setting allows you to turn off "Found New Hardware" balloons during device installation.If you enable this policy se
This policy setting allows you to determine whether members of the Administrators group can install and update the drivers fo
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allo
This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is allowed to instal
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that W
This policy setting will change the evaluation order in which Allow and Prevent policy settings are applied when more than one
This policy setting allows you to display a custom message title in a notification when a device installation is attempted and a p
This policy setting allows you to display a custom message to users in a notification when a device installation is attempted an
This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy settin
This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is pre
This policy setting allows you to specify a list of Plug and Play device instance IDs for devices that Windows is prevented from
This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for driver packages that W
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when t
This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change
This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system.If you enable this policy
This policy setting turns off power save mode on the hybrid hard disks in the system.If you enable this policy setting the hard d
This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. To check if you ha
This policy setting turns off the solid state mode for the hybrid hard disks. If you enable this policy setting frequently written fi
This policy setting extends the disk quota policies in this folder to NTFS file system volumes on removable media.If you disable
This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer and prevents users from
This policy setting determines whether disk quota limits are enforced and prevents users from changing the setting.If you enab
This policy setting determines whether the system records an event in the local Application log when users reach their disk qu
This policy setting determines whether the system records an event in the Application log when users reach their disk quota w
This policy setting specifies the default disk quota limit and warning level for new users of the volume.This policy setting deter
Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a disp
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.This policy setting lets you spec
GDI DPI Scaling enables applications that are not DPI aware to become per monitor DPI aware.This policy setting lets you spec
Allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" li
Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation s
This policy setting specifies a list of device setup class GUIDs describing driver packages that non-administrator members of th
Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the In
This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early
This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing on
This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable o
This policy setting allows you to create a list of IEEE 1667 silos compliant with the Institute of Electrical and Electronics Enginee
This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer.If you e
This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device.If you enable this
This policy setting configures whether or not Windows will activate an Enhanced Storage device.If you enable this policy settin
This policy setting locks Enhanced Storage devices when the computer is locked.This policy setting is supported in Windows Se
This policy setting controls whether the Classification tab is displayed in the Properties dialog box in File Explorer.The Classifica
This policy setting controls which set of properties is available for classifying files on affected computers.Administrators can de
Determines whether the RPC protocol messagese used by VSS for SMB2 File Shares feature is enabled.VSS for SMB2 File Share
Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operati
Enabling Win32 long paths will allow manifested win32 applications and Windows Store applications to access paths beyond t
Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue you can selectively enable or disable t
Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and cre
Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creati
TXF deprecated features included savepoints secondary RM miniversion and roll forward. Please enable it if you want to use t
By default NTFS allocates memory from both pageable and non-pageable memory as needed. Enabling this setting tells NTFS
Encrypting the page file prevents malicious users from reading data that has been paged to disk but also adds processing over
For NTFS tiered volumes this controls the tier that new allocations go to by default.Client systems default to the Performance
When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are current
When flushing modified file data from memory NTFS chooses to use one or more threads based on how many files are current
These settings provide control over whether or not short names are generated during file creation. Some applications require
This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to im
This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Progra
This policy setting allows user-based policy processing roaming user profiles and user object logon scripts for interactive logon
This policy setting lets you always use local ADM files for the Group Policy snap-in.By default when you edit a Group Policy Ob
This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (t
This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection
This policy setting determines when disk quota policies are updated.This policy setting affects all policies that use the disk quo
This policy setting determines when encryption policies are updated.This policy setting affects all policies that use the encrypti
This policy setting determines when folder redirection policies are updated.This policy setting affects all policies that use the fo
This policy setting allows you to configure Group Policy caching behavior. If you enable or do not configure this policy
This policy setting defines a slow connection for purposes of applying and updating Group Policy.If the rate at which data is tra
This policy setting determines when Internet Explorer Maintenance policies are updated.This policy setting affects all policies t
This policy setting determines when IP security policies are updated.This policy setting affects all policies that use the IP securi
Enter “0” to disable Logon Script Delay. This policy setting allows you to configure how long the Group Policy client wa
This policy setting determines when registry policies are updated.This policy setting affects all policies in the Administrative Te
This policy setting determines when policies that assign shared scripts are updated.This policy setting affects all policies that u
This policy setting determines when security policies are updated.This policy setting affects all policies that use the security co
This policy setting determines when software installation policies are updated.This policy setting affects all policy settings that
This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a co
This policy setting determines whether Windows supports web-to-app linking with app URI handlers.Enabling this policy settin
This policy setting determines when policies that assign wired network settings are updated.This policy setting affects all polici
This policy setting determines when policies that assign wireless network settings are updated.This policy setting affects all po
This policy setting determines whether the Windows device is allowed to participate in cross-device experiences (continue exp
This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data.By default interactively logged o
Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being use
This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. If you enable
This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading emailing and other tasks that r
This policy setting allows you to control a user's ability to invoke a computer policy refresh.If you enable this policy setting use
This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background)
This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the backgroun
This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy proce
This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy pr
This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group
This policy setting prevents the Group Policy Client Service from stopping when idle.
This policy setting prevents Local Group Policy Objects (Local GPOs) from being applied.By default the policy settings in Local G
This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer.RSoP logs information o
This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources.If yo
This policy setting allows you to remove access to Windows Update.If you enable this policy setting all Windows Update featu
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file typ
This policy setting specifies whether to automatically update root certificates using the Windows Update website. Typically a c
This policy setting specifies whether to allow this client to download print driver packages over HTTP.To set up HTTP printing n
This policy setting specifies whether "Events.asp" hyperlinks are available for events within the Event Viewer application.The E
Turns off data sharing from the handwriting recognition personalization tool.The handwriting recognition personalization tool
Turns off the handwriting recognition error reporting tool.The handwriting recognition error reporting tool enables users to re
This policy setting specifies whether to show the "Did you know?" section of Help and Support Center.This content is dynamic
This policy setting specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center.
This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Se
This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering w
This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandl
This policy setting specifies whether to allow printing over HTTP from this client.Printing over HTTP allows a client to print to p
This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration.If you
This policy setting specifies whether Search Companion should automatically download content updates during local and Inter
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.The Orde
This policy setting specifies whether the tasks "Publish this file to the Web" "Publish this folder to the Web" and "Publish the s
This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger so
This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Im
This policy setting controls whether or not errors are reported to Microsoft.Error Reporting is used to report information abou
This policy setting turns off the active tests performed by the Windows Network Connectivity Status Indicator (NCSI) to determ
This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device
If enabled then only those sessions that are established via a persistent login will be established and no new persistent logins
If enabled then do not allow the initiator iqn name to be changed. If disabled then the initiator iqn name may be changed.
If enabled then do not allow the initiator CHAP secret to be changed. If disabled then the initiator CHAP secret may be change
If enabled then only those connections that are configured for IPSec may be established. If disabled then connections that are
If enabled then only those sessions that are configured for mutual CHAP may be established. If disabled then sessions that are
If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that ar
If enabled then new targets may not be manually configured by entering the target name and target portal; already discovere
If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually confi
If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS serv
If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals
This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Ac
Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s
This policy setting controls whether the domain controller provides information about previous logons to client computers.If y
This policy setting allows you to configure a domain controller to request compound authentication.Note: For a domain contro
This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolv
This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos a
This policy setting allows retrieving the cloud kerberos ticket during the logon.If you disable or do not configure this policy setti
This policy setting controls whether a device always sends a compound authentication request when the resource domain req
This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm.If you
This policy setting configures the Kerberos client so that it can authenticate with interoperable Kerberos V5 realms as defined
This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server.If you enable
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and
This policy setting controls the Kerberos client's behavior in validating the KDC certificate for smart card and system certificate
This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generate
This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context tok
This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names
This policy setting controls configuring the device's Active Directory account for compound authentication.Support for providi
Support for device authentication using certificate will require connectivity to a DC in the device account domain which suppo
This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part ser
Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when K
This policy setting prevents users from changing their user geographical location (GeoID).If you enable this policy setting users
This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The use
This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to th
This policy setting prevents the user from customizing their locale by changing their user overrides.Any existing overrides in pl
This policy setting restricts the permitted system locales to the specified list. If the list is empty it locks the system locale to its
This policy setting restricts users on a computer to the specified list of user locales. If the list is empty it locks all user locales to
This policy setting allows you to control whether a user can change the time before a password is required when a Connected
This policy is not available in this version of Windows.
This policy setting ignores Windows Logon Background.This policy setting may be used to make Windows give preference to a
This policy setting determines whether Group Policy processing is synchronous (that is whether computers wait for the netwo
This policy setting allows the administrator to assign a specified credential provider as the default credential provider.If you en
This policy setting specifies a default logon domain which might be a different domain than the domain to which the compute
This policy prevents the user from showing account details (email address or user name) on the sign-in screen.If you enable th
This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen.If you en
This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on.If you
This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy se
This policy setting ignores the customized run list.You can create a customized list of additional programs and documents that
This policy setting ignores customized run-once lists.You can create a customized list of additional programs and documents th
This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting Logon U
This policy setting allows the administrator to exclude the specifiedcredential providers from use during authentication.Note:
This policy setting allows you to hide the Switch User interface in the Logon UI the Start menu and the Task Manager.If you en
This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the s
This policy setting disables the acrylic blur effect on logon background image. If you enable this policy the logon backgroun
This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the fi
This policy setting allows you to prevent app notifications from appearing on the lock screen.If you enable this policy setting n
This policy setting allows you to control whether a domain user can sign in using a picture password.If you enable this policy se
This policy is not available in this version of Windows.
This policy setting allows you to control whether a domain user can sign in using a convenience PIN.If you enable this policy se
This policy setting allows you to control whether users can sign in using external security keys. If you enable this policy setti
This security feature provides a means to override individual process MitigationOptions settings. This can be used to enfo
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font
This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in
This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with th
This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) sh
This policy setting determines the interval at which Netlogon performs the following scavenging operations:- Checks if a passw
This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) sho
This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when loggin
This policy setting specifies the level of debug output for the Net Logon service.The Net Logon service outputs debug informati
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when loggi
This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could no
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs th
This policy setting specifies the Active Directory site to which computers belong.An Active Directory site is one or more well-co
This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain c
This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform perio
This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domai
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs th
This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate
This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC).Note:
This policy setting allows you to control the domain controller (DC) location algorithm. By default the DC location algorithm pr
This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator.The Domain Controller Lo
This policy setting detremines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP
This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this se
This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Log
This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which th
This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not m
This policy setting determines which DC Locator DNS records are not registered by the Net Logon service.If you enable this pol
This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. T
This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied
This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should
This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resour
This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resourc
This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same th
This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records fo
This policy setting specifies whether the computers to which this setting is applied attemps DNS name resolution of single-labl
This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-lab
This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host nam
This policy setting determines whether history of Clipboard contents can be stored in memory. If you enable this
This policy setting determines whether Clipboard contents can be synchronized across devices. If you enable this
This policy setting determines whether User Activities can be published. If you enable this policy setting activities
This policy setting determines whether published User Activities can be uploaded. If you enable this policy setting
This policy setting determines whether ActivityFeed is enabled. If you enable this policy setting all activity types (a
This setting specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The P
This setting specifies the number of past PINs that can be associated to a user account that can’t be reused. This policy enable
Maximum PIN length configures the maximum number of characters allowed for the PIN. The largest number you can configu
Minimum PIN length configures the minimum number of characters required for the PIN. The lowest number you can configu
Use this policy setting to configure the use of digits in the PIN.If you enable this policy setting Windows requires the user to inc
Use this policy setting to configure the use of lowercase letters in the PIN.If you enable this policy setting Windows requires th
Use this policy setting to configure the use of special characters in the PIN. Allowable special characters are: ! " # $ % & ' ( ) * +
Use this policy setting to configure the use of uppercase letters in the PIN.If you enable this policy setting Windows requires th
This policy setting specifies the active power plan from a list of default Windows power plans. To specify a custom power plan
This policy setting specifies the active power plan from a specified power plan’s GUID. The GUID for a custom power plan GUID
This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC.Possible actions include:-
This policy setting specifies the action that Windows takes when a user closes the lid on a mobile PC.Possible actions include:-
This policy setting specifies the action that Windows takes when a user presses the power button.Possible actions include:-Tak
This policy setting specifies the action that Windows takes when a user presses the power button.Possible actions include:-Tak
This policy setting specifies the action that Windows takes when a user presses the sleep button.Possible actions include:-Take
This policy setting specifies the action that Windows takes when a user presses the sleep button.Possible actions include:-Take
This policy setting specifies the action that Windows takes when a user presses the Start menu Power button.If you enable thi
This policy setting specifies the action that Windows takes when a user presses the Start menu Power button.If you enable thi
This policy setting allows you to specify battery charge level at which Energy Saver is turned on.If you enable this policy setting
This policy setting allows you to specify battery charge level at which Energy Saver is turned on.If you enable this policy setting
This policy setting specifies the period of inactivity before Windows turns off the hard disk.If you enable this policy setting you
This policy setting specifies the period of inactivity before Windows turns off the hard disk.If you enable this policy setting you
This policy setting specifies the action that Windows takes when battery capacity reaches the critical battery notification level.
This policy setting specifies the percentage of battery capacity remaining that triggers the critical battery notification action.If
This policy setting specifies the action that Windows takes when battery capacity reaches the low battery notification level.If y
This policy setting specifies the percentage of battery capacity remaining that triggers the low battery notification action.If you
This policy setting specifies the percentage of battery capacity remaining that triggers the reserve power mode.If you enable t
This policy setting turns off the user notification when the battery capacity remaining equals the low battery notification level.
This policy setting allows you to turn off Power Throttling.If you enable this policy setting Power Throttling will be turned off.If
This policy setting allows applications and services to prevent automatic sleep.If you enable this policy setting any application
This policy setting allows applications and services to prevent automatic sleep.If you enable this policy setting any application
This policy setting allows you to manage automatic sleep with open network files.If you enable this policy setting the compute
This policy setting allows you to manage automatic sleep with open network files.If you enable this policy setting the compute
This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems.If you
This policy setting allows you to control the network connectivity state in standby on modern standby-capable systems.If you
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep st
This policy setting manages whether or not Windows is allowed to use standby states when putting the computer in a sleep st
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.If you e
This policy setting specifies whether or not the user is prompted for a password when the system resumes from sleep.If you e
This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.If you ena
This policy setting allows you to specify the period of inactivity before Windows transitions the system to hibernate.If you ena
This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.If you enable t
This policy setting allows you to specify the period of inactivity before Windows transitions the system to sleep.If you enable t
This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user
This policy setting allows you to specify the period of inactivity before Windows transitions to sleep automatically when a user
This policy setting allows you to turn off hybrid sleep.If you enable this policy setting a hiberfile is not generated when the syst
This policy setting allows you to turn off hybrid sleep.If you enable this policy setting a hiberfile is not generated when the syst
This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.If you ena
This policy setting allows you to turn on the ability for applications and services to prevent the system from sleeping.If you ena
This policy setting allows you to specify the period of inactivity before Windows automatically reduces brightness of the displa
This policy setting allows you to specify the period of inactivity before Windows automatically reduces brightness of the displa
This policy setting allows you to specify the brightness of the display when Windows automatically reduces brightness of the d
This policy setting allows you to specify the brightness of the display when Windows automatically reduces brightness of the d
This policy setting allows you to manage how long a computer must be inactive before Windows turns off the computer’s disp
This policy setting allows you to manage how long a computer must be inactive before Windows turns off the computer’s disp
This policy setting allows you to specify the period of inactivity before Windows turns off the display.If you enable this policy s
This policy setting allows you to specify the period of inactivity before Windows turns off the display.If you enable this policy s
This policy setting allows you to specify if Windows should enable the desktop background slideshow.If you enable this policy
This policy setting allows you to specify if Windows should enable the desktop background slideshow.If you enable this policy
Requirements: Windows 7 Description: This policy setting controls whether users can access the options in Recovery (in Co
This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers ru
This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer.If you enable this p
This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer.If you enable this po
This policy setting lets you customize warning messages.The "Display warning message before sharing control" policy setting a
This policy setting allows you to improve performance in low bandwidth scenarios.This setting is incrementally scaled from "N
This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assis
This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making
This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested.The constraine
This policy setting determines whether the RPC Runtime maintains RPC state information for the system and how much inform
This policy setting controls whether the RPC runtime generates extended error information when an error occurs.Extended er
This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.This po
This policy setting controls the idle connection timeout for RPC/HTTP connections. This policy setting is useful in cases where
Configure access to all removable storage classes.This policy setting takes precedence over any individual removable storage p
This policy setting grants normal users direct access to removable storage devices in remote sessions.If you enable this policy
This policy setting denies execute access to the CD and DVD removable storage class.If you enable this policy setting execute a
This policy setting denies read access to the CD and DVD removable storage class.If you enable this policy setting read access i
This policy setting denies write access to the CD and DVD removable storage class.If you enable this policy setting write access
This policy setting denies read access to custom removable storage classes.If you enable this policy setting read access is denie
This policy setting denies write access to custom removable storage classes.If you enable this policy setting write access is den
This policy setting denies execute access to the Floppy Drives removable storage class including USB Floppy Drives.If you enab
This policy setting denies read access to the Floppy Drives removable storage class including USB Floppy Drives.If you enable t
This policy setting denies write access to the Floppy Drives removable storage class including USB Floppy Drives.If you enable t
This policy setting denies execute access to removable disks.If you enable this policy setting execute access is denied to this re
This policy setting denies read access to removable disks.If you enable this policy setting read access is denied to this removab
This policy setting denies write access to removable disks.If you enable this policy setting write access is denied to this remova
This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a c
This policy setting denies execute access to the Tape Drive removable storage class.If you enable this policy setting execute ac
This policy setting denies read access to the Tape Drive removable storage class.If you enable this policy setting read access is
This policy setting denies write access to the Tape Drive removable storage class.If you enable this policy setting write access i
This policy setting denies read access to removable disks which may include media players cellular phones auxiliary displays an
This policy setting denies write access to removable disks which may include media players cellular phones auxiliary displays a
This policy setting allows user logon scripts to run when the logon cross-forest DNS suffixes are not configured and NetBIOS or
This policy setting displays the instructions in shutdown scripts as they run.Shutdown scripts are batch files of instructions tha
This policy setting displays the instructions in startup scripts as they run.Startup scripts are batch files of instructions that run b
This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface progr
This policy setting lets the system run startup scripts simultaneously.Startup scripts are batch files that run before the user is i
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during co
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during us
This policy setting determines how long the system waits for scripts applied by Group Policy to run. This setting limits the total
This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vu
This policy setting allows you to set the refresh interval for Server Manager. Each refresh provides Server Manager with updat
This policy setting allows you to turn off the automatic display of the Initial Configuration Tasks window at logon on Windows
This policy setting allows you to turn off the automatic display of Server Manager at logon.If you enable this policy setting Serv
This policy setting enables process mitigation options on svchost.exe processes.If you enable this policy setting built-in system
This policy setting controls the use of fast startup. If you enable this policy setting the system requires hibernate to be enable
This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level win
Allows downloading new updates to ML Model parameters for predicting storage disk failure. Enabled: Updates w
Storage Sense can automatically clean some of the user’s files to free up disk space. By default Storage Sense is automatically
When Storage Sense runs it can delete the user’s temporary files that are not in use.If the group policy "Allow Storage Sense"
Storage Sense can automatically clean some of the user’s files to free up disk space.If the group policy "Allow Storage Sense" i
When Storage Sense runs it can dehydrate cloud-backed content that hasn’t been opened in a certain amount of days.If the g
When Storage Sense runs it can delete files in the user’s Recycle Bin if they have been there for over a certain amount of days
When Storage Sense runs it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certai
Allows you to disable System Restore configuration through System Protection.This policy setting allows you to turn off System
Allows you to disable System Restore.This policy setting allows you to turn off System Restore.System Restore enables users in
This policy setting determines the execution level for Diagnostic Policy Service (DPS) scenarios.If you enable this policy setting
This policy setting determines the data retention limit for Diagnostic Policy Service (DPS) scenario data.If you enable this policy
This setting exists only for backward compatibility and is not valid for this version of Windows. To configure the Program Comp
This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compa
This policy setting allows you to configure the recovery behavior for corrupted files to one of three states:Regular: Detection t
This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T
This policy setting determines the execution level for S.M.A.R.T.-based disk diagnostics. Self-Monitoring And Reporting Techno
This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption pr
This policy setting determines the execution level for Microsoft Support Diagnostic Tool.Microsoft Support Diagnostic Tool (MS
This policy setting restricts the tool download policy for Microsoft Support Diagnostic Tool.Microsoft Support Diagnostic Tool (
This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider.
This policy setting configures how troubleshooting for known problems can be applied on the device and lets administrators c
This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states:Prompt for Reso
Determines whether scheduled diagnostics will run to proactively detect and resolve system problems.If you enable this policy
This policy setting determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publ
This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control P
This policy setting allows users who are connected to the Internet to access and search troubleshooting content that is hosted
Determines the execution level for Windows Boot Performance Diagnostics.If you enable this policy setting you must select an
This policy setting determines whether Diagnostic Policy Service (DPS) diagnoses memory leak problems.If you enable or do no
Determines the execution level for Windows Resource Exhaustion Detection and Resolution.If you enable this policy setting yo
Determines the execution level for Windows Shutdown Performance Diagnostics.If you enable this policy setting you must sel
Determines the execution level for Windows Standby/Resume Performance Diagnostics.If you enable this policy setting you m
Determines the execution level for Windows System Responsiveness Diagnostics.If you enable this policy setting you must sele
This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local comp
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windo
This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other th
This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery tim
This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) comm
This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) comman
This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted
This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted
This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted P
This policy setting adds the Administrator security group to the roaming user profile share.Once an administrator has configur
This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network spee
This policy setting determines whether Windows keeps a copy of a user's roaming profile on the local computer's hard drive w
This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used with
This policy setting disables the detection of slow network connections. Slow link detection measures the speed of the connecti
This policy setting disables the more secure default setting for the user's roaming user profile folder.After an administrator has
This policy setting controls whether Windows forcefully unloads the user's registry at logoff even if there are open handles to
This policy setting will automatically log off a user when Windows cannot load their profile. If Windows cannot access the user
This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a user's primary computers
This policy setting controls how long Windows waits for a user response before it uses a default user profile for roaming user p
This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based softwar
This policy setting determines how many times the system tries to unload and update the registry portion of a user profile. Wh
This setting determines if roaming user profiles are available on a particular computer. By default when roaming profile users
This policy setting determines if the changes a user makes to their roaming profile are merged with the server copy of their pr
This policy setting provides users with the ability to download their roaming profile even when a slow network connection wit
This policy setting controls how long Windows waits for a response from the network before logging on a user without a remo
This policy setting specifies whether Windows should use the specified network path as the roaming user profile path for all us
This policy setting sets the schedule for background uploading of a roaming user profile's registry file (ntuser.dat). This policy s
This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon sessio
This policy setting turns off the advertising ID preventing apps from using the ID for experiences across apps.If you enable this
This setting prevents users from managing the ability to allow apps to access the user name account picture and domain infor
This policy setting directs the system to wait for the remote copy of the roaming user profile to load even when loading is slow
This policy setting hides the file scan progress window. This window provides status information to sophisticated users but it m
This policy setting specifies the maximum amount of disk space that can be used for the Windows File Protection file cache.W
This policy setting allows you to set when Windows File Protection scans protected files. This policy setting directs Windows Fi
This policy setting specifies an alternate location for the Windows File Protection cache.If you enable this policy setting enter t
This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for doma
This policy setting specifies a set of parameters for controlling the Windows NTP Client.If you enable this policy setting you can
This policy setting specifies whether the Windows NTP Client is enabled.Enabling the Windows NTP Client allows your comput
This policy setting allows you to specify whether the Windows NTP Server is enabled.If you enable this policy setting for the W
This policy setting determines which ActiveX installation sites standard users in your organization can use to install ActiveX con
This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable this policy setting ActiveX
By default Add features to Windows 10 is available for all administrators. If you enable this policy setting the wizard will not ru
Manages a Windows app's ability to share data between users who have installed the app. If you enable this policy a Wind
This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store
This policy setting allows you to manage the deployment of Windows Store apps when the user is signed in using a special pro
Allows or denies development of Microsoft Store applications and installing them directly from an IDE. If you enable t
This policy setting controls whether the system can archive infrequently used apps.If you enable this policy setting then the sy
This policy setting allows you to manage installing Windows apps on additional volumes such as secondary partitions USB
Manages a sideloaded apps' ability to auto-update in the background. If you enable this policy sideloaded apps will not au
Manages a sideloaded apps' ability to auto-update in the background on a metered network. If you enable this policy side
Manages non-Administrator users' ability to install Windows app packages. If you enable this policy non-Administrators w
Prevent users' app data from moving to another location when an app is moved or installed on another location. If yo
This policy setting specifies whether Windows apps can access account information.You can specify either a default setting for
This policy setting specifies whether Windows apps can access the eye tracker.You can specify either a default setting for all ap
This policy setting specifies whether Windows apps can access call history.You can specify either a default setting for all apps o
This policy setting specifies whether Windows apps can access contacts.You can specify either a default setting for all apps or a
This policy setting specifies whether Windows apps can get diagnostic information about other Windows apps including user n
This policy setting specifies whether Windows apps can access email.You can specify either a default setting for all apps or a p
This policy setting specifies whether Windows apps can access location.You can specify either a default setting for all apps or a
This policy setting specifies whether Windows apps can read or send messages (text or MMS).You can specify either a default
This policy setting specifies whether Windows apps can access motion data.You can specify either a default setting for all apps
This policy setting specifies whether Windows apps can access notifications.You can specify either a default setting for all apps
This policy setting specifies whether Windows apps can access tasks.You can specify either a default setting for all apps or a pe
This policy setting specifies whether Windows apps can access the calendar.You can specify either a default setting for all apps
This policy setting specifies whether Windows apps can access the camera.You can specify either a default setting for all apps
This policy setting specifies whether Windows apps can access the microphone.You can specify either a default setting for all a
This policy setting specifies whether Windows apps can access trusted devices.You can specify either a default setting for all ap
This policy setting specifies whether Windows apps can access the movement of the user's head hands motion controllers and
This policy setting specifies whether Windows apps can be activated by voice.If you choose the "User is in control" option emp
This policy setting specifies whether Windows apps can be activated by voice while the system is locked.If you choose the "Us
This policy setting specifies whether Windows apps can communicate with unpaired wireless devices.You can specify either a
This policy setting specifies whether Windows apps have access to control radios.You can specify either a default setting for al
This policy setting specifies whether Windows apps can make phone calls.You can specify either a default setting for all apps o
This policy setting specifies whether Windows apps can run in the background.You can specify either a default setting for all ap
This policy setting specifies whether Windows apps can take screenshots of various windows or displays.You can specify eithe
This policy setting specifies whether Windows apps can turn off the screenshot border.You can specify either a default setting
This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Be
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI schem
This policy setting controls whether Universal Windows apps with Windows Runtime API access directly from web conten
This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of
Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launc
This policy controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on t
This policy controls the state of the application compatibility engine in the system.The engine is part of the loader and looks t
The policy controls the state of the Application Telemetry engine in the system.Application Telemetry is a mechanism that trac
This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications files device
This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the
This policy setting controls the state of Steps Recorder.Steps Recorder keeps a record of steps taken by the user. The data gen
The policy controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides ge
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting AutoPlay is
This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when a device is connected.
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.i
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert
This policy setting allows you to manage whether backups of only system volumes is allowed or both OS and data volumes can
This policy setting allows you to manage whether backups of a machine can run to locally attached storage or not.If you enabl
This policy setting allows you to manage whether backups of a machine can run to a network share or not.If you enable this po
This policy setting allows you to manage whether backups of a machine can run to an optical media or not.If you enable this p
This policy setting allows you to manage whether run-once backups of a machine can be run or not.If you enable this policy se
This policy setting determines whether users with a domain account can log on or elevate User Account Control (UAC) permiss
This policy setting allows or prevents the Windows Biometric Service to run on this computer. If you enable or do not confi
This policy setting determines whether users can log on or elevate User Account Control (UAC) permissions using biometrics.
This policy setting specifies the number of seconds a pending fast user switch event will remain active before the switch is initi
This policy setting determines whether enhanced anti-spoofing is required for Windows Hello face authentication.If you enabl
This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard pr
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy se
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can display and specify BitLocker
This policy setting allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports un
This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied
This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption re
This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This
This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed
This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the require
This policy setting allows you to manage BitLocker’s use of hardware-based encryption on fixed data drives and specify which
This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to p
This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protecte
This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer.If yo
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied
This policy setting allows users on devices that are compliant with InstantGo or Microsoft Hardware Security Test Interface (HS
This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker.Enhanced startup PIN
This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (
This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker
This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the
This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This polic
This policy setting lets you configure the entire recovery message or replace the existing URL that are displayed on the pre-boo
This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the
This policy setting allows you to manage BitLocker’s use of hardware-based encryption on operating system drives and specify
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-T
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs provide
This policy setting allows users to turn on authentication options that require user input from the pre-boot environment even
This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts
This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard will be able to set up an addition
This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started followin
This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation.If y
This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and vi
This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the re
This policy setting allows you to manage BitLocker’s use of hardware-based encryption on removable data drives and specify w
This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choos
This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected re
This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLo
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable
This policy setting allow the use of Camera devices on the machine. If you enable or do not configure this policy s
This policy setting allows you to configure the Chat icon on the taskbar.If you enable this policy setting and set it to Show the C
This policy setting prevents Windows tips from being shown to users.If you enable this policy setting users will no longer see W
This policy setting lets you turn off cloud consumer account state content in all Windows experiences. If you enable this
This policy setting lets you turn off cloud optimized content in all Windows experiences.If you enable this policy Windows expe
This policy setting turns off experiences that help consumers make the most of their devices and Microsoft account.If you ena
This policy setting allows you to turn off projection to a PC. If you turn it on your PC isn't discoverable and can't be projected
This policy setting allows you to require a pin for pairing. If you set this to 'Never' a pin isn't required for pairing.If you set this
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.If you
This policy setting controls whether administrator accounts are displayed when a user attempts to elevate a running applicatio
If you turn this policy setting on local users won’t be able to set up and use security questions to reset their passwords.
This policy setting requires the user to enter Microsoft Windows credentials using a trusted path to prevent a Trojan horse or
AllowCommercialDataPipeline controls whether Microsoft is a processor or controller for Windows diagnostic data collected f
Allows IT admins to enable diagnostic data from this device to be processed by Desktop Analytics. The following li
This policy allows the device name to be sent to Microsoft as part of Windows diagnostic data.If you disable or do not configur
By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restric
Allows IT admins to enable diagnostic data from this device to be processed by Update Compliance. The following
Allows IT admins to enable diagnostic data from this device to be processed by Windows Update for Business cloud.
This policy setting blocks the Connected User Experience and Telemetry service from automatically using an authenticated pro
You can configure Microsoft Edge to send intranet history only internet history only or both to Desktop Analytics for enterpris
With this policy setting you can forward Connected User Experience and Telemetry requests to a proxy server.If you enable th
This policy setting controls whether notifications are shown following a change to diagnostic data opt-in settings on first logon
This policy setting determines whether an end user can change diagnostic data settings in the Settings app.If you set this policy
This policy sets the upload endpoint for this device’s diagnostic data as part of the Desktop Analytics program.If your organiza
This policy setting defines the identifier used to uniquely associate this device’s diagnostic data data as belonging to a given or
This policy setting controls whether the Delete diagnostic data button is enabled in Diagnostic & feedback Settings page.If you
This policy setting controls whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & feedback S
This policy setting controls whether Windows attempts to connect with the OneSettings service.If you enable this policy Windo
This policy setting allows an organization to prevent its devices from showing feedback questions from Microsoft.If you enable
This policy setting controls whether Windows records attempts to connect with the OneSettings service to the EventLog.If you
This policy setting controls whether additional diagnostic logs are collected when more information is needed to troubleshoot
This policy setting limits the type of dumps that can be collected when more information is needed to troubleshoot a problem
This policy setting in combination with the "Allow Diagnostic Data" policy setting enables organizations to send the minimum d
This policy setting determines whether users can get preview builds of Windows by configuring controls in Settings > Update a
Specifies the maximum size in GB of Delivery Optimization cache.This policy overrides the DOMaxCacheSize policy.The value 0
Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and Group peers while on DC p
This policy allows you to set one or more Delivery Optimization in Network Cache servers that will be used by your client(s).On
This policy allows you to specify how your client(s) can discover Delivery Optimization in Network Cache servers dynamically.O
Set this policy to delay the fallback from Cache Server to the HTTP source for a background content download by X seconds.No
This policy allows you to delay the use of an HTTP source in a background download that is allowed to use P2P.After the max d
Set this policy to delay the fallback from Cache Server to the HTTP source for a foreground content download by X seconds.No
This policy allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.Aft
Specifies the download method that Delivery Optimization can use in downloads of Windows Updates Apps and App updates.
Specify "true" to allow the device to participate in Peer Caching while connected via VPN to the domain network.This means t
Group ID must be set as a GUID. This Policy specifies an arbitrary group ID that the device belongs to.Use this if you need to cr
Specifies the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully
Specifies the maximum cache size that Delivery Optimization uses as a percentage of available disk size (1-100).
Specifies the maximum background download bandwidth in KiloBytes/second that the device can use across all concurrent do
Specifies the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activ
Specifies the maximum foreground download bandwidth in KiloBytes/second that the device can use across all concurrent dow
Specifies the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activ
Specifies the minimum download QoS (Quality of Service or speed) for background downloads in KiloBytes/second.This policy
Specifies the required minimum disk size (capacity in GB) for the device to use Peer Caching. The cloud service set default valu
Specifies the minimum content file size in MB enabled to use Peer Caching.Recommended values: 1 MB to 100000 MB.
Specifies the minimum RAM size in GB required to use Peer Caching.For example if the minimum set is 1 GB then devices with
Specifies the drive Delivery Optimization shall use for its cache.By default %SystemDrive% is used to store the cache. The drive
Specifies the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar mo
Set this policy to restrict peer selection via selected option.Options available are:0 = NAT.1 = Subnet mask.2 = Local discovery
Set this policy to restrict peer selection to a specific source.Options available are:1 = AD Site.2 = Authenticated domain SID.3 =
Specifies the maximum background download bandwidth that Delivery Optimization uses during and outside business hours a
Specifies the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours ac
This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be deployed as compressed
This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the
This policy setting allows you to turn off desktop gadgets that have been installed by the user.If you enable this setting Window
This policy setting allows you to configure the accessibility of the Flip 3D feature. Flip 3D allows the user to view items on the W
This policy setting controls the appearance of window animations such as those found when restoring minimizing and maximiz
This policy setting controls the Start background visuals.If you enable this policy setting the Start background will use a solid co
This policy setting controls the ability to change the color of window frames. If you enable this policy setting you prevent users
This policy setting controls the default color for window frames when the user does not specify a color. If you enable this polic
Changes behavior of Microsoft bus drivers to work with specific devices.
Changes behavior of 3rd-party drivers to work around incompatibilities introduced between OS versions.
This setting lets you configure how domain joined computers become registered as devices.When you enable this setting dom
Specifies whether Digital Locker can run.Digital Locker is a dedicated download manager associated with Windows Marketplac
If you disable this policy setting users will not be able to invoke any system UI by swiping in from any screen edge.If you enabl
Disables help tips that Windows shows to the user.By default Windows will show the user help tips until the user has successfu
This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to t
This policy setting allows you to configure the server address refresh interval and issuer certificate authority (CA) of a target Su
This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the "Retain o
This policy setting specifies the security descriptor to use for the log using the Security Descriptor Definition Language (SDDL) s
This policy setting controls Event Log behavior when the log file reaches its maximum size.If you enable this policy setting and
This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and sh
This policy setting specifies the maximum size of the log file in kilobytes.If you enable this policy setting you can configure the
This policy setting turns on logging.If you enable or do not configure this policy setting then events can be written to this log.If
This policy setting lets you configure Protected Event Logging.If you enable this policy setting components that support it will u
This is the program that will be invoked when the user clicks the events.asp link.
This specifies the command line parameters that will be passed to the events.asp program
This is the URL that will be passed to the Description area in the Event Properties dialog box. Change this value if you want to u
This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons.If you enable this policy setti
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users befo
Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorag
This policy setting allows administrators who have configured roaming profile in conjunction with Delete Cached Roaming Pro
This policy removes the end-user notification for new application associations. These associations are based on file types (e.g.
This policy setting allows you to specify a location where all default Library definition files for users/machines reside.If you ena
This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol d
Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by
Shows or hides hibernate from the power options menu.If you enable this policy setting the hibernate option will be shown in
Shows or hides lock from the user tile menu.If you enable this policy setting the lock option will be shown in the User Tile men
Shows or hides sleep from the power options menu.If you enable this policy setting the sleep option will be shown in the Powe
This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are o
Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.
Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explore
This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical orde
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full fun
This policy setting allows you to prevent data loss when you change the target location for Folder Redirection and the new and
This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come fr
This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from th
This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backu
This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a p
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous
This policy setting allows you to turn off File History.If you enable this policy setting File History cannot be activated to create r
This policy turns on Find My Device.When Find My Device is on the device and its location are registered in the cloud so that t
The handwriting panel has 2 modes - floats near the text box or attached to the bottom of the screen. Default is floating near
This policy setting specifies whether users can add computers to a homegroup. By default users can add their computer to a h
Determines whether Lock on Leave is forced on/off by the MDM policy. The user will not be able to change this setting and the
Determines whether Wake On Arrival is forced on/off by the MDM policy. The user will not be able to change this setting and
Determines the timeout for Lock on Leave forced by the MDM policy. The user will be unable to change this setting and the to
This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally se
This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode.If you enable this policy "
This policy setting allows you to revert to the Internet Explorer 8 behavior of allowing OnUnLoad script handlers to display UI d
This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide e
This policy setting allows you to configure whether newly installed add-ons are automatically activated in the Internet Explore
Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this pol
This policy setting allows you to customize the Internet Explorer version string as reported to web servers in the HTTP User Ag
Prevents Internet Explorer from automatically installing components.If you enable this policy it prevents Internet Explorer from
This setting specifies to automatically detect the proxy server settings used to connect to the Internet and customize Internet
Prevents users from changing dial-up settings.If you enable this policy the Settings button on the Connections tab in the Intern
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page wheneve
This policy settings disables the Import/Export Settings wizard. This wizard allows you to import settings from another browse
This policy lets you restrict launching of Internet Explorer as a standalone browser.If you enable this policy it:- Prevents Intern
Prevents Internet Explorer from checking whether a new version of the browser is available.If you enable this policy it prevent
Prevents the Internet Explorer splash screen from appearing when users start the browser.If you enable this policy the splash
Specifies that programs using the Microsoft Software Distribution Channel will not notify users when they install new compon
This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager.If y
This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys such as "Ctrl+S" to have "Save
This policy setting allows you to enforce full-screen mode which disables the navigation bar the menu bar and the Command b
This policy setting configures Internet Explorer to automatically install new versions of Internet Explorer when they are availab
Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the ‘Send all sites not inclu
This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionall
This policy setting allows you to control which Domains are included in the discovery functionality of the Internet Explorer Site
This policy setting allows you to control which site zones are included in the discovery functionality of the Internet Explorer Sit
Applies proxy settings to all users of the same computer.If you enable this policy users cannot set user-specific proxy settings.
This policy setting allows you to specify a list of web sites that will be allowed to open pop-up windows regardless of the Intern
This policy setting prevents the user from using the "Fix settings" functionality related to Security Settings Check.If you enable
This policy setting prevents the user from accessing Help in Internet Explorer.If you enable this policy setting the following occ
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the us
This policy setting prevents the user from changing the level of pop-up filtering. The available levels are as follows: High: Bloc
This policy setting specifies if a user can change proxy settings.If you enable this policy setting the user will not be able to confi
This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box
This policy setting allows you to configure how windows open in Internet Explorer when the user clicks links from other applic
This policy setting allows you to configure how new tabs are created by default in Internet Explorer.If you enable this policy se
This policy setting prevents the Search box from appearing in Internet Explorer. When the Search box is available it includes al
You can allow pop-ups from specific websites by adding the sites to the exception list.If you enable this policy setting the user
This policy setting prevents the user from managing SmartScreen Filter which warns the user if the website being visited is kno
This policy setting prevents the user from managing a filter that warns the user if the website being visited is known for fraudu
This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).If you enable
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.If you enable this policy setting
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after in
This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC based invocations. If you enab
This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those define
Prevents users from adding or removing sites from security zones. A security zone is a group of Web sites with the same secur
Prevents users from changing security zone settings. A security zone is a group of Web sites with the same security level.If you
Applies security zone information to all users of the same computer. A security zone is a group of Web sites with the same sec
This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use
This policy setting allows you to set the rate at which Internet Explorer creates new tab processes. There are two algorithms th
This policy setting lets you decide whether employees see an additional page in Internet Explorer 11 stating that a site has bee
This policy setting allows you to specify what is displayed when the user opens a new tab.If you enable this policy setting you c
This policy setting allows you to specify how ActiveX controls are installed.If you enable this policy setting ActiveX controls are
This policy setting allows you to manage whether users can pin sites to locations where pinning is allowed such as the taskbar
This policy setting allows you to turn off the ActiveX Opt-In prompt. ActiveX Opt-In prevents websites from loading any ActiveX
This policy setting prevents Internet Explorer from displaying a notification when the average time to load all the user's enable
This policy setting turns off Automatic Crash Recovery.If you enable this policy setting Automatic Crash Recovery does not pro
This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data
This policy setting allows you to define the user experience related to how pop-up windows appear in tabbed browsing in Inte
This policy setting allows you to manage the crash detection feature of add-on Management.If you enable this policy setting a
This policy setting allows you to manage whether a user has access to the Favorites bar in Internet Explorer.If you enable this p
This policy setting allows the user to enable the SmartScreen Filter which warns the user if the website being visited is known
This policy setting prevents the user from zooming in to or out of a page to better see the content.If you enable this policy setti
This policy setting allows you to manage pop-up management functionality in Internet Explorer.If you enable this policy setting
This policy setting allows you to turn off the Quick Tabs functionality in Internet Explorer.If you enable this policy setting the e
This policy setting allows you to manage whether a user has access to the Reopen Last Browsing Session feature in Internet Ex
This policy setting allows you to turn off suggestions for all user-installed search providers.If you enable this policy setting the
This policy setting allows you to turn off tabbed browsing and related entry points from the Internet Explorer user interface. S
This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar.If y
This policy setting allows you to prevent the quick pick menu from appearing when a user clicks in the Search box.If you enabl
This policy setting turns off the Security Settings Check feature which checks Internet Explorer security settings to determine w
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to
This policy setting logs information that is blocked by new features in Internet Explorer. The logged compatibility information i
This policy setting allows you to turn on or turn off the earlier menus (for example File Edit and View) in Internet Explorer.If yo
This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site discovery Toolkit(SDTK). W
This policy setting allows you to manage the XML output functionality of the Internet Explorer Site discovery Toolkit(SDTK). Wh
This policy setting controls the Suggested Sites feature which recommends websites based on the user’s browsing activity. Sug
This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE instead of Stan
This policy setting allows you to add default Accelerators.If you enable this policy setting the specified Accelerators are added
This policy setting allows you to add non-default Accelerators.If you enable this policy setting the specified Accelerators are ad
This policy setting restricts the list of Accelerators that the user can access to only the set deployed through Group Policy.If yo
This policy setting allows you to manage whether users can access Accelerators.If you enable this policy setting users cannot a
This policy setting allows you to bypass prompting when a script that is running in any process on the computer attempts to pe
This policy setting allows you to bypass prompting when a script that is running in the Internet Explorer process attempts to pe
This policy setting allows you to define applications and processes that can access the Clipboard without prompting the user.N
This policy setting allows you to manage whether users can access the Print menu. Starting with Windows 8 this policy setting
This policy setting allows you to manage whether users can launch the report site problems dialog using a menu option.If you
This policy controls the website compatibility lists that Microsoft provides. The updated website lists are available on Window
This policy setting controls the Compatibility View feature which allows the user to fix website display problems that he or she
This policy setting controls the Compatibility View button that appears on the Command bar. This button allows the user to fix
This policy setting allows you to turn on Internet Explorer 7 Standards Mode. Compatibility View determines how Internet Exp
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage t
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.If you enable
Compatibility View determines how Internet Explorer identifies itself to a web server and determines whether content is rend
This policy setting prevents the user from specifying the code download path for each computer. The Internet Component Dow
This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences sele
This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Tempor
This policy setting prevents the user from performing actions which will delete browsing history. For more information on brow
In Internet Explorer 9 and Internet Explorer 10:This policy setting prevents users from deleting ActiveX Filtering and Tracking P
This policy setting prevents the user from deleting cookies. This feature is available in the Delete Browsing History dialog box.I
This policy setting prevents the user from deleting his or her download history. This feature is available in the Delete Browsing
This policy setting prevents the user from deleting favorites site data. This feature is available in the Delete Browsing History d
This policy setting prevents the user from deleting form data. This feature is available in the Delete Browsing History dialog bo
This policy setting prevents the user from deleting InPrivate Filtering data. Internet Explorer collects InPrivate Filtering data du
This policy setting prevents users from deleting passwords. This feature is available in the Delete Browsing History dialog box.I
This policy setting prevents the user from deleting temporary Internet files. This feature is available in the Delete Browsing His
This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in
This policy setting is used to manage temporary Internet files and cookies associated with your Internet browsing history avail
Removes the Advanced tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented
Removes the Connections tab from the interface in the Internet Options dialog box.If you enable this policy users are prevente
If you enable this policy setting users are prevented from seeing and changing ratings certificates AutoComplete Wallet and Pr
Removes the General tab from the interface in the Internet Options dialog box.If you enable this policy users are unable to see
Removes the Privacy tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented fro
Removes the Programs tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented
Removes the Security tab from the interface in the Internet Options dialog box.If you enable this policy it prevents users from
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors th
This policy setting allows you to manage whether Internet Explorer converts Unicode domain names to internationalized dom
This policy setting allows you to manage whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) for mai
This policy setting allows you to manage whether users receive a dialog requesting permission for active content on a CD to ru
This policy setting allows you to manage whether users can download and install self-installing program files (non-Internet Exp
This policy setting allows you to manage whether users can automatically download and install Web components (such as fon
This policy setting determines whether Internet Explorer uses the HTTP2 network protocol. HTTP2 requests help optimize the
This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests
This policy setting allows you to manage whether software such as ActiveX controls and file downloads can be installed or run
This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as browser helper objects
This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header.If you enable this policy
This policy setting allows you to manage whether Internet Explorer checks the Internet for newer versions. When Internet Exp
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certific
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. Wh
This policy setting prevents the user from using the Reset Internet Explorer Settings feature. Reset Internet Explorer Settings a
This policy setting allows you to manage whether Internet Explorer will save encrypted pages that contain secure (HTTPS) info
This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder
This policy setting allows you to manage whether Internet Explorer will display animated pictures found in Web content. Gene
This policy setting allows you to manage whether Internet Explorer will play sounds found in web content. Generally only soun
This policy setting allows you to manage whether Internet Explorer will display videos found in Web content. Generally only em
This policy setting prevents the text on the screen from being rendered through the ClearType technology that enhances the r
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0 TLS 1.1 TLS 1.2 Secure Sockets Layer (SS
This policy setting determines whether Internet Explorer preemptively loads websites and content in the background speeding
This policy setting specifies whether you will accept requests from Web sites for Profile Assistant information.If you enable thi
This policy setting determines whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) to encode query s
This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (fo
This policy setting allows you to turn Caret Browsing on or off. Caret Browsing allows users to browse to a webpage by using th
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versio
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1.If you enable this policy setting Internet Exp
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1 through proxy connections.If you enable thi
This policy setting shows the Content Advisor setting on the Content tab of the Internet Options dialog box.If you enable this p
This policy setting configures what Internet Explorer displays when a new browsing session is started. By default Internet Explo
This policy setting allows websites to store file resources in application caches on client computers.If you enable this policy setti
This policy setting allows websites to store indexed database cache information on client computers.If you enable this policy s
This policy setting sets file storage limits for application caches of websites that have been allowed to exceed their storage lim
This policy setting sets the number of days an inactive application cache will exist before it is removed. If the application cache
This policy setting sets data storage limits for indexed database and application caches for individual websites. When you set t
This policy setting sets data storage limits for indexed databases of websites that have been allowed to exceed their storage li
This policy setting sets the maximum size for an individual resource file contained in a manifest file. The manifest file is used to
This policy setting sets the maximum number of resource entries that can be specified in a manifest file associated with an app
This policy setting sets the file storage limit for all combined application caches for a user. When you set this policy setting you
This policy setting sets the data storage limit for all combined indexed databases for a user. When you set this policy setting yo
This template policy setting allows you to configure policy settings in this zone consistent with a selected security level for exa
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.If you enable thi
This policy setting controls whether sites which bypass the proxy server are mapped into the local Intranet security zone.If you
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone nu
This policy setting enables intranet mapping rules to be applied automatically if the computer belongs to a domain.If you enab
This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned o
This policy setting causes a Notification bar notification to appear when intranet content is loaded and the intranet mapping ru
This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Micr
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Intranet Zone can r
This policy setting allows you to manage whether script code on pages in the zone is run.If you enable this policy setting script
This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functiona
This policy setting allows you to manage whether scripts can perform a clipboard operation (for example cut copy and paste) i
This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.If y
This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by th
This policy setting allows you to manage whether pages of the zone may download HTML fonts.If you enable this policy setting
This policy setting allows you to manage whether users can install Active Desktop items from this zone. The settings for this op
This policy setting allows you to manage the loading of XAML Browser Applications (XBAPs). These are browser-hosted ClickOn
This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-
This policy setting allows you to manage the loading of XPS files. These files contain a fixed-layout representation of paginated
This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the
This policy setting controls whether or not the user is prompted to allow ActiveX controls to run on websites other than the w
This policy setting controls whether or not the user is allowed to run the TDC ActiveX control on websites.If you enable this po
This policy setting allows you to manage whether OpenSearch queries in this zone can be performed using Search Connectors
This policy setting allows you to manage whether a user may preview an item from this zone or display custom thumbnails in t
This policy setting determines whether a page can control embedded WebBrowser controls via script.If you enable this policy
This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and
This policy setting allows you to manage whether the user can run scriptlets.If you enable this policy setting the user can run s
This policy setting allows you to manage whether script is allowed to update the status bar within the zone.If you enable this p
This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.If
This policy setting allows the playing of video and animation through older media players in specified zones. Video and animati
This policy setting controls whether websites can open new Internet Explorer windows that have no status bar or Address bar
This policy setting determines whether scripted windows are automatically displayed.If you enable this policy setting scripted
This policy setting manages whether users will be automatically prompted for ActiveX control installations.If you enable this p
This policy setting determines whether users will be prompted for non user-initiated file downloads. Regardless of this setting
This policy setting allows you to manage whether users can display nonsecure items and manage whether users receive a secu
This policy setting allows you to manage whether users are prompted to select a certificate when no certificate or only one ce
This policy setting determines whether Internet Explorer runs antimalware programs against ActiveX controls to check if they'
This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone.If you e
This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is
This policy setting allows you to set options for dragging content from one domain to a different domain when the source and
This policy setting allows you to manage MIME sniffing for file promotion from one type to another based on a MIME sniff. A M
This policy setting controls whether or not local path information is sent when the user is uploading a file via an HTML form. If
This policy setting allows you to manage ActiveX controls not marked as safe.If you enable this policy setting ActiveX controls a
This policy setting allows you to manage permissions for Java applets.If you enable this policy setting you can choose options f
This policy setting allows you to manage whether applications may be run and files may be downloaded from an IFRAME refer
This policy setting allows you to manage settings for logon options.If you enable this policy setting you can choose from the fo
This policy setting allows you to manage the opening of windows and frames and access of applications across different doma
This policy setting specifies whether Internet Explorer renders legacy visual filters in this zone.If you enable this policy setting y
This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be
This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be exec
This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.If
This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.If you
This policy setting allows you to manage whether applets are exposed to scripts within the zone.If you enable this policy settin
This policy setting controls whether or not the "Open File - Security Warning" message appears when the user tries to open ex
This policy setting allows you to manage software channel permissions.If you enable this policy setting you can choose the foll
This policy setting allows you to manage whether data on HTML forms on pages in the zone may be submitted. Forms sent wit
This policy setting prevents the user's computer from starting Microsoft .NET Framework Setup when the user is browsing to .
This policy setting controls the first-run response that the user sees on a zone-by-zone basis. When the user encounters a new
This policy controls whether or not the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into w
This policy setting allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vuln
This policy setting controls whether SmartScreen Filter scans pages in this zone for malicious content.If you enable this policy
This policy setting allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when
This policy setting allows you to manage the preservation of information in the browser's history in favorites in an XML store o
This policy setting allows you to manage whether Web sites from less privileged zones such as Restricted Sites can navigate int
This policy setting allows you to manage whether Web sites from less privileged zones such as Internet sites can navigate into
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Trusted Sites Zone
This policy setting configures Internet Explorer to open Internet Explorer tiles on the desktop.If you enable this policy setting In
This policy setting allows you to choose how links are opened in Internet Explorer: Let Internet Explorer decide always in Inter
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.If you enable this policy se
This policy setting allows you to manage if users can see the button (next to the New Tab button) that opens Microsoft Edge.If
This policy setting determines whether phone numbers are recognized and turned into hyperlinks which can be used to invoke
This policy setting specifies whether Internet Explorer plays media files that use alternative codecs and that require additional
This policy setting specifies whether the user can conduct a search on the Address bar.If you enable this policy setting you mu
This policy setting allows you to specify whether a user can browse to the website of a top result when search is enabled on th
This policy setting turns off URL Suggestions. URL Suggestions allow users to autocomplete URLs in the address bar based on c
This policy setting allows you to prevent Windows Search AutoComplete from providing results in the Internet Explorer Addre
This policy setting prevents the user from specifying a URL that contains update information about cipher strength. When the
This policy setting prevents the user from changing the default URL for checking updates to Internet Explorer and Internet Too
This policy setting prevents the user from specifying the update check interval. The default value is 30 days.If you enable this p
This policy setting allows you to establish the threshold for InPrivate Filtering Automatic mode.The threshold sets the number
This policy setting allows you to establish the threshold for Tracking Protection Automatic mode.The threshold sets the numbe
This policy setting allows you to choose whether or not toolbars and Browser Helper Objects (BHOs) are loaded by default dur
This policy setting allows you to turn off the collection of data used by the InPrivate Filtering Automatic mode.The data consist
This policy setting allows you to turn off the InPrivate Browsing feature.InPrivate Browsing prevents Internet Explorer from sto
This policy setting allows you to turn off InPrivate Filtering.InPrivate Filtering helps users control whether third parties can aut
This policy setting allows you to turn off Tracking Protection.Tracking Protection helps users control whether third parties can
This policy setting allows you to block an insecure fallback to SSL 3.0. When this policy is enabled Internet Explorer will attemp
This policy setting allows you to hide the reveal password button when Internet Explorer prompts users for a password. The re
This policy setting allows you to turn off the Data Execution Prevention feature for Internet Explorer on Windows Server 2008
This policy setting allows you to turn on or turn off Data URI support. A Data URI allows web developers to encapsulate images
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are
This policy setting allows you to manage whether processes respect add-on management user preferences (as reflected by Ad
This policy setting allows you to ensure that any Internet Explorer add-ons not listed in the 'Add-on List' policy setting are deni
This policy setting allows you to manage whether the listed processes respect add-on management user preferences (as enter
This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX
This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls
This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX contr
This policy setting determines whether Internet Explorer saves log information for ActiveX controls.If you enable this policy se
This policy setting allows the user to run natively implemented scriptable XMLHTTP.If you enable this policy setting the user ca
This policy setting allows you to change the default connection limit for HTTP 1.1 from 6 connections per host to a limit of you
This policy setting allows you to change the default limit of WebSocket connections per server. The default limit is 6; you can s
This policy setting allows you to manage whether documents can request data across third-party domains embedded in the pa
The WebSocket object allows websites to request data across domains from your browser by using the WebSocket protocol. T
This policy setting allows you to choose whether websites can request data across domains by using the XDomainRequest obje
For each zone the Binary and Scripted Behavior security restrictions may be configured to allow only a list of admin-approved
Internet Explorer contains dynamic binary behaviors: components that encapsulate specific functionality for the HTML elemen
This policy setting allows you to manage whether Internet Explorer 9 can install ActiveX controls and other binaries signed wit
Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files rece
Internet Explorer places zone restrictions on each Web page it opens which are dependent upon the location of the Web page
This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more d
The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources host
Internet Explorer may be configured to prevent active content obtained through restricted protocols from running in an unsaf
File Explorer and Internet Explorer may be configured to prevent active content obtained through restricted protocols from ru
For each zone the Network Protocol Lockdown security restriction may be configured to prevent active content obtained thro
This policy setting allows you to manage whether the Notification bar is displayed for processes other than the Internet Explor
This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or
This policy setting allows you to manage whether the Notification bar is displayed for specific processes when file or code insta
This policy setting defines whether a reference to an object is accessible when the user navigates within the same domain or t
Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of ActiveX control inst
This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.If you enable this po
This policy setting enables applications hosting the Web Browser Control to block automatic prompting of file downloads that
This policy setting enables blocking of file download prompts that are not user initiated.If you enable this policy setting file dow
Internet Explorer allows scripts to programmatically open resize and reposition windows of various types. The Window Restric
This policy setting allows you to choose among three different labels for command buttons: show all text labels show selective
This policy setting allows you to manage where tabs are displayed.If you enable this policy setting tabs are displayed on a sepa
This policy setting allows you to show or hide the Command bar.If you enable this policy setting the Command bar is hidden an
This policy setting allows you to show or hide the status bar.If you enable this policy setting the status bar is hidden and the us
This policy setting allows you to lock or unlock the toolbars on the user interface.If you enable this policy setting the toolbars a
This policy setting allows you to lock the Stop and Refresh buttons next to the Back and Forward buttons.If you enable this pol
This policy setting allows you to manage whether the user can access Developer Tools in Internet Explorer.If you enable this p
This policy setting allows you to turn off the toolbar upgrade tool. The toolbar upgrade tool determines whether incompatible
This policy setting allows you increase the size of icons for command buttons.If you enable this policy setting icons for comman
This policy setting prevents installation of Internet Information Services (IIS) on this computer. If you enable this policy setting
This policy setting turns off the location feature for this computer. If you enable this policy setting the location feature
This policy setting turns off scripting for the location feature. If you enable this policy setting scripts for the location fe
This policy setting turns off the sensor feature for this computer. If you enable this policy setting the sensor feature is
This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting
This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation
This policy setting allows you to configure Automatic Maintenance activation random delay. The maintenance rand
This policy setting allows you to configure Automatic Maintenance wake up policy. The maintenance wakeup policy
Enables or disables the automatic download and update of map data.If you enable this setting the automatic download and up
This policy setting allows you to turn on or turn off unsolicited network traffic on the Offline Maps page in Settings > System >
This policy setting specifies whether Mobile Device Management (MDM) Enrollment is allowed. When MDM is enabled it allow
This policy setting specifies whether to automatically enroll the device to the Mobile Device Management (MDM) servic
This policy setting allows backup and restore of cellular text messages to Microsoft's cloud services.
This setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this settin
This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispy
This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service
Enable or disable detection for potentially unwanted applications. You can choose to block audit or allow when potentiall
This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Pol
This policy setting allows you to configure scheduled scan start time and the scheduled security intelligence update start time
This policy if defined will prevent antimalware from using the configured proxy server when communicating with the specified
This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network fo
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the ne
This policy setting allows you to configure the directory path where the support log files would be copied to. The value of this
This policy setting allows you to configure the scheduled scan and the scheduled security intelligence update start time windo
This policy setting turns off Microsoft Defender Antivirus. If you enable this policy setting Microsoft Defender Antivirus doe
This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected t
This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an ac
This policy setting allows you to configure whether or not to display AM UI to the users. If you enable this setting AM
Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients. If you disable o
This policy setting allows user to supress reboot notifications in UI only mode (for cases where UI can't be in lockdown mod
Please follow the device control policy groups xml schema to fill out the policy groups data.
Please follow the device control policy rules xml schema to fill out the policy rules data.
This policy setting allows you specify a list of file types that should be excluded from scheduled custom and real-time scanning
Allows an administrator to explicitly disable network packet inspection made by wdnisdrv on a particular set of IP addresses.
This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qu
This policy setting allows you to disable real-time scanning for any file opened by any of the specified processes. This policy do
Allows an administrator to specify if Automatic Exclusions feature for Server SKUs should be turned off. Disabled (Defa
This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Grou
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to r
This policy setting configures behaviour of samples submission when opt-in for MAPS telemetry is set. Possible option
Set the state for each Attack Surface Reduction (ASR) rule. After enabling this setting you can set each rule to the following
Exclude files and paths from Attack Surface Reduction (ASR) rules. Enabled: Specify the folders or files and resources tha
Add additional applications that should be considered "trusted" by controlled folder access. These applications are allowe
Enable or disable controlled folder access for untrusted applications. You can choose to block audit or allow attempts by u
Specify additional folders that should be guarded by the Controlled folder access feature. Files in these folders cannot be m
Enable or disable Microsoft Defender Exploit Guard network protection to prevent employees from using any application to
Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit m
This feature allows Microsoft Defender Antivirus to block a suspicious file for up to 60 seconds and scan it in the cloud to m
Enable or disable file hash computation feature. Enabled: When this feature is enabled Microsoft Defender will co
This policy setting determines how aggressive Microsoft Defender Antivirus will be in blocking and scanning suspicious files
This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be ad
Disabled (Default): If Not Configured or Disabled network protection is not allowed to be configured into block or audit m
This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilitie
This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilitie
This policy setting configures a local override for the configuration of the number of days items should be kept in the Quaranti
This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you en
This policy setting configures a local override for the configuration of monitoring for file and program activity on your compute
This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This se
This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This s
This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Grou
This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set
This policy setting allows you to configure monitoring for incoming and outgoing files without having to turn off monitoring en
This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you e
This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setti
This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configu
This policy setting turns off real-time protection prompts for known malware detection. Microsoft Defender Antivirus alerts y
This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting behavior monit
This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malwa
This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If you enable or do not c
This policy setting allows you to configure script scanning. If you enable or do not configure this setting script scanning will b
This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remedi
This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete re
This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remedi
This policy setting configures the time in minutes before a detection in the “critically failed” state to moves to either the “addi
This policy setting configures the time in minutes before a detection in the "non-critically failed" state moves to the "cleared"
This policy setting configures the time in minutes before a detection in the "completed" state moves to the "cleared" state.
This policy setting configures the time in minutes before a detection in the "additional action" state moves to the "cleared" sta
This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setti
This policy configures Windows software trace preprocessor (WPP Software Tracing) components.
This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing
Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients.
This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not confi
This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur before run
This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This
This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group
This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by
This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Grou
This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This settin
This policy setting allows you to enable or disable low CPU priority for scheduled scans. If you enable this setting low C
This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enab
This policy setting allows you to define the number of consecutive scheduled scans that can be missed after which a catch-u
This policy setting allows you to configure scanning mapped network drives. If you enable this setting mapped network drive
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the content
This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be config
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the num
This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are u
This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for th
This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The valu
This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: 1 = Quick Scan (
This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented a
This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented a
This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. If you enab
This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated bec
This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated b
This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled the engine will parse the mailbox
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the eng
This policy setting defines the number of days items should be kept in the scan history folder before being permanently remov
This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned there is a possible
This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intellig
This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS.
This policy setting allows you to enable download of security intelligence updates from Microsoft Update even if the Automati
This policy setting allows you to configure security intelligence updates when the computer is running on battery power. If yo
Disabled (Default): Updates and communications are not allowed over metered connections. Enabled: Allow managed
This policy setting allows you to manage whether a check for new virus and spyware security intelligence will occur immediate
This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will b
This policy setting allows you to define the security intelligence location for VDI-configured computers. If you disable or do n
This policy setting allows you to define the number of days after which a catch-up security intelligence update will be required
This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered o
This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out o
This policy setting allows you to define the order in which different security intelligence update sources should be contacted. T
This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine prese
This policy setting allows you to specify the day of the week on which to check for security intelligence updates. The check can
This policy setting allows you to specify an interval at which to check for security intelligence updates. The time value is repres
This policy setting allows you to specify the time of day at which to check for security intelligence updates. The time value is re
This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred.
This policy setting allows you to customize which automatic remediation action will be taken for each threat alert level.Threat
This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan
This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.I
The policy allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s
This policy setting allows you to decide whether data should persist across different sessions in Microsoft Defender Application
This policy setting determines whether to save downloaded files to the host operating system from the Microsoft Defender Ap
This policy setting determines whether Microsoft Defender Application Guard renders graphics using hardware or software ac
This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard con
This policy setting allows you to decide how the clipboard behaves while in Microsoft Defender Application Guard.If you enabl
This policy setting allows you to decide how the print functionality behaves while in Microsoft Defender Application Guard.If y
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Expl
This policy setting enables application isolation through Microsoft Defender Application Guard.Application Guard uses Window
Specify a common set of Microsoft Defender Exploit Guard system and application mitigation settings that can be applied to a
This policy setting lets you decide whether Microsoft Edge stores books from the Books tab to a default shared folder for Wind
This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recomm
This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.If you enable or don't configure this setti
This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.If you enable this policy setting
This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Libra
This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.If you enable or don't configur
This policy setting lets you decide how much data to send to Microsoft about the book you're reading from the Books tab in M
This setting lets you decide whether employees can load extensions in Microsoft Edge.If you enable or don't configure this setti
With this policy you can specify whether to allow full-screen mode which shows only the web content and hides the Microsoft
This policy setting lets you decide whether employees can browse using InPrivate website browsing.If you enable or don't con
This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites wit
This policy setting lets you decide whether Microsoft Edge can pre-launch during Windows sign in when the system is idle and
This policy setting lets you decide whether Microsoft Edge can load the Start and New Tab page during Windows sign in and ea
With this policy you can restrict whether printing web content in Microsoft Edge is allowed.If enabled printing is allowed.If dis
Microsoft Edge saves your user's browsing history which is made up of info about the websites they visit on their devices.If en
This policy setting lets you decide whether users can change their search engine. If you disable this setting users can't add new
Sideloading installs and runs unverified extensions in Microsoft Edge. With this policy you can specify whether unverified exte
This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default Microsoft Edge opens th
This policy setting helps you to decide whether to make the Books tab visible regardless of a device's country or region setting
This policy setting lets you add up to 5 additional search engines which can't be removed by your employees but can be made
This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft
This setting lets you configure how to work with cookies.If you enable this setting you must also decide whether to: Allow al
This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. B
This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their
The favorites bar shows your user's links to sites they have added to it. With this policy you can specify whether to set the favo
The Home button loads either the default Start page the New tab page or a URL defined in the Set Home Button URL policy.By
Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access either as a single app or as one o
You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset ti
You can configure Microsoft Edge to lock down the Start page preventing users from changing or customizing it.If enabled you
This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default Pa
This policy setting lets you decide whether to turn on Pop-up Blocker. By default Pop-up Blocker is turned on..If you enable thi
This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default employ
When you enable the Configure Open Microsoft Edge With policy you can configure one or more Start pages. When you enabl
If you enable or don’t configure the Adobe Flash Click-to-Run setting Microsoft Edge will require a user to click the Click-to
This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common co
This policy setting lets you configure whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen pr
You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pag
With this policy you can print PDF files based on per page orientation in Microsoft Edge.If enabled mixed mode printing is allow
This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge.If you enab
This policy settings lets you decide whether employees can access the about:flags page which is used to change developer setti
This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about down
This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about poten
Web security certificates are used to ensure a site your users go to is legitimate and in some circumstances encrypts the data.
This policy setting lets you decide whether employees can add import sort or edit the Favorites list on Microsoft Edge.If you en
This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to p
This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the
You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any availa
This policy setting lets you decide whether an employee's LocalHost IP address shows while making calls using the WebRTC pr
This policy setting allows you to configure a default set of favorites which will appear for employees. Employees cannot modif
This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should on
This policy setting lets you configure the default search engine for your employees. Your employees can change the default se
The home button can be configured to load a custom URL when your user clicks the home button.If enabled or configured and
You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New
You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification befo
By default when enabling Configure Home Button or Set Home Button URL the home button is locked down to prevent your u
This policy allows users to use a companion device such as a phone fitness band or IoT device to sign on to a desktop compute
This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ c
This policy setting specifies the text of the Contact IT URL hyperlink in the Company Settings Center.If you enable this policy se
This policy setting specifies the URL for the Contact IT link in the Company Settings Center.If you enable this policy setting the
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps.By
This policy setting allows you to enable or disable User Experience Virtualization (UE-V) feature. Reboot is needed for enable t
This policy setting enables a notification in the system tray that appears when the User Experience Virtualization (UE-V) Agent
This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage
This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package fi
This policy setting configures where the settings package files that contain user settings are stored. If you enable this policy se
This policy setting configures where custom settings location templates are stored and if the catalog will be used to replace th
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings over metered connec
This policy setting defines the default settings sync behavior of the User Experience Virtualization (UE-V) Agent for Windows a
This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settin
This policy setting configures the synchronization of Windows settings between computers.Certain Windows settings will sync
This policy setting enables the User Experience Virtualization (UE-V) tray icon. By default an icon appears in the system tray th
This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier
This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers r
This policy setting configures the backup of certain user settings for Microsoft Access 2013.Microsoft Access 2013 has user setti
This policy setting configures the synchronization of user settings of Calculator.By default the user settings of Calculator synch
This policy setting configures the backup of certain user settings which are common between the Microsoft Office Suite 2013 a
This policy setting configures the backup of certain user settings for Microsoft Excel 2013.Microsoft Excel 2013 has user setting
This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013.Microsoft InfoPath 2013 has user
This policy setting configures the synchronization of user settings of Internet Explorer 10.By default the user settings of Interne
This policy setting configures the synchronization of user settings for Internet Explorer 8.By default the user settings of Interne
This policy setting configures the synchronization of user settings which are common between the versions of Internet Explore
This policy setting configures the backup of certain user settings for Microsoft Lync 2013.Microsoft Lync 2013 has user settings
This policy setting configures the synchronization of user settings for Microsoft Access 2010.By default the user settings of Mic
This policy setting configures the synchronization of user settings for Microsoft Excel 2010.By default the user settings of Micro
This policy setting configures the synchronization of user settings for Microsoft InfoPath 2010.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft Lync 2010.By default the user settings of Micro
This policy setting configures the synchronization of user settings which are common between the Microsoft Office Suite 2010
This policy setting configures the synchronization of user settings for Microsoft Office 2013 Upload Center.By default the user
This policy setting configures the synchronization of user settings for Microsoft Office 365 Access 2013.Microsoft Office 365 sy
This policy setting configures the synchronization of user settings for Microsoft Office 365 Excel 2013.Microsoft Office 365 sync
This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013.Microsoft Office 365 s
This policy setting configures the synchronization of user settings for Microsoft Office 365 Lync 2013.Microsoft Office 365 sync
This policy setting configures the synchronization of user settings for Microsoft Office 365 OneNote 2013.Microsoft Office 365
This policy setting configures the synchronization of user settings for Microsoft Office 365 Outlook 2013.Microsoft Office 365 s
This policy setting configures the synchronization of user settings for Microsoft Office 365 PowerPoint 2013.Microsoft Office 3
This policy setting configures the synchronization of user settings for Microsoft Office 365 Project 2013.Microsoft Office 365 sy
This policy setting configures the synchronization of user settings for Microsoft Office 365 Publisher 2013.Microsoft Office 365
This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013.Microsoft
This policy setting configures the synchronization of user settings for Microsoft Office 365 Visio 2013.Microsoft Office 365 sync
This policy setting configures the synchronization of user settings for Microsoft Office 365 Word 2013.Microsoft Office 365 syn
This policy setting configures the synchronization of user settings for OneDrive for Business 2013.By default the user settings o
This policy setting configures the synchronization of user settings for Microsoft OneNote 2010.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft Outlook 2010.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft PowerPoint 2010.By default the user settings o
This policy setting configures the synchronization of user settings for Microsoft Project 2010.By default the user settings of Mic
This policy setting configures the synchronization of user settings for Microsoft Publisher 2010.By default the user settings of M
This policy setting configures the synchronization of user settings for Microsoft SharePoint Designer 2010.By default the user s
This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010.By default the use
This policy setting configures the synchronization of user settings for Microsoft Visio 2010.By default the user settings of Micro
This policy setting configures the synchronization of user settings for Microsoft Word 2010.By default the user settings of Micr
This policy setting configures the synchronization of user settings of Notepad.By default the user settings of Notepad synchron
This policy setting configures the backup of certain user settings for Microsoft OneNote 2013.Microsoft OneNote 2013 has use
This policy setting configures the backup of certain user settings for Microsoft Outlook 2013.Microsoft Outlook 2013 has user s
This policy setting configures the backup of certain user settings for Microsoft PowerPoint 2013.Microsoft PowerPoint 2013 ha
This policy setting configures the backup of certain user settings for Microsoft Project 2013.Microsoft Project 2013 has user se
This policy setting configures the backup of certain user settings for Microsoft Publisher 2013.Microsoft Publisher 2013 has use
This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013.Microsoft SharePoint
This policy setting configures the backup of certain user settings for Microsoft Visio 2013.Microsoft Visio 2013 has user setting
This policy setting configures the backup of certain user settings for Microsoft Word 2013.Microsoft Word 2013 has user settin
This policy setting configures the synchronization of user settings of WordPad.By default the user settings of WordPad synchro
This policy setting configures the synchronization of user settings for the Finance app.By default the user settings of Finance sy
This policy setting configures the synchronization of user settings for the Games app.By default the user settings of Games syn
This policy setting configures the synchronization of user settings for the Maps app.By default the user settings of Maps sync b
This policy setting configures the synchronization of user settings for the Music app.By default the user settings of Music sync
This policy setting configures the synchronization of user settings for the News app.By default the user settings of News sync b
This policy setting configures the synchronization of user settings for the Reader app.By default the user settings of Reader syn
This policy setting configures the synchronization of user settings for the Sports app.By default the user settings of Sports sync
This policy setting configures the synchronization of user settings for the Travel app.By default the user settings of Travel sync
This policy setting configures the synchronization of user settings for the Video app.By default the user settings of Video sync b
This policy setting configures the synchronization of user settings for the Weather app.By default the user settings of Weather
Disables the remote desktop sharing feature of NetMeeting. Users will not be able to set it up or use it for controlling their co
This policy setting allows configuration of OneDrive file sync behavior on metered connections.
Enable this setting to prevent the OneDrive sync client (OneDrive.exe) from generating network traffic (checking for updates e
This policy setting lets you prevent apps and features from working with files on OneDrive.If you enable this policy setting:* Us
This policy setting lets you prevent apps and features from working with files on OneDrive for Windows 8.1.If you enable this p
This policy setting lets you disable OneDrive as the default save location. It does not prevent apps and users from saving files o
This policy setting specifies whether active content links in trusted assistance content are rendered. By default the Help viewe
When logging into a new user account for the first time or after an upgrade in some scenarios that user may be presented wit
Specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace.If you enab
Specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace.If you enable t
This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace
This policy setting turns off Windows presentation settings.If you enable this policy setting Windows presentation settings can
If you enable this setting users will not be able to push Apps to this device from the Microsoft Store running on other devices o
This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop license server will offer Remo
This policy setting allows you to specify which version of Remote Desktop Services client access license (RDS CAL) a Remote De
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files fro
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signe
This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the
This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is
Controls whether passwords can be saved on this computer from Remote Desktop Connection.If you enable this setting the pa
This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote con
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted
This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. If you enab
This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redire
This policy setting allows you to configure remote access to computers by using Remote Desktop Services.If you enable this po
Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host s
This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is co
This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off
Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server.You can use this setti
This policy setting allows you to restrict users to a single Remote Desktop Services session.If you enable this policy setting user
This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth an
This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server.I
If you enable this policy setting administrators can interact with a user's Remote Desktop Services session based on the option
This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user
This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remot
This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services
This policy setting determines whether the client computer redirects its time zone settings to the Remote Desktop Services ses
This policy setting determines whether User Interface (UI) Automation client applications running on the local computer can a
This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote co
This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Rem
This policy setting specifies whether to prevent the mapping of client drives in a Remote Desktop Services session (drive redire
This policy setting lets you control the redirection of location data to the remote computer in a Remote Desktop Services sessi
This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services se
This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session.If you enab
This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices such as Windows Por
This policy setting lets you control the redirection of video capture devices to the remote computer in a Remote Desktop Serv
This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of
This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with
This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is require
This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop licen
This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services session
This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a sessio
This policy setting allows you to specify the RD Session Host server fallback printer driver behavior.By default the RD Session H
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client pr
This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting on
This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles.By defa
Specifies whether Remote Desktop Services uses the specified network share or local directory path as the root of the user's h
This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting re
This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the fa
This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and red
This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Co
This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote D
This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initi
This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use.By default server
This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. When you enable
This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote
This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remot
This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host
Specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services.You can use this s
This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections
This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Re
This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session
This policy setting prioritizes the H.264/AVC 444 graphics mode for non-RemoteFX vGPU scenarios. When you use this setting
This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop
Specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this
Configures Remote Desktop Services to run a specified program automatically upon connection.You can use this setting to spe
This policy setting allows you to enable RemoteApp programs to use advanced graphics including support for transparency live
This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions.If
This policy setting lets you enable WDDM graphics display driver for Remote Desktop Connections.If you enable or do not con
This policy setting allows you to control the availability of RemoteFX on both a Remote Desktop Virtualization Host (RD Virtual
This policy setting allows you to specify the visual experience that remote users receive in Remote Desktop Services sessions. R
This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC
This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection.You
This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desk
Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecu
This policy setting specifies whether to require the use of a specific security layer to secure communications between clients a
This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host
This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically
Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD
This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it.Y
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be i
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active be
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions.You can use this po
This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff.You can
This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders.You can us
This policy setting prevents the user from using Internet Explorer as a feed reader. This policy setting has no impact on the Win
This policy setting prevents users from having Internet Explorer automatically discover whether a feed or Web Slice is available
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's compute
This policy setting prevents the user from subscribing to or deleting a feed or a Web Slice.If you enable this policy setting the m
This policy setting controls whether to have background synchronization for feeds and Web Slices.If you enable this policy setti
This policy setting allows users to have their feeds authenticated through the Basic authentication scheme over an unencrypte
Enabling this policy allows you to add a primary intranet search location within Windows Desktop Search. The value of this tex
Enabling this policy allows you to add intranet search locations in addition to the primary intranet search location defined in th
Allow search and Cortana to search cloud sources like OneDrive and SharePoint
This policy setting specifies whether Cortana is allowed on the device. If you enable or don't configure this setting Cortana wil
This policy setting determines whether or not the user can interact with Cortana using speech while the system is locked.If you
Allow the cortana opt-in page during windows setup out of the box experience
This policy setting allows encrypted items to be indexed. If you enable this policy setting indexing will attempt to decrypt and
This policy setting specifies whether search and Cortana can provide location aware search and Cortana results. If this is enabl
This policy setting allows words that contain diacritic characters to be treated as separate words. If you enable this policy setti
This policy setting determines when Windows uses automatic language detection results and when it relies on indexing history
Enabling this policy defines a semicolon-delimited list of file extensions which will be allowed to have rich attachment preview
Enabling this policy allows you to specify a list of paths to exclude from indexing by default. The user may override these paths
Enabling this policy allows you to specify a list of paths to index by default. The user may override these paths and exclude the
If enabled the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is
This policy setting configures whether or not locations on removable drives can be added to libraries. If you enable this poli
Enabling this policy removes the option of searching the Web from Windows Desktop Search.When this policy is disabled or n
This policy setting allows you to control whether or not Search can perform queries on the web and if the web results are disp
This policy setting allows you to control whether or not Search can perform queries on the web over metered connections and
Enabling this policy allows indexing of items for online delegate mailboxes on a Microsoft Exchange server. This policy affects o
Enabling this policy allows indexing of mail items on a Microsoft Exchange server when Microsoft Outlook is not running in cac
When using Microsoft Office Outlook in online mode you can enable this policy to control how fast online mail is indexed on a
Store indexer database in this directory. This directory must be located on a local fixed drive.
Enabling this policy prevents users from adding UNC locations to the index from the Search and Indexing Options in Control Pa
This policy setting allows you to enable or disable the Add/Remove location options on the All Locations menu as well as any d
This policy setting configures how Windows Search adds shared folders to the search index.If you enable this policy setting Wi
If enabled clients will be unable to query this computer's index remotely. Thus when they are browsing network shares that a
If enabled Search and Indexing Options in Control Panel does not allow opening the Modify Locations dialog. Otherwise it can
If you enable this policy setting you specify a list of paths to exclude from indexing. The user cannot enter any path that starts
Enable this policy setting to prevent the indexing of the content of e-mail attachments. If enabled indexing service component
If enabled files on network shares made available offline are not indexed. Otherwise they are indexed. Disabled by default.
Enable this policy to prevent indexing of any Microsoft Outlook items. The default is to automatically index Outlook items. If th
Enabling this policy allows you to edit the list of file types to exclude from indexing. The end user cannot modify this list. You s
Enable this policy to prevent indexing public folders in Microsoft Office Outlook. When this policy is disabled or not configured
If enabled the indexer pauses whenever the computer is running on battery. If disabled the indexing follows the default behav
This policy setting hides or displays the Advanced Options dialog for Search and Indexing Options in the Control Panel.If you en
Enabling this policy prevents Windows Desktop Search from using iFilters and protocol handlers unless they are specified in th
Enabling this policy allows you to set the location of the preview pane in the Desktop Search results. You can also turn off the
Enabling this policy allows you to specify whether you want large icon or small icon view for your Desktop Search results. The
This policy setting allows you to control the SafeSearch setting used when performing a query in Search. If you enable this poli
This policy setting allows you to control what information is shared with Bing in Search.If you enable this policy setting you can
Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the sa
This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory do
This policy setting configures the number of minutes the system waits for the hung logon sessions before proceeding with the
This policy setting controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface i
This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon.In versions of Wind
This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to lo
This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI)
This policy setting lets you allow signature key-based certificates to be enumerated and available for logon.If you enable this p
This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid.Under previous v
This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user
This policy setting allows you to manage the clean up behavior of root certificates. If you enable this policy setting then root c
This policy setting allows you to manage the displayed message when a smart card is blocked.If you enable this policy setting t
This policy settings lets you configure if all your valid logon certificates are displayed.During the certificate renewal period a us
This policy setting allows you to manage the reading of all certificates from the smart card for logon.During logon Windows wi
This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is instal
This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable this policy setting Creden
This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon.
This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted.If you enable or
This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted.If you enab
This policy setting allows you to control whether Smart Card Plug and Play is enabled.If you enable or do not configure this po
This policy setting controls whether OS Reactivation is blocked on a device. Policy Options: - Not Confi
This policy setting lets you opt-out of sending KMS client activation data to Microsoft automatically. Enabling this setting pr
Specifies whether Sound Recorder can run.Sound Recorder is a feature of Microsoft Windows Vista that can be used to record
Specifies whether the device will receive updates to the speech recognition and speech synthesis models. A speech model
Disable turns off the launch of all apps from the Microsoft Store that came pre-installed or were downloaded. Apps will not be
Denies access to the retail catalog in the Microsoft Store but displays the private store.If you enable this setting users will not
Enables or disables the automatic download and installation of app updates.If you enable this setting the automatic download
Enables or disables the automatic download of app updates on PCs running Windows 8.If you enable this setting the automati
Enables or disables the Store offer to update to the latest version of Windows.If you enable this setting the Store application w
Denies or allows access to the Store application.If you enable this setting access to the Store application is denied. Access to th
Prevent syncing to and from this PC. This turns off and disables the "sync your settings" switch on the "sync your settings" pag
Prevent the "app settings" group from syncing to and from this PC. This turns off and disables the "app settings" group on the
Prevent the "AppSync" group from syncing to and from this PC. This turns off and disables the "AppSync" group on the "s
Prevent the "browser" group from syncing to and from this PC. This turns off and disables the "browser" group on the "sync y
Prevent the "desktop personalization" group from syncing to and from this PC. This turns off and disables the "desktop person
Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables "sync your settings on
Prevent the "Other Windows settings" group from syncing to and from this PC. This turns off and disables the "Other Window
Prevent the "passwords" group from syncing to and from this PC. This turns off and disables the "passwords" group on the "sy
Prevent the "personalize" group from syncing to and from this PC. This turns off and disables the "personalize" group on the "
Prevent the "Start layout" group from syncing to and from this PC. This turns off and disables the "Start layout" group on t
Prevents start of InkBall game.If you enable this policy the InkBall game will not run.If you disable this policy the InkBall game
Prevents printing to Journal Note Writer.If you enable this policy the Journal Note Writer printer driver will not allow printing t
Prevents the snipping tool from running.If you enable this policy setting the Snipping Tool will not run.If you disable this policy
Prevents start of Windows Journal.If you enable this policy the Windows Journal accessory will not run.If you disable this polic
Disables visual pen action feedback except for press and hold feedback.If you enable this policy all visual pen action feedback
Removes the Back->ESC mapping that normally occurs when menus are visible and for applications that subscribe to this beha
Prevents the user from launching an application from a Tablet PC hardware button.If you enable this policy applications canno
Prevents press and hold actions on hardware buttons so that only one action is available per button.If you enable this policy p
Turns off Tablet PC hardware buttons.If you enable this policy no actions will occur when the buttons are pressed and the butt
Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from prov
Prevents the Tablet PC Input Panel icon from appearing next to any text entry area in applications where this behavior is availa
Includes rarely used Chinese Kanji and Hanja characters when handwriting is converted to typed text. This policy applies only t
Prevents Input Panel tab from appearing on the edge of the Tablet PC screen.Tablet PC Input Panel is a Tablet PC accessory th
Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is av
Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and W
Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out ge
Makes pen flicks learning mode unavailable.If you enable this policy pen flicks are still available but learning mode is not. Pen
Makes pen flicks and all related features unavailable.If you enable this policy pen flicks and all related features are unavailable
Turns off Tablet PC Pen Training.If you enable this policy setting users cannot open Tablet PC Pen Training.If you disable or do
Turn off Tablet PC touch inputTurns off touch input which allows the user to interact with their computer using their finger.If y
Turn off Panning Turns off touch panning which allows users pan inside windows by touch. On a compatible PC with a touc
This setting removes the "Open advanced properties for this task when I click Finish" checkbox from the last page of the Sched
Prevents users from viewing and changing the properties of an existing task.This setting removes the Properties item from the
Prevents users from starting and stopping tasks manually.This setting removes the Run and End Task items from the context m
Limits newly scheduled to items on the user's Start menu and prevents the user from changing the scheduled program for exis
Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks folder.This setting disabl
Prevents users from creating new tasks.This setting removes the Add Scheduled Task item that starts the New Task Wizard. Al
Prevents users from deleting tasks from the Scheduled Tasks folder.This setting removes the Delete command from the Edit m
This setting enables and configures the device-based tenant restrictions feature for Azure Active Directory.When you enable t
When this policy setting is enabled some language features (such as handwriting recognizers and spell checking dictionaries) in
This policy setting controls the ability to send inking and typing data to Microsoft to improve the language recognition and sug
This policy specifies whether the widgets feature is allowed on the device.Widgets will be turned on by default unless you cha
Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars publishing
This policy setting affects the ability of users to install or uninstall color profiles.If you enable this policy setting users cannot in
If you enable this setting all Customer Experience Improvement Program uploads are redirected to Microsoft Operations Man
This policy setting will enable tagging of Windows Customer Experience Improvement data when a study is being conducted.If
App Install Control is a feature of Windows Defender SmartScreen that helps protect PCs by allowing users to install apps only
This policy allows you to turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users befo
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automa
This policy setting configures how errors are reported to Microsoft and what information is sent when Windows Error Reportin
This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event lo
This policy setting turns off Windows Error Reporting so that reports are not collected or sent to either Microsoft or internal se
This policy setting controls whether users are shown an error dialog box that lets them report an error.If you enable this policy
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.If you en
This policy setting determines whether Windows Error Reporting (WER) sends additional second-level report data even if a CA
This policy setting prevents the display of the user interface for critical errors.If you enable or do not configure this policy setti
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. B
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amo
This policy setting specifies a corporate server to which Windows Error Reporting sends reports (if you do not want to send err
This policy setting controls the behavior of the Windows Error Reporting archive.If you enable this policy setting you can config
This policy setting determines the behavior of the Windows Error Reporting report queue.If you enable this policy setting you
This policy setting controls whether errors in general applications are included in reports when Windows Error Reporting is en
This policy setting specifies applications for which Windows Error Reporting should always report errors.To create a list of app
This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is
This policy setting controls Windows Error Reporting behavior for errors in general applications when Windows Error Reportin
This policy setting controls whether errors in the operating system are included Windows Error Reporting is enabled.If you ena
This policy setting controls whether or not unplanned shutdown events can be reported when error reporting is enabled.If you
This policy setting determines the default consent behavior of Windows Error Reporting.If you enable this policy setting you ca
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.If you enable this poli
This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings.If y
Windows Game Recording and Broadcasting.This setting enables or disables the Windows Game Recording and Broadcasting f
Windows prevents users on the same computer from enumerating provisioned Windows Hello for Business credentials for oth
Configure a comma separated list of credential provider GUIDs such as face and fingerprint provider GUIDs to be used as the fi
Configure a comma separated list of signal rules in the form of xml for each signal type.If you enable this policy setting these s
Windows Hello for Business automatically provides smart card emulation for compatibility with smart card enabled application
A Trusted Platform Module (TPM) provides additional security benefits over software because data protected by it cannot be u
Windows Hello for Business enables users to use biometric gestures such as face and fingerprints as an alternative to the PIN g
Use this policy setting to configure Windows Hello for Business to enroll a sign-in certificate used for on-premises authenticati
Use this policy setting to configure Windows Hello for Business to use Azure AD Kerberos for on-premises authentication.If you
PIN recovery enables a user to change a forgotten PIN using the Windows Hello for Business PIN recovery service without losin
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Dire
If you enable this policy setting applications use Windows Hello for Business certificates as smart card certificates. Biometric fa
Allow suggested apps in Windows Ink Workspace
Allow Windows Ink Workspace
This policy setting permits users to change installation options that typically are available only to system administrators.If you
This policy setting allows users to search for installation files during privileged installations.If you enable this policy setting the
This policy setting allows users to patch elevated products.If you enable this policy setting all users are permitted to install pat
This policy setting allows users to install programs from removable media during privileged installations.If you enable this polic
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.If you ena
This policy controls the percentage of disk space available to the Windows Installer baseline file cache. The Windows
This policy setting causes the Windows Installer to enforce strict rules for component upgrades.If you enable this policy setting
This policy setting controls the ability to prevent embedded UI.If you enable this policy setting no packages on the system can
This policy setting allows Web-based programs to install software on the computer without notifying the user.If you disable or
This policy setting prevents users from using Windows Installer to install patches.If you enable this policy setting users are pre
This policy setting controls the ability to turn off all patch optimizations.If you enable this policy setting all Patch Optimization
This policy setting controls the ability of non-administrators to install updates that have been digitally signed by the applicatio
This policy setting controls the ability for users or administrators to remove Windows Installer based updates.This policy settin
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuc
This policy setting controls Windows Installer's interaction with the Restart Manager. The Restart Manager API can eliminate o
This policy setting allows you to configure user installs. To configure this policy setting set it to enabled and use the drop-down
This policy setting prevents users from searching for installation files when they add features or components to an installe
This policy setting saves copies of transform files in a secure location on the local computer.Transform files consist of instructi
Specifies the types of events that Windows Installer records in its transaction log for each installation. The log Msi.log app
This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed.
This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installati
This policy setting controls the ability to turn off shared components.If you enable this policy setting no packages on the system
This policy setting restricts the use of Windows Installer.If you enable this policy setting you can prevent users from installing s
This policy setting controls the configuration under which an automatic restart and sign on and lock occurs after a restart or co
This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS).If you enable this policy
This policy setting controls whether or not the system displays information about previous logons and logon failures to the use
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and
This policy setting controls whether a device will automatically sign in and lock the last interactive user after the system restar
Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet).When enabled Windows
This policy setting allows you to prevent the anchor window from being displayed when Windows Media Player is in skin mode
This policy setting allows you to turn off do not show first use dialog boxes.If you enable this policy setting the Privacy Options
This policy setting allows you to prevent a shortcut icon for the Player from being added to the user's desktop.If you enable th
This policy setting allows you to prevent media sharing from Windows Media Player.If you enable this policy setting any user o
This policy setting allows you to prevent a shortcut for the Player from being added to the Quick Launch bar.If you enable this
This policy setting allows you to prevent video smoothing from occurring.If you enable this policy setting video smoothing is pr
This policy setting allows you to prevent Windows Messenger from running.If you enable this policy setting Windows Messeng
This policy setting prevents Windows Messenger from automatically running at logon. If you enable this policy setting Window
This policy setting turns off Windows Mobility Center.If you enable this policy setting the user is unable to invoke Windows Mo
This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet.If you enable th
This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting pip
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
This policy setting lets you configure the script execution policy controlling which scripts are allowed to run.If you enable this p
This policy setting allows the Windows Management Instrumentation (WMI) providers Win32_ReliabilityStabilitymetrics and W
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authenticatio
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentica
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unen
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authenticati
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Kerberos authentic
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Negotiate authenti
This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses the list specified in
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentic
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authe
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens o
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives une
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Kerberos crede
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Negotiate auth
This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs cr
This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to
This policy setting turns on or turns off an HTTP listener created for backward compatibility purposes in the Windows Remote
This policy setting turns on or turns off an HTTPS listener created for backward compatibility purposes in the Windows Remote
This policy setting configures access to remote shells.If you enable or do not configure this policy setting new remote shell con
This policy setting configures the maximum number of users able to concurrently perform remote shell operations on the syst
This policy setting configures the maximum time in milliseconds remote shell will stay open without any user activity until it is
This policy setting configures the maximum total amount of memory in megabytes that can be allocated by any active remote
This policy setting configures the maximum number of processes a remote shell is allowed to launch.If you enable this policy s
This policy setting configures the maximum number of concurrent shells any user can remotely open on the same system.Any
This policy setting is deprecated and has no effect when set to any state: Enabled Disabled or Not Configured.
This policy setting enables or disables audio input to the Sandbox. If you enable this policy setting Windows Sandbox will be ab
This policy setting enables or disables clipboard sharing with the sandbox.If you enable this policy setting copy and paste betw
This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surfa
This policy setting enables or disables printer sharing from the host into the Sandbox.If you enable this policy setting host prin
This policy setting is to enable or disable the virtualized GPU. If you enable this policy setting vGPU will be supported in the Wi
This policy setting enables or disables video input to the Sandbox. If you enable this policy setting video input is enabled in Win
Hide the Account protection area in Windows Security. Enabled: The Account protection area will be hidden. D
Hide the App and browser protection area in Windows Security. Enabled: The App and browser protection area w
Prevent users from making changes to the Exploit protection settings area in Windows Security. Enabled: Local us
Hide the Device performance and health area in Windows Security. Enabled: The Device performance and health
Disable the Clear TPM button in Windows Security. Enabled: The Clear TPM button will be unavailable for use.
Hide the Device security area in Windows Security. Enabled: The Device security area will be hidden. Disabled
Hide the Secure boot area in Windows Security. Enabled: The Secure boot area will be hidden. Disabled: T
Hide the Security processor (TPM) troubleshooting area in Windows Security. Enabled: The Security processor (TP
Hide the recommendation to update TPM Firmware when a vulnerable firmware is detected. Enabled: Users will n
Display specified contact information to local users in a contact card flyout menu in Windows Security Enabled: Yo
Display specified contact information to local users in Windows Security notifications. Enabled: Your company con
Specify the company name that will be displayed in Windows Security and associated notifications. This setting must be e
Specify the email address or email ID that will be displayed in Windows Security and associated notifications. Users ca
Specify the phone number or Skype ID that will be displayed in Windows Security and associated notifications. Users
Specify the URL that will be displayed in Windows Security and associated notifications. Users can click on the contac
Hide the Family options area in Windows Security. Enabled: The Family options area will be hidden. Disabled:
Hide the Firewall and network protection area in Windows Security. Enabled: The Firewall and network protection
Hide notifications from Windows Security. Enabled: Local users will not see notifications from Windows Secur
Only show critical notifications from Windows Security. If the Suppress all notifications GP setting has been enabled th
This policy setting hides the Windows Security notification area control. The user needs to either sign out and sign in o
Hide the Ransomware data recovery area in Windows Security. Enabled: The Ransomware data recovery area will
Hide the Virus and threat protection area in Windows Security. Enabled: The Virus and threat protection area will
Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor
This policy setting allows you to control whether non-administrative users will receive update notifications based on the "Confi
Enable this policy to specify when auto-restart reminders are displayed.You can specify the amount of time prior to a schedule
Enable this policy to specify the method by which the auto-restart required notification is dismissed. When a restart is require
Enable this policy to control when notifications are displayed to warn users about a scheduled restart for the update installatio
Specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart.If the status is set to E
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choic
Enable this policy to not allow update deferral policies to cause scans against Windows Update.If this policy is disabled or not
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Wi
Specifies whether the Windows Update will use the Windows Power Management features to automatically wake up the syst
Specifies that to complete a scheduled installation Automatic Updates will wait for the computer to be restarted by any user w
Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart. If the st
Specifies the amount of time for Automatic Updates to wait following system startup before proceeding with a scheduled inst
Specify the deadline before the PC will automatically restart to apply updates. The deadline can be set 2 to 14 days past the de
Enable this policy to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged re
This policy setting allows you to control whether users receive notifications for auto restarts for update installations including
Specifies whether Automatic Updates will deliver both important as well as recommended updates from the Windows Update
This policy setting allows you to control whether users see detailed enhanced notification messages about featured software f
Enabling this policy will automatically download updates even over metered data connections (charges may apply)
If you enable this policy a restart timer will always begin immediately after Windows Update installs important updates instea
Specifies whether this computer will receive security updates and other important downloads through the Windows automati
0 (default) – Use the default Windows Update notifications1 – Turn off all notifications excluding restart warnings2 – Turn off a
This setting allows to remove access to "Pause updates" feature.Once enabled user access to pause updates is removed.
This setting allows you to remove access to scan Windows Update.If you enable this setting user access to Windows Update sc
Enable this policy to specify the maximum number of hours from the start time that users can set their active hours.The max a
This policy lets you specify the number of days before quality and feature updates are installed on devices automatically and a
If you enable this policy the PC will not automatically restart after updates during active hours. The PC will attempt to restart o
Enabling this policy for EDU devices that remain on Carts overnight will skip power checks to ensure update reboots will happe
This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft
Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wai
Even when Windows Update is configured to receive updates from an intranet update service it will periodically retrieve infor
Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service.If
Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically
When this policy is enabled devices will receive Windows updates for the classes listed from the specified update source: eithe
Enable this setting when Feature Updates should be deployed to devices without blocking on any safeguard holds. Safeg
Enable this policy to not include drivers with Windows quality updates.If you disable or do not configure this policy Windows U
Enable this policy to manage which updates you receive prior to the update being released to the world.Dev ChannelIdeal for
Enter the product and version as listed on the Windows Update target version page: aka.ms/WindowsTargetVers
Enable this policy to specify when to receive Feature Updates.Defer Updates | This enables devices to defer taking the next Fe
Enable this policy to specify when to receive quality updates.You can defer receiving quality updates for up to 30 days.To prev
This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If y
not contact Microsoft content services to retrieve tips and help content.
strator to block a given set of pages from the System Settings app. Blocked pages will not be visible in the app and if all pages in a category
g users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.If you disable or d
cified in hex as #RGB.By default users can change the background and accent colors.If this setting is enabled the background and accent co
location) of the image file. The same image will be used for both the lock and logon screens.This setting lets you specify the default lock sc
from changing it.If this setting is set to zero or not configured then Start uses the default background and users can change it.If this setting
n the logon screen.By default users can change the background image shown when the machine is locked or displaying the logon screen.If
default users can change the look of their start menu background such as its color or accent.If you enable this setting the user will be assig
ked on the lock screen.By default users can enable invocation of an available camera on the lock screen.If you enable this setting users wil
the lock screen.By default users can enable a slide show that will run after they lock the machine.If you enable this setting users will no lo
ven by the device's accelerometer output.If you enable this setting motion will be prevented and the user will see the traditional static lock
nition services. If this policy is enabled or not configured control is deferred to users and users may choose whether to enable spe
talled on a machine but are not used by any users on that machine. If you enable this policy setting language packs that are installed
e installed.If you enable this policy setting the UI language of Windows menus and dialogs for systems with more than one language is rest
mand packages. This policy does not restrict switching the Windows language if you want to restrict the Windows language use the follow
rs with more than one UI language installed.If you enable this policy setting the UI language of Windows menus and dialogs for systems w
onalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting re
em to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo.Note: Th
assword Settings" policy is NOT allowed. When such expiration is detected password is changed immediately and password expiration is s
ministrator password is managedIf you disable or not configure this setting local administrator password is NOT managed
T configure when you use built-in admin account. Built-in admin account is auto-detected by well-known SID even when renamed DO con
a new password Default: Large letters + small letters + numbers + special charactersPassword length Minimum: 8 characters Maximum: 6
on (e.g. NET USE connecting to C$ etc.). Local accounts are at high risk for credential theft when the same account and password is configu
Note that activation blocking applies only within Office processes.If you enable this policy setting you can choose from three options to con
e client-side processing of the SMBv1 protocol (recommended) do ALL of the following:* Set the SMBv1 client driver to "Disable driver" us
col select the "Enabled" radio button then select "Disable driver" from the dropdown.WARNING: DO NOT SELECT THE "DISABLED" RADIO
ng this setting enables server-side processing of the SMBv1 protocol. (Default.)Changes to this setting require a reboot to take effect.For m
m/en-us/help/956607/how-to-enable-structured-exception-handling-overwrite-protection-sehop-in-windows-operating-systems.If this setti
moved to Security Options\Domain controller: LDAP server channel binding token requirements.
fault users that aren't Administrators can't install print drivers on this computer.If you enable this setting or do not configure it the system
see http://technet.microsoft.com/en-us/library/dn408187.aspx
A B-node computer uses broadcasts.* A P-node computer uses only point-to-point name queries to a name server (WINS).* An M-node co
for .bat .cmd .exe and .msc files.Enabled (recommended): Keeps "Run As Different User" from appearing in the context menu when the us
wser Control (WebOC) for Office applications.It's important to determine whether legacy JScript is being used to provide business-critical f
onfigured through the following Group Policy setting:Computer Configuration\Administrative Templates\Windows Components\Windows
n memory where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed.If this setting is not
ept for highly secure environments)

vironments)
xcept from WINS servers
uld lead to DoS)
recommended)
est is not acknowledged

recommended 5 is default)
mmended 5 is default)
ate a warning
to discover domain controllers on a network. By default a DFS client attempts to discover domain controllers every 15 minutes.If you enab
ure is enabled on a specific computer. By default the files in a BITS job are downloaded only from the origin server specified by the job's o
s Branch Cache component is installed and enabled on a computer BITS jobs on that computer can use Windows Branch Cache by default.
when BITS peer caching is enabled the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (dow
when BITS peer caching is enabled the computer acts as both a peer caching server (offering files to its peers) and a peer caching client (do
TS) peer cache. In order to make the most efficient use of disk space by default BITS removes any files in the peer cache that have not been
e as a percentage of the total system disk size. BITS will add files to the peer cache and make those files available to peers until the cache
ake to download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumu
uses for background transfers. (This policy setting does not affect foreground transfers.) You can specify a limit to use during a specifi
does not affect transfers from the origin server). To prevent any negative impact to a computer caused by serving other peers by def
s the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS
y default BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this policy setting to raise or lo
ed to 200 files. You can use this setting to raise or lower the maximum number of files a BITS jobs can contain. If you enable this polic
es in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ranges per file. If yo
e (BITS) uses for background transfers when the system is connected to a costed network (3G etc.). Download behavior policies further lim
uses for background transfers during the maintenance days and hours. Maintenance schedules further limit the network bandwidth that is
uses for background transfers during the work and nonwork days and hours. The work schedule is defined using a weekly calendar which c
b is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be
ers at your main office. This policy setting specifies when client computers in branch offices start caching content from file servers based o
d mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache v
provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client co
f hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's curre
data cache on client computers.If you enable this policy setting you can configure the age for segments in the data cache.If you disable or
uters to which this policy is applied. In addition to this policy you must use the policy "Turn on BranchCache" to enable BranchCache on cl
s to which this policy is applied. In addition to this policy you must use the policy "Turn on BranchCache" to enable BranchCache on client
hCache disk cache on client computers.If you enable this policy setting you can configure the percentage of total disk space to allocate for
y is applied. In addition to this policy setting you must specify whether the client computers are hosted cache mode or distributed cache m
is a string that identifies the type of resource and the location of the resource. Each string can be one of the following types: - A DNS nam
n addition to default log commands.
actively all the time. If this setting is not configured NCA probing is in active mode by default.
notification area icon. For example you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation.If thi
nable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured t
user clicks the Networking notification area icon.If the user clicks the Disconnect option NCA removes the DirectAccess rules from the Na
network administrator. When the user sends the log files to the Administrator NCA uses the default e-mail client to open a new message w
ng notification area icon.Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAc
sequent DNS queries if the original name query fails.A name containing dots but not dot-terminated is called an unqualified multi-label na
u enable this policy setting NetBT queries will be issued for multi-label and fully qualified domain names such as "www.example.com" in a
DNS client will do classic DNS name resolution (over UDP or TCP). This setting can enhance the DNS client to use DoH protocol to resolve do
NS suffixes and those configured using DHCP.To use this policy setting click Enabled and then enter a string value representing the DNS suffi
s policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting click Enable
query for that name.An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a
tically register and update their DNS resource records with a DNS server.If you enable this policy setting or you do not configure this policy
eprep form a canonical Unicode representation of the string.If this policy setting is enabled IDNs are converted to the Nameprep form.If th
e that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link
tion.To use this policy setting click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com.Import
ss.With devolution a DNS client creates queries by appending a single-label unqualified domain name with the parent suffix of the primary
on during the name resolution process.With devolution a DNS client creates queries by appending a single-label unqualified domain name
s with a concatenation of its computer name and a connection-specific DNS suffix in addition to registering these records with a concaten
d to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A
etting only applies to computers performing dynamic DNS updates.Computers configured to perform dynamic DNS registration of A and PT
ng IP addresses.This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secur
computers to which this policy setting is applied.To specify the TTL click Enabled and then enter a value in seconds (for example 900 is 15
e when the computer is on non-domain networks with no WINS servers configured.If this policy setting is enabled IDNs are not converted
a secondary name resolution protocol. With LLMNR queries are sent using multicast over a local network link on a single subnet from a cl
tting improves performance by issuing parallel DNS link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries a
on-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include lin
n select one of the following values:Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic
e also known as top-level domain zones for example: "com."By default a DNS client that is configured to perform dynamic DNS update wil
data from an online font provider. If you enable this policy setting Windows periodically queries an online font provider to determine
r roaming (WISPr) protocol support.If a WLAN hotspot supports the WISPr protocol users can submit credentials when manually connectin
tting cipher suites are prioritized in the order specified.If you enable this policy setting and do not specify at least one supported cipher suite
information for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services ro
1) hashes version 2 (V2) hashes or both V1 and V2 hashes. Hashes also called content information are created based on the data in shared
nnection with an SMB client.If you enable this policy setting the SMB server will select the cipher suite it most prefers from the list of clien
ng cipher suites are prioritized in the order specified.If you enable this policy setting and do not specify at least one supported cipher suite
you enable this policy setting or if you do not configure this policy setting the SMB client will allow insecure guest logons.If you disable this
SMB share where the Continuous Availability (CA) flag is enabled. If you enable this policy setting the SMB client will allow cached hand
e where the Continuous Availability (CA) flag is enabled. If you enable this policy setting the "Always Available offline" option will appe
DIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requ
Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the netw
or such a Group is changed) Peer Grouping validates that the password meets the password complexity requirements for the local system
pendent applications to stop working.Peer-to-Peer protocols allow for applications in the areas of RTC collaboration content distribution a
ution Protocol (PNRP) cloud.This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example a client com
Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol in some ca
ers on the local subnet in the global cloud.The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6
otocol allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then
r Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. The protocol in some
ers on the local subnet in the link local cloud.The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an I
r Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. The protocol in some
ers on the local subnet in the site local cloud.The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an I
for Internet access will be shown in the system tray even when a user is connected to a network with local access only.If you disable this s
ocation aware. It only applies when a computer is connected to the same DNS domain network it was connected to when the setting was
ers can enable the Internet Connection Firewall feature on a connection and if the Internet Connection Firewall service can run on a compu
feature of an Internet connection and if the ICS service can run on the computer.ICS lets administrators configure their system as an Inter
location.If you enable this policy setting domain users must elevate when setting a network's location.If you disable or do not configure th
e internal network or whether the client accesses the Internet directly.When a remote client computer connects to an internal network us
sport.If you enable this policy setting you must type a security descriptor containing a list of computers or groups of computers. If a compu
Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example Ping uses the echo request me
and 138 and TCP ports 139 and 445.If you enable this policy setting Windows Defender Firewall opens these ports so that this computer c
nagement Console (MMC) and Windows Management Instrumentation (WMI). To do this Windows Defender Firewall opens TCP ports 135
irewall opens TCP port 3389.If you enable this policy setting Windows Defender Firewall opens this port so that this computer can receive
s such as routers with built-in firewalls. To do this Windows Defender Firewall opens TCP port 2869 and UDP port 1900.If you enable this p
a local port exceptions list. Windows Defender Firewall uses two port exceptions lists; the other is defined by the "Windows Defender Fire
a local program exceptions list. Windows Defender Firewall uses two program exceptions lists; the other is defined by the "Windows Defen
that it receives.If you enable this policy setting Windows Defender Firewall writes the information to a log file. You must provide the name
Defender Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Defender
nder Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Defender
ng overrides all other Windows Defender Firewall policy settings that allow such messages.If you enable this policy setting in the Windows
ests that Windows Defender Firewall add the program to the program exceptions list.If you enable this policy setting Windows Defender F
sages.If you enable this policy setting and this computer sends multicast or broadcast messages to other computers Windows Defender Fir
ns and ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connectio
Firewall allows. Utilities can use ICMP messages to determine the status of other computers. For example Ping uses the echo request me
and 138 and TCP ports 139 and 445.If you enable this policy setting Windows Defender Firewall opens these ports so that this computer c
nagement Console (MMC) and Windows Management Instrumentation (WMI). To do this Windows Defender Firewall opens TCP ports 135
irewall opens TCP port 3389.If you enable this policy setting Windows Defender Firewall opens this port so that this computer can receive
s such as routers with built-in firewalls. To do this Windows Defender Firewall opens TCP port 2869 and UDP port 1900.If you enable this p
a local port exceptions list. Windows Defender Firewall uses two port exceptions lists; the other is defined by the "Windows Defender Fire
a local program exceptions list. Windows Defender Firewall uses two program exceptions lists; the other is defined by the "Windows Defen
that it receives.If you enable this policy setting Windows Defender Firewall writes the information to a log file. You must provide the name
Defender Firewall uses two port exception lists: one is defined by Group Policy settings and the other is defined by the Windows Defender
nder Firewall uses two program exception lists: one is defined by Group Policy settings and the other is defined by the Windows Defender
ng overrides all other Windows Defender Firewall policy settings that allow such messages.If you enable this policy setting in the Windows
ests that Windows Defender Firewall add the program to the program exceptions list.If you enable this policy setting Windows Defender F
sages.If you enable this policy setting and this computer sends multicast or broadcast messages to other computers Windows Defender Fir
ns and ignores the "Computer Configuration\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connectio
probe. Successful resolution of the host name to this address indicates corporate connectivity.
e network. Successful resolution of this host name to the expected address indicates corporate connectivity.
rate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity.
robe is performed.
determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL de
kups to the interface it is currently probing on. If you enable this setting NCSI will allow the DNS lookups to happen on any interface.
throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the p
sed as both work or personal resource.For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
loud resource can also be paired optionally with an internal proxy server by using a trailing comma followed by the proxy address.Contain
ddresses. These addresses are categorized as Internet by Windows Network Isolation and are accessible to apps that have the Internet Cli
ddresses. These addresses are categorized as private by Windows Network Isolation and are accessible to apps that have the Home/Work
your corporate network.If you enable this policy setting it ensures that apps with the Home/Work Networking capability have appropriat
discovery in the domain corporate environment.If you enable this policy setting it turns off Windows Network Isolation's automatic proxy
very of private network hosts in the domain corporate environment.If you enable this policy setting it turns off Windows Network Isolatio
ws access to the specified UNC paths after fulfilling additional security requirements.
he server hosting the files.This setting also disables the "When a network connection is lost" option on the Offline Files tab. This prevents
of network files on the user's computer for use when the computer is not connected to the network.If you enable this policy setting Offlin
atically and manually cached offline files are retained only while the user is logged on to the computer. When the user logs off the system
ode and applies to any user who logs onto the specified machine while this policy is in effect. To control slow-link mode use the "Configure
ny network speed below this value is considered to be slow.When a connection is considered slow Offline Files automatically adjust its be
omputers to transition files and folders that are already available offline to the slow-link mode so that the user's access to this data is not d
offline files.This setting also disables the "Amount of disk space to use for temporary offline files" option on the Offline Files tab. This preve
s that have been made available offline.If you enable this policy setting a user will be unable to create files with the specified file extension
d result in extra charges on cell phone or broadband plans.If you enable this setting synchronization can occur in the background when the
cached in the Offline Files cache for future reads. When a user tries to access a file that has been transparently cached Windows reads fro
es of files from a network share. Encrypting this cache reduces the likelihood that a user could access files from the Offline Files cache wit
ts in the Application log in Event Viewer when it detects errors. By default Offline Files records an event only when the offline files storage
automatic and manual caching for offline use. The system does not cache files of the type specified in this setting even when they reside
balloons appear when the user's connection to a network file is lost or reconnected and they are updated periodically. By default the first
s the space used by automatically cached files and files that are specifically made available offline. Files can be automatically cached if the
. This setting overrides the default response a user-specified response and the response specified in the "Action on server disconnect" setti
As a result users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also they cannot use
moves the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and dis
w often reminder balloons updates appear and also prevent users from changing this setting.Reminder balloons appear when the user's co
e user's connection to a network file is lost or reconnected and they are updated periodically. By default the first reminder for an event is d
le this policy setting users cannot designate files to be saved on their computer for offline use. However Windows will still cache local copi
Make Available Offline" command.If you enable this policy setting the "Make Available Offline" command is not available for the files and fo
ally changing whether Offline Files is in online mode or offline mode.If you enable this policy setting the "Work offline" command is not dis
s that the specified files and folders are available offline to users of the computer.If you enable this policy setting the files you enter are al
g automatically extends the "make available offline" setting to all new and existing subfolders of a folder. Users do not have the option of e
he "Synchronize all offline files before logging off" option on the Offline Files tab. This prevents users from trying to change the option wh
he "Synchronize all offline files before logging on" option on the Offline Files tab. This prevents users from trying to change the option wh
setting offline files are synchronized whenever the computer is suspended. Setting the synchronization action to "Quick" ensures only tha
s appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are
Files.If you enable or do not configure this policy setting only new files and folders in administratively assigned folders are synchronized at
of outstanding packets reaches this limit the Packet Scheduler postpones all submissions to network adapters until the number falls below
he combined bandwidth reservations of all programs running on the system.By default the Packet Scheduler limits the system to 80 perce
ansmission. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry.If yo
est Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets
ontrolled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of t
Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the pack
Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of
Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packet
est Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets
ontrolled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of t
Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the pack
Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of
Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packet
ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If you enable th
type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If yo
(ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If you enab
type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If y
pecification. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If you enable this setting y
(ServiceTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets.If you enable
Protocol (SNMP) service.SNMP is a protocol designed to give a user the capability to remotely manage a computer network by polling and
work Management (SNMP) agent running on the client computer.Simple Network Management Protocol is a protocol designed to give a us
agent.Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network
enable this policy setting ECC curves are prioritized in the order specified.(Enter one Curve name per line)If you disable or do not configure
his policy setting SSL cipher suites are prioritized in the order specified.If you disable or do not configure this policy setting default cipher s
efault gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not availabl
lay name resolution interval setting has no effect if 6to4 connectivity is not available on the host.If you enable this policy setting you can s
tic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses
ocol to provide IP connectivity to a remote network.If you disable or do not configure this policy setting the local host settings are used.If
or an ISATAP router.If you enable this policy setting you can specify a router name or IPv4 address for an ISATAP router. If you enter an IP
an address-to-router and host-to-host host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IP
u leave the default of 0 the operating system will select a port (recommended). If you select a UDP port that is already in use by a system t
alification. By default Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state.If you disab
ult every 30 seconds) Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Adver
d on the Teredo client computer where this policy setting is applied.If you enable this policy setting you can specify a Teredo server name
echnology that provides unicast IPv6 connectivity across the IPv4 Internet.If you disable or do not configure this policy setting the local hos
not configure this policy setting IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured ad
n algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Wind
The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP) over In-band 802.11 WLAN through the Wind
y setting the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks including "Set u
d standby mode.If this policy setting is enabled Windows Connection Manager does not manage adapter radios to reduce power consump
this policy setting is enabled or not configured Windows will soft-disconnect a computer from a network when it determines that the com
a Windows domain. If multiple connections are allowed it then determines how network traffic will be routed. If this policy setting is s
domain based network at the same time.If this policy setting is enabled the computer responds to automatic and manual network connec
is registered on a roaming provider network.If this policy setting is enabled all automatic and manual connection attempts to roaming pro
pairing methods.When enabled it makes the connections to prefer a PIN for pairing to Wireless Display devices over the Push Button pairin
g to Wireless Display devices is required rather than optional.Conversely it means that Push Button is NOT allowed.If this policy setting is d
his policy setting is enabled a drop-down list box presenting possible cost values will be active. Selecting one of the following values from t
uggested open hotspots" "Connect to networks shared by my contacts" and "Enable paid services"."Connect to suggested open hotspots"
default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by
enabled a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the
g is enabled a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set t
ge in the cellular setting UX.If this policy setting is enabled a drop-down list box presenting possible values will be active. Select "Hide" or
d used across the Internet or an intranet. If you enable this policy setting Internet printing is activated on this server. If you disab
Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller e.g. a domain-jo
lay on a computer on an unmanaged network (when the computer is not able to reach a domain controller e.g. a domain-joined laptop on
sable or do not configure this policy setting the print job name will not be included. If you enable this policy setting the print job name
nfigured or enabled the spooler will always accept client connections.When the policy is disabled the spooler will not accept client connec
ou enable this setting or do not configure it users can use the "List in directory" option in the Printer's Properties' Sharing tab to publish sh
blished by this computer. By default the pruning service on the domain controller prunes printer objects from Active Directory if the
se a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages.This setting may improve the performance of the XP
s print jobs itself or pass them on to the server to do the work.This policy setting only effects printing to a Windows print server.If you ena
in Active Directory. If you enable this setting or do not configure it the Add Printer Wizard automatically publishes all shared printers.
0 Windows 10 and Windows Server 2022. If you enable this group policy setting the default MXDW output format is the legacy Micro
Active Directory. This setting also specifies how often the system repeats the verification. By default the system only verifies publish
ers. This setting is a component of the Location Tracking feature of Windows printers. To use this setting enable Location Tracking by
h printing". It can also include a link to a Web page supplied by the vendor of the currently selected printer. If you enable this policy s
eir printers are operational. The pruning service periodically contacts computers that have published printers. If a computer does no
lers deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This proce
a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printe
rnel-mode drivers have access to system-wide memory and therefore poorly-written kernel-mode drivers can cause stop errors.If you disa
ers may include an optional customized user interface known as a printer extension. These extensions may provide access to more device
puter. By default there are no restrictions to printing based on connection type or printer Make/Model. If you enable this setting
eparate process. When print drivers are loaded in an isolated process (or isolated processes) a print driver failure will not cause the print s
.If you enable this policy setting the client computer will continue to search for compatible Point and Print drivers from Windows Update
em into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash.Not all applications
ble Device Control Printing by enabling the "Enable Device Control Printing Restrictions" setting. When Device Control Printing is en
contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published
sers will only be able to point and print to printers that use package-aware drivers. When using package point and print client computers w
ity reported by the print driver. This enables executing print drivers in an isolated process even if the driver does not report compatibility.
print connections to approved servers. This setting only applies to Package Point and Print connections and is completely independent fro
ndows Vista computers. The policy setting applies only to non-Print Administrator clients and only to computers that are members of a dom
a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the stand
ins with Active Directory shared printer resources are available in Active Directory and are not announced.If you enable this setting the pr
automatically republished whenever the host computer does not respondjust as it does with Windows 2000 printers. This setting applies t
you enable this policy then invocations of context menus within the Start Menu will be ignored.
ently opened documents.If you enable this setting the system and Windows programs do not create shortcuts to documents opened while
will be unable to change the size of Start in Settings. If you disable or don’t configure this policy setting Windows will automatically select t
ons.If you enable this policy the Start Menu will no longer display the "Recently added" list. The corresponding setting will also be disabled
t menu.Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to o
rity screen the logon screen and the Start menu: Shut Down Restart Sleep and Hibernate. This policy setting does not prevent users from r
sable this setting or do not configure it the frequently used programs list remains on the simple Start menu.
used apps regardless of user settings.Selecting "Show" will force the "Most used" list to be shown and user cannot change to hide it using
ts them from changing its configuration. The Start layout you specify must be stored in an XML file that was generated by the Export-Start
tiles tile badges toast or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notificatio
The system state data file contains information about the basic system state as well as the state of all running processes.If you enable this
DLT) server which runs on domain controllers. The DLT client enables programs to track linked files that are moved within an NTFS volum
designed for advanced users who require this information.If you enable this policy setting the system displays status messages that reflec
an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the co
r.If you enable this policy setting File Explorer will not automatically encrypt files that are moved to an encrypted folder.If you disable or d
ou enable this policy setting the Manage Your Server page is not displayed each time an administrator logs on to the server. If you disable o
s shutdown completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start men
el (COM) components that a program requires.Many Windows programs such as the MMC snap-ins use the interfaces provided by the COM
rent time to disk on a schedule controlled by the Timestamp Interval.If you enable this policy setting you are able to specify how often the
display a message reminding users to wait while their system starts or shuts down or while users log on or off.If you disable or do not con
p (.chm) files within specified folders and their subfolders. Alternatively you can disable these commands on the entire system. It is strongl
ou enable this policy setting you can prevent specified programs from being run from Help. When you enable this policy setting enter the fi
m corruption and for enabling optional features that have had their payload files removed.If you enable this policy setting and specify the n
e fully qualified path to the new location in the "Windows Setup file path" box. If you disable or do not configure this policy setting the Wi
tting enter the fully qualified path to the new location in the "Windows Service Pack Setup file path" box.If you disable or do not configure
nforced Data Execution Prevention. Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exc
er. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send a
re. Reboot is needed for disable to take effect.

Virtualization without interrupting you. This helps Microsoft identify which Microsoft Application Virtualization features to improve. No in
previous version of App-V.
package. Shortcuts file type associations etc. are created pointing to this path. If empty symbolic links are not used during publishing. Exa
d package. Shortcuts file type associations etc. are created pointing to this path. If empty symbolic links are not used during publishing. Ex
ge: /FILEEXCLUSIONLIST='desktop;my pictures'.
ONLIST=software\classes;software\clients.
URL: Displays the URL of publishing server. Global Publishing Refresh: Enables global publishing refresh (Boolean). Global Publ
should be reported to the server. Acceptable range is 0~23 corresponding to the 24 hours in a day. A good practice is don't set this time t
ed via a metered network connection (e.g. 4G).

upport is not desired this should be disabled. The client can then apply HTTP optimizations which are incompatible with BranchCache
onents (shell extensions browser helper objects etc). Only processes whose full path matches one of these items can use virtual componen
ss has been created.This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the comm
top Connection).This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos.If you
top Connection).This policy setting applies when server authentication was achieved via NTLM.If you enable this policy setting you can spe
top Connection).This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.If you enab
top Connection).This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.If you enab
top Connection).If you enable this policy setting you can specify the servers to which the user's default credentials cannot be delegated (d
top Connection).If you enable this policy setting you can specify the servers to which the user's fresh credentials cannot be delegated (fres
top Connection).If you enable this policy setting you can specify the servers to which the user's saved credentials cannot be delegated (sav
ent (for example: Remote Desktop Connection).Some versions of the CredSSP protocol are vulnerable to an encryption oracle attack again
ces provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the
ose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks fr
licy to a machine to control what is allowed to run on that machine.If you deploy a Code Integrity Policy Windows will restrict what can ru
ndows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enable
enables supported devices to send Device Health Attestation related information (device boot logs PCR values TPM certificate etc.) to Dev
nable this policy setting remote connections to the Plug and Play interface are allowed.If you disable or do not configure this policy setting
ation task to complete. If you enable this policy setting Windows waits for the number of seconds you specify before terminating the insta
porting infrastructure. This policy allows you to disable the feature.If you enable this policy setting an error report is not sent when a gener
e activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driv
et. If you enable this policy setting Windows does not retrieve device metadata for installed devices from the Internet. This policy setti
ows Error Reporting infrastructure. This policy allows you to disable the feature.If you enable this policy setting Windows will not send an e
rtificate are ranked with drivers signed by other valid Authenticode signatures during the driver selection and installation process. Regardl
evice drivers. If you enable this policy setting you can select whether Windows searches for drivers on Windows Update unconditionally on
ice drivers.If you enable this policy setting you can select whether Windows searches Windows Update (WU) searches a Managed Server
f you enable this policy setting "Found New Hardware" balloons do not appear while a device is being installed.If you disable or do not co
ll and update the drivers for any device regardless of other policy settings.If you enable this policy setting members of the Administrators g
evices that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for A
ndows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of evaluation for Allow and Preve
) for driver packages that Windows is allowed to install. This policy setting is intended to be used only when the "Apply layered order of ev
plied when more than one install policy setting is applicable for a given device. Enable this policy setting to ensure that overlapping device
lation is attempted and a policy setting prevents the installation.If you enable this policy setting Windows displays the text you type in the
stallation is attempted and a policy setting prevents the installation.If you enable this policy setting Windows displays the text you type in
d by any other policy setting.NOTE: This policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent d
evices that Windows is prevented from installing. By default this policy setting takes precedence over any other policy setting that allows W
ndows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a dev
) for driver packages that Windows is prevented from installing. By default this policy setting takes precedence over any other policy settin
sidered removable when the driver for the device to which it is connected indicates that the device is removable. For example a Universa
order to enforce a change in device installation restriction policies.If you enable this policy setting set the amount of seconds you want th
m.If you enable this policy setting the system does not use the non-volatile (NV) cache to optimize boot and resume.If you disable this pol
his policy setting the hard disks are not put into NV cache power save mode and no power savings are achieved.If you disable this policy se
system. To check if you have hybrid hard disks in the system from Device Manager right-click the disk drive and select Properties. The NV
etting frequently written files such as the file system metadata and registry may not be stored in the NV cache.If you disable this policy setti
vable media.If you disable or do not configure this policy setting the disk quota policies established in this folder apply to fixed-media NTF
ter and prevents users from changing the setting.If you enable this policy setting disk quota management is turned on and users cannot tu
ging the setting.If you enable this policy setting disk quota limits are enforced. If you disable this policy setting disk quota limits are not enf
n users reach their disk quota limit on a volume and prevents users from changing the logging setting.If you enable this policy setting the s
rs reach their disk quota warning level on a volume.If you enable this policy setting the system records an event. If you disable this policy s
me.This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. I
ender properly after a display-scale factor (DPI) change. When the display scale factor of the primary display changes (which can happen w
policy setting lets you specify legacy applications that have GDI DPI Scaling turned off.If you enable this policy setting GDI DPI Scaling is turn
policy setting lets you specify legacy applications that have GDI DPI Scaling turned on.If you enable this policy setting GDI DPI Scaling is turn
urity Check exemptions" list.If you enable this policy setting and DCOM does not find an explicit entry for a DCOM server application id (ap
om the DCOM Activation security check. DCOM uses two such lists one configured via Group Policy through this policy setting and the oth
ministrator members of the built-in Users group may install on the system.If you enable this policy setting members of the Users group ma
device drivers using the Internet.Note: This setting only has effect if "Turn off Windows Update device driver searching" in "Administrativ
on determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following
s are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data
roduct ID that are usable on your computer.If you enable this policy setting only Enhanced Storage devices that contain a manufacturer an
cal and Electronics Engineers Inc. (IEEE) 1667 specification that are usable on your computer.If you enable this policy setting only IEEE 166
on your computer.If you enable this policy setting non-Enhanced Storage removable devices are not allowed on your computer.If you disa
e device.If you enable this policy setting a password cannot be used to unlock an Enhanced Storage device.If you disable or do not configu
ou enable this policy setting Windows will not activate unactivated Enhanced Storage devices.If you disable or do not configure this policy
supported in Windows Server SKUs only.If you enable this policy setting the Enhanced Storage device remains locked when the computer
File Explorer.The Classification tab enables users to manually classify files by selecting properties from a list. Administrators can define the
ters.Administrators can define the properties for the organization by using Active Directory Domain Services (AD DS) and then group these
ed.VSS for SMB2 File Shares feature enables VSS aware backup applications to perform application consistent backup and restore of VSS a
due to a file delete operation.A value of 0 the default will enable delete notifications for all volumes.A value of 1 will disable delete notifica
s to access paths beyond the normal 260 character limit per node on file systems that support it. Enabling this setting will cause the long p
ectively enable or disable the evaluation of these types of symbolic links:Local Link to a Local TargetLocal Link to a Remote TargetRemote L
prevent access to and creation of compressed files.A reboot is required for this setting to take effect
revent access to and creation of encrypted files.A reboot is required for this setting to take effect
able it if you want to use these APIs.
ling this setting tells NTFS to use non-pageable memory for all allocations. NTFS also changes all of its code sections to be non-pageable.T
also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted.
efault to the Performance tier.Server systems default to the Capacity tier.
how many files are currently open. This setting gives control over the open file threshold used to trigger parallel flush.
how many files are currently open. This setting gives control over how many threads will be used.Making this value larger may decrease th
Some applications require short names for compatibility but short names have a negative performance impact on the system.If you enabl
policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want t
d names for the All Programs Startup My Music My Pictures and My Videos subfolders when redirecting the parent Start Menu and legacy
cripts for interactive logons across forests.This policy setting affects all user accounts that interactively log on to a computer in a different
ou edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in the ADM files are loaded from that GPO into the Group P
synchronous processing (that is whether computers wait for the network to be fully initialized during computer startup and user logon) w
fast network connection for the purposes of applying and updating Group Policy.When Group Policy detects the bandwidth speed of a Di
icies that use the disk quota component of Group Policy such as those in Computer Configuration\Administrative Templates\System\Disk
licies that use the encryption component of Group Policy such as policies related to encryption in Windows Settings\Security Settings.It ov
s all policies that use the folder redirection component of Group Policy such as those in WindowsSettings\Folder Redirection. You can only
o not configure this policy setting Group Policy caches policy information after every background processing session. This cache saves appl
he rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the
setting affects all policies that use the Internet Explorer Maintenance component of Group Policy such as those in Windows Settings\Inter
icies that use the IP security component of Group Policy such as policies in Computer Configuration\Windows Settings\Security Settings\IP
the Group Policy client waits after logon before running scripts. By default the Group Policy client waits five minutes before running lo
es in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the p
g affects all policies that use the scripts component of Group Policy such as those in WindowsSettings\Scripts. It overrides customized setti
es that use the security component of Group Policy such as those in Windows Settings\Security Settings.This policy setting overrides custo
ects all policy settings that use the software installation component of Group Policy such as policy settings in Software Settings\Software In
y user who logs on to a computer affected by this setting. It is intended for special-use computers such as those in public places laboratori
s.Enabling this policy setting enables web-to-app linking so that apps can be launched with a http(s) URI.Disabling this policy disables web-
icy setting affects all policies that use the wired network component of Group Policy such as those in Windows Settings\Wired Network Po
policy setting affects all policies that use the wireless network component of Group Policy such as those in WindowsSettings\Wireless Netw
experiences (continue experiences).If you enable this policy setting the Windows device is discoverable by other Windows devices that be
fault interactively logged on users can view their own Resultant Set of Policy (RSoP) data.If you enable this policy setting interactive users
DFS shares as is being used for Active Directory.
achines. If you enable this policy setting Group Policy caches policy information after every background processing session. This cache
iling and other tasks that requires linking between Phone and PC.If you enable this policy setting the Windows device will be able to enrol
able this policy setting users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an
in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder.In
running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts.By defa
during startup policy processing. If the startup policy processing is synchronous the computer is blocked until the network is available or th
ns during startup policy processing. If the startup policy processing is synchronous the computer is blocked until workplace connectivity is
cy setting applies to Group Policy for computers users and domain controllers.If you enable this policy setting the system waits until the cu
he policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and
er.RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Gro
ire Internet resources.If you enable this setting all of the the policy settings listed in the "Internet Communication settings" section are set
all Windows Update features are removed. This includes blocking access to the Windows Update website at http://windowsupdate.micros
with an unhandled file type or protocol association.When a user opens a file type or protocol that is not associated with any applications o
date website. Typically a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue
P.To set up HTTP printing non-inbox drivers need to be downloaded over HTTP.Note: This policy setting does not prevent the client from p
nt Viewer application.The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In
nition personalization tool tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing sam
ng tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Micro
er.This content is dynamically updated when users who are connected to the Internet open Help and Support Center and provides up-to-d
Help and Support Center.The Knowledge Base is an online source of technical support information and self-help tools for Microsoft produ
wnload a list of Internet Service Providers (ISPs).If you enable this policy setting the "Choose a list of Internet Service Providers" path in th
shing and online ordering wizards.These wizards allow users to select from a list of companies that provide services such as online storage
pen a file with an unhandled file association.When a user opens a file that has an extension that is not associated with any applications on
allows a client to print to printers on the intranet as well as the Internet.Note: This policy setting affects the client side of Internet printing
r online registration.If you enable this policy setting it blocks users from connecting to Microsoft.com for online registration and users can
ates during local and Internet searches.When users search the local computer or the Internet Search Companion occasionally connects to
Windows folders.The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online.If you enabl
e Web" and "Publish the selected items to the Web" are available from File and Folder Tasks in Windows folders.The Web Publishing Wiza
w Windows Messenger software and service is used.With the Customer Experience Improvement program users can allow Microsoft to co
s Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and
o report information about a system or application that has failed or has stopped responding and is used to improve the quality of the pro
Indicator (NCSI) to determine whether your computer is connected to the Internet or to a more limited network.As part of determining th
o local drivers for a device are present.If you enable this policy setting Windows Update is not searched when a new device is installed.If yo
no new persistent logins may be created. If disabled then additional persistent and non persistent logins may be established.
name may be changed.
HAP secret may be changed.
then connections that are configured for IPSec or connections not configured for IPSec may be established.
bled then sessions that are configured for mutual CHAP or sessions not configured for mutual CHAP may be established.
abled then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. Note that if th
t portal; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually con
ets may be manually configured. Note: if enabled there may be cases where this will break VDS.
servers; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via th
tals; existing target portals may not be removed. If disabled then new target portals may be added and thus new targets discovered on tho
hentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication.If you enable this policy setting client compu
. If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied.This policy setting allows yo
ns to client computers.If you enable this policy setting the domain controller provides the information message about previous logons.For
Note: For a domain controller to request compound authentication the policy "KDC support for claims compound authentication and Kerb
when attempting to resolve two-part service principal names (SPNs).If you enable this policy setting the KDC will search the forests in this
t issued during Kerberos authentication. The ticket size warnings are logged in the System log.If you enable this policy setting you can set
ot configure this policy setting the cloud kerberos ticket is not retrieved during the logon.If you enable this policy setting the cloud kerbero
n the resource domain requests compound identity.Note: For a domain controller to request compound authentication the policies "KDC s
to a Kerberos realm.If you enable this policy setting you can view and change the list of DNS host names and DNS suffixes mapped to a Ker
eros V5 realms as defined by this policy setting. If you enable this policy setting you can view and change the list of interoperable Kerbe
proxy server.If you enable this policy setting revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos clie
red when communicating with a domain controller.Warning: When a domain does not support Kerberos armoring by enabling "Support D
ynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. If you enable this
card and system certificate logon. If you enable this policy setting the Kerberos client requires that the KDC's X.509 certificate contains the
tains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for
size of the SSPI context token buffer size. The size of the context token buffer determines the maximum size of SSPI context tokens
on their DNS suffix names.If you enable this policy setting the Kerberos client will use the KDC proxy server for a domain when a domain c
cation.Support for providing compound authentication which is used for access control will require enough domain controllers in the reso
ount domain which supports certificate authentication for computer accounts. This policy setting allows you to set support for Kerberos to
ting to resolve two-part service principal names (SPNs).If you enable this policy setting the Kerberos client searches the forests in this list if
y only takes effect when Kernel DMA Protection is enabled and supported by the system. Note: this policy does not apply to 1394 PCMCIA
ble this policy setting users cannot change their GeoID.If you disable or do not configure this policy setting users may select any GeoID.If yo
the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this does not affect
The user is restricted to the set of locales that are installed with the operating system.This does not affect the selection of replacement loc
Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides first reset the user(s) values to
ks the system locale to its current value. This policy setting does not change the existing system locale; however the next time that an adm
y it locks all user locales to their current values. This policy setting does not change existing user locale settings; however the next time a u
quired when a Connected Standby device screen turns off.If you enable this policy setting a user on a Connected Standby device can chan
dows give preference to a custom logon background. If you enable this policy setting the logon screen always attempts to load a custom b
puters wait for the network to be fully initialized during computer startup and user logon). By default on client computers Group Policy pr
edential provider.If you enable this policy setting the specified credential provider is selected on other user tile.If you disable or do not con
ain to which the computer is joined. Without this policy setting at logon if a user does not specify a domain for logon the domain to which
-in screen.If you enable this policy setting the user cannot choose to show account details on the sign-in screen.If you disable or do not co
the logon screen.If you enable this policy setting the PC's network connectivity state cannot be changed without signing into Windows.If y
me the user logs on.If you enable this policy setting the welcome screen is hidden from the user logging on to a computer where this polic
f you enable this policy setting the Logon UI will not enumerate any connected users on domain-joined computers.If you disable or do not
rams and documents that the system starts automatically when it runs on Windows Vista Windows XP Professional and Windows 2000 Pr
rograms and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to
this policy setting Logon UI will enumerate all local users on domain-joined computers.If you disable or do not configure this policy setting
ring authentication.Note: credential providers are used to process and validate usercredentials during logon or when authentication is req
he Task Manager.If you enable this policy setting the Switch User interface is hidden from the user who is attempting to log on or is logged
hen a user logs on to the system.If you enable this policy setting you can specify which programs can run at the time the user logs on to th
policy the logon background image shows without blur. If you disable or do not configure this policy the logon background image adop
n to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are
enable this policy setting no app notifications are displayed on the lock screen.If you disable or do not configure this policy setting users ca
.If you enable this policy setting a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy s
If you enable this policy setting a domain user can set up and sign in with a convenience PIN.If you disable or don't configure this policy se
you enable this policy setting users can sign in with external security keys.If you disable or don't configure this policy setting users can't sig
. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name in
trusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured to be in 3 modes: On Off and
lgorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer a
provided by a client with the PDC emulator if the DC failed to validate the password.Contacting the PDC emulator is useful in case the clien
a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.If you enable this policy setting the
erations:- Checks if a password on a secure channel needs to be modified and modifies it if necessary.- On the domain controllers (DC) disc
domain controller (DC) should support compatibility in file sharing semantics with earlier applications.When this setting is enabled the SYS
(DC) response when logging on to the network.To specify the expected dial-up delay at logon click Enabled and then enter the desired val
ce outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default no debug information is logged.If yo
windir%\debug when logging is enabled.By default the maximum size of the log file is 20MB. If you enable this policy setting the maximum
n controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting D
pplied to caller programs that do not periodically attempt to locate DCs and it is applied before the returning the DC information to the cal
site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.To specif
odic searches for domain controllers (DC) are unable to find a DC. For example retires may be set to occur according to the Use maximum
cations that perform periodic searches for domain controllers (DC) that are unable to find a DC.The default value for this setting is 10 minu
eriodic searches for Domain Controllers (DCs) are unable to find a DC.For example the retry intervals may be set at 10 minutes then 20 min
pplied to caller programs that periodically attempt to locate DCs and it is applied before returning the DC information to the caller program
ssive when trying to locate a domain controller (DC).When an environment has a large number of DCs running both old and new operating
main controller (DC).Note: To locate a remote DC based on its NetBIOS (single-label) domain name DC Locator first gets the list of DCs from
e DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS dom
.The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When
C Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6 the returned DC IP address w
ollers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate t
e registered by the Net Logon service. These DNS records are dynamically registered and they are used to locate the domain controller (DC
ontrollers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and they are used to
ose IP address does not map to any configured site.Domain controllers use the client IP address during a DC locator ping request to compu
rvice.If you enable this policy setting select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS
urce records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to
which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorit
directory partition should register the site-specific application directory partition-specific DC Locator DNS SRV resource records. These rec
DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where
C locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where
link cost if a DC in same the site is not found. In scenarios with multiple sites failing over to the try next closest site during DC Location str
site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). Th
me resolution of single-lablel domain names by appending different registered DNS suffixes and uses NetBIOS name resolution only if DNS
me resolution of a single-label domain names.By default the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSe
wercase their DNS host name when registering SRV records.If enabled domain controllers will lowercase their DNS host name when registe
y. If you enable this policy setting history of Clipboard contents are allowed to be stored. If you disable this policy setting histo
s. If you enable this policy setting Clipboard contents are allowed to be synchronized across devices logged in under the same Micro
his policy setting activities of type User Activity are allowed to be published. If you disable this policy setting activities of type User A
u enable this policy setting activities of type User Activity are allowed to be uploaded. If you disable this policy setting activities of ty
setting all activity types (as applicable) are allowed to be published and ActivityFeed shall roam these activities across device graph of the
the user to change it. The PIN can be set to expire after any number of days between 1 and 730 or PINs can be set to never expire if the po
reused. This policy enables administrators to enhance security by ensuring that old PINs are not reused continually. PIN history is not pres
st number you can configure for this policy setting is 127. The lowest number you can configure must be larger than the number configure
st number you can configure for this policy setting is 4. The largest number you can configure must be less than the number configured in
ws requires the user to include at least one digit in their PIN.If you disable this policy setting Windows does not allow the user to include d
tting Windows requires the user to include at least one lowercase letter in their PIN.If you disable this policy setting Windows does not all
ters are: ! " # $ % & ' ( ) * + - . / : ; < = > ? @ [ \ ]
etting Windows requires the user to include at least one uppercase letter in their PIN.If you disable this policy setting Windows does not al
ecify a custom power plan use the Custom Active Power Plan setting.If you enable this policy setting specify a power plan from the Active
a custom power plan GUID can be retrieved by using powercfg the power configuration command line tool. If you enable this policy settin
.Possible actions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If y
.Possible actions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If y
ossible actions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If you
ossible actions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If you
sible actions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If you
sible actions include:-Take no action-Sleep-Hibernate-Shut downIf you enable this policy setting you must select the desired action.If you
er button.If you enable this policy setting select one of the following actions:-Sleep-Hibernate-Shut downIf you disable this policy or do no
er button.If you enable this policy setting select one of the following actions:-Sleep-Hibernate-Shut downIf you disable this policy or do no
u enable this policy setting you must provide a percent value indicating the battery charge level. Energy Saver will be automatically turned
u enable this policy setting you must provide a percent value indicating the battery charge level. Energy Saver will be automatically turned
able this policy setting you must provide a value in seconds indicating how much idle time should elapse before Windows turns off the har
able this policy setting you must provide a value in seconds indicating how much idle time should elapse before Windows turns off the har
l battery notification level.If you enable this policy setting select one of the following actions:-Take no action-Sleep-Hibernate-Shut downIf
ttery notification action.If you enable this policy setting you must enter a numeric value (percentage) to set the battery level that triggers t
attery notification level.If you enable this policy setting select one of the following actions:-Take no action-Sleep-Hibernate-Shut downIf yo
ry notification action.If you enable this policy setting you must enter a numeric value (percentage) to set the battery level that triggers the
ower mode.If you enable this policy setting you must enter a numeric value (percentage) to set the battery level that triggers the reserve p
w battery notification level.If you enable this policy setting Windows shows a notification when the battery capacity remaining equals the lo
ottling will be turned off.If you disable or do not configure this policy setting users control this setting.
cy setting any application service or device driver prevents Windows from automatically transitioning to sleep after a period of user inactiv
cy setting any application service or device driver prevents Windows from automatically transitioning to sleep after a period of user inactiv
policy setting the computer automatically sleeps when network files are open.If you disable or do not configure this policy setting the com
policy setting the computer automatically sleeps when network files are open.If you disable or do not configure this policy setting the com
by-capable systems.If you enable this policy setting network connectivity will be maintained in standby.If you disable this policy setting net
by-capable systems.If you enable this policy setting network connectivity will be maintained in standby.If you disable this policy setting net
the computer in a sleep state.If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sl
the computer in a sleep state.If you enable or do not configure this policy setting Windows uses standby states to put the computer in a sl
sumes from sleep.If you enable or do not configure this policy setting the user is prompted for a password when the system resumes from
sumes from sleep.If you enable or do not configure this policy setting the user is prompted for a password when the system resumes from
em to hibernate.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before W
em to hibernate.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before W
em to sleep.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before Wind
em to sleep.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before Wind
automatically when a user is not present at the computer.If you enable this policy setting you must provide a value in seconds indicating h
automatically when a user is not present at the computer.If you enable this policy setting you must provide a value in seconds indicating h
t generated when the system transitions to sleep (Stand By).If you disable or do not configure this policy setting users control this setting.
t generated when the system transitions to sleep (Stand By).If you disable or do not configure this policy setting users control this setting.
m from sleeping.If you enable this policy setting an application or service may prevent the system from sleeping (Hybrid Sleep Stand By or
m from sleeping.If you enable this policy setting an application or service may prevent the system from sleeping (Hybrid Sleep Stand By or
es brightness of the display.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elap
es brightness of the display.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elap
educes brightness of the display.If you enable this policy setting you must provide a value in percentage indicating the display brightness w
educes brightness of the display.If you enable this policy setting you must provide a value in percentage indicating the display brightness w
ns off the computer’s display.If you enable this policy setting Windows automatically adjusts the setting based on what users do with their
ns off the computer’s display.If you enable this policy setting Windows automatically adjusts the setting based on what users do with their
.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before Windows turns o
.If you enable this policy setting you must provide a value in seconds indicating how much idle time should elapse before Windows turns o
w.If you enable this policy setting desktop background slideshow is enabled.If you disable this policy setting the desktop background slides
w.If you enable this policy setting desktop background slideshow is enabled.If you disable this policy setting the desktop background slides
options in Recovery (in Control Panel) to restore the computer to the original state or from a user-created system image. If you enable o
so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Rem
mputer.If you enable this policy setting users on this computer can get help from their corporate technical support staff using Offer (Unsoli
mputer.If you enable this policy setting users on this computer can use email or file transfer to ask someone for help. Also users can use ins
ng control" policy setting allows you to specify a custom message to display before a user shares control of his or her computer.The "Displ
rementally scaled from "No optimization" to "Full optimization". Each incremental setting includes the previous optimization setting.For e
folder under Remote Assistance.If you enable this policy setting log files are generated.If you disable this policy setting log files are not gen
n the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all se
requested.The constrained delegation model introduced in Windows Server 2003 does not report that delegation was enabled on a secur
stem and how much information it maintains. Basic state information which consists only of the most commonly needed state data is requ
n error occurs.Extended error information includes the local time that the error occurred the RPC version and the name of the computer o
ting to RPC servers.This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with cautio
g is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running
vidual removable storage policy settings. To manage individual classes use the policy settings available for each class.If you enable this poli
s.If you enable this policy setting remote users can open direct handles to removable storage devices in remote sessions.If you disable or d
his policy setting execute access is denied to this removable storage class.If you disable or do not configure this policy setting execute acce
policy setting read access is denied to this removable storage class.If you disable or do not configure this policy setting read access is allow
policy setting write access is denied to this removable storage class.If you disable or do not configure this policy setting write access is allo
setting read access is denied to these removable storage classes.If you disable or do not configure this policy setting read access is allowed
setting write access is denied to these removable storage classes.If you disable or do not configure this policy setting write access is allowe
Floppy Drives.If you enable this policy setting execute access is denied to this removable storage class.If you disable or do not configure t
ppy Drives.If you enable this policy setting read access is denied to this removable storage class.If you disable or do not configure this poli
oppy Drives.If you enable this policy setting write access is denied to this removable storage class.If you disable or do not configure this po
access is denied to this removable storage class.If you disable or do not configure this policy setting execute access is allowed to this remo
is denied to this removable storage class.If you disable or do not configure this policy setting read access is allowed to this removable sto
ss is denied to this removable storage class.If you disable or do not configure this policy setting write access is allowed to this removable s
boot in order to enforce a change in access rights to removable storage devices.If you enable this policy setting you can set the number of
s policy setting execute access is denied to this removable storage class.If you disable or do not configure this policy setting execute acces
olicy setting read access is denied to this removable storage class.If you disable or do not configure this policy setting read access is allowe
olicy setting write access is denied to this removable storage class.If you disable or do not configure this policy setting write access is allow
hones auxiliary displays and CE devices.If you enable this policy setting read access is denied to this removable storage class.If you disable
phones auxiliary displays and CE devices.If you enable this policy setting write access is denied to this removable storage class.If you disabl
configured and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer.If you ena
ch files of instructions that run when the user restarts the system or shuts it down. By default the system does not display the instructions
es of instructions that run before the user is invited to log on. By default the system does not display the instructions in the startup script.I
e Explorer interface program and creates the desktop.If you enable this policy setting File Explorer does not start until the logon scripts ha
hat run before the user is invited to log on. By default the system waits for each startup script to complete before it runs the next startup s
owerShell scripts during computer startup and shutdown. By default Windows PowerShell scripts run after non-Windows PowerShell script
owerShell scripts during user logon and logoff. By default Windows PowerShell scripts run after non-Windows PowerShell scripts. If you en
This setting limits the total time allowed for all logon logoff startup and shutdown scripts applied by Group Policy to finish running. If the s
ss (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.For more information on the ROCA vulner
erver Manager with updated information about which roles and features are installed on servers that you are managing by using Server M
dow at logon on Windows Server 2008 and Windows Server 2008 R2. If you enable this policy setting the Initial Configuration Tasks window
able this policy setting Server Manager is not displayed automatically when a user logs on to the server.If you disable this policy setting Ser
licy setting built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them.This includes a poli
es hibernate to be enabled.If you disable or do not configure this policy setting the local setting is used.
without visible top-level windows to block or cancel shutdown. By default such applications are automatically terminated if they attempt to
Enabled: Updates would be downloaded for the Disk Failure Prediction Failure Model. Disabled: Updates would not be dow
age Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage
icy "Allow Storage Sense" is disabled then this policy does not have any effect.Enabled:Storage Sense will delete the user’s temporary files
cy "Allow Storage Sense" is disabled then this policy does not have any effect.Enabled:You must provide the desired Storage Sense cadenc
in amount of days.If the group policy "Allow Storage Sense" is disabled then this policy does not have any effect.Enabled:You must provid
r a certain amount of days.If the group policy "Allow Storage Sense" is disabled then this policy does not have any effect.Enabled:You mus
ned for more than a certain number of days.If the group policy "Allow Storage Sense" is disabled then this policy does not have any effect.
ows you to turn off System Restore configuration through System Protection.System Restore enables users in the event of a problem to re
m Restore enables users in the event of a problem to restore their computers to a previous state without losing personal data files. By def
enable this policy setting you must select an execution level from the drop-down menu. If you select problem detection and troubleshoo
ata.If you enable this policy setting you must enter the maximum size of scenario data that should be retained in megabytes. Detailed trou
nfigure the Program Compatibility Assistant use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Adm
plication and driver compatibility. If you enable this policy setting the PCA is configured to detect failures during application installation fai
tates:Regular: Detection troubleshooting and recovery of corrupted files will automatically start with a minimal UI display. Windows will a
a disk reports a S.M.A.R.T. fault. If you enable this policy setting Windows displays custom alert text in the disk diagnostic message. The cu
ring And Reporting Technology (S.M.A.R.T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a
ng any heap corruption problems.If you enable this policy setting the DPS detects troubleshoots and attempts to resolve automatically an
upport Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals.If you enable this policy setting administrators
ft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. For some problems MSDT may prompt the
with the support provider. MSDT gathers diagnostic data for analysis by support professionals.If you enable this policy setting users can us
e and lets administrators configure how it's applied to their domains/IT environments.Not configuring this policy setting will allow the user
ree states:Prompt for Resolution: Detection troubleshooting and recovery of corrupted MSI applications will be turned on. Windows will p
ms.If you enable this policy setting you must choose an execution level. If you choose detection and troubleshooting only Windows will pe
e signed by untrusted publishers.If you enable this policy setting the scripted diagnostics execution engine validates the signer of any diagn
Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers.If you enable or do no
ting content that is hosted on Microsoft content servers. Users can access online troubleshooting content from within the Troubleshooting
setting you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only the Diagno
ems.If you enable or do not configure this policy setting the DPS enables Windows Memory Leak Diagnosis by default.If you disable this po
nable this policy setting you must select an execution level from the dropdown menu. If you select problem detection and troubleshootin
policy setting you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only the D
le this policy setting you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting on
policy setting you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only the D
e registry of the local computer. Depending on the amount of TPM owner authorization information stored locally the operating system an
mmands blocked by Windows.If you enable this policy setting Windows will block the specified commands from being sent to the TPM on t
to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready including if the TPM
hreshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only
tform Module (TPM) commands.If you enable this policy setting Windows will ignore the computer's default list of blocked TPM command
rm Module (TPM) commands.If you enable this policy setting Windows will ignore the computer's local list of blocked TPM commands and
ndard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard U
zation failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorizati
dard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration fo
administrator has configured a user's roaming profile the profile will be created at the user's next login. The profile is created at the locatio
two tests of network speed. To determine the network performance characteristics a connection is made to the file share storing the use
al computer's hard drive when the user logs off. Roaming profiles reside on a network server. By default when users with roaming profiles
at have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user profile was accesse
s the speed of the connection between a user's computer and the remote server that stores the roaming user profile. When the system de
.After an administrator has configured a user's roaming profile the profile will be created at the user's next login. The profile is created at t
there are open handles to the per-user registry keys. Note: This policy setting should only be used for cases where you may be running int
ws cannot access the user profile folder or the profile contains errors that prevent it from loading Windows logs on the user with a tempo
user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on compu
r profile for roaming user profiles.The default user profile is applied when the user does not respond to messages explaining that any of th
roup Policy based software installation data on their profile deletion.By default Windows deletes all information related to a roaming user
ortion of a user profile. When the number of trials specified by this policy setting is exhausted the system stops trying. As a result the user
hen roaming profile users log on to a computer their roaming profile is copied down to the local computer. If they have already logged on
the server copy of their profile.By default when a user with a roaming profile logs on to a computer the roaming profile is copied down to
w network connection with their roaming profile server is detected.If you enable this policy setting users will be allowed to define whethe
g on a user without a remote home directory and withou synchronizing roaming user profiles. This policy setting is useful for the cases in w
g user profile path for all users logging onto this computer.To use this policy setting type the path to the network share in the form \\Comp
e (ntuser.dat). This policy setting controls only the uploading of a roaming user profile's registry file (other user data and regular profiles ar
me folder for a logon session.If you enable this policy setting the user's home folder is configured to the specified local or network location
oss apps.If you enable this policy setting the advertising ID is turned off. Apps can't use the ID for experiences across apps.If you disable or
picture and domain information.If you enable this policy setting sharing of user name picture and domain information may be controlled
even when loading is slow. Also the system waits for the remote copy when the user is notified about a slow connection but does not res
sophisticated users but it might confuse novices.If you enable this policy setting the file scan window does not appear during file scanning.
le Protection file cache.Windows File Protection adds protected files to the cache until the cache content reaches the quota. If the quota i
setting directs Windows File Protection to enumerate and scan all system files for changes.If you enable this policy setting select a rate fro
e this policy setting enter the fully qualified local path to the new location in the "Cache file path" box.If you disable this setting or do not c
ervice (W32time) for domain controllers including RODCs.If this policy setting is enabled W32time Service on target machines use the settin
e this policy setting you can specify the following parameters for the Windows NTP Client.If you disable or do not configure this policy setti
Client allows your computer to synchronize its computer clock with other NTP servers. You might want to disable this service if you decide
his policy setting for the Windows NTP Server your computer can service NTP requests from other computers.If you disable or do not confi
n use to install ActiveX controls on their computers. When this setting is enabled the administrator can create a list of approved Activex In
this policy setting ActiveX controls are installed according to the settings defined by this policy setting. If you disable or do not configu
tting the wizard will not run.If you disable this policy setting or set it to Not Configured the wizard will run.
u enable this policy a Windows app can share app data with other instances of that app. Data is shared through the SharedLocal folder. Th
er-signed Windows Store apps.If you enable this policy setting you can install any LOB or developer-signed Windows Store app (which mu
gned in using a special profile. Special profiles are the following user profiles where changes are discarded after the user signs off:Roaming
an IDE. If you enable this setting and enable the "Allow all trusted apps to install" Group Policy you can develop Microsoft Store apps a
s policy setting then the system will periodically check for and archive infrequently used apps.If you disable this policy setting then the syst
secondary partitions USB drives or SD cards. If you enable this setting you can't move or install Windows apps on volumes that are no
ideloaded apps will not auto-update in the background. If you disable this policy sideloaded apps will auto-update in the background.
you enable this policy sideloaded apps will not auto-update in the background on a metered network. If you disable this policy sideloa
licy non-Administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will nee
another location. If you enable this setting all users' app data will stay on the system volume regardless of where the app is installed.
either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an
r a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app
efault setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by u
ault setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by usin
dows apps including user name.You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Nam
t setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using t
ault setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by usin
an specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Na
setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using th
default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by u
er a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app
nds motion controllers and other tracked objects while the apps are running in the background.You can specify either a default setting for
er is in control" option employees in your organization can decide whether Windows apps can be activated with a voice keyword by using S
ked.If you choose the "User is in control" option employees in your organization can decide whether users can interact with applications u
s.You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Fa
her a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an ap
efault setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by us
lays.You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package
ify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for
that require an account to sign in. This policy only affects Windows Store apps that support it.If you enable this policy setting Windows St
ktop app for a file type. Because desktop apps run at a higher integrity level than Windows Store apps there is a risk that a Windows Store
sktop app for a URI scheme. Because desktop apps run at a higher integrity level than Windows Store apps there is a risk that a URI schem
directly from web content can be launched. If you enable this policy setting Universal Windows apps which declare Windows Runtime
at were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a com
his setting affects the launching of 16-bit applications in the operating system.You can use this setting to turn off the MS-DOS subsystem w
ell extension is visible on the property context-menu of any program shortcut or executable file.The compatibility property page displays
t of the loader and looks through a compatibility database every time an application is started on the system. If a match for the applicatio
ry is a mechanism that tracks anonymous usage of specific Windows system components by applications.Turning Application Telemetry off
es applications files devices and drivers on the system and sends the information to Microsoft. This information is used to help diagnose c
ors applications run by the user. When a potential compatibility issue with an application is detected the PCA will prompt the user with re
by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers
mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new be
s policy setting AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting A
hen a device is connected. If you enable this policy setting AutoPlay prompts the user to choose what to do when a device is connecte
nerally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista when media c
drive as soon as you insert media in the drive. As a result the setup file of programs and the music on audio media start immediately.
h OS and data volumes can be backed up.If you enable this policy setting machine administrator/backup operator can backup only volume
torage or not.If you enable this policy setting machine administrator/backup operator cannot use Windows Server Backup to run backups
or not.If you enable this policy setting machine administrator/backup operator cannot use Windows Server Backup to run backups to a ne
or not.If you enable this policy setting machine administrator/backup operator cannot use Windows Server Backup to run backups to an o
If you enable this policy setting machine administrator/backup operator cannot use Windows Server Backup to run non-scheduled run-on
ount Control (UAC) permissions using biometrics.If you enable or do not configure this policy setting Windows allows domain users to log o
you enable or do not configure this policy setting the Windows Biometric Service is available and users can run applications that use biom
missions using biometrics. By default local users will be able to log on to the local computer but the "Allow domain users to log on using bio
ve before the switch is initiated. By default a fast user switch event is active for 10 seconds before becoming inactive.If you enable this po
uthentication.If you enable this setting Windows requires all users on managed devices to use enhanced anti-spoofing for Windows Hello
Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This policy setting is app
Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already
play and specify BitLocker recovery options. This policy is only applicable to computers running Windows Server 2008 or Windows Vista. T
e PCI downstream ports until a user logs into Windows. Once a user logs in Windows will enumerate the PCI devices connected to the hos
This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting ap
abled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allows yo
Locker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker to preve
cker-protected drive. This policy setting is applied when you turn on BitLocker.The object identifier is specified in the enhanced key usage
n be unlocked and viewed on computers running Windows Server 2008 Windows Vista Windows XP with Service Pack 3 (SP3) or Windows
the absence of the required credentials. This policy setting is applied when you turn on BitLocker.The "Allow data recovery agent" check b
a drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improv
drives. If you choose to permit the use of a password you can require that a password be used enforce complexity requirements on the p
s to the BitLocker-protected fixed data drives on a computer.If you enable this policy setting smart cards can be used to authenticate user
ritable on a computer.If you enable this policy setting all fixed data drives that are not BitLocker-protected will be mounted as read-only. I
his policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if e
Security Test Interface (HSTI) to not have a PIN for pre-boot authentication. This overrides the "Require startup PIN with TPM" and "Requ
ocker.Enhanced startup PINs permit the use of characters including uppercase and lowercase letters symbols numbers and spaces. This po
wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automa
grity provider for BitLocker operating system drives.Secure Boot ensures that the PC's pre-boot environment only loads firmware that is di
ered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker.The "Allow certificate
PM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can
e displayed on the pre-boot key recovery screen when the OS drive is locked.If you select the "Use default recovery message and URL" op
rity hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or
system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can
ting system drives. If non-TPM protectors are allowed on operating system drives you can provision a password enforce complexity require
ocker volume PINs provided they are able to provide the existing PIN first.This policy setting is applied when you turn on BitLocker.If you e
e-boot environment even if the platform lacks pre-boot input capability.The Windows touch keyboard (such as that used by tablets) isn't a
h time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is ap
able to set up an additional authentication method that is required each time the computer starts. This policy setting is applied when you
Windows is started following BitLocker recovery.If you enable this policy setting platform validation data will be refreshed when Windows i
ng platform validation.If you enable this policy setting you will be able to add additional settings remove the default settings or both.If you
em can be unlocked and viewed on computers running Windows Server 2008 Windows Vista Windows XP with Service Pack 3 (SP3) or Win
ed in the absence of the required credentials. This policy setting is applied when you turn on BitLocker.The "Allow data recovery agent" ch
e data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can i
e data drives. If you choose to allow use of a password you can require a password to be used enforce complexity requirements and config
s to BitLocker-protected removable data drives on a computer.If you enable this policy setting smart cards can be used to authenticate us
ed when you turn on BitLocker.When this policy setting is enabled you can select property settings that control how users can configure Bi
write data to a removable data drive.If you enable this policy setting all removable data drives that are not BitLocker-protected will be mo
not configure this policy setting Camera devices will be enabled. If you disable this property setting Camera devices will be disable
ng and set it to Show the Chat icon will be displayed on the taskbar by default. Users can show or hide it in Settings.If you enable this polic
users will no longer see Windows tips.If you disable or do not configure this policy setting users may see contextual popups explaining ho
es. If you enable this policy Windows experiences that use the cloud consumer account state content client component will instead p
e this policy Windows experiences that use the cloud optimized content client component will instead present the default fallback content
crosoft account.If you enable this policy setting users will no longer see personalized recommendations from Microsoft and notifications a
ble and can't be projected to except if the user manually launches the Connect app. If you turn it off or don't configure it your PC is discov
d for pairing.If you set this to 'First Time' the pairing ceremony for new devices will always require a PIN.If you set this to 'Always' all pairin
try user experiences.If you enable this policy setting the password reveal button will not be displayed after a user types a password in the
levate a running application. By default administrator accounts are not displayed when the user attempts to elevate a running application
et their passwords.
prevent a Trojan horse or other types of malicious code from stealing the user’s Windows credentials.Note: This policy affects nonlogon au
diagnostic data collected from this device.If you enable this policy Microsoft will be the processor of Windows diagnostic data collected fro
tics. The following list shows the supported values: 0 (default)– Diagnostic data is not processed by Desktop Analytics.
disable or do not configure this policy setting then device name will not be sent to Microsoft as part of Windows diagnostic data.
s policy setting also restricts the user from increasing the amount of diagnostic data collection via the Settings app. The diagnostic data co
ance. The following list shows the supported values: 0 (default)– Diagnostic data is not processed by Update Compliance.
ate for Business cloud. The following list shows the supported values: 0 (default)– Diagnostic data is not processed by Windo
using an authenticated proxy to send data back to Microsoft on Windows 10. If you disable or do not configure this policy setting the Conn
top Analytics for enterprise devices with a configured Commercial ID. If disabled or not configured Microsoft Edge does not send browsing
oxy server.If you enable this policy setting you can specify the FQDN or IP address of the destination device within your organization’s netw
pt-in settings on first logon and when the changes occur in settings.If you set this policy setting to "Disable diagnostic data change notificati
gs app.If you set this policy setting to "Disable diagnostic data opt-in settings" diagnostic data settings are disabled in the Settings app.If yo
s program.If your organization is participating in the program and has been instructed to configure a custom upload endpoint then use this
as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belongin
dback Settings page.If you enable this policy setting the Delete diagnostic data button will be disabled in Settings page preventing the dele
he Diagnostic & feedback Settings page.If you enable this policy setting the Diagnostic Data Viewer will not be enabled in Settings page and
ou enable this policy Windows will not attempt to connect with the OneSettings Service.If you disable or don't configure this policy setting
om Microsoft.If you enable this policy setting users will no longer see feedback notifications through the Windows Feedback app.If you dis
vice to the EventLog.If you enable this policy Windows will record attempts to connect with the OneSettings service to the Microsoft\Wind
is needed to troubleshoot a problem on the device. Diagnostic logs are only sent when the device has been configured to send optional di
to troubleshoot a problem. Dumps are only sent when the device has been configured to send optional diagnostic data.By enabling this se
ons to send the minimum data required by Desktop Analytics.To enable the behavior described above complete the following steps: 1. En
rols in Settings > Update and security > Windows Insider Program.If you enable or do not configure this policy setting users can download
cheSize policy.The value 0 (zero) means "unlimited" cache; Delivery Optimization will clear the cache when the device runs low on disk sp
Group peers while on DC power (Battery).The recommended value to set if you allow uploads on battery is 40 (for 40%). The device can do
e used by your client(s).One or more values can be added as either fully qualified domain names (FQDN) or IP addresses. To add multiple v
ache servers dynamically.Options available are:1 = DHCP Option 235.2 = DHCP Option 235 Force.For both options the client will query DHC
download by X seconds.Note: if you set the policy to delay background download from http it will apply first (to allow downloads from pee
to use P2P.After the max delay has reached the download will resume using HTTP either downloading the entire payload or complementin
download by X seconds.Note: if you set the policy to delay foreground download from http it will apply first (to allow downloads from pee
t is allowed to use P2P.After the max delay has reached the download will resume using HTTP either downloading the entire payload or co
es Apps and App updates.The following list shows the supported values:0 = HTTP only no peering.1 = HTTP blended with peering behind t
main network.This means the device can download from or upload to other domain network devices either on VPN or on the corporate do
o.Use this if you need to create a single group for Local Network Peering for branches that are on different domains or are not on the same
r downloading successfully.The value 0 (zero) means "unlimited"; Delivery Optimization will hold the files in the cache longer and make the
size (1-100).
se across all concurrent download activities using Delivery Optimization.The default value 0 (zero) means that Delivery Optimization dynam
concurrent download activities as a percentage of available download bandwidth.The default value 0 (zero) means that Delivery Optimiza
e across all concurrent download activities using Delivery Optimization.The default value 0 (zero) means that Delivery Optimization dynam
concurrent download activities as a percentage of available download bandwidth.The default value 0 (zero) means that Delivery Optimizati
oBytes/second.This policy affects the blending of peer and HTTP sources. Delivery Optimization complements the download from HTTP so
ud service set default value will be used.Recommended values: 64 GB to 256 GB.Note: If the DOModifyCacheDrive policy is set the disk siz
MB to 100000 MB.
t is 1 GB then devices with 1 GB or higher available RAM will be allowed to use Peer caching.Recommended values: 1 GB to 4 GB.
store the cache. The drive location can be specified using environment variables drive letter or using a full path.
peers in each calendar month.The value 0 (zero) means "unlimited"; No monthly upload limit is applied if 0 is set.
mask.2 = Local discovery (DNS-SD).The default value has changed from 0 (no restriction) to 1 (restrict to the subnet).These options apply
henticated domain SID.3 = DHCP Option ID.4 = DNS Suffix.5 = AAD Tenant ID.When set the Group ID will be assigned automatically from th
d outside business hours across all concurrent download activities as a percentage of available download bandwidth.
d outside business hours across all concurrent download activities as a percentage of available download bandwidth.
e deployed as compressed files either digitally signed or unsigned.If you enable this setting gadgets that have not been digitally signed wi
ormation or utilities on the desktop.If you enable this setting desktop gadgets will be turned off.If you disable or do not configure this setti
enable this setting Windows will not run any user-installed gadgets.If you disable or do not configure this setting Windows will run user-in
user to view items on the Windows desktop as they are being flipped through in three dimensions. If you enable this policy setting Flip 3D
ng minimizing and maximizing windows. If you enable this policy setting window animations are turned off. If you disable or do not configu
ckground will use a solid color.If you disable or do not configure this policy setting the Start background will use the default visuals.Note: If
y setting you prevent users from changing the default window frame color. If you disable or do not configure this policy setting you allow u
lor. If you enable this policy setting and specify a default color this color is used in glass window frames if the user does not specify a color
ou enable this setting domain joined computers automatically and silently get registered as devices with Azure Active Directory.Note: Add
with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the use
y screen edge.If you enable or do not configure this policy setting users will be able to invoke system UI by swiping in from the screen edge
until the user has successfully completed the scenarios.If this setting is enabled Windows will not show any help tips to the user.
vents/per second sent to the Event Collector.If you enable this policy setting you can control the volume of events sent to the Event Collec
uthority (CA) of a target Subscription Manager.If you enable this policy setting you can configure the Source Computer to contact a specifi
effect only if the "Retain old events" policy setting is enabled.If you enable this policy setting and the "Retain old events" policy setting is e
efinition Language (SDDL) string.If you enable this policy setting only those users matching the security descriptor can access the log.If you
efinition Language (SDDL) string. You must set both "configure log access" policy settings for this log in order to affect the both modern and
ble this policy setting and a log file reaches its maximum size new events are not written to the log and are lost.If you disable or do not co
e Event Log service and should only be accessible to administrators.If you enable this policy setting the Event Log uses the path specified in
tting you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilo
efinition Language (SDDL) string. You cannot configure write permissions for this log. You must set both "configure log access" policy settin
efinition Language (SDDL) string. You cannot configure write permissions for this log.If you enable this policy setting only those users whos
tting you can configure the maximum log file size to be between 20 megabytes (20480 kilobytes) and 2 terabytes (2147483647 kilobytes) in
efinition Language (SDDL) string.If you enable this policy setting only those users matching the security descriptor can access the log.If you
an be written to this log.If the policy setting is disabled then no new events can be logged. Events can always be read from the log regardl
efinition Language (SDDL) string.If you enable this policy setting only users whose security descriptor matches the configured value can acc
onents that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Da
e this value if you want to use a different Web server to handle event information requests.
you enable this policy setting file shortcut icons are allowed to be obtained from remote paths.If you disable or do not configure this policy
PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an inter
to the IPropertySetStorage implementation and to include the intermediate layers provided by the Property System. This behavior is con
elete Cached Roaming Profile Group Policy setting to ensure that Explorer will not reinitialize default program associations and other settin
e based on file types (e.g. *.txt) or protocols (e.g. http:)If this group policy is enabled no notifications will be shown. If the group policy is n
machines reside.If you enable this policy setting administrators can specify a path where all default Library definition files for users reside.
ns file type and protocol default application associations. This file can be created using the DISM tool.For example:Dism.exe /Online /Expo
program that is blocked by policy.
te option will be shown in the Power Options menu (as long as it is supported by the machine's hardware).If you disable this policy setting
hown in the User Tile menu.If you disable this policy setting the lock option will never be shown in the User Tile menu.If you do not config
will be shown in the Power Options menu (as long as it is supported by the machine's hardware).If you disable this policy setting the sleep
File Explorer windows are opened. If you enable this policy setting you can set how the ribbon appears the first time users open File Explor
t terminating Explorer.
ithout terminating Explorer immediately although Explorer may still terminate unexpectedly later.
her than in numerical order.If you enable this policy setting File Explorer will sort file names by each digit in a file name (for example 111 <
ve. When using the full functionality of this protocol applications can open folders and launch files. The protected mode reduces the functi
edirection and the new and old targets point to the same network share but have different network paths.If you enable this policy setting F
ous versions could come from the on-disk restore points or from backup media.If you enable this policy setting users cannot list or restore
ous versions come from the on-disk restore points on the file share.If you enable this policy setting users cannot list or restore previous ve
version is located on backup media. Previous versions can come from the on-disk restore points or the backup media.If you enable this po
n the user has selected a previous version of a local file.If you enable this policy setting the Restore button is disabled when the user select
n the user has selected a previous version of a local file in which the previous version is stored on a backup.If you enable this policy setting
ser has selected a previous version of a file on a file share.If you enable this policy setting the Restore button is disabled when the user sel
not be activated to create regular automatic backups.If you disable or do not configure this policy setting File History can be activated to cr
ered in the cloud so that the device can be located when the user initiates a Find command from account.microsoft.com. On devices that
n. Default is floating near text box. If you want the panel to be fixed use this policy to fix it to the bottom.
add their computer to a homegroup on a private network.If you enable this policy setting users cannot add computers to a homegroup. T
change this setting and the toggle in the UI will be greyed out.
to change this setting and the toggle in the UI will be greyed out.
nge this setting and the toggle in the UI will be greyed out.
rch providers. Normally search providers can be added from third-party toolbars or in Setup. The user can also add a search provider from
e.If you enable this policy "Save Target As" will show up in the Internet Explorer mode context menu and work the same as Internet Explor
ipt handlers to display UI during shutdown. This policy setting may be needed to fix compatibility problems with particular web application
Address bar. To provide enhanced suggestions the user's keystrokes are sent to Microsoft through Microsoft services.If you enable this po
ted in the Internet Explorer 9 browser. Any add-ons that were activated in a previous version of Internet Explorer are considered to be the
f preference). Use this policy if your environment is configured to redirect sites from Internet Explorer 11 to Microsoft Edge. If any of the c
ervers in the HTTP User Agent header.If you enable this policy setting Internet Explorer sends the specified custom string in the version po
ents Internet Explorer from downloading a component when users browse to a Web site that needs that component.If you disable this po
et and customize Internet Explorer. This setting specifies that Internet explorer use the configuration settings provided in a file by the syste
nnections tab in the Internet Options dialog box appears dimmed.If you disable this policy or do not configure it users can change their setti
m the home page whenever the browser is run. This policy setting allows you to set default secondary home pages.If you enable this policy
ttings from another browser import settings from a file or export settings to a file. Importing settings from another browser allows the user
policy it:- Prevents Internet Explorer 11 from launching as a standalone browser.- Restricts Internet Explorer's usage to Microsoft Edge's n
nable this policy it prevents Internet Explorer from checking to see whether it is the latest available browser version and notifying users if
able this policy the splash screen which displays the program name licensing and copyright information is not displayed.If you disable this
n they install new components. The Software Distribution Channel is a means of updating software dynamically on users' computers by usi
ough Add-On Manager.If you enable this policy setting users cannot enable or disable add-ons through Add-On Manager.If you disable or
h as "Ctrl+S" to have "Save as" functionality.If you enable this policy extended hotkey functionality is enabled in Internet Explorer mode an
nu bar and the Command bar. Starting with Windows 8 this policy only applies to Internet Explorer on the desktop.The navigation bar inclu
orer when they are available.If you enable this policy setting automatic upgrade of Internet Explorer will be turned on.If you disable this po
the ‘Send all sites not included in the Enterprise Mode Site List to Microsoft Edge’ (‘RestrictIE’) policy isn’t enabled this policy has no effect
mpatibility issues. Optionally this policy also lets you specify where to get reports (through post messages) about the websites for which us
f the Internet Explorer Site discovery Toolkit(SDTK). When enabled the feature will collect data from sites that are part of the domains con
of the Internet Explorer Site discovery Toolkit(SDTK). When enabled the feature will collect data from sites that are part of the zones confi
er-specific proxy settings. They must use the zones created for all users of the computer.If you disable this policy or do not configure it use
ws regardless of the Internet Explorer process's Pop-Up Blocker settings.If you enable this policy setting you can enter a list of sites which
ttings Check.If you enable this policy setting the user cannot use the "Fix settings" functionality.If you disable or do not configure this polic
y setting the following occur: • The Help menu on the menu bar is not functional. • Help is removed from the Command bar. • The sh
tScreen Filter prevents the user from browsing to or downloading from sites that are known to host malicious content. SmartScreen Filter
tScreen Filter warns the user about executable files that Internet Explorer users do not commonly download from the Internet.If you enab
are as follows: High: Block all pop-ups. Medium: Block most automatic pop-ups. Low: Allow pop-ups from secure sites.If you enable t
er will not be able to configure proxy settings.If you disable or do not configure this policy setting the user can configure proxy settings.
and the toolbar Search box.If you enable this policy setting the user cannot change the default search provider.If you disable or do not con
cks links from other applications.If you enable this policy setting the user cannot configure how windows open in Internet Explorer when h
If you enable this policy setting the user cannot configure how new tabs are created by default. You must specify whether tabs should ope
ox is available it includes all installed search providers and a link to search settings.If you enable this policy setting the Search box does not
this policy setting the user cannot add websites to or remove websites from the exception list.If you disable or do not configure this policy
website being visited is known for fraudulent attempts to gather personal information through "phishing" or is known to host malware.If y
visited is known for fraudulent attempts to gather personal information through "phishing."If you enable this policy setting the user is not
ogram (CEIP).If you enable this policy setting the user cannot participate in the CEIP and the Customer Feedback Options command does n
u enable this policy setting ActiveX controls cannot be installed on a per-user basis.If you disable or do not configure this policy setting Acti
starts the browser after installing Internet Explorer or Windows.If you enable this policy setting you must make one of the following choic
nvocations. If you enable this policy setting JScript9Legacy will be loaded in situations where JScript is instantiated.If you disable this po
et Explorer to those defined in the list of policy keys for search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Intern
sites with the same security level.If you enable this policy the site management settings for security zones are disabled. (To see the site m
e same security level.If you enable this policy the Custom Level button and security-level slider on the Security tab in the Internet Options d
eb sites with the same security level.If you enable this policy changes that the user makes to a security zone will apply to all users of that c
Microsoft Edge. If you use this setting you must also turn on the Administrative Templates\Windows Components\Internet Explorer\Use
here are two algorithms that Internet Explorer uses.The default algorithm has four settings: low medium high or default. Low creates very
stating that a site has been opened using Microsoft Edge with Enterprise Mode.If you enable this setting employees see an additional pag
ble this policy setting you can choose which page to display when the user opens a new tab: blank page (about:blank) the first home page
etting ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of Activ
owed such as the taskbar the desktop or File Explorer.If you enable this policy setting users cannot pin sites.If you disable or do not config
es from loading any ActiveX control without prior approval. If a website attempts to load an ActiveX control that Internet Explorer has not u
o load all the user's enabled add-ons exceeds the threshold. The notification informs the user that add-ons are slowing his or her browsing
ash Recovery does not prompt the user to recover his or her data after a program stops responding.If you disable or do not configure this p
m requesting location data about the user.If you enable this policy setting browser geolocation support is turned off.If you disable this poli
in tabbed browsing in Internet Explorer.If you enable this policy setting the user cannot configure pop-up windows in tabbed browsing. Yo
enable this policy setting a crash in Internet Explorer will exhibit behavior found in Windows XP Professional Service Pack 1 and earlier nam
xplorer.If you enable this policy setting the Favorites bar is turned off.If you disable this policy setting the Favorites bar is turned on.If you
ite being visited is known for fraudulent attempts to gather personal information through "phishing" or is known to host malware.If you e
you enable this policy setting applications that host MSHTML do not respond to user input that causes the content to be re-rendered at a
u enable this policy setting the Control Panel information relating to pop-up management will be unavailable (grayed out) and all other po
le this policy setting the entry points to Quick Tabs are removed from the Internet Explorer user interface.If you disable or do not configur
sion feature in Internet Explorer.If you enable this policy setting the user cannot use the Reopen Last Browsing Session feature.If you disa
ble this policy setting the user cannot view suggestions for user-installed search providers.If you disable or do not configure this policy setti
Explorer user interface. Starting with Windows 8 this policy only applies to Internet Explorer on the desktop.If you enable this policy setti
e browser address bar.If you enable this policy setting user will not be suggested matches when entering Web addresses. The user cannot
he Search box.If you enable this policy setting when a user clicks in the Search box the quick pick menu does not appear until the user start
ity settings to determine when the settings put Internet Explorer at risk.If you enable this policy setting the feature is turned off.If you disa
ls. The user can choose to turn off ActiveX Filtering for specific websites so that ActiveX controls can run properly.If you enable this policy
compatibility information is displayed in the Windows Event Viewer.If you enable this policy setting the user can log information that is blo
w) in Internet Explorer.If you enable this policy setting the menu bar appears in Internet Explorer by default and the user cannot turn it off.
discovery Toolkit(SDTK). When enabled the feature will write data collected to a WMI class which can then be aggregated using a client ma
iscovery Toolkit(SDTK). When enabled the feature will write data collected to an XML file at a location specified when setting this policy. W
ser’s browsing activity. Suggested Sites reports a user’s browsing history to Microsoft to suggest sites that the user might want to visit.If yo
se Mode IE instead of Standard mode because of compatibility issues. Users can't edit this list.If you enable this policy setting Internet Exp
ed Accelerators are added to the user's browser. The user can append other Accelerators to this list but the user cannot remove or change
ecified Accelerators are added to the user's browser. The user can append other Accelerators to this list but the user cannot remove or ch
through Group Policy.If you enable this policy setting the user can access only Accelerators that are deployed through Group Policy. The us
olicy setting users cannot access Accelerators.If you disable or do not configure this policy setting users can access Accelerators and install
e computer attempts to perform a Clipboard operation (delete copy or paste).If you enable this policy setting the user is not prompted wh
orer process attempts to perform a Clipboard operation (delete copy or paste) and the URL action for the zone is set to prompt.If you enab
hout prompting the user.Note: Do not enter the Internet Explorer processes in this list. To enable or disable Internet Explorer processes us
ndows 8 this policy setting also allows you to manage whether users can access the Print flyout for Internet Explorer and any printers unde
sing a menu option.If you enable this policy setting a menu option won’t be available in Internet Explorer settings or in the tools menu in t
s are available on Windows Update.If you enable this policy setting the Microsoft-provided website lists are used during browser navigatio
ay problems that he or she may encounter while browsing.If you enable this policy setting the user cannot use the Compatibility View butt
utton allows the user to fix website display problems that he or she may encounter while browsing.If you enable this policy setting the use
ermines how Internet Explorer identifies itself to a web server and determines whether content is rendered in Internet Explorer 7 Standar
defined as any webpage that belongs to the local intranet security zone.If you enable this policy setting Internet Explorer uses the current
tibility View.If you enable this policy setting the user can add and remove sites from the list but the user cannot remove the entries that yo
s whether content is rendered in Quirks Mode or the Standards Mode available in the latest version of Internet Explorer.If you enable this
e Internet Component Download service exposes a function that is called by an application to download verify and install code for an Obje
oses. The preferences selected in the Delete Browsing History dialog box (such as deleting temporary Internet files cookies history form d
List. To access the Temporary Internet Files and History Settings dialog box from the Menu bar on the Tools menu click Internet Options cli
more information on browsing history Group Policy settings see "Group Policies Settings in Internet Explorer 10" in the TechNet technical
eX Filtering and Tracking Protection data which includes the list of websites for which the user has chosen to disable ActiveX Filtering or Tr
owsing History dialog box.If you enable this policy setting cookies are preserved when the user clicks Delete.If you disable this policy settin
ble in the Delete Browsing History dialog box.If you enable this policy setting download history is preserved when the user clicks Delete.If
Delete Browsing History dialog box.If you enable this policy setting favorites site data is preserved when the user clicks Delete.If you disab
Browsing History dialog box.If you enable this policy setting form data is preserved when the user clicks Delete.If you disable this policy setti
InPrivate Filtering data during browser sessions other than InPrivate Browsing sessions to determine which third-party items should be bl
owsing History dialog box.If you enable this policy setting passwords are preserved when the user clicks Delete.If you disable this policy setti
in the Delete Browsing History dialog box.If you enable this policy setting temporary Internet files are preserved when the user clicks Dele
This feature is available in the Delete Browsing History dialog box.If you enable this policy setting websites that the user has visited are pr
net browsing history available by clicking Tools Internet Options and then Delete Browsing History in Internet Explorer.If you enable this p
policy users are prevented from seeing and changing advanced Internet settings such as security multimedia and printing.If you disable this
s policy users are prevented from seeing and changing connection and proxy settings.If you disable this policy or do not configure it users
utoComplete Wallet and Profile Assistant settings.If you disable this policy or do not configure it users can see and change these settings.
icy users are unable to see and change settings for the home page the cache history Web page appearance and accessibility.If you disable
cy users are prevented from seeing and changing default settings for privacy.If you disable this policy or do not configure it users can see a
olicy users are prevented from seeing and changing default settings for Internet programs.If you disable this policy or do not configure it u
licy it prevents users from seeing and changing settings for security zones such as scripting downloads and user authentication.If you disab
SL/TLS) certificate errors that interrupt browsing (such as "expired" "revoked" or "name mismatch" errors) in Internet Explorer.If you enab
s to internationalized domain name (IDN) format (Punycode) before sending them to Domain Name System (DNS) servers or to proxy serve
on Format (UTF-8) for mailto links.If you enable this policy setting Internet Explorer encodes mailto links in UTF-8.If you disable or do not c
ctive content on a CD to run.If you enable this policy setting active content on a CD will run without a prompt.If you disable this policy setti
ram files (non-Internet Explorer components) that are registered with Internet Explorer (such as Macromedia and Java) that are required i
components (such as fonts) that can installed by Internet Explorer Active Setup. For example if you open a Web page that requires Japan
equests help optimize the latency of network requests through compression multiplexing and prioritization.If you enable this policy setting
works with HTTP requests to optimize the latency of network requests through compression multiplexing and prioritization.If you enable
ads can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered
as browser helper objects such as toolbars. Browser helper objects may contain flaws such as buffer overruns which impact Internet Explo
er.If you enable this policy setting Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests. The DNT:1 header signals to
rsions. When Internet Explorer is set to do this the checks occur approximately every 30 days and users are prompted to install new versio
ervers' certificates. Certificates are revoked when they have been compromised or are no longer valid and this option protects users from
ch identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloadi
cted Mode is enabled. When a user has an ActiveX control installed that is not compatible with Enhanced Protected Mode and a website a
nternet Explorer Settings allows the user to reset all settings changed since installation delete browsing history and disable add-ons that ar
ontain secure (HTTPS) information such as passwords and credit card numbers to the Internet Explorer cache which may be insecure.If you
porary Internet Files folder after all browser windows are closed. This protects against storing dangerous files on the computer or storing s
und in Web content. Generally only animated GIF files are affected by this setting; active Web content such as java applets are not.If you e
ntent. Generally only sound files such as MIDI files are affected by this setting; active Web content such as java applets are not.If you enab
content. Generally only embedded video files are affected by this setting; active Web content such as java applets are not.If you enable th
nology that enhances the readability of text on LCD displays.If you enable this policy setting applications that host MSHTML do not render
2 Secure Sockets Layer (SSL) 2.0 or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browse
n the background speeding up performance such that when the user clicks a hyperlink the background page seamlessly switches into view
ormation.If you enable this policy setting Profile Assistant information will not be provided and users will not be prompted to provide info
(UTF-8) to encode query strings in URLs before sending them to servers or to proxy servers.If you enable this policy setting you must spec
e next pre-loaded page of a website.Microsoft collects your browsing history to improve how flip ahead with page prediction works. This fe
ty) or 32-bit processes (for greater compatibility) when running in Enhanced Protected Mode on 64-bit versions of Windows.Important: So
e to a webpage by using the keyboard to move the cursor. Caret Browsing supports standard text-editor functionality such as using the Sh
processes on 64-bit versions of Windows. For computers running at least Windows 8 Enhanced Protected Mode also limits the locations I
policy setting Internet Explorer uses HTTP 1.1.If you disable this policy setting Internet Explorer does not use HTTP 1.1.If you do not config
nnections.If you enable this policy setting Internet Explorer uses HTTP 1.1 through proxy connections.If you disable this policy setting Inter
og box.If you enable this policy setting Internet Explorer displays the Content Advisor setting on the Content tab of the Internet Options d
d. By default Internet Explorer displays the home page. In Internet Explorer 10 Internet Explorer can start a new browsing session with the
f you enable this policy setting websites will be able to store application caches on client computers. Allow website database and caches o
.If you enable this policy setting websites will be able to store an indexed database on client computers. Allow website database and cach
o exceed their storage limit. The “Set default storage limits for websites” policy setting sets the data storage limits for application caches.
ed. If the application cache is used before the expiration time limit it will not be automatically removed. When you set this policy setting yo
l websites. When you set this policy setting you provide the cache limit in MB.If you enable this policy setting Internet Explorer displays a n
d to exceed their storage limit. The “Set default storage limits for websites” policy setting sets the data storage limits for indexed database
The manifest file is used to create the application cache. If any file in the manifest exceeds the allowed size Internet Explorer sends an erro
file associated with an application cache. If the manifest associated with an application cache exceeds the number of resources allowed in
u set this policy setting you provide the storage limit in MB. When the limit is reached Internet Explorer notifies the user and the user must
ou set this policy setting you provide the storage limit in MB. When the limit is reached Internet Explorer notifies the user and the user mu
cted security level for example Low Medium Low Medium or High.If you enable this template policy setting and select a security level all v
e are forced into the local Intranet security zone.If you enable this policy setting local sites which are not explicitly mapped into a zone are
urity zone.If you enable this policy setting all network paths are mapped into the Intranet Zone.If you disable this policy setting network pa
ntranet security zone.If you enable this policy setting sites which bypass the proxy server are mapped into the Intranet Zone.If you disable
curity zone. These zone numbers have associated security settings that apply to all of the sites in the zone.Internet Explorer has 4 security
gs to a domain.If you enable this policy setting automatic detection of the intranet is turned on and intranet mapping rules are applied aut
is policy setting is turned on the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different
nd the intranet mapping rules have not been configured. The Notification bar allows the user to enable intranet mappings if they require t
curity zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).If you enable this policy setting users can load a page i
l in the Intranet Zone can run active content such as script ActiveX Java and Binary Behaviors. The list of restricted protocols may be set in
le this policy setting script code on pages in the zone can run automatically. If you select Prompt in the drop-down box users are queried t
apsulate specific functionality for HTML elements to which they were attached.If you enable this policy setting binary and script behaviors
mple cut copy and paste) in a specified region.If you enable this policy setting a script can perform a clipboard operation.If you select Prom
source within the zone.If you enable this policy setting users can drag files or copy and paste files from this zone automatically. If you selec
option is determined by the zone of the page with the link causing the download not the zone from which the file is delivered.If you enable
u enable this policy setting HTML fonts can be downloaded automatically. If you enable this policy setting and Prompt is selected in the dr
ne. The settings for this option are: If you enable this policy setting users can install desktop items from this zone automatically.If you sele
re browser-hosted ClickOnce-deployed applications built via WinFX. These applications run in a security sandbox and take advantage of th
ML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take adva
presentation of paginated content and are portable across platforms devices and applications.If you enable this policy setting and set the
b page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.If you enable this polic
websites other than the website that installed the ActiveX control.If you enable this policy setting the user is prompted before ActiveX con
bsites.If you enable this policy setting the TDC ActiveX control will not run from websites in this zone.If you disable this policy setting the TD
d using Search Connectors in File Explorer. Search Connectors allow rich searching of remote sources from within File Explorer. Search res
lay custom thumbnails in the preview pane in File Explorer. While this policy setting usually applies to items returned by OpenSearch quer
pt.If you enable this policy setting script access to the WebBrowser control is allowed.If you disable this policy setting script access to the W
ws that include the title and status bars.If you enable this policy setting Windows Restrictions security will not apply in this zone. The secur
setting the user can run scriptlets.If you disable this policy setting the user cannot run scriptlets.If you do not configure this policy setting
he zone.If you enable this policy setting script is allowed to update the status bar.If you disable or do not configure this policy setting script
one in Internet Explorer.If you selected Enable in the drop-down box VBScript can run without user intervention.If you selected Prompt in
d zones. Video and animation playback through the object tag may still be allowed because this involves external controls or media player
status bar or Address bar.If you enable this policy setting websites can open new Internet Explorer windows that have no status bar or Ad
his policy setting scripted windows are displayed.If you disable this policy setting the user must choose to display any scripted windows by
ations.If you enable this policy setting users will receive a prompt when a site instantiates an ActiveX control they do not have installed.If y
Regardless of this setting users will receive file download dialogs for user-initiated downloads.If you enable this setting users will receive
hether users receive a security information message to display pages containing both secure and nonsecure items.If you enable this policy
o certificate or only one certificate exists.If you enable this policy setting Internet Explorer does not prompt users with a "Client Authentica
X controls to check if they're safe to load on pages.If you enable this policy setting Internet Explorer won't check with your antimalware pr
a page in the zone.If you enable this policy users can download signed controls without user intervention. If you select Prompt in the drop
om the zone. Such code is potentially harmful especially when coming from an untrusted zone.If you enable this policy setting users can ru
main when the source and destination are in different windows.If you enable this policy setting and click Enable users can drag content fro
main when the source and destination are in the same window.If you enable this policy setting and click Enable users can drag content from
based on a MIME sniff. A MIME sniff is the recognition by Internet Explorer of the file type based on a bit signature.If you enable this polic
a file via an HTML form. If the local path information is sent some information may be unintentionally revealed to the server. For instance
y setting ActiveX controls are run loaded with parameters and scripted without setting object safety for untrusted data or scripts. This setti
g you can choose options from the drop-down box. Custom to control permissions settings individually.Low Safety enables applets to perfo
ded from an IFRAME reference in the HTML of the pages in this zone.If you enable this policy setting users can run applications and downl
ou can choose from the following logon options.Anonymous logon to disable HTTP authentication and use the guest account only for the C
ons across different domains.If you enable this policy setting users can open windows and frames from othe domains and access applicati
enable this policy setting you can control whether or not Internet Explorer renders legacy filters by selecting Enable or Disable under Opti
with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag an
Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and m
from the specified zone.If you enable this policy setting controls and plug-ins can run without user intervention.If you selected Prompt in
teract with a script.If you enable this policy setting script interaction can occur automatically without user intervention.If you select Promp
ou enable this policy setting scripts can access applets automatically without user intervention.If you select Prompt in the drop-down box
n the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer for example).If y
ng you can choose the following options from the drop-down box.Low safety to allow users to be notified of software updates by e-mail so
submitted. Forms sent with SSL (Secure Sockets Layer) encryption are always allowed; this setting only affects non-SSL form data submissi
n the user is browsing to .NET Framework content in Internet Explorer. The .NET Framework is the next-generation platform for Windows
the user encounters a new control that has not previously run in Internet Explorer he or she may be prompted to approve the control. This
site script injections into websites in this zone.If you enable this policy setting the XSS Filter is turned on for sites in this zone and the XSS F
plorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.If you e
t.If you enable this policy setting SmartScreen Filter scans pages in this zone for malicious content.If you disable this policy setting SmartSc
ws that are opened when the end user clicks a link are not blocked.If you enable this policy setting most unwanted pop-up windows are p
favorites in an XML store or directly within a Web page saved to disk. When a user returns to a persisted page the state of the page can be
icted Sites can navigate into this zone.If you enable this policy setting Web sites from less privileged zones can open new windows in or na
net sites can navigate into this zone.If you enable this policy setting Web sites from less privileged zones can open new windows in or navi
ons across different domains.If you enable this policy setting users can open additional windows and frames from other domains and acce
l in the Trusted Sites Zone can run active content such as script ActiveX Java and Binary Behaviors. The list of restricted protocols may be s
ons across different domains.If you enable this policy setting users can open additional windows and frames from other domains and acce
enable this policy setting Internet Explorer opens tiles only on the desktop.If you disable this policy setting Internet Explorer does not open
orer decide always in Internet Explorer or always in Internet Explorer on the desktop.If you enable this policy setting Internet Explorer enfo
f you enable this policy setting Internet Explorer goes directly to an intranet site for a one-word entry in the Address bar if it is available.If
at opens Microsoft Edge.If you enable this policy setting the button to open Microsoft Edge from Internet Explorer will be hidden.If you dis
hich can be used to invoke the default phone application on the system.If you enable this policy setting phone number detection is turned
nd that require additional software.If you enable this policy setting Internet Explorer plays these files if the appropriate software is installe
this policy setting you must specify which of the following actions applies to searches on the Address bar. The user cannot change the spe
en search is enabled on the Address bar. The possible options are: • Disable top result search: When a user performs a search in the Add
he address bar based on common URLs. The list of common URLs is stored locally and is updated once a month. No user data is sent over
e Internet Explorer Address bar.Windows Search AutoComplete suggests possible matches when a user is entering a web address in the b
ipher strength. When the user logs on to a secure page the page cannot grant access unless the Internet browser connects with a prespec
Explorer and Internet Tools.If you enable this policy setting the user cannot change the URL that is displayed for checking updates to Inte
30 days.If you enable this policy setting the user cannot specify the update check interval. You must specify the update check interval.If yo
hreshold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this valu
e threshold sets the number of first-party sites that a particular third-party item can be referenced from before it is blocked. Setting this va
are loaded by default during an InPrivate Browsing session.Toolbars and BHOs may store data about a user's browsing session. By default
atic mode.The data consists of the URLs of third-party content along with data about the first-party websites that referenced it. It is collec
Internet Explorer from storing data about a user's browsing session. This includes cookies temporary Internet files history and other data.
ether third parties can automatically collect information about their browsing based on the sites that they visit. InPrivate Filtering does thi
whether third parties can automatically collect information about their browsing based on the sites that they visit. Tracking Protection do
ernet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.We recommend that you do not allow i
sers for a password. The reveal password button is displayed during password entry. When the user clicks the button the current password
on Windows Server 2008 Windows Vista with SP1 and Windows XP with SP3.If you enable this policy setting Internet Explorer does not tu
pers to encapsulate images and .css files within the body of the URL and optionally encode them by using base 64 encoding. Malware filter
er. Add-ons in this case are controls like ActiveX Controls Toolbars and Browser Helper Objects (BHOs) which are specifically written to ext
rences (as reflected by Add-on Manager) or policy settings. By default any process other than the Internet Explorer processes or those lis
List' policy setting are denied. Add-ons in this case are controls like ActiveX Controls Toolbars and Browser Helper Objects (BHOs) which ar
user preferences (as entered into Add-on Manager) or policy settings. By default only Internet Explorer processes use the add-on managem
specific outdated ActiveX controls in Internet Explorer.If you enable this policy setting users won't see the "Run this time" button on the w
Outdated ActiveX controls are never blocked in the Intranet Zone.If you enable this policy setting Internet Explorer stops blocking outdated
ng outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.If you enable this policy setting you can en
f you enable this policy setting Internet Explorer logs ActiveX control information (including the source URI that loaded the control and wh
s policy setting the user can run natively implemented scriptable XMLHTTP.If you disable this policy setting the user cannot run natively im
s per host to a limit of your choice (from 2 through 128).If you enable this policy setting Internet Explorer uses the connection limit of your
s per host to a limit of your choice (from 2 through 128).If you disable or do not configure this policy setting Internet Explorer will use the
default limit is 6; you can select a value from 2 through 128.If you enable this policy setting Internet Explorer uses the WebSocket connecti
mains embedded in the page.If you enable this policy setting documents cannot request data across third-party domains embedded in the
the WebSocket protocol. This policy setting allows administrators to enable or disable the WebSocket object. This policy setting does not p
the XDomainRequest object. Note that this policy setting does not block client-side communication across domains through other feature
y a list of admin-approved behaviors. This list may be configured here and applies to all processes which have opted in to the behavior and
nality for the HTML elements to which they are attached. This policy setting controls whether the Binary Behavior Security Restriction setti
d other binaries signed with MD2 and MD4 signing technologies. Internet Explorer 9 does not support MD2 and MD4 signing technologies
g procedures for files received through a Web server.This policy setting determines whether Internet Explorer requires that all file-type inf
e location of the Web page (Internet Intranet Local Machine zone etc.). Web pages on the local computer have the fewest security restricti
e location of the Web page (Internet Intranet Local Machine zone etc.). Web pages on the local computer have the fewest security restricti
e location of the Web page (Internet Intranet Local Machine zone and so on). Web pages on the local computer have the fewest security re
file of one type to a more dangerous file type.If you enable this policy setting the Mime Sniffing Safety Feature is enabled for all processes.
file of one type to a more dangerous file type.If you enable this policy setting MIME sniffing will never promote a file of one type to a more
file of one type to a more dangerous file type.This policy setting allows administrators to define applications for which they want this secu
K protocol. Resources hosted on the MK protocol will fail.If you enable this policy setting the MK Protocol is disabled for all processes. Any
K protocol. Resources hosted on the MK protocol will fail.If you enable this policy setting the MK Protocol is prevented for File Explorer and
K protocol. Resources hosted on the MK protocol will fail.This policy setting allows administrators to define applications for which they wa
s from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is preve
estricted protocols from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted
s from running in an unsafe manner. This policy setting controls whether restricting content obtained through restricted protocols is preve
tive content obtained through restricted protocols from running in an unsafe manner either by prompting the user or simply disabling the
er than the Internet Explorer processes when file or code installs are restricted. By default the Notification bar is not displayed for any proc
rer processes when file or code installs are restricted. By default the Notification bar is displayed for Internet Explorer processes.If you ena
sses when file or code installs are restricted. By default the Notification bar is not displayed for any process when file or code installs are re
thin the same domain or to a new domain.If you enable this policy setting object reference is no longer accessible when navigating within
thin the same domain or to a new domain.If you enable this policy setting an object reference is no longer accessible when navigating wit
thin the same domain or to a new domain.This policy setting allows administrators to define applications for which they want this security
n the location of the Web page (Internet Intranet Local Machine zone and so on). For example Web pages on the local computer have the
n the location of the Web page (Internet Intranet Local Machine zone etc.). Web pages on the local computer have the fewest security res
n the location of the Web page (Internet Intranet Local Machine zone and so on). Web pages on the local computer have the fewest secur
ting of ActiveX control installation.If you enable this policy setting the Web Browser Control will block automatic prompting of ActiveX con
cesses.If you enable this policy setting prompting for ActiveX control installations will be blocked for Internet Explorer processes.If you disa
ting of ActiveX control installation.If you enable this policy setting and enter a Value of 1 automatic prompting of ActiveX control installatio
ting of file downloads that are not user initiated.If you enable this policy setting the Web Browser Control will block automatic prompting o
e this policy setting file download prompts that are not user initiated will be blocked for Internet Explorer processes.If you disable this poli
ting of file downloads that are not user initiated.If you enable this policy setting and enter a Value of 1 automatic prompting of non-initiate
types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title a
text labels show selective text or show only icons.If you enable this policy setting command buttons are displayed according to which one
bs are displayed on a separate row.If you disable this policy setting tabs are not displayed on a separate row.If you do not configure this p
Command bar is hidden and the user cannot choose to show it.If you disable this policy setting the Command bar is shown and the user ca
us bar is hidden and the user cannot choose to show it.If you disable this policy setting the status bar is shown and the user cannot choose
olicy setting the toolbars are locked and the user cannot move them.If you disable this policy setting the toolbars are unlocked and the us
ttons.If you enable this policy setting the Stop and Refresh buttons are next to the Forward and Back buttons and the user cannot move th
plorer.If you enable this policy setting the user cannot access Developer Tools.If you disable or do not configure this policy setting the use
nes whether incompatible toolbars or Browser Helper Objects are installed when Internet Explorer starts. If the tool detects an incompatib
y setting icons for command buttons are 20 x 20 pixels and cannot be made smaller (16 x 16 pixels).If you disable this policy setting icons f
u enable this policy setting Internet Information Services (IIS) cannot be installed and you will not be able to install Windows components o
etting the location feature is turned off and all programs on this computer are prevented from using location information from the locatio
g scripts for the location feature will not run. If you disable or do not configure this policy setting all location scripts will run.
tting the sensor feature is turned off and all programs on this computer cannot use the sensor feature. If you disable or do not configu
enable this policy setting the Windows Location Provider feature will be turned off and all programs on this computer will not be able to u
he maintenance activation boundary is the daily schduled time at which Automatic Maintenance starts If you enable this policy settin
The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Bound
aintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance
utomatic download and update of map data is turned off.If you disable this setting the automatic download and update of map data is tur
age in Settings > System > Offline Maps.If you enable this policy setting features that generate network traffic on the Offline Maps settings
en MDM is enabled it allows the user to have the computer remotely managed by a MDM Server. If you do not configure this policy settin
Management (MDM) service configured in Azure Active Directory (Azure AD). If the enrollment is successful the device will remotely mana
ns or services. If this setting is enabled all applications and services on the device are prevented from using Microsoft accounts for authenti
when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled. If you enable this s
will allow for faster service startup but may impact performance. If you enable or do not configure this setting the antimalware service w
t or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer. Enabled: Speci
are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. If you disable or do not configure this se
lligence update start time window in hours. If you disable or do not configure this setting scheduled tasks will begin at a random time wi
nicating with the specified IP addresses. The address value should be entered as a valid URL. If you enable this setting the proxy server w
to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-con
empts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy spec
opied to. The value of this setting should be a valid directory path. If you enable this setting the support log files will be copied to the spe
e update start time window in hours. If you disable or do not configure this setting scheduled tasks will begin at a random time within 4
oft Defender Antivirus does not run and will not scan computers for malware or other potentially unwanted software. If you disable this
kes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined acti
hey need to perform an action. The text displayed is a custom administrator-defined string. For example the phone number to call the com
ou enable this setting AM UI won't be available to users.
clients. If you disable or do not configure this setting Microsoft Defender Antivirus notifications will display on clients. If you enable t
I can't be in lockdown mode). If you enable this setting AM UI won't show reboot notifications.
om and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair w
cular set of IP addresses.
pecified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed a
d processes. This policy does not apply to scheduled scans. The process itself will not be excluded. To exclude the process use the Path exc
ned off. Disabled (Default): Microsoft Defender will exclude pre-defined list of paths from the scan to improve performance. E
ng can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If you disa
PS) before allowing certain content to be run or accessed. If this feature is disabled the check will not occur which will lower the protectio
helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections. Y
is set. Possible options are: (0x0) Always prompt (0x1) Send safe samples automatically (0x2) Never send (0x3) Send a
t each rule to the following in the Options section: - Block: the rule will be applied - Audit Mode: if the rule would normally cause an ev
or files and resources that should be excluded from ASR rules in the Options section. Enter each rule on a new line as a name-value pair
se applications are allowed to modify or delete files in controlled folder access folders. Microsoft Defender Antivirus automatically deter
udit or allow attempts by untrusted apps to: - Modify or delete files in protected folders such as the Documents folder - Write to d
n these folders cannot be modified or deleted by untrusted applications. Default system folders are automatically protected. You can con
m using any application to access dangerous domains that may host phishing scams exploit-hosting sites and other malicious content on th
ured into block or audit mode on Windows Server. Enabled: If Enabled administrators can control whether Network Protection is allow
nd scan it in the cloud to make sure it's safe. The typical cloud check timeout is 10 seconds. To enable the extended cloud check feat
Microsoft Defender will compute hash value for files it scans. Disabled: File hash value is not computed Not configured:
d scanning suspicious files. If this setting is on Microsoft Defender Antivirus will be more aggressive when identifying suspicious files to
on set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair where the name should be
ured into block or audit mode on Windows Server. Enabled: If Enabled administrators can control whether Network Protection is allow
oits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it ag
its of known vulnerabilities. If you enable or do not configure this setting protocol recognition will be enabled. If you disable this settin
uld be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. If you enable this setting the loca
being removed. If you enable this setting items will be removed from the Quarantine folder after the number of days specified. If you d
m activity on your computer. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take p
utgoing file activity. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority ov
es and attachments. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority o
his setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If y
g to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file activity but for pe
t will be scanned. If you enable this setting downloaded files and attachments smaller than the size specified will be scanned. If you disa
r do not configure this setting monitoring for file and program activity will be enabled. If you disable this setting monitoring for file and p
u enable or do not configure this setting scanning for all downloaded files and attachments will be enabled. If you disable this setting sca
Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer. If yo
his setting behavior monitoring will be enabled. If you disable this setting behavior monitoring will be disabled.
This helps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this setting a pr
If you enable or do not configure this setting raw write notifications will be enabled. If you disable this setting raw write notifications b
tting script scanning will be enabled. If you disable this setting script scanning will be disabled.
l scan to complete remediation. This setting can only be set by Group Policy. If you enable this setting the local preference setting will ta
an in order to complete remediation. The scan can also be configured to run every day or to never run at all. This setting can be configur
order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For example 120 (0x78) is
moves to either the “additional action” state or the “cleared” state.
te moves to the "cleared" state.
s to the "cleared" state.
moves to the "cleared" state.
r do not configure this setting Watson events will be sent. If you disable this setting Watson events will not be sent.
ftware Tracing). Tracing levels are defined as: 1 - Error 2 - Warning 3 - Info 4 - Debug
to display on clients. If you disable or do not configure this setting Microsoft Defender Antivirus enhanced notifications will display
you enable or do not configure this setting a new context menu will be added to the task tray icon to allow the user to pause a scan. If y
ence will occur before running a scan. This setting applies to scheduled scans as well as the command line "mpcmdrun -SigUpdate" but
utilization during scan. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority
g can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If you disab
s setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over Group Policy. If yo
scheduled scan. This setting can only be set by Group Policy. If you enable this setting the local preference setting will take priority over G
ou enable this setting low CPU priority will be used during scheduled scans. If you disable or do not configure this setting not changes w
to cleaning. If you enable this setting a system restore point will be created. If you disable or do not configure this setting a system re
ssed after which a catch-up scan will be forced. By default the value of this setting is 2 consecutive scheduled scans. If you enable this se
tting mapped network drives will be scanned. If you disable or do not configure this setting mapped network drives will not be scanned.
chive files such as .ZIP or .CAB files. If you enable or do not configure this setting archive files will be scanned. If you disable this setting
not enable this setting. If you enable this setting network files will be scanned. If you disable or do not configure this setting network fi
ed software in the contents of removable drives such as USB flash drives when running a full scan. If you enable this setting removable dr
The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number
is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero inte
s such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. If you enable this setting archive files will be s
g a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should be no
t will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scanning.
ons are: 1 = Quick Scan (default) 2 = Full Scan If you enable this setting the scan type will be set to the specified value. If you disable
time value is represented as the number of minutes past midnight (00:00). For example 120 (0x78) is equivalent to 02:00 AM. By default th
me value is represented as the number of minutes past midnight (00:00). For example 120 (0x78) is equivalent to 02:00 AM. By default th
ut not in use. If you enable or do not configure this setting scheduled scans will only run when the computer is on but not in use. If you
a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer w
is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the compute
ine will parse the mailbox and mail files according to their specific format in order to analyze the mail bodies and attachments. Several e-m
before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do no
being permanently removed. The value represents the number of days to keep items in the folder. If set to zero items will be kept foreve
canned there is a possible risk of recursion. However the engine supports following reparse points to a maximum depth so at worst scann
individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable secu
s sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update
pdate even if the Automatic Updates default server is configured to another download source such as Windows Update. If you enable th
ng on battery power. If you enable or do not configure this setting security intelligence updates will occur as usual regardless of power st
Enabled: Allow managed devices to update through metered connections. Data charges may apply.
ence will occur immediately after service startup. If you enable this setting a check for new security intelligence will occur after service s
ce updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enume
ers. If you disable or do not configure this setting security intelligence will be referred from the default local source.
ce update will be required. By default the value of this setting is 1 day. If you enable this setting a catch-up security intelligence update w
ntelligence is considered out of date. If security intelligence is determined to be out of date this state may trigger several additional action
ligence is considered out of date. If security intelligence is determined to be out of date this state may trigger several additional actions in
ces should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence upda
antimalware engine present. If you enable or do not configure this setting security intelligence updates will be initiated on startup when
ce updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following or
s. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per d
pdates. The time value is represented as the number of minutes past midnight (00:00). For example 120 (0x78) is equivalent to 02:00 AM.
ce update has occurred. If you enable or do not configure this setting a scan will start following a security intelligence update. If you dis
h threat alert level.Threat alert levels should be added under the Options for this setting. Each entry must be listed as a name value pair. T
t is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The
fender Application Guard.If you enable this setting Application Guard inherits auditing policies from your device and logs system events fro
rd can access the device’s camera and microphone when these settings are enabled on the user’s device.If you enable this policy applicati
osoft Defender Application Guard.If you enable this setting Application Guard saves user-downloaded files and other items (such as cookie
the Microsoft Defender Application Guard container.If you enable this setting people can save downloaded files from the Microsoft Defen
g hardware or software acceleration.If you enable this setting Microsoft Defender Application Guard uses Hyper-V to access supported hig
nder Application Guard container.If you enable this setting certificates with a thumbprint matching the ones specified will be transferred in
lication Guard.If you enable this setting you must choose from the following behaviors:- Disable clipboard functionality completely betwee
nder Application Guard.If you enable this setting you must choose one or many of the following behaviors:- Disable all print functionality in
oft Edge and Internet Explorer.If you enable this setting non-enterprise content embedded on enterprise sites are stopped from opening i
cation Guard uses Windows Hypervisor to create a virtualized environment for apps that are configured to use virtualization-based securi
gs that can be applied to all endpoints that have this GP setting configured.There are some prerequisites before you can enable this setting
ault shared folder for Windows.If you enable this setting Microsoft Edge automatically downloads book files to a common shared folder an
Microsoft Edge. We recommend disabling this setting if you want to minimize network connections from Microsoft Edge to Microsoft servic
or don't configure this setting employees can use Adobe Flash.If you disable this setting employees can't use Adobe Flash.
enable this policy setting clearing browsing history on exit is turned on.If you disable or don't configure this policy setting it can be turned
on data for the Books Library.If you enable (default) or don't configure this setting Microsoft Edge automatically updates the configuration
ou enable or don't configure this setting the F12 Developer Tools are available in Microsoft Edge.If you disable this setting the F12 Develop
ng from the Books tab in Microsoft Edge.If you enable this setting Microsoft Edge sends additional telemetry data on top of the basic telem
or don't configure this setting employees can use Microsoft Edge Extensions.If you disable this setting employees can't use Microsoft Edge
nt and hides the Microsoft Edge UI.If enabled or not configured full-screen mode is available for use in Microsoft Edge. Your users and ext
If you enable or don't configure this setting employees can use InPrivate website browsing.If you disable this setting employees can't use
ded list that helps sites with known compatibility issues to display properly) in Microsoft Edge. By default the Microsoft Compatibility List i
hen the system is idle and each time Microsoft Edge is closed. By default this setting is to allow pre-launch.If you allow pre-launch disable
ng Windows sign in and each time Microsoft Edge is closed. By default this setting is to allow preloading.If you allow preloading disable or
ed printing is allowed.If disabled printing is not allowed.
visit on their devices.If enabled or not configured the browsing history is saved and visible in the History pane.If disabled the browsing his
etting users can't add new search engines or change the default used in the address bar.ImportantThis setting can only be used with dom
y whether unverified extensions can be sideloaded in Microsoft Edge.If enabled or not configured sideloading of unverified extensions in M
t Microsoft Edge opens the New Tab page.If you enable this setting Microsoft Edge opens a new tab with the New Tab page.If you disable
s country or region setting as configured in the Country or region area of Windows settings.If you enable this setting Microsoft Edge shows
mployees but can be made a personal default engine. This setting doesn't set the default search engine. For that you must use the "Set def
elds while using Microsoft Edge. By default employees can choose whether to use Autofill.If you enable this setting employees can use Aut
ide whether to: Allow all cookies (default): Allows all cookies from all websites. Block all cookies: Blocks all cookies from all websites.
hat ask for tracking info. By default Do Not Track requests aren't sent but employees can choose to turn on and send requests.If you enab
mployees can change their favorites by adding or removing items at any time.If you enable this setting you can configure what default Favo
cify whether to set the favorites bar to always be visible or hidden on any page.If enabled favorites bar is always visible on any page and th
ome Button URL policy.By default this policy is disabled or not configured and clicking the home button loads the default Start page.When
as a single app or as one of multiple apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen In
nt of idle time. The reset timer begins after the last user interaction. Resetting to the configured start experience deletes the current user’
stomizing it.If enabled you can choose one of the following options:- Start page: the Start page loads ignoring the Configure Start Pages po
ord Manager. By default Password Manager is turned on.If you enable this setting employees can use Password Manager to save their pass
urned on..If you enable this setting Pop-up Blocker is turned on stopping pop-up windows from appearing.If you disable this setting Pop-up
ft Edge. By default employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.If you enable this settin
art pages. When you enable this policy users are not allowed to make changes to their Start pages.If enabled you must include URLs to the
e a user to click the Click-to-Run button to click the content or for the site to appear on the auto-allowed list before loading and running th
List to address common compatibility problems with legacy apps.If you enable this setting Microsoft Edge looks for the Enterprise Mode S
Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software
r customize their start pages. To do this you must also enable the Configure Start Pages or Configure Open Microsoft With policy. When e
mixed mode printing is allowed.If disabled mixed mode printing is not allowed.
Microsoft Edge.If you enable this setting employees can sync their favorites between Internet Explorer and Microsoft Edge.If you disable o
d to change developer settings and to enable experimental features.If you enable this policy setting employees can't access the about:flag
reen warnings about downloading unverified files.If you enable this setting employees can't ignore Windows Defender SmartScreen warni
reen warnings about potentially malicious websites.If you enable this setting employees can't ignore Windows Defender SmartScreen war
stances encrypts the data. With this policy you can specify whether to prevent users from bypassing the security warning to sites that have
on Microsoft Edge.If you enable this setting employees won't be able to add import or change anything in the Favorites list. Also as part of
microsoft.com service to provide a better experience while pinning a Live Tile to the Start menu.If you enable this setting Microsoft Edge w
ning Microsoft Edge for the first time.If you enable this setting employees won't see the First Run page when opening Microsoft Edge for th
ensions through any available enterprise deployment channel such as Microsoft Intune. When you enable this policy users cannot uninsta
calls using the WebRTC protocol.If you enable this setting LocalHost IP addresses are hidden while making calls using the WebRTC protoco
. Employees cannot modify sort move export or delete these provisioned favorites.If you enable this setting you can set favorite URL's and
r 11. This setting should only be used if there are known compatibility problems with Microsoft Edge.If you enable this setting all intranet s
can change the default search engine at any time.ImportantThis setting can only be used with domain-joined or MDM-enrolled devices. F
enabled or configured and the Configure Home Button policy is enabled and the Show home button & set a specific page is selected a cust
rs from changing the New tab page setting. When enabled and the Allow web content on New Tab page policy is disabled Microsoft Edge
display a notification before the site opens. If you want to display a notification you must enable Configure the Enterprise Mode Site List o
d down to prevent your users from changing what page loads when clicking the home button. Use this policy to let users change the hom
n on to a desktop computer running Windows 10. The companion device provides a second factor of authentication with Windows Hello.If
c settings between users’ computers. With Sync Method set to ”SyncProvider” the UE-V Agent uses a built-in sync provider to keep user se
If you enable this policy setting the Company Settings Center displays the specified text in the link to the Contact IT URL.If you disable this
able this policy setting the Company Settings Center Contact IT text links to the specified URL. The link can be of any standard protocol such
ttings for Windows apps.By default the UE-V Agent synchronizes settings for Windows apps between the computer and the settings storag
oot is needed for enable to take effect. With Auto-register inbox templates enabled the UE-V inbox templates such as Office 2016 will be a
Virtualization (UE-V) Agent runs for the first time.By default a notification informs users that Company Settings Center the user-facing nam
ping the settings storage path before attempting to sync settings. If the ping is successful then the sync provider attempts to synchronize
when a settings package file size reaches a defined threshold. By default the UE-V Agent does not report information about package file si
f you enable this policy setting the user settings are stored in the specified location. If you disable or do not configure this policy setting th
will be used to replace the default Microsoft templates installed with the UE-V Agent.If you enable this policy setting the UE-V Agent chec
ttings over metered connections.By default the UE-V Agent does not synchronize settings over a metered connection.With this setting enab
ttings over metered connections outside of the home provider network for example when connected via a roaming connection.By default t
E-V) Agent for Windows apps that are not explicitly listed in Windows App List.By default the UE-V Agent only synchronizes settings of tho
ser settings from the settings storage location. You can use this setting to override the default value of 2000 milliseconds. If you enable thi
Windows settings will synchronize between computers by default. These settings include Windows themes Windows desktop settings Ease
pears in the system tray that displays notifications for UE-V. This icon also provides a link to the UE-V Agent application Company Settings
s to Windows 10 or earlier.
nformation for computers running in a non-persistent pooled VDI environment. UE-V settings rollback data and checkpoints are normally s
ft Access 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the bac
ft Access 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the bac
ettings of Calculator synchronize between computers. Use the policy setting to prevent the user settings of Calculator from synchronization
icrosoft Office Suite 2013 applications.Microsoft Office Suite 2013 has user settings which are common between applications and are back
icrosoft Office Suite 2016 applications.Microsoft Office Suite 2016 has user settings which are common between applications and are back
Excel 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
Excel 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
oft InfoPath 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the
the user settings of Internet Explorer 10 synchronize between computers. Use the policy setting to prevent the user settings for Internet E
the user settings of Internet Explorer 11 synchronize between computers. Use the policy setting to prevent the user settings for Internet E
he user settings of Internet Explorer 8 synchronize between computers. Use the policy setting to prevent the user settings for Internet Exp
he user settings of Internet Explorer 9 synchronize between computers. Use the policy setting to prevent the user settings for Internet Exp
ersions of Internet Explorer.By default the user settings which are common between the versions of Internet Explorer synchronize betwee
ync 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup
ync 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup
ult the user settings of Microsoft Access 2010 synchronize between computers. Use the policy setting to prevent the user settings of Micro
t the user settings of Microsoft Excel 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft
ault the user settings of Microsoft InfoPath 2010 synchronize between computers. Use the policy setting to prevent the user settings of M
ault the user settings of Microsoft InfoPath 2013 synchronize between computers. Use the policy setting to prevent the user settings of M
the user settings of Microsoft Lync 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft
Microsoft Office Suite 2010 applications.By default the user settings which are common between the Microsoft Office Suite 2010 applicatio
Center.By default the user settings of Microsoft Office 2013 Upload Center synchronize between computers. Use the policy setting to preve
Center.By default the user settings of Microsoft Office 2016 Upload Center synchronize between computers. Use the policy setting to preve
13.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 ar
16.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 ar
Microsoft Office Suite 2013 applications.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization c
Microsoft Office Suite 2016 applications.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization c
3.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are
2013.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365
.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are
.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 are
013.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 365 a
nt 2013.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 3
nt 2016.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft Office 3
t Designer 2013.Microsoft Office 365 synchronizes certain settings by default without UE-V. If the synchronization capabilities of Microsoft
default the user settings of OneDrive for Business 2013 synchronize between computers. Use the policy setting to prevent the user setting
default the user settings of OneDrive for Business 2016 synchronize between computers. Use the policy setting to prevent the user setting
fault the user settings of Microsoft OneNote 2010 synchronize between computers. Use the policy setting to prevent the user settings of M
ault the user settings of Microsoft Outlook 2010 synchronize between computers. Use the policy setting to prevent the user settings of Mi
default the user settings of Microsoft PowerPoint 2010 synchronize between computers. Use the policy setting to prevent the user setting
ult the user settings of Microsoft Project 2010 synchronize between computers. Use the policy setting to prevent the user settings of Micr
fault the user settings of Microsoft Publisher 2010 synchronize between computers. Use the policy setting to prevent the user settings of
2010.By default the user settings of Microsoft SharePoint Designer 2010 synchronize between computers. Use the policy setting to preven
2013.By default the user settings of Microsoft SharePoint Designer 2013 synchronize between computers. Use the policy setting to preven
ce 2010.By default the user settings of Microsoft SharePoint Workspace 2010 synchronize between computers. Use the policy setting to pr
t the user settings of Microsoft Visio 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microsoft
lt the user settings of Microsoft Word 2010 synchronize between computers. Use the policy setting to prevent the user settings of Microso
ttings of Notepad synchronize between computers. Use the policy setting to prevent the user settings of Notepad from synchronization be
soft OneNote 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress th
soft OneNote 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress th
oft Outlook 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the
oft Outlook 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the
rosoft PowerPoint 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppre
rosoft PowerPoint 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppre
ft Project 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the ba
ft Project 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the ba
soft Publisher 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress th
soft Publisher 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress th
2013.Microsoft SharePoint Designer 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy
Visio 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup
Visio 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup
Word 2013 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
Word 2016 has user settings that are backed up instead of synchronizing between computers. Use the policy setting to suppress the backu
ttings of WordPad synchronize between computers. Use the policy setting to prevent the user settings of WordPad from synchronization b
user settings of Finance sync between computers. Use the policy setting to prevent the user settings of Finance from synchronizing betwe
user settings of Games sync between computers. Use the policy setting to prevent the user settings of Games from synchronizing between
ser settings of Maps sync between computers. Use the policy setting to prevent the user settings of Maps from synchronizing between com
ser settings of Music sync between computers. Use the policy setting to prevent the user settings of Music from synchronizing between co
ser settings of News sync between computers. Use the policy setting to prevent the user settings of News from synchronizing between com
user settings of Reader sync between computers. Use the policy setting to prevent the user settings of Reader from synchronizing between
ser settings of Sports sync between computers. Use the policy setting to prevent the user settings of Sports from synchronizing between c
ser settings of Travel sync between computers. Use the policy setting to prevent the user settings of Travel from synchronizing between co
ser settings of Video sync between computers. Use the policy setting to prevent the user settings of Video from synchronizing between com
e user settings of Weather sync between computers. Use the policy setting to prevent the user settings of Weather from synchronizing bet
e it for controlling their computers remotely.
ffic (checking for updates etc.) until the user signs in to OneDrive or starts syncing files to the local computer.If you enable this setting user
able this policy setting:* Users can’t access OneDrive from the OneDrive app and file picker.* Windows Store apps can’t access OneDrive u
ows 8.1.If you enable this policy setting:* Users can’t access OneDrive from the OneDrive app and file picker.* Windows Store apps can’t a
nd users from saving files on OneDrive. If you disable this policy setting files will be saved locally by default. Users will still be able to chang
By default the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links.If yo
user may be presented with a screen or series of screens that prompts the user to choose privacy settings for their account. Enable this pol
Go workspace.If you enable this setting Windows when started from a Windows To Go workspace can hibernate the PC.If you disable or d
workspace.If you enable this setting Windows when started from a Windows To Go workspace can't use standby states to make the PC sle
Windows To Go workspace is connected and controls whether users can make changes using the Windows To Go Startup Options Control
presentation settings cannot be invoked.If you disable this policy setting Windows presentation settings can be invoked. The presentation
running on other devices or the web.
nse server will offer Remote Desktop Services client access licenses (RDS CALs).You can use this policy setting to control which RD Session
nse (RDS CAL) a Remote Desktop Services license server will issue to clients connecting to RD Session Host servers running other Windows-
rdp) files and .rdp files from unknown publishers on the client computer.If you enable or do not configure this policy setting users can run
from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client
ion Host server when the client cannot authenticate the RD Session Host server.If you enable this policy setting you must specify one of th
n if supported hardware is available. If you use this setting the Remote Desktop Client will use only software decoding. For example if you h
u enable this setting the password saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save
edentials for a remote connection to an RD Session Host server.If you enable this policy setting a user will be prompted on the client comp
ints that represent trusted Remote Desktop Protocol (.rdp) file publishers.If you enable this policy setting any certificate with an SHA1 thu
ktop Protocol. If you enable this policy setting Remote Desktop Protocol traffic will only use the TCP protocol.If you disable or do not confi
rom this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer.If you enable this policy settin
rvices.If you enable this policy setting users who are members of the Remote Desktop Users group on the target computer can connect re
ns on an RD Session Host server if their network link is temporarily lost. By default a maximum of twenty reconnection attempts are made
D Session Host server is consistent with the client state.After an RD Session Host server client loses the connection to an RD Session Host s
sole of a server can log off an administrator currently logged on to the console.This policy is useful when the currently connected administ
erver.You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is e
able this policy setting users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or d
work quality (bandwidth and latency).You can choose to disable Connect Time Detect Continuous Network Detect or both Connect Time D
RDP) access to this server.If you enable this policy setting you must specify if you would like RDP to use UDP.You can select one of the follo
ession based on the option selected. Select the desired level of control and permission from the options list:1. No remote control allowed:
he Start screen to the user. By default when a new user signs in to a computer the Start screen is shown and apps are registered in the bac
d video output in a Remote Desktop Services session.Users can specify where to play the remote computer's audio output by configuring t
a Remote Desktop Services session.Users can specify whether to record audio to the remote computer by configuring the remote audio se
mote Desktop Services session.If you enable this policy setting clients that are capable of time zone redirection send their time zone inform
n the local computer can access UI elements on the server.UI Automation gives programs access to most UI elements which lets you use a
tion) between a remote computer and a client computer during a Remote Desktop Services session.You can use this setting to prevent use
remote computer in a Remote Desktop Services session.You can use this setting to prevent users from redirecting data to COM port perip
rvices session (drive redirection).By default an RD Session Host server maps client drives automatically upon connection. Mapped drives a
ote Desktop Services session.By default Remote Desktop Services allows redirection of location data.If you enable this policy setting users
emote Desktop Services session.You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remo
ervices session.If you enable this policy setting Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Ser
vices such as Windows Portable Devices to the remote computer in a Remote Desktop Services session. By default Remote Desktop Servic
in a Remote Desktop Services session. By default Remote Desktop Services allows redirection of video capture devices.If you enable this p
on. Limiting the quality of audio playback can improve connection performance particularly over slow links.If you enable this policy setting
n there are problems with RD Licensing that affect the RD Session Host server.By default notifications are displayed on an RD Session Hos
se (RDS CAL) that is required to connect to this RD Session Host server. You can use this policy setting to select one of two licensing mo
cate Remote Desktop license servers.If you enable this policy setting an RD Session Host server first attempts to locate the specified license
e Desktop Services sessions.You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a prin
default printer in a session on an RD Session Host server.By default Remote Desktop Services automatically designates the client default p
y default the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that ma
d first to install all client printers. If you enable or do not configure this policy setting the RD Session Host server first tries to use the Remo
ive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed.Note: If you want to
aming user profiles.By default Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this polic
as the root of the user's home directory for a Remote Desktop Services session.To use this setting select the location for the home directo
for all users connecting remotely to the RD Session Host server.If you enable this policy setting Remote Desktop Services uses the path sp
nection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. Therefore yo
erver uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Re
Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced
cts to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Ho
emote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote c
m to use.By default servers use an RDP compression algorithm that is based on the server's hardware configuration.If you enable this poli
ections. When you enable hardware encoding if an error occurs we will attempt to use software encoding. If you disable or do not configu
computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual qu
op Session Host or Remote Desktop Virtualization Host servers. By default the system will choose the best experience based on available n
mote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server
Services.You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default Windows XP Pr
ktop Services connections.You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the col
onitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connectio
e Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection perfor
When you use this setting on the RDP server the server will use H.264/AVC 444 as the codec in an RDP 10 connection where both the clien
og box in Remote Desktop Services sessions.You can use this policy setting to prevent users from using this familiar method to disconnect
p clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently.If the statu
can use this setting to specify a program to run automatically when a user logs on to a remote computer.By default Remote Desktop Serv
pport for transparency live thumbnails and seamless application moves. This policy setting applies only to RemoteApp programs and does
esktop Services sessions.If you enable this policy setting all Remote Desktop Services sessions use the hardware graphics renderer instead
you enable or do not configure this policy setting Remote Desktop Connections will use WDDM graphics display driver.If you disable this p
ualization Host (RD Virtualization Host) server and a Remote Desktop Session Host (RD Session Host) server.When deployed on an RD Virtu
esktop Services sessions. Remote sessions on the remote computer are then optimized to support this visual experience.By default Remo
Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type
word upon connection.You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services even if they
sions for the Remote Desktop Session Host server. You can use this setting to prevent administrators from making changes to the user gro
all clients or allows unsecured communication.You can use this setting to strengthen the security of RPC communication with clients by allo
ications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections.If you enable this policy setting
ons to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authe
certificate is automatically selected to authenticate an RD Session Host server.A certificate is needed to authenticate an RD Session Host s
en client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are
stead of disconnecting it.You can use this setting to direct Remote Desktop Services to end a session (that is the user is logged off and the
p Services session can be idle (without user input) before it is automatically disconnected.If you enable this policy setting you must select
es session can be active before it is automatically disconnected.If you enable this policy setting you must select the desired time limit in th
ssions.You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By
y folders at logoff.You can use this setting to maintain a user's session-specific temporary folders on a remote computer even if the user lo
mporary folders.You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each sessio
g has no impact on the Windows RSS Platform.If you enable this policy setting the user cannot access the feed list in the Favorites Center.I
ed or Web Slice is available for an associated webpage.If you enable this policy setting the user does not receive a notification on the toolb
eed to the user's computer.If you enable this policy setting the user cannot set the Feed Sync Engine to download an enclosure through th
ble this policy setting the menu command to subscribe to a feed and the menu command to delete a feed are disabled and access to Web
you enable this policy setting the ability to synchronize feeds and Web Slices in the background is turned off.If you disable or do not confi
cheme over an unencrypted HTTP connection.If you enable this policy setting the Windows RSS Platform authenticates feeds to servers by
earch. The value of this text should be:nameurlFor example:Intranethttp://intranetsearch.aspx?k=$w You must provide the following:1) A
earch location defined in the Add Primary Intranet Search Location policy. The value of this text should be:name1url1;name2url2;...nameN
ure this setting Cortana will be allowed on the device. If you disable this setting Cortana will be turned off. When Cortana is off users will s
the system is locked.If you enable or don’t configure this setting the user can interact with Cortana using speech while the system is locke
ill attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service compon
ana results. If this is enabled search and Cortana can access location information.
you enable this policy setting words that only differ in diacritics are treated as different words. If you disable this policy setting words with
it relies on indexing history. If you enable this policy setting Windows will always use automatic language detection to index (as it did in W
e rich attachment previews.When this policy is disabled or not configured the default settings will be set to .bmp;.emf;.gif;.jpg;.jpeg;.png;.
r may override these paths and include them in indexing.
hese paths and exclude them from indexing.
en when system activity is high. If disabled backoff logic will be used to throttle back indexing activity when system activity is high. Default
s. If you enable this policy setting locations on removable drives cannot be added to libraries. In addition locations on removable drives
this policy is disabled or not configured the Web option is available and users can search the Web via their default browser search engine
if the web results are displayed in Search.If you enable this policy setting queries won't be performed on the web and web results won't b
r metered connections and if the web results are displayed in Search.If you enable this policy setting queries won't be performed on the w
server. This policy affects only delegate mailboxes that are online. Microsoft Outlook 2007 allows users to cache portions of delegate mail
utlook is not running in cached mode. The default behavior for search is to not index uncached Exchange folders. Disabling this policy will b
online mail is indexed on a Microsoft Exchange server. The lower you set this policy the lower the burden will be on the corresponding Mic
exing Options in Control Panel. Any UNC locations that have already been added to the index by the user will not be removed.When this p
tions menu as well as any defined locations that were made by a user. When this policy is not configured the default behavior is to allow u
nable this policy setting Windows Search is prevented from automatically adding shared folders to the index. Windows Search does not au
sing network shares that are stored on this computer they will not search them using the index. If disabled client search requests will use t
ns dialog. Otherwise it can be opened. Disabled by default.
enter any path that starts with one of the paths you specified.If you enable and then disable this policy setting users can index any path n
dexing service components (including non-Microsoft components) are expected not to index e-mail attachments. Consider enabling this p
ed. Disabled by default.
y index Outlook items. If this policy is enabled then the user's Outlook items will not be added to the index and the user will not see them
nnot modify this list. You should separate each extension type with a semicolon.Note that limitations of Group Policy Object Editor require
disabled or not configured the user has the option to index cached public folders in Outlook. Public folders are only indexed when using O
follows the default behavior. Default is disabled.
the Control Panel.If you enable this policy setting the Advanced Options dialog for Search and Indexing Options in the Control Panel canno
ess they are specified in the allow list. However This policy will not prevent iFilters or protocol handlers from being installed nor will it prev
You can also turn off the preview pane. The four options are:- Auto- Right- Bottom- OffYou should consider enabling this policy to turn off
esktop Search results. The two options are:- Large Icon- Small Icon.If you have disabled the preview pane because your organization does n
rch. If you enable this policy setting you can specify one of three SafeSearch settings which users won't be able to change: -Strict: Filter o
this policy setting you can specify one of four settings which users won't be able to change: -User info and location: Share a user's searc
drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB.Enable this policy if computers in your en
d to an Active Directory domain. When Security Center is turned on it monitors essential security settings and notifies the user when the co
efore proceeding with the system shutdown.If you enable this policy setting the system waits for the hung logon sessions for the number
mote shutdown interface is needed in order to shutdown this system from a remote Windows XP or Windows Server 2003 system.If you e
r logon.In versions of Windows prior to Windows Vista smart card certificates that are used for logon require an enhanced key usage (EKU
mart card can be used to log on to a domain.If you enable this policy setting ECC certificates on a smart card can be used to log on to a dom
e logon User Interface (UI).In order to use the integrated unblock feature your smart card must support this feature. Please check with yo
r logon.If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logo
yet valid.Under previous versions of Microsoft Windows certificates were required to contain a valid time and not be expired. The certific
evation that allows a user to enter his or her user name or user name and domain thereby associating a certificate with that user.If you en
s policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then
enable this policy setting the specified message will be displayed to the user when the smart card is blocked. Note: The following policy se
tificate renewal period a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion
.During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certificates in
card device driver is installed.If you enable or do not configure this policy setting a confirmation message will be displayed when a smart c
this policy setting Credential Manager does not return a plaintext PIN. If you disable or do not configure this policy setting plaintext PINs c
playing it during logon. By default the user principal name (UPN) is displayed in addition to the common name to help users distingu
s inserted.If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card.If yo
ard is inserted.If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart
or do not configure this policy setting Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device d
ons: - Not Configured (default -- Windows registration and reactivation is allowed) - Disabled (Windows registration an
ly. Enabling this setting prevents this computer from sending data to Microsoft regarding its activation state. If you disable or do not con
that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file.If you enabl
odels. A speech model contains data used by the speech engine to convert audio to text (or vice-versa). The models are periodically up
wnloaded. Apps will not be updated. Your Store will also be disabled. Enable turns all of it back on. This setting applies only to Enterprise a
this setting users will not be able to view the retail catalog in the Microsoft Store but they will be able to view apps in the private store.If y
g the automatic download and installation of app updates is turned off.If you disable this setting the automatic download and installation
e this setting the automatic download of app updates is turned off.If you disable this setting the automatic download of app updates is tur
tting the Store application will not offer updates to the latest version of Windows.If you disable or do not configure this setting the Store ap
tion is denied. Access to the Store is required for installing app updates.If you disable or don't configure this setting access to the Store ap
he "sync your settings" page in PC Settings.If you enable this policy setting "sync your settings" will be turned off and none of the "sync you
app settings" group on the "sync your settings" page in PC settings.If you enable this policy setting the "app settings" group will not be sync
"AppSync" group on the "sync your settings" page in PC settings.If you enable this policy setting the "AppSync" group will not be synced.Us
wser" group on the "sync your settings" page in PC settings. The "browser" group contains settings and info like history and favorites.If you
sables the "desktop personalization" group on the "sync your settings" page in PC settings.If you enable this policy setting the "desktop pe
bles "sync your settings on metered connections" switch on the "sync your settings" page in PC Settings.If you enable this policy setting syn
sables the "Other Windows settings" group on the "sync your settings" page in PC settings.If you enable this policy setting the "Other Wind
asswords" group on the "sync your settings" page in PC settings.If you enable this policy setting the "passwords" group will not be synced.U
ersonalize" group on the "sync your settings" page in PC settings.If you enable this policy setting the "personalize" group will not be synce
e "Start layout" group on the "sync your settings" page in PC settings. If you enable this policy setting the "Start layout" group will not
is policy the InkBall game will run.If you do not configure this policy the InkBall game will run.
ver will not allow printing to it. It will remain displayed in the list of available printers but attempts to print to it will fail.If you disable this p
un.If you disable this policy setting the Snipping Tool will run.If you do not configure this policy setting the Snipping Tool will run.
un.If you disable this policy the Windows Journal accessory will run.If you do not configure this policy the Windows Journal accessory will
isual pen action feedback is disabled except for press and hold feedback. Additionally the mouse cursors are shown instead of the pen cu
that subscribe to this behavior.If you enable this policy a button assigned to Back will not map to ESC.If you disable this policy Back->ESC m
s policy applications cannot be launched from a hardware button and "Launch an application" is removed from the drop down menu for co
.If you enable this policy press and hold actions are unavailable and the button configuration dialog will display the following text: "Some
s are pressed and the buttons tab in Tablet PC Control Panel will be removed.If you disable this policy user and OEM defined button action
Windows Vista) from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab w
here this behavior is available. This policy applies only when using a tablet pen as an input device.Tablet PC Input Panel is a Tablet PC acce
here this behavior is available. This policy applies only when a user is using touch input.Tablet PC Input Panel is a Tablet PC accessory that
t. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified) Chinese (Traditional) Japanese and Korean. This s
s a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard shortcu
s where this behavior is available.Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keybo
Panel in Windows 7 and Windows Vista). These settings include using the on-screen keyboard by default preventing users from switching
e Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. The tolerant gestures let users scratch o
earning mode is not. Pen flicks are off by default and can be turned on system-wide but cannot be restricted to learning mode application
ed features are unavailable. This includes: pen flicks themselves pen flicks training pen flicks training triggers in Internet Explorer the pen fl
aining.If you disable or do not configure this policy setting users can open Tablet PC Pen Training.
puter using their finger.If you enable this setting the user will not be able to produce input with touch. They will not be able to use touch i
compatible PC with a touch digitizer by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the
the last page of the Scheduled Task Wizard. This policy is only designed to simplify task creation for beginning users.The checkbox when
e Properties item from the File menu in Scheduled Tasks and from the context menu that appears when you right-click a task. As a result u
k items from the context menu that appears when you right-click a task. As a result users cannot start tasks manually or force tasks to end
cheduled program for existing tasks.This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the
ks folder.This setting disables the Cut Copy Paste and Paste Shortcut items on the context menu and the Edit menu in Scheduled Tasks. It a
s the New Task Wizard. Also the system does not respond when users try to move paste or drag programs or documents into the Schedule
command from the Edit menu in the Scheduled Tasks folder and from the menu that appears when you right-click a task. Also the system
ectory.When you enable this setting compliant applications will be prevented from accessing disallowed tenants according to a policy set i
ell checking dictionaries) included with a language can be uninstalled from a user’s machine when the language is uninstalled. The languag
guage recognition and suggestion capabilities of apps and services running on Windows.
by default unless you change this in your settings.If you turned this feature on before it will stay on automatically unless you turn it off.
sonal calendars publishing them and subscribing to other users calendars.If you enable this setting Windows Calendar will be turned off.If
licy setting users cannot install new color profiles or uninstall previously installed color profiles.If you disable or do not configure this polic
Microsoft Operations Manager server.If you disable this setting uploads are not redirected to a Microsoft Operations Manager server.If you
study is being conducted.If you enable this setting then Windows CEIP data uploaded will be tagged.If you do not configure this setting or d
g users to install apps only from the Store. SmartScreen must be enabled for this feature to work properly.If you enable this setting you m
PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an inter
Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software
reen warnings about potentially malicious websites.If you enable this setting employees can't ignore Windows Defender SmartScreen war
e sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products or additional data other than
en Windows Error Reporting is enabled.This policy setting does not enable or disable Windows Error Reporting. To turn Windows Error Rep
ges to the system event log.If you enable this policy setting Windows Error Reporting events are not recorded in the system event log.If yo
her Microsoft or internal servers within your organization when software unexpectedly stops working or fails.If you enable this policy settin
or.If you enable this policy setting users are notified in a dialog box that an error has occurred and can display more details about the erro
soft automatically.If you enable this policy setting any additional data requests from Microsoft in response to a Windows Error Reporting re
el report data even if a CAB file containing data about the same event types has already been uploaded to the server.If you enable this po
t configure this policy setting Windows Error Reporting does not display any GUI-based error messages or dialog boxes for critical errors.If
nning on battery power. By default when a computer is running on battery power WER only checks for solutions but does not upload addi
olicy that restricts the amount of data that is sent over the network.If you enable this policy setting WER does not check for network cost p
ou do not want to send error reports to Microsoft).If you enable this policy setting you can specify the name or IP address of an error repo
olicy setting you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all all data collected for each
ble this policy setting you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pul
dows Error Reporting is enabled.If you enable this policy setting you can instruct Windows Error Reporting in the Default pull-down menu t
rors.To create a list of applications for which Windows Error Reporting never reports errors click Show under the Exclude errors for applica
Windows Error Reporting is turned on.If you enable this policy setting you can create a list of applications that are never included in error r
n Windows Error Reporting is turned on.If you enable this policy setting you can create a list of applications that are never included in erro
orting is enabled.If you enable this policy setting Windows Error Reporting includes operating system errors.If you disable this policy settin
reporting is enabled.If you enable this policy setting error reporting includes unplanned shutdown events.If you disable this policy setting
le this policy setting you can set the default consent handling for error reports. The following list describes the Consent level settings that
ypes.If you enable this policy setting you can add specific event types to a list by clicking Show and typing event types in the Value Name c
ustom consent settings.If you enable this policy setting the default consent levels of Windows Error Reporting always override any other co
cording and Broadcasting features. If you disable this setting Windows Game Recording will not be allowed.If the setting is enabled or not
usiness credentials for other users.If you enable this policy setting Windows allows all users of the computer to enumerate all Windows H
GUIDs to be used as the first and second unlock factors. If the trusted signal provider is specified as one of the unlock factors you should a
e this policy setting these signal rules will be evaluated to detect user absence and automatically lock the device.If you disable or do not co
rt card enabled applications.If you enable this policy setting Windows Hello for Business provisions Windows Hello for Business credential
protected by it cannot be used on other devices.If you enable this policy setting Windows Hello for Business provisioning only occurs on de
an alternative to the PIN gesture. However users must still configure a PIN to use in case of failures.If you enable or do not configure this
on-premises authentication.If you enable this policy setting Windows Hello for Business enrolls a sign-in certificate that is used for on-pre
mises authentication.If you enable this policy setting Windows Hello for Business will use a Kerberos ticket retrieved from authenticating t
overy service without losing any associated credentials or certificates including any keys associated with the user's personal accounts on t
ectory or Azure Active Directory account that can replace passwords Smart Cards and Virtual Smart Cards.If you enable this policy the devi
rd certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy settin
tem administrators.If you enable this policy setting some of the security features of Windows Installer are bypassed. It permits installation
able this policy setting the Browse button in the "Use feature from" dialog box is enabled. As a result users can search for installation files
re permitted to install patches even when the installation program is running with elevated system privileges. Patches are updates or upg
ons.If you enable this policy setting all users are permitted to install programs from removable media such as floppy disks and CD-ROMs e
m on the system.If you enable this policy setting privileges are extended to all programs. These privileges are usually reserved for program
cache. The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache
u enable this policy setting strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrade
ckages on the system can run embedded UI.If you disable or do not configure this policy setting embedded UI is allowed to run.
g the user.If you disable or do not configure this policy setting by default when a script hosted by an Internet browser tries to install a prog
olicy setting users are prevented from using Windows Installer to install patches. Patches are updates or upgrades that replace only those
ng all Patch Optimization options are turned off during the installation.If you disable or do not configure this policy setting it enables faste
ly signed by the application vendor.Non-administrator updates provide a mechanism for the author of an application to create digitally sig
d updates.This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment
se an interrupted or unsuccessful installation.If you enable this policy setting Windows Installer is prevented from recording the original st
anager API can eliminate or reduce the number of system restarts that are required to complete an installation or update.If you enable th
ed and use the drop-down list to select the behavior you want.If you do not configure this policy setting or if the policy setting is enabled a
components to an installed program. If you enable this policy setting the Browse button beside the "Use feature from" list in the Wind
m files consist of instructions to modify or customize a program during installation.If you enable this policy setting the transform file is sav
lation. The log Msi.log appears in the Temp directory of the system volume. When you enable this policy setting you can specify the ty
an application is installed. System Restore enables users in the event of a problem to restore their computers to a previous state without
ng property in an installation package can be used to enable automatic logging of all install operations for the package.If you enable this p
no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Co
vent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You
occurs after a restart or cold boot. If you chose “Disabled” in the “Sign-in and lock last interactive user automatically after a restart” policy
AS).If you enable this policy setting you have one of four options:If you set this policy setting to "None" user mode software cannot simulat
nd logon failures to the user.For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional lev
ontacted during logon and he has been logged on using previously stored account information.If enabled a notification popup will be displ
ser after the system restarts or after a shutdown and cold boot.This only occurs if the last interactive user didn’t sign out before the restar
t).When enabled Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades
Media Player is in skin mode.If you enable this policy setting the anchor window is hidden when the Player is in skin mode. In addition the o
etting the Privacy Options and Installation Options dialog boxes are prevented from being displayed the first time a user starts Windows M
s desktop.If you enable this policy setting users cannot add the Player shortcut icon to their desktops.If you disable or do not configure th
is policy setting any user on this computer is prevented from sharing digital media content from Windows Media Player with other compu
nch bar.If you enable this policy setting the user cannot add the shortcut for the Player to the Quick Launch bar.If you disable or do not co
tting video smoothing is prevented which can improve video playback on computers with limited resources. In addition the Use Video Smo
setting Windows Messenger does not run.If you disable or do not configure this policy setting Windows Messenger can be used.Note: If y
this policy setting Windows Messenger is not loaded automatically when a user logs on.If you disable or do not configure this policy settin
ble to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not l
elp cmdlet.If you enable this policy setting the Update-Help cmdlet will use the specified value as the default value for the SourcePath par
able this policy setting pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Ev
erShell/Operational event log. If you enable this policy setting Windows PowerShell will log the processing of commands script blocks f
o text-based transcripts. If you enable this policy setting Windows PowerShell will enable transcripting for Windows PowerShell the W
d to run.If you enable this policy setting the scripts selected in the drop-down list are allowed to run.The "Allow only signed scripts" policy
bilityStabilitymetrics and Win32_ReliabilityRecords to provide data to Reliability Monitor in the Security and Maintenance control panel an
nt uses Basic authentication.If you enable this policy setting the WinRM client uses Basic authentication. If WinRM is configured to use HTT
nt uses CredSSP authentication.If you enable this policy setting the WinRM client uses CredSSP authentication.If you disable or do not confi
nt sends and receives unencrypted messages over the network.If you enable this policy setting the WinRM client sends and receives unenc
nt uses Digest authentication.If you enable this policy setting the WinRM client does not use Digest authentication.If you disable or do not
nt uses Kerberos authentication directly.If you enable this policy setting the Windows Remote Management (WinRM) client does not use K
nt uses Negotiate authentication.If you enable this policy setting the WinRM client does not use Negotiate authentication.If you disable or
nt uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity.If you enable this policy setting the WinR
ice accepts Basic authentication from a remote client. If you enable this policy setting the WinRM service accepts Basic authentication
ice accepts CredSSP authentication from a remote client. If you enable this policy setting the WinRM service accepts CredSSP authenti
ice automatically listens on the network for requests on the HTTP transport over the default HTTP port.If you enable this policy setting the
ice sends and receives unencrypted messages over the network.If you enable this policy setting the WinRM client sends and receives unen
ice accepts Kerberos credentials over the network. If you enable this policy setting the WinRM service does not accept Kerberos crede
ice accepts Negotiate authentication from a remote client. If you enable this policy setting the WinRM service does not accept Negotia
ice will not allow RunAs credentials to be stored for any plug-ins.If you enable this policy setting the WinRM service will not allow the Run
RM) service with regard to channel binding tokens. If you enable this policy setting the WinRM service uses the level specified in Harde
s in the Windows Remote Management (WinRM) service. If you enable this policy setting the HTTP listener always appears. If you
es in the Windows Remote Management (WinRM) service. If you enable this policy setting the HTTPS listener always appears. If yo
tting new remote shell connections are accepted by the server.If you set this policy to ‘disabled’ new remote shell connections are rejected
hell operations on the system.The value can be any number from 1 to 100.If you enable this policy setting the new shell connections are r
any user activity until it is automatically deleted.Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute)
ated by any active remote shell and all its child processes.Any value from 0 to 0x7FFFFFFF can be set where 0 equals unlimited memory wh
.If you enable this policy setting you can specify any number from 0 to 0x7FFFFFFF to set the maximum number of process per shell. Zero
n on the same system.Any number from 0 to 0x7FFFFFFF cand be set where 0 means unlimited number of shells.If you enable this policy s
onfigured.
indows Sandbox will be able to receive audio input from the user. Applications using a microphone may require this setting.If you disable
tting copy and paste between the host and Windows Sandbox are permitted. If you disable this policy setting copy and paste in and out of
decrease the attack surface exposed by the sandbox.If you enable this policy setting networking is done by creating a virtual switch on th
his policy setting host printers will be shared into Windows Sandbox. If you disable this policy setting Windows Sandbox will not be able to
will be supported in the Windows Sandbox.If you disable this policy setting Windows Sandbox will use software rendering which can be slo
deo input is enabled in Windows Sandbox.If you disable this policy setting video input is disabled in Windows Sandbox. Applications using
n area will be hidden. Disabled: The Account protection area will be shown. Not configured: Same as Disabled.
browser protection area will be hidden. Disabled: The App and browser protection area will be shown. Not configured: Sam
Enabled: Local users can not make changes in the Exploit protection settings area. Disabled: Local users are allowed to ma
e performance and health area will be hidden. Disabled: The Device performance and health area will be shown. Not configure
be unavailable for use. Disabled: The Clear TPM button will be available for use. Not configured: Same as Disabled.
ill be hidden. Disabled: The Device security area will be shown. Not configured: Same as Disabled.
idden. Disabled: The Secure boot area will be shown. Not configured: Same as Disabled.
The Security processor (TPM) troubleshooting area will be hidden. Disabled: The Security processor (TPM) troubleshooting area wi
Enabled: Users will not be shown a recommendation to update their TPM Firmware. Disabled: Users will see a recommenda
ecurity Enabled: Your company contact information will be displayed in a flyout menu in Windows Security. After setting this to
ed: Your company contact information will be displayed in notifications that come from Windows Security. After setting this to Ena
ons. This setting must be enabled for any contact information to appear. Enabled: Enter the company name in the Options section.
notifications. Users can click on the contact information to create an email that will be sent to the specified address. The default ema
d notifications. Users can click on the contact information to automatically call the supplied number. Skype will be used to initiate the
ers can click on the contact information to visit the specified website. The default web browser will be used. Enabled: Enter the UR
l be hidden. Disabled: The Family options area will be shown. Not configured: Same as Disabled.
all and network protection area will be hidden. Disabled: The Firewall and network protection area will be shown. Not configu
tions from Windows Security. Disabled: Local users can see notifications from Windows Security. Not configured:
etting has been enabled this setting will have no effect. Enabled: Local users will only see critical notifications from Windows Secur
ither sign out and sign in or reboot the computer for this setting to take effect. Enabled: Windows Security notification area contro
are data recovery area will be hidden. Disabled: The Ransomware data recovery area will be shown. Not configured: Same
hreat protection area will be hidden. Disabled: The Virus and threat protection area will be shown. Not configured: Same a
rupt Windows services nor restart Windows.If the status is set to Enabled Automatic Updates will immediately install these updates once
cations based on the "Configure Automatic Updates" policy setting.If you enable this policy setting Windows Automatic Update and Micros
of time prior to a scheduled restart to notify the user.If you disable or do not configure this policy the default period will be used.
. When a restart is required to install updates the auto-restart required notification is displayed. By default the notification is automatically
rt for the update installation deadline. Users are not able to postpone the scheduled restart once the deadline has been reached and the r
tart.If the status is set to Enabled a scheduled restart will occur the specified number of minutes after the installation is finished.If the stat
wed to be the default choice in the Shut Down Windows dialog.If you enable this policy setting the user's last shut down choice (Hibernate
s policy is disabled or not configured then the Windows Update client may initiate automatic scans against Windows Update while update
ayed in the Shut Down Windows dialog box.If you enable this policy setting 'Install Updates and Shut Down' will not appear as a choice in
matically wake up the system from sleep if there are updates scheduled for installation.Windows Update will only automatically wake up t
be restarted by any user who is logged on instead of causing the computer to restart automatically.If the status is set to Enabled Automati
eduled restart. If the status is set to Enabled a scheduled restart will occur the specified number of minutes after the previous prompt
ding with a scheduled installation that was missed previously.If the status is set to Enabled a scheduled installation that did not take place
et 2 to 14 days past the default restart date.The restart may happen inside active hours.If you disable or do not configure this policy the P
active hours to Engaged restart which requires the user to schedule. The period can be set between 0 and 30 days from the time the resta
ate installations including reminder and warning notifications.Enable this policy to turn off all auto restart notifications.If you disable or do
from the Windows Update update service.When this policy is enabled Automatic Updates will install recommended updates as well as imp
about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installatio
ges may apply)
important updates instead of first notifying users on the login screen for at least two days.The restart timer can be configured to start wit
gh the Windows automatic updating service.Note: This policy does not apply to Windows RT.This setting lets you specify whether automa
tart warnings2 – Turn off all notifications including restart warningsThis policy allows you to define what Windows Update notifications us
updates is removed.
ess to Windows Update scan download and install is removed.
eir active hours.The max active hours range can be set between 8 and 18 hours.If you disable or do not configure this policy the default m
evices automatically and a grace period after which required restarts occur automatically.Set deadlines for feature updates and quality up
PC will attempt to restart outside of active hours.Note that the PC must restart for certain updates to take effect.If you disable or do not co
update reboots will happen at the scheduled install time.
tities other than Microsoft when the update is found on an intranet Microsoft update service location.If you enable this policy setting Auto
ble updates. The exact wait time is a sum of the specific value and a random variant of 0-4 hours. If the status is set to Enabled Window
periodically retrieve information from the public Windows Update service to enable future connections to Windows Update and other se
Microsoft update service.If the status is set to Enabled the specified target group information is sent to the intranet Microsoft update servi
te service to automatically update computers on your network. This setting lets you specify a server on your network to function as an
cified update source: either Windows Update or Windows Server Update Service. Note: To receive any updates from the Windows Se
any safeguard holds. Safeguard holds are known compatibility issues that block the upgrade from being deployed to affected devices until
gure this policy Windows Update will include updates that have a Driver classification.
orld.Dev ChannelIdeal for highly technical users. Insiders in the Dev Channel will receive builds from our active development branch that i
a.ms/WindowsTargetVersioninfoThe device will request that Windows Update product and version in subsequent scans.Entering a target
to defer taking the next Feature Update available to your channel for up to 14 days for all the pre-release channels and up to 365 days for
s for up to 30 days.To prevent quality updates from being received on their scheduled time you can temporarily pause quality updates. Th
affected computer. If you enable this policy setting Work Folders will be set up automatically for all users of the affected computer. Th
p and if all pages in a category are blocked the category will be hidden as well. Direct navigation to a blocked page via URI context menu i
ng their PC.If you disable or do not configure this policy setting users that are not required to press CTRL + ALT + DEL before signing in will
the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will no
you specify the default lock screen and logon image shown when no user is signed in and also sets the specified image as the default for a
ers can change it.If this setting is set to a nonzero value then Start uses the specified background and users cannot change it. If the specifi
displaying the logon screen.If you enable this setting the user will not be able to change their lock screen and logon image and they will in
his setting the user will be assigned the default start menu background and colors and will not be allowed to change them.If the "Force a s
ou enable this setting users will no longer be able to enable or disable lock screen camera access in PC Settings and the camera cannot be i
ble this setting users will no longer be able to modify slide show settings in PC Settings and no slide show will ever start.
ll see the traditional static lock screen background image.If you disable this setting (and the device has an accelerometer) the user will see
choose whether to enable speech services via settings. If this policy is disabled speech services will be disabled and users cannot e
guage packs that are installed as part of the system image will remain installed even if they are not used by any user on that system. I
more than one language is restricted to a specified language. If the specified language is not installed on the target computer or you disabl
dows language use the following policy: "Restricts the UI languages Windows uses for all logged users." If you enable this policy setti
nus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languag
r to help adapt handwriting recognition to the vocabulary and handwriting style of the user. Text that is collected includes all outgoing me
es to a company logo.Note: The default account picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\user.jpg. The de
y and password expiration is set according to policy.When you disable or not configure this setting password expiration time may be longe
OT managed
even when renamed DO configure when you use custom local admin account
mum: 8 characters Maximum: 64 characters Default: 14 charactersPassword age in days Minimum: 1 day Maximum: 365 days Default: 30
count and password is configured on multiple systems. Enabling this policy significantly reduces that risk.Enabled (recommended): Applie
oose from three options to control whether and how Flash is blocked from activation:1. "Block all activation" prevents the Flash control fro
nt driver to "Disable driver" using the "Configure SMB v1 client driver" setting;* Enable this setting;* In the "Configure LanmanWorkstation
ELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!For Windows 7 and Servers 2008 2008R2 and 2012 you must also co
e a reboot to take effect.For more information see https://support.microsoft.com/kb/2696547
s-operating-systems.If this setting is disabled or not configured SEHOP is not enforced for 32-bit processes.
do not configure it the system will limit installation of print drivers to Administrators of this computer.If you disable this setting the system
server (WINS).* An M-node computer broadcasts first and then queries the name server.* An H-node computer queries the name server
the context menu when the user holds Shift while right-clicking on a .bat .cmd .exe or .msc file in Explorer.Disabled: Restores the Windows
d to provide business-critical functionality before you enable this setting.If Enabled Office applications will not execute legacy JScript for th
ndows Components\Windows Defender Antivirus\Configure detection for potentially unwanted applications.
is needed.If this setting is not configured WDigest authentication is disabled in Windows 8.1 and in Windows Server 2012 R2; it is enabled
s every 15 minutes.If you enable this policy setting you can configure how often a DFS client attempts to discover domain controllers. This
server specified by the job's owner. If BITS peer caching is enabled BITS caches downloaded files and makes them available to other
ows Branch Cache by default. If you enable this policy setting the BITS client does not use Windows Branch Cache. If you disable
and a peer caching client (downloading files from its peers). If you enable this policy setting the computer will no longer use the BITS
) and a peer caching client (downloading files from its peers). If you enable this policy setting the computer will no longer cache down
peer cache that have not been accessed in the past 90 days. If you enable this policy setting you can specify in days the maximum age
lable to peers until the cache content reaches the specified cache size. By default BITS will use 1 percent of the total system disk for the p
nloading files. When the cumulative download time exceeds this limit the job is placed in the error state. By default BITS uses a maxim
y a limit to use during a specific time interval and at all other times. For example limit the use of network bandwidth to 10 Kbps from 8:00
by serving other peers by default BITS will use up to 30 percent of the bandwidth of the slowest active network interface. For example if a
the maximum number of BITS jobs a user can create. If you enable this policy setting BITS will limit the maximum number of BITS jobs
this policy setting to raise or lower the maximum number of user BITS jobs. If you enable this policy setting BITS will limit the maximu
n. If you enable this policy setting BITS will limit the maximum number of files a job can contain to the specified number. If you d
mber ranges per file. If you enable this policy setting BITS will limit the maximum number of ranges that can be added to a file to the s
ad behavior policies further limit the network usage of background transfers. If you enable this policy setting you can define a default
the network bandwidth that is used for background transfers. If you enable this policy setting you can define a separate set of netwo
sing a weekly calendar which consists of days of the week and hours of the day. All hours and days that are not defined in a work schedule
After a job is determined to be abandoned the job is deleted from BITS and any downloaded files for the job are deleted from the disk.
ntent from file servers based on the network latency - or delay - that occurs when the clients download content from the main office over
ot use the same BranchCache version cache efficiency might be reduced because client computers that are using different versions of Bran
d cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in th
ociated with the client's current Active Directory site. If you enable this policy setting client computers to which the policy setting is applie
he data cache.If you disable or do not configure this policy setting the age is set to 28 days.Policy configurationSelect one of the following:-
" to enable BranchCache on client computers.In distributed cache mode client computers download content from BranchCache-enabled m
enable BranchCache on client computers.When a client computer is configured as a hosted cache mode client it is able to download cache
otal disk space to allocate for the cache.If you disable or do not configure this policy setting the cache is set to 5 percent of the total disk s
e mode or distributed cache mode clients. To do so configure one of the following the policy settings: - Set BranchCache Distributed Cache
following types: - A DNS name or IPv6 address that NCA pings. The syntax is “PING:” followed by a fully qualified domain name (FQDN) th
the Contoso Corporation.If this setting is not configured the string that appears for DirectAccess connectivity is “Corporate Connection”.
tting through these configured tunnel endpoints. By default NCA uses the same DirectAccess server that the DirectAccess client computer c
DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolu
lient to open a new message with the support email address in the To: field of the message then attaches the generated log files as a .htm
to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access. If this setting is not con
d an unqualified multi-label name for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an
h as "www.example.com" in addition to single-label names. If you disable this policy setting or if you do not configure this policy setting N
use DoH protocol to resolve domain names.To use this policy setting click Enabled and then select one of the following options from the dr
alue representing the DNS suffix.If you enable this policy setting the DNS suffix that you enter will be applied to all network connections u
e this policy setting click Enabled and then enter a space-delimited list of IP addresses in the available field. To use this policy setting you m
l name. This is different from a fully qualified domain name such as "example.microsoft.com."Client computers that receive this policy setti
ou do not configure this policy setting computers will attempt to use dynamic DNS registration on all network connections that have conn
ed to the Nameprep form.If this policy setting is disabled or if this policy setting is not configured IDNs are not converted to the Nameprep
binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP
xample: microsoft.com.Important: In order for changes to this policy setting to be applied on computers that receive it you must restart W
he parent suffix of the primary DNS suffix name and the parent of that suffix and so on stopping if the name is successfully resolved or at a
bel unqualified domain name with the parent suffix of the primary DNS suffix name and the parent of that suffix and so on stopping if the
these records with a concatenation of its computer name and the primary DNS suffix.By default a DNS client performing dynamic DNS regi
registered the corresponding A resource record.If you enable this policy setting registration of PTR records will be determined by the optio
ic DNS registration of A and PTR resource records periodically reregister their records with DNS servers even if the record has not changed
NS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a
econds (for example 900 is 15 minutes).If you enable this policy setting the TTL value that you specify will be applied to DNS resource reco
abled IDNs are not converted to Punycode.If this policy setting is disabled or if this policy setting is not configured IDNs are converted to P
nk on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does no
over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received the network binding order is u
esolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT).If you enable this policy setting
only when nonsecure dynamic updates are refused.Only unsecure - computers send only nonsecure dynamic updates.Only secure - comp
form dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top
ne font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or rend
tials when manually connecting to the network. If authentication is successful users will be connected automatically on subsequent attem
ast one supported cipher suite or if you disable or do not configure this policy setting the default cipher suite order is used.SMB 3.11 ciphe
that have the File Services role and both the File Server and the BranchCache for Network Files role services installed.Policy configuration
ed based on the data in shared folders where BranchCache is enabled. If you specify only one version that is supported content informatio
st prefers from the list of client-supported cipher suites ignoring the client's preferences.If you disable or do not configure this policy settin
ast one supported cipher suite or if you disable or do not configure this policy setting the default cipher suite order is used.SMB 3.11 ciphe
uest logons.If you disable this policy setting the SMB client will reject insecure guest logons.Insecure guest logons are used by file servers
B client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of
ailable offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of file
nitiate Quality-of-Service requests such as bandwidth estimation and network health analysis.If you enable this policy setting additional op
vered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation an
uirements for the local system. Thus it will not allow any passwords to be used for a Peer Group that are weaker than what would be allow
oration content distribution and distributed processing.If you enable this setting peer-to-peer protocols will be turned off.If you disable th
rios. For example a client computer can detect other computers to initiate chat sessions but other computers cannot detect that client and
mber. The protocol in some cases requires a seed server from which to get bootstrapped.Any node running peer to peer can be used as a
esolution of a name to an IPV6 address and port number. One of the ways in which PNRP bootstraps itself is by using multicast on the sam
address. Other hosts can then resolve the name retrieve the corresponding address and establish peer-to-peer (P2P) connections. The PN
number. The protocol in some cases requires a seed server from which to get bootstrapped. This setting allows for setting the seed server
d resolution of a name to an IPV6 address and port number. One of the ways in which PNRP bootstraps itself is by using multicast on the s
number. The protocol in some cases requires a seed server from which to get bootstrapped. This setting allows for setting the seed server
d resolution of a name to an IPV6 address and port number. One of the ways in which PNRP bootstraps itself is by using multicast on the s
access only.If you disable this setting or do not configure it the "local access only" icon will be used when a user is connected to a network
ected to when the setting was refreshed on that computer. If a computer is connected to a DNS domain network other than the one it was
wall service can run on a computer.Important: This setting is location aware. It only applies when a computer is connected to the same DNS
figure their system as an Internet gateway for a small network and provides network services such as name resolution and addressing thro
disable or do not configure this policy setting domain users can set a network's location without elevating.
ects to an internal network using DirectAccess it can access the Internet in two ways: through the secure tunnel that DirectAccess establis
oups of computers. If a computer on that list authenticates using IPsec Windows Defender Firewall does not block its unsolicited message
ing uses the echo request message. If you do not enable the "Allow inbound echo request" message type Windows Defender Firewall bloc
e ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets fr
r Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distribu
hat this computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messag
P port 1900.If you enable this policy setting Windows Defender Firewall opens these ports so that this computer can receive Plug and Play
y the "Windows Defender Firewall: Define inbound port exceptions" policy setting.If you enable this policy setting the Windows Defender
efined by the "Windows Defender Firewall: Define inbound program exceptions" policy setting.If you enable this policy setting the Window
e. You must provide the name location and maximum size of the log file. The location can contain environment variables. You must also sp
ed by the Windows Defender Firewall component in Control Panel.If you enable this policy setting you can view and change the inbound p
ed by the Windows Defender Firewall component in Control Panel.If you enable this policy setting you can view and change the program e
policy setting in the Windows Defender Firewall component of Control Panel the "Block all incoming connections" check box is selected a
y setting Windows Defender Firewall prevents the display of these notifications.If you disable this policy setting Windows Defender Firewa
mputers Windows Defender Firewall blocks the unicast responses sent by those other computers.If you disable or do not configure this pol
hibit use of Internet Connection Firewall on your DNS domain network" policy setting.If you disable this policy setting Windows Defender F
ing uses the echo request message. If you do not enable the "Allow inbound echo request" message type Windows Defender Firewall bloc
e ports so that this computer can receive print jobs and requests for access to shared files. You must specify the IP addresses or subnets fr
r Firewall opens TCP ports 135 and 445. Services typically use these ports to communicate using remote procedure calls (RPC) and Distribu
hat this computer can receive Remote Desktop requests. You must specify the IP addresses or subnets from which these incoming messag
P port 1900.If you enable this policy setting Windows Defender Firewall opens these ports so that this computer can receive Plug and Play
y the "Windows Defender Firewall: Define inbound port exceptions" policy setting.If you enable this policy setting the Windows Defender
efined by the "Windows Defender Firewall: Define inbound program exceptions" policy setting.If you enable this policy setting the Window
e. You must provide the name location and maximum size of the log file. The location can contain environment variables. You must also sp
ed by the Windows Defender Firewall component in Control Panel.If you enable this policy setting you can view and change the inbound p
ed by the Windows Defender Firewall component in Control Panel.If you enable this policy setting you can view and change the program e
policy setting in the Windows Defender Firewall component of Control Panel the "Block all incoming connections" check box is selected a
y setting Windows Defender Firewall prevents the display of these notifications.If you disable this policy setting Windows Defender Firewa
mputers Windows Defender Firewall blocks the unicast responses sent by those other computers.If you disable or do not configure this pol
hibit use of Internet Connection Firewall on your DNS domain network" policy setting.If you disable this policy setting Windows Defender F
rk). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network.
appen on any interface.
e the options to control the passive polling behavior.
by the proxy address.Contains a list of Enterprise resource domains hosted in the cloud. Connections to these resources are considered co
apps that have the Internet Client or Internet Client/Server capabilities.If you enable this policy setting apps on proxied networks can acce
pps that have the Home/Work Networking capability.If you enable this policy setting it allows an administrator to configure a set of proxie
ing capability have appropriate access to your corporate network. These addresses are only accessible to apps if and only if the app has d
ork Isolation's automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritativ
off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. Only network hosts
Offline Files tab. This prevents users from trying to change the option while a setting controls it.If you enable this setting you can use the "A
enable this policy setting Offline Files is enabled and users cannot disable it.If you disable this policy setting Offline Files is disabled and use
n the user logs off the system deletes all local copies of offline files.If you disable this setting or do not configure it automatically and man
-link mode use the "Configure slow-link mode" policy setting.If you enable this policy setting you can control when Windows synchronizes
les automatically adjust its behavior to avoid excessive synchronization traffic and will not automatically reconnect to a server when the p
er's access to this data is not degraded due to network slowness. When Offline Files is operating in the slow-link mode all network file requ
he Offline Files tab. This prevents users from trying to change the option while a setting controls it.Automatic caching can be set on any ne
with the specified file extensions in any of the folders that have been made available offline.If you disable or do not configure this policy se
ur in the background when the user's network is roaming near or over the plan's data limit. This may result in extra charges on cell phone
ntly cached Windows reads from the cached copy after verifying its integrity. This improves end-user response times and decreases bandw
om the Offline Files cache without proper permissions.If you enable this policy setting all files in the Offline Files cache are encrypted. Thi
when the offline files storage cache is corrupted. However you can use this setting to specify additional events you want Offline Files to re
etting even when they reside on a network share configured for automatic caching. Also if users try to make a file of this type available offl
eriodically. By default the first reminder for an event is displayed for 30 seconds. Then updates appear every 60 minutes and are displayed
be automatically cached if the user accesses a file on an automatic caching network share.This setting also disables the ability to adjust thr
tion on server disconnect" setting.To use this setting click Show. In the Show Contents dialog box in the Value Name column box type the s
omputer. Also they cannot use the folder to view characteristics of offline files such as their server status type or location.This setting does
ine Files context menu and disables the Settings button on the Offline Files Status dialog box. As a result users cannot view or change the
ons appear when the user's connection to a network file is lost or reconnected and they are updated periodically. By default the first rem
first reminder for an event is displayed for 30 seconds. Then updates appear every 60 minutes and are displayed for 15 seconds. You can u
ndows will still cache local copies of files that reside on network shares designated for automatic caching.If you disable or do not configure
ot available for the files and folders that you list. To specify these files and folders click Show. In the Show Contents dialog box in the Value
ork offline" command is not displayed in File Explorer.If you disable or do not configure this policy setting the "Work offline" command is d
etting the files you enter are always available offline to users of the computer. To specify a file or folder click Show. In the Show Contents d
ers do not have the option of excluding subfolders.If you enable this setting when you make a folder available offline all folders within that
rying to change the option while a setting controls it.If you enable this setting offline files are fully synchronized. Full synchronization ensu
rying to change the option while a setting controls it.If you enable this setting offline files are fully synchronized at logon. Full synchronizati
on to "Quick" ensures only that all files in the cache are complete. Setting the synchronization action to "Full" ensures that all cached files
tion to a networked file and are working on a local copy of the file. Users can then decide how to proceed.If you enable this setting the syst
ed folders are synchronized at logon. Files and folders that are already available offline are skipped and are synchronized later.If you disab
ers until the number falls below this limit."Outstanding packets" are packets that the Packet Scheduler has submitted to a network adapte
r limits the system to 80 percent of the bandwidth of a connection but you can use this setting to override the default.If you enable this se
by the value of this entry.If you enable this setting you can override the default timer resolution established for the system usually units o
n the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting you can
SCP value in the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this settin
ue in the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting you c
DSCP value in the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setti
in the IP header of the packets.This setting applies only to packets that conform to the flow specification.If you enable this setting you can
n the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this setting y
SCP value in the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable th
ue in the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this settin
DSCP value in the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable t
in the IP header of the packets.This setting applies only to packets that do not conform to the flow specification.If you enable this setting
of the packets.If you enable this setting you can change the default priority value associated with the Best Effort service type.If you disabl
r-2 header of the packets.If you enable this setting you can change the default priority value associated with the Controlled Load service ty
der of the packets.If you enable this setting you can change the default priority value associated with the Guaranteed service type.If you d
er-2 header of the packets.If you enable this setting you can change the default priority value associated with the Network Control service
kets.If you enable this setting you can change the default priority value associated with nonconforming packets.If you disable this setting th
r of the packets.If you enable this setting you can change the default priority value associated with the Qualitative service type.If you disa
mputer network by polling and setting terminal values and monitoring network events.A valid community is a community recognized by th
protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal values and monito
manage a computer network by polling and setting terminal values and monitoring network events.This policy setting allows you to config
ou disable or do not configure this policy setting the default ECC curve order is used.Default Curve Order============curve25519NistP2
s policy setting default cipher suite order is used.Link for all the cipherSuites: http://go.microsoft.com/fwlink/?LinkId=517265
o4 connectivity is not available on the host.If you enable this policy setting you can specify a relay name for a 6to4 host.If you disable or d
le this policy setting you can specify the value for the duration at which the relay name is resolved periodically.If you disable or do not con
s the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of th
local host settings are used.If you enable this policy setting you can specify an IP-HTTPS server URL. You will be able to configure IP-HTTPS
ATAP router. If you enter an IPv4 address of the ISATAP router in the text box DNS services are not required.If you disable or do not configu
at is used to provide unicast IPv6 connectivity between IPv6 hosts across an IPv4 intranet.If you disable or do not configure this policy setti
is already in use by a system the Teredo client will fail to initialize.If you enable this policy setting you can customize a UDP port for the Te
of a dormant state.If you disable or do not configure this policy setting the local host setting is used.This policy setting contains only one st
do server sends a Router Advertisement Packet in response. This periodic packet refreshes the IP address and UDP port mapping in the tra
specify a Teredo server name that applies to a Teredo client.If you disable or do not configure this policy setting the local settings on the c
this policy setting the local host settings are used.If you enable this policy setting you can configure Teredo with one of the following settin
e number of autoconfigured addresses and routes.If you disable this policy setting IP Stateless Autoconfiguration Limits will be disabled an
oxes that don't interpret Window Scaling option correctly.If you do not configure this policy setting the local host settings are used.If you e
02.11 WLAN through the Windows Portable Device API (WPD) and via USB Flash drives.Additional options are available to allow discovery
n related tasks including "Set up a wireless router or access point" and "Add a wireless device" are disabled. If you disable or do not config
dios to reduce power consumption when the machine enters connected standby mode.If this policy setting is not configured or is disabled
en it determines that the computer should no longer be connected to a network.If this policy setting is disabled Windows will disconnect a
ed. If this policy setting is set to 0 a computer can have simultaneous connections to the internet to a Windows domain or to both. Int
c and manual network connection attempts based on the following circumstances:Automatic connection attempts- When the computer is
ction attempts to roaming provider networks are blocked until the client registers with the home provider network.If this policy setting is n
ces over the Push Button pairing method.If this policy setting is disabled or is not configured by default Push Button pairing is preferred (if
llowed.If this policy setting is disabled or is not configured by default Push Button pairing is allowed (but not necessarily preferred).
of the following values from the list will set the cost of all WLAN connections on the local machine:- Unrestricted: Use of this connection i
t to suggested open hotspots" enables Windows to automatically connect users to open hotspots it knows about by crowdsourcing netwo
ge Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If yo
alues from the list will set the cost of all 3G connections on the local machine:- Unrestricted: Use of this connection is unlimited and not re
g values from the list will set the cost of all 4G connections on the local machine:- Unrestricted: Use of this connection is unlimited and no
will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page.If this policy setting is dis
on this server. If you disable this policy setting or do not configure it Internet printing is not activated. Internet printing is an exte
ain controller e.g. a domain-joined laptop on a corporate network.) If this policy setting is disabled the network scan page will not be
e.g. a domain-joined laptop on a home network.)If this setting is disabled the network scan page will not be displayed.If this setting is not c
licy setting the print job name will be included in new log entries. Note: This setting does not apply to Branch Office Direct Printing job
er will not accept client connections nor allow users to share printers. All printers currently shared will continue to be shared.The spooler
rties' Sharing tab to publish shared printers in Active Directory. If you disable this setting this computer's shared printers cannot be p
cts from Active Directory if the computer that published them does not respond to contact requests. When the computer that published t
ove the performance of the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) on machines that have a relatively powerful CPU
indows print server.If you enable this policy setting on a client machine the client spooler will not process print jobs before sending them t
publishes all shared printers. If you disable this setting the Add Printer Wizard does not automatically publish printers. However you can
put format is the legacy Microsoft XPS (*.xps). If you disable or do not configure this policy setting the default MXDW output format i
he system only verifies published printers at startup. This setting allows for periodic verification while the computer is operating. To
g enable Location Tracking by enabling the "Pre-populate printer search location text" setting. When Location Tracking is enabled the
If you enable this policy setting you replace the "Get help with printing" default link with a link to a Web page customized for your en
printers. If a computer does not respond to the contact message (optionally after repeated attempts) the pruning service "prunes" (deletes
o contact attempts. This process keeps printer information in Active Directory current. The thread priority influences the order in wh
ers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact messag
n cause stop errors.If you disable this setting or do not configure it then printers using a kernel-mode drivers may be installed on the local
provide access to more device features but this may not be appropriate for all enterprises. If you enable this policy setting then all prin
. If you enable this setting the computer will restrict printing to printer connections on the corporate network or approved USB-conn
ailure will not cause the print spooler service to fail.If you enable or do not configure this policy setting the print spooler will execute print
rivers from Windows Update after it fails to find the compatible driver from the local driver store and the server driver cache.If you disabl
ation crash.Not all applications support driver isolation. By default Microsoft Excel 2007 Excel 2010 Word 2007 Word 2010 and certain othe
n Device Control Printing is enabled the system uses the specified list of vid/pid values to determine if the current USB connected printer i
computers that have published printers to verify that the printers are still available for use. If a computer does not respond to the contact
nt and print client computers will check the driver signature of all drivers that are downloaded from print servers.If this setting is disabled o
does not report compatibility.If you enable this policy setting the print spooler isolates all print drivers that do not explicitly opt out of Driv
is completely independent from the "Point and Print Restrictions" policy that governs the behavior of non-package point and print connec
ters that are members of a domain. If you enable this policy setting: -Windows XP and later clients will only download print drive
on Tracking overrides the standard method used to locate and associate computers and printers. The standard method uses a printer's IP a
you enable this setting the print spooler announces shared printers to the print browse master servers.If you disable this setting shared p
printers. This setting applies to printers running operating systems other than Windows 2000 and to Windows 2000 printers published ou
ts to documents opened while the setting is in effect. Also they retain but do not display existing document shortcuts. The system empties
ows will automatically select the size based on hardware form factor and users will be able to change the size of Start in Settings.
ng setting will also be disabled in Settings.
n will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off.Selecting "Col
does not prevent users from running Windows-based programs that perform these functions.If you enable this policy setting the shutdow
cannot change to hide it using the Settings app.Selecting "Hide" will force the "Most used" list to be hidden and user cannot change to sho
generated by the Export-StartLayout PowerShell cmdlet.To use this setting you must first manually configure a device's Start layout to the
the Windows Push Notification Service (WNS). This policy setting also stops applications from being able to poll application services to upd
ng processes.If you enable this policy setting the System State Data feature is activated when the user indicates that the shutdown or resta
e moved within an NTFS volume to another NTFS volume on the same computer or to an NTFS volume on another computer. The DLT cli
ys status messages that reflect each step in the process of starting shutting down logging on or logging off the system.If you disable or do
y you are shutting down the computer.If you enable this setting and choose "Always" from the drop-down menu list the Shutdown Event T
pted folder.If you disable or do not configure this policy setting File Explorer automatically encrypts files that are moved to an encrypted f
n to the server. If you disable or do not configure this policy setting the Manage Your Server page is displayed each time an administrator l
ly selected using the Start menu or Task Manager user interfaces. Applications such as UPS software may rely on Windows shutdown beh
nterfaces provided by the COM components. These programs cannot perform all their functions unless Windows has internally registered
able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timest
off.If you disable or do not configure this policy setting the system displays the message reminding users to wait while their system starts o
the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting. If yo
e this policy setting enter the file names names of the programs you want to restrict separated by commas. If you disable or do no
policy setting and specify the new location the files in that location will be used to repair operating system corruption and for enabling opti
figure this policy setting the Windows Setup source path will be the location used during the last time Windows Setup was run on the syste
ou disable or do not configure this policy setting the Windows Service Pack Setup source path will be the location used during the last tim
de that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system m
sers with the ability to send an email to request access to the file or folder to which they were denied access.If you enable this policy setti
tion features to improve. No information collected is used to identify or contact you. For more details read about the program online at htt
ot used during publishing. Example: %allusersprofile%\Microsoft\AppV\Client\Integration.

not used during publishing. Example: %localappdata%\Microsoft\AppV\Client\Integration.
h (Boolean). Global Publishing Refresh On Logon: Triggers a global publishing refresh on logon (Boolean). Global Publishing Re
practice is don't set this time to a busy hour e.g. 9AM. Delay reporting for the random minutes: The maximum minutes of random d
patible with BranchCache
tems can use virtual components.

e this policy setting the command line information for every process will be logged in plain text in the security event log as part of the Aud
9 certificate or Kerberos.If you enable this policy setting you can specify the servers to which the user's default credentials can be delegate
this policy setting you can specify the servers to which the user's default credentials can be delegated (default credentials are those that y
ficate or Kerberos.If you enable this policy setting you can specify the servers to which the user's fresh credentials can be delegated (fresh
this policy setting you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you
ficate or Kerberos.If you enable this policy setting you can specify the servers to which the user's saved credentials can be delegated (save
this policy setting you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you
entials cannot be delegated (default credentials are those that you use when first logging on to Windows).If you disable or do not configur
tials cannot be delegated (fresh credentials are those that you are prompted for when executing the application).If you disable or do not c
ntials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).If you di
encryption oracle attack against the client. This policy controls compatibility with vulnerable clients and servers. This policy allows you to
tial theft from attackers on the remote host.If you enable this policy setting the host supports Restricted Admin or Remote Credential Gua
n other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access t
ndows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. To enable this policy the machine
and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on
ues TPM certificate etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service va
ot configure this policy setting remote connections to the Plug and Play interface are not allowed.
fy before terminating the installation.If you disable or do not configure this policy setting Windows waits 240 seconds for a device installati
eport is not sent when a generic driver is installed.If you disable or do not configure this policy setting an error report is sent when a gener
s restore points for certain driver activity such as the installation of an unsigned driver. A system restore point enables you to more easily r
m the Internet. This policy setting overrides the setting in the Device Installation Settings dialog box (Control Panel > System and Security >
ng Windows will not send an error report to request additional software even if this is specified by the device driver.If you disable or do no
d installation process. Regardless of this policy setting a signed driver is still preferred over a driver that is not signed at all.If you enable or
ows Update unconditionally only if necessary or not at all.Note that searching always implies that Windows will attempt to search Window
) searches a Managed Server or a combination of both.Note that if both are specified then Windows will first search the Managed Server
led.If you disable or do not configure this policy setting "Found New Hardware" balloons appear while a device is being installed unless the
embers of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any
ered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled howev
evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is enabled however it may also
the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting is en
ensure that overlapping device match criteria is applied based on an established hierarchy where more specific match criteria supersedes l
splays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation.If you disab
s displays the text you type in the Detail Text box when a policy setting prevents device installation.If you disable or do not configure this
uation for Allow and Prevent device installation policies across all device match criteria" policy setting to provide more granular control. It
her policy setting that allows Windows to install a device.NOTE: To enable the "Allow installation of devices that match any of these devic
lows Windows to install a device.If you enable this policy setting Windows is prevented from installing a device whose device instance ID a
ce over any other policy setting that allows Windows to install a device.NOTE: To enable the "Allow installation of devices that match any
vable. For example a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is co
mount of seconds you want the system to wait until a reboot.If you disable or do not configure this policy setting the system does not forc
resume.If you disable this policy setting the system uses the NV cache to achieve faster boot and resume. The system determines the data
ed.If you disable this policy setting the hard disks are put into an NV cache power saving mode. In this mode the system tries to save powe
and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning
he.If you disable this policy setting the system will store frequently written data into the non-volatile (NV) cache. This allows the system to
older apply to fixed-media NTFS volumes only. Note: When this policy setting is applied the computer will apply the disk quota to both fixe
turned on and users cannot turn it off.If you disable the policy setting disk quota management is turned off and users cannot turn it on.If t
ng disk quota limits are not enforced. When you enable or disable this policy setting the system disables the "Deny disk space to users exce
enable this policy setting the system records an event when the user reaches their limit. If you disable this policy setting no event is record
ent. If you disable this policy setting no event is recorded. When you enable or disable this policy setting the system disables the correspo
tem volumes on a computer. It also specifies the warning level the point at which the user's status in the Quota Entries window changes to
changes (which can happen when you connect or disconnect a display that has a different display scale factor (DPI) connect remotely from
y setting GDI DPI Scaling is turned off for all applications in the list even if they are enabled by using ApplicationCompatibility database App
y setting GDI DPI Scaling is turned on for all legacy applications in the list.If you disable or do not configure this policy setting GDI DPI Scalin
DCOM server application id (appid) in the "Define Activation Security Check exemptions" policy (if enabled) DCOM will look for an entry in
this policy setting and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is
embers of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Window
er searching" in "Administrative Templates/System/Internet Communication Management/Internet Communication settings" is disabled o
driver can return the following classifications for each boot-start driver:- Good: The driver has been signed and has not been tampered wi
orized USB device reading data on an Enhanced Storage device.If you enable this policy setting only USB root hub connected Enhanced Sto
hat contain a manufacturer and product ID specified in this policy are usable on your computer.If you disable or do not configure this polic
his policy setting only IEEE 1667 silos that match a silo type identifier specified in this policy are usable on your computer.If you disable or d
d on your computer.If you disable or do not configure this policy setting non-Enhanced Storage removable devices are allowed on your com
you disable or do not configure this policy setting a password can be used to unlock an Enhanced Storage device.
or do not configure this policy setting Windows will activate unactivated Enhanced Storage devices.
ins locked when the computer is locked.If you disable or do not configure this policy setting the Enhanced Storage device state is not chan
Administrators can define the properties for the organization by using Group Policy and supplement these with properties defined on ind
(AD DS) and then group these properties into lists. Administrators can supplement these properties on individual file servers by using File
nt backup and restore of VSS aware applications storing data on SMB2 File Shares.By default the RPC protocol message between File Serve
of 1 will disable delete notifications for all volumes.
his setting will cause the long paths to be accessible within the process.
k to a Remote TargetRemote Link to Remote TargetRemote Link to Local TargetFor further information please refer to the Windows Help
sections to be non-pageable.The benefit of enabling this feature is a reduction in page-faults and stack usage at the cost of additional mem
e encrypted.
is value larger may decrease the time it takes to flush a volume but the flush may have a larger impact on other concurrent IO operations.
act on the system.If you enable short names on all volumes then short names will always be generated. If you disable them on all volumes
here the user might not want to download private data such as on a meeting room computer or on a computer in a remote office.To desig
parent Start Menu and legacy My Documents folder respectively.If you enable this policy setting Windows Vista Windows 7 Windows 8 an
n to a computer in a different forest when a trust across forests or a two-way forest trust exists.If you do not configure this policy setting:-
rom that GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to crea
uter startup and user logon) when a slow network connection is detected.If you enable this policy setting when a slow network connection
s the bandwidth speed of a Direct Access connection the detection can sometimes fail to provide any bandwidth speed information. If Gro
ative Templates\System\Disk Quotas.This policy setting overrides customized settings that the program implementing the disk quota polic
Settings\Security Settings.It overrides customized settings that the program implementing the encryption policy set when it was installed.I
lder Redirection. You can only set folder redirection policy for Group Policy objects stored in Active Directory not for Group Policy objects
session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mo
n this group is slower than the rate specified by this setting the system considers the connection to be slow.The system's response to a slo
ose in Windows Settings\Internet Explorer Maintenance.This policy setting overrides customized settings that the program implementing t
ws Settings\Security Settings\IP Security Policies on Local Machine.This policy setting overrides customized settings that the program imple
five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention. If you en
customized settings that the program implementing a registry policy set when it was installed.If you enable this policy setting you can use
s. It overrides customized settings that the program implementing the scripts policy set when it was installed.If you enable this policy setti
policy setting overrides customized settings that the program implementing the security policy set when it was installed.If you enable this
Software Settings\Software Installation. You can set software installation policy only for Group Policy Objects stored in Active Directory no
ose in public places laboratories and classrooms where you must modify the user setting based on the computer that is being used.By def
bling this policy disables web-to-app linking and http(s) URIs will be opened in the default browser instead of launching the associated app
ws Settings\Wired Network Policies.It overrides customized settings that the program implementing the wired network set when it was in
WindowsSettings\Wireless Network Policies.It overrides customized settings that the program implementing the wireless network set when
other Windows devices that belong to the same user and can participate in cross-device experiences.If you disable this policy setting the W
policy setting interactive users cannot generate RSoP data.If you disable or do not configure this policy setting interactive users can genera
processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous fore
ws device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences.If you disable this policy setti
applied at startup or when an official policy refresh occurs.If you disable or do not configure this policy setting the default behavior applie
mputer Configuration folder.In addition to background updates Group Policy for the computer is always updated when the system starts.B
hen the system starts.By default Group Policy on the domain controllers is updated every five minutes.If you enable this setting you can s
l the network is available or the default wait time is reached. If the startup policy processing is asynchronous the computer is not blocked
until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous the computer is not b
g the system waits until the current user logs off the system before updating the computer and user settings.If you disable or do not config
gs can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only do
udes details such as which Group Policy Objects (GPO) were applied where they came from and the client-side extension settings that wer
ation settings" section are set such that their respective features cannot access the Internet.If you disable this policy setting all of the the
http://windowsupdate.microsoft.com from the Windows Update hyperlink on the Start menu and also on the Tools menu in Internet Exp
ociated with any applications on the computer the user is given the choice to select a local application or use the Store service to find an a
cure email. Anyone can issue certificates but to have transactions that are as secure as possible certificates must be issued by a trusted ce
not prevent the client from printing to printers on the Intranet or the Internet over HTTP. It only prohibits downloading drivers that are n
ernet browser when clicked. In addition "More Information" is placed at the end of the description text if the event is created by a Microso
g style by providing writing samples. The tool can optionally share user writing samples with Microsoft to improve handwriting recognition
s and transmits them to Microsoft over a secure connection. Microsoft uses these error reports to improve handwriting recognition in futu
rt Center and provides up-to-date information about Windows and the computer.If you enable this policy setting the Help and Support Ce
-help tools for Microsoft products and is searched as part of all Help and Support Center searches with the default search options.If you en
t Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs w
ervices such as online storage and photographic printing. By default Windows displays providers downloaded from a Windows website in
iated with any applications on the computer the user is given the choice to select a local application or use the Web service to find an app
client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared prin
line registration and users cannot register their copy of Windows online.If you disable or do not configure this policy setting users can con
anion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display re
rder prints online.If you enable this policy setting the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.If yo
ders.The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web.If you enable this po
users can allow Microsoft to collect anonymous information about how the product is used. This information is used to improve the produ
how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name address or any other pe
improve the quality of the product.If you enable this policy setting users are not given the option to report errors.If you disable or do not c
work.As part of determining the connectivity level NCSI performs one of two active tests: downloading a page from a dedicated Web serve
n a new device is installed.If you disable this policy setting Windows Update is always searched for drivers when no local drivers are presen
ay be established.
established.
y be established. Note that if the "Do not allow sessions without mutual CHAP" setting is enabled then that setting overrides this one.
d targets may be manually configured. Note: if enabled there may be cases where this will break VDS.
s new targets discovered via those iSNS servers; existing iSNS servers may be removed.
new targets discovered on those portals; existing target portals may be removed.
this policy setting client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor
d.This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension.If you enable this policy se
age about previous logons.For Windows Logon to leverage this feature the "Display information about previous logons during user logon"
pound authentication and Kerberos armoring" must be configured and enabled. If you enable this policy setting domain controllers will req
C will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a glob
this policy setting you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high then authentication f
olicy setting the cloud kerberos ticket is retrieved during the logon.
hentication the policies "KDC support for claims compound authentication and Kerberos armoring" and "Request compound authenticatio
DNS suffixes mapped to a Kerberos realm as defined by Group Policy. To view the list of mappings enable the policy setting and then click
the list of interoperable Kerberos V5 realms and their settings. To view the list of interoperable Kerberos V5 realms enable the policy settin
is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. Warning: When revoc
moring by enabling "Support Dynamic Access Control and Kerberos armoring" then all authentication for all its users will fail from compute
se features. If you enable this policy setting the client computers will request claims provide information required to create compounded
s X.509 certificate contains the KDC key purpose object identifier in the Extended Key Usage (EKU) extensions and that the KDC's X.509 cer
is server with a NULL value for the service principal name (SPN) computers running Windows 7 or later attempt to use Kerberos by genera
um size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group membe
or a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain ena
domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Suppo
u to set support for Kerberos to attempt authentication using the certificate for the device to the domain.If you enable this policy setting th
arches the forests in this list if it is unable to resolve a two-part SPN. If a match is found the Kerberos client requests a referral ticket to the
oes not apply to 1394 PCMCIA or ExpressCard devices.

ers may select any GeoID.If you enable this policy setting at the computer level it cannot be disabled by a per-user policy setting. If you dis
. Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. If the policy is Enabled
e selection of replacement locales. To prevent the selection of replacement locales adjust the permissions of the %windir%\Globalization
rst reset the user(s) values to the defaults and then apply this policy.When this policy setting is enabled users can still choose alternate loc
ever the next time that an administrator attempts to change the computer's system locale they will be restricted to the specified list.The lo
ngs; however the next time a user attempts to change their user locale their choices will be restricted to locales in this list.To set this policy
cted Standby device can change the amount of time after the device's screen turns off before a password is required when waking the dev
s attempts to load a custom background instead of the Windows-branded logon background. If you disable or do not configure this policy
ent computers Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at s
tile.If you disable or do not configure this policy setting the system picks the default credential provider on other user tile.Note: A list of re
for logon the domain to which the computer belongs is assumed as the default domain. For example if the computer belongs to the Fabrik
een.If you disable or do not configure this policy setting the user may choose to show account details on the sign-in screen.
hout signing into Windows.If you disable or don't configure this policy setting any user can disconnect the PC from the network or can con
to a computer where this policy is applied.Users can still display the welcome screen by selecting it on the Start menu or by typing ""Welco
puters.If you disable or do not configure this policy setting connected users will be enumerated on domain-joined computers.
essional and Windows 2000 Professional. These programs are added to the standard run list of programs and services that the system star
These programs are added to the standard list of programs and services that the system starts.If you enable this policy setting the system
ot configure this policy setting the Logon UI will not enumerate local users on domain-joined computers.
or when authentication is required.Windows Vista provides two default credential providers:Password and Smart Card. An administrator
ttempting to log on or is logged on to the computer that has this policy applied. The locations that Switch User interface appear are in the L
he time the user logs on to this computer that has this policy applied.To specify values for this policy setting click Show. In the Show Conte
logon background image adopts the acrylic blur effect.
nitial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt fo
ure this policy setting users can choose which apps display notifications on the lock screen.
or don't configure this policy setting a domain user can set up and use a picture password.Note that the user's domain password will be ca
r don't configure this policy setting a domain user can't set up and use a convenience PIN.Note: The user's domain password will be cached
is policy setting users can't sign in with external security keys.
pecified as the Value name including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be
to be in 3 modes: On Off and Audit. By default it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your o
r are not as secure as newer algorithms used in Windows 2000 or later including this version of Windows.By default Net Logon will not allo
lator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feat
u enable this policy setting the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the
e domain controllers (DC) discovers a DC that has not been discovered.- On the PDC attempts to add the <DomainName>[1B] NetBIOS nam
this setting is enabled the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share
and then enter the desired value in seconds (for example the value "60" is 1 minute).If you do not configure this policy setting it is not app
bug information is logged.If you enable this policy setting and specify a non-zero value debug information will be logged to the file. Higher
is policy setting the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak a
n the time set in this setting DC Discovery immediately fails without attempting to find the DC.The default value for this setting is 45 secon
the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the
ccess and replication.To specify the site name for this setting click Enabled and then enter the site name. When the site to which a comput
cording to the Use maximum DC discovery retry interval policy setting but when the value set in this policy setting is reached no more retr
value for this setting is 10 minutes (10*60). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value
set at 10 minutes then 20 minutes and then 40 minutes but when the interval reaches the value set in this setting that value becomes the
ormation to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967
ng both old and new operating systems the default DC locator discovery behavior may be insufficient to find DCs running a newer operatin
r first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to eac
ery fails and the NetBIOS domain name is known the algorithm then uses NetBIOS-based discovery as a fallback mechanism.NetBIOS-base
tive Directory domain. When DC Locator finds a domain controller it caches domain controllers to improve the efficiency of the location a
6 the returned DC IP address was IPv4. But with the support of IPv6 the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC
ervice and are used to locate the DC.The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s T
cate the domain controller (DC).To specify the TTL for DC Locator DNS records click Enabled and then enter a value in seconds (for exampl
on service and they are used to locate the DC.The Weight field in the SRV record can be used in addition to the Priority value to provide a lo
locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed the DC may do an
tions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied.Select the mnemonics from the
d by the Locator algorithm to locate the DC.If you enable this policy setting DCs to which this setting is applied dynamically register DC Loc
used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update.DCs configured to perfor
RV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides a
ds registered for the site where the DC resides and records registered by a DC configured to register DC Locator DNS SRV records for those
s registered for the site where the GC resides and records registered by a GC configured to register GC Locator DNS SRV records for those s
est site during DC Location streamlines network traffic more effectively.The DC Locator service is used by clients to find domain controllers
for the same forest exists). These DNS records are dynamically registered by the Net Logon service and they are used to locate the DC.If yo
S name resolution only if DNS name resolution fails. This policy including the specified default behavior is not used if the AllowSingleLabelD
s used. If the AllowDnsSuffixSearch policy is disabled then NetBIOS name resolution is used exclusively to locate a domain controller hostin
r DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered S
disable this policy setting history of Clipboard contents are not allowed to be stored. Policy change takes effect immediately.
gged in under the same Microsoft account or Azure AD account. If you disable this policy setting Clipboard contents cannot be share
etting activities of type User Activity are not allowed to be published. Policy change takes effect immediately.
is policy setting activities of type User Activity are not allowed to be uploaded. Deletion of activities of type User Activity are indepe
ties across device graph of the user. If you disable this policy setting activities can't be published and ActivityFeed shall disable cloud
be set to never expire if the policy is set to 0.Default: 0.
tinually. PIN history is not preserved through PIN reset.The value must be between 0 to 50 PINs. If this policy is set to 0 then storage of pre
ger than the number configured in the Minimum PIN length policy setting or the number 4 whichever is greater.If you configure this policy
han the number configured in the Maximum PIN length policy setting or the number 127 whichever is the lowest.If you configure this polic
not allow the user to include digits in their PINs.If you do not configure this policy setting Windows allows but does not require digits in th
setting Windows does not allow the user to include lowercase letters in their PIN.If you do not configure this policy setting Windows allow
y setting Windows does not allow the user to include uppercase letters in their PIN.If you do not configure this policy setting Windows allo
a power plan from the Active Power Plan list.If you disable or do not configure this policy setting users control this setting.
If you enable this policy setting you must specify a power plan specified as a GUID using the following format: XXXXXXXX-XXXX-XXXX-XXXX
st select the desired action.If you disable this policy setting or do not configure it users can see and change this setting.
st select the desired action.If you disable this policy setting or do not configure it users can see and change this setting.
select the desired action.If you disable this policy setting or do not configure it users can see and change this setting.
select the desired action.If you disable this policy setting or do not configure it users can see and change this setting.
elect the desired action.If you disable this policy setting or do not configure it users can see and change this setting.
elect the desired action.If you disable this policy setting or do not configure it users can see and change this setting.
ou disable this policy or do not configure this policy setting users control this setting.
ou disable this policy or do not configure this policy setting users control this setting.
er will be automatically turned on at (and below) the specified level.If you disable or do not configure this policy setting users control this s
er will be automatically turned on at (and below) the specified level.If you disable or do not configure this policy setting users control this s
ore Windows turns off the hard disk.If you disable or do not configure this policy setting users can see and change this setting.
ore Windows turns off the hard disk.If you disable or do not configure this policy setting users can see and change this setting.
-Sleep-Hibernate-Shut downIf you disable or do not configure this policy setting users control this setting.
the battery level that triggers the critical notification.To set the action that is triggered see the "Critical Battery Notification Action" policy s
eep-Hibernate-Shut downIf you disable or do not configure this policy setting users control this setting.
battery level that triggers the low notification.To set the action that is triggered see the "Low Battery Notification Action" policy setting.If
evel that triggers the reserve power notification.If you disable or do not configure this policy setting users can see and change this setting.
apacity remaining equals the low battery notification level. To configure the low battery notification level see the "Low Battery Notification
ep after a period of user inactivity.If you disable or do not configure this policy setting applications services or drivers do not prevent Wind
ep after a period of user inactivity.If you disable or do not configure this policy setting applications services or drivers do not prevent Wind
ure this policy setting the computer does not automatically sleep when network files are open.
ure this policy setting the computer does not automatically sleep when network files are open.
u disable this policy setting network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN netw
u disable this policy setting network connectivity in standby is not guaranteed. This connectivity restriction currently applies to WLAN netw
tes to put the computer in a sleep state.If you disable this policy setting standby states (S1-S3) are not allowed.
tes to put the computer in a sleep state.If you disable this policy setting standby states (S1-S3) are not allowed.
when the system resumes from sleep.If you disable this policy setting the user is not prompted for a password when the system resumes fr
when the system resumes from sleep.If you disable this policy setting the user is not prompted for a password when the system resumes fr
le time should elapse before Windows transitions to hibernate.If you disable or do not configure this policy setting users control this settin
le time should elapse before Windows transitions to hibernate.If you disable or do not configure this policy setting users control this settin
me should elapse before Windows transitions to sleep.If you disable or do not configure this policy setting users control this setting.If the u
me should elapse before Windows transitions to sleep.If you disable or do not configure this policy setting users control this setting.If the u
a value in seconds indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended.
a value in seconds indicating how much idle time should elapse before Windows automatically transitions to sleep when left unattended.
tting users control this setting.
tting users control this setting.
ping (Hybrid Sleep Stand By or Hibernate).If you disable or do not configure this policy setting users control this setting.
ping (Hybrid Sleep Stand By or Hibernate).If you disable or do not configure this policy setting users control this setting.
ow much idle time should elapse before Windows automatically reduces the brightness of the display.Windows will only reduce the brigh
ow much idle time should elapse before Windows automatically reduces the brightness of the display.Windows will only reduce the brigh
cating the display brightness when Windows automatically reduces brightness of the display.If you disable or do not configure this policy s
cating the display brightness when Windows automatically reduces brightness of the display.If you disable or do not configure this policy s
ed on what users do with their keyboard or mouse to keep the display on.If you disable this policy setting Windows uses the same setting
ed on what users do with their keyboard or mouse to keep the display on.If you disable this policy setting Windows uses the same setting
elapse before Windows turns off the display.If you disable or do not configure this policy setting users control this setting.If the user has co
elapse before Windows turns off the display.If you disable or do not configure this policy setting users control this setting.If the user has co
the desktop background slideshow is disabled.If you disable or do not configure this policy setting users control this setting.
the desktop background slideshow is disabled.If you disable or do not configure this policy setting users control this setting.
ystem image. If you enable or do not configure this policy setting the items "Use a system image you created earlier to recover your com
licy setting does not affect Remote Assistance connections that are initiated by instant messaging contacts or the unsolicited Offer Remote
upport staff using Offer (Unsolicited) Remote Assistance.If you disable this policy setting users on this computer cannot get help from their
or help. Also users can use instant messaging programs to allow connections to this computer and you can configure additional Remote A
his or her computer.The "Display warning message before connecting" policy setting allows you to specify a custom message to display bef
ous optimization setting.For example:"Turn off background" will include the following optimizations:-No full window drag-Turn off backgro
licy setting log files are not generated.If you do not configure this setting application-based settings are used.
rs running Windows NT4 (all service packs) cannot process authentication information supplied in this manner. If you disable this policy se
gation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QO
only needed state data is required for troubleshooting RPC problems.If you disable this policy setting the RPC runtime defaults to "Auto2"
d the name of the computer on which the error occurred or from which it was propagated. Programs can retrieve the extended error infor
tting should be used with caution as it can impact a wide range of functionality including group policy processing itself. Reverting a change
ut than the IIS server running the RPC/HTTP proxy. In such cases RPC/HTTP clients may encounter errors because connections will be time
ch class.If you enable this policy setting no access is allowed to any removable storage class.If you disable or do not configure this policy s
ote sessions.If you disable or do not configure this policy setting remote users cannot open direct handles to removable storage devices in
his policy setting execute access is allowed to this removable storage class.
icy setting read access is allowed to this removable storage class.
olicy setting write access is allowed to this removable storage class.
setting read access is allowed to these removable storage classes.
cy setting write access is allowed to these removable storage classes.
u disable or do not configure this policy setting execute access is allowed to this removable storage class.
le or do not configure this policy setting read access is allowed to this removable storage class.
ble or do not configure this policy setting write access is allowed to this removable storage class.
e access is allowed to this removable storage class.
allowed to this removable storage class.
is allowed to this removable storage class.Note: To require that users write data to BitLocker-protected storage enable the policy setting "
ng you can set the number of seconds you want the system to wait until a reboot.If you disable or do not configure this setting the operati
is policy setting execute access is allowed to this removable storage class.
y setting read access is allowed to this removable storage class.
cy setting write access is allowed to this removable storage class.
ble storage class.If you disable or do not configure this policy setting read access is allowed to this removable storage class.
able storage class.If you disable or do not configure this policy setting write access is allowed to this removable storage class.
on to the computer.If you enable this policy setting user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons withou
oes not display the instructions in the shutdown script.If you enable this policy setting the system displays each instruction in the shutdown
ructions in the startup script.If you enable this policy setting the system displays each instruction in the startup script as it runs. Instruction
start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user start
efore it runs the next startup script.If you enable this policy setting the system does not coordinate the running of startup scripts. As a resu
on-Windows PowerShell scripts. If you enable this policy setting within each applicable Group Policy Object (GPO) Windows PowerShell sc
s PowerShell scripts. If you enable this policy setting within each applicable Group Policy Object (GPO) PowerShell scripts are run before n
olicy to finish running. If the scripts have not finished running when the specified time expires the system stops script processing and reco
formation on the ROCA vulnerability please see:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361https://en.wikipedia.or
e managing by using Server Manager. Server Manager also monitors the status of roles and features installed on managed servers.If you e
tial Configuration Tasks window is not displayed when an administrator logs on to the server. If you disable this policy setting the Initial Con
u disable this policy setting Server Manager is displayed automatically when a user logs on to the server.If you do not configure this policy
d on them.This includes a policy requiring all binaries loaded in these processes to be signed by microsoft as well as a policy disallowing dy
y terminated if they attempt to cancel shutdown or block it indefinitely.If you enable this setting console applications or GUI applications w
Updates would not be downloaded for the Disk Failure Prediction Failure Model. Not configured: Same as Enabled.
the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the "Configure Storage Sense cadence
lete the user’s temporary files that are not in use. Users cannot disable this setting in Storage settings.Disabled:Storage Sense will not dele
desired Storage Sense cadence. Supported options are: daily weekly monthly and during low free disk space. The default is 0 (during low
ffect.Enabled:You must provide the minimum number of days a cloud-backed file can remain unopened before Storage Sense dehydrates
e any effect.Enabled:You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it.
olicy does not have any effect.Enabled:You must provide the minimum number of days a file can remain unopened before Storage Sense d
n the event of a problem to restore their computers to a previous state without losing personal data files. The behavior of this policy setti
sing personal data files. By default System Restore is turned on for the boot volume.If you enable this policy setting System Restore is turn
em detection and troubleshooting only the DPS will detect problems and attempt to determine their root causes. These root causes will be
d in megabytes. Detailed troubleshooting data related to scenarios will be retained until this limit is reached.If you disable or do not confi
Computer Configuration\Administrative Templates\Windows Components\Application Compatibility.
ring application installation failures during application runtime and drivers blocked due to compatibility issues. When failures are detected
mal UI display. Windows will attempt to present you with a dialog box when a system restart is required. This is the default recovery beha
disk diagnostic message. The custom text may not exceed 512 characters. If you disable or do not configure this policy setting Windows dis
Windows. A disk that reports a S.M.A.R.T. fault may need to be repaired or replaced. The Diagnostic Policy Service (DPS) detects and logs S
ts to resolve automatically any heap corruption problems.If you disable this policy setting Windows cannot detect troubleshoot and attem
s policy setting administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem.If you disa
oblems MSDT may prompt the user to download additional tools for troubleshooting.These tools are required to completely troubleshoot
this policy setting users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem.By default the sup
olicy setting will allow the user to configure how troubleshooting is applied.Enabling this policy allows you to configure how troubleshootin
be turned on. Windows will prompt the user with a dialog box when application reinstallation is required. This is the default recovery beh
shooting only Windows will periodically detect and troubleshoot problems. The user will be notified of the problem for interactive resoluti
alidates the signer of any diagnostic package and runs only those signed by trusted publishers.If you disable or do not configure this policy
mputers.If you enable or do not configure this policy setting users can access and run the troubleshooting tools from the Troubleshooting C
om within the Troubleshooting Control Panel UI by clicking "Yes" when they are prompted by a message that states "Do you want the mos
oubleshooting only the Diagnostic Policy Service (DPS) will detect Windows Boot Performance problems and attempt to determine their ro
by default.If you disable this policy setting the DPS is not able to diagnose memory leak problems.This policy setting takes effect only unde
detection and troubleshooting only the Diagnostic Policy Service (DPS) will detect Windows Resource Exhaustion problems and attempt to
and troubleshooting only the Diagnostic Policy Service (DPS) will detect Windows Shutdown Performance problems and attempt to determ
ection and troubleshooting only the Diagnostic Policy Service (DPS) will detect Windows Standby/Resume Performance problems and atte
and troubleshooting only the Diagnostic Policy Service (DPS) will detect Windows System Responsiveness problems and attempt to determ
ocally the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization withou
om being sent to the TPM on the computer. TPM commands are referenced by a command number. For example command number 129 i
an Ready including if the TPM is “Ready with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboo
this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the
list of blocked TPM commands and will only block those TPM commands specified by Group Policy or the local list.The default list of block
f blocked TPM commands and will only block those TPM commands specified by Group Policy or the default list.The local list of blocked TP
n the duration for Standard User Lockout Duration equals this value the standard user is prevented from sending commands to the Truste
commands with an authorization failure within the duration equals a threshold a standard user is prevented from sending commands req
rd users within the duration for Standard User Lockout Duration equals this value all standard users are prevented from sending command
profile is created at the location that is specified by the administrator.For the Windows XP Professional and Windows 2000 Professional op
o the file share storing the user's profile and 64 kilobytes of data is transfered. From that connection and data transfer the network's laten
en users with roaming profiles log off the system also saves a copy of their roaming profile on the hard drive of the computer they are usin
ecific user profile was accessed.If you enable this policy setting the User Profile Service will automatically delete on the next system restar
er profile. When the system detects a slow link the related policy settings in this folder tell the computer how to respond.If you enable this
ogin. The profile is created at the location that is specified by the administrator.For Windows 2000 Professional pre-SP4 and Windows XP p
where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable th
logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior preventing Windows from lo
curity for user data on computers where the user might not want to download private data such as on a meeting room computer or on a c
sages explaining that any of the following events has occurred:-- The system detects a slow connection between the user's computer and
tion related to a roaming user (which includes the user's settings data Windows Installer related data and the like) when their profile is de
ops trying. As a result the user profile might not be current and local and roaming user profiles might not match.When a user logs off of th
f they have already logged on to this computer in the past the roaming profile is merged with the local profile. Similarly when the user logs
ming profile is copied down to the local computer. If the user has logged on to the computer in the past the roaming profile is merged with
l be allowed to define whether they want their roaming profile to be downloaded when a slow link with their roaming profile server is det
tting is useful for the cases in which a network might take typically longer to initialize such as with a wireless network.Note: Windows doesn
work share in the form \\Computername\Sharename\. It is recommended to use a path such as \\Computername\Sharename\%USERNAM
er data and regular profiles are not be uploaded) and uploads it only if the user is logged on. This policy setting does not stop the roaming
ified local or network location creating a new folder for each user name.To use this policy setting in the Location list choose the location fo
s across apps.If you disable or do not configure this policy setting users can control whether apps can use the advertising ID for experience
nformation may be controlled by setting one of the following options:"Always on" - users will not be able to change this setting and the us
w connection but does not respond in the time allowed.This policy setting and related policy settings in this folder together define the syst
ot appear during file scanning.If you disable or do not configure this policy setting the file scan progress window appears.
aches the quota. If the quota is greater than 50 MB Windows File Protection adds other important Windows XP files to the cache until the
policy setting select a rate from the "Scanning Frequency" box. You can use this setting to direct Windows File Protection to scan files mo
disable this setting or do not configure it the Windows File Protection cache is located in the %Systemroot%\System32\Dllcache directory
target machines use the settings provided here. Otherwise the service on target machines use locally configured settings values.For more
not configure this policy setting the WIndows NTP Client uses the defaults of each of the following parameters.NtpServerThe Domain Nam
sable this service if you decide to use a third-party time provider.If you enable this policy setting you can set the local computer clock to sy
s.If you disable or do not configure this policy setting your computer cannot service NTP requests from other computers.
te a list of approved Activex Install sites specified by host URL. If you enable this setting the administrator can create a list of approved Acti
you disable or do not configure this policy setting ActiveX controls prompt the user before installation. If the trusted site uses the HTTPS p
ugh the SharedLocal folder. This folder is available through the Windows.Storage API. If you disable this policy a Windows app can't sh
Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).If you disable o
fter the user signs off:Roaming user profiles to which the "Delete cached copies of roaming profiles" Group Policy setting appliesMandator
develop Microsoft Store apps and install them directly from an IDE. If you disable or do not configure this setting you cannot develop M
his policy setting then the system will not archive any apps.If you do not configure this policy setting (default) then the system will follow d
s apps on volumes that are not the system volume. If you disable or do not configure this setting you can move or install Windows app
to-update in the background. Default is 'disabled' (key not present).
you disable this policy sideloaded apps will auto-update in the background on a metered network. Default is 'disabled' (key not prese
wish to install an app will need to do so from an Administrator context (for example an Administrator PowerShell window). All users will s
of where the app is installed. If you disable or do not configure this setting then when an app is moved to a different volume the users
e Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setti
kage Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If
e Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you
amily Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you ch
ecifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmd
ily Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choo
amily Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you ch
can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the d
ly Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choos
e Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you
ckage Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.I
ify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for
with a voice keyword by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to be acti
an interact with applications using speech while the system is locked by using Settings > Privacy on the device.If you choose the "Force All
me. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting override
Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting
Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you
Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting over
the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default s
this policy setting Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise acc
is a risk that a Windows Store app might compromise the system by opening a file in the default desktop app for a file type.If you enable
here is a risk that a URI scheme launched by a Windows Store app might compromise the system by launching a desktop app.If you enable
hich declare Windows Runtime API access in ApplicationContentUriRules section of the manifest cannot be launched; Universal Windows a
hentication capability on a computer.If you enable this policy setting you can define additional Content URI Rules that all Windows Store ap
n off the MS-DOS subsystem which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit applic
tibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affec
m. If a match for the application is found it provides either run-time solutions or compatibility fixes or displays an Application Help messag
rning Application Telemetry off by selecting "enable" will stop the collection of usage data.If the customer Experience Improvement progr
tion is used to help diagnose compatibility problems.If you enable this policy setting the Inventory Collector will be turned off and data wil
A will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA go to System->Troubleshooting and
Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input user i
o old applications and new behavior to new applications. Switchback is on by default.If you enable this policy setting Switchback will be tu
t configure this policy setting AutoPlay is enabled for non-volume devices.
o do when a device is connected. If you disable or do not configure this policy setting AutoPlay remembers user's choice of what to d
Windows Vista when media containing an autorun command is inserted the system will automatically execute the program without user
media start immediately. Prior to Windows XP SP2 Autoplay is disabled by default on removable drives such as the floppy disk drive (b
rator can backup only volumes hosting OS components and no data only volumes can be backed up.If you disable or do not configure this
Server Backup to run backups to a locally attached storage or disk.If you disable or do not configure this policy setting there is no restrictio
Backup to run backups to a network share.If you disable or do not configure this policy setting there is no restriction on network share bein
Backup to run backups to an optical media.If you disable or do not configure this policy setting there is no restriction on optical media bein
to run non-scheduled run-once backups.If you disable or do not configure this policy setting there is no restriction on running run-once ba
s allows domain users to log on to a domain-joined computer using biometrics.If you disable this policy setting Windows prevents domain
un applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics you must also configure the "A
omain users to log on using biometrics" policy setting will need to be enabled for domain users to log on to the domain.If you enable or do
g inactive.If you enable this policy setting you can configure the fast user switch event timeout to specify the number of seconds the event
ti-spoofing for Windows Hello face authentication. This disables Windows Hello face authentication on devices that do not support enhanc
word. This policy setting is applied when you turn on BitLocker.If you enable this policy setting you can specify the path that will be used a
no effect if the drive is already encrypted or if encryption is in progress.If you enable this policy setting you will be able to configure an enc
no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Micr
no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Micr
rver 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker.Two recovery options can be used to unlock BitLock
devices connected to the host Thunderbolt PCI ports. Every time the user locks the machine DMA will be blocked on hot plug Thunderbol
ypt data. This policy setting applies only when BitLocker protection is enabled.If you enable this policy setting memory will not be overwritt
he identification field allows you to associate a unique organizational identifier to BitLocker-protected drives. This identifier is automatical
crypted by BitLocker to prevent data loss due to lack of key information. This policy setting is only applicable to computers running Windo
ed in the enhanced key usage (EKU) of a certificate. BitLocker can identify which certificates may be used to authenticate a user certificat
rvice Pack 3 (SP3) or Windows XP with Service Pack 2 (SP2) operating systems.If this policy setting is enabled or not configured fixed data d
data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected fixed data drives. B
e-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.If you enable
plexity requirements on the password and configure a minimum length for the password. For the complexity requirement setting to be eff
n be used to authenticate user access to the drive. You can require a smart card authentication by selecting the "Require use of smart card
will be mounted as read-only. If the drive is protected by BitLocker it will be mounted with read and write access.If you disable or do not co
ve is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker
tup PIN with TPM" and "Require startup key and PIN with TPM" options of the "Require additional authentication at startup" policy on co
s numbers and spaces. This policy setting is applied when you turn on BitLocker.If you enable this policy setting all new BitLocker startup P
enabled computers to automatically unlock the operating system drive when the computer is started.If you enable this policy clients confi
only loads firmware that is digitally signed by authorized software publishers. Secure Boot also provides more flexibility for managing pre
BitLocker.The "Allow certificate-based data recovery agent" check box is used to specify whether a data recovery agent can be used with B
mum length of 4 digits and can have a maximum length of 20 digits. If you enable this policy setting you can require a minimum numb
ecovery message and URL" option the default BitLocker recovery message and URL will be displayed in the pre-boot key recovery screen. I
not have a compatible TPM or if BitLocker has already been turned on with TPM protection.If you enable this policy setting before turning
not have a compatible TPM or if BitLocker has already been turned on with TPM protection.Important: This group policy only applies to co
not have a compatible TPM or if BitLocker has already been turned on with TPM protection.Important: This group policy only applies to co
ardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.If you
ord enforce complexity requirements on the password and configure a minimum length for the password. For the complexity requirement
you turn on BitLocker.If you enable this policy setting standard users will not be allowed to change BitLocker PINs or passwords.If you disa
as that used by tablets) isn't available in the pre-boot environment where BitLocker requires additional information such as a PIN or Passw
(TPM). This policy setting is applied when you turn on BitLocker.Note: Only one of the additional authentication options can be required a
cy setting is applied when you turn on BitLocker.Note: This policy is only applicable to computers running Windows Server 2008 or Windo
be refreshed when Windows is started following BitLocker recovery.If you disable this policy setting platform validation data will not be re
default settings or both.If you disable this policy setting the computer will revert to a BCD profile similar to the default BCD profile used b
ith Service Pack 3 (SP3) or Windows XP with Service Pack 2 (SP2) operating systems.If this policy setting is enabled or not configured remo
Allow data recovery agent" check box is used to specify whether a data recovery agent can be used with BitLocker-protected removable d
dware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.If you e
lexity requirements and configure a minimum length. For the complexity requirement setting to be effective the Group Policy setting "Pas
an be used to authenticate user access to the drive. You can require a smart card authentication by selecting the "Require use of smart ca
rol how users can configure BitLocker. Choose "Allow users to apply BitLocker protection on removable data drives" to permit the user to
itLocker-protected will be mounted as read-only. If the drive is protected by BitLocker it will be mounted with read and write access.If the
Camera devices will be disabled.
ettings.If you enable this policy setting and set it to Hide the Chat icon will be hidden by default. Users can show or hide it in Settings.If yo
ntextual popups explaining how to use Windows. Microsoft uses diagnostic data to determine which tips to show.Note: If you disable or d
lient component will instead present the default fallback content. If you disable or do not configure this policy Windows experience
nt the default fallback content.If you disable or do not configure this policy Windows experiences will be able to use cloud optimized cont
m Microsoft and notifications about their Microsoft account.If you disable or do not configure this policy setting users may see suggestions
t configure it your PC is discoverable and can be projected to above lock screen only. The user has an option to turn it always on or off exc
ou set this to 'Always' all pairings will require PIN.
user types a password in the password entry text box.If you disable or do not configure this policy setting the password reveal button will
o elevate a running application.If you enable this policy setting all local administrator accounts on the PC will be displayed so the user can c
This policy affects nonlogon authentication tasks only. As a security best practice this policy should be enabled.If you enable this policy setti
ws diagnostic data collected from the Windows device and the customer will be the controller. The device must be registered in Azure AD f
ed by Desktop Analytics. 2 – Diagnostic data is allowed to be processed by Desktop Analytics. If you disable or do not configu
dows diagnostic data.
gs app. The diagnostic data collected under this policy impacts the operating system and apps that are considered part of Windows and do
ssed by Update Compliance. 16 – Diagnostic data is allowed to be processed by Update Compliance. If you disable or do not
data is not processed by Windows Update for Business cloud.. 8 – Diagnostic data is allowed to be processed by Windows Update f
ure this policy setting the Connected User Experience and Telemetry service will automatically use an authenticated proxy to send data ba
Edge does not send browsing history data to Desktop Analytics.Supported versions: Microsoft Edge on Windows 10 version 1809Default s
within your organization’s network (and optionally a port number if desired). The connection will be made over a Secure Sockets Layer (SSL
agnostic data change notifications" diagnostic data opt-in change notifications will not appear.If you set this policy setting to "Enable diagn
sabled in the Settings app.If you don’t configure this policy setting or you set it to "Enable diagnostic data opt-in settings" end users can ch
upload endpoint then use this setting to define that endpoint.The value for this setting will be provided by Microsoft as part of the onboa
ice to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be p
ttings page preventing the deletion of diagnostic data collected by Microsoft from the device.If you disable or don't configure this policy se
e enabled in Settings page and it will prevent the viewer from showing diagnostic data collected by Microsoft from the device.If you disabl
't configure this policy setting Windows will periodically attempt to connect with the OneSettings service to download configuration settin
dows Feedback app.If you disable or do not configure this policy setting users may see notifications through the Windows Feedback app a
service to the Microsoft\Windows\Privacy-Auditing\Operational EventLog channel.If you disable or don't configure this policy setting Win
configured to send optional diagnostic data.By enabling this policy setting diagnostic logs will not be collected.If you disable or do not con
nostic data.By enabling this setting Windows Error Reporting is limited to sending kernel mini dumps and user mode triage dumps.If you d
ete the following steps: 1. Enable this policy setting 2. Set the "Allow Diagnostic Data" policy to "Send optional diagnostic data" 3. En
cy setting users can download and install preview builds of Windows by configuring Windows Insider Program settings.If you disable this p
the device runs low on disk space.
40 (for 40%). The device can download from peers while on battery regardless of this policy.The value 0 means "not-limited"; The cloud se
P addresses. To add multiple values separate each FQDN or IP address by commas.
tions the client will query DHCP Option ID 235 and use the returned value as the Cache Server Hostname. Option 2 overrides the Cache Se
(to allow downloads from peers first).
ntire payload or complementing the bytes that could not be downloaded from Peers.Note that a download that is waiting for peer sources
(to allow downloads from peers first).
oading the entire payload or complementing the bytes that could not be downloaded from Peers.Note that a download that is waiting for
blended with peering behind the same NAT.2 = HTTP blended with peering across a private group. Peering occurs on devices in the same A
n VPN or on the corporate domain network.
omains or are not on the same LAN.Note: this is a best effort optimization and should not be relied on for an authentication of identity.
the cache longer and make the files available for uploads to other devices as long as the cache size has not exceeded.
at Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
means that Delivery Optimization dynamically adjusts to use the available bandwidth for background downloads.
t Delivery Optimization dynamically adjusts to use the available bandwidth for downloads.
means that Delivery Optimization dynamically adjusts to use the available bandwidth for foreground downloads.
ts the download from HTTP source to achieve the specified minimum QoS value.
eDrive policy is set the disk size check will apply to the new working directory specified by this policy.
values: 1 GB to 4 GB.
e subnet).These options apply to both Download Mode LAN (1) and Group (2).
assigned automatically from the selected source. If you set this policy the GroupID policy will be ignored.The options set in this policy only
ve not been digitally signed will not be extracted.If you disable or do not configure this setting both signed and unsigned gadgets will be ex
e or do not configure this setting desktop gadgets will be turned on.The default is for desktop gadgets to be turned on.
tting Windows will run user-installed gadgets.The default is for Windows to run user installed gadgets.
able this policy setting Flip 3D is inaccessible. If you disable or do not configure this policy setting Flip 3D is accessible if desktop compositio
f you disable or do not configure this policy setting window animations are turned on. Changing this policy setting requires a logoff for it to
use the default visuals.Note: If this policy setting is enabled users can continue to select a color in Start Personalization. However setting th
e this policy setting you allow users to change the default window frame color. Note: This policy setting can be used in conjunction with the
e user does not specify a color. If you disable or do not configure this policy setting the default internal color is used if the user does not sp
re Active Directory.Note: Additional requirements may apply on certain Windows SKUs. Refer to Azure Active Directory Device Registratio
acquired and stored in the user's Windows Marketplace Digital Locker.If you enable this setting Digital Locker will not run.If you disable or
wiping in from the screen edges.
help tips to the user.
vents sent to the Event Collector by the source computer. This may be required in high volume environments.If you disable or do not con
Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics.Use the following sy
n old events" policy setting is enabled the Event Log file is automatically closed and renamed when it is full. A new file is then started.If yo
iptor can access the log.If you disable or do not configure this policy setting all authenticated users and system services can write read or c
to affect the both modern and legacy tools.If you enable this policy setting only those users matching the security descriptor can access th
ost.If you disable or do not configure this policy setting and a log file reaches its maximum size new events overwrite old events.Note: Old
t Log uses the path specified in this policy setting.If you disable or do not configure this policy setting the Event Log uses the folder %SYSTE
(2147483647 kilobytes) in kilobyte increments.If you disable or do not configure this policy setting the maximum size of the log file will be
figure log access" policy settings for this log in order to affect the both modern and legacy tools.If you enable this policy setting only those
setting only those users whose security descriptor matches the configured specified value can access the log.If you disable this policy setti
ytes (2147483647 kilobytes) in kilobyte increments.If you disable or do not configure this policy setting the maximum size of the log file wi
iptor can access the log.If you disable or do not configure this policy setting all authenticated users and system services can write read or c
to affect the both modern and legacy tools.If you enable this policy setting only those users matching the security descriptor can access th
s be read from the log regardless of this policy setting.
to affect the both modern and legacy tools.If you enable this policy setting only users whose security descriptor matches the configured v
s the configured value can access the log.If you disable this policy setting only system software and administrators can write or clear this lo
e writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provid
or do not configure this policy setting file shortcut icons that use remote paths are prevented from being displayed.Note: Allowing the use
arning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized
y System. This behavior is consistent with Windows Vista's behavior in this scenario.This disables access to user-defined properties and pr
m associations and other settings to default values. If you enable this policy setting on a machine that does not contain all programs install
shown. If the group policy is not configured or disabled notifications will be shown to the end user if a new application has been installed
efinition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon the policy setti
ample:Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txtFor more information refer to the DISM documentation on TechN
you disable this policy setting the hibernate option will never be shown in the Power Options menu.If you do not configure this policy setti
Tile menu.If you do not configure this policy setting users will be able to choose whether they want lock to show through the Power Optio
ble this policy setting the sleep option will never be shown in the Power Options menu.If you do not configure this policy setting users will
rst time users open File Explorer and whenever they open new windows. If you disable or do not configure this policy setting users can cho
a file name (for example 111 < 22 < 3).If you disable or do not configure this policy setting File Explorer will sort file names by increasing nu
ected mode reduces the functionality of this protocol allowing applications to only open a limited set of folders. Applications are not able
you enable this policy setting Folder Redirection creates a temporary file in the old location in order to verify that new and old locations po
ng users cannot list or restore previous versions of files on local disks.If you disable this policy setting users cannot list and restore previou
not list or restore previous versions of files on file shares.If you disable this policy setting users can list and restore previous versions of file
up media.If you enable this policy setting users cannot see any previous versions corresponding to backup copies and can see only previou
disabled when the user selects a previous version corresponding to a local file.If you disable this policy setting the Restore button remains
you enable this policy setting the Restore button is disabled when the user selects a previous version corresponding to a backup.If you dis
n is disabled when the user selects a previous version corresponding to a file on a file share.If you disable this policy setting the Restore bu
History can be activated to create regular automatic backups.
icrosoft.com. On devices that are compatible with active digitizers enabling Find My Device will also allow the user to view the last locatio
computers to a homegroup. This policy setting does not affect other network sharing features.If you disable or do not configure this policy
so add a search provider from the provider's website.If you enable this policy setting the user can add and remove search providers but on
rk the same as Internet Explorer.If you disable or do not configure this policy setting "Save Target As" will not show up in the Internet Exp
with particular web applications.If you enable this policy setting OnUnLoad script handlers display UI during shutdown.If you disable or do
ft services.If you enable this policy setting users receive enhanced suggestions while typing in the Address bar. In addition users won't be a
lorer are considered to be the same as newly installed add-ons and are not activated when the user upgrades to Internet Explorer 9.In Int
Microsoft Edge. If any of the chosen versions are not installed on the device that preference will be bypassed.If both the Windows Update
ustom string in the version portion of the User Agent header.If you disable or do not configure this policy setting Internet Explorer sends th
mponent.If you disable this policy or do not configure it users will be prompted to download and install a component when visiting a Web
s provided in a file by the system administrator.If you enable this policy setting the user will not be able to do automatic configuration. You
re it users can change their settings for dial-up connections.If you set the "Disable the Connections page" policy (located in \User Configura
pages.If you enable this policy setting you can specify which default home pages should load as secondary home pages. The user cannot se
other browser allows the user to import favorites and feeds from other browsers. Importing settings from a file allows the user to import fa
r's usage to Microsoft Edge's native 'Internet Explorer mode'.- Redirects all attempts at launching Internet Explorer 11 to Microsoft Edge S
version and notifying users if a new version is available.If you disable this policy or do not configure it Internet Explorer checks every 30 d
ot displayed.If you disable this policy or do not configure it the splash screen will be displayed when users start their browsers.
ally on users' computers by using Open Software Distribution (.osd) technologies.If you enable this policy users will not be notified if their p
-On Manager.If you disable or do not configure this policy setting the appropriate controls in the Add-On Manager will be available to the
d in Internet Explorer mode and work the same as Internet Explorer.If you disable or don't configure this policy extended hotkeys will not w
sktop.The navigation bar includes features for browsing webpages searching the web by using a selection of search tools viewing a history
turned on.If you disable this policy setting automatic upgrade of Internet Explorer will be turned off.If you do not configure this policy user
nabled this policy has no effect.If you enable this policy all intranet sites are opened in Internet Explorer 11. The only exceptions are sites li
out the websites for which users turn on Enterprise Mode using the Tools menu.If you turn this setting on users can see and use the Enter
at are part of the domains configured in the policy. When disabled or not configured all domains will be included in site discovery. This pol
hat are part of the zones configured in the policy. When disabled or not configured all Zones will be included in site discovery. This policy c
olicy or do not configure it users of the same computer can establish their own proxy settings.This policy is intended to ensure that proxy
can enter a list of sites which will be allowed to open pop-up windows regardless of user settings. Only the domain name is allowed so ww
e or do not configure this policy setting the user can use the "Fix settings" functionality.Note: When this policy setting is enabled the "Fix se
m the Command bar. • The shortcut key F1 does not make Help appear. • Help cannot be accessed from the Settings charm (starting wi
us content. SmartScreen Filter also prevents the execution of files that are known to be malicious.If you enable this policy setting SmartScr
from the Internet.If you enable this policy setting SmartScreen Filter warnings block the user.If you disable or do not configure this policy
om secure sites.If you enable this policy setting the user cannot change the filter level. You can specify the filter level by importing Privacy
an configure proxy settings.
er.If you disable or do not configure this policy setting the user can change the default search provider.
en in Internet Explorer when he or she clicks links from other applications. You must specify one of the following: • Open in an existing In
ecify whether tabs should open in the foreground or in the background. The user cannot open the tabs in the background by pressing Ctrl
tting the Search box does not appear in the Internet Explorer frame.If you disable or do not configure this policy setting the Search box ap
or do not configure this policy setting the user can add websites to or remove websites from the exception list.Note: You can allow a defau
is known to host malware.If you enable this policy setting the user is not prompted to turn on SmartScreen Filter. All website addresses th
s policy setting the user is not prompted to enable the phishing filter. You must specify which mode the phishing filter uses: manual autom
back Options command does not appear on the Help menu.If you disable this policy setting the user must participate in the CEIP and the C
onfigure this policy setting ActiveX controls can be installed on a per-user basis.
ake one of the following choices: • Skip the First Run wizard and go directly to the user's home page. • Skip the First Run wizard and go
tantiated.If you disable this policy or do not configure it then JScript will be utilized.
ware\policies\Microsoft\Internet Explorer\SearchScopes]). Normally search providers can be added from third-party toolbars or in Setup b
are disabled. (To see the site management settings for security zones in the Internet Options dialog box click the Security tab and then click
ty tab in the Internet Options dialog box are disabled.If you disable this policy or do not configure it users can change the settings for secur
will apply to all users of that computer.If you disable this policy or do not configure it users of the same computer can establish their own
onents\Internet Explorer\Use the Enterprise Mode IE website list policy setting and you must include at least one site in the Enterprise Mo
h or default. Low creates very few tab processes; medium creates a moderate amount of tab processes; and high allows the tab process t
mployees see an additional page in Internet Explorer 11 stating that a site has been opened using Microsoft Edge with Enterprise Mode.If y
ut:blank) the first home page the new tab page or the new tab page with my news feed.If you disable or do not configure this policy settin
o allow the installation of ActiveX controls.If you disable or do not configure this policy setting ActiveX controls including per-user controls
.If you disable or do not configure this policy setting users can pin sites.
hat Internet Explorer has not used before a Notification bar will appear asking the user for approval.If you enable this policy setting the Ac
are slowing his or her browsing and displays a button that opens the Disable Add-ons dialog box. The Disable Add-ons dialog box displays t
sable or do not configure this policy setting Automatic Crash Recovery prompts the user to recover his or her data after a program stops re
rned off.If you disable this policy setting browser geolocation support is turned on.If you do not configure this policy setting browser geolo
ndows in tabbed browsing. You must specify one of the following values: 0: Let Internet Explorer decide. 1: Force pop-up windows to o
Service Pack 1 and earlier namely to invoke Windows Error Reporting. All policy settings for Windows Error Reporting continue to apply.If
vorites bar is turned on.If you do not configure this policy setting the user can turn on or turn off the Favorites bar.
nown to host malware.If you enable this policy setting the user is not prompted to turn on SmartScreen Filter. You must specify which mod
ontent to be re-rendered at a scaled size.If you disable or do not configure this policy setting applications that host MSHTML respond to u
e (grayed out) and all other pop-up manager controls notifications and dialog boxes will not appear. Pop-up windows will continue to func
you disable or do not configure this policy setting Quick Tabs is turned on.
ing Session feature.If you disable or do not configure this policy setting the user can use the Reopen Last Browsing Session feature.
do not configure this policy setting the user can choose to view suggestions for all user-installed search providers that offer suggestions.
p.If you enable this policy setting tabbed browsing and related entry points are turned off for Internet Explorer and the user cannot turn th
eb addresses. The user cannot change the auto-complete for web-address setting.If you disable this policy setting user will be suggested m
not appear until the user starts typing.If you disable or do not configure this policy setting when a user clicks in the Search box the quick p
eature is turned off.If you disable or do not configure this policy setting the feature is turned on.
perly.If you enable this policy setting ActiveX Filtering is enabled by default for the user. The user cannot turn off ActiveX Filtering althoug
can log information that is blocked by new Internet Explorer features. The user cannot turn off logging.If you disable this policy setting the
nd the user cannot turn it off.If you disable this policy setting the menu bar appears in Internet Explorer by default and the user cannot tu
e aggregated using a client management solution(SCCM) or other means. When disabled no data will be written to the WMI class. Enablin
fied when setting this policy. When disabled no data will be written to the XML file. Enabling or disabling this setting will not impact other o
e user might want to visit.If you enable this policy setting the user is not prompted to enable Suggested Sites. The user’s browsing history
this policy setting Internet Explorer downloads the website list from your location (HKCU or HKLM\Software\policies\Microsoft\Internet Ex
user cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not overlap
the user cannot remove or change the Accelerators that this policy setting has added. Default and non-default Accelerators should not ov
d through Group Policy. The user cannot add or delete Accelerators.If you disable or do not configure this policy setting the user can acces
ccess Accelerators and install new Accelerators.
g the user is not prompted when a script that is running in any process on the computer performs a Clipboard operation. This means that
ne is set to prompt.If you enable this policy setting the user is not prompted when a script that is running in the Internet Explorer process p
Internet Explorer processes use the "Bypass prompting for Clipboard access for scripts running in the Internet Explorer process" policy. If t
Explorer and any printers under the Devices charm.If you enable this policy setting the Print menu in Internet Explorer will not be available
ttings or in the tools menu in the desktop. Users won’t be able to use it to launch the report site problems dialog box.If you disable or do n
used during browser navigation. If a user visits a site on the compatibility lists the pages are automatically displayed in Compatibility View.
se the Compatibility View button or manage the Compatibility View sites list.If you disable or do not configure this policy setting the user c
able this policy setting the user cannot use the Compatibility View button.If you disable or do not configure this policy setting the user can
in Internet Explorer 7 Standards Mode or the Standards Mode available in the latest version of Internet Explorer.If you enable this policy
rnet Explorer uses the current user agent string for local intranet content. Additionally all local intranet Standards Mode pages appear in t
not remove the entries that you specify.If you disable or do not configure this policy setting the user can add and remove sites from the lis
net Explorer.If you enable this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appe
ify and install code for an Object Linking and Embedding (OLE) component.If you enable this policy setting the user cannot specify the dow
et files cookies history form data and passwords) are applied and those items are deleted.If you enable this policy setting deleting browsin
menu click Internet Options click the General tab and then click Settings under Browsing history.If you enable this policy setting a user cann
r 10" in the TechNet technical library.If you enable this policy setting the user cannot access the Delete Browsing History dialog box. Starti
o disable ActiveX Filtering or Tracking Protection. In addition Tracking Protection data is also collected if users turn on the Personalized Tra
f you disable this policy setting cookies are deleted when the user clicks Delete.If you do not configure this policy setting the user can cho
when the user clicks Delete.If you disable this policy setting download history is deleted when the user clicks Delete.If you do not configur
user clicks Delete.If you disable this policy setting favorites site data is deleted when the user clicks Delete.If you do not configure this po
te.If you disable this policy setting form data is deleted when the user clicks Delete.If you do not configure this policy setting the user can
third-party items should be blocked when InPrivate Filtering is enabled. This feature is available in the Delete Browsing History dialog box
te.If you disable this policy setting passwords are deleted when the user clicks Delete.If you do not configure this policy setting the user ca
ved when the user clicks Delete.If you disable this policy setting temporary Internet files are deleted when the user clicks Delete.If you do
hat the user has visited are preserved when he or she clicks Delete.If you disable this policy setting websites that the user has visited are d
et Explorer.If you enable this policy setting users will not be able to delete temporary Internet files and cookies.If you disable or do not con
and printing.If you disable this policy or do not configure it users can see and change these settings.When you set this policy you do not n
cy or do not configure it users can see and change these settings.When you set this policy you do not need to set the following policies for
e and change these settings.
and accessibility.If you disable this policy or do not configure it users can see and change these settings.When you set this policy you do no
not configure it users can see and change these settings.
policy or do not configure it users can see and change these settings.When you set this policy you do not need to set the following policie
ser authentication.If you disable this policy or do not configure it users can see and change these settings.When you set this policy you do
n Internet Explorer.If you enable this policy setting the user cannot continue browsing.If you disable or do not configure this policy setting
(DNS) servers or to proxy servers.If you enable this policy setting you must specify when IDN server names should be sent: 0) Unicode do
UTF-8.If you disable or do not configure this policy setting Internet Explorer sends mailto links encoded through the user's code page. This b
t.If you disable this policy setting active content on a CD will always prompt before running.If you do not configure this policy users can ch
a and Java) that are required in order to view web pages as intended.If you enable this policy setting non-Internet Explorer components w
Web page that requires Japanese-text display support Internet Explorer could prompt the user to download the Japanese Language Pack
f you enable this policy setting Internet Explorer uses the HTTP2 network protocol.If you disable this policy setting Internet Explorer won't
nd prioritization.If you enable this policy setting Internet Explorer uses the SPDY/3 network protocol.If you disable this policy setting Intern
te that someone has tampered with the file.If you enable this policy setting users will be prompted to install or run files with an invalid sign
ns which impact Internet Explorer's performance or stability.If you enable this policy setting Internet Explorer automatically launches any
. The DNT:1 header signals to the servers not to track the user.For Internet Explorer 9 and 10:If you disable this policy setting Internet Exp
prompted to install new versions as they become available.If you enable this policy setting Internet Explorer checks the Internet for a new
his option protects users from submitting confidential data to a site that may be fraudulent or not secure.If you enable this policy setting In
computers before downloading executable programs.If you enable this policy setting Internet Explorer will check the digital signatures of
otected Mode and a website attempts to load the control Internet Explorer notifies the user and gives the option to run the website in reg
ry and disable add-ons that are not preapproved.If you enable this policy setting the user cannot use Reset Internet Explorer Settings.If yo
e which may be insecure.If you enable this policy setting Internet Explorer will not save encrypted pages containing secure (HTTPS) inform
s on the computer or storing sensitive files that other users could see in addition to managing total disk space usage.If you enable this pol
as java applets are not.If you enable this policy setting Internet Explorer will play animated pictures found in Web content.If you disable th
ava applets are not.If you enable this policy setting Internet Explorer will play sounds found in Web content.If you disable this policy settin
pplets are not.If you enable this policy setting Internet Explorer will play videos found in Web content.If you disable this policy setting Inte
host MSHTML do not render text by using the Microsoft ClearType rendering engine.If you disable or do not configure this policy setting a
unication between the browser and the target server. When the browser attempts to set up a protected communication with the target s
seamlessly switches into view.If you enable this policy setting Internet Explorer doesn't load any websites or content in the background.If
t be prompted to provide information.If you disable this policy setting then when a Web site requests Profile Assistant information users w
s policy setting you must specify when to use UTF-8 to encode query strings: 0) Never encode query strings. 1) Only encode query strin
page prediction works. This feature isn't available for Internet Explorer for the desktop.If you enable this policy setting flip ahead with pa
ons of Windows.Important: Some ActiveX controls and toolbars may not be available when 64-bit processes are used.If you enable this po
ctionality such as using the Shift key to select text and copying a selection to the clipboard. This policy setting is particularly useful to user
Mode also limits the locations Internet Explorer can read from in the registry and the file system.If you enable this policy setting Enhanced
e HTTP 1.1.If you do not configure this policy setting users can configure Internet Explorer to use or not use HTTP 1.1.
disable this policy setting Internet Explorer does not use HTTP 1.1 through proxy connections.If you do not configure this policy setting use
t tab of the Internet Options dialog box. Users can change Content Advisor settings.If you disable or do not configure this policy setting Inte
new browsing session with the tabs from the last browsing session.If you enable this policy setting Internet Explorer starts a new browsing
website database and caches on Website Data Settings will be unavailable to users.If you disable this policy setting websites will not be abl
ow website database and caches on Website Data Settings will be unavailable to users.If you disable this policy setting websites will not be
e limits for application caches. If a domain exceeds the application cache storage limit for an individual domain Internet Explorer sends an e
en you set this policy setting you provide the expiration time limit in days.If you enable this policy setting Internet Explorer will remove app
g Internet Explorer displays a notification when a website exceeds the configured storage limit.If you disable or do not configure this policy
ge limits for indexed databases. If a domain exceeds the indexed database storage limit for an individual domain Internet Explorer sends a
nternet Explorer sends an error to the website. No notification will be displayed to the user. When you set this policy setting you provide t
umber of resources allowed including the page that referenced the manifest Internet Explorer sends an error to the website. No notificati
fies the user and the user must delete application caches before an updated one can be saved on their computer. The default maximum st
tifies the user and the user must delete indexed databases before an updated database can be saved on their computer. The default maxim
and select a security level all values for individual settings in the zone will be overwritten by the standard template defaults.If you disable
plicitly mapped into a zone are considered to be in the Intranet Zone.If you disable this policy setting local sites which are not explicitly ma
this policy setting network paths are not necessarily mapped into the Intranet Zone (other rules might map one there).If you do not confi
e Intranet Zone.If you disable this policy setting sites which bypass the proxy server aren't necessarily mapped into the Intranet Zone (othe
nternet Explorer has 4 security zones numbered 1-4 and these are used by this policy setting to associate sites to zones. They are: (1) Intran
mapping rules are applied automatically if the computer belongs to a domain.If you disable this policy setting automatic detection of the
rtificates issued for a different website address. This warning helps prevent spoofing attacks.If you enable this policy setting the certificate
net mappings if they require them.If you enable this policy setting a Notification bar notification appears whenever the user browses to a
setting users can load a page in the zone that uses MSXML or ADO to access data from another site in the zone. If you select Prompt in the
ricted protocols may be set in the Intranet Zone Restricted Protocols section under Network Protocol Lockdown policy.If you enable this p
-down box users are queried to choose whether to allow script code on pages in the zone to run.If you disable this policy setting script cod
ng binary and script behaviors are available. If you select Administrator approved in the drop-down box only behaviors listed in the Admin
rd operation.If you select Prompt in the drop-down box users are queried as to whether to perform clipboard operations.If you disable thi
one automatically. If you select Prompt in the drop-down box users are queried to choose whether to drag or copy files from this zone.If y
e file is delivered.If you enable this policy setting files can be downloaded from the zone.If you disable this policy setting files are prevente
nd Prompt is selected in the drop-down box users are queried whether to allow HTML fonts to download.If you disable this policy setting H
zone automatically.If you select Prompt in the drop-down box users are queried to choose whether to install desktop items from this zone
dbox and take advantage of the Windows Presentation Foundation platform for the web.If you enable this policy setting and set the drop-
es and graphics that take advantage of the Windows Presentation Foundation.If you enable this policy setting and set the drop-down box
this policy setting and set the drop-down box to Enable XPS files are automatically loaded inside Internet Explorer. The user cannot chang
eb page.If you enable this policy setting a user's browser that loads a page containing an active Meta Refresh setting can be redirected to a
prompted before ActiveX controls can run from websites in this zone. The user can choose to allow the control to run from the current sit
isable this policy setting the TDC Active X control will run from all sites in this zone.
within File Explorer. Search results will be returned in File Explorer and can be acted upon like local files.If you enable this policy setting us
returned by OpenSearch queries using Search Connectors (which allow rich searching of remote sources from within the File Explorer) it m
y setting script access to the WebBrowser control is not allowed.If you do not configure this policy setting the user can enable or disable sc
t apply in this zone. The security zone runs without the added layer of security provided by this feature.If you disable this policy setting the
ot configure this policy setting the user can enable or disable scriptlets.
figure this policy setting script is not allowed to update the status bar.
tion.If you selected Prompt in the drop-down box users are asked to choose whether to allow VBScript to run.If you selected Disable in the
ernal controls or media players.The dynsrc attribute on the img tag specifies an older media player. Also as of Internet Explorer 8 this polic
s that have no status bar or Address bar.If you disable this policy setting websites cannot open new Internet Explorer windows that have n
splay any scripted windows by using the Notification bar.If you do not configure this policy setting the user can enable or disable the Notifi
l they do not have installed.If you disable this policy setting ActiveX control installations will be blocked using the Notification bar. Users ca
this setting users will receive a file download dialog for automatic download attempts.If you disable or do not configure this setting file do
items.If you enable this policy setting and the drop-down box is set to Enable the user does not receive a security information message (Th
users with a "Client Authentication" message when they connect to a Web site that has no certificate or only one certificate.If you disable
eck with your antimalware program to see if it's safe to create an instance of the ActiveX control.If you disable this policy setting Internet
you select Prompt in the drop-down box users are queried whether to download controls signed by publishers who aren't trusted. Code s
this policy setting users can run unsigned controls without user intervention. If you select Prompt in the drop-down box users are queried
ble users can drag content from one domain to a different domain when the source and destination are in different windows. Users canno
ble users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
nature.If you enable this policy setting the MIME Sniffing Safety Feature will not apply in this zone. The security zone will run without the a
led to the server. For instance files sent from the user's desktop may contain the user name as a part of the path.If you enable this policy s
usted data or scripts. This setting is not recommended except for secure and administered zones. This setting causes both unsafe and safe
Safety enables applets to perform all operations.Medium Safety enables applets to run in their sandbox (an area in memory outside of wh
an run applications and download files from IFRAMEs on the pages in this zone without user intervention. If you select Prompt in the drop
he guest account only for the Common Internet File System (CIFS) protocol.Prompt for user name and password to query users for user ID
domains and access applications from other domains. If you select Prompt in the drop-down box users are queried whether to allow wind
g Enable or Disable under Options in Group Policy Editor.If you disable or do not configure this policy setting users can choose whether or n
ferenced from an object tag and managed executables referenced from a link.If you enable this policy setting Internet Explorer will execut
nced from an object tag and managed executables referenced from a link.If you enable this policy setting Internet Explorer will execute sig
tion.If you selected Prompt in the drop-down box users are asked to choose whether to allow the controls or plug-in to run.If you disable t
ntervention.If you select Prompt in the drop-down box users are queried to choose whether to allow script interaction.If you disable this p
Prompt in the drop-down box users are queried to choose whether to allow scripts to access applets.If you disable this policy setting script
File Explorer for example).If you enable this policy setting and set the drop-down box to Enable these files open without a security warnin
software updates by e-mail software packages to be automatically downloaded to users' computers and software packages to be automa
ts non-SSL form data submission.If you enable this policy setting information using HTML forms on pages in this zone can be submitted au
eration platform for Windows. It uses the common language runtime and incorporates support from multiple developer tools. It includes
ed to approve the control. This policy setting determines whether the user is prompted.If you enable this policy setting the first-run promp
sites in this zone and the XSS Filter attempts to block cross-site script injections.If you disable this policy setting the XSS Filter is turned off
try and the file system.If you enable this policy setting Protected Mode is turned on. The user cannot turn off Protected Mode.If you disab
able this policy setting SmartScreen Filter does not scan pages in this zone for malicious content.If you do not configure this policy setting t
wanted pop-up windows are prevented from appearing.If you disable this policy setting pop-up windows are not prevented from appearin
ge the state of the page can be restored if this policy setting is appropriately configured.If you enable this policy setting users can preserve
an open new windows in or navigate into this zone. The security zone will run without the added layer of security that is provided by the P
figure this policy setting script is allowed to update the status bar.
this setting users will receive a file download dialog for automatic download attempts.If you disable or do not configure this setting users
open new windows in or navigate into this zone. The security zone will run without the added layer of security that is provided by the Pro
from other domains and access applications from other domains. If you select Prompt in the drop-down box users are queried whether to
f restricted protocols may be set in the Trusted Sites Zone Restricted Protocols section under Network Protocol Lockdown policy.If you ena
from other domains and access applications from other domains. If you select Prompt in the drop-down box users are queried whether to
nternet Explorer does not open tiles on the desktop.If you do not configure this policy users can choose how Internet Explorer tiles are ope
setting Internet Explorer enforces your choice. Users cannot change the setting.If you disable or do not configure this policy setting users
Address bar if it is available.If you disable or do not configure this policy setting Internet Explorer does not go directly to an intranet site fo
plorer will be hidden.If you disable this policy setting the button to open Microsoft Edge from Internet Explorer will be shown.If you do no
ne number detection is turned off. Users won't be able to modify this setting.If you disable this policy setting phone number detection is tu
appropriate software is installed.If you disable this policy setting Internet Explorer does not play these files.If you do not configure this pol
he user cannot change the specified action. • Do not search from the Address bar: The user cannot use the Address bar for searches. The
r performs a search in the Address bar a list of search results from the selected search provider is displayed in the main window. • Enab
nth. No user data is sent over the internet by this feature.If you enable this policy setting URL Suggestions will be turned off. Users will not
ntering a web address in the browser Address bar. This feature provides more relevant results in the browser Address bar.If you enable th
owser connects with a prespecified encryption. To ensure that the browser meets this requirement this policy setting allows you to specify
d for checking updates to Internet Explorer and Internet Tools. You must specify this URL.If you disable or do not configure this policy setti
he update check interval.If you disable or do not configure this policy setting the user can specify the update check interval.
e it is blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However do
ore it is blocked. Setting this value lower can help prevent more third-party sites from obtaining details about a user's browsing. However d
's browsing session. By default the computer does not load them when InPrivate Browsing starts.If you enable this policy setting toolbars a
s that referenced it. It is collected during non-InPrivate (normal) browsing sessions.If you enable this policy setting InPrivate Filtering data c
et files history and other data.If you enable this policy setting InPrivate Browsing is turned off.If you disable this policy setting InPrivate Bro
sit. InPrivate Filtering does this by identifying third-party content that is used by multiple websites that users have visited.If you enable thi
y visit. Tracking Protection does this by identifying third-party content that is used by multiple websites that users have visited.If you enab
mmend that you do not allow insecure fallback in order to prevent a man-in-the-middle attack.This policy does not affect which security pr
e button the current password value is visible until the mouse button is released (or until the tap ends).If you enable this policy setting the
g Internet Explorer does not turn on Data Execution Prevention on platforms that support the SetProcessDEPPolicy function.If you disable
se 64 encoding. Malware filters or other network-based filters may not properly filter encapsulated data.If you enable this policy setting D
h are specifically written to extend or enhance the functionality of the browser or web pages.This list can be used with the 'Deny all add-on
Explorer processes or those listed in the 'Process List' policy setting ignore add-on management user preferences and policy settings.If you
elper Objects (BHOs) which are specifically written to extend or enhance the functionality of the browser or web pages.By default the 'Add
esses use the add-on management user preferences and policy settings. This policy setting allows you to extend support for these user pre
Run this time" button on the warning message that appears when Internet Explorer blocks an outdated ActiveX control.If you disable or d
plorer stops blocking outdated ActiveX controls.If you disable or don't configure this policy setting Internet Explorer continues to block spe
e this policy setting you can enter a custom list of domains for which outdated ActiveX controls won't be blocked in Internet Explorer. Eac
hat loaded the control and whether it was blocked) to a local file.If you disable or don't configure this policy setting Internet Explorer won
he user cannot run natively implemented scriptable XMLHTTP.If you do not configure this policy setting the user can choose to run native
es the connection limit of your choice for HTTP 1.1.If you disable or do not configure this policy setting Internet Explorer uses the default c
Internet Explorer will use the default connection limit for HTTP 1.0 (6 connections per host).In versions of Internet Explorer prior to Intern
r uses the WebSocket connection limit that you set with this policy setting.If you disable or do not configure this policy setting Internet Exp
arty domains embedded in the page.If you disable or do not configure this policy setting documents can request data across third-party do
. This policy setting does not prevent client-side communication across domains via other features in Internet Explorer 10. Also this policy
domains through other features in Internet Explorer 8 and it does not prevent a site from requesting cross-domain data through a server.If
e opted in to the behavior and to all zones. (Behaviors are components that encapsulate specific functionality or behavior on a page.)If you
avior Security Restriction setting is prevented or allowed.If you enable this policy setting binary behaviors are prevented for all processes.
and MD4 signing technologies by default because they are not as secure as other technologies.If you enable this policy setting Internet Exp
avior Security Restriction setting is prevented or allowed.If you enable this policy setting binary behaviors are prevented for the File Explor
avior Security Restriction setting is prevented or allowed.This policy setting allows administrators to define applications for which they wa
er requires that all file-type information provided by Web servers be consistent. For example if the MIME type of a file is text/plain but the
ve the fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and content. T
ve the fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and content p
ter have the fewest security restrictions and reside in the Local Machine zone.Local Machine zone security applies to all local files and con
re is enabled for all processes.If you disable or do not configure this policy setting the Mime Sniffing Safety Feature is disabled for all proce
ote a file of one type to a more dangerous file type.If you disable this policy setting Internet Explorer processes will allow a MIME sniff prom
for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 this protection
disabled for all processes. Any use of the MK Protocol is blocked.If you disable or do not configure this policy setting the MK Protocol is en
prevented for File Explorer and Internet Explorer and resources hosted on the MK protocol will fail.If you disable this policy setting applica
applications for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 use
gh restricted protocols is prevented or allowed.If you enable this policy setting restricting content obtained through restricted protocols is
t obtained through restricted protocols is prevented or allowed.If you enable this policy setting restricting content obtained through restr
gh restricted protocols is prevented or allowed.This policy setting allows administrators to define applications for which they want restricti
e user or simply disabling the content. For each zone this list of protocols may be configured here and applies to all processes which have
ar is not displayed for any process when file or code installs are restricted (except for the Internet Explorer Processes for which the Notific
t Explorer processes.If you enable this policy setting the Notification bar will be displayed for Internet Explorer Processes.If you disable this
when file or code installs are restricted (except for the Internet Explorer Processes for which the Notification bar is displayed by default).If
ssible when navigating within or across domains for all processes.If you disable or do not configure this policy setting object reference is r
ccessible when navigating within or across domains for Internet Explorer processes.If you disable this policy setting an object reference is
r which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 references to ob
n the local computer have the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a
er have the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a prime target for m
omputer have the fewest security restrictions and reside in the Local Machine zone making the Local Machine security zone a prime target
atic prompting of ActiveX control installation for all processes.If you disable or do not configure this policy setting the Web Browser Contr
Explorer processes.If you disable this policy setting prompting for ActiveX control installations will not be blocked for Internet Explorer pr
ng of ActiveX control installation is blocked. If you enter a Value of 0 automatic prompting of ActiveX control installation is allowed. The Va
ll block automatic prompting of file downloads that are not user initiated for all processes.If you disable this policy setting the Web Browse
ocesses.If you disable this policy setting prompting will occur for file downloads that are not user initiated for Internet Explorer processes.
matic prompting of non-initiated file downloads is blocked. If you enter a Value of 0 automatic prompting of non-initiated file downloads is
ng windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.If you enable thi
ng windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.If you enable thi
ng windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars.This policy settin
played according to which one of the following options you choose and the user cannot change how command buttons are displayed:Show
w.If you do not configure this policy setting the user can change where tabs are displayed.
d bar is shown and the user cannot choose to hide it.If you do not configure this policy setting the Command bar is shown by default and
wn and the user cannot choose to hide it.If you do not configure this policy setting the status bar is shown by default and the user can choo
olbars are unlocked and the user can move them.If you do not configure this policy setting the toolbars are locked by default but the user c
s and the user cannot move them.If you disable this policy setting the Stop and Refresh buttons are next to the Address bar and the user ca
gure this policy setting the user can access Developer Tools.
the tool detects an incompatible toolbar the user is prompted to update or disable the toolbar. Specific toolbars or Browser Helper Object
sable this policy setting icons for command buttons are 16 x 16 pixels (the default) and cannot be made bigger (20 x 20 pixels).If you do no
nstall Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might n
n information from the location feature. If you disable or do not configure this policy setting all programs on this computer will not be
tion scripts will run.
f you disable or do not configure this policy setting all programs on this computer can use the sensor feature.
computer will not be able to use the Windows Location Provider feature. If you disable or do not configure this policy setting all progr
If you enable this policy setting this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Ma
rting from its Activation Boundary. If you enable this policy setting Automatic Maintenance will delay starting from its Activation Bou
e daily scheduled maintenance. Note that if the OS power wake policy is explicitly disabled then this setting has no effect. If you enab
and update of map data is turned on.If you don't configure this setting the automatic download and update of map data is determined by
c on the Offline Maps settings page are turned off. Note: This may turn off the entire settings page. If you disable or do not configure this p
not configure this policy setting MDM Enrollment will be enabled. If you enable this policy setting MDM Enrollment will be disabled for all
he device will remotely managed by the MDM service. Important: The device must be registered in Azure AD for enrollment to succ
Microsoft accounts for authentication. This applies both to existing users of a device and new users who may be added. However any appl
disabled. If you enable this setting the antimalware service will always remain running even if both antivirus and antispyware security int
tting the antimalware service will load as a normal priority task. If you disable this setting the antimalware service will load as a low priori
mputer. Enabled: Specify the mode in the Options section: -Block: Potentially unwanted software will be blocked. -Audit Mo
able or do not configure this setting unique items defined in Group Policy and in preference settings configured by the local administrator w
will begin at a random time within an interval of 4 hours after the specified start time. If you enable this setting you must pick a randomiz
this setting the proxy server will be bypassed for the specified addresses. If you disable or do not configure this setting the proxy server
r if there is no proxy auto-config specified the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2.
ails or if there is no proxy specified the client will fall back to the alternative options (in order): 1. Proxy server (if specified) 2. Proxy .p
files will be copied to the specified support log location path. If you disable or do not configure this setting the support logs files will not
gin at a random time within 4 hours after the time specified in Task Scheduler. If you enable this setting you can widen or narrow this ran
software. If you disable this policy setting Microsoft Defender Antivirus will run regardless of any other installed antivirus product. If yo
ation of the policy-defined action user-defined action and the signature-defined action. If you enable this policy setting Microsoft Defend
e phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be
ay on clients. If you enable this setting Microsoft Defender Antivirus notifications will not display on clients.
e listed as a name value pair where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value
ng. Each entry must be listed as a name value pair where the name should be a string representation of a path or a fully qualified resource
e the process use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name va
o improve performance. Enabled: Microsoft Defender will not exclude pre-defined list of paths from scans. This can impact machin
over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.
which will lower the protection state of the device. Enabled – The Block at First Sight setting is turned on. Disabled – The Block at First
alicious software infections. You can choose to send basic or additional information about detected software. Additional information hel
2) Never send (0x3) Send all samples automatically
e would normally cause an event then it will be recorded (although the rule will not actually be applied) - Off: the rule will not be applied
new line as a name-value pair: - Name column: Enter a folder path or a fully qualified resource name. For example ""C:\Windows"" will e
r Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications. E
uments folder - Write to disk sectors You can also choose to only block or audit writes to disk sectors while still allowing the modifi
atically protected. You can configure this setting to add additional folders. The list of default system folders that are protected is shown
d other malicious content on the Internet. Enabled: Specify the mode in the Options section: -Block: Users and applications will not be
her Network Protection is allowed to be configured into block or audit mode on Windows Server. Note that this configuration is depende
the extended cloud check feature specify the extended time in seconds up to an additional 50 seconds. For example if the desired time
ed Not configured: Same as Disabled.
identifying suspicious files to block and scan; otherwise it will be less aggressive and therefore block and scan with less frequency.
pair where the name should be a string representation of a definition set GUID. As an example the definition set GUID to enable test secur
her Network Protection is allowed to be configured into block or audit mode on Windows Server. Note that this configuration is depende
ates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition then th
led. If you disable this setting protocol recognition will be disabled.
you enable this setting the local preference setting will take priority over Group Policy. If you disable or do not configure this setting Grou
ber of days specified. If you disable or do not configure this setting items will be kept in the quarantine folder indefinitely and will not be
l preference setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over
nce setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local
ence setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the loca
riority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.
outgoing file activity but for performance reasons need to have scanning disabled for a particular scan direction. The appropriate configura
ed will be scanned. If you disable or do not configure this setting a default size will be applied.
tting monitoring for file and program activity will be disabled.
If you disable this setting scanning for all downloaded files and attachments will be disabled.
o run on your computer. If you enable this policy setting Microsoft Defender Antivirus will not prompt users to take actions on malware d
not configure this setting a process scan will be initiated when real-time protection is turned on. If you disable this setting a process scan
etting raw write notifications be disabled.
ocal preference setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority o
This setting can be configured with the following ordinal number values: (0x0) Every Day (0x1) Sunday (0x2) Monday (0x3) Tuesd
00). For example 120 (0x78) is equivalent to 02:00 AM. The schedule is based on local time on the computer where the scan is executing.
nced notifications will display on clients. If you enable this setting Microsoft Defender Antivirus enhanced notifications will not displ
he user to pause a scan. If you disable this setting users will not be able to pause scans.
"mpcmdrun -SigUpdate" but it has no effect on scans initiated manually from the user interface. If you enable this setting a check for ne
rence setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the loc
ver Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.
ority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local preference setting.
setting will take priority over Group Policy. If you disable or do not configure this setting Group Policy will take priority over the local pref
gure this setting not changes will be made to CPU priority for scheduled scans.
nfigure this setting a system restore point will not be created.
d scans. If you enable this setting a catch-up scan will occur after the specified number consecutive missed scheduled scans. If you disa
k drives will not be scanned.
ed. If you disable this setting archive files will not be scanned.
onfigure this setting network files will not be scanned.
nable this setting removable drives will be scanned during any type of scan. If you disable or do not configure this setting removable drive
the following ordinal number values: (0x0) Every Day (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursda
nce per day). If set to zero interval quick scans will not occur. By default this setting is set to 0. If you enable this setting a quick scan will
his setting archive files will be scanned to the directory depth level specified. If you disable or do not configure this setting archive files w
cates that there should be no throttling of CPU utilization. The default value is 50. If you enable this setting CPU utilization will not excee
it to archive size for scanning. If you enable this setting archive files less than or equal to the size specified will be scanned. If you disab
pecified value. If you disable or do not configure this setting the default scan type will used.
lent to 02:00 AM. By default this setting is set to disabled. The schedule is based on local time on the computer where the scan is executin
ent to 02:00 AM. By default this setting is set to a time value of 2:00 AM. The schedule is based on local time on the computer where the
er is on but not in use. If you disable this setting scheduled scans will run at the scheduled time.
missed because the computer was turned off at the scheduled time. If you enable this setting catch-up scans for scheduled full scans will
e missed because the computer was turned off at the scheduled time. If you enable this setting catch-up scans for scheduled quick scans
s and attachments. Several e-mail formats are currently supported for example: pst (Outlook) dbx mbx mime (Outlook Express) binhex (M
recommended that you do not turn off heuristics. If you enable or do not configure this setting heuristics will be enabled. If you disabl
zero items will be kept forever and will not be automatically removed. By default the value is set to 30 days. If you enable this setting ite
mum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for thi
se notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Mic
st security intelligence update has security intelligence for a threat involving that file the service will receive all of the latest security intellig
ows Update. If you enable this setting security intelligence updates will be downloaded from Microsoft Update. If you disable or do not
s usual regardless of power state. If you disable this setting security intelligence updates will be turned off while the computer is running
gence will occur after service startup. If you disable this setting or do not configure this setting a check for new security intelligence will n
pipe-separated string enumerating the security intelligence update sources. For example: "{\\unc1 | \\unc2 }". The list is empty by defaul
security intelligence update will occur after the specified number of days. If you disable or do not configure this setting a catch-up secur
igger several additional actions including falling back to an alternative update source or displaying a warning icon in the user interface. By
er several additional actions including falling back to an alternative update source or displaying a warning icon in the user interface. By def
the security intelligence update sources in order. Possible values are: “InternalDefinitionUpdateServer” “MicrosoftUpdateServer” “MMPC
l be initiated on startup when there is no antimalware engine present. If you disable this setting security intelligence updates will not be
nfigured with the following ordinal number values: (0x0) Every Day (default) (0x1) Sunday (0x2) Monday (0x3) Tuesday (0x4) Wed
(every hour) to 24 (once per day). If you enable this setting checks for security intelligence updates will occur at the interval specified. I
78) is equivalent to 02:00 AM. By default this setting is configured to check for security intelligence updates 15 minutes before the schedul
ntelligence update. If you disable this setting a scan will not start following a security intelligence update.
e listed as a name value pair. The name defines a threat alert level. The value contains the action ID for the remediation action that should
sted as a name value pair. The name defines a valid Threat ID while the value contains the action ID for the remediation action that should
vice and logs system events from the Application Guard container to your host.If you disable or don't configure this setting event logs aren
ou enable this policy applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the u
nd other items (such as cookies Favorites and so on) for use in future Application Guard sessions.Note:If you enable this setting you can sti
files from the Microsoft Defender Application Guard container to the host operating system.If you disable or don't configure this setting pe
per-V to access supported high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life
specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for ea
nctionality completely between the host and Application Guard- Enable the clipboard to copy content from Application Guard to the host
Disable all print functionality in Application Guard.- Enable printing to existing network printers.- Enable printing to local printers.- Enable p
es are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.If you disable or don
use virtualization-based security isolation. While in isolation improper user interactions and app vulnerabilities can’t compromise the kerne
ore you can enable this setting:- Manually configure a device's system and application mitigation settings using the Set-ProcessMitigation
to a common shared folder and prevents students and teachers from removing the book from the Books tab. For this to work properly yo
osoft Edge to Microsoft services. Note: Disabling this setting turns off the Address bar drop-down functionality. Therefore because sea
e Adobe Flash.
policy setting it can be turned on and configured by the employee in the Clear browsing data options under Settings.
ally updates the configuration data for the Books Library.If you disable this setting Microsoft Edge won't automatically download updated
le this setting the F12 Developer Tools aren't available in Microsoft Edge.
data on top of the basic telemetry data from the Books tab.If you disable or don't configure this setting Microsoft Edge only sends basic te
oyees can't use Microsoft Edge Extensions.
osoft Edge. Your users and extensions must have the proper permissions.If disabled full-screen mode is unavailable for use in Microsoft Ed
s setting employees can't use InPrivate website browsing.
e Microsoft Compatibility List is enabled and can be viewed by visiting about:compat.If you enable or don’t configure this setting Microsoft
you allow pre-launch disable or don’t configure this policy setting Microsoft Edge pre-launches during Windows sign in when the system i
ou allow preloading disable or don’t configure this policy setting Microsoft Edge loads the Start and New Tab page during Windows sign in
ne.If disabled the browsing history stops saving and is not visible in the History pane. If browsing history exists before this policy was disab
ng can only be used with domain-joined or MDM-enrolled devices. For more info see the Microsoft browser extension policy (aka.ms/brow
ng of unverified extensions in Microsoft Edge is allowed.If disabled sideloading of unverified extensions in Microsoft Edge is not allowed. E
e New Tab page.If you disable this setting Microsoft Edge opens a new tab with a blank page. If you use this setting employees can't chang
s setting Microsoft Edge shows the Books Library regardless of the device's country or region.If you disable or don't configure this setting M
hat you must use the "Set default search engine" setting.ImportantThis setting can only be used with domain-joined or MDM-enrolled dev
setting employees can use Autofill to automatically fill in forms while using Microsoft Edge.If you disable this setting employees can't use A
all cookies from all websites. Block only 3rd-party cookies: Blocks only cookies from 3rd-party websites.If you disable or don't configure
and send requests.If you enable this setting Do Not Tracker requests are always sent to websites asking for tracking info.If you disable this
n configure what default Favorites appear for your employees. If this setting is enabled you must also provide a list of Favorites in the Opti
ways visible on any page and the favorites bar toggle in Settings sets to On but disabled preventing your users from making changes. An err
ds the default Start page.When enabled the home button is locked down preventing your users from making changes in Microsoft Edge's U
dge runs InPrivate full screen InPrivate multi-tab with limited functionality or normal Microsoft Edge.You need to configure Microsoft Edge
ence deletes the current user’s browsing data.If enabled you can set the idle time in minutes (0-1440). You must set the Configure kiosk m
g the Configure Start Pages policy.- New tab page: the New tab page loads ignoring the Configure Start Pages policy.- Previous pages: all ta
ord Manager to save their passwords locally.If you disable this setting employees can't use Password Manager to save their passwords loca
you disable this setting Pop-up Blocker is turned off letting pop-ups windows appear.If you don't configure this setting employees can cho
ft Edge.If you enable this setting employees can see search suggestions in the Address bar of Microsoft Edge.If you disable this setting emp
d you must include URLs to the pages separating multiple pages using angle brackets in the following format: <support.contoso.com><su
before loading and running the content.Sites get onto the auto-allowed list based on user feedback specifically by how often the content
oks for the Enterprise Mode Site List XML file. This file includes the sites and domains that need to be viewed using Internet Explorer 11 an
scams and malicious software. By default Windows Defender SmartScreen is turned on.If you enable this setting Windows Defender Smar
Microsoft With policy. When enabled all configured start pages are editable. Any Start page configured using the Configure Start pages pol
Microsoft Edge.If you disable or don't configure this setting employees can’t sync their favorites between Internet Explorer and Microsoft E
ees can't access the about:flags page.If you disable or don't configure this setting employees can access the about:flags page.
s Defender SmartScreen warnings and they are blocked from downloading the unverified files.If you disable or don't configure this setting
ws Defender SmartScreen warnings and they are blocked from continuing to the site.If you disable or don't configure this setting employee
urity warning to sites that have SSL errors.If enabled overriding certificate errors are not allowed.If disabled or not configured overriding ce
e Favorites list. Also as part of this Save a Favorite Import settings and the context menu items (such as Create a new folder) are all turned
e this setting Microsoft Edge won't gather the Live Tile metadata providing a minimal experience when a user pins a Live Tile to the Start m
opening Microsoft Edge for the first time.If you disable or don't configure this setting employees will see the First Run page when opening
his policy users cannot uninstall extensions from their computer but they can configure options for extensions defined in this policy such a
alls using the WebRTC protocol.If you disable or don't configure this setting LocalHost IP addresses are shown while making calls using the
you can set favorite URL's and favorite folders to appear on top of users' favorites list (either in the Hub or Favorites Bar). The user favorit
enable this setting all intranet sites are automatically opened using Internet Explorer 11.If you disable or don't configure this setting all intr
d or MDM-enrolled devices. For more info see the Microsoft browser extension policy (aka.ms/browserpolicy).If you enable this setting yo
specific page is selected a custom URL loads when your user clicks the home button.Default setting: Blank or not configuredRelated policy
icy is disabled Microsoft Edge ignores the URL specified in this policy and opens about:blank.If enabled you can set the default New Tab pa
the Enterprise Mode Site List or Send all intranets sites to Internet Explorer 11 or both.If enabled the notification appears on a new page.
y to let users change the home button even when Configure Home Button or Set Home Button URL are enabled.If enabled the UI settings
tication with Windows Hello.If you enable or do not configure this policy setting users can authenticate to Windows Hello using a compan
sync provider to keep user settings synchronized between the computer and the settings storage location. This is the default value. You c
ntact IT URL.If you disable this policy setting the Company Settings Center does not display an IT Contact link.If you do not configure this po
e of any standard protocol such as http or mailto. If you disable this policy setting the Company Settings Center does not display an IT Cont
mputer and the settings storage location. If you enable this policy setting the UE-V Agent will not synchronize settings for Windows apps.If
es such as Office 2016 will be automatically registered when the UE-V Service is enabled. If this option is changed it will only take effect wh
gs Center the user-facing name for the UE-V Agent now helps to synchronize settings between their work computers.With this setting ena
vider attempts to synchronize the settings packages. If the ping is unsuccessful then the sync provider doesn’t attempt the synchronization
ormation about package file size. If you enable this policy setting specify the threshold file size in bytes. When the settings package file exc
configure this policy setting the user settings are stored in the user’s home directory if configured for your environment.
cy setting the UE-V Agent checks the specified location once each day and updates its synchronization behavior based on the templates in
nnection.With this setting enabled the UE-V Agent synchronizes settings over a metered connection.With this setting disabled the UE-V Ag
oaming connection.By default the UE-V Agent does not synchronize settings over a metered connection that is roaming.With this setting en
ly synchronizes settings of those Windows apps included in the Windows App List.With this setting enabled the settings of all Windows ap
milliseconds. If you enable this policy setting set the number of milliseconds that the system waits to retrieve settings. If you disable or do
Windows desktop settings Ease of Access settings and network printers. Use this policy setting to specify which Windows settings synchron
application Company Settings Center. Users can open the Company Settings Center by right-clicking the icon and selecting Open or by dou
nd checkpoints are normally stored only on the local computer. With this policy setting enabled the rollback information is copied to the s
licy setting to suppress the backup of specific Microsoft Access 2013 settings.If you enable this policy setting certain user settings of Micro
licy setting to suppress the backup of specific Microsoft Access 2016 settings.If you enable this policy setting certain user settings of Micro
alculator from synchronization between computers. If you enable this policy setting the Calculator user settings continue to synchronize. I
een applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific
een applications and are backed up instead of synchronizing between computers. Use the policy setting to suppress the backup of specific
setting to suppress the backup of specific Microsoft Excel 2013 settings.If you enable this policy setting certain user settings of Microsoft E
setting to suppress the backup of specific Microsoft Excel 2016 settings.If you enable this policy setting certain user settings of Microsoft E
e policy setting to suppress the backup of specific Microsoft InfoPath 2013 settings.If you enable this policy setting certain user settings of M
he user settings for Internet Explorer 10 from synchronization between computers. If you enable this policy setting the Internet Explorer 1
he user settings for Internet Explorer 11 from synchronization between computers.If you enable this policy setting the Internet Explorer 1
e user settings for Internet Explorer 8 from synchronization between computers. If you enable this policy setting the Internet Explorer 8 us
e user settings for Internet Explorer 9 from synchronization between computers. If you enable this policy setting the Internet Explorer 9 us
t Explorer synchronize between computers. Use the policy setting to prevent the user settings of Internet Explorer from synchronization b
etting to suppress the backup of specific Microsoft Lync 2013 settings.If you enable this policy setting certain user settings of Microsoft Lyn
etting to suppress the backup of specific Microsoft Lync 2016 settings.If you enable this policy setting certain user settings of Microsoft Lyn
vent the user settings of Microsoft Access 2010 from synchronization between computers. If you enable this policy setting Microsoft Acces
vent the user settings of Microsoft Access 2013 from synchronization between computers.If you enable this policy setting Microsoft Acces
vent the user settings of Microsoft Access 2016 from synchronization between computers.If you enable this policy setting Microsoft Acces
t the user settings of Microsoft Excel 2010 from synchronization between computers. If you enable this policy setting Microsoft Excel 2010
t the user settings of Microsoft Excel 2013 from synchronization between computers.If you enable this policy setting Microsoft Excel 2013
t the user settings of Microsoft Excel 2016 from synchronization between computers.If you enable this policy setting Microsoft Excel 2016
prevent the user settings of Microsoft InfoPath 2010 from synchronization between computers.If you enable this policy setting Microsoft I
prevent the user settings of Microsoft InfoPath 2013 from synchronization between computers.If you enable this policy setting Microsoft I
the user settings of Microsoft Lync 2010 from synchronization between computers. If you enable this policy setting Microsoft Lync 2010 u
the user settings of Microsoft Lync 2013 from synchronization between computers.If you enable this policy setting Microsoft Lync 2013 us
the user settings of Microsoft Lync 2016 from synchronization between computers.If you enable this policy setting Microsoft Lync 2016 us
oft Office Suite 2010 applications synchronize between computers. Use the policy setting to prevent the user settings which are common b
Use the policy setting to prevent the user settings of Microsoft Office 2013 Upload Center from synchronization between computers.If you
Use the policy setting to prevent the user settings of Microsoft Office 2016 Upload Center from synchronization between computers.If you
ities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Access 2013 will synchronize between a user’s wor
ities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Access 2016 will synchronize between a user’s wor
UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled then the user settings which are common between the Micro
UE-V. If the synchronization capabilities of Microsoft Office 365 are disabled then the user settings which are common between the Micro
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Excel 2013 will synchronize between a user’s work co
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Excel 2016 will synchronize between a user’s work co
bilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 InfoPath 2013 will synchronize between a user’s
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Lync 2013 will synchronize between a user’s work com
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Lync 2016 will synchronize between a user’s work com
bilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 OneNote 2013 will synchronize between a user’s
bilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 OneNote 2016 will synchronize between a user’s
ilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Outlook 2013 will synchronize between a user’s w
ilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Outlook 2016 will synchronize between a user’s w
pabilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 PowerPoint 2013 will synchronize between a u
pabilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 PowerPoint 2016 will synchronize between a u
lities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Project 2013 will synchronize between a user’s wo
lities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Project 2016 will synchronize between a user’s wo
bilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Publisher 2013 will synchronize between a user’
bilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Publisher 2016 will synchronize between a user’
zation capabilities of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 SharePoint Designer 2013 will synchr
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Visio 2013 will synchronize between a user’s work co
es of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Visio 2016 will synchronize between a user’s work co
ties of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Word 2013 will synchronize between a user’s work c
ties of Microsoft Office 365 are disabled then the user settings of Microsoft Office 365 Word 2016 will synchronize between a user’s work c
tting to prevent the user settings of OneDrive for Business 2013 from synchronization between computers.If you enable this policy setting O
tting to prevent the user settings of OneDrive for Business 2016 from synchronization between computers.If you enable this policy setting O
o prevent the user settings of Microsoft OneNote 2010 from synchronization between computers.If you enable this policy setting Microsoft
revent the user settings of Microsoft Outlook 2010 from synchronization between computers.If you enable this policy setting Microsoft Ou
tting to prevent the user settings of Microsoft PowerPoint 2010 from synchronization between computers.If you enable this policy setting M
event the user settings of Microsoft Project 2010 from synchronization between computers.If you enable this policy setting Microsoft Proje
o prevent the user settings of Microsoft Publisher 2010 from synchronization between computers.If you enable this policy setting Microso
Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2010 from synchronization between computers.If you e
Use the policy setting to prevent the user settings of Microsoft SharePoint Designer 2013 from synchronization between computers.If you e
ers. Use the policy setting to prevent the user settings of Microsoft SharePoint Workspace 2010 from synchronization between computers
the user settings of Microsoft Visio 2010 from synchronization between computers.If you enable this policy setting Microsoft Visio 2010 u
nt the user settings of Microsoft Word 2010 from synchronization between computers.If you enable this policy setting Microsoft Word 201
epad from synchronization between computers. If you enable this policy setting the Notepad user settings continue to synchronize. If you
e policy setting to suppress the backup of specific Microsoft OneNote 2013 settings.If you enable this policy setting certain user settings o
e policy setting to suppress the backup of specific Microsoft OneNote 2016 settings.If you enable this policy setting certain user settings o
policy setting to suppress the backup of specific Microsoft Outlook 2013 settings.If you enable this policy setting certain user settings of M
policy setting to suppress the backup of specific Microsoft Outlook 2016 settings.If you enable this policy setting certain user settings of M
Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2013 settings.If you enable this policy setting certain user se
Use the policy setting to suppress the backup of specific Microsoft PowerPoint 2016 settings.If you enable this policy setting certain user se
olicy setting to suppress the backup of specific Microsoft Project 2013 settings.If you enable this policy setting certain user settings of Micr
olicy setting to suppress the backup of specific Microsoft Project 2016 settings.If you enable this policy setting certain user settings of Micr
he policy setting to suppress the backup of specific Microsoft Publisher 2013 settings.If you enable this policy setting certain user settings o
he policy setting to suppress the backup of specific Microsoft Publisher 2016 settings.If you enable this policy setting certain user settings o
een computers. Use the policy setting to suppress the backup of specific Microsoft SharePoint Designer 2013 settings.If you enable this po
setting to suppress the backup of specific Microsoft Visio 2013 settings.If you enable this policy setting certain user settings of Microsoft V
setting to suppress the backup of specific Microsoft Visio 2016 settings.If you enable this policy setting certain user settings of Microsoft V
y setting to suppress the backup of specific Microsoft Word 2013 settings.If you enable this policy setting certain user settings of Microsoft
y setting to suppress the backup of specific Microsoft Word 2016 settings.If you enable this policy setting certain user settings of Microsoft
ordPad from synchronization between computers. If you enable this policy setting the WordPad user settings continue to synchronize. If yo
nce from synchronizing between computers.If you enable this policy setting Finance user settings continue to sync.If you disable this polic
s from synchronizing between computers.If you enable this policy setting Games user settings continue to sync.If you disable this policy se
om synchronizing between computers.If you enable this policy setting Maps user settings continue to sync.If you disable this policy setting
om synchronizing between computers.If you enable this policy setting Music user settings continue to sync.If you disable this policy settin
om synchronizing between computers.If you enable this policy setting News user settings continue to sync.If you disable this policy setting
er from synchronizing between computers.If you enable this policy setting Reader user settings continue to sync.If you disable this policy s
from synchronizing between computers.If you enable this policy setting Sports user settings continue to sync.If you disable this policy setti
rom synchronizing between computers.If you enable this policy setting Travel user settings continue to sync.If you disable this policy settin
om synchronizing between computers.If you enable this policy setting Video user settings continue to sync.If you disable this policy setting
eather from synchronizing between computers.If you enable this policy setting Weather user settings continue to sync.If you disable this p
.If you enable this setting users must sign in to the OneDrive sync client on the local computer or select to sync OneDrive or SharePoint file
e apps can’t access OneDrive using the WinRT API.* OneDrive doesn’t appear in the navigation pane in File Explorer.* OneDrive files aren’t
.* Windows Store apps can’t access OneDrive using the WinRT API.* OneDrive doesn’t appear in the navigation pane in File Explorer.* One
Users will still be able to change the value of this setting to save to OneDrive by default. They will also be able to open and save files on On
nks and Guided Help links.If you enable this policy setting active content links are not rendered. The text is displayed but there are no clicka
r their account. Enable this policy to prevent this experience from launching.If this policy is enabled the privacy experience will not launch
nate the PC.If you disable or don't configure this setting Windows when started from a Windows To Go workspace can't hibernate the PC.
ndby states to make the PC sleep.If you disable or don't configure this setting Windows when started from a Windows To Go workspace ca
To Go Startup Options Control Panel item.If you enable this setting booting to Windows To Go when a USB device is connected will be ena
n be invoked. The presentation settings icon will be displayed in the notification area. This will give users a quick and easy way to configure
g to control which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default a license server issues an
rvers running other Windows-based operating systems.A license server attempts to provide the most appropriate RDS or TS CAL for a con
his policy setting users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an R
ority recognized by the client such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy settin
tting you must specify one of the following settings:Always connect even if authentication fails: The client connects to the RD Session Host
decoding. For example if you have a problem that you suspect may be related to hardware acceleration use this setting to disable the acce
s will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings any pa
e prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Sessi
y certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a
l.If you disable or do not configure this policy setting Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols.
If you enable this policy setting you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users
rget computer can connect remotely to the target computer by using Remote Desktop Services.If you disable this policy setting users cann
connection attempts are made at five second intervals.If the status is set to Enabled automatic reconnection is attempted for all clients run
ection to an RD Session Host server the session on the RD Session Host server might remain active instead of changing to a disconnected s
currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off a
on a server. If this number is exceeded addtional users who try to connect receive an error message telling them that the server is busy an
ngle session (either active or disconnected) on that server. If the user leaves the session in a disconnected state the user automatically rec
Detect or both Connect Time Detect and Continuous Network Detect. If you disable Connect Time Detect Remote Desktop Protocol will not
You can select one of the following options: "Use both UDP and TCP" "Use only TCP" or "Use either UDP or TCP (default)" If you select "Us
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.2. Full Control with user's p
apps are registered in the background. However some apps may not work until app registration is complete.If you enable this policy settin
s audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choos
onfiguring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can record audio by using an
tion send their time zone information to the server. The server base time is then used to calculate the current session time (current session
elements which lets you use assistive technology products like Magnifier and Narrator that need to interact with the UI in order to work pr
use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default Rem
ecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By defau
connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format <driveletter> on <computername
enable this policy setting users cannot redirect their location data to the remote computer.If you disable or do not configure this policy setti
edirecting data from the remote computer to local LPT port peripherals. By default Remote Desktop Services allows LPT port redirection.I
g on to a Remote Desktop Services session.If you disable or do not configure this policy setting smart card device redirection is allowed. By
default Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices.If you disable this polic
re devices.If you enable this policy setting users cannot redirect their video capture devices to the remote computer. If you disable or do n
f you enable this policy setting you must select one of the following: High Medium or Dynamic. If you select High the audio will be sent w
splayed on an RD Session Host server after you log on as a local administrator if there are problems with RD Licensing that affect the RD Se
select one of two licensing modes: Per User or Per Device. Per User licensing mode requires that each user account connecting to this
s to locate the specified license servers. If the specified license servers cannot be located the RD Session Host server will attempt automati
the remote computer to a printer attached to their local (client) computer. By default Remote Desktop Services allows this client printer m
designates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to ove
t have a printer driver that matches the client's printer no printer will be available for the Remote Desktop Services session.If you enable t
rver first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy P
installed.Note: If you want to limit the size of an individual user profile use the "Limit profile size" policy setting located in User Configura
server. You can use this policy setting to specify a network share where user profiles can be centrally stored allowing a user to access the
e location for the home directory (network or local) from the Location drop-down list. If you choose to place the directory on a network sh
ktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder f
Host server farm. Therefore you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm n
server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use th
ng session in a load-balanced RD Session Host server farm. To participate in RD Connection Broker the Remote Desktop Session Host role
ng applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server.If you
a client connects to a remote computer even if an initial program is already specified in the default user profile Remote Desktop Connectio
uration.If you enable this policy setting you can specify which RDP compression algorithm to use. If you select the algorithm that is optimi
f you disable or do not configure this policy we will always use software encoding.
width usage with the visual quality that is delivered. If you enable this policy setting and set quality to Low RemoteFX Adaptive Graphic
xperience based on available nework bandwidth.If you enable this policy setting the RemoteFX experience could be set to one of the follo
designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec.If you enable thi
ion. By default Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop depending on the clien
that uses RDP. Limiting the color depth can improve connection performance particularly over slow links and reduce server load.If you ena
ession can improve connection performance particularly over slow links and reduce server load.If you enable this policy setting you must s
an improve connection performance particularly over slow links and reduce server load.If you enable this policy setting you can specify the
nnection where both the client and server can use H.264/AVC 444.
amiliar method to disconnect their client from an RD Session Host server.If you enable this policy setting "Disconnect" does not appear as
vices inadvertently.If the status is set to Enabled Windows Security does not appear in Settings on the Start menu. As a result users must t
default Remote Desktop Services sessions provide access to the full Windows desktop unless otherwise specified with this setting by the s
emoteApp programs and does not apply to remote desktop sessions.If you enable or do not configure this policy setting RemoteApp progr
are graphics renderer instead of the Microsoft Basic Render Driver as the default adapter.If you disable this policy setting all Remote Desk
play driver.If you disable this policy setting Remote Desktop Connections will NOT use WDDM graphics display driver. In this case the Rem
When deployed on an RD Virtualization Host server RemoteFX delivers a rich user experience by rendering content on the server by using
al experience.By default Remote Desktop Services sessions are optimized for rich multimedia such as applications that use Silverlight or Wi
bandwidth usage with the type of graphics experience that is delivered.Depending on the requirements of your users you can reduce netw
Desktop Services even if they already provided the password in the Remote Desktop Connection client.By default Remote Desktop Servic
making changes to the user groups allowed to connect remotely to the RD Session Host server. By default administrators are able to make
munication with clients by allowing only authenticated and encrypted requests.If the status is set to Enabled Remote Desktop Services ac
you enable this policy setting all communications between clients and RD Session Host servers during remote connections must use the se
ty by requiring that user authentication occur earlier in the remote connection process.If you enable this policy setting only client comput
henticate an RD Session Host server when TLS 1.0 1.1 or 1.2 is used to secure communication between a client and an RD Session Host ser
olicy only applies when you are using native RDP encryption. However native RDP encryption (as opposed to SSL encryption) is not recomm
the user is logged off and the session is deleted from the server) after time limits for active or idle sessions are reached. By default Remot
policy setting you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect acti
ect the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the sp
mains active on the server. By default Remote Desktop Services allows users to disconnect from a Remote Desktop Services session witho
e computer even if the user logs off from a session. By default Remote Desktop Services deletes a user's temporary folders when the user
mote computer for each session. By default Remote Desktop Services creates a separate temporary folder for each active session that a us
ed list in the Favorites Center.If you disable or do not configure this policy setting the user can access the feed list in the Favorites Center.
eive a notification on the toolbar that a feed or Web Slice is available.If you disable or do not configure this policy setting the user receives
nload an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs.If you disabl
e disabled and access to Web Slices is turned off. A developer cannot add a feed or Web Slice or delete a feed or Web Slice by using the Fe
ff.If you disable or do not configure this policy setting the user can synchronize feeds and Web Slices in the background.
henticates feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection.If you disable or
ust provide the following:1) A name for the scope such as 'Intranet'.2) The URL to the search service. Use $w in place of the query term for
me1url1;name2url2;...nameNurlNFor example:MySearchhttp://mysearch.aspx?q=$w;MySearch2http://mysearch2?q=$w.For each search
When Cortana is off users will still be able to use search to find things on the device.
eech while the system is locked.If you disable this setting the system will need to be unlocked for the user to interact with Cortana using s
ng the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores.
this policy setting words with diacritics and words without diacritics are treated as identical words. This policy setting is not configured by
tection to index (as it did in Windows 7). Using automatic language detection can increase memory usage. We recommend enabling this p
bmp;.emf;.gif;.jpg;.jpeg;.png;.wmf;.wrn;.txt;.err;.xml;.cpp;.c;.h;.cxx;.hxx;.idl;.cs;.vb;.idl;.xsd;.doc;.docx;.xls;.xlsx;.ppt;.pptx;.vsd;.xlsb;.xltx;.d
system activity is high. Default is disabled.

locations on removable drives cannot be indexed.If you disable or do not configure this policy setting locations on removable drives can b
default browser search engine.
e web and web results won't be displayed when a user performs a query in Search.If you disable this policy setting queries will be perform
won't be performed on the web over metered connections and web results won't be displayed when a user performs a query in Search.If
ache portions of delegate mailboxes locally (for example contacts or a calendar). This policy will not affect portions of a delegate mailbox t
ders. Disabling this policy will block any indexing of uncached Exchange folders. Delegate mailboxes are managed separately from online m
l be on the corresponding Microsoft Exchange server. The default value for this policy is 120 items per minute. To lower the burden on Mi
ll not be removed.When this policy is disabled or not configured users will be able to add UNC locations to the index.This policy has no effe
e default behavior is to allow users to add and remove new locations to the locations menu. When the policy is enabled the Add and Remo
Windows Search does not automatically add shares created on the computer to the scope of the index.If you disable or do not configure
lient search requests will use this computer's index. Default is disabled.
ng users can index any path not restricted by other policies but their original list of paths to index is not restored.
ments. Consider enabling this policy if you are concerned about the security or indexing performance of non-Microsoft document filters (iFi
nd the user will not see them in search results.

up Policy Object Editor require this list to be split across multiple values. Desktop Search combines all these into a single exclusion list.Whe
re only indexed when using Outlook 2003 or later. The user must be running in cached mode and the Download Public Folder Favorites op
ons in the Control Panel cannot be opened.If you disable or do not configure this policy setting users can acess the Advanced Options dialo
being installed nor will it prevent them from being used by other applications or services. You can also specify an allow list of add-ins by p
enabling this policy to turn off the preview pane if your environment does not support Office XP or later. The full preview pane functional
cause your organization does not support Office XP or above you should enforce the large icon view so that users can see snippets related
ble to change: -Strict: Filter out adult text images and videos from search results; -Moderate: Filter adult images and videos but not tex
d location: Share a user's search history some Microsoft account info and specific location to personalize their search and other Microsoft e
policy if computers in your environment have extremely limited hard drive space.When this policy is disabled or not configured Windows
d notifies the user when the computer might be at risk. The Security Center Control Panel category view also contains a status section whe
ogon sessions for the number of minutes specified.If you disable or do not configure this policy setting the default timeout value is 3 minut
ws Server 2003 system.If you enable this policy setting the system does not create the named pipe remote shutdown interface.If you disab
e an enhanced key usage (EKU) extension with a smart card logon object identifier. This policy setting can be used to modify that restrictio
can be used to log on to a domain.If you disable or do not configure this policy setting ECC certificates on a smart card cannot be used to
feature. Please check with your hardware manufacturer to see if your smart card supports this feature.If you enable this policy setting the
y key will be listed on the logon screen.If you disable or do not configure this policy setting any available smart card signature key-based ce
nd not be expired. The certificate must still be accepted by the domain controller in order to be used. This setting only controls the display
tificate with that user.If you enable this policy setting then an optional field that allows a user to enter their user name or user name and d
not configure this setting then root certificate clean up will occur on log off.
. Note: The following policy setting must be enabled - Allow Integrated Unblock screen to be displayed at the time of logon.If you disable
plate. This can cause confusion as to which certificate to select for logon. The common case for this behavior is when a certificate is renew
s retrieval of all certificates in a single call. This setting forces Windows to read all the certificates from the card. This can introduce a sign
ll be displayed when a smart card device driver is installed.If you disable this policy setting a confirmation message will not be displayed w
s policy setting plaintext PINs can be returned by Credential Manager.Note: Enabling this policy setting could prevent certain smart cards f
on name to help users distinguish one certificate from another. For example if the certificate subject was CN=User1 OU=Users DN=examp
ou insert your smart card.If you disable this policy setting certificate propagation will not occur and the certificates will not be made availa
ur when you insert your smart card. Note: For this policy setting to work the following policy setting must also be enabled: Turn on certific
o install a Smart Card device driver when a card is inserted in a Smart Card Reader for the first time.If you disable this policy setting Smart
bled (Windows registration and reactivation is not allowed) - Enabled (Windows registration is allowed)
. If you disable or do not configure this policy setting KMS client activation data will be sent to Microsoft services when this device activa
ed as an audio file.If you enable this policy setting Sound Recorder will not run.If you disable or do not configure this policy setting Sound R
The models are periodically updated to improve accuracy and performance. Models are non-executable data files. If enabled (default) the
ng applies only to Enterprise and Education editions of Windows.
w apps in the private store.If you disable or don't configure this setting users can access the retail catalog in the Microsoft Store.
atic download and installation of app updates is turned on.If you don't configure this setting the automatic download and installation of ap
ownload of app updates is turned on.If you don't configure this setting the automatic download of app updates is determined by a registr
figure this setting the Store application will offer updates to the latest version of Windows.
setting access to the Store application is allowed.
off and none of the "sync your setting" groups will be synced on this PC.Use the option "Allow users to turn syncing on" so that syncing it
ettings" group will not be synced.Use the option "Allow users to turn app settings syncing on" so that syncing it turned off by default but n
c" group will not be synced.Use the option "Allow users to turn app syncing on" so that syncing it turned off by default but not disabled.If
ike history and favorites.If you enable this policy setting the "browser" group including info like history and favorites will not be synced.Us
policy setting the "desktop personalization" group will not be synced.Use the option "Allow users to turn desktop personalization syncing
u enable this policy setting syncing on metered connections will be turned off and no syncing will take place when this PC is on a metered
policy setting the "Other Windows settings" group will not be synced.Use the option "Allow users to turn other Windows settings syncing
ds" group will not be synced.Use the option "Allow users to turn passwords syncing on" so that syncing it turned off by default but not dis
nalize" group will not be synced.Use the option "Allow users to turn personalize syncing on" so that syncing it turned off by default but not
e "Start layout" group will not be synced. Use the option "Allow users to turn start syncing on" so that syncing is turned off by default b
o it will fail.If you disable this policy you will be able to use this feature to print to a Journal Note.If you do not configure this policy users w
ipping Tool will run.
indows Journal accessory will run.
e shown instead of the pen cursors.If you disable or do not configure this policy visual feedback and pen cursors will be shown unless the u
disable this policy Back->ESC mapping will occur.If you do not configure this policy Back->ESC mapping will occur.
om the drop down menu for configuring button actions (in the Tablet PC Control Panel buttons tab).If you disable this policy applications c
ay the following text: "Some settings are controlled by Group Policy. If a setting is unavailable contact your system administrator."If you d
nd OEM defined button actions will occur when the buttons are pressed.If you do not configure this policy user and OEM defined button a
oard and the handwriting tab when the feature is available for the current input area and input language.Touch Keyboard and Handwriting
Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyb
el is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard short
al) Japanese and Korean. This setting appears in Input Panel Options (in Windows 7 and Windows Vista only) only when these input langua
numbers or keyboard shortcuts.If you enable this policy Input Panel tab will not appear on the edge of the Tablet PC screen. Users will no
dwriting or an on-screen keyboard to enter text symbols numbers or keyboard shortcuts.If you enable this policy application auto complet
eventing users from switching to another Input Panel skin (the writing pad or character pad) and not showing what keys are tapped when
ant gestures let users scratch out ink in Input Panel by using strikethrough and other scratch-out gesture shapes. Tablet PC Input Panel
d to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks noti
in Internet Explorer the pen flicks notification and the pen flicks tray icon.If you disable or do not configure this policy pen flicks and relate
will not be able to use touch input or touch gestures such as tap and double tap the touch pointer and other touch-specific features.If you
ging up or down directly on the scrolling content.If you enable this setting the user will not be able to pan windows by touch. If you disable
ing users.The checkbox when checked instructs Task Scheduler to automatically open the newly created task's property sheet upon compl
right-click a task. As a result users cannot change any properties of a task. They can only see the properties that appear in Detail view and
manually or force tasks to end before they are finished.Note: This setting appears in the Computer Configuration and User Configuration fo
and from the Task tab of the properties dialog box for a task. Also users cannot edit the "Run" box or the "Start in" box that determine th
menu in Scheduled Tasks. It also disables the drag-and-drop features of the Scheduled Tasks folder.As a result users cannot add new sche
r documents into the Scheduled Tasks folder.Note: This setting appears in the Computer Configuration and User Configuration folders. If b
ht-click a task. Also the system does not respond when users try to cut or drag a task from the Scheduled Tasks folder.Note: This setting ap
ants according to a policy set in your Azure AD tenant.Note: Creation of a policy in your home tenant is required and additional security m
age is uninstalled. The language can be reinstalled with a different selection of included language features if needed. When this policy setti
tically unless you turn it off.

Calendar will be turned off.If you disable or do not configure this setting Windows Calendar will be turned on.The default is for Windows
or do not configure this policy setting all users can install new color profiles. Standard users can uninstall color profiles that they previous
erations Manager server.If you do not configure this setting uploads are not redirected to a Microsoft Operations Manager server.
o not configure this setting or disable it then CEIP data will not be tagged with the Study Identifier.
you enable this setting you must choose from the following behaviors: - Turn off app recommendations - Show me app recommenda
arning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized
scams and malicious software. By default Windows Defender SmartScreen is turned on.If you enable this setting Windows Defender Smar
ws Defender SmartScreen warnings and they are blocked from continuing to the site.If you disable or don't configure this setting employee
s or additional data other than memory dumps.If you enable or do not configure this policy setting any memory dumps generated for erro
ng. To turn Windows Error Reporting on or off see the Turn off Windows Error Reporting policy setting in Computer Configuration/Adminis
d in the system event log.If you disable or do not configure this policy setting Windows Error Reporting events and errors are logged to the
.If you enable this policy setting Windows Error Reporting does not send any problem information to Microsoft. Additionally solution infor
ay more details about the error. If the Configure Error Reporting policy setting is also enabled the user can also report the error.If you disa
o a Windows Error Reporting report are automatically declined without notification to the user.If you disable or do not configure this policy
he server.If you enable this policy setting WER does not throttle data; that is WER uploads additional CAB files that can contain data about
alog boxes for critical errors.If you disable this policy setting Windows Error Reporting displays the GUI-based error messages or dialog box
tions but does not upload additional report data until the computer is connected to a more permanent power source.If you enable this pol
es not check for network cost policy restrictions and transmits data even if network cost is restricted.If you disable or do not configure this
or IP address of an error report destination server on your organization’s network. You can also select Connect using SSL to transmit error
re all all data collected for each error report is stored in the appropriate location. If Archive behavior is set to Store parameters only only th
hen the Queuing behavior pull-down list is set to Default Windows determines when a problem occurs whether the report should be place
the Default pull-down menu to report either all application errors (the default setting) or no application errors.If the Report all errors in M
r the Exclude errors for applications on this list setting and then add or remove applications from the list of application file names in the Sh
at are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors click Show an
that are never included in error reports. To create a list of applications for which Windows Error Reporting never reports errors click Show
f you disable this policy setting operating system errors are not included in error reports.If you do not configure this policy setting users ca
you disable this policy setting unplanned shutdown events are not included in error reporting.If you do not configure this policy setting us
he Consent level settings that are available in the pull-down menu in this policy setting:- Always ask before sending data: Windows prompt
ent types in the Value Name column of the Show Contents dialog box. Event types are those for generic non-fatal errors: crash no respons
g always override any other consent policy setting.If you disable or do not configure this policy setting custom consent policy settings for e
f the setting is enabled or not configured then Recording and Broadcasting (streaming) will be allowed.
r to enumerate all Windows Hello for Business credentials but still require each user to provide their own factors for authentication.If you
he unlock factors you should also configure a comma separated list of signal rules in the form of xml for each signal type to be verified.If y
vice.If you disable or do not configure this policy setting users can continue to lock with existing locking options.For more information see:
s Hello for Business credentials that are not compatible with smart card applications.If you disable or do not configure this policy setting W
provisioning only occurs on devices with usable 1.2 or 2.0 TPMs. You can optionally exclude security devices which prevents Windows Hel
nable or do not configure this policy setting Windows Hello for Business allows the use biometric gestures.If you disable this policy setting
rtificate that is used for on-premises authentication.If you disable or do not configure this policy setting Windows Hello for Business will us
etrieved from authenticating to Azure for on-premises authentication.If you disable or do not configure this policy setting Windows Hello f
user's personal accounts on the device. To achieve this the Azure-based PIN recovery service encrypts a recovery secret which is stored o
you enable this policy the device provisions Windows Hello for Business using keys or certificates for all users.If you disable this policy setti
private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates.If you dis
ypassed. It permits installations to complete that otherwise would be halted due to a security violation.If you disable or do not configure t
an search for installation files even when the installation program is running with elevated system privileges.Because the installation is run
es. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for m
s floppy disks and CD-ROMs even when the installation program is running with elevated system privileges.This policy setting does not aff
usually reserved for programs that have been assigned to the user (offered on the desktop) assigned to the computer (installed automati
difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media
ome upgrades to fail. Upgrades can fail if they attempt to do one of the following:(1) Remove a component from a feature.This can also o
UI is allowed to run.
t browser tries to install a program on the system the system warns users and allows them to select or refuse the installation.If you enable
grades that replace only those program files that have changed. Because patches can be easy vehicles for malicious programs some install
s policy setting it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is prim
plication to create digitally signed updates that can be applied by non-privileged users.If you enable this policy setting only administrators
le is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators.If you
from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer fr
tion or update.If you enable this policy setting you can use the options in the Prohibit Use of Restart Manager box to control file in use dete
f the policy setting is enabled and "Allow User Installs" is selected the installer allows and makes use of products that are installed per use
e feature from" list in the Windows Installer dialog box is disabled. As a result users must select an installation file source from the "Use fe
setting the transform file is saved in a secure location on the user's computer.If you do not configure this policy setting on Windows Server
y setting you can specify the types of events you want Windows Installer to record. To indicate that an event type is recorded type the lett
rs to a previous state without losing personal data files.If you enable this policy setting the Windows Installer does not generate System Re
e package.If you enable this policy setting you can use the options in the Disable logging via package settings box to control automatic log
utesShared attribute in the Component Table.If you disable or do not configure this policy setting by default the shared component functio
y a system administrator. You can use the options in the Disable Windows Installer box to establish an installation setting.-- The "Never" o
matically after a restart” policy then automatic sign on will not occur and this policy does not need to be configured.If you enable this polic
mode software cannot simulate the SAS.If you set this policy setting to "Services" services can simulate the SAS.If you set this policy setting
ows Server 2008 functional level if you enable this setting a message appears after the user logs on that displays the date and time of the
notification popup will be displayed to the user when the user logs on with cached credentials.If disabled or not configured no popup will b
dn’t sign out before the restart or shutdown. If the device is joined to Active Directory or Azure Active Directory this policy only applies to
uisition and security upgrades.When this policy is enabled programs are not able to acquire licenses for secure content upgrade Windows
n skin mode. In addition the option on the Player tab in the Player that enables users to choose whether the anchor window displays is no
t time a user starts Windows Media Player.This policy setting prevents the dialog boxes which allow users to select privacy file types and o
disable or do not configure this policy setting users can choose whether to add the Player shortcut icon to their desktops.
Media Player with other computers and devices that are on the same network. Media sharing is disabled from Windows Media Player or fro
bar.If you disable or do not configure this policy setting the user can choose whether to add the shortcut for the Player to the Quick Launc
In addition the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is cleared and is not available.If
ssenger can be used.Note: If you enable this policy setting Remote Assistance also cannot use Windows Messenger.Note: This policy settin
not configure this policy setting Windows Messenger will be loaded automatically at logon.Note: This policy setting simply prevents Windo
nts and the .exe file does not launch it.If you disable this policy setting the user is able to invoke Windows Mobility Center and the .exe file
t value for the SourcePath parameter. This default value can be overridden by specifying a different value with the SourcePath parameter
Windows PowerShell log in Event Viewer. Enabling this policy setting for a module is equivalent to setting the LogPipelineExecutionDetails
ng of commands script blocks functions and scripts - whether invoked interactively or through automation. If you disable this polic
or Windows PowerShell the Windows PowerShell ISE and any other applications that leverage the Windows PowerShell engine. By def
ow only signed scripts" policy setting allows scripts to execute only if they are signed by a trusted publisher.The "Allow local scripts and rem
Maintenance control panel and to respond to WMI requests.If you enable or do not configure this policy setting the listed providers will r
inRM is configured to use HTTP transport the user name and password are sent over the network as clear text.If you disable or do not con
n.If you disable or do not configure this policy setting the WinRM client does not use CredSSP authentication.
ient sends and receives unencrypted messages over the network.If you disable or do not configure this policy setting the WinRM client se
cation.If you disable or do not configure this policy setting the WinRM client uses Digest authentication.
(WinRM) client does not use Kerberos authentication directly. Kerberos can still be used if the WinRM client is using the Negotiate authen
uthentication.If you disable or do not configure this policy setting the WinRM client uses Negotiate authentication.
ble this policy setting the WinRM client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. Th
e accepts Basic authentication from a remote client. If you disable or do not configure this policy setting the WinRM service does not a
vice accepts CredSSP authentication from a remote client. If you disable or do not configure this policy setting the WinRM service doe
u enable this policy setting the WinRM service automatically listens on the network for requests on the HTTP transport over the default HT
client sends and receives unencrypted messages over the network.If you disable or do not configure this policy setting the WinRM client s
oes not accept Kerberos credentials over the network. If you disable or do not configure this policy setting the WinRM service accepts
ervice does not accept Negotiate authentication from a remote client. If you disable or do not configure this policy setting the WinRM
service will not allow the RunAsUser or RunAsPassword configuration values to be set for any plug-ins. If a plug-in has already set the Run
ses the level specified in HardeningLevel to determine whether or not to accept a received request based on a supplied channel binding to
ner always appears. If you disable or do not configure this policy setting the HTTP listener never appears. When certain port 80 list
tener always appears. If you disable or do not configure this policy setting the HTTPS listener never appears. When certain port 443
e shell connections are rejected by the server.
he new shell connections are rejected if they exceed the specified limit.If you disable or do not configure this policy setting the default num
60000 milliseconds (1 minute) is used for smaller values.If you enable this policy setting the server will wait for the specified amount of tim
0 equals unlimited memory which means the ability of remote operations to allocate memory is only limited by the available virtual memo
mber of process per shell. Zero (0) means unlimited number of processes.If you disable or do not configure this policy setting the limit is fiv
hells.If you enable this policy setting the user cannot open new remote shells if the count exceeds the specified limit.If you disable or do no
uire this setting.If you disable this policy setting Windows Sandbox will not be able to receive audio input from the user. Applications using
g copy and paste in and out of Sandbox will be restricted.If you do not configure this policy setting clipboard sharing will be enabled.
creating a virtual switch on the host and connects the Windows Sandbox to it via a virtual NIC.If you disable this policy setting networking
ws Sandbox will not be able to view printers from the host.If you do not configure this policy setting printer redirection will be disabled.
are rendering which can be slower than virtualized GPU.If you do not configure this policy setting vGPU will be enabled. Note that enabling
s Sandbox. Applications using video input may not function properly in Windows Sandbox.If you do not configure this policy setting video i
Same as Disabled.
n. Not configured: Same as Disabled.
Local users are allowed to make changes in the Exploit protection settings area. Not configured: Same as Disabled.
l be shown. Not configured: Same as Disabled.
Same as Disabled.
TPM) troubleshooting area will be shown. Not configured: Same as Disabled.

Users will see a recommendation to update their TPM Firmware if Windows Security detects the system contains a TPM with vulnerable fi
ecurity. After setting this to Enabled you must configure the Specify contact company name GP setting and at least one of the following
ty. After setting this to Enabled you must configure the Specify contact company name GP setting and at least one of the following GP
y name in the Options section. Disabled: Company information will not be shown at all in either Windows Security or any notificati
ified address. The default email application will be used. Enabled: Enter the email address or email ID in the Options section. D
ype will be used to initiate the call. Enabled: Enter the phone number or Skype ID in the Options section. Disabled: A conta
Enabled: Enter the URL in the Options section. Disabled: A contact website URL will not be shown in either Windows Secu
will be shown. Not configured: Same as Disabled.

. Not configured: Same as Disabled.
fications from Windows Security. They will not see other types of notifications such as regular PC or device health information. Disable
ecurity notification area control will be hidden. Disabled: Windows Security notification area control will be shown. Not configu
Not configured: Same as Disabled.
ely install these updates once they are downloaded and ready to install.If the status is set to Disabled such updates will not be installed im
Automatic Update and Microsoft Update will include non-administrators when determining which logged-on user should receive update n
lt period will be used.
he notification is automatically dismissed after 25 seconds.The method can be set to require user action to dismiss the notification.If you d
ne has been reached and the restart is automatically executed.Specifies the amount of time prior to a scheduled restart to display the war
stallation is finished.If the status is set to Disabled or Not Configured the default wait time is 15 minutes.Note: This policy applies only wh
t shut down choice (Hibernate Restart etc.) is the default option in the Shut Down Windows dialog box regardless of whether the 'Install U
Windows Update while update deferral policies are enabled.Note: This policy applies only when the intranet Microsoft update service this
will not appear as a choice in the Shut Down Windows dialog box even if updates are available for installation when the user selects the S
l only automatically wake up the system if Windows Update is configured to install updates automatically. If the system is in sleep when th
atus is set to Enabled Automatic Updates will not restart a computer automatically during a scheduled installation if a user is logged in to t
tes after the previous prompt for restart was postponed. If the status is set to Disabled or Not Configured the default interval is 10 min
allation that did not take place earlier will occur the specified number of minutes after the computer is next started.If the status is set to D
not configure this policy the PC will restart according to the default schedule.Enabling either of the following two policies will override the
0 days from the time the restart becomes pending.You can specify the number of days a user can snooze Engaged restart reminder notific
otifications.If you disable or do not configure this policy the default notification behaviors will be unchanged.
mended updates as well as important updates from Windows Update update service.When disabled or not configured Automatic Updates
lue and promote the installation and use of optional software. This policy setting is intended for use in loosely managed environments in w
can be configured to start with any value from 15 to 180 minutes. When the timer runs out the restart will proceed even if the PC has sign
s you specify whether automatic updates are enabled on this computer. If the service is enabled you must select one of the four options in
ndows Update notifications users see. This policy doesn’t control how and when updates are downloaded and installed.Important: if you c
figure this policy the default max active hours range will be used.
eature updates and quality updates to meet your compliance goals. Updates will be downloaded and installed as soon as they are offered
ffect.If you disable or do not configure this policy and have no other reboot group policies the user selected active hours will be in effect.If
enable this policy setting Automatic Updates accepts updates received through an intranet Microsoft update service location if they are si
tatus is set to Enabled Windows will check for available updates at the specified interval. If the status is set to Disabled or Not Configur
Windows Update and other services like Microsoft Update or the Windows Store.Enabling this policy will disable that functionality and ma
ntranet Microsoft update service which uses it to determine which updates should be deployed to this computer.If the intranet Microsoft
your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the
updates from the Windows Server Update Service you must have properly configured an intranet Microsoft update service location via th
oyed to affected devices until the issue is resolved. Enabling this policy can allow an organization to deploy the Feature Update to devices
ve development branch that is earliest in a development cycle. These builds are not matched to a specific Windows 10 release.Beta Chann
quent scans.Entering a target product and clicking OK or Apply means I accept the Microsoft Software License Terms for it found at aka.m
hannels and up to 365 days for the Semi-Annual Channel. Or if the device is updating from the Semi-Annual Channel a version for the devic
arily pause quality updates. The pause will remain in effect for 35 days or until you clear the start date field.To resume receiving Quality Up
of the affected computer. This prevents users from choosing not to use Work Folders on the computer; it also prevents them from manu
d page via URI context menu in Explorer or other means will result in the front page of Settings being shown instead.This policy has two m
ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch the keyboard or by d
hose colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text.
fied image as the default for all users (it replaces the inbox default image).To use this setting type the fully qualified path and name of the
cannot change it. If the specified background is not supported the default background is used.
d logon image and they will instead see the default image.
change them.If the "Force a specific background and accent color" policy is also set on a supported version of Windows then those colors
gs and the camera cannot be invoked on the lock screen.
ll ever start.
ccelerometer) the user will see the lock screen background pan around a still image as they physically move their device.
be disabled and users cannot enable speech services via settings.
any user on that system. If you disable or do not configure this policy setting language packs that are installed as part of the system im
target computer or you disable this policy setting the language selection defaults to the language selected by the local administrator.If you
If you enable this policy setting the installation of language packs and language features is prevented for all users. If you disable or do
rator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages
ected includes all outgoing messages in Windows Mail and MAPI enabled email clients as well as URLs from the Internet Explorer browser
ount Pictures\user.jpg. The default guest picture is stored at %PROGRAMDATA%\Microsoft\User Account Pictures\guest.jpg. If the defaul
d expiration time may be longer than required by "Password Settings" policy.
Maximum: 365 days Default: 30 days

abled (recommended): Applies UAC token-filtering to local accounts on network logons. Membership in powerful group such as Administr
" prevents the Flash control from being loaded whether directly referenced by the document or indirectly by another embedded object.2.
Configure LanmanWorkstation dependencies" text box enter the following three lines of text:BowserMRxSmb20NSITo restore the default
8R2 and 2012 you must also configure the "Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2)" setting.To restore defa
disable this setting the system will not limit installation of print drivers to this computer.Additional Information: https://support.microsoft
uter queries the name server first and then broadcasts.Resolution through LMHOSTS or DNS follows these methods. If the NodeType valu
sabled: Restores the Windows default behavior for "Run As Different User."
ot execute legacy JScript for the Internet or Restricted Sites zones and users aren’t notified by the application that legacy JScript execution
s Server 2012 R2; it is enabled by default in earlier versions of Windows and Windows Server.Update KB2871997 must first be installed to
cover domain controllers. This value is specified in minutes.If you disable or do not configure this policy setting the default value of 15 min
makes them available to other BITS peers. When transferring a download job BITS first requests the files for the job from its peers in the sa
anch Cache. If you disable or do not configure this policy setting the BITS client uses Windows Branch Cache. Note: This policy se
uter will no longer use the BITS peer caching feature to download files; files will be downloaded only from the origin server. However the c
uter will no longer cache downloaded files and offer them to its peers. However the computer will still download files from peers. If y
ecify in days the maximum age of files in the cache. You can enter a value between 1 and 120 days. If you disable or do not configure
the total system disk for the peercache. If you enable this policy setting you can enter the percentage of disk space to be used for the
By default BITS uses a maximum download time of 90 days (7776000 seconds). If you enable this policy setting you can set the max
ndwidth to 10 Kbps from 8:00 A.M. to 5:00 P.M. and use all available unused bandwidth the rest of the day's hours. If you enable this
work interface. For example if a computer has both a 100 Mbps network card and a 56 Kbps modem and both are active BITS will use a ma
maximum number of BITS jobs a user can create to the specified number. If you disable or do not configure this policy setting BITS wi
tting BITS will limit the maximum number of BITS jobs to the specified number. If you disable or do not configure this policy setting BIT
pecified number. If you disable or do not configure this policy setting BITS will use the default value of 200 for the maximum number
can be added to a file to the specified number. If you disable or do not configure this policy setting BITS will limit ranges to 500 range
tting you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly config
define a separate set of network bandwidth limits and set up a schedule for the maintenance period. You can specify a limit to use for
not defined in a work schedule are considered non-work hours. If you enable this policy setting you can set up a schedule for limiting
are deleted from the disk. Note: Any property changes to the job or any successful download action will reset this timeout. Con
ent from the main office over a Wide Area Network (WAN) link. When you configure a value for this setting which is the maximum round
sing different versions of BranchCache might store cache data in incompatible formats.If you enable this policy setting all clients use the v
servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configu
hich the policy setting is applied search for hosted cache servers using Active Directory and will prefer both these servers and hosted cach
onSelect one of the following:- Not Configured. With this selection BranchCache client computer cache age settings are not applied to clien
t from BranchCache-enabled main office content servers cache the content locally and serve the content to other BranchCache distributed
nt it is able to download cached content from a hosted cache server that is located at the branch office. In addition when the hosted cach
to 5 percent of the total disk space on the client computer.Policy configurationSelect one of the following:- Not Configured. With this sele
BranchCache Distributed Cache mode- Set BranchCache Hosted Cache mode- Configure Hosted Cache ServersPolicy configurationSelect on
alified domain name (FQDN) that resolves to an IPv6 address or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:200
y is “Corporate Connection”.
DirectAccess client computer connection is using. In default configurations of DirectAccess there are typically two IPsec tunnel endpoints: o
whatever normal name resolution is available to the client computer in its current network configuration including sending all DNS querie
he generated log files as a .html file. The user can review the message and add additional information before sending the message.
access. If this setting is not configured the entry for DirectAccess connectivity appears.
erver.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot.For example if attaching suffixes is
configure this policy setting NetBT queries will only be issued for single-label names such as "example" and not for multi-label and fully q
e following options from the drop-down list:Prohibit DoH: No DoH name resolution will be performed.Allow DoH: Perform DoH queries if t
d to all network connections used by computers that receive this policy setting.If you disable this policy setting or if you do not configure th
o use this policy setting you must enter at least one IP address.If you enable this policy setting the list of DNS servers is applied to all netw
ers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example a DNS query for the
rk connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a networ
ot converted to the Nameprep form.
LLMNR) and NetBIOS over TCP/IP (NetBT).If you enable this policy setting responses from link local protocols will be preferred over DNS re
receive it you must restart Windows.If you enable this policy setting it supersedes the primary DNS suffix configured in the DNS Suffix and
is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a quer
uffix and so on stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when
performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary D
will be determined by the option that you choose under Register PTR records.To use this policy setting click Enabled and then select one of
n if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be autom
e records and does not allow a DNS client to overwrite records that are registered by other computers.During dynamic update of resource
e applied to DNS resource records registered for all network connections used by computers that receive this policy setting.If you disable t
gured IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
LMNR enabled. LLMNR does not require a DNS server or DNS client configuration and provides name resolution in scenarios in which conv
the network binding order is used to determine which response to accept.If you enable this policy setting the DNS client will not perform a
you enable this policy setting the DNS client will prefer DNS responses followed by LLMNR followed by NetBT for all networks. If you disa
c updates.Only secure - computers send only secure dynamic updates.If you enable this policy setting computers that attempt to send dyn
the authoritative zone is a top-level domain or root zone.If you enable this policy setting computers send dynamic updates to any zone th
ta if needed to format or render text. If you disable this policy setting Windows does not connect to an online font provider and only e
matically on subsequent attempts. Credentials can also be configured by network operators.If you enable this policy setting or if you do no
e order is used.SMB 3.11 cipher suites:AES_128_GCMAES_128_CCMAES_256_GCMAES_256_CCMSMB 3.0 and 3.02 cipher suites:AES_128
s installed.Policy configurationSelect one of the following:- Not Configured. With this selection hash publication settings are not applied to
supported content information for that version is the only type that is generated by BranchCache and it is the only type of content inform
not configure this policy setting the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher
e order is used.SMB 3.11 cipher suites:AES_128_GCMAES_128_CCMAES_256_GCMAES_256_CCMSMB 3.0 and 3.02 cipher suites:AES_128
ogons are used by file servers to allow unauthenticated access to shared folders. While uncommon in an enterprise environment insecure
ly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files. If you disable or do not configure
A-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible. If you disable or do not configure
his policy setting additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" optio
ch as bandwidth estimation and network health analysis.If you enable this policy setting additional options are available to fine-tune your
aker than what would be allowed for a login password.This setting controls this validation behavior. If set to 1 then this validation will not
be turned off.If you disable this setting or do not configure it the peer-to-peer protocols will be turned on.
s cannot detect that client and initiate sessions with it.If you enable this policy setting this computer cannot register PNRP names and can
peer to peer can be used as a seed server. No configuration is needed for the seed server itself.This setting provides the added flexibility o
by using multicast on the same subnet. That is PNRP publishes itself on the local subnet so that other computers can find it when needed
eer (P2P) connections. The PNRP cloud is a group of connected PNRP nodes in which connections exist between peers so that a node in th
ws for setting the seed server to a specified node in an enterprise.To use this setting click Enable and then enter a semicolon-delimited list
f is by using multicast on the same subnet. That is PNRP publishes itself on the local subnet so that other computers can find it when need
ws for setting the seed server to a specified node in an enterprise.To use this setting click Enable and then enter a semicolon-delimited list
f is by using multicast on the same subnet. That is PNRP publishes itself on the local subnet so that other computers can find it when need
ser is connected to a network with local access only.
work other than the one it was connected to when the setting was refreshed this setting does not apply.The Network Bridge allows users t
is connected to the same DNS domain network it was connected to when the setting was refreshed on that computer. If a computer is co
resolution and addressing through DHCP to the local private network.If you enable this setting ICS cannot be enabled or configured by adm
nnel that DirectAccess establishes between the computer and the internal network or directly through the local default gateway.If you ena
t block its unsolicited messages. This policy setting overrides other policy settings that would block those messages.If you disable or do no
indows Defender Firewall blocks echo request messages sent by Ping running on other computers but it does not block outbound echo re
the IP addresses or subnets from which these incoming messages are allowed. In the Windows Defender Firewall component of Control P
cedure calls (RPC) and Distributed Component Object Model (DCOM). Additionally on Windows XP Professional with at least SP2 and Wind
which these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel the "Remote Desktop" check
uter can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. I
etting the Windows Defender Firewall component in Control Panel allows administrators to define a local port exceptions list.If you disable
e this policy setting the Windows Defender Firewall component in Control Panel allows administrators to define a local program exceptions
ent variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and informati
iew and change the inbound port exceptions list defined by Group Policy. To view this port exceptions list enable the policy setting and th
iew and change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled that pro
ctions" check box is selected and administrators cannot clear it. You should also enable the "Windows Defender Firewall: Protect all netwo
tting Windows Defender Firewall allows the display of these notifications. In the Windows Defender Firewall component of Control Panel th
ble or do not configure this policy setting and this computer sends a multicast or broadcast message to other computers Windows Defende
y setting Windows Defender Firewall does not run. This is the only way to ensure that Windows Defender Firewall does not run and admin
indows Defender Firewall blocks echo request messages sent by Ping running on other computers but it does not block outbound echo re
the IP addresses or subnets from which these incoming messages are allowed. In the Windows Defender Firewall component of Control P
cedure calls (RPC) and Distributed Component Object Model (DCOM). Additionally on Windows XP Professional with at least SP2 and Wind
which these incoming messages are allowed. In the Windows Defender Firewall component of Control Panel the "Remote Desktop" check
uter can receive Plug and Play messages. You must specify the IP addresses or subnets from which these incoming messages are allowed. I
etting the Windows Defender Firewall component in Control Panel allows administrators to define a local port exceptions list.If you disable
e this policy setting the Windows Defender Firewall component in Control Panel allows administrators to define a local program exceptions
ent variables. You must also specify whether to record information about incoming messages that the firewall blocks (drops) and informati
iew and change the inbound port exceptions list defined by Group Policy. To view this port exceptions list enable the policy setting and th
iew and change the program exceptions list defined by Group Policy. If you add a program to this list and set its status to Enabled that pro
ctions" check box is selected and administrators cannot clear it. You should also enable the "Windows Defender Firewall: Protect all netwo
tting Windows Defender Firewall allows the display of these notifications. In the Windows Defender Firewall component of Control Panel th
ble or do not configure this policy setting and this computer sends a multicast or broadcast message to other computers Windows Defende
y setting Windows Defender Firewall does not run. This is the only way to ensure that Windows Defender Firewall does not run and admin
wise it is outside the network.
se resources are considered connections to enterprise networks.If a proxy is paired with a cloud resource traffic to the cloud resource will
on proxied networks can access the Internet without relying on the Private Network capability. However in most situations Windows Netw
tor to configure a set of proxies that provide access to intranet resources.If you disable or do not configure this policy setting Windows Ne
pps if and only if the app has declared the Home/Work Networking capability.Windows Network Isolation attempts to automatically discov
h Group Policy are authoritative. This applies to both Internet and intranet proxies.If you disable or do not configure this policy setting Win
ironment. Only network hosts within the address ranges configured via Group Policy will be classified as private.If you disable or do not co
this setting you can use the "Action" box to specify how computers in the group respond.-- "Work offline" indicates that the computer ca
Offline Files is disabled and users cannot enable it.If you do not configure this policy setting Offline Files is enabled on Windows client comp
gure it automatically and manually cached copies are retained on the user's computer for later offline use.Caution: Files are not synchroni
l when Windows synchronizes in the background while operating in slow-link mode. Use the 'Sync Interval' and 'Sync Variance' values to o
onnect to a server when the presence of a server is detected.If you enable this setting you can configure the threshold value that will be u
link mode all network file requests are satisfied from the Offline Files cache. This is similar to a user working offline.If you enable this polic
c caching can be set on any network share. When a user opens a file on the share the system automatically stores a copy of the file on the
do not configure this policy setting a user can create a file of any type in the folders that have been made available offline.
n extra charges on cell phone or broadband plans.If this setting is disabled or not configured synchronization will not run in the backgroun
se times and decreases bandwidth consumption over WAN links.The cached files are temporary and are not available to the user when offl
Files cache are encrypted. This includes existing files as well as files added later. The cached copy on the local computer is affected but the
nts you want Offline Files to record.To use this setting in the "Enter" box select the number corresponding to the events you want the sys
a file of this type available offline the operation will fail and the following message will be displayed in the Synchronization Manager prog
60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder.This setting appears in
isables the ability to adjust through the Offline Files control panel applet the disk space limits on the Offline Files cache. This prevents user
e Name column box type the server's computer name. Then in the Value column box type "0" if users can work offline when they are disco
e or location.This setting does not prevent users from working offline or from saving local copies of files available offline. Also it does not p
rs cannot view or change the options on the Offline Files tab or Offline Files dialog box.This is a comprehensive setting that locks down the
ically. By default the first reminder for an event is displayed for 30 seconds. Then updates appear every 60 minutes and are displayed for
ayed for 15 seconds. You can use this setting to change the duration of the update reminder.This setting appears in the Computer Configu
ou disable or do not configure this policy setting users can manually specify files and folders that they want to make available offline.Note
ontents dialog box in the Value Name column box type the fully qualified UNC path to the file or folder. Leave the Value column field blank
e "Work offline" command is displayed in File Explorer.
Show. In the Show Contents dialog box in the Value Name column type the fully qualified UNC path to the file or folder. Leave the Value c
e offline all folders within that folder are also made available offline. Also new folders that you create within a folder that is available offlin
zed. Full synchronization ensures that offline files are complete and current.If you disable this setting the system only performs a quick syn
zed at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables logon sync
" ensures that all cached files and folders are up-to-date with the most current version.If you disable or do not configuring this setting files
you enable this setting the system hides the reminder balloons and prevents users from displaying them.If you disable the setting the syste
synchronized later.If you disable this policy setting all administratively assigned folders are synchronized at logon.
ubmitted to a network adapter for transmission but which have not yet been sent.If you enable this setting you can limit the number of ou
he default.If you enable this setting you can use the "Bandwidth limit" box to adjust the amount of bandwidth the system can reserve.If yo
d for the system usually units of 10 microseconds.If you disable this setting or do not configure it the setting has no effect on the system.Im
ou enable this setting you can change the default DSCP value associated with the Best Effort service type.If you disable this setting the syst
fication.If you enable this setting you can change the default DSCP value associated with the Controlled Load service type.If you disable thi
If you enable this setting you can change the default DSCP value associated with the Guaranteed service type.If you disable this setting the
ification.If you enable this setting you can change the default DSCP value associated with the Network Control service type.If you disable t
you enable this setting you can change the default DSCP value associated with the Qualitative service type.If you disable this setting the sy
tion.If you enable this setting you can change the default DSCP value associated with the Best Effort service type.If you disable this setting t
w specification.If you enable this setting you can change the default DSCP value associated with the Controlled Load service type.If you disa
cation.If you enable this setting you can change the default DSCP value associated with the Guaranteed service type.If you disable this setti
ow specification.If you enable this setting you can change the default DSCP value associated with the Network Control service type.If you d
ation.If you enable this setting you can change the default DSCP value associated with the Qualitative service type.If you disable this settin
ffort service type.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority value for this se
the Controlled Load service type.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority
aranteed service type.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority value for t
th the Network Control service type.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 prior
ets.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority value for nonconforming pack
itative service type.If you disable this setting the system uses the default priority value of 0.Important: If the Layer-2 priority value for this
a community recognized by the SNMP service while a community is a group of hosts (servers workstations hubs and routers) that are adm
ng terminal values and monitoring network events.The manager is located on the host computer on the network. The manager's role is to
cy setting allows you to configure the name of the hosts that receive trap messages for the community sent by the SNMP service. A trap m
==========curve25519NistP256NistP384To See all the curves supported on the system Use the following command:CertUtil.exe -DisplayE
/?LinkId=517265
a 6to4 host.If you disable or do not configure this policy setting the local host setting is used and you cannot specify a relay name for a 6to
lly.If you disable or do not configure this policy setting the local host setting is used.
adecimal representation of the global IPv4 address (w.x.y.z) assigned to a site.If you disable or do not configure this policy setting the loca
be able to configure IP-HTTPS with one of the following settings:Policy Default State: The IP-HTTPS interface is used when there are no ot
If you disable or do not configure this policy setting the local host setting is used.
o not configure this policy setting the local host setting is used.If you enable this policy setting you can configure ISATAP with one of the fo
ustomize a UDP port for the Teredo client.If you disable or do not configure this policy setting the local host setting is used.
cy setting contains only one state:Policy Enabled State: If Default Qualified is enabled Teredo will attempt qualification immediately and re
d UDP port mapping in the translation table of the Teredo client's NAT device.If you enable this policy setting you can specify the refresh r
tting the local settings on the computer are used to determine the Teredo server name.
with one of the following settings:Default: The default state is "Client."Disabled: No Teredo interfaces are present on the host.Client: The T
tion Limits will be disabled and system will not limit the number of autoconfigured addresses and routes.
host settings are used.If you enable this policy setting Window Scaling Heuristics will be enabled and system will try to identify connectivit
e available to allow discovery and configuration over a specific medium. If you enable this policy setting additional choices are available to
If you disable or do not configure this policy setting users can access the wizard tasks including "Set up a wireless router or access point" a
s not configured or is disabled power management is enabled when the machine enters connected standby mode.
led Windows will disconnect a computer from a network immediately when it determines that the computer should no longer be connect
indows domain or to both. Internet traffic can be routed over any connection - including a cellular connection and any metered network. T
ttempts- When the computer is already connected to a domain based network all automatic connection attempts to non-domain networks
etwork.If this policy setting is not configured or is disabled clients are allowed to connect to roaming provider Mobile Broadband networks
Button pairing is preferred (if allowed by other policies).
necessarily preferred).
ricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this connection is no
bout by crowdsourcing networks that other people using Windows have connected to."Connect to networks shared by my contacts" enab
rrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps c
nection is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this connection is not restricted by usage
onnection is unlimited and not restricted by usage charges and capacity constraints. - Fixed: Use of this connection is not restricted by usa
page.If this policy setting is disabled or is not configured the link to the per-application cellular access control page is showed by default.
Internet printing is an extension of Internet Information Services (IIS). To use Internet printing IIS must be installed and printing suppor
network scan page will not be displayed. If this policy setting is not configured the Add Printer wizard will display the default number
displayed.If this setting is not configured the Add Printer wizard will display the default number of printers of each type:TCP/IP printers: 50
anch Office Direct Printing jobs.
nue to be shared.The spooler must be restarted for changes to this policy to take effect.
r's shared printers cannot be published in Active Directory and the "List in directory" option is not available. Note: This settings takes
he computer that published the printers restarts it republishes any deleted printer objects. If you enable this setting or do not confi
have a relatively powerful CPU as compared to the machine’s GPU.
int jobs before sending them to the print server. This decreases the workload on the client at the expense of increasing the load on the se
blish printers. However you can publish shared printers manually. The default behavior is to automatically publish shared printers in Acti
efault MXDW output format is OpenXPS (*.oxps).
mputer is operating. To enable this additional verification enable this setting and then select a verification interval. To disable
ocation Tracking is enabled the system uses the specified location as a criterion when users search for printers. The value you type here ov
b page customized for your enterprise. If you disable this setting or do not configure it or if you do not enter an alternate Internet ad
uning service "prunes" (deletes from Active Directory) printer objects the computer has published. By default the pruning service con
ority influences the order in which the thread receives processor time and determines how likely it is to be preempted by higher priority th
espond to the contact message the message is repeated for the specified number of times. If the computer still fails to respond then the p
s may be installed on the local computer running Windows XP Home Edition and Windows XP Professional.If you do not configure this setti
this policy setting then all printer extensions will not be allowed to run. If you disable this policy setting or do not configure it then all p
etwork or approved USB-connected printers. If you disable this setting or do not configure it there are no restrictions to printing base
rint spooler will execute print drivers in an isolated process by default.If you disable this policy setting the print spooler will execute print d
rver driver cache.If you disable this policy setting the client computer will only search the local driver store and server driver cache for com
07 Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers
urrent USB connected printer is approved for local printing. Type all the approved vid/pid combinations (separated by commas) that
es not respond to the contact attempt the attempt is retried a specified number of times at a specified interval. The "Directory pruning ret
vers.If this setting is disabled or not configured users will not be restricted to package-aware point and print only.
do not explicitly opt out of Driver Isolation.If you disable or do not configure this policy setting the print spooler uses the Driver Isolation co
ackage point and print connections.Windows Vista and later clients will attempt to make a non-package point and print connection anytim
will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the client a p
rd method uses a printer's IP address and subnet mask to estimate its physical location and proximity to computers.If you enable this setti
u disable this setting shared printers are not announced to print browse master servers even if Active Directory is not available.If you do n
ws 2000 printers published outside their forest. The Windows pruning service prunes printer objects from Active Directory when the
shortcuts. The system empties the Recent Items menu on the Start menu and Windows programs do not display shortcuts at the bottom o
e of Start in Settings.
n Settings to Off.Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start men
this policy setting the shutdown restart sleep and hibernate commands are removed from the Start menu. The Power button is also remov
and user cannot change to show it using the Settings app.Selecting "Not Configured" or if you disable or do not configure this policy setting
e a device's Start layout to the desired look and feel. Once you are done run the Export-StartLayout PowerShell cmdlet on that same devic
poll application services to update tiles. If you enable this policy setting applications and system features will not be able receive noti
tes that the shutdown or restart is unplanned.If you disable this policy setting the System State Data feature is never activated.If you do n
nother computer. The DLT client can more reliably track links when allowed to use the DLT server. This policy should not be set unless th
he system.If you disable or do not configure this policy setting only the default status messages are displayed to the user during these proc
menu list the Shutdown Event Tracker is displayed when the computer shuts down.If you enable this policy setting and choose "Server Only
t are moved to an encrypted folder.This setting applies only to files moved within a volume. When files are moved to other volumes or if y
d each time an administrator logs on to the server. However if the administrator has selected the "Don’t display this page at logon" option
ly on Windows shutdown behavior.This setting is only applicable when Windows shutdown is initiated by software programs invoking the
dows has internally registered the required components.If you enable this policy setting and a component registration is missing the syste
sk. You can specify the Timestamp Interval in seconds.If you disable this policy setting the Persistent System Timestamp is turned off and t
wait while their system starts or shuts down or while users log on or off.
d to this policy setting. If you enable this policy setting the commands function only for .chm files in the specified folders and their subf
If you disable or do not configure this policy setting users can run all applications from online Help. Note: You can also res
orruption and for enabling optional features that have had their payload files removed. You must enter the fully qualified path to the new
ws Setup was run on the system.
ation used during the last time Windows Service Pack Setup was run on the system.
ke sure that they use system memory safely. If you enable this policy setting DEP for HTML Help Executable is turned off. This will allo
s.If you enable this policy setting users receive a customized Access Denied message from the file servers on which this policy setting is ap
bout the program online at http://go.microsoft.com/fwlink/?LinkID=184686.
n). Global Publishing Refresh Interval: Specifies the publishing refresh interval using the GlobalRefreshIntervalUnit. To disable packa
aximum minutes of random delay on top of the reporting time. For a busy system the random delay will help reduce the server load.
ty event log as part of the Audit Process Creation event 4688 "a new process has been created" on the workstations and servers on which
ult credentials can be delegated (default credentials are those that you use when first logging on to Windows).The policy becomes effectiv
ult credentials are those that you use when first logging on to Windows).If you disable or do not configure (by default) this policy setting d
entials can be delegated (fresh credentials are those that you are prompted for when executing the application).If you do not configure (by
redentials are those that you are prompted for when executing the application).If you do not configure (by default) this policy setting afte
entials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).If you do n
credentials are those that you elect to save/remember using the Windows credential manager).If you do not configure (by default) this po
you disable or do not configure (by default) this policy setting this policy setting does not specify any server.Note: The "Deny delegating de
tion).If you disable or do not configure (by default) this policy setting this policy setting does not specify any server.Note: The "Deny deleg
credential manager).If you disable or do not configure (by default) this policy setting this policy setting does not specify any server.Note: T
vers. This policy allows you to set the level of protection desired for the encryption oracle vulnerability.If you enable this policy setting Cre
min or Remote Credential Guard mode.If you disable or do not configure this policy setting Restricted Administration and Remote Credenti
l Guard does not limit access to resources because it redirects all requests back to the client device.Participating apps:Remote Desktop Cli
nable this policy the machine must be rebooted. The file path must be either a UNC path (for example \\ServerName\ShareName\SIPolicy
t and will only be enabled on correctly configured devices.Virtualization Based Protection of Code IntegrityThis setting enables virtualizati
e Health Attestation Service validates the security state and health of the devices and makes the findings accessible to enterprise administ
0 seconds for a device installation task to complete before terminating the installation.
or report is sent when a generic driver is installed.
nt enables you to more easily restore your system to its state before the activity. If you enable this policy setting Windows does not create
Panel > System and Security > System > Advanced System Settings > Hardware tab).If you disable or do not configure this policy setting th
e driver.If you disable or do not configure this policy setting Windows sends an error report when a device driver that requests additional
ot signed at all.If you enable or do not configure this policy setting drivers that are signed by a Microsoft Windows Publisher certificate and
will attempt to search Windows Update exactly one time. With this setting Windows will not continually search for updates. This setting is
t search the Managed Server such as a Windows Server Update Services (WSUS) server. Only if no update is found will Windows then also
ice is being installed unless the driver for the device suppresses the balloons.
and update the drivers for any device. If you enable this policy setting on a remote desktop server the policy setting affects redirection of
olicy setting is enabled however it may also be used with the "Prevent installation of devices not described by other policy settings" policy
enabled however it may also be used with the "Prevent installation of devices not described by other policy settings" policy setting for leg
tch criteria" policy setting is enabled however it may also be used with the "Prevent installation of devices not described by other policy se
fic match criteria supersedes less specific match criteria. The hierarchical order of evaluation for policy settings that specify device match
device installation.If you disable or do not configure this policy setting Windows displays a default title in a notification when a policy setti
sable or do not configure this policy setting Windows displays a default message when a policy setting prevents device installation.
vide more granular control. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device installatio
that match any of these device instance IDs" policy setting to supersede this policy setting for applicable devices enable the "Apply layere
ice whose device instance ID appears in the list you create. If you enable this policy setting on a remote desktop server the policy setting a
tion of devices that match any of these device IDs" and "Allow installation of devices that match any of these device instance IDs" policy se
B hub to which the device is connected. By default this policy setting takes precedence over any other policy setting that allows Windows t
tting the system does not force a reboot.Note: If no reboot is forced the device installation restriction right will not take effect until the sys
he system determines the data that will be stored in the NV cache to optimize boot and resume. The required data is stored in the NV cach
the system tries to save power by aggressively spinning down the disk.If you do not configure this policy setting the default behavior is to
he while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spu
che. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power. Note that th
ply the disk quota to both fixed and removable media.
and users cannot turn it on.If this policy setting is not configured disk quota management is turned off by default but administrators can tu
"Deny disk space to users exceeding quota limit" option on the Quota tab so administrators cannot make changes while the setting is in eff
olicy setting no event is recorded. Also when you enable or disable this policy setting the system disables the "Log event when a user exce
e system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators c
ota Entries window changes to indicate that the user is approaching the disk quota limit.This setting overrides new users’ settings for the d
or (DPI) connect remotely from a device with a different display scale factor or manually change the display scale factor) many desktop ap
tionCompatibility database ApplicationCompatibility UI System (Enhanced) setting or an application manifest.If you disable or do not config
his policy setting GDI DPI Scaling will not be enabled for an application except when an application is enabled by using ApplicationCompatib
DCOM will look for an entry in the locally configured list.If you disable this policy setting DCOM will not look in the locally configured DCOM
d list when this policy setting is configured unless the "Allow local activation security check exemptions" policy is enabled.DCOM server app
e signed according to Windows Driver Signing Policy or be signed by publishers already in the TrustedPublisher store.If you disable or do n
nication settings" is disabled or not configured.If you enable this setting administrators will not be prompted to search Windows Update.If
and has not been tampered with.- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad dr
hub connected Enhanced Storage devices are allowed.If you disable or do not configure this policy setting USB Enhanced Storage devices
e or do not configure this policy setting all Enhanced Storage devices are usable on your computer.
ur computer.If you disable or do not configure this policy setting all IEEE 1667 silos on Enhanced Storage devices are usable on your compu
evices are allowed on your computer.
orage device state is not changed when the computer is locked.

with properties defined on individual file servers by using File Classification Infrastructure which is part of the File Server Resource Manage
vidual file servers by using File Classification Infrastructure which is part of the File Server Resource Manager role service.If you enable this
ol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. Note: To make changes to this setting
se refer to the Windows Help sectionNOTE: If this policy is Disabled or Not Configured local administrators may select the types of symbol
e at the cost of additional memory consumption.A reboot is required for this setting to take effect
her concurrent IO operations.Values with special meaning: 0: Use the system calculated default 1: Disable parallel flushThe default val
ou disable them on all volumes then they will never be generated. If you set short name creation to be configurable on a per volume basis
ter in a remote office.To designate a user's primary computers an administrator must use management software or a script to add primar
Vista Windows 7 Windows 8 and Windows Server 2012 will use localized folder names for these subfolders when redirecting the Start Men
t configure this policy setting:- No user-based policy settings are applied from the user's forest.- Users do not receive their roaming profile
M files that were used to create the GPO while editing this GPO.This leads to the following behavior:- If you originally created the GPO wit
en a slow network connection is detected Group Policy processing will always run in an asynchronous manner.Client computers will not w
width speed information. If Group Policy detects a bandwidth speed Group Policy will follow the normal rules for evaluating if the Direct Ac
lementing the disk quota policy set when it was installed.If you enable this policy setting you can use the check boxes provided to change
licy set when it was installed.If you enable this policy setting you can use the check boxes provided to change the options. If you disable o
y not for Group Policy objects on the local computer.This policy setting overrides customized settings that the program implementing the
in synchronous foreground mode it refers to this cache which enables it to run faster. When the cache is read Group Policy attempts to co
The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response t
at the program implementing the Internet Explorer Maintenance policy set when it was installed.If you enable this policy setting you can u
ettings that the program implementing the IP security policy set when it was installed.If you enable this policy setting you can use the chec
g disk contention. If you enable this policy setting Group Policy will wait for the specified amount of time before running logon scripts.
this policy setting you can use the check boxes provided to change the options. If you disable or do not configure this policy setting it has n
d.If you enable this policy setting you can use the check boxes provided to change the options. If you disable or do not configure this settin
was installed.If you enable this policy setting you can use the check boxes provided to change the options. If you disable or do not configur
ts stored in Active Directory not for Group Policy Objects on the local computer.This policy setting overrides customized settings that the p
puter that is being used.By default the user's Group Policy Objects determine which user settings apply. If this setting is enabled then when
f launching the associated app.If you do not configure this policy setting the default behavior depends on the Windows edition. Changes t
ed network set when it was installed.If you enable this policy you can use the check boxes provided to change the options.If you disable th
the wireless network set when it was installed.If you enable this policy you can use the check boxes provided to change the options.If you
isable this policy setting the Windows device is not discoverable by other devices and cannot participate in cross-device experiences.If you
g interactive users can generate RSoP.Note: This policy setting does not affect administrators. If you enable or disable this policy setting by
olicy runs in synchronous foreground mode it refers to this cache which enables it to run faster. When the cache is read Group Policy atte
es.If you disable this policy setting the Windows device is not allowed to be linked to Phones will remove itself from the device list of any l
tting the default behavior applies. By default computer policy is applied when the computer starts up. It also applies at a specified refresh in
ated when the system starts.By default computer Group Policy is updated in the background every 90 minutes with a random offset of 0 to
u enable this setting you can specify an update rate from 0 to 64800 minutes (45 days). If you select 0 minutes the domain controller tries
s the computer is not blocked and policy processing will occur in the background. In either case configuring this policy setting overrides an
hronous the computer is not blocked and policy processing will occur in the background. In either case configuring this policy setting overri
.If you disable or do not configure this policy setting updates can be applied while users are working. The frequency of updates is determin
al GPOs to ensure that only domain-based GPOs are applied.If you enable this policy setting the system does not process and apply any Lo
de extension settings that were included.If you enable this setting RSoP logging is turned off.If you disable or do not configure this setting R
his policy setting all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective featu
he Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive cr
e the Store service to find an application.If you enable this policy setting the "Look for an app in the Store" item in the Open With dialog is
must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and or
downloading drivers that are not already installed locally.If you enable this policy setting print drivers cannot be downloaded over HTTP.If
e event is created by a Microsoft component. This text contains a link (URL) that if clicked sends information about the event to Microsoft
prove handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a secure co
handwriting recognition in future versions of Windows.If you enable this policy users cannot start the handwriting recognition error reporti
tting the Help and Support Center no longer retrieves nor displays "Did you know?" content.If you disable or do not configure this policy s
efault search options.If you enable this policy setting it removes the Knowledge Base section from the Help and Support Center "Set searc
om retrieving the list of ISPs which resides on Microsoft servers.If you disable or do not configure this policy setting users can connect to M
d from a Windows website in addition to providers specified in the registry.If you enable this policy setting Windows does not download p
he Web service to find an application.If you enable this policy setting the link and the dialog for using the Web service to open an unhand
ver and making its shared printers available via HTTP.If you enable this policy setting it prevents this client from printing to Internet printe
is policy setting users can connect to Microsoft.com to complete the online Windows Registration.Note that registration is optional and in
used to format and display results.If you enable this policy setting Search Companion does not download content updates during searche
ks in File Explorer folders.If you disable or do not configure this policy setting the task is displayed.
o the web.If you enable this policy setting these tasks are removed from the File and Folder tasks in Windows folders.If you disable or do n
n is used to improve the product in future releases.If you enable this policy setting Windows Messenger does not collect usage informatio
name address or any other personally identifiable information. There are no surveys to complete no salesperson will call and you can conti
errors.If you disable or do not configure this policy setting the errors may be reported to Microsoft via the Internet or to a corporate file sh
ge from a dedicated Web server or making a DNS request for a dedicated address.If you enable this policy setting NCSI does not run either
hen no local drivers are present.If you do not configure this policy setting searching Windows Update is optional when installing a device.A
etting overrides this one.
ontrol and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domai
ion.If you enable this policy setting the following options are supported:Supported: PKInit Freshness Extension is supported on request. Ke
ous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be en
tting domain controllers will request compound authentication. The returned service ticket will contain compound authentication only whe
h is performed by using a global catalog or name suffix hints. If a match is found the KDC will return a referral ticket to the client for the ap
too high then authentication failures might be occurring even though warning events are not being logged. If set too low then there will b
quest compound authentication" must be configured and enabled in the resource account domain. If you enable this policy setting and the
he policy setting and then click the Show button. To add a mapping enable the policy setting note the syntax and then click Show. In the Sh
realms enable the policy setting and then click the Show button. To add an interoperable Kerberos V5 realm enable the policy setting note
ections. Warning: When revocation check is ignored the server represented by the certificate is not guaranteed valid. If you disable or do n
ts users will fail from computers with this policy setting enabled.If you enable this policy setting the client computers in the domain enforc
quired to create compounded authentication and armor Kerberos messages in domains which support claims and compound authenticatio
s and that the KDC's X.509 certificate contains a dNSName subjectAltName (SAN) extension that matches the DNS name of the domain. If
mpt to use Kerberos by generating an SPN. If you enable this policy setting only services running as LocalSystem or NetworkService
processing and group memberships the buffer might be smaller than the actual size of the SSPI context token. If you enable this policy se
proxy server to a domain enable the policy setting click Show and then map the KDC proxy server name(s) to the DNS name for the doma
st configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy.If you
ou enable this policy setting the device s credentials will be selected based on the following options:Automatic: Device will attempt to aut
equests a referral ticket to the appropriate domain.If you disable or do not configure this policy setting the Kerberos client does not searc
er-user policy setting. If you disable this policy setting at the computer level the per-user policy is ignored. If you do not configure this polic
mpt. If the policy is Enabled then the user will get input methods enabled for the system account on the sign-in page. If the policy i
of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users.The policy setting "Restrict user locales
s can still choose alternate locales installed on the system unless prevented by other policies however they will be unable to customize th
cted to the specified list.The locale list is specified using language names separated by a semicolon (;). For example en-US is English (Unite
les in this list.To set this policy setting on a per-user basis make sure that you do not configure the per-computer policy setting.The locale
required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a dev
or do not configure this policy setting Windows uses the default Windows logon background or custom background.
work to be fully initialized at startup and logon. Existing users are logged on using cached credentials which results in shorter logon times.
ther user tile.Note: A list of registered credential providers and their GUIDs can be found in the registry at HKEY_LOCAL_MACHINE\SOFTW
omputer belongs to the Fabrikam domain the default domain for user logon is Fabrikam. If you enable this policy setting the default logon
sign-in screen.
C from the network or can connect the PC to other available networks without signing into Windows.
art menu or by typing ""Welcome"" in the Run dialog box.If you disable or do not configure this policy the welcome screen is displayed ea
oined computers.
d services that the system starts.If you enable this policy setting the system ignores the run list for Windows Vista Windows XP Professiona
this policy setting the system ignores the run-once list.If you disable or do not configure this policy setting the system runs the programs i
Smart Card. An administrator can install additionalcredential providers for different sets of credentials(for example to support biometric a
er interface appear are in the Logon UI the Start menu and the Task Manager.If you disable or do not configure this policy setting the Switc
click Show. In the Show Contents dialog box in the Value column type the name of the executable program (.exe) file or document file. To
e offered the opt-in prompt for services during their first sign-in.If you enable this policy setting Microsoft account users will see the opt-in
r's domain password will be cached in the system vault when using this feature.
omain password will be cached in the system vault when using this feature.To configure Windows Hello for Business use the Administrativ
articular positions. Bits can be set to either 0 (setting is forced off) 1 (setting is forced on) or ? (setting retains its existing value prior to GPO
deploy this feature into your organization you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatib
default Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptograph
s may want to disable this feature if the PDC emulator is located over a slow WAN connection.If you enable this policy setting the DCs to w
sive read access to files on the share even when the caller has only read permission.If you disable or do not configure this policy setting th
omainName>[1B] NetBIOS name if it hasn’t already been successfully added.None of these operations are critical. 15 minutes is optimal in
ad access to files on the share even when the caller has only read permission.When this setting is disabled or not configured the SYSVOL s
this policy setting it is not applied to any computers and computers use their local configuration.
ll be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting.If yo
file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.If you disab
alue for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0.Warn
me that have not specified the DS_BACKGROUND_ONLY flag.The default value for this setting is 30 minutes (1800). The maximum value for
hen the site to which a computer belongs is not specified the computer automatically discovers its site from Active Directory.If you do not
setting is reached no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry in
4233600). The minimum value for this setting is 0.This setting is relevant only to those callers of DsGetDcName that have specified the DS_
setting that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached.The
ue for this setting is (4294967200) while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value
DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to l
nds a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot me
back mechanism.NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not
he efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running DC Locator will co
ddress. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to supp
specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with
a value in seconds (for example the value "900" is 15 minutes).If you do not configure this policy setting it is not applied to any DCs and DC
he Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set
e computed the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to comp
elect the mnemonics from the following list:Mnemonic Type DNS RecordLdapIpAddress A <DnsDomainName>Ldap SRV _
ed dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections.If you disable this po
date.DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DN
he site where the DC resides and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC
tor DNS SRV records for those sites without a DC that are closest to it. The DC Locator DNS records are dynamically registered by the Net L
or DNS SRV records for those sites without a GC that are closest to it. The GC Locator DNS records and the site-specific SRV records are dyn
ents to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If non
are used to locate the DC.If you enable this policy setting the DCs to which this setting is applied dynamically register DC Locator site-spec
t used if the AllowSingleLabelDnsDomain policy setting is enabled.By default when no setting is specified for this policy the behavior is the
ate a domain controller hosting an Active Directory domain specified with a single-label name.If you enable this policy setting computers t
ete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup pr
es effect immediately.
oard contents cannot be shared to other devices. Policy change takes effect immediately.
diately.
type User Activity are independent of this setting. Policy change takes effect immediately.
ActivityFeed shall disable cloud sync. Policy change takes effect immediately.
y is set to 0 then storage of previous PINs is not required.Default: 0.

ter.If you configure this policy setting the PIN length must be less than or equal to this number.If you disable or do not configure this polic
west.If you configure this policy setting the PIN length must be greater than or equal to this number.If you disable or do not configure this
ut does not require digits in the PIN.
is policy setting Windows allows but does not require lowercase letters in the PIN.
his policy setting Windows allows but does not require uppercase letters in the PIN.
ol this setting.
at: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX (For example 103eea6e-9fcd-4544-a713-c282d8e50083) indicating the power plan to be a
his setting.
his setting.
licy setting users control this setting.

licy setting users control this setting.
hange this setting.
hange this setting.
ry Notification Action" policy setting.If you disable this policy setting or do not configure it users control this setting.
cation Action" policy setting.If you disable this policy setting or do not configure it users control this setting.
n see and change this setting.
e the "Low Battery Notification Level" policy setting.The notification will only be shown if the "Low Battery Notification Action" policy settin
r drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should autom
r drivers do not prevent Windows from automatically transitioning to sleep. Only user input is used to determine if Windows should autom
urrently applies to WLAN networks only and is subject to change.If you do not configure this policy setting users control this setting.
urrently applies to WLAN networks only and is subject to change.If you do not configure this policy setting users control this setting.
d when the system resumes from sleep.

d when the system resumes from sleep.
setting users control this setting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prev
setting users control this setting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prev
ers control this setting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prevent the sl
ers control this setting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prevent the sl
o sleep when left unattended. If you specify 0 seconds Windows does not automatically transition to sleep.If you disable or do not configu
o sleep when left unattended. If you specify 0 seconds Windows does not automatically transition to sleep.If you disable or do not configu
his setting.
his setting.
ows will only reduce the brightness of the primary display integrated into the computer.If you disable or do not configure this policy settin
ows will only reduce the brightness of the primary display integrated into the computer.If you disable or do not configure this policy settin
or do not configure this policy setting users control this setting.
or do not configure this policy setting users control this setting.
indows uses the same setting regardless of users’ keyboard or mouse behavior.If you do not configure this policy setting users control this
indows uses the same setting regardless of users’ keyboard or mouse behavior.If you do not configure this policy setting users control this
ol this setting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prevent the display from
ol this setting.If the user has configured a slide show to run on the lock screen when the machine is locked this can prevent the display from
rol this setting.
rol this setting.
ed earlier to recover your computer" and "Reinstall Windows" (or "Return your computer to factory condition") appears on the "Advance
r the unsolicited Offer Remote Assistance.If you enable this policy setting only computers running this version (or later versions) of the op
ter cannot get help from their corporate technical support staff using Offer (Unsolicited) Remote Assistance.If you do not configure this po
onfigure additional Remote Assistance settings.If you disable this policy setting users on this computer cannot use email or file transfer to
custom message to display before a user allows a connection to his or her computer.If you enable this policy setting the warning message
window drag-Turn off background"Full optimization" will include the following optimizations:-Use 16-bit color (8-bit color in Windows Vis
er. If you disable this policy setting RPC clients will not authenticate to the Endpoint Mapper Service but they will be able to communicate
ouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag but some applications written for the traditional delegati
C runtime defaults to "Auto2" level.If you do not configure this policy setting the RPC defaults to "Auto2" level. If you enable this policy se
rieve the extended error information by using standard Windows application programming interfaces (APIs).If you disable this policy setti
ing itself. Reverting a change to this policy setting can require manual intervention on each affected machine. This policy setting should n
cause connections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Proxy
r do not configure this policy setting write and read accesses are allowed to all removable storage classes.
o removable storage devices in remote sessions.
age enable the policy setting "Deny write access to drives not protected by BitLocker" which is located in "Computer Configuration\Admin
nfigure this setting the operating system does not force a reboot.Note: If no reboot is forced the access right does not take effect until the
e storage class.
ble storage class.
ring cross-forest logons without the DNS suffixes being configured.If you disable or do not configure this policy setting user account cross-f
ch instruction in the shutdown script as it runs. The instructions appear in a command window.If you disable or do not configure this polic
tup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users.If you disable or do not c
complete before the user starts working but it can delay the appearance of the desktop.If you disable or do not configure this policy settin
ing of startup scripts. As a result startup scripts can run simultaneously.If you disable or do not configure this policy setting a startup canno
(GPO) Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. For example
erShell scripts are run before non-PowerShell scripts during user logon and logoff. For example assume the following scenario: There are th
ops script processing and records an error event.If you enable this setting then in the Seconds box you can type a number from 1 to 32000
-15361https://en.wikipedia.org/wiki/ROCA_vulnerabilityIf you enable this policy setting the following options are supported:Ignore: durin
d on managed servers.If you enable this policy setting Server Manager uses the refresh interval specified in the policy setting instead of th
his policy setting the Initial Configuration Tasks window is displayed when an administrator logs on to the server.If you do not configure th
u do not configure this policy setting Server Manager is displayed when a user logs on to the server. However if the "Do not show me this
well as a policy disallowing dynamically-generated code.If you disable or do not configure this policy setting these stricter security setting
lications or GUI applications without visible top-level windows that block or cancel shutdown will not be automatically terminated during
Same as Enabled.
nfigure Storage Sense cadence" group policy.Enabled:Storage Sense is turned on for the machine with the default cadence as ‘during low f
led:Storage Sense will not delete the user’s temporary files. Users cannot enable this setting in Storage settings.Not Configured:By default
e. The default is 0 (during low free disk space).Disabled or Not Configured:By default the Storage Sense cadence is set to “during low free d
ore Storage Sense dehydrates it from the sync root. Supported values are: 0 - 365.If you set this value to zero Storage Sense will not dehyd
re Storage Sense will delete it. Supported values are: 0 - 365.If you set this value to zero Storage Sense will not delete files in the user’s Rec
pened before Storage Sense deletes it from Downloads folder. Supported values are: 0 - 365.If you set this value to zero Storage Sense wi
he behavior of this policy setting depends on the "Turn off System Restore" policy setting.If you enable this policy setting the option to con
setting System Restore is turned off and the System Restore Wizard cannot be accessed. The option to configure System Restore or create
uses. These root causes will be logged to the event log when detected but no corrective action will be taken. If you select detection troub
d.If you disable or do not configure this policy setting the DPS deletes scenario data once it exceeds 128 megabytes in size.No reboots or se
es. When failures are detected the PCA will provide options to run the application in a compatibility mode or get help online through a Mic
s is the default recovery behavior for corrupted files.Silent: Detection troubleshooting and recovery of corrupted files will automatically st
his policy setting Windows displays the default alert text in the disk diagnostic message. No reboots or service restarts are required for thi
ervice (DPS) detects and logs S.M.A.R.T. faults to the event log when they occur. If you enable this policy setting the DPS also warns users o
detect troubleshoot and attempt to resolve automatically any heap corruption problems that are handled by the DPS.If you do not configu
o resolve a problem.If you disable this policy setting MSDT cannot gather diagnostic data.If you do not configure this policy setting MSDT is
ed to completely troubleshoot the problem. If tool download is restricted it may not be possible to find the root cause of the problem.If yo
e a problem.By default the support provider is set to Microsoft Corporation.If you disable this policy setting MSDT cannot run in support m
configure how troubleshooting is applied on the user's device. You can select from one of the following values:0 = Do not allow users syst
his is the default recovery behavior on Windows client.Silent: Detection troubleshooting and notification of MSI application to reinstall wi
problem for interactive resolution. If you choose detection troubleshooting and resolution Windows will resolve some of these problems s
or do not configure this policy setting the scripted diagnostics execution engine runs all digitally signed packages.
ols from the Troubleshooting Control Panel.If you disable this policy setting users cannot access or run the troubleshooting tools from the C
t states "Do you want the most up-to-date troubleshooting content?"If you enable or do not configure this policy setting users who are co
d attempt to determine their root causes. These root causes will be logged to the event log when detected but no corrective action will be
setting takes effect only under the following conditions: -- If the diagnostics-wide scenario execution policy is not configured. -- When the
stion problems and attempt to determine their root causes. These root causes will be logged to the event log when detected but no corre
oblems and attempt to determine their root causes. These root causes will be logged to the event log when detected but no corrective acti
erformance problems and attempt to determine their root causes. These root causes will be logged to the event log when detected but no
oblems and attempt to determine their root causes. These root causes will be logged to the event log when detected but no corrective acti
M owner authorization without requiring the user to enter the TPM owner password.You can choose to have the operating system store e
mple command number 129 is TPM_OwnerReadInternalPub and command number 170 is TPM_FieldUpgrade. To find the command num
occurring after the next reboot upon user login only if the logged in user is part of the Administrators group for the system. The prompt ca
ws 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task ru
cal list.The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc" navig
list.The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the W
nding commands to the Trusted Platform Module (TPM) that require authorization.This setting helps administrators prevent the TPM hard
d from sending commands requiring authorization to the TPM.This setting helps administrators prevent the TPM hardware from entering a
vented from sending commands to the Trusted Platform Module (TPM) that require authorization.This setting helps administrators preven
Windows 2000 Professional operating systems the default file permissions for the newly generated profile are full control or read and writ
ta transfer the network's latency and connection speed are determined.This policy setting and related policy settings in this folder togethe
of the computer they are using in case the server that stores the roaming profile is unavailable when the user logs on again. The local cop
lete on the next system restart all user profiles on the computer that have not been used within the specified number of days. If you disab
w to respond.If you enable this policy setting the system does not detect slow connections or recognize any connections as being slow. As a
nal pre-SP4 and Windows XP pre-SP1 operating systems the default file permissions for the newly generated profile are full control access
ot recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile.If y
or preventing Windows from loggin on the user with a temporary profile.If you enable this policy setting Windows will not log on a user wit
eting room computer or on a computer in a remote office.To designate a user's primary computers an administrator must use manageme
ween the user's computer and the server that stores users' roaming user profiles.-- The system cannot access users' server-based profiles
he like) when their profile is deleted. As a result the next time a roaming user whose profile was previously deleted on that client logs on th
tch.When a user logs off of the computer the system unloads the user-specific section of the registry (HKEY_CURRENT_USER) into a file (N
e. Similarly when the user logs off this computer the local copy of their profile including any changes they have made is merged with the s
oaming profile is merged with the local profile. Similarly when the user logs off the computer the local copy of their profile including any c
r roaming profile server is detected.In operating systems earlier than Microsoft Windows Vista a dialog box will be shown to the user duri
network.Note: Windows doesn't wait for the network if the physical network connection is not available on the computer (if the media is d
name\Sharename\%USERNAME% to give each user an individual profile folder. If not specified all users logging onto this computer will use
tting does not stop the roaming user profile's registry file from being uploaded at user logoff.If "Run at set interval" is chosen then an interv
ation list choose the location for the home folder. If you choose “On the network” enter the path to a file share in the Path box (for examp
e advertising ID for experiences across apps.
change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop ap
older together define the system's response when roaming user profiles are slow to load.If you enable this policy setting the system waits
dow appears.
XP files to the cache until the cache size reaches the quota.If you enable this policy setting enter the maximum amount of disk space to b
ile Protection to scan files more often.-- "Do not scan during startup" the default scans files only during setup.-- "Scan during startup" als
\System32\Dllcache directory.Note: Do not put the cache on a network shared directory.
ured settings values.For more details on individual parameters combinations of parameter values as well as definitions of flags see https:/
ers.NtpServerThe Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of ""dnsNameflags"" w
the local computer clock to synchronize time with NTP servers.If you disable or do not configure this policy setting the local computer cloc
r computers.
n create a list of approved ActiveX Install sites specified by host URL. If you disable or do not configure this policy setting ActiveX contro
e trusted site uses the HTTPS protocol this policy setting can also control how ActiveX Installer Service responds to certificate errors. By de
policy a Windows app can't share app data with other instances of that app. If this policy was previously enabled any previously shared ap
ocal computer).If you disable or do not configure this policy setting you cannot install LOB or developer-signed Windows Store apps.
Policy setting appliesMandatory user profiles and super-mandatory profiles which are created by an administratorTemporary user profiles
s setting you cannot develop Microsoft Store apps or install them directly from an IDE.
t) then the system will follow default behavior which is to periodically check for and archive infrequently used apps and the user will be ab
n move or install Windows apps on other volumes.
ult is 'disabled' (key not present).

rShell window). All users will still be able to install Windows app packages via the Microsoft Store if permitted by other policies. If you
o a different volume the users' app data will also move to this volume.
tting overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Window
overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows app
rides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps ca
es the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can
kage Windows PowerShell cmdlet. A per-app setting overrides the default setting.If you choose the "User is in control" option employees in
the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can acc
es the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can a
er-app setting overrides the default setting.If you choose the "User is in control" option employees in your organization can decide wheth
he default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps can acce
errides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps
rides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps ca
overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows ap
overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows ap
t the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default s
ws apps are allowed to be activated with a voice keyword and employees in your organization cannot change it.If you choose the "Force D
ce.If you choose the "Force Allow" option users can interact with applications using speech while the system is locked and employees in yo
dlet. A per-app setting overrides the default setting.If you choose the "User is in control" option employees in your organization can decide
g overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows
ides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows apps ca
overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Windows app
cmdlet. A per-app setting overrides the default setting.If you choose the "User is in control" option employees in your organization can dec
setting overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Wind
o sign in with an enterprise account instead.If you disable or do not configure this policy setting users will need to sign in with a Microsoft
pp for a file type.If you enable this policy setting Windows Store apps cannot open files in the default desktop app for a file type; they can o
ng a desktop app.If you enable this policy setting Windows Store apps cannot open URIs in the default desktop app for a URI scheme; they
aunched; Universal Windows apps which have not declared Windows Runtime API access in the manifest are not affected. If you disab
ules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use.If you disable or don't set this po
ations. To run any 16-bit application or any application with 16-bit components ntvdm.exe must be allowed to run. The MS-DOS subsystem
the most common issues affecting legacy applications. Enabling this policy setting removes the property page from the context-menus bu
ys an Application Help message if the application has a know problem.Turning off the application compatibility engine will boost system pe
xperience Improvement program is turned off Application Telemetry will be turned off regardless of how this policy is set.Disabling teleme
will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also
System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy setting the PCA will be turned o
d input and mouse input user interface data and screen shots. Steps Recorder includes an option to turn on and off data collection.If you e
y setting Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful fo
bers user's choice of what to do when a device is connected.

ute the program without user intervention. This creates a major security concern as code may be executed without user's knowledge
such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Starting with Windows XP SP2 Autoplay is enabled fo
isable or do not configure this policy setting backups can include both system or data volumes.
cy setting there is no restriction on locally attached storage or disk being backup target.
striction on network share being backup target.
striction on optical media being backup target.
riction on running run-once backups.
ng Windows prevents domain users from logging on to a domain-joined computer using biometrics.Note: Prior to Windows 10 not configu
you must also configure the "Allow users to log on using biometrics" policy setting.If you disable this policy setting the Windows Biometric
he domain.If you enable or do not configure this policy setting all users can log on to a local Windows-based computer and can elevate pe
number of seconds the event remains active. This value cannot exceed 60 seconds.If you disable or do not configure this policy setting a d
es that do not support enhanced anti-spoofing.If you disable or don't configure this setting Windows doesn't require enhanced anti-spoofi
ify the path that will be used as the default folder location when the user chooses the option to save the recovery password in a folder. Yo
will be able to configure an encryption algorithm and key cipher strength for fixed data drives operating system drives and removable data
on Deployment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to
on Deployment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to
can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. The user either can type a 48-digi
ocked on hot plug Thunderbolt PCI ports with no children devices until the user logs in again. Devices which were already enumerated wh
g memory will not be overwritten when the computer restarts. Preventing memory overwrite may improve restart performance but will in
. This identifier is automatically added to new BitLocker-protected drives and can be updated on existing BitLocker-protected drives using
e to computers running Windows Server 2008 or Windows Vista.If you enable this policy setting BitLocker recovery information is automati
o authenticate a user certificate to a BitLocker-protected drive by matching the object identifier in the certificate with the object identifier
or not configured fixed data drives formatted with the FAT file system can be unlocked on computers running Windows Server 2008 Wind
r-protected fixed data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in either the Gr
data to the drive.If you enable this policy setting you can specify additional options that control whether BitLocker software-based encryp
y requirement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in Computer Config
he "Require use of smart cards on fixed data drives" check box.Note: These settings are enforced when turning on BitLocker not when un
cess.If you disable or do not configure this policy setting all fixed data drives on the computer will be mounted with read and write access.
be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store d
cation at startup" policy on compliant hardware.If you enable this policy setting users on InstantGo and HSTI compliant devices will have th
ng all new BitLocker startup PINs set will be enhanced PINs.Note: Not all computers may support enhanced PINs in the pre-boot environm
enable this policy clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors.To
ore flexibility for managing pre-boot configuration than legacy BitLocker integrity checks.If you enable or do not configure this policy settin
very agent can be used with BitLocker-protected operating system drives. Before a data recovery agent can be used it must be added from
can require a minimum number of digits to be used when setting the startup PIN. If you disable or do not configure this policy settin
re-boot key recovery screen. If you have previously configured a custom recovery message or URL and want to revert to the default messa
s policy setting before turning on BitLocker you can configure the boot components that the TPM will validate before unlocking access to t
group policy only applies to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (
group policy only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatib
iting of data to the drive.If you enable this policy setting you can specify additional options that control whether BitLocker software-based
or the complexity requirement setting to be effective the Group Policy setting "Password must meet complexity requirements" located in C
r PINs or passwords.If you disable or do not configure this policy setting standard users will be permitted to change BitLocker PINs and pas
rmation such as a PIN or Password.If you enable this policy setting devices must have an alternative means of pre-boot input (such as an a
tion options can be required at startup otherwise a policy error occurs.If you want to use BitLocker on a computer without a TPM select th
Windows Server 2008 or Windows Vista.On a computer with a compatible Trusted Platform Module (TPM) two authentication methods can
m validation data will not be refreshed when Windows is started following BitLocker recovery.If you do not configure this policy setting pla
the default BCD profile used by Windows 7.If you do not configure this policy setting the computer will verify the default Windows BCD se
nabled or not configured removable data drives formatted with the FAT file system can be unlocked on computers running Windows Serve
Locker-protected removable data drives. Before a data recovery agent can be used it must be added from the Public Key Policies item in e
ting of data to the drive.If you enable this policy setting you can specify additional options that control whether BitLocker software-based e
e the Group Policy setting "Password must meet complexity requirements" located in Computer Configuration\Windows Settings\Security
g the "Require use of smart cards on removable data drives" check box.Note: These settings are enforced when turning on BitLocker not w
drives" to permit the user to run the BitLocker setup wizard on a removable data drive. Choose "Allow users to suspend and decrypt BitLo
th read and write access.If the "Deny write access to devices configured in another organization" option is selected only drives with identifi
how or hide it in Settings.If you enable this policy setting and set it to Disabled the Chat icon will not be displayed and users cannot show o
show.Note: If you disable or do not configure this policy setting but enable the "Computer Configuration\Administrative Templates\Windo
his policy Windows experiences will be able to use cloud consumer account state content.
e to use cloud optimized content.
ng users may see suggestions from Microsoft and notifications about their Microsoft account.Note: This setting only applies to Enterprise
n to turn it always on or off except for manual launch too.
he password reveal button will be displayed after a user types a password in the password entry text box.By default the password reveal b
be displayed so the user can choose one and enter the correct password.If you disable this policy setting users will always be required to t
ed.If you enable this policy setting users will be required to enter Windows credentials on the Secure Desktop by means of the trusted pat
ust be registered in Azure AD for this policy to succeed.If you disable or don't configure this policy setting Microsoft will be the controller o
f you disable or do not configure this policy setting diagnostic data from this device will not be processed by Desktop Analytics.
dered part of Windows and does not apply to any additional apps installed by your organization. - Diagnostic data off (not recommended
If you disable or do not configure this policy setting diagnostic data from this device will not be processed by Update Compliance.
ocessed by Windows Update for Business cloud.. If you disable or do not configure this policy setting diagnostic data from this device
nticated proxy to send data back to Microsoft. Enabling this policy will block the Connected User Experience and Telemetry service from au
dows 10 version 1809Default setting: Disabled or not configured (no data collected or sent)
ver a Secure Sockets Layer (SSL) connection. If the named proxy fails or if you disable or do not configure this policy setting Connected Use
policy setting to "Enable diagnostic data change notifications" or don't configure this policy setting diagnostic data opt-in change notificati
t-in settings" end users can change the device diagnostic settings in the Settings app.Note:To set a limit on the amount of diagnostic data
Microsoft as part of the onboarding process for the program.
value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure th
r don't configure this policy setting the Delete diagnostic data button will be enabled in Settings page which allows people to erase all diag
ft from the device.If you disable or don't configure this policy setting the Diagnostic Data Viewer will be enabled in Settings page.
download configuration settings.
the Windows Feedback app asking users for feedback.Note: If you disable or do not configure this policy setting users can control how oft
onfigure this policy setting Windows will not record attempts to connect with the OneSettings service to the EventLog.
ed.If you disable or do not configure this policy setting we may occasionally collect diagnostic logs if the device has been configured to sen
er mode triage dumps.If you disable or do not configure this policy setting we may occasionally collect full or heap dumps if the user has o
tional diagnostic data" 3. Enable the "Limit Dump Collection" policy 4. Enable the "Limit Diagnostic Log Collection" policyWhen these p
m settings.If you disable this policy setting Windows Insider Program settings will be unavailable to users through the Settings app.This pol
ns "not-limited"; The cloud service set default value will be used.
ption 2 overrides the Cache Server Hostname policy if configured.
hat is waiting for peer sources will appear to be stuck for the end user.The recommended value is 1 hour (3600).
a download that is waiting for peer sources will appear to be stuck for the end user.The recommended value is 1 minute (60).
ccurs on devices in the same Active Directory Site (if exist) or the same domain by default. When this option is selected peering will cross N
n authentication of identity.
options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode this policy will be ignored.For o
nd unsigned gadgets will be extracted.The default is for Windows to extract both signed and unsigned gadgets.
turned on.
ccessible if desktop composition is turned on. When Windows Flip 3D is activated with the Windows+Tab keys a visual version of the deskt
etting requires a logoff for it to be applied.
onalization. However setting the accent will have no effect.
be used in conjunction with the "Specify a default color for window frames" policy setting to enforce a specific color for window frames tha
is used if the user does not specify a color. Note: This policy setting can be used in conjunction with the "Prevent color changes of window
ve Directory Device Registration Overview.http://go.microsoft.com/fwlink/?LinkId=307136

er will not run.If you disable or do not configure this setting Digital Locker can be run.
ts.If you disable or do not configure this policy setting forwarder resource usage is not specified.This setting applies across all subscription
specifics.Use the following syntax when using the HTTPS protocol:Server=https://<FQDN of the collector>:5986/wsman/SubscriptionMan
A new file is then started.If you disable this policy setting and the "Retain old events" policy setting is enabled new events are discarded an
em services can write read or clear this log.Note: If you enable this policy setting some tools and APIs may ignore it. The same change shou
ecurity descriptor can access the log.If you disable this policy setting all authenticated users and system services can write read or clear thi
overwrite old events.Note: Old events may or may not be retained according to the "Backup log automatically when full" policy setting.
ent Log uses the folder %SYSTEMROOT%\System32\winevt\Logs.
mum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log Prop
e this policy setting only those users whose security descriptor matches the configured specified value can access the log.If you disable or
g.If you disable this policy setting only system software and administrators can read or clear this log.If you do not configure this policy setti
maximum size of the log file will be set to the locally configured value. This value can be changed by the local administrator using the Log P
em services can write read or clear this log.Note: If you enable this policy setting some tools and APIs may ignore it. The same change shou
ecurity descriptor can access the log.If you disable this policy setting all authenticated users and system services can write read or clear thi
ptor matches the configured value can access the log.If you disable or do not configure this policy setting only system software and admin
rators can write or clear this log and any authenticated user can read events from it.If you do not configure this policy setting the previous
and the public key you provide. You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages provide
splayed.Note: Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks.
e Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious.Some informati
ser-defined properties and properties stored in NTFS secondary streams.
ot contain all programs installed in the same manner as it was on the machine on which the user had last logged on unexpected behavior
application has been installed that can handle the file type or protocol association that was invoked.
On every logon the policy settings are verified and Libraries for the user are updated or changed according to the path defined.If you disab
DISM documentation on TechNet.If this group policy is enabled and the client machine is domain-joined the file will be processed and defa
o not configure this policy setting users will be able to choose whether they want hibernate to show through the Power Options Control P
how through the Power Options Control Panel.
re this policy setting users will be able to choose whether they want sleep to show through the Power Options Control Panel.
his policy setting users can choose how the ribbon appears when they open new windows.
ort file names by increasing number value (for example 3 < 22 < 111).
ers. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this protocol in
y that new and old locations point to the same network share. If both new and old locations point to the same share the target path is upd
annot list and restore previous versions of files on local disks.If you do not configure this policy setting it defaults to disabled.
estore previous versions of files on file shares.If you do not configure this policy setting it is disabled by default.
opies and can see only previous versions corresponding to on-disk restore points.If you disable this policy setting users can see previous ve
ng the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button Windows atte
ponding to a backup.If you disable this policy setting the Restore button remains active for a previous version corresponding to a backup.
s policy setting the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks the Restore
he user to view the last location of use of their active digitizer on their device; this location is stored locally on the user's device after each u
or do not configure this policy setting users can add computers to a homegroup. However data on a domain-joined computer is not share
emove search providers but only from the set of search providers specified in the list of policy keys for search providers (found under [HKC
ot show up in the Internet Explorer mode context menu.For more information see https://go.microsoft.com/fwlink/?linkid=2102115
shutdown.If you disable or do not configure this policy setting OnUnLoad script handlers do not display UI during shutdown (default behav
ar. In addition users won't be able to change the Suggestions setting on the Settings charm.If you disable this policy setting users won't rec
es to Internet Explorer 9.In Internet Explorer 9 add-ons are defined as toolbars Browser Helper Objects or Explorer bars. ActiveX controls a
ed.If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed the following beha
tting Internet Explorer sends the current Internet Explorer version in the User Agent header (for example "MSIE 7.0").
mponent when visiting a Web site that uses that component.This policy is intended to help the administrator control which components t
o automatic configuration. You can import your current connection settings from your machine using Internet Explorer Maintenance unde
licy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) you do no
ome pages. The user cannot set custom default secondary home pages.If you disable or do not configure this policy setting the user can ad
file allows the user to import favorites feeds and cookies from a file. Exporting settings to a file allows the user to export favorites feeds an
xplorer 11 to Microsoft Edge Stable Channel browser.- Overrides any other policies that redirect to Internet Explorer 11.If you disable or d
net Explorer checks every 30 days by default and then notifies users if a new version is available.This policy is intended to help the adminis
art their browsers.
ers will not be notified if their programs are updated using Software Distribution Channels.If you disable this policy or do not configure it u
anager will be available to the user.
cy extended hotkeys will not work in Internet Explorer mode.For more information see https://go.microsoft.com/fwlink/?linkid=2102115
search tools viewing a history of visited pages printing and accessing email and newsgroups. The menu bar contains menus that open list
o not configure this policy users can turn on or turn off automatic updates from the About Internet Explorer dialog.Note: This policy is depr
The only exceptions are sites listed in your Enterprise Mode Site List.If you disable or don’t configure this policy all intranet sites are autom
sers can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on but don't specify a report location Enterp
uded in site discovery. This policy can be used in conjunction with other policies controlling sites included in Site Discovery.To configure th
in site discovery. This policy can be used in conjunction with other policies controlling sites included in Site Discovery.To configure zone(s
ntended to ensure that proxy settings apply uniformly to the same computer and do not vary from user to user.
domain name is allowed so www.contoso.com is valid but not http://www.contoso.com. Wildcards are allowed so *.contoso.com is also v
cy setting is enabled the "Fix settings" command on the Notification bar shortcut menu should be disabled.
he Settings charm (starting with Internet Explorer 10 on Windows 8).If you disable or do not configure this policy setting the Internet Expl
ble this policy setting SmartScreen Filter warnings block the user.If you disable or do not configure this policy setting the user can bypass S
or do not configure this policy setting the user can bypass SmartScreen Filter warnings.
ter level by importing Privacy settings from your computer under Internet Explorer Maintenance.If you disable or do not configure this po
wing: • Open in an existing Internet Explorer window. If tabbed browsing is enabled a new tab is created in this scenario. • Open a new
e background by pressing Ctrl+Shift+Select or open the tabs in the foreground by pressing Ctrl+Shift+Select.If you disable or do not config
olicy setting the Search box appears by default in the Internet Explorer frame.Note: If you enable this policy setting Internet Explorer does
ist.Note: You can allow a default list of sites that can open pop-up windows regardless of the Internet Explorer process's Pop-Up Blocker se
Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.If you disa
shing filter uses: manual automatic or off.If you select manual mode the phishing filter performs only local analysis and the user is prompte
rticipate in the CEIP and the Customer Feedback Options command does not appear on the Help menu.If you do not configure this policy
ip the First Run wizard and go directly to the "Welcome to Internet Explorer" webpage.Starting with Windows 8 the "Welcome to Interne
rd-party toolbars or in Setup but the user can also add them from a search provider's website.If you enable this policy setting the user can
the Security tab and then click the Sites button.)If you disable this policy or do not configure it users can add Web sites to or remove sites
n change the settings for security zones.This policy prevents users from changing security zone settings established by the administrator.N
mputer can establish their own security zone settings.This policy is intended to ensure that security zone settings apply uniformly to the sam
t one site in the Enterprise Mode Site List.Enabling this setting automatically opens all sites not included in the Enterprise Mode Site List in
d high allows the tab process to grow very quickly and is intended only for computers that have ample physical memory. The default settin
Edge with Enterprise Mode.If you disable or don't configure this setting the default app behavior occurs and no additional page appears.
not configure this policy setting the user can select his or her preference for this behavior.
ols including per-user controls are installed through the standard installation process.
nable this policy setting the ActiveX Opt-In prompt does not appear. Internet Explorer does not ask the user for permission to load an Acti
Add-ons dialog box displays the load time for each group of add-ons enabled in the browser. It allows the user to disable add-ons and con
r data after a program stops responding.
s policy setting browser geolocation support can be turned on or off in Internet Options on the Privacy tab.
1: Force pop-up windows to open in new windows. 2: Force pop-up windows to open on new tabs.If you disable or do not configure this
Reporting continue to apply.If you disable or do not configure this policy setting the crash detection feature for add-on management will b
r. You must specify which mode the SmartScreen Filter uses: on or off.All website addresses that are not on the filter's allow list are sent a
at host MSHTML respond to user input that causes the content to be re-rendered at a scaled size.
windows will continue to function as they did in Windows XP Service Pack 1 or earlier although windows launched off screen will continue
owsing Session feature.

ders that offer suggestions.
er and the user cannot turn them on.If you disable this policy setting tabbed browsing and related entry points appear on the user interfac
etting user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-address setting.I
s in the Search box the quick pick menu appears.
n off ActiveX Filtering although they may add per-site exceptions.If you disable or do not configure this policy setting ActiveX Filtering is no
u disable this policy setting the user cannot log information that is blocked by new Internet Explorer features. The user cannot turn on log
default and the user cannot turn it on.If you do not configure this policy setting the menu bar is turned off by default. The user can turn on
tten to the WMI class. Enabling or disabling this setting will not impact other output methods available for the SDTK.
setting will not impact other output methods available for the SDTK.
s. The user’s browsing history is sent to Microsoft to produce suggestions.If you disable this policy setting the entry points and functionalit
\policies\Microsoft\Internet Explorer\Main\EnterpriseMode) opening all listed websites using Enterprise Mode IE.If you disable or don't co
ccelerators should not overlap.If you disable or do not configure this policy setting the user has Accelerators that are provided through firs
ult Accelerators should not overlap.If you disable or do not configure this policy setting the user has Accelerators that are provided throug
olicy setting the user can access any Accelerators that he or she has installed.
rd operation. This means that if the zone behavior is currently set to prompt it will be bypassed and enabled.If you disable this policy settin
he Internet Explorer process performs a Clipboard operation. In the Internet Explorer process if the zone behavior is currently set to prom
et Explorer process" policy. If the "Bypass prompting for Clipboard access for scripts running in any process" policy setting is enabled the p
t Explorer will not be available. Starting with Windows 8 the Print flyout for Internet Explorer will not be available and users will not see pr
ialog box.If you disable or do not configure this policy setting the menu options will be available.
splayed in Compatibility View.If you disable this policy setting the Microsoft-provided website lists are not used. Additionally the user cann
re this policy setting the user can use the Compatibility View button and manage the Compatibility View sites list.
his policy setting the user can use the Compatibility View button.
lorer.If you enable this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended). A
dards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change this behav
d and remove sites from the list.
with an additional string appended). Additionally webpages included in this list appear in Quirks Mode.
he user cannot specify the download path for the code. You must specify the download path.If you disable or do not configure this policy s
policy setting deleting browsing history on exit is turned on.If you disable this policy setting deleting browsing history on exit is turned off.
e this policy setting a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You must spec
wsing History dialog box. Starting with Windows 8 users cannot click the Delete Browsing History button on the Settings charm.If you disab
s turn on the Personalized Tracking Protection List which blocks third-party items while the user is browsing.With at least Internet Explore
policy setting the user can choose whether to delete or preserve cookies when he or she clicks Delete.If the "Prevent access to Delete Brow
s Delete.If you do not configure this policy setting the user can choose whether to delete or preserve download history when he or she clic
f you do not configure this policy setting the user can choose whether to delete or preserve favorites site data when he or she clicks Delet
his policy setting the user can choose whether to delete or preserve form data when he or she clicks Delete.If the "Prevent access to Delet
e Browsing History dialog box.If you enable this policy setting InPrivate Filtering data is preserved when the user clicks Delete.If you disabl
e this policy setting the user can choose whether to delete or preserve passwords when he or she clicks Delete.If the "Prevent access to De
he user clicks Delete.If you do not configure this policy setting the user can choose whether to delete or preserve temporary Internet files
s that the user has visited are deleted when he or she clicks Delete.If you do not configure this policy setting the user can choose whether
ies.If you disable or do not configure this policy setting users will be able to delete temporary Internet files and cookies.
ou set this policy you do not need to set the "Disable changing Advanced page settings" policy (located in \User Configuration\Administrati
o set the following policies for the Content tab because this policy removes the Connections tab from the interface:"Disable Internet Conn
en you set this policy you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrative Templa
eed to set the following policies for the Programs tab because this policy removes the Programs tab from the interface:"Disable changing M
hen you set this policy you do not need to set the following Internet Explorer policies because this policy removes the Security tab from th
ot configure this policy setting the user can choose to ignore certificate errors and continue browsing.
hould be sent: 0) Unicode domain names are never converted to IDN format. 1) Unicode domain names are converted to IDN format o
gh the user's code page. This behavior matches the behavior of Internet Explorer 6 and earlier. The user can change this behavior on the I
nfigure this policy users can choose whether to be prompted before running active content on a CD.
ternet Explorer components will be automatically installed as necessary.If you disable this policy setting users will be prompted when non-
the Japanese Language Pack component if it is not already installed.If you enable this policy setting Web components such as fonts will b
setting Internet Explorer won't use the HTTP2 network protocol.If you don't configure this policy setting users can turn this behavior on or
isable this policy setting Internet Explorer won't use the SPDY/3 network protocol.If you don't configure this policy setting users can turn t
or run files with an invalid signature.If you disable this policy setting users cannot run or install files with an invalid signature.If you do not
er automatically launches any browser helper objects that are installed on the user's computer.If you disable this policy setting browser he
this policy setting Internet Explorer only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Browsing mode
checks the Internet for a new version approximately every 30 days and prompts the user to download new versions when they are availa
ou enable this policy setting Internet Explorer will check to see if server certificates have been revoked.If you disable this policy setting Int
check the digital signatures of executable programs and display their identities before downloading them to user computers.If you disable
ption to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in Enhanced
nternet Explorer Settings.If you disable or do not configure this policy setting the user can use Reset Internet Explorer Settings.
taining secure (HTTPS) information to the cache.If you disable this policy setting Internet Explorer will save encrypted pages containing se
ce usage.If you enable this policy setting Internet Explorer will delete the contents of the user's Temporary Internet Files folder when all br
Web content.If you disable this policy setting Internet Explorer will not play or download animated pictures helping pages display more q
f you disable this policy setting Internet Explorer will not play or download sounds in Web content helping pages display more quickly.If yo
disable this policy setting Internet Explorer will not play or download videos helping pages display more quickly.If you do not configure th
t configure this policy setting applications that host MSHTML render text by using the Microsoft ClearType rendering engine.
mmunication with the target server the browser and server negotiate which protocol and version to use. The browser and server attempt
r content in the background.If you disable this policy setting Internet Explorer preemptively loads websites and content in the background
e Assistant information users will be prompted to choose which information to share. At that time users can also choose to allow this infor
s. 1) Only encode query strings for URLs that aren't in the Intranet zone. 2) Only encode query strings for URLs that are in the Intranet z
olicy setting flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.If you disable this policy s
s are used.If you enable this policy setting Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected Mode on
ng is particularly useful to users who do not use a mouse.If you enable this policy setting Caret Browsing is turned on.If you disable this pol
e this policy setting Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced Protected
onfigure this policy setting users can configure Internet Explorer to use or not use HTTP 1.1 through proxy connections.
onfigure this policy setting Internet Explorer does not display the Content Advisor setting on the Content tab of the Internet Options dialo
xplorer starts a new browsing session with the tabs from the last browsing session. Users cannot change this option to start with the hom
etting websites will not be able to store application caches on client computers. Allow website database and caches on Website Data Setti
cy setting websites will not be able to store an indexed database on client computers. Allow website database and caches on Website Dat
in Internet Explorer sends an error to the website. No notification will be displayed to the user. This group policy sets the maximum file st
ernet Explorer will remove application caches that haven't been used within the timeframe set in this policy setting.If you disable or do no
or do not configure this policy setting users can set default data storage limits for indexed databases and application caches.
main Internet Explorer sends an error to the website. No notification is sent to the user. This group policy sets the maximum data storage l
his policy setting you provide the resource size limit in MB. The default is 50 MB.If you enable this policy setting Internet Explorer will allow
or to the website. No notification will be displayed to the user. When you set this policy setting you provide the resource limit as a number
uter. The default maximum storage limit for all application caches is 1 GB.If you enable this policy setting you can set the maximum storag
ir computer. The default maximum storage limit for all indexed databases is 4 GB.If you enable this policy setting you can set the maximum
mplate defaults.If you disable this template policy setting no security level is configured.If you do not configure this template policy setting
tes which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Internet Zon
one there).If you do not configure this policy setting users choose whether network paths are mapped into the Intranet Zone.
ed into the Intranet Zone (other rules might map one there).If you do not configure this policy setting users choose whether sites which by
es to zones. They are: (1) Intranet zone (2) Trusted Sites zone (3) Internet zone and (4) Restricted Sites zone. Security settings can be set fo
ng automatic detection of the intranet is turned off and intranet mapping rules are applied however they are configured.If this policy settin
is policy setting the certificate address mismatch warning always appears.If you disable or do not configure this policy setting the user can
henever the user browses to a page that loads content from an intranet site.If you disable this policy setting a Notification bar notification
one. If you select Prompt in the drop-down box users are queried to choose whether to allow a page to be loaded in the zone that uses MS
own policy.If you enable this policy setting no Intranet Zone content accessed is affected even for protocols on the restricted list. If you se
le this policy setting script code on pages in the zone is prevented from running.If you do not configure this policy setting script code on p
behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.If you disable this polic
d operations.If you disable this policy setting a script cannot perform a clipboard operation.If you do not configure this policy setting a scri
or copy files from this zone.If you disable this policy setting users are prevented from dragging files or copying and pasting files from this zo
olicy setting files are prevented from being downloaded from the zone. If you do not configure this policy setting files can be downloaded
ou disable this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting HTML fonts can be do
l desktop items from this zone.If you disable this policy setting users are prevented from installing desktop items from this zone.If you do
olicy setting and set the drop-down box to Enable XBAPs are automatically loaded inside Internet Explorer. The user cannot change this be
ng and set the drop-down box to Enable XAML files are automatically loaded inside Internet Explorer. The user cannot change this behavio
plorer. The user cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XPS files.If you disa
h setting can be redirected to another Web page.If you disable this policy setting a user's browser that loads a page containing an active M
trol to run from the current site or from all sites.If you disable this policy setting the user does not see the per-site ActiveX prompt and Acti
u enable this policy setting users can perform OpenSearch queries in this zone using Search Connectors.If you disable this policy setting us
m within the File Explorer) it might affect other items as well that are marked from this zone. For example some application-specific items
e user can enable or disable script access to the WebBrowser control. By default script access to the WebBrowser control is allowed only i
u disable this policy setting the possible harmful actions contained in script-initiated pop-up windows and windows that include the title a
n.If you selected Disable in the drop-down box VBScript is prevented from running.If you do not configure or disable this policy setting VBS
of Internet Explorer 8 this policy setting controls HTML+TIME media elements that refer to audio and video files.If you enable this policy se
Explorer windows that have no status bar or Address bar.If you do not configure this policy setting the user can choose whether websites
an enable or disable the Notification bar behavior.
g the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.If you do not configure this policy setting
ot configure this setting file downloads that are not user-initiated will be blocked and users will see the Notification bar instead of the file
curity information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?) and nonse
one certificate.If you disable this policy setting Internet Explorer prompts users with a "Client Authentication" message when they connec
ble this policy setting Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of the ActiveX
ers who aren't trusted. Code signed by trusted publishers is silently downloaded.If you disable the policy setting signed controls cannot be
p-down box users are queried to choose whether to allow the unsigned control to run.If you disable this policy setting users cannot run un
ifferent windows. Users cannot change this setting.If you enable this policy setting and click Disable users cannot drag content from one d
he same window. Users cannot change this setting.If you enable this policy setting and click Disable users cannot drag content from one do
rity zone will run without the added layer of security provided by this feature.If you disable this policy setting the actions that may be harm
path.If you enable this policy setting path information is sent when the user is uploading a file via an HTML form.If you disable this policy s
g causes both unsafe and safe controls to be initialized and scripted ignoring the Script ActiveX controls marked safe for scripting option.If
area in memory outside of which the program cannot make calls) plus capabilities like scratch space (a safe and secure storage area on the
you select Prompt in the drop-down box users are queried to choose whether to run applications and download files from IFRAMEs on th
ord to query users for user IDs and passwords. After a user is queried these values can be used silently for the remainder of the session.Au
queried whether to allow windows and frames to access applications from other domains.If you disable this policy setting users cannot op
users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet Options dia
g Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box Internet Explorer will prompt
ternet Explorer will execute signed managed components. If you select Prompt in the drop-down box Internet Explorer will prompt the use
r plug-in to run.If you disable this policy setting controls and plug-ins are prevented from running.If you do not configure this policy setting
nteraction.If you disable this policy setting script interaction is prevented from occurring.If you do not configure this policy setting script in
isable this policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts can access applets a
open without a security warning. If you set the drop-down box to Prompt a security warning appears before the files open.If you disable th
ftware packages to be automatically installed on users' computers.Medium safety to allow users to be notified of software updates by e-m
this zone can be submitted automatically. If you select Prompt in the drop-down box users are queried to choose whether to allow inform
e developer tools. It includes the new managed code APIs for Windows.If you enable this policy setting .NET Framework Setup is turned o
licy setting the first-run prompt is turned off in the corresponding zone.If you disable this policy setting the first-run prompt is turned on in
tting the XSS Filter is turned off for sites in this zone and Internet Explorer permits cross-site script injections.
ff Protected Mode.If you disable this policy setting Protected Mode is turned off. The user cannot turn on Protected Mode.If you do not co
t configure this policy setting the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.Note: In Inter
not prevented from appearing.If you do not configure this policy setting most unwanted pop-up windows are prevented from appearing.
licy setting users can preserve information in the browser's history in favorites in an XML store or directly within a Web page saved to disk
curity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box a warning is issue
ot configure this setting users will receive a file download dialog for automatic download attempts.
not prevented from appearing.If you do not configure this policy setting pop-up windows are not prevented from appearing.
rity that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box a warning is issued
le this policy setting script code on pages in the zone is prevented from running.If you do not configure this policy setting users are querie
n.If you selected Disable in the drop-down box VBScript is prevented from running.If you do not configure or disable this policy setting use
olicy setting files are prevented from being downloaded from the zone. If you do not configure this policy setting files are prevented from
ou disable this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting users are queried whe
x users are queried whether to allow additional windows and frames to access applications from other domains.If you disable this policy s
isable this policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts are prevented from
col Lockdown policy.If you enable this policy setting no Trusted Sites Zone content accessed is affected even for protocols on the restricte
olicy setting files are prevented from being downloaded from the zone. If you do not configure this policy setting files are prevented from
ou disable this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting users are queried whe
x users are queried whether to allow additional windows and frames to access applications from other domains.If you disable this policy s
isable this policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts are prevented from
Internet Explorer tiles are opened.
figure this policy setting users can choose how links are opened in Internet Explorer.
o directly to an intranet site for a one-word entry in the Address bar.
rer will be shown.If you do not configure this policy setting the button to open Microsoft Edge from Internet Explorer can be configured b
g phone number detection is turned on. Users won't be able to modify this setting.If you don't configure this policy setting users can turn t
you do not configure this policy setting the user can change the "Enable alternative codecs in HTML5 media elements" setting on the Adv
Address bar for searches. The user can still perform searches on the Search bar by clicking the Search button. • Display the results in the
in the main window. • Enable top result search: When a user performs a search in the Address bar the user is directed to an external top
ill be turned off. Users will not be able to turn on URL Suggestions.If you disable this policy setting URL Suggestions will be turned on. User
er Address bar.If you enable this policy setting Internet Explorer does not use Windows Search AutoComplete for providing relevant results
y setting allows you to specify the URL to update the browser security setting.If you enable this policy setting the user cannot specify the c
o not configure this policy setting the user can change the URL that is displayed for checking updates to Internet Explorer and Internet Too
e check interval.
a user's browsing. However doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30.If you ena
t a user's browsing. However doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30.If you en
le this policy setting toolbars and BHOs are not loaded by default during an InPrivate Browsing session.If you disable this policy setting too
etting InPrivate Filtering data collection is turned off.If you disable this policy setting InPrivate Filtering collection is turned on.If you do no
this policy setting InPrivate Browsing is available for use.If you do not configure this policy setting InPrivate Browsing can be turned on or o
s have visited.If you enable this policy setting InPrivate Filtering is turned off in all browsing sessions and InPrivate Filtering data is not colle
users have visited.If you enable this policy setting Tracking Protection is disabled in all browsing sessions and Tracking Protection data is n
es not affect which security protocols are enabled.If you disable this policy system defaults will be used.
u enable this policy setting the reveal password button will be hidden for all password fields. Users and developers will not be able to depe
PPolicy function.If you disable or do not configure this policy setting Internet Explorer uses the SetProcessDEPPolicy function to turn on Da
ou enable this policy setting Data URI support is turned off. Without Data URI support a Data URI will be interpreted as a failed URL.If you
used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting which defines whether add-ons not listed here
nces and policy settings.If you enable this policy setting all processes will respect add-on management user preferences and policy settings
web pages.By default the 'Add-on List' policy setting defines a list of add-ons to be allowed or denied through Group Policy. However user
end support for these user preferences and policy settings to specific processes listed in the process list.If you enable this policy setting an
veX control.If you disable or don't configure this policy setting users will see the "Run this time" button on the warning message that appe
Explorer continues to block specific outdated ActiveX controls.For more information see "Outdated ActiveX Controls" in the Internet Explo
ocked in Internet Explorer. Each domain entry must be formatted like one of the following:1. "domain.name.TLD". For example if you want
setting Internet Explorer won't log ActiveX control information.Note that you can turn this policy setting on or off regardless of the "Turn
user can choose to run natively implemented scriptable XMLHTTP.
net Explorer uses the default connection limit for HTTP 1.1 (6 connections per host).In versions of Internet Explorer before Internet Explor
ternet Explorer prior to Internet Explorer 8 the default connection limit for HTTP 1.0 was 4.
this policy setting Internet Explorer uses the default limit of 6 WebSocket connections per server.
uest data across third-party domains embedded in the page.
et Explorer 10. Also this policy setting does not prevent a site from requesting cross-domain data through a server.If you enable this policy
omain data through a server.If you enable this policy setting websites cannot request data across domains by using the XDomainRequest o
y or behavior on a page.)If you enable this policy setting this sets the list of behaviors permitted in each zone for which Script and Binary B
e prevented for all processes. Any use of binary behaviors for HTML rendering is blocked.If you disable or do not configure this policy setti
this policy setting Internet Explorer 9 installs binaries signed by MD2 and MD4 signing technologies.If you disable or do not configure this p
e prevented for the File Explorer and Internet Explorer processes.If you disable this policy setting binary behaviors are allowed for the File
applications for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 bi
pe of a file is text/plain but the MIME sniff indicates that the file is really an executable file Internet Explorer renames the file by saving it in
to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load malic
to all local files and content processed by Internet Explorer. This feature helps to mitigate attacks where the Local Machine zone is used a
pplies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to load
eature is disabled for all processes.
es will allow a MIME sniff promoting a file of one type to a more dangerous file type.If you do not configure this policy setting MIME sniffin
ter a Value of 1 this protection will be in effect. If you enter a Value of 0 any file may be promoted to more dangerous file types. The Value
y setting the MK Protocol is enabled.
able this policy setting applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Explorer and I
tting and enter a Value of 1 use of the MK protocol is prevented. If you enter a Value of 0 use of the MK protocol is allowed. If a Value Nam
hrough restricted protocols is allowed for all processes other than File Explorer or Internet Explorer.If you disable this policy setting restric
ontent obtained through restricted protocols is allowed for File Explorer and Internet Explorer processes. For example you can restrict acti
s for which they want restricting content obtained through restricted protocols to be prevented or allowed.If you enable this policy setting
es to all processes which have opted in to the security restriction.If you enable this policy setting for a zone this sets the list of protocols to
rocesses for which the Notification bar is displayed by default). If you enable this policy setting the Notification bar will be displayed for al
er Processes.If you disable this policy setting the Notification bar will not be displayed for Internet Explorer processes.If you do not configu
bar is displayed by default).If you enable this policy setting and enter a Value of 1 the Notification bar is displayed. If you enter a Value of
cy setting object reference is retained when navigating within or across domains in the Restricted Zone sites.
setting an object reference is retained when navigating within or across domains for Internet Explorer processes.If you do not configure th
a Value of 1 references to objects are inaccessible after navigation. If you enter a Value of 0 references to objects are still accessible after
Local Machine security zone a prime target for malicious users.If you enable this policy setting any zone can be protected from zone eleva
urity zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.If you enable
e security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.This po
etting the Web Browser Control will not block automatic prompting of ActiveX control installation for all processes.
ocked for Internet Explorer processes.If you do not configure this policy setting the user's preference will be used to determine whether to
installation is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy settin
policy setting the Web Browser Control will not block automatic prompting of file downloads that are not user initiated for all processes.
r Internet Explorer processes.If you do not configure this policy setting the user's preference determines whether to prompt for file down
non-initiated file downloads is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1
d status bars.If you enable this policy setting scripted windows are restricted for all processes.If you disable or do not configure this policy
d status bars.If you enable this policy setting popup windows and other restrictions apply for File Explorer and Internet Explorer processes
d status bars.This policy setting allows administrators to define applications for which they want this security feature to be prevented or a
nd buttons are displayed:Show all text labels: All command buttons have only text.Show selective text: Some command buttons have only
d bar is shown by default and the user can choose to hide it.
default and the user can choose to hide it.
ocked by default but the user can unlock them through the shortcut menu of the Command bar.
he Address bar and the user cannot move them.If you do not configure this policy setting the Stop and Refresh buttons are next to the Ad
bars or Browser Helper Objects that are enabled or disabled via policy settings do not undergo this check.If you enable this policy setting t
er (20 x 20 pixels).If you do not configure this policy setting icons for command buttons are 16 x 16 pixels and the user can make them big
ations that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. Enabling this setting wi
s on this computer will not be prevented from using location information from the location feature.
ure this policy setting all programs on this computer can use the Windows Location Provider feature.
d Maintenance/Automatic Maintenance Control Panel. If you disable or do not configure this policy setting the daily scheduled time
arting from its Activation Boundary by upto this time. If you do not configure this policy setting 4 hour random delay will be applied t
has no effect. If you enable this policy setting Automatic Maintenance will attempt to set OS wake policy and make a wake request fo
of map data is determined by a registry setting that the user can change using Windows Settings.
sable or do not configure this policy setting the Offline Maps setting page may generate network traffic.
ollment will be disabled for all users. It will not unenroll existing MDM enrollments.If you disable this policy setting MDM Enrollment will b
zure AD for enrollment to succeed. If you do not configure this policy setting automatic MDM enrollment will not be initiated.
y be added. However any application or service that has already authenticated a user will not be affected by enabling this setting until the
us and antispyware security intelligence is disabled. If you disable or do not configure this setting the antimalware service will be stopped
service will load as a low priority task.
will be blocked. -Audit Mode: Potentially unwanted software will not be blocked however if this feature would have blocked access if
ed by the local administrator will be merged into the resulting effective policy. In the case of conflicts Group policy Settings will override p
tting you must pick a randomization window in hours. The possible randomization window interval is between 1 and 23 hours.
e this setting the proxy server will not be bypassed for the specified addresses.
Proxy server (if specified) 2. Proxy .pac URL (if specified) 3. None 4. Internet Explorer proxy settings 5. Autodetect If you enab
rver (if specified) 2. Proxy .pac URL (if specified) 3. None 4. Internet Explorer proxy settings 5. Autodetect If you enable this s
g the support logs files will not be copied to any location.
u can widen or narrow this randomization period. Specify a randomization window of between 1 and 23 hours.
stalled antivirus product. If you do not configure this policy setting Windows will internally manage Microsoft Defender Antivirus. If you in
policy setting Microsoft Defender Antivirus does not automatically take action on the detected threats but prompts users to choose from t
racters. Longer strings will be truncated before display. If you enable this setting the additional text specified will be displayed. If you d
ch as "obj" or "lib"). The value is not used and it is recommended that this be set to 0.
th or a fully qualified resource name. As an example a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully q
try must be listed as a name value pair where the name should be a string representation of the path to the process image. Note that only
scans. This can impact machine performance in some scenarios. Not configured: Same as Disabled.
l preference setting.
Disabled – The Block at First Sight setting is turned off. This feature requires these Group Policy settings to be set as follows: MAPS
re. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can incl
Off: the rule will not be applied - Not Configured: the rule is enabled with default values - Warn: the rule will be applied and the end-us
example ""C:\Windows"" will exclude all files in that directory. ""C:\Windows\App.exe"" will exclude only that specific file in that specific f
add additional applications. Enabled: Specify additional allowed applications in the Options section.. Disabled: No additional applica
s while still allowing the modification or deletion of files in protected folders. Microsoft Defender Antivirus automatically determines w
rs that are protected is shown in Windows Security. Enabled: Specify additional folders that should be protected in the Options section
ers and applications will not be able to access dangerous domains -Audit Mode: Users and applications can connect to dangerous domain
this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProtection wil
or example if the desired timeout is 60 seconds specify 50 seconds in this setting which will enable the extended cloud check feature and w
an with less frequency. For more information about specific values that are supported see the Microsoft Defender Antivirus docume
set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is re
this configuration is dependent on the EnableNetworkProtection configuration. If this configuration is false EnableNetworkProtection wil
etected by a definition then that definition is "retired". If all security intelligence for a given protocal are retired then that protocol is no lon
not configure this setting Group Policy will take priority over the local preference setting.
der indefinitely and will not be automatically removed.
p Policy will take priority over the local preference setting.
will take priority over the local preference setting.
will take priority over the local preference setting.
the local preference setting.
tion. The appropriate configuration should be evaluated based on the server role. Note that this configuration is only honored for NTFS v
s to take actions on malware detections. If you disable or do not configure this policy setting Microsoft Defender Antivirus will prompt us
able this setting a process scan will not be initiated when real-time protection is turned on.
roup Policy will take priority over the local preference setting.
(0x2) Monday (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never (default) If you enable
r where the scan is executing. If you enable this setting a scheduled full scan to complete remediation will run at the time of day specifie
ced notifications will not display on clients.
able this setting a check for new security intelligence will occur before running a scan. If you disable this setting or do not configure this
y will take priority over the local preference setting.
preference setting.
e local preference setting.
ake priority over the local preference setting.
scheduled scans. If you disable or do not configure this setting a catch-up scan will occur after the 2 consecutive missed scheduled scan
re this setting removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom
4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never (default) If you enable this setting a scheduled scan will run
e this setting a quick scan will run at the interval specified. If you disable or do not configure this setting quick scan controlled by this con
ure this setting archive files will be scanned to the default directory depth level.
g CPU utilization will not exceed the percentage specified. If you disable or do not configure this setting CPU utilization will not exceed th
will be scanned. If you disable or do not configure this setting archive files will be scanned according to the default value.
ter where the scan is executing. If you enable this setting a daily quick scan will run at the time of day specified. If you disable or do no
e on the computer where the scan is executing. If you enable this setting a scheduled scan will run at the time of day specified. If you d
ns for scheduled full scans will be turned on. If a computer is offline for two consecutive scheduled scans a catch-up scan is started the ne
cans for scheduled quick scans will be turned on. If a computer is offline for two consecutive scheduled scans a catch-up scan is started the
e (Outlook Express) binhex (Mac). If you enable this setting e-mail scanning will be enabled. If you disable or do not configure this settin
will be enabled. If you disable this setting heuristics will be disabled.
If you enable this setting items will be removed from the scan history folder after the number of days specified. If you disable or do no
he recommended state for this functionality. If you enable this setting reparse point scanning will be enabled. If you disable or do not
red your computer to join Microsoft MAPS for this functionality to work. If you enable this setting or do not configure the antimalware s
all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this
date. If you disable or do not configure this setting security intelligence updates will be downloaded from the configured download sourc
while the computer is running on battery power.
new security intelligence will not occur after service startup.

2 }". The list is empty by default. If you enable this setting the specified sources will be contacted for security intelligence updates. Once s
re this setting a catch-up security intelligence update will be required after the default number of days.
g icon in the user interface. By default this value is set to 7 days. If you enable this setting spyware security intelligence will be considered
on in the user interface. By default this value is set to 7 days. If you enable this setting virus security intelligence will be considered out of
icrosoftUpdateServer” “MMPC” and “FileShares” For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } If
ntelligence updates will not be initiated on startup when there is no antimalware engine present.
ay (0x3) Tuesday (0x4) Wednesday (0x5) Thursday (0x6) Friday (0x7) Saturday (0x8) Never If you enable this setting the check fo
cur at the interval specified. If you disable or do not configure this setting checks for security intelligence updates will occur at the defaul
15 minutes before the scheduled scan time. The schedule is based on local time on the computer where the check is occurring. If you en
emediation action that should be taken. Valid threat alert levels are: 1 = Low 2 = Medium 4 = High 5 = Severe Valid remediation
remediation action that should be taken. Valid remediation action values are: 2 = Quarantine 3 = Remove 6 = Ignore
ure this setting event logs aren't collected from your Application Guard container.
mera and microphone on the user’s device.If you disable or don't configure this policy applications inside Microsoft Defender Application G
u enable this setting you can still delete a user's data from a specific device using the Reset-ApplicationGuard PowerShell command. Runni
don't configure this setting people can't save downloaded files from the Microsoft Defender Application Guard container to the host oper
g performance and battery life while using Microsoft Defender Application Guard particularly for video playback and other graphics-intens
eparate the thumbprints for each certificate you want to transfer.If you disable or don’t configure this setting certificates are not shared w
Application Guard to the host- Enable the clipboard to copy content from the host to Application Guard.Note:We recommend that you do
ting to local printers.- Enable printing to PDF allows people to print as PDF and save the resulting file on the host.- Enable printing to XPS a
on Guard.If you disable or don't configure this setting non-enterprise sites can open outside of the Microsoft Defender Application Guard c
es can’t compromise the kernel or any other apps running outside of the virtualized environment.If you enable this setting Application Gua
ng the Set-ProcessMitigation PowerShell cmdlet the ConvertTo-ProcessMitigationPolicy PowerShell cmdlet or directly in Windows Securit
b. For this to work properly your students and teachers must be signed in using a school account.If you disable or don't configure this setti
onality. Therefore because search suggestions are shown in the drop-down this setting takes precedence over the "Configure search sugge
Settings.
omatically download updated configuration data for the Books Library.
rosoft Edge only sends basic telemetry data depending on your device configuration.
ailable for use in Microsoft Edge.
onfigure this setting Microsoft Edge periodically downloads the latest version of the list from Microsoft applying the updates during brows
ows sign in when the system is idle and each time Microsoft Edge is closed; minimizing the amount of time required to start up Microsoft
b page during Windows sign in and each time Microsoft Edge is closed; minimizing the amount of time required to start up Microsoft Edge
ts before this policy was disabled the previous browsing history remains visible in the History pane. This policy when disabled does not sto
extension policy (aka.ms/browserpolicy).If you enable or don't configure this policy users can add new search engines and change the def
icrosoft Edge is not allowed. Extensions can be installed only through Microsoft store (including a store for business) enterprise storefront
setting employees can't change it.If you don't configure this setting employees can choose how new tabs appears.
r don't configure this setting Microsoft Edge shows the Books Library only in countries or regions where it's supported.
n-joined or MDM-enrolled devices. For more info see the Microsoft browser extension policy (aka.ms/browserpolicy).If you enable this se
setting employees can't use Autofill to automatically fill in forms while using Microsoft Edge.If you don't configure this setting employees
you disable or don't configure this setting all cookies are allowed from all sites.
racking info.If you disable this setting Do Not Track requests are never sent to websites asking for tracking info.If you don't configure this s
de a list of Favorites in the Options section. This list is imported after your policy is deployed.If you disable or don't configure this setting em
s from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settin
changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings enable the Unlock Home Button policy.If E
d to configure Microsoft Edge in assigned access for this policy to take effect; otherwise these settings are ignored. To learn more about a
must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to work. Once
s policy.- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages policy.- A sp
er to save their passwords locally.If you don't configure this setting employees can choose whether to use Password Manager to save their
his setting employees can choose whether to use Pop-up Blocker.
.If you disable this setting employees can't see search suggestions in the Address bar of Microsoft Edge.If you don't configure this setting e
<support.contoso.com><support.microsoft.com>If disabled or not configured the webpages specified in App settings loads as the defa
ally by how often the content is allowed to load and run.
d using Internet Explorer 11 and Enterprise Mode.If you disable or don't configure this setting Microsoft Edge won't use the Enterprise Mo
tting Windows Defender SmartScreen is turned on and employees can't turn it off.If you disable this setting Windows Defender SmartScre
the Configure Start pages policy is not locked down allowing users to edit their Start pages.If disabled or not configured the Start pages co
ernet Explorer and Microsoft Edge.

about:flags page.
or don't configure this setting employees can ignore Windows Defender SmartScreen warnings and continue the download process.
onfigure this setting employees can ignore Windows Defender SmartScreen warnings and continue to the site.
or not configured overriding certificate errors are allowed.
te a new folder) are all turned off.ImportantDon't enable both this setting and the Keep favorites in sync between Internet Explorer and M
er pins a Live Tile to the Start menu.If you disable or don't configure this setting Microsoft Edge gathers the Live Tile metadata providing a f
e First Run page when opening Microsoft Edge for the first time.
ns defined in this policy such as allow for InPrivate browsing. Any additional permissions requested by future updates of the extension gets
n while making calls using the WebRTC protocol.
avorites Bar). The user favorites will appear after these provisioned favorites.ImportantDon't enable both this setting and the Keep favorit
't configure this setting all intranet sites are automatically opened using Microsoft Edge.
cy).If you enable this setting you can choose a default search engine for your employees. If this setting is enabled you must also add the de
r not configuredRelated policy: Configure Home Button
can set the default New Tab page URL.If disabled or not configured the default Microsoft Edge new tab page is used.Default setting: Disab
ation appears on a new page. If you want users to continue in Microsoft Edge select the Show Keep going in Microsoft Edge option from th
bled.If enabled the UI settings for the home button are enabled allowing your users to make changes including hiding and showing the hom
Windows Hello using a companion device.If you disable this policy users cannot use a companion device to authenticate with Windows Hell
This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the settings sto
.If you do not configure this policy setting any defined values will be deleted.
er does not display an IT Contact link.If you do not configure this policy setting any defined values will be deleted.
e settings for Windows apps.If you disable this policy setting the UE-V Agent will synchronize settings for Windows apps. If you do not confi
nged it will only take effect when UE-V service is re-enabled.
mputers.With this setting enabled the notification appears the first time that the UE-V Agent runs.With this setting disabled no notificatio
’t attempt the synchronization. If you enable this policy setting the sync provider pings the settings storage location before synchronizing s
n the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log.If you disable or do not config
nvironment.
vior based on the templates in this location. Settings location templates added or updated since the last check are registered by the UE-V A
s setting disabled the UE-V Agent does not synchronize settings over a metered connection.If you do not configure this policy setting any d
is roaming.With this setting enabled the UE-V Agent synchronizes settings over a metered connection that is roaming.With this setting dis
the settings of all Windows apps not expressly disable in the Windows App List are synchronized.With this setting disabled only the setting
e settings. If you disable or do not configure this policy setting the default value of 2000 milliseconds is used.
ch Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in informati
n and selecting Open or by double-clicking the icon. When this group policy setting is enabled the UE-V tray icon is visible the UE-V notifica
information is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting to registe
certain user settings of Microsoft Access 2013 will continue to be backed up.If you disable this policy setting certain user settings of Micro
certain user settings of Microsoft Access 2016 will continue to be backed up.If you disable this policy setting certain user settings of Micro
ngs continue to synchronize. If you disable this policy setting Calculator user settings are excluded from the synchronization settings.If you
uppress the backup of specific common Microsoft Office Suite 2013 applications.If you enable this policy setting certain user settings whic
uppress the backup of specific common Microsoft Office Suite 2016 applications.If you enable this policy setting certain user settings whic
ain user settings of Microsoft Excel 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Ex
ain user settings of Microsoft Excel 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Ex
etting certain user settings of Microsoft InfoPath 2013 will continue to be backed up.If you disable this policy setting certain user settings o
setting the Internet Explorer 10 user settings continue to synchronize. If you disable this policy setting Internet Explorer 10 user settings ar
setting the Internet Explorer 11 user settings continue to synchronize.If you disable this policy setting Internet Explorer 11 user settings are
tting the Internet Explorer 8 user settings continue to synchronize. If you disable this policy setting Internet Explorer 8 user settings are exc
tting the Internet Explorer 9 user settings continue to synchronize. If you disable this policy setting Internet Explorer 9 user settings are exc
plorer from synchronization between computers. If you enable this policy setting the user settings which are common between the versio
n user settings of Microsoft Lync 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Lync
n user settings of Microsoft Lync 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Lync
policy setting Microsoft Access 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Access 2010 user setti
cy setting Microsoft Excel 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Excel 2010 user settings are
y setting Microsoft Excel 2013 user settings continue to synchronize.If you disable this policy setting Microsoft Excel 2013 user settings are
y setting Microsoft Excel 2016 user settings continue to synchronize.If you disable this policy setting Microsoft Excel 2016 user settings are
e this policy setting Microsoft InfoPath 2010 user settings continue to synchronize.If you disable this policy setting Microsoft InfoPath 2010
e this policy setting Microsoft InfoPath 2013 user settings continue to synchronize.If you disable this policy setting Microsoft InfoPath 2013
setting Microsoft Lync 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Lync 2010 user settings are ex
settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. If you enabl
settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers.If you enable
tion between computers.If you enable this policy setting Microsoft Office 2013 Upload Center user settings continue to synchronize.If you
settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers.If you enable
tion between computers.If you enable this policy setting Microsoft Office 2016 Upload Center user settings continue to synchronize.If you
hronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365
hronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365
e common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V by default.
e common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V by default.
onize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Ex
onize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Ex
synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office
nize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lyn
nize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Lyn
ynchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 3
ynchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 3
3 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft
chronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 36
chronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 36
l synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Offic
oint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user setti
nize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Vis
nize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 Vis
onize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 W
onize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Office 365 W
you enable this policy setting OneDrive for Business 2013 user settings continue to synchronize.If you disable this policy setting OneDrive f
you enable this policy setting OneDrive for Business 2016 user settings continue to synchronize.If you disable this policy setting OneDrive f
ble this policy setting Microsoft OneNote 2010 user settings continue to synchronize.If you disable this policy setting Microsoft OneNote 20
this policy setting Microsoft Outlook 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Outlook 2010 us
ou enable this policy setting Microsoft PowerPoint 2010 user settings continue to synchronize.If you disable this policy setting Microsoft P
s policy setting Microsoft Project 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Project 2010 user se
ble this policy setting Microsoft Publisher 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Publisher 2
on between computers.If you enable this policy setting Microsoft SharePoint Designer 2010 user settings continue to synchronize.If you dis
on between computers.If you enable this policy setting Microsoft SharePoint Designer 2013 user settings continue to synchronize.If you dis
onization between computers.If you enable this policy setting Microsoft SharePoint Workspace 2010 user settings continue to synchronize
setting Microsoft Visio 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Visio 2010 user settings are e
icy setting Microsoft Word 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Word 2010 user settings a
ontinue to synchronize. If you disable this policy setting Notepad user settings are excluded from the synchronization settings.If you do no
setting certain user settings of Microsoft OneNote 2013 will continue to be backed up.If you disable this policy setting certain user setting
setting certain user settings of Microsoft OneNote 2016 will continue to be backed up.If you disable this policy setting certain user setting
tting certain user settings of Microsoft Outlook 2013 will continue to be backed up.If you disable this policy setting certain user settings of
tting certain user settings of Microsoft Outlook 2016 will continue to be backed up.If you disable this policy setting certain user settings of
s policy setting certain user settings of Microsoft PowerPoint 2013 will continue to be backed up.If you disable this policy setting certain u
s policy setting certain user settings of Microsoft PowerPoint 2016 will continue to be backed up.If you disable this policy setting certain u
g certain user settings of Microsoft Project 2013 will continue to be backed up.If you disable this policy setting certain user settings of Mic
g certain user settings of Microsoft Project 2016 will continue to be backed up.If you disable this policy setting certain user settings of Mic
y setting certain user settings of Microsoft Publisher 2013 will continue to be backed up.If you disable this policy setting certain user setting
y setting certain user settings of Microsoft Publisher 2016 will continue to be backed up.If you disable this policy setting certain user setting
3 settings.If you enable this policy setting certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed up.If you
in user settings of Microsoft Visio 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Vis
in user settings of Microsoft Visio 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft Vis
rtain user settings of Microsoft Word 2013 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft
rtain user settings of Microsoft Word 2016 will continue to be backed up.If you disable this policy setting certain user settings of Microsoft
s continue to synchronize. If you disable this policy setting WordPad user settings are excluded from the synchronization settings.If you do
o sync.If you disable this policy setting Finance user settings are excluded from synchronization.If you do not configure this policy setting a
ync.If you disable this policy setting Games user settings are excluded from synchronization.If you do not configure this policy setting any d
you disable this policy setting Maps user settings are excluded from synchronization.If you do not configure this policy setting any defined
If you disable this policy setting Music user settings are excluded from the synchronizing settings.If you do not configure this policy setting
you disable this policy setting News user settings are excluded from synchronization.If you do not configure this policy setting any defined
ync.If you disable this policy setting Reader user settings are excluded from the synchronization.If you do not configure this policy setting
c.If you disable this policy setting Sports user settings are excluded from synchronization.If you do not configure this policy setting any defi
.If you disable this policy setting Travel user settings are excluded from synchronization.If you do not configure this policy setting any defin
you disable this policy setting Video user settings are excluded from synchronization.If you do not configure this policy setting any defined
ue to sync.If you disable this policy setting Weather user settings are excluded from synchronization.If you do not configure this policy setti
nc OneDrive or SharePoint files on the computer for the sync client to start automatically.If this setting is not enabled the OneDrive sync c
xplorer.* OneDrive files aren’t kept in sync with the cloud.* Users can’t automatically upload photos and videos from the camera roll folde
tion pane in File Explorer.* OneDrive files aren’t kept in sync with the cloud.* Users can’t automatically upload photos and videos from the
e to open and save files on OneDrive using the OneDrive app and file picker and Windows Store apps will still be able to access OneDrive u
splayed but there are no clickable links for these elements.If you disable or do not configure this policy setting the default behavior applie
acy experience will not launch for newly-created user accounts or for accounts that would have been prompted to choose their privacy setti
kspace can't hibernate the PC.
Windows To Go workspace can use standby states to make the PC sleep.
evice is connected will be enabled and users will not be able to make changes using the Windows To Go Startup Options Control Panel item
uick and easy way to configure their system settings before a presentation to block system notifications and screen blanking adjust speake
fault a license server issues an RDS CAL to any RD Session Host server that requests one.If you enable this policy setting and this policy setti
priate RDS or TS CAL for a connection. For example a Windows Server 2008 license server will try to issue a Windows Server 2008 TS CAL f
uter. Before a user starts an RDP session the user receives a warning message and is asked to confirm whether they want to connect.If you
tificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example when a
nnects to the RD Session Host server even if the client cannot authenticate the RD Session Host server.Warn me if authentication fails: The
this setting to disable the acceleration; then if the problem still occurs you will know that there are additional issues to investigate. If you
n and saves his settings any password that previously existed in the RDP file will be deleted.If you disable this setting or leave it not configu
mote connection to an RD Session Host server. If saved credentials for the user are available on the client computer the user will not be pro
an .rdp file that is signed by a trusted certificate the user does not receive any warning messages when they start the file. To obtain the th
th TCP and UDP protocols.
B devices over RDP to all users or only to users who are in the Administrators group on the computer.If you disable or do not configure this
e this policy setting users cannot connect remotely to the target computer by using Remote Desktop Services. The target computer will m
is attempted for all clients running Remote Desktop Connection whenever their network connection is lost.If the status is set to Disabled
f changing to a disconnected state even if the client is physically disconnected from the RD Session Host server. If the client logs on to the
ed administrator is logged off any data not previously saved is lost.If you enable this policy setting logging off the connected administrator
them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are d
ate the user automatically reconnects to that session at the next logon.If you disable this policy setting users are allowed to make unlimite
mote Desktop Protocol will not determine the network quality at the connect time and it will assume that all traffic to this server originate
TCP (default)" If you select "Use either UDP or TCP" and the UDP connection is successful most of the RDP traffic will use UDP.If the UDP co
on.2. Full Control with user's permission: Allows the administrator to interact with the session with the user's consent.3. Full Control witho
e.If you enable this policy setting user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting
ection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not
can record audio by using an audio input device on the local computer such as a built-in microphone.By default audio recording redirectio
t session time (current session time = server base time + client time zone).If you disable or do not configure this policy setting the client co
with the UI in order to work properly. UI information also allows automated test scripts to interact with the UI.Remote Desktop sessions d
local computer. By default Remote Desktop Services allows Clipboard redirection.If you enable this policy setting users cannot redirect Clip
ktop Services session. By default Remote Desktop Services allows this COM port redirection.If you enable this policy setting users cannot re
veletter> on <computername>. You can use this policy setting to override this behavior.If you enable this policy setting client drive redirec
o not configure this policy setting users can redirect their location data to the remote computer.
s allows LPT port redirection.If you enable this policy setting users in a Remote Desktop Services session cannot redirect server data to the
evice redirection is allowed. By default Remote Desktop Services automatically redirects smart card devices on connection.Note: The clien
evices.If you disable this policy setting users can redirect their supported Plug and Play devices to the remote computer. Users can use the
omputer. If you disable or do not configure this policy setting users can redirect their video capture devices to the remote computer. User
High the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select
Licensing that affect the RD Session Host server. If applicable a notification will also be displayed that notes the number of days until the l
ser account connecting to this RD Session Host server have an RDS Per User CAL issued from an RD Licensing server. Per Device licensin
t server will attempt automatic license server discovery. In the automatic license server discovery process an RD Session Host server in a W
ces allows this client printer mapping.If you enable this policy setting users cannot redirect print jobs from the remote computer to a local
n use this policy setting to override this behavior.If you enable this policy setting the default printer is the printer specified on the remote c
ervices session.If you enable this policy setting the fallback printer driver is enabled and the default behavior is for the RD Session Host se
on the Remote Desktop Easy Print printer driver cannot be used a printer driver on the RD Session Host server that matches the client prin
tting located in User Configuration\Policies\Administrative Templates\System\User Profiles.If you enable this policy setting you must spec
d allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for use
the directory on a network share type the Home Dir Root Path in the form \\Computername\Sharename and then select the drive letter t
licy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same use
oad-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services.If you specify a new farm n
d-balanced farm should use the same RD Connection Broker server.If you enable this policy setting you must specify the RD Connection Br
ote Desktop Session Host role service must be installed on the server.If the policy setting is enabled the RD Session Host server joins the fa
onnection Broker server.If you enable this policy setting a Remote Desktop Services client queries the RD Connection Broker server and is r
file Remote Desktop Connection Remote Desktop Services client or through Group Policy.If you enable this policy setting the desktop is alw
ct the algorithm that is optimized to use less memory this option is less memory-intensive but uses more network bandwidth. If you selec
w RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount o
ould be set to one of the following options:1. Let the system choose the experience for the network condition2. Optimize for server scalab
moteFX Codec.If you enable this policy setting users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec
esktop depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). S
d reduce server load.If you enable this policy setting the color depth that you specify is the maximum color depth allowed for a user's RDP
e this policy setting you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be u
olicy setting you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a num
sconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box.If you disable or do not configure this
menu. As a result users must type a security attention sequence such as CTRL+ALT+END to open the Windows Security dialog box on the c
cified with this setting by the server administrator or by the user in configuring the client connection. Enabling this setting overrides the "S
olicy setting RemoteApp programs published from this RD Session Host server will use these advanced graphics.If you disable this policy se
policy setting all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter.If you do not configure th
ay driver. In this case the Remote Desktop Connections will use XDDM graphics display driver.For this change to take effect you must rest
ontent on the server by using graphics processing units (GPUs). By default RemoteFX for RD Virtualization Host uses server-side GPUs to d
tions that use Silverlight or Windows Presentation Foundation.If you enable this policy setting you must select the visual experience for w
our users you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduce network bandwidth usage b
efault Remote Desktop Services allows users to automatically log on by entering a password in the Remote Desktop Connection client.If yo
dministrators are able to make such changes.If you enable this policy setting the default security descriptors for existing groups on the RD
d Remote Desktop Services accepts requests from RPC clients that support secure requests and does not allow unsecured communication
e connections must use the security method specified in this setting. The following security methods are available:* Negotiate: The Negoti
licy setting only client computers that support Network Level Authentication can connect to the RD Session Host server.To determine whe
nt and an RD Session Host server during RDP connections.If you enable this policy setting you need to specify a certificate template name.
SSL encryption) is not recommended. This policy does not apply to SSL encryption.If you enable this policy setting all communications bet
are reached. By default Remote Desktop Services disconnects sessions that reach their time limits.Time limits are set locally by the server
ll automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the
ect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services sessi
Desktop Services session without logging off and ending the session.When a session is in a disconnected state running programs are kept a
mporary folders when the user logs off.If you enable this policy setting a user's per-session temporary folders are retained when the user lo
r each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Tem
d list in the Favorites Center.
policy setting the user receives a notification when a feed or Web Slice is available and can click the feed discovery button.
ugh the Feed APIs.If you disable or do not configure this policy setting the user can set the Feed Sync Engine to download an enclosure thro
ed or Web Slice by using the Feed APIs. A developer also cannot create or delete folders.If you disable or do not configure this policy settin
ackground.
P connection.If you disable or do not configure this policy setting the Windows RSS Platform does not authenticate feeds to servers by usin
w in place of the query term for the search service URL.If your intranet search service is SharePoint Portal Server your query should resemb
earch2?q=$w.For each search scope provide:1) A name for the scope such as 'IT Web'.2) The URL to the search service. Use $w in place of
o interact with Cortana using speech.
ed items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting con
cy setting is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be u
We recommend enabling this policy setting only on PCs where documents are stored in many languages. If you disable or do not configure
lsx;.ppt;.pptx;.vsd;.xlsb;.xltx;.dot;.rtf
ons on removable drives can be added to libraries. In addition locations on removable drives can be indexed.
etting queries will be performed on the web and web results will be displayed when a user performs a query in Search.If you don't configu
performs a query in Search.If you disable this policy setting queries will be performed on the web over metered connections and web res
ortions of a delegate mailbox that are cached locally. To have this policy affect all parts of a delegate mailbox ensure that for Microsoft Out
aged separately from online mailboxes. The "Enable Indexing of Uncached Exchange Folders" has no effect on delegate mailboxes. To stop
te. To lower the burden on Microsoft Exchange servers lower the rate of items indexed per minute. If you disable this policy then online m
he index.This policy has no effect if the Files on Microsoft Networks add-in is not installed.Disabled by default.
y is enabled the Add and Remove locations options and any previously defined user locations will not be visible. When the policy is disable
ou disable or do not configure this policy setting Windows Search monitors which folders are shared or not shared on this computer and au
Microsoft document filters (iFilters). This policy is disabled by default.
into a single exclusion list.When this policy is disabled or not configured the user can edit the default list of excluded file types. If you enab
load Public Folder Favorites option must be turned on.
ess the Advanced Options dialog for Search and Indexing Options in the Control Panel. This is the default for this policy setting.
ify an allow list of add-ins by providing the classID or ProgId string. For example if you plan to deploy a particular iFilter make sure that thi
e full preview pane functionality is only available for Office documents in Office XP or later.When this policy is disabled or not configured t
users can see snippets related to their desktop search query.When this policy is disabled or not configured the default is small icon view.
images and videos but not text from search results; -Off: Don't filter adult content from search results.If you disable or don't configure t
r search and other Microsoft experiences. -User info only: Share a user's search history and some Microsoft account info to personaliz
ed or not configured Windows Desktop Search automatically manages your index size.
o contains a status section where the user can get recommendations to help increase the computer's security. When Security Center is not
efault timeout value is 3 minutes for workstations and 15 minutes for servers.
hutdown interface.If you disable or do not configure this policy setting the system creates the named pipe remote shutdown interface.
used to modify that restriction.If you enable this policy setting certificates with the following attributes can also be used to log on with a s
smart card cannot be used to log on to a domain. Note: This policy setting only affects a user's ability to log on to a domain. ECC certificate
u enable this policy setting the integrated unblock feature will be available.If you disable or do not configure this policy setting then the in
art card signature key-based certificates will not be listed on the logon screen.
etting only controls the displaying of the certificate on the client machine. If you enable this policy setting certificates will be listed on the
user name or user name and domain will be displayed.If you disable or do not configure this policy setting an optional field that allows use
he time of logon.If you disable or do not configure this policy setting the default message will be displayed to the user when the smart card
or is when a certificate is renewed and the old one has not yet expired. Two certificates are determined to be the same if they are issued f
card. This can introduce a significant performance decrease in certain situations. Please contact your smart card vendor to determine if yo
essage will not be displayed when a smart card device driver is installed.Note: This policy setting is applied only for smart cards that have p
d prevent certain smart cards from working on Windows. Please consult your smart card manufacturer to find out whether you will be affe
N=User1 OU=Users DN=example DN=com and had an UPN of user1@example.com then "User1" will be displayed along with "user1@exam
ficates will not be made available to applications such as Outlook.
so be enabled: Turn on certificate propagation from smart card.If you disable this policy setting then root certificates will not be propagate
sable this policy setting Smart Card Plug and Play will be disabled and a device driver will not be installed when a card is inserted in a Smar
ervices when this device activates. Policy Options: - Not Configured (default -- data will be automatically sent to Microsoft) - D
ure this policy setting Sound Recorder can be run.
a files. If enabled (default) the device will periodically check for updated speech models and then download them from a Microsoft service
the Microsoft Store.

ownload and installation of app updates is determined by a registry setting that the user can change using Settings in the Microsoft Store.
ates is determined by a registry setting that the user can change using Settings in the Microsoft Store.
syncing on" so that syncing it turned off by default but not disabled.If you do not set or disable this setting "sync your settings" is on by de
g it turned off by default but not disabled.If you do not set or disable this setting syncing of the "app settings" group is on by default and c
by default but not disabled.If you do not set or disable this setting syncing of the "AppSync" group is on by default and configurable by the
avorites will not be synced.Use the option "Allow users to turn browser syncing on" so that syncing is turned off by default but not disable
sktop personalization syncing on" so that syncing it turned off by default but not disabled.If you do not set or disable this setting syncing o
when this PC is on a metered connection.If you do not set or disable this setting syncing on metered connections is configurable by the us
her Windows settings syncing on" so that syncing it turned off by default but not disabled.If you do not set or disable this setting syncing o
rned off by default but not disabled.If you do not set or disable this setting syncing of the "passwords" group is on by default and configur
t turned off by default but not disabled.If you do not set or disable this setting syncing of the "personalize" group is on by default and confi
ncing is turned off by default but not disabled. If you do not set or disable this setting syncing of the "Start layout" group is on by defa
ot configure this policy users will be able to use this feature to print to a Journal Note.
sors will be shown unless the user disables them in Control Panel.
sable this policy applications can be launched from a hardware button.If you do not configure this policy applications can be launched from
system administrator."If you disable this policy press and hold actions for buttons will be available.If you do not configure this policy press
ser and OEM defined button actions will occur when the buttons are pressed.
uch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard
text symbols numbers or keyboard shortcuts.If you enable this policy Input Panel will never appear next to text entry areas when using a t
ols numbers or keyboard shortcuts.If you enable this policy Input Panel will never appear next to any text entry area when a user is using t
only when these input languages or keyboards are installed. Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Wind
Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy Input Panel
olicy application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the Input Pane
g what keys are tapped when entering a password.Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen
pes. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text symbo
bled and that the pen flicks notification will never be displayed. However pen flicks the pen flicks tray icon and pen flicks training (that can
this policy pen flicks and related features are available.
r touch-specific features.If you disable this setting the user can produce input with touch by using gestures the touch pointer and other-to
ndows by touch. If you disable this setting the user can pan windows by touch.If you do not configure this setting Touch Panning is on by d
k's property sheet upon completion of the "Add Scheduled Task" wizard. The task's property sheet allows users to change task characteris
that appear in Detail view and in the task preview.This setting prevents users from viewing and changing characteristics such as the progra
ation and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setti
tart in" box that determine the program and path for a task.As a result when users create a task they must select a program from the list i
ult users cannot add new scheduled tasks by dragging moving or copying a document or program into the Scheduled tasks folder.This setti
User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User
ks folder.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setti
ired and additional security measures for managed devices are recommended for best protection. Refer to Azure AD Tenant Restrictions f
needed. When this policy setting is disabled language features remain on the user’s machine when the language is uninstalled.
on.The default is for Windows Calendar to be turned on.

lor profiles that they previously installed. Administrators will be able to uninstall all color profiles.
tions Manager server.
- Show me app recommendations - Warn me before installing apps from outside the Store - Allow apps from Store onlyIf you disable
e Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious.Some informati
tting Windows Defender SmartScreen is turned on and employees can't turn it off.If you disable this setting Windows Defender SmartScre
onfigure this setting employees can ignore Windows Defender SmartScreen warnings and continue to the site.
mory dumps generated for error reports by Microsoft Windows are automatically uploaded without notification to the user.If you disable th
mputer Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.Importa
nts and errors are logged to the system event log as with other Windows-based programs.
oft. Additionally solution information is not available in Security and Maintenance in Control Panel.If you disable or do not configure this p
so report the error.If you disable this policy setting users are not notified that errors have occurred. If the Configure Error Reporting policy
or do not configure this policy setting then consent policy settings in Computer Configuration/Administrative Templates/Windows Compo
es that can contain data about the same event types as an earlier uploaded report.If you disable or do not configure this policy setting WER
d error messages or dialog boxes for critical errors.
r source.If you enable this policy setting WER does not determine whether the computer is running on battery power but checks for soluti
isable or do not configure this policy setting WER does not send data but will check the network cost policy again if the network profile is c
ect using SSL to transmit error reports over a Secure Sockets Layer (SSL) connection and specify a port number on the destination server f
o Store parameters only only the minimum information required to check for an existing solution is stored. The Maximum number of repor
her the report should be placed in the reporting queue or the user should be prompted to send it immediately. When Queuing behavior is
ors.If the Report all errors in Microsoft applications check box is filled all errors in Microsoft applications are reported regardless of the setti
pplication file names in the Show Contents dialog box (example: notepad.exe). Errors that are generated by applications in this list are no
er reports errors click Show and then add or remove applications from the list of application file names in the Show Contents dialog box (e
ever reports errors click Show under the Exclude errors for applications on this list setting and then add or remove applications from the li
gure this policy setting users can change this setting in Control Panel. By default Windows Error Reporting settings in Control Panel are set
configure this policy setting users can adjust this setting using the control panel which is set to "Upload unplanned shutdown events" by d
ending data: Windows prompts users for consent to send reports.- Send parameters: Only the minimum data that is required to check for
-fatal errors: crash no response and kernel fault errors. For each specified event type you can set a consent level of 0 1 2 3 or 4.- 0 (Disable
m consent policy settings for error reporting determine the consent level for specified event types and the default consent setting determ
ctors for authentication.If you disable or do not configure this policy setting Windows does not allow the enumeration of provisioned Wind
h signal type to be verified.If you enable this policy setting the user will have to use one factor from each list to successfully unlock.If you d
ons.For more information see: https://go.microsoft.com/fwlink/?linkid=849684
configure this policy setting Windows Hello for Business provisions Windows Hello for Business credentials compatible with smart card ap
s which prevents Windows Hello for Business provisioning from using those devices.If you disable or do not configure this policy setting the
you disable this policy setting Windows Hello for Business prevents the use of biometric gestures.NOTE: Disabling this policy prevents the
dows Hello for Business will use a key or a Kerberos ticket (depending on other policy settings) for on-premises authentication.NOTE: Disab
policy setting Windows Hello for Business will use a key or certificate (depending on other policy settings) for on-premises authentication.
overy secret which is stored on the device and requires both the PIN recovery service and the device to decrypt. PIN recovery requires the
s.If you disable this policy setting the device does not provision Windows Hello for Business for any user.If you do not configure this policy
mart card certificates.If you disable or do not configure this policy setting applications do not use Windows Hello for Business certificates a
u disable or do not configure this policy setting the security features of Windows Installer prevent users from changing installation options
.Because the installation is running with elevated system privileges users can browse through directories that their own permissions woul
es can easily be vehicles for malicious programs some installations prohibit their use.If you disable or do not configure this policy setting b
This policy setting does not affect installations that run in the user's security context. By default users can install from removable media wh
computer (installed automatically) or made available in Add or Remove Programs in Control Panel. This profile setting lets users install pro
user prompts for source media when new updates are applied. If you enable this policy setting you can modify the maximum size of th
from a feature.This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be r
e the installation.If you enable this policy setting the warning is suppressed and allows the installation to proceed.This policy setting is des
alicious programs some installations prohibit their use.Note: This policy setting applies only to installations that run in the user's security c
yweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch f
icy setting only administrators or users with administrative privileges can apply updates to Windows Installer based applications.If you dis
users or administrators.If you enable this policy setting updates cannot be removed from the computer by a user or an administrator. The
prevents Windows Installer from retaining files it intends to delete later. As a result Windows Installer cannot restore the computer to its
r box to control file in use detection behavior.-- The "Restart Manager On" option instructs Windows Installer to use Restart Manager to d
ucts that are installed per user and products that are installed per computer. If the installer finds a per-user install of an application this hi
on file source from the "Use features from" list that the system administrator configures. This policy setting applies even when the inst
icy setting on Windows Server 2003 Windows Installer requires the transform file in order to repeat an installation in which the transform
type is recorded type the letter representing the event type. You can type the letters in any order and list as many or as few event types a
r does not generate System Restore checkpoints when installing applications.If you disable or do not configure this policy setting by defau
s box to control automatic logging via package settings behavior.-- The "Logging via package settings on" option instructs Windows Installe
the shared component functionality is allowed.
ation setting.-- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software. This is the default
figured.If you enable this policy setting you can choose one of the following two options:1. “Enabled if BitLocker is on and not suspended”
AS.If you set this policy setting to "Ease of Access applications" Ease of Access applications can simulate the SAS.If you set this policy settin
lays the date and time of the last successful logon by that user the date and time of the last unsuccessful logon attempted with that user n
not configured no popup will be displayed to the user.
ory this policy only applies to Windows Update restarts. Otherwise this will apply to both Windows Update restarts and user-initiated rest
ure content upgrade Windows Media DRM security components or restore backed up content licenses. Secure content that is already lice
e anchor window displays is not available.If you disable or do not configure this policy setting users can show or hide the anchor window w
select privacy file types and other desktop options from being displayed when the Player is first started. Some of the options can be confi
heir desktops.
m Windows Media Player or from programs that depend on the Player's media sharing feature.If you disable or do not configure this policy
r the Player to the Quick Launch bar.
cleared and is not available.If you disable this policy setting video smoothing occurs if necessary and the Use Video Smoothing check box
senger.Note: This policy setting is available under both Computer Configuration and User Configuration. If both are present the Computer
setting simply prevents Windows Messenger from running initially. If the user invokes and uses Windows Messenger from that point on W
obility Center and the .exe file launches it.If you do not configure this policy setting Windows Mobility Center is on by default.
ith the SourcePath parameter on the Update-Help cmdlet.If this policy setting is disabled or not configured this policy setting does not set
e LogPipelineExecutionDetails property of the module to True. If you disable this policy setting logging of execution events is disabled
If you disable this policy setting logging of PowerShell script input is disabled. If you enable the Script Block Invocation Logg
ows PowerShell engine. By default Windows PowerShell will record transcript output to each users' My Documents directory with a file
The "Allow local scripts and remote signed scripts" policy setting allows any local scrips to run; scripts that originate from the Internet mus
tting the listed providers will respond to WMI queries and Reliability Monitor will display system reliability information.If you disable this p
ext.If you disable or do not configure this policy setting the WinRM client does not use Basic authentication.
cy setting the WinRM client sends or receives only encrypted messages over the network.
is using the Negotiate authentication and Kerberos is selected.If you disable or do not configure this policy setting the WinRM client uses
tion host is a trusted entity. The WinRM client uses this list when neither HTTPS nor Kerberos are used to authenticate the identity of the
the WinRM service does not accept Basic authentication from a remote client.
etting the WinRM service does not accept CredSSP authentication from a remote client.
P transport over the default HTTP port.To allow WinRM service to receive requests over the network configure the Windows Firewall polic
icy setting the WinRM client sends or receives only encrypted messages over the network.
ng the WinRM service accepts Kerberos authentication from a remote client.
this policy setting the WinRM service accepts Negotiate authentication from a remote client.
plug-in has already set the RunAsUser and RunAsPassword configuration values the RunAsPassword configuration value will be erased from
a supplied channel binding token. If you disable or do not configure this policy setting you can configure the hardening level locally on
When certain port 80 listeners are migrated to WinRM 2.0 the listener port number changes to 5985. A listener might be automa
ars. When certain port 443 listeners are migrated to WinRM 2.0 the listener port number changes to 5986. A listener might be aut
policy setting the default number is five users.
or the specified amount of time since the last received message from the client before terminating the open shell.If you do not configure o
by the available virtual memory.If you enable this policy setting the remote operation is terminated when a new allocation exceeds the sp
is policy setting the limit is five processes per shell.
ed limit.If you disable or do not configure this policy setting by default the limit is set to two remote shells per user.
om the user. Applications using a microphone may not function properly with this setting.If you do not configure this policy setting audio in
sharing will be enabled.
this policy setting networking is disabled in Windows Sandbox.If you do not configure this policy setting networking will be enabled. Note
redirection will be disabled.
e enabled. Note that enabling virtualized GPU can potentially increase the attack surface of the sandbox.
figure this policy setting video input will be disabled. Applications that use video input may not function properly in Windows Sandbox. Not
me as Disabled.
ntains a TPM with vulnerable firmware. Not configured: Same as Disabled.

nd at least one of the following GP settings: -Specify contact phone number or Skype ID -Specify contact email number or email ID
t least one of the following GP settings: -Specify contact phone number or Skype ID -Specify contact email number or email ID
dows Security or any notifications that it creates. Not configured: Same as Disabled.
D in the Options section. Disabled: A contact email address or email ID will not be shown in either Windows Security or any notific
tion. Disabled: A contact phone number or Skype ID will not be shown in either Windows Security or any notifications it creates.
hown in either Windows Security or any notifications it creates. Not configured: Same as Disabled.
health information. Disabled: Local users will see all types of notifications from Windows Security. Not configured: Same as
will be shown. Not configured: Same as Disabled.
pdates will not be installed immediately.Note: If the "Configure Automatic Updates" policy is disabled this policy has no effect.
n user should receive update notifications. Non-administrative users will be able to install all optional recommended and important conte
dismiss the notification.If you disable or do not configure this policy the default method will be used.
uled restart to display the warning reminder to the user.You can specify the amount of time prior to a scheduled restart to notify the user
te: This policy applies only when Automatic Updates is configured to perform scheduled installations of updates. If the "Configure Automa
dless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.If you disable
Microsoft update service this computer is directed to is configured to support client-side targeting. If the "Specify intranet Microsoft upda
on when the user selects the Shut Down option in the Start menu.If you disable or do not configure this policy setting the 'Install Updates a
the system is in sleep when the scheduled install time occurs and there are updates to be applied then Windows Update will use the Win
lation if a user is logged in to the computer. Instead Automatic Updates will notify the user to restart the computer.Be aware that the com
d the default interval is 10 minutes. Note: This policy applies only when Automatic Updates is configured to perform scheduled installa
started.If the status is set to Disabled a missed scheduled installation will occur with the next scheduled installation.If the status is set to N
g two policies will override the above policy: 1. No auto-restart with logged on users for scheduled automatic updates installations. 2. A
gaged restart reminder notifications. The snooze period can be set between 1 and 3 days.You can specify the deadline in days before auto
onfigured Automatic Updates will continue to deliver important updates if it is already configured to do so.
ly managed environments in which you allow the end user access to the Microsoft Update service.If you enable this policy setting a notific
proceed even if the PC has signed-in users.If you disable or do not configure this policy Windows Update will not alter its restart behavior.
elect one of the four options in the Group Policy Setting: 2 = Notify before downloading and installing any updates. When Window
nd installed.Important: if you choose not to get update notifications and also define other Group policy so that devices aren’t automaticall
ed as soon as they are offered and automatic restarts will be attempted outside of active hours. Once the deadline has passed restarts wil
active hours will be in effect.If any of the following two policies are enabled this policy has no effect: 1. No auto-restart with logged on u
e service location if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.If you disable o
set to Disabled or Not Configured Windows will check for available updates at the default interval of 22 hours. Note: The "Specify intra
able that functionality and may cause connection to public services such as the Windows Store to stop working.Note: This policy applies on
uter.If the intranet Microsoft update service supports multiple target groups this policy can specify multiple group names separated by se
for updates that apply to the computers on your network. To use this setting you must set two server name values: the server from w
update service location via the “Specify intranet Microsoft update service location” policy. If this policy is not configured or is disabled
he Feature Update to devices for testing or to deploy the Feature Update without blocking on safeguard holds.
Windows 10 release.Beta ChannelIdeal for feature explorers who want to see upcoming Windows 10 features. Your feedback will be especi
se Terms for it found at aka.ms/WindowsTargetVersioninfo. If an organization is licensing the software I am authorized to bind the organiz
Channel a version for the device to move to and/or stay on until the policy is updated or the device reaches end of service can be specified
o resume receiving Quality Updates which are paused clear the start date field.If you disable or do not configure this policy Windows Upd
lso prevents them from manually specifying the local folder in which Work Folders stores files. Work Folders will use the settings specified
instead.This policy has two modes: it can either specify a list of settings pages to show or a list of pages to hide. To specify a list of pages t
ng touch the keyboard or by dragging it with the mouse.
ualified path and name of the file that stores the default lock screen and logon image. You can type a local path such as C:\Windows\Web
of Windows then those colors take precedence over this policy.If the "Force a specific Start background" policy is also set on a supported v
their device.
stalled as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean up task.
y the local administrator.If you disable or do not configure this policy setting there is no restriction of a specific language used for the Win
l users. If you disable or do not configure this policy setting there is no language packs or feature installation restriction for any user.
ny of the system UI languages.If you disable or do not configure this policy setting the user can specify which UI language is used.
he Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the ha
ctures\guest.jpg. If the default pictures do not exist an empty frame is displayed.If you enable this policy setting the default user account p
werful group such as Administrators is disabled and powerful privileges are removed from the resulting access token. This configures the Lo
y another embedded object.2. "Block embedding/linking allow other activation" prevents the Flash control from being loaded when direct
mb20NSITo restore the default behavior for client-side SMBv1 protocol processing do ALL of the following:* Set the SMBv1 client driver to
12R2)" setting.To restore default SMBv1 client-side behavior select "Enabled" and choose the correct default from the dropdown:* "Manu
tion: https://support.microsoft.com/en-us/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-u
methods. If the NodeType value is present it overrides any DhcpNodeType value.If neither NodeType nor DhcpNodeType is present the com
n that legacy JScript execution is restricted. Modern JScript9 will continue to function for all zones.If Disabled or Not Configured JScript wi
1997 must first be installed to disable WDigest authentication using this setting in Windows 7 Windows 8 Windows Server 2008 R2 and Wi
ng the default value of 15 minutes applies.Note: The minimum value you can select is 15 minutes. If you try to set this setting to a value le
he job from its peers in the same IP subnet. If none of the peers in the subnet have the requested files BITS downloads them from the orig
ache. Note: This policy setting does not affect the use of Windows Branch Cache by applications other than BITS. This policy setting do
e origin server. However the computer will still make files available to its peers. If you disable or do not configure this policy setting th
nload files from peers. If you disable or do not configure this policy setting the computer will offer downloaded and cached files to its
ou disable or do not configure this policy setting files that have not been accessed for the past 90 days will be removed from the peer cach
f disk space to be used for the BITS peer cache. You can enter a value between 1 percent and 80 percent. If you disable or do not con
cy setting you can set the maximum job download time to a specified number of seconds. If you disable or do not configure this polic
hours. If you enable this policy setting BITS will limit its bandwidth usage to the specified values. You can specify the limit in kilobits p
h are active BITS will use a maximum of 30 percent of 56 Kbps. You can change the default behavior of BITS and specify a fixed maxim
gure this policy setting BITS will use the default user BITS job limit of 300 jobs. Note: This limit must be lower than the setting specifie
configure this policy setting BITS will use the default BITS job limit of 300 jobs. Note: BITS jobs created by services and the local admin
200 for the maximum number of files a job can contain. Note: BITS Jobs created by services and the local administrator account do no
S will limit ranges to 500 ranges per file. Note: BITS Jobs created by services and the local administrator account do not count toward
wnload policy explicitly configured by the application that created the BITS job but does apply to jobs that are created by specifying only a
ou can specify a limit to use for background jobs during a maintenance schedule. For example if normal priority jobs are currently limited t
set up a schedule for limiting network bandwidth during both work and nonwork hours. After the work schedule is defined you can set th
ill reset this timeout. Consider increasing the timeout value if computers tend to stay offline for a long period of time and still have pe
which is the maximum round trip network latency allowed before caching begins clients do not cache content until the network latency re
icy setting all clients use the version of BranchCache that you specify in "Select from the following versions."If you do not configure this se
ent computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office.If you
these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policie
ettings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do no
other BranchCache distributed cache mode clients in the branch office.Policy configurationSelect one of the following:- Not Configured. W
ddition when the hosted cache client obtains content from a content server the client can upload the content to the hosted cache server
Not Configured. With this selection BranchCache client computer cache settings are not applied to client computers by this policy. In the c
sPolicy configurationSelect one of the following:- Not Configured. With this selection BranchCache settings are not applied to client comp
orp.contoso.com or PING:2002:836b:1::1. Note We recommend that you use FQDNs instead of IPv6 addresses wherever possible.Importa
two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for eac
cluding sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and
sending the message.
xample if attaching suffixes is allowed an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the
not for multi-label and fully qualified domain names.
DoH: Perform DoH queries if the configured DNS servers support it. If they don't support it try classic name resolution.Require DoH: Allow
ng or if you do not configure this policy setting computers will use the local or DHCP supplied connection specific DNS suffix if configured.
S servers is applied to all network connections used by computers that receive this policy setting. If you disable this policy setting or if you
r example a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DN
tion to be enabled on a network connection the connection-specific configuration must allow dynamic DNS registration and this policy setti
will be preferred over DNS responses if the local responses are from a network with a higher binding order.If you disable this policy settin
onfigured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel.You can use this policy setting to preve
or application submits a query for a single-label domain name.The DNS client appends DNS suffixes to the single-label unqualified domain
Devolution can be used when a user or application submits a query for a single-label domain name.The DNS client appends DNS suffixes to
puter name and the primary DNS suffix. For example a computer name of mycomputer and a primary DNS suffix of microsoft.com will be r
nabled and then select one of the following options from the drop-down list:Do not register: Computers will not attempt to register PTR r
rent and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.Warning: If record sca
g dynamic update of resource records in a zone that does not use Secure Dynamic Updates an A resource record might exist that associate
s policy setting.If you disable this policy setting or if you do not configure this policy setting computers will use the TTL settings specified in
s configured.
tion in scenarios in which conventional DNS name resolution is not possible.If you enable this policy setting LLMNR will be disabled on all av
e DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DN
T for all networks. If you disable this policy setting or if you do not configure this policy setting the DNS client will prefer link local respons
uters that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.If you disable this policy se
ynamic updates to any zone that is authoritative for the resource records that the computer needs to update except the root zone.If you d
nline font provider and only enumerates locally-installed fonts. If you do not configure this policy setting the default behavior depend
s policy setting or if you do not configure this policy setting WLAN hotspots are automatically probed for WISPR protocol support.If you dis
nd 3.02 cipher suites:AES_128_CCMHow to modify this setting:Arrange the desired cipher suites in the edit box one cipher suite per line i
tion settings are not applied to file servers. In the circumstance where file servers are domain members but you do not want to enable Bra
he only type of content information that can be retrieved by client computers. For example if you enable support for V1 hashes BranchCac
ist of server-supported cipher suites.Note: When configuring this security setting changes will not take effect until you restart Windows.
nd 3.02 cipher suites:AES_128_CCMHow to modify this setting:Arrange the desired cipher suites in the edit box one cipher suite per line in
erprise environment insecure guest logons are frequently used by consumer Network Attached Storage (NAS) appliances acting as file ser
ou disable or do not configure this policy setting Windows will prevent use of cached handles to files opened through CA shares. Note:
ou disable or do not configure this policy setting Windows will prevent use of Offline Files with CA-enabled shares. Note: Microsoft doe
eration while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other h
re available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate
o 1 then this validation will not be performed and any password will be allowed. If set to 0 the validation will be performed.
register PNRP names and cannot help other computers perform PNRP lookups.If you disable or do not configure this policy setting this co
provides the added flexibility of allowing your users to use their peer-to-peer applications at home as well. Here are the four ways in which
uters can find it when needed.If you enable this setting PNRP will not use multicast for bootstrapping. Specifying this registry key will brea
ween peers so that a node in the PNRP cloud can resolve names published by other nodes.PNRP creates a global cloud if the computer has
nter a semicolon-delimited list of IPV6 addresses in the available field. If you enable this setting and you don’t enter any address no seed s
mputers can find it when needed.If you enable this setting PNRP will not use multicast for bootstrapping. Specifying this registry key will b
nter a semicolon-delimited list of DNS names or IPV6 addresses in the available field. If you enable this setting and you don’t enter any add
mputers can find it when needed.If you enable this setting PNRP will not use multicast for bootstrapping. Specifying this registry key will b
Network Bridge allows users to create a layer 2 MAC bridge enabling them to connect two or more network segements together. This con
computer. If a computer is connected to a DNS domain network other than the one it was connected to when the setting was refreshed t
e enabled or configured by administrators and the ICS service cannot run on the computer. The Advanced tab in the Properties dialog box
cal default gateway.If you enable this policy setting all traffic between a remote client computer running DirectAccess and the Internet is
ssages.If you disable or do not configure this policy setting Windows Defender Firewall makes no exception for messages sent by compute
es not block outbound echo request messages sent by Ping running on this computer.If you enable this policy setting you must specify whi
ewall component of Control Panel the "File and Printer Sharing" check box is selected and administrators cannot clear it.If you disable this
nal with at least SP2 and Windows Server 2003 with at least SP1 this policy setting also allows SVCHOST.EXE and LSASS.EXE to receive uns
el the "Remote Desktop" check box is selected and administrators cannot clear it.If you disable this policy setting Windows Defender Firew
oming messages are allowed. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is selected
rt exceptions list.If you disable this policy setting the Windows Defender Firewall component in Control Panel does not allow administrato
fine a local program exceptions list.If you disable this policy setting the Windows Defender Firewall component in Control Panel does not a
all blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an o
nable the policy setting and then click the Show button. To add a port enable the policy setting note the syntax click the Show button. In th
t its status to Enabled that program can receive unsolicited incoming messages on any port that it asks Windows Defender Firewall to open
der Firewall: Protect all network connections" policy setting; otherwise administrators who log on locally can work around the "Windows
component of Control Panel the "Notify me when Windows Defender Firewall blocks a new program" check box is selected and administr
computers Windows Defender Firewall waits as long as three seconds for unicast responses from the other computers and then blocks al
rewall does not run and administrators who log on locally cannot start it.If you do not configure this policy setting administrators can use
es not block outbound echo request messages sent by Ping running on this computer.If you enable this policy setting you must specify whi
ewall component of Control Panel the "File and Printer Sharing" check box is selected and administrators cannot clear it.If you disable this
nal with at least SP2 and Windows Server 2003 with at least SP1 this policy setting also allows SVCHOST.EXE and LSASS.EXE to receive uns
el the "Remote Desktop" check box is selected and administrators cannot clear it.If you disable this policy setting Windows Defender Firew
oming messages are allowed. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is selected
rt exceptions list.If you disable this policy setting the Windows Defender Firewall component in Control Panel does not allow administrato
fine a local program exceptions list.If you disable this policy setting the Windows Defender Firewall component in Control Panel does not a
all blocks (drops) and information about successful incoming and outgoing connections. Windows Defender Firewall does not provide an o
nable the policy setting and then click the Show button. To add a port enable the policy setting note the syntax click the Show button. In th
t its status to Enabled that program can receive unsolicited incoming messages on any port that it asks Windows Defender Firewall to open
der Firewall: Protect all network connections" policy setting; otherwise administrators who log on locally can work around the "Windows
component of Control Panel the "Notify me when Windows Defender Firewall blocks a new program" check box is selected and administr
computers Windows Defender Firewall waits as long as three seconds for unicast responses from the other computers and then blocks al
rewall does not run and administrators who log on locally cannot start it.If you do not configure this policy setting administrators can use
affic to the cloud resource will be routed through the enterprise network via the denoted proxy server (on Port 80). A proxy server used fo
most situations Windows Network Isolation will be able to correctly discover proxies. By default any proxies configured with this setting ar
his policy setting Windows Network Isolation attempts to discover proxies and configures them as Internet nodes. This setting should NO
ttempts to automatically discover private network hosts. By default the addresses configured with this policy setting are merged with the h
onfigure this policy setting Windows Network Isolation attempts to automatically discover your proxy server addresses. For more informa
ate.If you disable or do not configure this policy setting Windows Network Isolation attempts to automatically discover your private netwo
ndicates that the computer can use local copies of network files while the server is inaccessible.-- "Never go offline" indicates that networ
abled on Windows client computers and disabled on computers running Windows Server unless changed by the user.Note: Changes to thi
aution: Files are not synchronized before they are deleted. Any changes to local files since the last synchronization are lost.
and 'Sync Variance' values to override the default sync interval and variance settings. Use 'Blockout Start Time' and 'Blockout Duration' to
e threshold value that will be used to determine a slow network connection.If this setting is disabled or not configured the default threshol
offline.If you enable this policy setting Offline Files uses the slow-link mode if the network throughput between the client and the server i
stores a copy of the file on the user's computer.This setting does not limit the disk space available for files that user's make available offlin
ailable offline.
n will not run in the background on network folders when the user's network is roaming near or over the plan's data limit. The network fol
available to the user when offline. The cached files are not kept in sync with the version on the server and the most current version from
al computer is affected but the associated network copy is not. The user cannot unencrypt Offline Files through the user interface.If you d
o the events you want the system to log. The levels are cumulative; that is each level includes the events in all preceding levels."0" records
ynchronization Manager progress dialog box: "Files of this type cannot be made available offline."This setting is designed to protect files t
minder.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Com
Files cache. This prevents users from trying to change the option while a policy setting controls it.If you enable this policy setting you can s
ork offline when they are disconnected from this server or type "1" if they cannot.This setting appears in the Computer Configuration and
lable offline. Also it does not prevent them from using other programs such as Windows Explorer to view their offline files.This setting app
ive setting that locks down the configuration you establish by using other settings in this folder.This setting appears in the Computer Confi
minutes and are displayed for 15 seconds. You can use this setting to change the update interval.This setting appears in the Computer Con
pears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration t
to make available offline.Notes:This policy setting appears in the Computer Configuration and User Configuration folders. If both policy setti
e the Value column field blank.If you disable this policy setting the list of files and folders is deleted including any lists inherited from lowe
le or folder. Leave the Value column field blank.If you disable this policy setting the list of files or folders made always available offline (inc
n a folder that is available offline are made available offline when the parent folder is synchronized.If you disable this setting or do not con
tem only performs a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are curre
tomatically enables logon synchronization in Synchronization Manager.If this setting is disabled and Synchronization Manager is configure
ot configuring this setting files are not synchronized when the computer is suspended.Note: If the computer is suspended by closing the d
ou disable the setting the system displays the reminder balloons and prevents users from hiding them.If this setting is not configured remin
you can limit the number of outstanding packets.If you disable this setting or do not configure it then the setting has no effect on the syste
th the system can reserve.If you disable this setting or do not configure it the system uses the default value of 80 percent of the connectio
has no effect on the system.Important: If a timer resolution is specified in the registry for a particular network adapter then this setting is i
ou disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in the regi
service type.If you disable this setting the system uses the default DSCP value of 24 (0x18).Important: If the DSCP value for this service typ
e.If you disable this setting the system uses the default DSCP value of 40 (0x28).Important: If the DSCP value for this service type is specifie
rol service type.If you disable this setting the system uses the default DSCP value of 48 (0x30).Important: If the DSCP value for this service
you disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in the re
ype.If you disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in t
ed Load service type.If you disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service typ
vice type.If you disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specifie
k Control service type.If you disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service ty
e type.If you disable this setting the system uses the default DSCP value of 0.Important: If the DSCP value for this service type is specified in
ayer-2 priority value for this service type is specified in the registry for a particular network adapter this setting is ignored when configurin
mportant: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter this setting is ignored
the Layer-2 priority value for this service type is specified in the registry for a particular network adapter this setting is ignored when confi
Important: If the Layer-2 priority value for this service type is specified in the registry for a particular network adapter this setting is ignore
value for nonconforming packets is specified in the registry for a particular network adapter this setting is ignored when configuring that n
e Layer-2 priority value for this service type is specified in the registry for a particular network adapter this setting is ignored when configur
ubs and routers) that are administered together by SNMP. The SNMP service is a managed network node that receives SNMP packets from
work. The manager's role is to poll the agents for certain requested information.If you enable this policy setting the SNMP agent only acce
by the SNMP service. A trap message is an alert or significant event that allows the SNMP agent to notify management systems asynchron
ommand:CertUtil.exe -DisplayEccCurve
specify a relay name for a 6to4 host.
ure this policy setting the local host setting is used.If you enable this policy setting you can configure 6to4 with one of the following setting
e is used when there are no other connectivity options.Policy Enabled State: The IP-HTTPS interface is always present even if the host has o
gure ISATAP with one of the following settings:Policy Default State: No ISATAP interfaces are present on the host.Policy Enabled State: If th
etting is used.
ualification immediately and remain qualified if the qualification process succeeds.
g you can specify the refresh rate. If you choose a refresh rate longer than the port mapping in the Teredo client's NAT device Teredo mig
esent on the host.Client: The Teredo interface is present only when the host is not on a network that includes a domain controller.Enterpri
m will try to identify connectivity and throughput problems and take appropriate measures.If you disable this policy setting Window Scaling
itional choices are available to turn off the operations over a specific medium. If you disable this policy setting operations are disabled ove
eless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards.
r should no longer be connected to a network.When soft disconnect is enabled:- When Windows decides that the computer should no lon
n and any metered network. This was previously the Disabled state for this policy setting. This option was first available in Windows 8.
mpts to non-domain networks are blocked.- When the computer is already connected to a non-domain based network automatic connecti
r Mobile Broadband networks.
ed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection
s shared by my contacts" enables Windows to automatically connect to networks that the user's contacts have shared with them and enab
ecide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device.If you choose the "For
tion is not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection is costed on a per byt
nection is not restricted by usage charges and capacity constraints up to a certain data limit. - Variable: This connection is costed on a per b
l page is showed by default.
e installed and printing support and this setting must be enabled. Note: This setting affects the server side of Internet printing only. It
will display the default number of printers of each type: Directory printers: 20 TCP/IP printers: 0 Web Services printers: 0
f each type:TCP/IP printers: 50Web Services printers: 50Bluetooth printers: 10Shared printers: 50If you would like to not display printers o
Note: This settings takes priority over the setting "Automatically publish new printers in the Active Directory".
ble this setting or do not configure it the domain controller prunes this computer's printers when the computer does not respond. If
f increasing the load on the server.If you disable this policy setting on a client machine the client itself will process print jobs into printer d
publish shared printers in Active Directory. Note: This setting is ignored if the "Allow printers to be published" setting is disabled.
tion interval. To disable verification disable this setting or enable this setting and select "Never" for the verification interval.
rs. The value you type here overrides the actual location of the computer conducting the search. Type the location of the user's comp
enter an alternate Internet address the default link will appear in the Printers folder. Note: Web pages links only appear in the Printe
default the pruning service contacts computers every eight hours and allows two repeated contact attempts before deleting printers from
reempted by higher priority threads. By default the pruning thread runs at normal priority. However you can adjust the priority to im
still fails to respond then the pruning service "prunes" (deletes from Active Directory) printer objects the computer has published. B
you do not configure this setting on Windows Server 2003 family products the installation of kernel-mode printer drivers will be blocked.
or do not configure it then all printer extensions that have been installed will be allowed to run.
no restrictions to printing based on connection type or printer Make/Model.
int spooler will execute print drivers in the print spooler process.Notes:-Other system or driver policy settings may alter the process in wh
and server driver cache for compatible Point and Print drivers. If it is unable to find a compatible driver then the Point and Print connection
pable of isolating print drivers depending on whether they are configured for it.If you enable or do not configure this policy setting then ap
s (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the device vi
val. The "Directory pruning retry" setting determines the number of times the attempt is retried; the default value is two retries. The "Dire
oler uses the Driver Isolation compatibility flag value reported by the print driver.Notes:-Other system or driver policy settings may alter th
nt and print connection anytime a package point and print connection fails including attempts that are blocked by this policy. Administrato
er is available on the client a printer connection will be made. If a compatible print driver is not available on the client no connection will b
mputers.If you enable this setting users can browse for printers by location without knowing the printer's location or location naming schem
ory is not available.If you do not configure this setting shared printers are announced to browse master servers only when Active Director
rom Active Directory when the computer that published them does not respond to contact requests. Computers running Windows 2000 P
play shortcuts at the bottom of the File menu. In addition the Jump Lists off of programs in the Start Menu and Taskbar do not show lists o
he "Show app list in Start menu" in Settings so users cannot turn it to On.Selecting "Remove and disable setting" will remove the all apps l
he Power button is also removed from the Windows Security screen which appears when you press CTRL+ALT+DELETE and from the logon
ot configure this policy setting all will allow users to turn on or off the display of "Most used" list using the Settings app. This is default beh
ell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you configured.Once the XML file is generate
es will not be able receive notifications from the network from WNS or via notification polling APIs. If you enable this policy setting no
e is never activated.If you do not configure this policy setting the default behavior for the System State Data feature occurs.Note: By defau
cy should not be set unless the DLT server is running on all domain controllers in the domain.
d to the user during these processes.Note: This policy setting is ignored if the ""Remove Boot/Shutdown/Logon/Logoff status messages"" p
etting and choose "Server Only" from the drop-down menu list the Shutdown Event Tracker is displayed when you shut down a computer
moved to other volumes or if you create a new file in an encrypted folder File Explorer encrypts those files automatically.
play this page at logon" option at the bottom of the Manage Your Server page the page is not displayed.
ftware programs invoking the Windows programming interfaces ExitWindowsEx() or InitiateSystemShutdown().If you enable this policy se
egistration is missing the system searches for it in Active Directory and if it is found downloads it. The resulting searches might make some
Timestamp is turned off and the timing of unexpected shutdowns is not recorded.If you do not configure this policy setting the Persistent
pecified folders and their subfolders. To restrict the commands to one or more folders enable the policy setting and enter the desired
Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer
ully qualified path to the new location in the ""Alternate source file path"" text box. Multiple locations can be specified when each path is
able is turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. If you
which this policy setting is applied. If you disable this policy setting users see a standard Access Denied message that doesn't provide any
IntervalUnit. To disable package refresh select 0. Global Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23 Day 0
p reduce the server load. Repeat reporting for every (days): The periodical interval in days for sending the reporting data. Data
stations and servers on which this policy setting is applied.If you disable or do not configure this policy setting the process's command line
s).The policy becomes effective the next time the user signs on to a computer running Windows.If you disable or do not configure (by defa
by default) this policy setting delegation of default credentials is not permitted to any machine.Note: The "Allow delegating default creden
on).If you do not configure (by default) this policy setting after proper mutual authentication delegation of fresh credentials is permitted t
default) this policy setting after proper mutual authentication delegation of fresh credentials is permitted to Remote Desktop Session Host
redential manager).If you do not configure (by default) this policy setting after proper mutual authentication delegation of saved credenti
ot configure (by default) this policy setting after proper mutual authentication delegation of saved credentials is permitted to Remote Desk
Note: The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represen
server.Note: The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN rep
s not specify any server.Note: The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SP
u enable this policy setting CredSSP version support will be selected based on the following options:Force Updated Clients: Client applicati
istration and Remote Credential Guard mode are not supported. User will always need to pass their credentials to the host.
ating apps:Remote Desktop ClientIf you enable this policy setting the following options are supported: Restrict credential delegation: Parti
verName\ShareName\SIPolicy.p7b) or a locally valid path (for example C:\FolderName\SIPolicy.p7b). The local machine account (LOCAL S
his setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled kernel mode memory protections
essible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by devi
tting Windows does not create a system restore point when one would normally be created.If you disable or do not configure this policy se
configure this policy setting the setting in the Device Installation Settings dialog box controls whether Windows retrieves device metadata
driver that requests additional software is installed.
dows Publisher certificate and drivers that are signed by other Authenticode certificates are prioritized equally during the driver selection
rch for updates. This setting is used to ensure that the best software will be found for the device even if the network is temporarily availab
found will Windows then also search Windows Update.If you disable or do not configure this policy setting members of the Administrator
y setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.If you disable or do not con
by other policy settings" policy setting for legacy policy definitions.When this policy setting is enabled together with the "Apply layered ord
settings" policy setting for legacy policy definitions.When this policy setting is enabled together with the "Apply layered order of evaluatio
ot described by other policy settings" policy setting for legacy policy definitions.When this policy setting is enabled together with the "App
ngs that specify device match criteria is as follows:Device instance IDs > Device IDs > Device setup class > Removable devicesDevice instan
notification when a policy setting prevents device installation.
nts device installation.
and Prevent device installation policies across all device match criteria" policy setting instead of this policy setting.If you enable this polic
vices enable the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" polic
ktop server the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.If you
device instance IDs" policy settings to supersede this policy setting for applicable devices enable the "Apply layered order of evaluation fo
setting that allows Windows to install a device.NOTE: To enable the "Allow installation of devices using drivers that match these device se
will not take effect until the system is restarted.
d data is stored in the NV cache during shutdown and hibernate respectively. This might cause a slight increase in the time taken for shutd
tting the default behavior is to allow the hybrid hard disks to be in power save mode.Note: This policy setting is applicable only if the NV ca
ystem by keeping the disks spun down while satisfying reads and writes from the cache.If you enable this policy setting the system will not
ds to save power. Note that this can cause increased wear of the NV cache.If you do not configure this policy setting the default behavior o
ault but administrators can turn it on.To prevent users from changing the setting while a setting is in effect the system disables the "Enabl
anges while the setting is in effect.If you do not configure this policy setting the disk quota limit is not enforced by default but administrato
e "Log event when a user exceeds their quota limit" option on the Quota tab so administrators cannot change the setting while a setting is
ta tab so that administrators cannot change logging while a policy setting is in effect.If you do not configure this policy setting no event is r
es new users’ settings for the disk quota limit and warning level on their volumes and it disables the corresponding options in the "Select t
scale factor) many desktop applications can display blurry. Desktop applications that have not been updated to display properly in this sce
.If you disable or do not configure this policy setting GDI DPI Scaling might still be turned on for legacy applications.If GDI DPI Scaling is con
d by using ApplicationCompatibility database ApplicationCompatibility UI System (Enhanced) setting or an application manifest.If GDI DPI S
n the locally configured DCOM activation security check exemption list.If you do not configure this policy setting DCOM will only look in th
cy is enabled.DCOM server appids added to this policy must be listed in curly-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a6
her store.If you disable or do not configure this policy setting only members of the Administrators group are allowed to install new driver p
to search Windows Update.If you disable or do not configure this setting and "Turn off Windows Update device driver searching" is disabl
ou do not allow known bad drivers to be initialized.- Bad but required for boot: The driver has been identified as malware but the comput
USB Enhanced Storage devices connected to both USB root hubs and non-root hubs will be allowed.
ices are usable on your computer.
e File Server Resource Manager role service.If you enable this policy setting the Classification tab is displayed.If you disable or do not confi
r role service.If you enable this policy setting you can select which list of properties is available for classification on the affected computers
make changes to this setting effective you must restart Volume Shadow Copy (VSS) Service .
may select the types of symbolic links to be evaluated.
e parallel flushThe default value and limit for this setting varies based on the number of available processors on a given system: - Defaul
gurable on a per volume basis then an on-disk flag will determine whether or not short names are created on a given volume. If you disab
ware or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting a
when redirecting the Start Menu or legacy My Documents folder.If you disable or not configure this policy setting Windows Vista Windows
ot receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user
originally created the GPO with for example an English system the GPO contains English ADM files.- If you later edit the GPO from a differ
er.Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached c
s for evaluating if the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected Group Policy will de
eck boxes provided to change the options. If you disable or do not configure this policy setting it has no effect on the system.The "Allow pr
e the options. If you disable or do not configure this policy setting it has no effect on the system.The "Allow processing across a slow netw
he program implementing the folder redirection policy setting set when it was installed.If you enable this policy setting you can use the che
d Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode o
licy can specify the response to a slow link. Also the policy processing settings in this folder lets you override the programs' specified respo
le this policy setting you can use the check boxes provided to change the options. If you disable or do not configure this policy setting it ha
y setting you can use the check boxes provided to change the options. If you disable or do not configure this policy setting it has no effect
e before running logon scripts. If you disable this policy setting Group Policy will run scripts immediately after logon. If you do not c
figure this policy setting it has no effect on the system.The "Do not apply during periodic background processing" option prevents the syste
or do not configure this setting it has no effect on the system.The "Allow processing across a slow network connection" option updates th
you disable or do not configure this policy setting it has no effect on the system.The "Do not apply during periodic background processing
customized settings that the program implementing the software installation policy set when it was installed.If you enable this policy setti
is setting is enabled then when a user logs on to this computer the computer's Group Policy Objects determine which set of Group Policy O
e Windows edition. Changes to this policy take effect on reboot.
ge the options.If you disable this setting or do not configure it it has no effect on the system.The "Allow processing across a slow network c
d to change the options.If you disable this setting or do not configure it it has no effect on the system.The "Allow processing across a slow
cross-device experiences.If you do not configure this policy setting the default behavior depends on the Windows edition. Changes to this
or disable this policy setting by default administrators can view RSoP data.Note: To view RSoP data on a client computer use the RSoP snap
ache is read Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in backgrou
elf from the device list of any linked Phones and cannot participate in Continue on PC experiences.If you do not configure this policy settin
applies at a specified refresh interval or when manually invoked by the user.Note: This policy setting applies only to non-administrators. Ad
es with a random offset of 0 to 30 minutes.If you enable this setting you can specify an update rate from 0 to 64800 minutes (45 days). If y
es the domain controller tries to update Group Policy every 7 seconds. However because updates might interfere with users' work and inc
this policy setting overrides any system-computed wait times.If you enable this policy setting Group Policy will use this administratively con
guring this policy setting overrides any system-computed wait times.If you enable this policy setting Group Policy uses this administratively
quency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users"
not process and apply any Local GPOs.If you disable or do not configure this policy setting Local GPOs continue to be applied.Note: For co
do not configure this setting RSoP logging is turned on. By default RSoP logging is always on.Note: To view the RSoP information logged o
such that their respective features can access the Internet.If you do not configure this policy setting all of the the policy settings in the "Int
d about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically in
em in the Open With dialog is removed.If you disable or do not configure this policy setting the user is allowed to use the Store service and
products of companies and organizations that it considers trusted authorities.If you enable this policy setting when you are presented wit
t be downloaded over HTTP.If you disable or do not configure this policy setting users can download print drivers over HTTP.
about the event to Microsoft and allows users to learn more about why that event occurred.If you enable this policy setting event descrip
m to Microsoft over a secure connection.If you enable this policy Tablet PC users cannot choose to share writing samples from the handwr
riting recognition error reporting tool or send error reports to Microsoft.If you disable this policy Tablet PC users can report handwriting re
r do not configure this policy setting the Help and Support Center retrieves and displays "Did you know?" content.You might want to enab
and Support Center "Set search options" page and only Help content on the local computer is searched. If you disable or do not configure
setting users can connect to Microsoft to download a list of ISPs for their area.
Windows does not download providers and only the service providers that are cached in the local registry are displayed.If you disable or do
eb service to open an unhandled file association are removed.If you disable or do not configure this policy setting the user is allowed to us
om printing to Internet printers over HTTP.If you disable or do not configure this policy setting users can choose to print to Internet printe
registration is optional and involves submitting some personal information to Microsoft. However Windows Product Activation is required
ntent updates during searches.If you disable or do not configure this policy setting Search Companion downloads content updates unless
s folders.If you disable or do not configure this policy setting the tasks are shown.
s not collect usage information and the user settings to enable the collection of usage information are not shown.If you disable this policy
rson will call and you can continue working without interruption. It is simple and user-friendly.If you enable this policy setting all users are
ternet or to a corporate file share.This policy setting overrides any user setting made from the Control Panel for error reporting.Also see th
tting NCSI does not run either of the two active tests. This may reduce the ability of NCSI and of other components that use NCSI to determ
onal when installing a device.Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System" whi
should be applied to all domain controllers to ensure consistent application of this policy in the domain. If you disable or do not configure
on is supported on request. Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key id
omponents also needs to be enabled.If you disable or do not configure this policy setting the domain controller does not provide informati
ound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consis
al ticket to the client for the appropriate domain.If you disable or do not configure this policy setting the KDC will not search the listed fore
If set too low then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as
able this policy setting and the resource domain requests compound authentication devices that support compound authentication alway
and then click Show. In the Show Contents dialog box in the Value Name column type a realm name. In the Value column type the list of D
enable the policy setting note the syntax and then click Show. In the Show Contents dialog box in the Value Name column type the intero
eed valid. If you disable or do not configure this policy setting the Kerberos client enforces the revocation check for the SSL certificate. The
omputers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message
s and compound authentication for Dynamic Access Control and Kerberos armoring.If you disable or do not configure this policy setting th
e DNS name of the domain. If the computer is joined to a domain the Kerberos client requires that the KDC's X.509 certificate must be sign
ocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or Netwo
en. If you enable this policy setting the Kerberos client or server uses the configured value or the locally allowed maximum value whicheve
o the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name colum
ers to support this policy.If you enable this policy setting the device's Active Directory account will be configured for compound authentica
tic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates
Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name i
you do not configure this policy setting at the computer level restrictions are based on per-user policy settings.To set this policy setting on
sign-in page. If the policy is Disabled or Not Configured then the user will be able to use input methods enabled for their user account
cy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale even if this policy setting is not configured.If y
will be unable to customize those choices. The user cannot customize their user locale with user overrides.If this policy setting is disabled
xample en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (C
puter policy setting.The locale list is specified using language tags separated by a semicolon (;). For example en-US is English (United States
aximum idle time before a device locks. Additionally if a password is required when a screensaver turns on the screensaver timeout will lim
results in shorter logon times. Group Policy is applied in the background after the network becomes available. Note that because this is a
KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers.
policy setting the default logon domain is set to the specified domain which might be different than the domain to which the computer is jo
welcome screen is displayed each time a user logs on to the computer.This setting applies only to Windows 2000 Professional. It does not a
Vista Windows XP Professional and Windows 2000 Professional.If you disable or do not configure this policy setting Windows Vista adds a
he system runs the programs in the run-once list.This policy setting appears in the Computer Configuration and User Configuration folders.
xample to support biometric authentication).If you enable this policy an administrator can specify the CLSIDsof the credential providers to
ure this policy setting the Switch User interface is accessible to the user in the three locations.
(.exe) file or document file. To specify another name press ENTER and type the name. Unless the file is located in the %Systemroot% direc
count users will see the opt-in prompt for services and users with other accounts will see the sign-in animation.If you disable this policy se
Business use the Administrative Template policies under Windows Hello for Business.
s its existing value prior to GPO evaluation). The recognized bit locations are: PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE
uses any usability or compatibility issues.
the negotiation of cryptography algorithms. Therefore computers running Windows NT 4.0 will not be able to establish a connection to thi
this policy setting the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to valid
configure this policy setting the Netlogon share will grant shared read access to files on the share when exclusive access is requested and t
ritical. 15 minutes is optimal in all but extreme cases. For instance if a DC is separated from a trusted domain by an expensive (e.g. ISDN) li
r not configured the SYSVOL share will grant shared read access to files on the share when exclusive access is requested and the caller has
sed as an optimal setting.If you specify zero for this policy setting the default behavior occurs as described above.If you disable this policy
hould be specified.If you disable or do not configure this policy setting the default behavior occurs as indicated above.
value for this setting is 0.Warning: If the value for this setting is too large a client will not attempt to find any DCs that were initially unavai
1800). The maximum value for this setting is (4294967200) while the maximum that is not treated as infinity is 49 days (49*24*60*60=423
Active Directory.If you do not configure this policy setting it is not applied to any computers and computers use their local configuration.
maximum DC discovery retry interval policy setting the value for Use maximum DC discovery retry interval policy setting is used.The defaul
me that have specified the DS_BACKGROUND_ONLY flag.If the value of this setting is less than the value specified in the NegativeCachePer
ry Retry Setting is reached.The default value for this setting is 60 minutes (60*60). The maximum value for this setting is 49 days (0x49*24
0=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0).
re aggressive about trying to locate a DC in such an environment by pinging DCs at a higher frequency. Enabling this setting may result in
C responds to the mailslot message.This policy setting is recommended to reduce the attack surface on a DC and can be used in an environ
nformation. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC ev
d is running DC Locator will continue to return it. If a new domain controller is introduced existing clients will only discover it when a Force
this policy is provided to support such scenarios.By default DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are
ct the first reachable host with the lowest priority number listed.To specify the Priority in the DC Locator DNS SRV resource records click En
not applied to any DCs and DCs use their local configuration.
ords Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be conta
hich may then be used to compute a matching site for the client. The allowable values for this setting result in the following behaviors:0 - D
mainName>Ldap SRV _ldap._tcp.<DnsDomainName>LdapAtSite SRV _ldap._tcp.<SiteName>._sites.<DnsDomainName>Pdc
nnections.If you disable this policy setting DCs will not register DC Locator DNS resource records.If you do not configure this policy setting
register their records with DNS servers even if their records’ data has not changed. If authoritative DNS servers are configured to perform
ds for those sites without a DC that are closest to it. The application directory partition DC Locator DNS records and the site-specific SRV r
mically registered by the Net Logon service and they are used to locate the DC. An Active Directory site is one or more well-connected TCP
te-specific SRV records are dynamically registered by the Net Logon service and they are used to locate the GC. An Active Directory site is
nd a DC in the same site. If none are found in the same site a DC in another site which might be several site-hops away could be returned b
y register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain or no Global Catalog for the sam
this policy the behavior is the same as explicitly enabling this policy unless the AllowSingleLabelDnsDomain policy setting is enabled.If you
this policy setting computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain s
d potential manual cleanup procedures see the link below.If disabled domain controllers will use their configured DNS host name as-is wh
e or do not configure this policy setting the PIN length must be less than or equal to 127.NOTE: If the above specified conditions for the ma
isable or do not configure this policy setting the PIN length must be greater than or equal to 4.NOTE: If the above specified conditions for
cating the power plan to be active.If you disable or do not configure this policy setting users can see and change this setting.
otification Action" policy setting is configured to "No Action".If you disable or do not configure this policy setting users can control this setti
mine if Windows should automatically sleep.

mine if Windows should automatically sleep.
sers control this setting.

sers control this setting.
machine is locked this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be u
machine is locked this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be u
locked this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to di
locked this can prevent the sleep transition from occuring. The "Prevent enabling lock screen slide show" policy setting can be used to di
you disable or do not configure this policy setting users control this setting.If the user has configured a slide show to run on the lock scree
you disable or do not configure this policy setting users control this setting.If the user has configured a slide show to run on the lock scree
not configure this policy setting users control this setting.

not configure this policy setting users control this setting.
olicy setting users control this setting.

olicy setting users control this setting.
is can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide sh
is can prevent the display from turning off. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide sh
on") appears on the "Advanced recovery methods" page of Recovery (in Control Panel) and will allow the user to restore the computer to
on (or later versions) of the operating system can connect to this computer.If you disable this policy setting computers running this version
.If you do not configure this policy setting users on this computer cannot get help from their corporate technical support staff using Offer (
ot use email or file transfer to ask someone for help. Also users cannot use instant messaging programs to allow connections to this comp
setting the warning message you specify overrides the default message that is seen by the novice.If you disable this policy setting the use
lor (8-bit color in Windows Vista)-Turn off font smoothing (not supported in Windows Vista)-No full window drag-Turn off backgroundIf yo
y will be able to communicate with the Endpoint Mapper Service on Windows NT4 Server.If you enable this policy setting RPC clients will a
tten for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR w
vel. If you enable this policy setting you can use the drop-down box to determine which systems maintain RPC state information.-- "None
.If you disable this policy setting the RPC Runtime only generates a status code to indicate an error condition.If you do not configure this p
e. This policy setting should never be applied to a domain controller.If you disable this policy setting the RPC server runtime uses the valu
ntime and the RPC/HTTP Proxy to use a lower connection timeout.This policy setting is only applicable when the RPC Client the RPC Server
omputer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."

t does not take effect until the operating system is restarted.
cy setting user account cross-forest interactive logging cannot run logon scripts if NetBIOS or WINS is disabled and the DNS suffixes are no
e or do not configure this policy setting the instructions are suppressed.
users.If you disable or do not configure this policy setting the instructions are suppressed.Note: Starting with Windows Vista operating sys
not configure this policy setting the logon scripts and File Explorer are not synchronized and can run simultaneously.This policy setting app
s policy setting a startup cannot run until the previous script is complete.Note: Starting with Windows Vista operating system scripts that a
p and shutdown. For example assume the following scenario: There are three GPOs (GPO A GPO B and GPO C). This policy setting is enable
ollowing scenario: There are three GPOs (GPO A GPO B and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the f
ype a number from 1 to 32000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system
ns are supported:Ignore: during authentication the domain controller will not probe any WHfB keys for the ROCA vulnerability.Audit: durin
the policy setting instead of the “Configure Refresh Interval” setting (in Windows Server 2008 and Windows Server 2008 R2) or the “Refre
rver.If you do not configure this policy setting the Initial Configuration Tasks window is displayed when an administrator logs on to the serv
er if the "Do not show me this console at logon" (Windows Server 2008 and Windows Server 2008 R2) or “Do not start Server Manager aut
g these stricter security settings will not be applied.
omatically terminated during shutdown.If you disable or do not configure this setting these applications will be automatically terminated
efault cadence as ‘during low free disk space’. Users cannot disable Storage Sense but they can adjust the cadence (unless you also configu
ngs.Not Configured:By default Storage Sense will delete the user’s temporary files. Users can configure this setting in Storage settings.
nce is set to “during low free disk space”. Users can configure this setting in Storage settings.
o Storage Sense will not dehydrate any cloud-backed content. The default value is 0 or never dehydrating cloud-backed content.Disabled o
ot delete files in the user’s Recycle Bin. The default is 30 days.Disabled or Not Configured:By default Storage Sense will delete files in the u
value to zero Storage Sense will not delete files in the user’s Downloads folder. The default is 0 or never deleting files in the Downloads fol
policy setting the option to configure System Restore through System Protection is disabled.If you disable or do not configure this policy se
gure System Restore or create a restore point through System Protection is also disabled.If you disable or do not configure this policy setti
If you select detection troubleshooting and resolution the DPS will attempt to automatically fix problems it detects or indicate to the use
abytes in size.No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.This policy s
get help online through a Microsoft website.If you disable this policy setting the PCA does not detect compatibility issues for applications
upted files will automatically start with no UI. Windows will log an administrator event when a system restart is required. This behavior is r
ce restarts are required for this policy setting to take effect: changes take effect immediately. This policy setting only takes effect if the Dis
tting the DPS also warns users of S.M.A.R.T. faults and guides them through backup and recovery to minimize potential data loss. If you disa
y the DPS.If you do not configure this policy setting the DPS enables Fault Tolerant Heap for resolution by default.This policy setting takes e
ure this policy setting MSDT is turned on by default.This policy setting takes effect only if the diagnostics-wide scenario execution policy is
root cause of the problem.If you enable this policy setting for remote troubleshooting MSDT prompts the user to download additional too
MSDT cannot run in support mode and no data can be collected or sent to the support provider.If you do not configure this policy setting
ues:0 = Do not allow users system features or Microsoft to apply troubleshooting.1 = Only automatically apply troubleshooting for critical p
MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the applicatio
olve some of these problems silently without requiring user input.If you disable this policy setting Windows will not be able to detect troub
oubleshooting tools from the Control Panel.Note that this setting also controls a user's ability to launch standalone troubleshooting packs
policy setting users who are connected to the Internet can access and search troubleshooting content that is hosted on Microsoft content
ut no corrective action will be taken. If you select detection troubleshooting and resolution the DPS will detect Windows Boot Performanc
is not configured. -- When the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diagnostic scenario
g when detected but no corrective action will be taken. If you select detection troubleshooting and resolution the DPS will detect Window
detected but no corrective action will be taken. If you select detection troubleshooting and resolution the DPS will detect Windows Shutd
ent log when detected but no corrective action will be taken. If you select detection troubleshooting and resolution the DPS will detect W
detected but no corrective action will be taken. If you select detection troubleshooting and resolution the DPS will detect Windows System
e the operating system store either the full TPM owner authorization value the TPM administrative delegation blob plus the TPM user dele
de. To find the command number associated with each TPM command with TPM 1.2 run "tpm.msc" and navigate to the "Command Mana
for the system. The prompt can be dismissed but will reappear after every reboot and login until the policy is disabled or until the TPM is i
r the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has
st by running "tpm.msc" navigating to the "Command Management" section and making visible the "On Default Block List" column. The lo
through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the rela
strators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requirin
TPM hardware from entering a lockout mode because it slows the speed standard users can send commands requiring authorization to the
g helps administrators prevent the TPM hardware from entering a lockout mode because it slows the speed standard users can send com
re full control or read and write access for the user and no file access for the administrators group.By configuring this policy setting you ca
settings in this folder together define the system's response when roaming user profiles are slow to load.If you enable this policy setting y
er logs on again. The local copy is also used when the remote copy of the roaming user profile is slow to load.If you enable this policy setti
d number of days. If you disable or do not configure this policy setting User Profile Service will not automatically delete any profiles on the
onnections as being slow. As a result the system does not respond to slow connections to user profiles and it ignores the policy settings th
d profile are full control access for the user and no file access for the administrators group. No checks are made for the correct permissions
their roaming user profile.If you enable this policy setting Windows will not forcefully unload the users registry at logoff but will unload th
dows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded.If you disable this policy se
nistrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain S
s users' server-based profiles when users log on or off.-- Users' local profiles are newer than their server-based profiles.If you enable this
eleted on that client logs on they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy s
_CURRENT_USER) into a file (NTUSER.DAT) and updates it. However if another program or service is reading or editing the registry the syst
ave made is merged with the server copy of their profile.Using the setting you can prevent users configured to use roaming profiles from r
of their profile including any changes is merged with the server copy of the profile.Using this policy setting you can prevent changes made
will be shown to the user during logon if a slow network connection is detected. The user then is able to choose to download the remote c
the computer (if the media is disconnected or the network adapter is not available).If you enable this policy setting Windows waits for the
ing onto this computer will use the same roaming profile folder as specified by this policy. You need to ensure that you have set the appro
erval" is chosen then an interval must be set with a value of 1-720 hours. Once set Windows uploads the profile's registry file at the specifi
are in the Path box (for example \\ComputerName\ShareName) and then choose the drive letter to assign to the file share. If you choose “
addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN SIP/URI and
policy setting the system waits for the remote copy of the roaming user profile to load even when loading is slow.If you disable this policy s
um amount of disk space to be used (in MB). To indicate that the cache size is unlimited select "4294967295" as the maximum amount of
up.-- "Scan during startup" also scans files each time you start Windows XP. This setting delays each startup.If you disable or do not config
definitions of flags see https://go.microsoft.com/fwlink/?linkid=847809. FrequencyCorrectRateThis parameter controls the rate at wh

e form of ""dnsNameflags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information see the NTP Client G
setting the local computer clock does not synchronize time with NTP servers.
is policy setting ActiveX controls prompt the user for administrative credentials before installation. Note: Wild card characters cannot be u
nds to certificate errors. By default all HTTPS connections must supply a server certificate that passes all validation criteria. If you are awar
bled any previously shared app data will remain in the SharedLocal folder.
ed Windows Store apps.
tratorTemporary user profiles which are created when an error prevents the correct profile from loadingUser profiles for the Guest accoun
ed apps and the user will be able to configure this setting themselves.
d by other policies. If you disable or do not configure this policy all users will be able to initiate installation of Windows app packages.
n can decide whether Windows apps can access account information by using Settings > Privacy on the device.If you choose the "Force Al
decide whether Windows apps can access the eye tracker by using Settings > Privacy on the device.If you choose the "Force Allow" option
ide whether Windows apps can access call history by using Settings > Privacy on the device.If you choose the "Force Allow" option Window
e whether Windows apps can access contacts by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows ap
n control" option employees in your organization can decide whether Windows apps can get diagnostic information about other apps usin
hether Windows apps can access email by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are
e whether Windows apps can access location by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows ap
rganization can decide whether Windows apps can read or send messages by using Settings > Privacy on the device.If you choose the "For
ecide whether Windows apps can access motion data by using Settings > Privacy on the device.If you choose the "Force Allow" option Win
ecide whether Windows apps can access notifications by using Settings > Privacy on the device.If you choose the "Force Allow" option Win
hether Windows apps can access tasks by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are
ecide whether Windows apps can access the calendar by using Settings > Privacy on the device.If you choose the "Force Allow" option Win
cide whether Windows apps can access the camera by using Settings > Privacy on the device.If you choose the "Force Allow" option Windo
n decide whether Windows apps can access the microphone by using Settings > Privacy on the device.If you choose the "Force Allow" opti
n decide whether Windows apps can access trusted devices by using Settings > Privacy on the device.If you choose the "Force Allow" optio
setting overrides the default setting.If you choose the "User is in control" option employees in your organization can decide whether Wind
e it.If you choose the "Force Deny" option Windows apps are not allowed to be activated with a voice keyword and employees in your org
is locked and employees in your organization cannot change it.If you choose the "Force Deny" option users cannot interact with applicati
n your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Privacy on the
can decide whether Windows apps have access to control radios by using Settings > Privacy on the device.If you choose the "Force Allow"
de whether Windows apps can make phone calls by using Settings > Privacy on the device.If you choose the "Force Allow" option Window
decide whether Windows apps can run in the background by using Settings > Privacy on the device.If you choose the "Force Allow" option
es in your organization can decide whether Windows apps can take screenshots of various windows or displays by using Settings > Privacy
ation can decide whether Windows apps can turn off the screenshot border by using Settings > Privacy on the device.If you choose the "Fo
ed to sign in with a Microsoft account.
p app for a file type; they can open files only in other Windows Store apps.If you disable or do not configure this policy setting Windows St
op app for a URI scheme; they can open URIs only in other Windows Store apps.If you disable or do not configure this policy setting Windo
e not affected. If you disable or do not configure this policy setting all Universal Windows apps can be launched. This policy should
you disable or don't set this policy setting Windows Store apps will only use the static Content URI Rules.
to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running any subsequen
ge from the context-menus but does not affect previous compatibility settings applied to application using this interface.
ty engine will boost system performance. However this will degrade the compatibility of many popular legacy applications and will not bl
s policy is set.Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for
Compatibility Assistant is also disabled.If you disable or do not configure this policy setting the Inventory Collector will be turned on.Note:
etting the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Tu
and off data collection.If you enable this policy setting Steps Recorder will be disabled.If you disable or do not configure this policy setting
cations. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are
uted without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command is to be
s XP SP2 Autoplay is enabled for removable drives as well including Zip drives and some USB mass storage devices. If you enable this p
ior to Windows 10 not configuring this policy setting would have prevented domain users from using biometrics to log on.
etting the Windows Biometric Service is unavailable and users cannot use any biometric feature in Windows.Note: Users who log on using
computer and can elevate permissions with UAC using biometrics.If you disable this policy setting biometrics cannot be used by any users
configure this policy setting a default value of 10 seconds is used for fast-user switch event timeouts.
t require enhanced anti-spoofing for Windows Hello face authentication.Note that enhanced anti-spoofing for Windows Hello face authen
overy password in a folder. You can specify either a fully qualified path or include the target computer's environment variables in the path
em drives and removable data drives individually. For fixed and operating system drives we recommend that you use the XTS-AES algorithm
This policy is only applicable to computers running Windows 8 and later.If you enable this policy setting you will be able to choose an encr
This policy is only applicable to computers running Windows Server 2008 Windows Vista Windows Server 2008 R2 or Windows 7.If you en
user either can type a 48-digit numerical recovery password or insert a USB flash drive containing a 256-bit recovery key.If you enable thi
were already enumerated when the machine was unlocked will continue to function until unplugged or the system is rebooted or hiberna
estart performance but will increase the risk of exposing BitLocker secrets.If you disable or do not configure this policy setting BitLocker se
Locker-protected drives using the manage-bde command-line tool. An identification field is required for management of certificate-based
covery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is appl
cate with the object identifier that is defined by this policy setting.Default object identifier is 1.3.6.1.4.1.311.67.1.1Note: BitLocker does n
ng Windows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2 and their content can be viewed. These operating
y Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive Encryption De
Locker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encry
ts" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled.Note:
ning on BitLocker not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the drive.If you
ed with read and write access.
tion of the drive used to store data is encrypted when BitLocker is turned on.If you enable this policy setting the encryption type that BitLo
compliant devices will have the choice to turn on BitLocker without pre-boot authentication.If this policy is not enabled the options of "R
d PINs in the pre-boot environment. It is strongly recommended that users perform a system check during BitLocker setup.If you disable or
se Network Key Protectors.To use a Network Key Protector to unlock the computer both the computer and the BitLocker Drive Encryption
not configure this policy setting BitLocker will use Secure Boot for platform integrity if the platform is capable of Secure Boot-based integri
be used it must be added from the Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Edit
not configure this policy setting users can configure a startup PIN of any length between 6 and 20 digits. NOTE: If minimum PIN length
to revert to the default message you must keep the policy enabled and select the "Use default recovery message and URL" option.If you s
e before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protectio
Compatibility Service Module (CSM) enabled. Computers using a native UEFI firmware configuration store different values into the Platfor
EFI firmware with a Compatibility Service Module (CSM) enabled store different values into the Platform Configuration Registers (PCRs). U
ther BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-base
xity requirements" located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also
change BitLocker PINs and passwords.
of pre-boot input (such as an attached USB keyboard).If this policy is not enabled the Windows Recovery Environment must be enabled on
puter without a TPM select the "Allow BitLocker without a compatible TPM" check box. In this mode either a password or a USB drive is re
o authentication methods can be used at startup to provide added protection for encrypted data. When the computer starts it can requir
onfigure this policy setting platform validation data will be refreshed when Windows is started following BitLocker recovery.
y the default Windows BCD settings. Note: When BitLocker is using Secure Boot for platform and Boot Configuration Data (BCD) integrity v
puters running Windows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2 and their content can be viewed. Thes
he Public Key Policies item in either the Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker Drive En
her BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based
n\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled.Note: These settings are enforced when tu
hen turning on BitLocker not when unlocking a drive. BitLocker will allow unlocking a drive with any of the protectors available on the driv
s to suspend and decrypt BitLocker on removable data drives" to permit the user to remove BitLocker Drive encryption from the drive or s
elected only drives with identification fields matching the computer's identification fields will be given write access. When a removable dat
layed and users cannot show or hide it in Settings.If you disable or do not configure this policy setting the Chat icon will be configured acco
ministrative Templates\Windows Components\Data Collection and Preview Builds\Allow Telemetry" policy setting with a level of "Basic" o
tting only applies to Enterprise and Education SKUs.
default the password reveal button is displayed after a user types a password in the password entry text box. To display the password click
ers will always be required to type a user name and password to elevate.
op by means of the trusted path mechanism.If you disable or do not configure this policy setting users will enter Windows credentials with
crosoft will be the controller of Windows diagnostic data collected from this device.This policy only controls if Microsoft is a processor for
Desktop Analytics.
tic data off (not recommended). Using this value no diagnostic data is sent from the device. This value is only supported on Enterprise Edu
essed by Update Compliance.
iagnostic data from this device will not be processed by Windows Update for Business cloud.
and Telemetry service from automatically using an authenticated proxy.
s policy setting Connected User Experience and Telemetry data will be sent to Microsoft using the default proxy configuration.The format
tic data opt-in change notifications appear at first logon and when the changes occur in Settings.
he amount of diagnostic data that is sent to Microsoft by your organization use the "Allow Diagnostic Data" policy setting.
disable or do not configure this policy setting then Microsoft will not be able to use this identifier to associate this machine and its diagno
allows people to erase all diagnostic data collected by Microsoft from that device.
led in Settings page.
tting users can control how often they receive feedback questions.
EventLog.
ce has been configured to send optional diagnostic data.
heap dumps if the user has opted to send optional diagnostic data.
Collection" policyWhen these policies are configured Microsoft will collect only required diagnostic data and the events required by Deskto
ough the Settings app.This policy is only supported up to Windows 10 Version 1703. Please use 'Manage preview builds' under 'Windows U
is 1 minute (60).
is selected peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.3 = HTTP blended with Internet P
his policy will be ignored.For option 3 - DHCP Option ID the client will query DHCP Option ID 234 and use the returned GUID value as the G
ys a visual version of the desktop is presented and items can be flipped through to select. Changing this policy setting requires a logoff for
fic color for window frames that cannot be changed by users.

event color changes of window frames" setting to enforce a specific color for window frames that cannot be changed by users.
applies across all subscriptions for the forwarder (source computer).
986/wsman/SubscriptionManager/WECRefresh=<Refresh interval in seconds>IssuerCA=<Thumb print of the client authentication certifica
d new events are discarded and old events are retained.If you do not configure this policy setting and the "Retain old events" policy settin
nore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and A
ces can write read or clear this log.If you do not configure this policy setting the previous policy setting configuration remains in effect.
y when full" policy setting.
ministrator using the Log Properties dialog and it defaults to 1 megabyte.

ccess the log.If you disable or do not configure this policy setting only system software and administrators can read or clear this log.Note:
o not configure this policy setting the previous policy setting configuration remains in effect.
administrator using the Log Properties dialog and it defaults to 20 megabytes.

nore it. The same change should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and A
ces can write read or clear this log.If you do not configure this policy setting the previous policy setting configuration remains in effect.
ly system software and administrators can write or clear this log and any authenticated user can read events from it.Note: If you enable th
this policy setting the previous policy setting configuration remains in effect.

e encrypted messages provided that you have access to the private key corresponding to the public key that they were encrypted with.If y
be suspicious.Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.If you enable this polic
gged on unexpected behavior could occur.
o the path defined.If you disable or do not configure this policy setting no changes are made to the location of the default Library definition
file will be processed and default associations will be applied at logon time.If the group policy is not configured disabled or the client mach
h the Power Options Control Panel.
ns Control Panel.
ended to leave this protocol in the protected mode to increase the security of Windows.If you enable this policy setting the protocol is full
me share the target path is updated and files are not copied or deleted. The temporary file is deleted.If you disable or do not configure this
aults to disabled.
tting users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore points.I
e Restore button Windows attempts to restore the file from the local disk.If you do not configure this policy setting it is disabled by default
n corresponding to a backup. If the Restore button is clicked Windows attempts to restore the file from the backup media.If you do not co
e. If the user clicks the Restore button Windows attempts to restore the file from the file share.If you do not configure this policy setting it
n the user's device after each use of their active digitizer.When Find My Device is off the device and its location are not registered and the
n-joined computer is not shared with the homegroup.This policy setting is not configured by default.You must restart the computer for this
h providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be created fro
/fwlink/?linkid=2102115
uring shutdown (default behavior in Internet Explorer 9).
policy setting users won't receive enhanced suggestions while typing in the Address bar. In addition users won't be able to change the Su
plorer bars. ActiveX controls are referred to as plug-ins and are not part of this definition.If you enable this policy setting newly installed a
re installed the following behaviors occur:- If you disable or don't configure this policy Microsoft Edge Stable channel is used. This is the de
r control which components the user installs.

et Explorer Maintenance under Admin Templates using group policy editor.If you disable or do no configure this policy setting the user wil
rnet Control Panel) you do not need to set this policy because the "Disable the Connections page" policy removes the Connections tab fro
s policy setting the user can add secondary home pages.Note: If the “Disable Changing Home Page Settings” policy is enabled the user can
er to export favorites feeds and cookies to a file.If you enable this policy setting the user will not be able to use the Import/Export Settings
Explorer 11.If you disable or don’t configure this policy all sites are opened using the current active browser settings. Note: Microsoft Edge
intended to help the administrator maintain version control for Internet Explorer by preventing users from being notified about new vers
policy or do not configure it users will be notified before their programs are updated.This policy is intended for administrators who want t
.com/fwlink/?linkid=2102115
contains menus that open lists of commands for printing customizing Internet Explorer copying and pasting text managing favorites and a
dialog.Note: This policy is deprecated starting with Windows 10 version 1703.
icy all intranet sites are automatically opened in Microsoft Edge.We strongly recommend keeping this policy in sync with the ‘Send all intra
pecify a report location Enterprise Mode will still be available to your users but you won't get any reports.If you disable or don't configure
Site Discovery.To configure the domain(s) included in data collection for the IE Site Discovery Toolkit Add one domain per line to the text b
Discovery.To configure zone(s) included in site discovery a binary number is formed based on the selected zones. The decimal representati
wed so *.contoso.com is also valid.If you disable this or do not configure this policy setting you will not be able to provide a default Pop-up
policy setting the Internet Explorer Help menu is available to the user. The user can also use the Command bar and F1 to access Help.
y setting the user can bypass SmartScreen Filter warnings.
ble or do not configure this policy setting the user can manage pop-ups by changing the filter level.You may also want to enable the "Preve
this scenario. • Open a new Internet Explorer window.If you disable or do not configure this policy setting the user can configure how w
If you disable or do not configure this policy setting the user can configure how new tabs are created by default.
setting Internet Explorer does not enumerate search providers for the Accelerators infrastructure. If Accelerators are turned on users can
er process's Pop-Up Blocker settings by enabling the "Specify pop-up allow list" policy setting.
prompting the user.If you disable or do not configure this policy setting the user is prompted to decide whether to turn on SmartScreen F
nalysis and the user is prompted to permit any data to be sent to Microsoft. If the feature is fully enabled all website addresses that are no
u do not configure this policy setting the user can choose to participate in the CEIP.
ws 8 the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is chosen.
this policy setting the user cannot configure the list of search providers on his or her computer and any default providers installed do not a
d Web sites to or remove sites from the Trusted Sites and Restricted Sites zones and alter settings for the Local Intranet zone.This policy pr
blished by the administrator.Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windo
ttings apply uniformly to the same computer and do not vary from user to user.Also see the "Security zones: Do not allow users to change p
he Enterprise Mode Site List in Microsoft Edge.Disabling or not configuring this setting opens all sites based on the currently active browse
cal memory. The default setting creates the optimal number of tab processes based on the operating system and amount of physical mem
no additional page appears.
for permission to load an ActiveX control and Internet Explorer loads the control if it passes all other internal security checks.If you disable
ser to disable add-ons and configure the threshold.If you enable this policy setting users are not notified when the average time to load al
disable or do not configure this policy setting Internet Explorer uses the user's setting for pop-up windows in tabbed browsing.
for add-on management will be functional.
the filter's allow list are sent automatically to Microsoft without prompting the user.If you disable or do not configure this policy setting th
nched off screen will continue to be re-positioned onscreen.If you disable or do not configure this policy setting the popup management f
nts appear on the user interface for Internet Explorer and the user cannot turn them off.If you do not configure this policy setting the user
plete for web-address setting.If you do not configure this policy setting a user will have the freedom to choose to turn the auto-complete s
cy setting ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
s. The user cannot turn on logging.If you do not configure this policy setting the user can change the logging settings.
y default. The user can turn on or turn off the menu bar.
e entry points and functionality associated with this feature are turned off.If you do not configure this policy setting the user can turn on a
ode IE.If you disable or don't configure this policy setting Internet Explorer opens all websites using Standards mode.
that are provided through first use of the browser.
ators that are provided through first use of the browser.
.If you disable this policy setting the user is prompted when a script that is running in any process on the computer attempts to perform a
havior is currently set to prompt it will be bypassed and enabled.If you disable this policy setting the user is prompted when a script that i
policy setting is enabled the processes configured in this policy setting take precedence over that policy setting.If you enable this policy se
ilable and users will not see printers under the Devices charm.If you disable or do not configure this policy setting the Print menu in Intern
sed. Additionally the user cannot activate the feature by using the Compatibility View Settings dialog box.If you do not configure this policy
additional string appended). Additionally all Standards Mode webpages appear in Internet Explorer 7 Standards Mode. This option results
user cannot change this behavior through the Compatibility View Settings dialog box.If you disable this policy setting Internet Explorer use
r do not configure this policy setting the user can specify the download path for the code.
ng history on exit is turned off.If you do not configure this policy setting it can be configured on the General tab in Internet Options.If the "
the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not delete
he Settings charm.If you disable or do not configure this policy setting the user can access the Delete Browsing History dialog box. Starting
.With at least Internet Explorer 11:This policy setting prevents users from deleting ActiveX Filtering data Tracking Protection data and Do N
"Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
oad history when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is en
ata when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting has no effect
If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
user clicks Delete.If you disable this policy setting InPrivate Filtering data is deleted when the user clicks Delete.If you do not configure thi
te.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
serve temporary Internet files when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this
the user can choose whether to delete or preserve visited websites when he or she clicks Delete.If the "Prevent access to Delete Browsing
nd cookies.
ser Configuration\Administrative Templates\Windows Components\Internet Explorer\) because this policy removes the Advanced tab fro
terface:"Disable Internet Connection Wizard""Disable changing connection settings""Prevent changing proxy settings""Disable changing A
uration\Administrative Templates\Windows Components\Internet Explorer\) because this policy removes the General tab from the interfa
e interface:"Disable changing Messaging settings""Disable changing Calendar and Contact settings""Disable the Reset Web Settings feature
moves the Security tab from the interface:"Security zones: Do not allow users to change policies""Security zones: Do not allow users to add
are converted to IDN format only for addresses that are not in the Intranet zone. 2) Unicode domain names are converted to IDN format
change this behavior on the Internet Explorer Tools menu: Click Internet Options click the Advanced tab and then under International sel
s will be prompted when non-Internet Explorer components would be installed.If you do not configure this policy setting non-Internet Exp
mponents such as fonts will be automatically installed as necessary.If you disable this policy setting users will be prompted when Web Com
s can turn this behavior on or off using Internet Explorer Advanced Internet Options settings. The default is on.
policy setting users can turn this behavior on or off using Internet Explorer Advanced Internet Options settings. The default is on.
invalid signature.If you do not configure this policy users can choose to run or install files with an invalid signature.
this policy setting browser helper objects do not launch.If you do not configure this policy Internet Explorer automatically launches any b
d or inPrivate Browsing mode is used.For at least Internet Explorer 11:If you disable this policy setting Internet Explorer only sends the Do
versions when they are available.If you disable this policy setting Internet Explorer does not check the Internet for new versions of the bro
u disable this policy setting Internet Explorer will not check server certificates to see if they have been revoked.If you do not configure this
user computers.If you disable this policy setting Internet Explorer will not check the digital signatures of executable programs or display t
l websites to run in Enhanced Protected Mode.Enhanced Protected Mode provides additional protection against malicious websites by us
t Explorer Settings.
encrypted pages containing secure (HTTPS) information to the cache.If you do not configure this policy Internet Explorer will save encrypte
nternet Files folder when all browser windows are closed.If you disable this policy setting Internet Explorer will not delete the contents of
helping pages display more quickly.If you do not configure this policy setting Internet Explorer will play animated pictures found in Web c
ages display more quickly.If you enable this policy setting Internet Explorer will play sounds found in Web content.
ckly.If you do not configure this policy setting Internet Explorer will play videos found in Web content.
endering engine.
e browser and server attempt to match each other’s list of supported protocols and versions and they select the most preferred match.If y
nd content in the background.If you don't configure this policy setting users can turn this behavior on or off using Internet Explorer setting
also choose to allow this information to be shared with the Web site in the future without being prompted.If you do not configure this po
URLs that are in the Intranet zone. 3) Always encode query strings.If you disable or don't configure this policy setting users can turn this
und.If you disable this policy setting flip ahead with page prediction is turned on and the next webpage is loaded into the background.If yo
Enhanced Protected Mode on 64-bit versions of Windows.If you disable this policy setting Internet Explorer 11 will use 32-bit tab processe
rned on.If you disable this policy setting Caret Browsing is turned off.If you do not configure this policy setting Caret Browsing support can
d will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.If you disable this policy setting Enhanced
nnections.
b of the Internet Options dialog box.Note: This policy is no longer supported starting with Windows 10 Version 1607.
s option to start with the home page.If you disable this policy setting Internet Explorer starts a new browsing session with the home page.
caches on Website Data Settings will be unavailable to users.If you do not configure this policy setting websites will be able to store appli
se and caches on Website Data Settings will be unavailable to users.If you do not configure this policy setting websites will be able to store
olicy sets the maximum file storage limit for domains that are trusted by users. When you set this policy setting you provide the cache lim
setting.If you disable or do not configure this policy setting Internet Explorer will use the default application cache expiration time limit fo
pplication caches.
s the maximum data storage limit for domains that are trusted by users. When you set this policy setting you provide the cache limit in MB
tting Internet Explorer will allow the creation of application caches whose individual manifest file entries are less than or equal to the size s
he resource limit as a number. The default is 1000 resources.If you enable this policy setting Internet Explorer will allow the creation of ap
u can set the maximum storage limit for all application caches. The default is 1 GB.If you disable or do not configure this policy setting Inte
tting you can set the maximum storage limit for all indexed databases. The default is 4 GB.If you disable or do not configure this policy setti
ure this template policy setting no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Lockdow
ypically be in the Internet Zone).If you do not configure this policy setting users choose whether to force local sites into the Intranet Zone.
the Intranet Zone.
choose whether sites which bypass the proxy server are mapped into the Intranet Zone.
Security settings can be set for each of these zones through other policy settings and their default settings are: Trusted Sites zone (Low tem
e configured.If this policy setting is not configured the user can choose whether or not to automatically detect the intranet through the int
this policy setting the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the Inter
a Notification bar notification does not appear when the user loads content from an intranet site that is being treated as though it is in the
aded in the zone that uses MSXML or ADO to access data from another site in the zone.If you disable this policy setting users cannot load
on the restricted list. If you select Prompt from the drop-down box the Notification bar will appear to allow control over questionable con
policy setting script code on pages in the zone can run automatically.
ailable.If you disable this policy setting binary and script behaviors are not available unless applications have implemented a custom secur
nfigure this policy setting a script can perform a clipboard operation.
ng and pasting files from this zone.If you do not configure this policy setting users can drag files or copy and paste files from this zone auto
etting files can be downloaded from the zone.
y setting HTML fonts can be downloaded automatically.
tems from this zone.If you do not configure this policy setting users are queried to choose whether to install desktop items from this zone.
The user cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XBAPs.If you disable this p
er cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XAML files.If you disable this pol
for loading XPS files.If you disable this policy setting XPS files are not loaded inside Internet Explorer. The user cannot change this behavio
a page containing an active Meta Refresh setting cannot be redirected to another Web page.If you do not configure this policy setting a us
er-site ActiveX prompt and ActiveX controls can run from all sites in this zone.
ou disable this policy setting users are prevented from performing OpenSearch queries in this zone using Search Connectors.If you do not c
ome application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search results in Fi
owser control is allowed only in the Local Machine and Intranet zones.
indows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated by the
r disable this policy setting VBScript is prevented from running.

les.If you enable this policy setting video and animation can be played through older media players in specified zones.If you disable this po
can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.
ot configure this policy setting ActiveX control installations will be blocked using the Notification bar. Users can click on the Notification ba
fication bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
e nonsecure items?) and nonsecure content can be displayed.If the drop-down box is set to Prompt the user will receive the security inform
n" message when they connect to a Web site that has no certificate or only one certificate.If you do not configure this policy setting Intern
eate an instance of the ActiveX control.If you don't configure this policy setting Internet Explorer always checks with your antimalware pro
tting signed controls cannot be downloaded.If you do not configure this policy setting users are queried whether to download controls sign
cy setting users cannot run unsigned controls.If you do not configure this policy setting users cannot run unsigned controls.
nnot drag content from one domain to a different domain when both the source and destination are in different windows. Users cannot c
nnot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot change
g the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone as dictated by the featu
orm.If you disable this policy setting path information is removed when the user is uploading a file via an HTML form.If you do not configu
ked safe for scripting option.If you enable this policy setting and select Prompt in the drop-down box users are queried whether to allow t
and secure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disable Ja
load files from IFRAMEs on the pages in this zone.If you disable this policy setting users are prevented from running applications and down
he remainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a user is
policy setting users cannot open windows and frames to access applications from different domains.If you do not configure this policy setti
tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
Internet Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy setting I
et Explorer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting Internet E
ot configure this policy setting controls and plug-ins can run without user intervention.
ure this policy setting script interaction can occur automatically without user intervention.
ng scripts can access applets automatically without user intervention.
the files open.If you disable this policy setting these files do not open.If you do not configure this policy setting the user can configure how
ed of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.High s
oose whether to allow information using HTML forms on pages in this zone to be submitted.If you disable this policy setting information u
Framework Setup is turned off. The user cannot change this behavior.If you disable this policy setting .NET Framework Setup is turned on
first-run prompt is turned on in the corresponding zone.If you do not configure this policy setting the first-run prompt is turned off by defa
otected Mode.If you do not configure this policy setting the user can turn on or turn off Protected Mode.
alicious content.Note: In Internet Explorer 7 this policy setting controls whether Phishing Filter scans pages in this zone for malicious cont
re prevented from appearing.
thin a Web page saved to disk.If you disable this policy setting users cannot preserve information in the browser's history in favorites in an
op-down box a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting the possibly
r disable this policy setting VBScript will run without user intervention.
ot configure this policy setting users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
eate an instance of the ActiveX control.If you don't configure this policy setting Internet Explorer won't check with your antimalware progr
tab of the Internet Options dialog box. Filters are rendered by default in this zone.
first-run prompt is turned on in the corresponding zone.If you do not configure this policy setting the first-run prompt is turned on by defau
d from appearing.
tems from this zone.If you do not configure this policy setting users can install desktop items from this zone automatically.
tting signed controls cannot be downloaded.If you do not configure this policy setting users can download signed controls without user int
cy setting users cannot run unsigned controls.If you do not configure this policy setting users can run unsigned controls without user inter
d from appearing.
down box a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting the possibly ha
policy setting users are queried to choose whether to allow script code on pages in the Local Machine zone to run.

ot configure this policy setting controls and plug-ins are prevented from running.
r disable this policy setting users are asked to choose whether to allow VBScript to run.
d from appearing.
d from appearing.
policy setting script code on pages in the zone is prevented from running.
nfigure this policy setting a script cannot perform a clipboard operation.
ng and pasting files from this zone.If you do not configure this policy setting users are queried to choose whether to drag or copy files from
etting files are prevented from being downloaded from the zone.
y setting users are queried whether to allow HTML fonts to download.
tems from this zone.If you do not configure this policy setting users are prevented from installing desktop items from this zone.

tting signed controls cannot be downloaded.If you do not configure this policy setting signed controls cannot be downloaded.
ains.If you disable this policy setting users cannot open other windows and frames from other domains or access applications from differe
ure this policy setting script interaction is prevented from occurring.
ng scripts are prevented from accessing applets.
d from appearing.
for protocols on the restricted list. If you select Prompt from the drop-down box the Notification bar will appear to allow control over que
policy setting script code on pages in the zone is prevented from running.
nfigure this policy setting a script cannot perform a clipboard operation.
ng and pasting files from this zone.If you do not configure this policy setting users are queried to choose whether to drag or copy files from
etting files are prevented from being downloaded from the zone.
y setting users are queried whether to allow HTML fonts to download.
tems from this zone.If you do not configure this policy setting users are prevented from installing desktop items from this zone.

tting signed controls cannot be downloaded.If you do not configure this policy setting signed controls cannot be downloaded.
ains.If you disable this policy setting users cannot open other windows and frames from other domains or access applications from differe
ure this policy setting script interaction is prevented from occurring.
ng scripts are prevented from accessing applets.
cy setting users cannot run unsigned controls.If you do not configure this policy setting users are queried to choose whether to allow the u
d from appearing.
t Explorer can be configured by the user.

policy setting users can turn this behavior on or off using Internet Explorer settings. The default is on.
a elements" setting on the Advanced tab in the Internet Options dialog box.
n. • Display the results in the main window: When the user searches on the Address bar the list of search results is displayed in the main
r is directed to an external top result website determined by the search provider if available.If you enable this policy setting you can choos
estions will be turned on. Users will not be able to turn off URL Suggestions.If you do not configure this policy setting URL Suggestions will b
e for providing relevant results in the Address bar. The user cannot change this setting.If you disable this policy setting Internet Explorer us
g the user cannot specify the cipher strength update information URL. You must specify the cipher strength update information URL.If you
net Explorer and Internet Tools.
nge is 3 through 30.If you enable this policy setting the selected value is enforced.If you disable or do not configure this policy setting the u
range is 3 through 30.If you enable this policy setting the selected value is enforced.If you disable or do not configure this policy setting the
u disable this policy setting toolbars and BHOs are loaded by default during an InPrivate Browsing session.If you do not configure this polic
ction is turned on.If you do not configure this policy setting InPrivate Filtering data collection can be turned on or off on the Privacy tab in I
rowsing can be turned on or off through the registry.
rivate Filtering data is not collected.If you disable this policy setting InPrivate Filtering is available for use.If you do not configure this policy
d Tracking Protection data is not collected.If you disable this policy setting Tracking Protection is available for use.If you do not configure t
lopers will not be able to depend on the reveal password button being displayed in any web form or web application.If you disable or do n
PPolicy function to turn on Data Execution Prevention on platforms that support the function.This policy setting has no effect if Windows h
erpreted as a failed URL.If you disable this policy setting Data URI support is turned on.If you do not configure this policy setting Data URI s
hether add-ons not listed here are assumed to be denied.If you enable this policy setting you can enter a list of add-ons to be allowed or d
preferences and policy settings.If you disable or do not configure this policy setting all processes will not respect add-on management user
gh Group Policy. However users can still use the Add-on Manager within Internet Explorer to manage add-ons not listed within the 'Add-on
ou enable this policy setting and enter a Value of 1 the process entered will respect the add-on management user preferences and policy s
he warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run the outd
Controls" in the Internet Explorer TechNet library.
TLD". For example if you want to include *.contoso.com/* use "contoso.com"2. "hostname". For example if you want to include http://ex
or off regardless of the "Turn off blocking of outdated ActiveX controls for Internet Explorer" or "Turn off blocking of outdated ActiveX con
xplorer before Internet Explorer 8 the default connection limit for HTTP 1.1 was 2.
server.If you enable this policy setting websites cannot request data across domains by using the WebSocket object.If you disable or do no
y using the XDomainRequest object.If you disable or do not configure this policy setting websites can request data across domains by usin
e for which Script and Binary Behaviors is set to 'admin-approved'. Behaviors must be entered in #package#behavior notation e.g. #defaul
o not configure this policy setting binary behaviors are allowed for all processes.
sable or do not configure this policy setting Internet Explorer 9 does not install binaries signed by MD2 and MD4 signing technologies.
aviors are allowed for the File Explorer and Internet Explorer processes.If you do not configure this policy setting binary behaviors are pre
tting and enter a Value of 1 binary behaviors are prevented. If you enter a Value of 0 binary behaviors are allowed. The Value Name is the
renames the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting Consistent Mime Ha
renames the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting Internet Explorer re
renames the file by saving it in the Internet Explorer cache and changing its extension.This policy setting allows administrators to define a
an attack vector to load malicious HTML code.If you enable this policy setting the Local Machine zone security applies to all local files and
e Local Machine zone is used as an attack vector to load malicious HTML code.If you enable this policy setting the Local Machine zone secu
sed as an attack vector to load malicious HTML code.If you enable this policy setting and enter a value of 1 Local Machine Zone security ap
this policy setting MIME sniffing will never promote a file of one type to a more dangerous file type.
dangerous file types. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting i
work for the File Explorer and Internet Explorer processes.If you do not configure this policy setting the MK Protocol is prevented for File E
ocol is allowed. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processe
sable this policy setting restricting content obtained through restricted protocols is prevented for all processes other than File Explorer or
r example you can restrict active content from pages served over the http and https protocols by adding the value names http and https.If
If you enable this policy setting and enter a Value of 1 restricting content obtained through restricted protocols is allowed. If you enter a V
his sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocols to a
on bar will be displayed for all processes.If you disable or do not configure this policy setting the Notification bar will not be displayed for
processes.If you do not configure this policy setting the Notification bar will be displayed for Internet Explorer Processes.
played. If you enter a Value of 0 the Notification bar is not displayed. The Value Name is the name of the executable. If a Value Name is em
esses.If you do not configure this policy setting an object reference is no longer accessible when navigating within or across domains for In
bjects are still accessible after navigation. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 o
be protected from zone elevation for all processes.If you disable or do not configure this policy setting processes other than Internet Explo
security context.If you enable this policy setting any zone can be protected from zone elevation by Internet Explorer processes.If you disab
is no security context.This policy setting allows administrators to define applications for which they want this security feature to be preve
used to determine whether to block ActiveX control installations for Internet Explorer processes.
e is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Proces
ser initiated for all processes.
ether to prompt for file downloads that are not user initiated for Internet Explorer processes.
mpty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Interne
or do not configure this policy setting scripted windows are not restricted.
nd Internet Explorer processes.If you disable this policy setting scripts can continue to create popup windows and windows that obfuscate
y feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 such windows may not be opened. If you ente
e command buttons have only text; some have icons and text.Show only icons: All command buttons have only icons.If you disable or do n
esh buttons are next to the Address bar by default and the user can choose to move them.
you enable this policy setting the toolbar upgrade tool does not check for incompatible toolbars. The user is not prompted and incompatib
d the user can make them bigger (20 x 20 pixels).
etting. Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. If you disable or do not configure this
tting the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply.
random delay will be applied to Automatic Maintenance. If you disable this policy setting no random delay will be applied to Automati
y and make a wake request for the daily scheduled time if required. If you disable or do not configure this policy setting the wake setti
setting MDM Enrollment will be enabled for all users.

ent will not be initiated. If you enable this policy setting a task is created to initiate enrollment of the device to MDM service specifie
enabling this setting until the authentication cache expires. It is recommended to enable this setting before any user signs in to a device t
alware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted the servi
would have blocked access if it were set to Block then a record of the event will be in the event logs. Disabled: Potentially unwant
policy Settings will override preference settings. If you enable this setting only items defined by Group Policy will be used in the resultin
en 1 and 23 hours.
5. Autodetect If you enable this setting the proxy setting will be set to use the specified proxy .pac according to the order specified ab
todetect If you enable this setting the proxy will be set to the specified URL according to the order specified above. The URL should be p
oft Defender Antivirus. If you install another antivirus program Windows automatically disables Microsoft Defender Antivirus. Otherwise M
ompts users to choose from the actions available for each threat. If you disable or do not configure this policy setting Microsoft Defende
ed will be displayed. If you disable or do not configure this setting there will be no additional text displayed.
files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recomm
process image. Note that only executables can be excluded. For example a process might be defined as: "c:\windows\app.exe". The value
s to be set as follows: MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature will not function. MAPS
uter. This information can include things like location of detected items on your computer if harmful software was removed. The informati
will be applied and the end-user will have the option to bypass the block Unless the ASR rule is disabled a subsample of audit events are
at specific file in that specific folder - Value column: Enter ""0"" for each item Disabled: No exclusions will be applied to the ASR rules
sabled: No additional applications will be added to the trusted list. Not configured: Same as Disabled. You can enable controlled fol
us automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applic
otected in the Options section. Disabled: No additional folders will be protected. Not configured: Same as Disabled. You can enabl
connect to dangerous domains however if this feature would have blocked access if it were set to Block then a record of the event will be
EnableNetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of EnableNe
ded cloud check feature and will raise the total time to 60 seconds. Note: This feature depends on three other MAPS settings - "Configu
oft Defender Antivirus documentation site. Note: This feature requires the "Join Microsoft MAPS" setting enabled in order to function.
he value is not used and it is recommended that this be set to 0.
EnableNetworkProtection will be ignored otherwise network protection will start on Windows Server depending on the value of EnableNe
ed then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all t
tion is only honored for NTFS volumes. For any other file system type full monitoring of file and program activity will be present on those v
ender Antivirus will prompt users to take actions on malware detections.
Never (default) If you enable this setting a scheduled full scan to complete remediation will run at the frequency specified. If you disab
run at the time of day specified. If you disable or do not configure this setting a scheduled full scan to complete remediation will run at a
etting or do not configure this setting the scan will start using the existing security intelligence.
ecutive missed scheduled scans.
d during quick scan and custom scan.

tting a scheduled scan will run at the frequency specified. If you disable or do not configure this setting a scheduled scan will run at a def
uick scan controlled by this config will not be run.
U utilization will not exceed the default value.

e default value.
ified. If you disable or do not configure this setting daily quick scan controlled by this config will not be run.
time of day specified. If you disable or do not configure this setting a scheduled scan will run at a default time.
atch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured there will be no catch-up
s a catch-up scan is started the next time someone logs on to the computer. If there is no scheduled scan configured there will be no catc
or do not configure this setting e-mail scanning will be disabled.
cified. If you disable or do not configure this setting items will be kept in the scan history folder for the default number of days.
bled. If you disable or do not configure this setting reparse point scanning will be disabled.
t configure the antimalware service will receive notifications to disable security intelligence. If you disable this setting the antimalware s
o join Microsoft MAPS for this functionality to work. If you enable or do not configure this setting real-time security intelligence updates
he configured download source.
ty intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source the remaining so
intelligence will be considered out of date after the number of days specified have passed without an update. If you disable or do not co
ence will be considered out of date after the number of days specified have passed without an update. If you disable or do not configure
ftUpdateServer | MMPC } If you enable this setting security intelligence update sources will be contacted in the order specified. Once se
enable this setting the check for security intelligence updates will occur at the frequency specified. If you disable or do not configure this
pdates will occur at the default interval.
check is occurring. If you enable this setting the check for security intelligence updates will occur at the time of day specified. If you dis
5 = Severe Valid remediation action values are: 2 = Quarantine 3 = Remove 6 = Ignore

ve 6 = Ignore
crosoft Defender Application Guard will be unable to access the camera and microphone on the user’s device.Important: If you turn on thi
d PowerShell command. Running this command deletes all employee data regardless of configuration and can result in data loss for the em
ard container to the host operating system.
back and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware M
g certificates are not shared with the Microsoft Defender Application Guard container.Example: b4e72779a8a362c860c36a6461f31e3aa7
e:We recommend that you don't enable copying from the host to Application Guard. If you enable this functionality a potentially comprom
host.- Enable printing to XPS allows people to print as XPS and save the resulting file on the host.If you disable or don't configure this settin
Defender Application Guard container directly in Internet Explorer and Microsoft Edge.
ble this setting Application Guard is turned on for your organization.
or directly in Windows Security.- Generate an XML file with the settings from the device by running the Get-ProcessMitigation PowerShell
le or don't configure this setting Microsoft Edge downloads book files to a per-user folder for each student or teacher.
er the "Configure search suggestions in Address bar" setting. If you enable or don't configure this setting employees can see the Addre
ying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Internet Exp
required to start up Microsoft Edge.If you prevent pre-launch Microsoft Edge won’t pre-launch during Windows sign in when the system is
ed to start up Microsoft Edge and to start a new tab.If you prevent preloading Microsoft Edge won’t load the Start or New Tab page durin
cy when disabled does not stop roaming of existing history or history coming from other roamed devices.
ch engines and change the default used in the address bar from within Microsoft Edge Settings.If you disable this setting users can't add se
usiness) enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). When disabled this policy does not prev
serpolicy).If you enable this setting you can add up to 5 additional search engines. For each additional engine you must also add a link to yo
nfigure this setting employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge.
nfo.If you don't configure this setting employees can choose whether to send Do Not Track requests to websites asking for tracking info.
don't configure this setting employees will see the Favorites that they set in the Favorites hub.
anization manages some settings. The show bar/hide bar option is hidden from the context menu.If disabled the favorites bar is hidden an
Unlock Home Button policy.If Enabled AND:- Show home button & set to Start page is selected clicking the home button loads the Start pa
gnored. To learn more about assigned access and kiosk configuration see “Configure kiosk and shared devices running Windows desktop e
p for this policy to work. Once the idle time meets the time specified a confirmation message prompts the user to continue and if no user a
figure Start Pages policy.- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected you must spec
assword Manager to save their passwords locally.
u don't configure this setting employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
App settings loads as the default Start pages.Version 1703 or later:If you do not want to send traffic to Microsoft enable this policy and us
e won't use the Enterprise Mode Site List XML file. In this case employees might experience compatibility problems while using legacy app
Windows Defender SmartScreen is turned off and employees can't turn it on.If you don't configure this setting employees can choose whe
t configured the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down.Supported devices
e the download process.
ween Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Internet
ive Tile metadata providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.
updates of the extension gets granted automatically.When you enable this policy you must provide a semi-colon delimited list of extensio
his setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees fro
bled you must also add the default engine to the “Set default search engine” setting by adding a link to your OpenSearch XML file includin
is used.Default setting: Disabled or not configuredRelated policy: Allow web content on New Tab page
Microsoft Edge option from the drop-down list under Options.If disabled or not configured the default app behavior occurs and no additio
ng hiding and showing the home button as well as configuring a custom URL.If disabled or not configured the UI settings for the home butt
thenticate with Windows Hello.
s connected to the settings storage location.When SyncMethod is set to “None” the UE-V Agent uses no sync provider. Settings are writte
ndows apps. If you do not configure this policy setting any defined values are deleted.Note: If the user connects their Microsoft account fo
setting disabled no notification appears.If you do not configure this policy setting any defined values are deleted.
ocation before synchronizing settings packages.If you disable this policy setting the sync provider doesn’t ping the settings storage location
.If you disable or do not configure this policy setting no event is written to the event log to report settings package size.
ck are registered by the UE-V Agent. The UE-V Agent deregisters templates that were removed from this location.If you specify a UNC path
nfigure this policy setting any defined values are deleted.
s roaming.With this setting disabled the UE-V Agent will not synchronize settings over a metered connection that is roaming.If you do not c
etting disabled only the settings of the Windows apps set to synchronize in the Windows App List are synchronized.If you do not configure
tion of users' sign-in information for certain apps networks and certificates.If you enable this policy setting only the selected Windows setti
con is visible the UE-V notifications display and the Company Settings Center is accessible from the tray icon.With this setting disabled the
. Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments that r
g certain user settings of Microsoft Access 2013 will not be backed up.If you do not configure this policy setting any defined values will be d
g certain user settings of Microsoft Access 2016 will not be backed up.If you do not configure this policy setting any defined values will be d
synchronization settings.If you do not configure this policy setting any defined values will be deleted.
tting certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up.If you dis
tting certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up.If you dis
in user settings of Microsoft Excel 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
in user settings of Microsoft Excel 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
y setting certain user settings of Microsoft InfoPath 2013 will not be backed up.If you do not configure this policy setting any defined value
net Explorer 10 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values w
et Explorer 11 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values wi
xplorer 8 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be
xplorer 9 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be
common between the versions of Internet Explorer continue to synchronize.If you disable this policy setting the user settings which are c
user settings of Microsoft Lync 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
user settings of Microsoft Lync 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
Microsoft Access 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined v
Microsoft Access 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined va
Microsoft Access 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined va
oft Excel 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined values w
oft Excel 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values wil
oft Excel 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values wil
etting Microsoft InfoPath 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any d
etting Microsoft InfoPath 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any d
Lync 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined values will b
Lync 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be
Lync 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be
ween computers. If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2010 application
ween computers.If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2013 application
ontinue to synchronize.If you disable this policy setting Microsoft Office 2013 Upload Center user settings are excluded from the synchron
ween computers.If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2016 application
ontinue to synchronize.If you disable this policy setting Microsoft Office 2016 Upload Center user settings are excluded from the synchron
ettings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
ettings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
mputers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 20
mputers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Suite 20
ngs of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Offi
ngs of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Offi
er settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V.If you enable this policy setting Mic
gs of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Office
gs of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Office
ser settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V.If you enable this policy setting M
ser settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V.If you enable this policy setting M
r settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V.If you enable this policy setting Micro
r settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V.If you enable this policy setting Micro
the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V.If you enable this policy se
the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V.If you enable this policy se
settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V.If you enable this policy setting Microso
settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V.If you enable this policy setting Microso
user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V.If you enable this policy setting M
user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V.If you enable this policy setting M
etting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with UE-V.
ngs of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Offic
ngs of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Offic
ttings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Offi
ttings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft Offi
e this policy setting OneDrive for Business 2013 user settings are excluded from the synchronization settings.If you do not configure this po
e this policy setting OneDrive for Business 2016 user settings are excluded from the synchronization settings.If you do not configure this po
setting Microsoft OneNote 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting an
tting Microsoft Outlook 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defi
this policy setting Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings.If you do not configure this pol
Microsoft Project 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined
y setting Microsoft Publisher 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting a
tinue to synchronize.If you disable this policy setting Microsoft SharePoint Designer 2010 user settings are excluded from the synchroniza
tinue to synchronize.If you disable this policy setting Microsoft SharePoint Designer 2013 user settings are excluded from the synchroniza
ttings continue to synchronize.If you disable this policy setting Microsoft SharePoint Workspace 2010 user settings are excluded from the
ft Visio 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will b
soft Word 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values
onization settings.If you do not configure this policy setting any defined values will be deleted.
icy setting certain user settings of Microsoft OneNote 2013 will not be backed up.If you do not configure this policy setting any defined val
icy setting certain user settings of Microsoft OneNote 2016 will not be backed up.If you do not configure this policy setting any defined val
etting certain user settings of Microsoft Outlook 2013 will not be backed up.If you do not configure this policy setting any defined values w
etting certain user settings of Microsoft Outlook 2016 will not be backed up.If you do not configure this policy setting any defined values w
ble this policy setting certain user settings of Microsoft PowerPoint 2013 will not be backed up.If you do not configure this policy setting an
ble this policy setting certain user settings of Microsoft PowerPoint 2016 will not be backed up.If you do not configure this policy setting an
ng certain user settings of Microsoft Project 2013 will not be backed up.If you do not configure this policy setting any defined values will be
ng certain user settings of Microsoft Project 2016 will not be backed up.If you do not configure this policy setting any defined values will be
licy setting certain user settings of Microsoft Publisher 2013 will not be backed up.If you do not configure this policy setting any defined va
licy setting certain user settings of Microsoft Publisher 2016 will not be backed up.If you do not configure this policy setting any defined va
ntinue to be backed up.If you disable this policy setting certain user settings of Microsoft SharePoint Designer 2013 will not be backed up.
user settings of Microsoft Visio 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
user settings of Microsoft Visio 2016 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
tain user settings of Microsoft Word 2013 will not be backed up.If you do not configure this policy setting any defined values will be delete
tain user settings of Microsoft Word 2016 will not be backed up.If you do not configure this policy setting any defined values will be delete
chronization settings.If you do not configure this policy setting any defined values will be deleted.
t configure this policy setting any defined values will be deleted.
figure this policy setting any defined values will be deleted.
this policy setting any defined values will be deleted.
ot configure this policy setting any defined values will be deleted.
ure this policy setting any defined values will be deleted.
e this policy setting any defined values will be deleted.
do not configure this policy setting any defined values will be deleted.
t enabled the OneDrive sync client will start automatically when users sign in to Windows.If you enable or disable this setting do not retur
eos from the camera roll folder.If you disable or do not configure this policy setting apps and features can work with OneDrive file storage
ad photos and videos from the camera roll folder.If you disable or do not configure this policy setting apps and features can work with One
l be able to access OneDrive using the WinRT API. If you enable or do not configure this policy setting users with a connected account will
ng the default behavior applies (Help viewer renders trusted assistance content with active elements).
ted to choose their privacy settings after an upgrade.If this policy is disabled or not configured then the privacy experience may launch for
rtup Options Control Panel item.If you disable this setting booting to Windows To Go when a USB device is connected will not be enabled u
screen blanking adjust speaker volume and apply a custom background image.Note: Users will be able to customize their system settings f
olicy setting and this policy setting is applied to a Remote Desktop license server the license server will only respond to RDS CAL requests f
Windows Server 2008 TS CAL for clients connecting to a terminal server running Windows Server 2008 and will try to issue a Windows Serv
her they want to connect.If you disable this policy setting users cannot run unsigned .rdp files and .rdp files from unknown publishers on th
p settings (for example when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file).If you enab
me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticat
al issues to investigate. If you disable this setting or leave it not configured the Remote Desktop client will use hardware accelerated decod
s setting or leave it not configured the user will be able to save passwords using Remote Desktop Connection.
mputer the user will not be prompted to provide credentials.Note: If you enable this policy setting in releases of Windows Server 2008 R2 w
y start the file. To obtain the thumbprint view the certificate details and then click the Thumbprint field.If you disable or do not configure t
disable or do not configure this policy setting other supported RemoteFX USB devices are not available for RDP redirection by using any us
s. The target computer will maintain any current connections but will not accept any new incoming connections.If you do not configure th
If the status is set to Disabled automatic reconnection of clients is prohibited.If the status is set to Not Configured automatic reconnection
ver. If the client logs on to the same RD Session Host server again a new session might be established (if the RD Session Host server is confi
the connected administrator is not allowed.If you disable or do not configure this policy setting logging off the connected administrator is
e because fewer sessions are demanding system resources. By default RD Session Host servers allow an unlimited number of Remote Desk
s are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services.If you do not configure this policy se
traffic to this server originates from a low-speed connection.If you disable Continuous Network Detect Remote Desktop Protocol will not
affic will use UDP.If the UDP connection is not successful or if you select "Use only TCP" all of the RDP traffic will use TCP.If you disable or d
s consent.3. Full Control without user's permission: Allows the administrator to interact with the session without the user's consent.4. View
You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. If you disable or do not config
Users can also choose to not play the audio. Video playback can be configured by using the videoplayback setting in a Remote Desktop Pr
ault audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirec
this policy setting the client computer does not redirect its time zone information and the session time zone is the same as the server time
UI.Remote Desktop sessions don't currently support UI Automation redirection.If you enable or don't configure this policy setting any UI A
tting users cannot redirect Clipboard data.If you disable this policy setting Remote Desktop Services always allows Clipboard redirection.If
s policy setting users cannot redirect server data to the local COM port.If you disable this policy setting Remote Desktop Services always a
olicy setting client drive redirection is not allowed in Remote Desktop Services sessions and Clipboard file copy redirection is not allowed o
not redirect server data to the local LPT port.If you disable this policy setting LPT port redirection is always allowed.If you do not configure
on connection.Note: The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Profe
e computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and
to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video ca
unt of bandwidth. If you select Medium the audio will be sent with some compression and with minimum latency as determined by the cod
the number of days until the licensing grace period for the RD Session Host server will expire.If you enable this policy setting these notifica
server. Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL iss
n RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: 1. Remote Deskt
he remote computer to a local client printer in Remote Desktop Services sessions.If you disable this policy setting users can redirect print j
nter specified on the remote computer.If you disable this policy setting the RD Session Host server automatically maps the client default p
r is for the RD Session Host server to find a suitable printer driver. If one is not found the client's printer is not available. You can choose to
er that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer the cl
s policy setting you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile c
use the network share for user profiles.If you enable this policy setting Remote Desktop Services uses the specified path as the root direc
d then select the drive letter to which you want the network share to be mapped.If you choose to keep the home directory on the local co
n Host server use the same user profile.If you disable or do not configure this policy setting mandatory user profiles are not used by users c
ces.If you specify a new farm name a new farm is created in RD Connection Broker. If you specify an existing farm name the server joins th
specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012 for a high availability s
ession Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connec
nnection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session
olicy setting the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program
twork bandwidth. If you select the algorithm that is optimized to use less network bandwidth this option uses less network bandwidth but
onsumes the lowest amount of network bandwidth of the quality modes. If you enable this policy setting and set quality to Medium Rem
on2. Optimize for server scalability3. Optimize for minimum bandwidth usageIf you disable or do not configure this policy setting the Remo
2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008
tions for more information). Servers running Windows Server 2003 do not display wallpaper by default to Remote Desktop Services sessio
epth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the c
mum resolution that can be used by each monitor used to display a Remote Desktop Services session.If you disable or do not configure th
session. You can specify a number from 1 to 16.If you disable or do not configure this policy setting the number of monitors that can be us
isable or do not configure this policy setting "Disconnect" is not removed from the list in the Shut Down Windows dialog box.Note: This po
ws Security dialog box on the client computer.If the status is set to Disabled or Not Configured Windows Security remains in the Settings m
ng this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop are no
hics.If you disable this policy setting RemoteApp programs published from this RD Session Host server will not use these advanced graphics
pter.If you do not configure this policy setting Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Re
e to take effect you must restart Windows.
ost uses server-side GPUs to deliver a rich user experience over LAN connections and RDP 7.1.When deployed on an RD Session Host serve
ct the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text.
e network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed).If you have a h
Desktop Connection client.If you enable this policy setting users cannot automatically log on to Remote Desktop Services by supplying thei
for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only.If you disable or do not co
ow unsecured communication with untrusted clients.If the status is set to Disabled Remote Desktop Services always requests security for a
ailable:* Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TL
Host server.To determine whether a client computer supports Network Level Authentication start Remote Desktop Connection on the clie
y a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to
etting all communications between clients and RD Session Host servers during remote connections must use the encryption method speci
s are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Serv
arning two minutes before the session disconnects which allows the user to press a key or move the mouse to keep the session active. If y
Remote Desktop Services session disconnects which allows the user to save open files and close programs. If you have a console session ac
e running programs are kept active even though the user is no longer actively connected. By default these disconnected sessions are main
are retained when the user logs off from a session.If you disable this policy setting temporary folders are deleted when a user logs off eve
he remote computer in a Temp folder under the user's profile folder and are named with the sessionid.If you enable this policy setting per
covery button.
to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
not configure this policy setting the user can subscribe to a feed or Web Slice through the Subscribe button in Internet Explorer and delete
nticate feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection.A developer cannot c
ver your query should resemble the following:http://sitename/Search.aspx?k=$wIf your intranet search service is Windows SharePoint Se
rch service. Use $w in place of the query term for the search service URL.If your intranet search service is SharePoint Portal Server your qu
icy setting the local setting configured through Control Panel will be used. By default the Control Panel setting is set to not index encrypted
through Control Panel will be used. Note: By default the Control Panel setting is set to treat words that differ only because of diacritics as t
ou disable or do not configure this policy setting Windows will use automatic language detection only when it can determine the language
y in Search.If you don't configure this policy setting a user can choose whether or not Search can perform queries on the web and if the we
ered connections and web results will be displayed when a user performs a query in Search.If you don't configure this policy setting a user
ensure that for Microsoft Outlook 2007 no portions of the delegate mailbox are cached locally. The default behavior for Search is to not i
on delegate mailboxes. To stop indexing of online and delegate mailboxes you must disable both policies.
sable this policy then online mail items will be indexed at the speed that the Microsoft Exchange server can support. If you set this policy t
ble. When the policy is disabled both the Add and Remove locations options as well as any previously specified user locations will be visib
hared on this computer and automatically adds them to or removes them from the index.
excluded file types. If you enable and then disable this policy the user's original list is restored.If you want to specify an initial default list of
this policy setting.

cular iFilter make sure that this iFilter is on the allow list either as a GUID such as {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} (include the brace
is disabled or not configured the preview pane shows automatically to the right of the Desktop Search results and your users can choose t
he default is small icon view.
ou disable or don't configure this policy setting users can specify the SafeSearch setting.Windows 10 users should use Search/DoNotUseW
soft account info to personalize their search and other Microsoft experiences. -Anonymous info: Share usage information but don't sha
y. When Security Center is not enabled on the domain neither the notifications nor the Security Center status section are displayed. Note
mote shutdown interface.

also be used to log on with a smart card:- Certificates with no EKU- Certificates with an All Purpose EKU- Certificates with a Client Authenti
on to a domain. ECC certificates on a smart card that are used for other applications such as document signing are not affected by this poli
e this policy setting then the integrated unblock feature will not be available.
rtificates will be listed on the logon screen regardless of whether they have an invalid time or their time validity has expired.If you disable
n optional field that allows users to enter their user name or user name and domain will not be displayed.
the user when the smart card is blocked if the integrated unblock feature is enabled.
e the same if they are issued from the same template with the same major version and they are for the same user (determined by their U
card vendor to determine if your smart card and associated CSP supports the required behavior.If you enable this setting then Windows w
nly for smart cards that have passed the Windows Hardware Quality Labs (WHQL) testing process.
d out whether you will be affected by this policy setting.
layed along with "user1@example.com." If the UPN is not present then the entire subject name will be displayed. This setting controls th
rtificates will not be propagated from the smart card.

en a card is inserted in a Smart Card Reader.Note: This policy setting is applied only for smart cards that have passed the Windows Hardwa
ally sent to Microsoft) - Disabled (data will be automatically sent to Microsoft) - Enabled (data will not be sent to Microsoft)
them from a Microsoft service using the Background Internet Transfer Service (BITS).
ettings in the Microsoft Store.
"sync your settings" is on by default and configurable by the user.

s" group is on by default and configurable by the user.
default and configurable by the user.
d off by default but not disabled.If you do not set or disable this setting syncing of the "browser" group is on by default and configurable b
r disable this setting syncing of the "desktop personalization" group is on by default and configurable by the user.
tions is configurable by the user.
r disable this setting syncing of the "Other Windows settings" group is on by default and configurable by the user.
p is on by default and configurable by the user.
roup is on by default and configurable by the user.
art layout" group is on by default and configurable by the user.
plications can be launched from a hardware button.
not configure this policy press and hold actions will be available.
symbols numbers or keyboard shortcuts.If you enable this policy Input Panel will not provide text prediction suggestions. Users will not be
ext entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options dialog
try area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disabl
Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text symbols n
disable this policy Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in the Inp
e this setting in the Input Panel Options dialog box.If you disable this policy application auto complete lists will appear next to Input Panel i
se handwriting or an on-screen keyboard to enter text symbols numbers or keyboard shortcuts.If you enable this policy and choose “Low”
keyboard to enter text symbols numbers or keyboard shortcuts. If you enable this policy and choose “All” from the drop-down menu n
d pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flicks poli
he touch pointer and other-touch specific features.If you do not configure this setting touch input is on by default.Note: Changes to this se
etting Touch Panning is on by default.Note: Changes to this setting will not take effect until the user logs off.
sers to change task characteristics such as: the program the task runs details of its schedule idle time and power management settings and
aracteristics such as the program the task runs its schedule details idle time and power management settings and its security context.Note
kes precedence over the setting in User Configuration.
select a program from the list in the Scheduled Task Wizard which displays only the tasks that appear on the Start menu and its submenus
cheduled tasks folder.This setting does not prevent users from using other methods to create new tasks and it does not prevent users from
dence over the setting in User Configuration.Important: This setting does not prevent administrators of a computer from using At.exe to c
ettings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Important: This settin
Azure AD Tenant Restrictions for more details.https://go.microsoft.com/fwlink/?linkid=2148762Before enabling firewall protection ensure
uage is uninstalled.
s from Store onlyIf you disable or don't configure this setting users will be able to install apps from anywhere including files downloaded fr
be suspicious.Some information is sent to Microsoft about files and programs run on PCs with this feature enabled.If you enable this polic
Windows Defender SmartScreen is turned off and employees can't turn it on.If you don't configure this setting employees can choose whe
on to the user.If you disable this policy setting then all memory dumps are uploaded according to the default consent and notification setti
mmunication settings.Important: If the Turn off Windows Error Reporting policy setting is not configured then Control Panel settings for W
able or do not configure this policy setting the Turn off Windows Error Reporting policy setting in Computer Configuration/Administrative
onfigure Error Reporting policy setting is also enabled errors are reported but users receive no notification. Disabling this policy setting is u
e Templates/Windows Components/Windows Error Reporting/Consent take precedence.
onfigure this policy setting WER throttles data by default; that is WER does not upload more than one CAB file for a report that contains da
ery power but checks for solutions and uploads report data normally.If you disable or do not configure this policy setting WER checks for so
again if the network profile is changed.
ber on the destination server for transmission.If you disable or do not configure this policy setting Windows Error Reporting sends error rep
he Maximum number of reports to store setting determines how many reports are stored before older reports are automatically deleted.I
ely. When Queuing behavior is set to Always queue all reports are added to the queue until the user is prompted to send the reports or un
reported regardless of the setting in the Default pull-down menu. When the Report all errors in Windows check box is filled all errors in W
applications in this list are not reported even if the Default Application Reporting Settings policy setting is configured to report all applicati
e Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an applicati
emove applications from the list of application file names in the Show Contents dialog box (example: notepad.exe). File names must alway
ttings in Control Panel are set to upload operating system errors.See also the Configure Error Reporting policy setting.
anned shutdown events" by default.Also see the "Configure Error Reporting" policy setting.
a that is required to check for an existing solution is sent automatically and Windows prompts users for consent to send any additional da
evel of 0 1 2 3 or 4.- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.- 1 (Always ask before sending da
efault consent setting determines only the consent level of any other error reports.
umeration of provisioned Windows Hello for Business credentials for other users on the same device.This policy setting is designed for a si
to successfully unlock.If you disable or do not configure this policy setting users can continue to unlock with existing unlock options.For m
compatible with smart card applications.NOTE: This policy affects Windows Hello for Business credentials at the time of creation. Credenti
configure this policy setting the TPM is still preferred but all devices may provision Windows Hello for Business using software if the TPM is
abling this policy prevents the user of biometric gestures on the device for all account types.
ses authentication.NOTE: Disabling or not configuring this policy setting and enabling the "Use Windows Hello for Business" policy setting r
r on-premises authentication. NOTE: An environment that enables both this policy setting and the "Use Windows Hello for Business" polic
rypt. PIN recovery requires the user to perform multi-factor authentication to Azure Active Directory.If you enable this policy setting Wind
ou do not configure this policy setting users can provision Windows Hello for Business as a convenience credential that encrypts their dom
Hello for Business certificates as smart card certificates and biometric factors are available when a user is asked to authorize the use of the
m changing installation options typically reserved for system administrators such as specifying the directory to which files are installed.If W
at their own permissions would not allow.This policy setting does not affect installations that run in the user's security context. Also see th
configure this policy setting by default only system administrators can apply patches during installations with elevated privileges such as i
tall from removable media when the installation runs in their own security context.If you disable or do not configure this policy setting by
file setting lets users install programs that require access to directories that the user might not have permission to view or change includin
modify the maximum size of the Windows Installer baseline file cache. If you set the baseline cache size to 0 the Windows Installer will
original GUID appears to be removed and the component as identified by the new GUID appears as a new component.(2) Add a new feat
ceed.This policy setting is designed for enterprises that use Web-based tools to distribute programs to their employees. However because
hat run in the user's security context.If you disable or do not configure this policy setting by default users who are not system administrato
nstaller will analyze the patch for specific changes to determine if optimization is possible. If so the patch will be applied using a minimal se
r based applications.If you disable or do not configure this policy setting users without administrative privileges can install non-administra
a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product.If you disable or do
ot restore the computer to its original state if the installation does not complete.This policy setting is designed to reduce the amount of te
er to use Restart Manager to detect files in use and mitigate a system restart when possible.-- The "Restart Manager Off" option turns off R
install of an application this hides a per-computer installation of that same product.If you enable this policy setting and "Hide User Installs
ng applies even when the installation is running in the user's security context. If you disable or do not configure this policy setting the
llation in which the transform file was used therefore the user must be using the same computer or be connected to the original or identi
s many or as few event types as you want. To disable logging delete all of the letters from the box. If you disable or do not configur
ure this policy setting by default the Windows Installer automatically creates a System Restore checkpoint each time an application is insta
tion instructs Windows Installer to automatically generate log files for packages that include the MsiLogging property.-- The "Logging via p
de software. This is the default behavior for Windows Installer on Windows 2000 Professional Windows XP Professional and Windows Vist
cker is on and not suspended” specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the
SAS.If you set this policy setting to "Services and Ease of Access applications" both services and Ease of Access applications can simulate t
gon attempted with that user name and the number of unsuccessful logons since the last successful logon by that user. This message must
restarts and user-initiated restarts and shutdowns. If you don’t configure this policy setting it is enabled by default. When the policy is ena
ure content that is already licensed to the local computer will continue to play. Users are also able to protect music that they copy from a C
or hide the anchor window when the Player is in skin mode by using the Player tab in the Player.If you do not configure this policy setting
me of the options can be configured by using other Windows Media Player group policies.If you disable or do not configure this policy setti
or do not configure this policy setting anyone using Windows Media Player can turn media sharing on or off.
e Video Smoothing check box is selected and is not available.If you do not configure this policy setting video smoothing occurs if necessary
oth are present the Computer Configuration version of this policy setting takes precedence.
essenger from that point on Windows Messenger will be loaded.The user can also configure this behavior on the Preferences tab on the T
er is on by default.
his policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet.Note: This policy setting exists und
f execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting the Lo
he Script Block Invocation Logging PowerShell additionally logs events when invocation of a command script block function or script st
ments directory with a file name that includes 'PowerShell_transcript' along with the computer name and time started. Enabling this p
iginate from the Internet must be signed by a trusted publisher.The "Allow all scripts" policy setting allows all scripts to run.If you disable
formation.If you disable this policy setting Reliability Monitor will not display system reliability information and WMI-capable applications
setting the WinRM client uses the Kerberos authentication directly.
thenticate the identity of the host.If you disable or do not configure this policy setting and the WinRM client needs to use the list of truste
ure the Windows Firewall policy setting with exceptions for Port 5985 (default port for HTTP).If you disable or do not configure this policy s
ration value will be erased from the credential store on this computer.If you disable or do not configure this policy setting the WinRM serv
e the hardening level locally on each computer. If HardeningLevel is set to Strict any request not containing a valid channel binding tok
A listener might be automatically created on port 80 to ensure backward compatibility.
86. A listener might be automatically created on port 443 to ensure backward compatibility.
shell.If you do not configure or disable this policy setting the default value of 900000 or 15 min will be used.
new allocation exceeds the specified quota.If you disable or do not configure this policy setting the value 150 is used by default.
er user.
gure this policy setting audio input will be enabled. Note that there may be security implications of exposing host audio input to the contai
working will be enabled. Note that enabling networking can expose untrusted applications to the internal network.
erly in Windows Sandbox. Note that there may be security implications of exposing host video input to the container.
act email number or email ID -Specify contact website Disabled: No contact information will be shown in Windows Security.
email number or email ID -Specify contact website Please note that in some cases we will be limiting the contact options that are d
indows Security or any notifications it creates. Not configured: Same as Disabled.

r any notifications it creates. Not configured: Same as Disabled.
olicy has no effect.

mended and important content for which they received a notification. Users will not see a User Account Control window and do not need
uled restart to notify the user that the auto restart is imminent to allow them time to save their work.If you disable or do not configure th
ates. If the "Configure Automatic Updates" policy is disabled this policy has no effect.
uter to do?' list.If you disable or do not configure this policy setting the 'Install Updates and Shut Down' option will be the default option in
pecify intranet Microsoft update service location" policy is disabled or not configured this policy has no effect.
cy setting the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available when
dows Update will use the Windows Power management features to automatically wake the system up to install the updates.Windows upd
mputer.Be aware that the computer needs to be restarted for the updates to take effect.If the status is set to Disabled or Not Configured A
d to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled this policy has no effect. This policy
allation.If the status is set to Not Configured a missed scheduled installation will occur one minute after the computer is next started.Note
atic updates installations. 2. Always automatically restart at scheduled time.
e deadline in days before automatically scheduling and executing a pending restart regardless of active hours. The deadline can be set bet
able this policy setting a notification message will appear on the user's computer when featured software is available. The user can click th
not alter its restart behavior.If the "No auto-restart with logged on users for scheduled automatic updates installations" policy is enabled
y updates. When Windows finds updates that apply to this computer users will be notified that updates are ready to be downloaded. A
hat devices aren’t automatically getting updates neither you nor device users will be aware of critical security quality or feature updates an
eadline has passed restarts will occur regardless of active hours and users will not be able to reschedule. If the deadline is set to 0 days the
auto-restart with logged on users for scheduled automatic updates installations. 2. Always automatically restart at scheduled time.Note
ocal computer.If you disable or do not configure this policy setting updates from an intranet Microsoft update service location must be sig
s. Note: The "Specify intranet Microsoft update service location" setting must be enabled for this policy to have effect. Note: If the
ng.Note: This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft
group names separated by semicolons. Otherwise a single group must be specified.If the status is set to Disabled or Not Configured no tar
ame values: the server from which the Automatic Updates client detects and downloads updates and the server to which updated worksta
s not configured or is disabled the device will continue to detect updates per your other policy configurations. Note: If you are using “
. Your feedback will be especially important here as it will help our engineers ensure key issues are fixed before a major release.Release P
authorized to bind the organization.If you enter an invalid value you will remain on your current version until you correct the values to a s
end of service can be specified. Note: If you set both policies the version specified will take precedence and the deferrals will not be in effe
gure this policy Windows Update will not alter its behavior.
will use the settings specified in the "Specify Work Folders settings" policy setting in User Configuration\Administrative Templates\Windo
ide. To specify a list of pages to show the policy string must begin with "showonly:" (without quotes) and to specify a list of pages to hide
path such as C:\Windows\Web\Screen\img104.jpg or a UNC path such as \\Server\Share\Corp.jpg.This can be used in conjunction with the
icy is also set on a supported version of Windows then that background takes precedence over this policy.
scheduled clean up task.

ific language used for the Windows menus and dialogs.
tion restriction for any user.
h UI language is used.
s not already known to the handwriting recognition engines (for example proper names and acronyms). Deleting email content or the bro
tting the default user account picture will display for all users on the system with no customization allowed.If you disable or do not configu
s token. This configures the LocalAccountTokenFilterPolicy registry value to 0. This is the default behavior for Windows.Disabled: Allows lo
rom being loaded when directly referenced by the document but does not prevent activation through another object.3. "Allow all activatio
Set the SMBv1 client driver to "Manual start" using the "Configure SMB v1 client driver" setting;* Enable this setting;* In the "Configure La
t from the dropdown:* "Manual start" for Windows 7 and Windows Servers 2008 2008R2 and 2012;* "Automatic start" for Windows 8.1 a
fter-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7 for additional information.
cpNodeType is present the computer uses B-node if there are no WINS servers configured for the network or H-node if there is at least on
d or Not Configured JScript will function without any restrictions.The values are set in hexadecimal and should be converted prior to chan
ndows Server 2008 R2 and Windows Server 2012.Enabled: Enables WDigest authentication.Disabled (recommended): Disables WDigest au
to set this setting to a value less than 15 minutes the default value of 15 minutes is applied.
downloads them from the origin server. If you enable this policy setting BITS downloads files from peers caches the files and respond
han BITS. This policy setting does not apply to BITS transfers over SMB. This setting has no effect if the computer's administrative settings
configure this policy setting the computer attempts to download peer-enabled BITS jobs from peer computers before reverting to the orig
loaded and cached files to its peers. Note: This setting has no effect if the "Allow BITS peer caching" setting is disabled or not configu
e removed from the peer cache. Note: This policy setting has no effect if the "Allow BITS Peercaching" policy setting is disabled or no
If you disable or do not configure this policy setting the default size of the BITS peer cache is 1 percent of the total system disk size.
e or do not configure this policy setting the default value of 90 days (7776000 seconds) will be used.
an specify the limit in kilobits per second (Kbps). If you specify a value less than 2 kilobits BITS will continue to use approximately 2 kilobits
BITS and specify a fixed maximum bandwidth that BITS will use for peer caching. If you enable this policy setting you can enter a valu
ower than the setting specified in the "Maximum number of BITS jobs for this computer" policy setting or 300 if the "Maximum number o
y services and the local administrator account do not count toward this limit.
al administrator account do not count toward this limit.
account do not count toward this limit.
re created by specifying only a priority. For example you can specify that background jobs are by default to transfer only when on unc
ity jobs are currently limited to 256 Kbps on a work schedule you can further limit the network bandwidth of normal priority jobs to 0 Kbp
edule is defined you can set the bandwidth usage limits for each of the three BITS background priority levels: high normal and low. Yo
period of time and still have pending jobs. Consider decreasing this value if you are concerned about orphaned jobs occupying disk sp
nt until the network latency reaches the specified value; when network latency is greater than the value clients begin caching content afte
"If you do not configure this setting all clients will use the version of BranchCache that matches their operating system.Policy configuration
vers in the branch office.If you enable this policy setting and specify valid computer names of hosted cache servers hosted cache mode is
guration by other group policies.If you enable this policy setting in addition to the "Turn on BranchCache" policy setting BranchCache client
omain members but you do not want to configure a BranchCache client computer cache age setting on all client computers you can specif
following:- Not Configured. With this selection BranchCache settings are not applied to client computers by this policy. In the circumstanc
nt to the hosted cache server for access by other hosted cache clients at the branch office.Policy configurationSelect one of the following:-
mputers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache
are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want t
ses wherever possible.Important At least one of the entries must be a PING: resource.-A Uniform Resource Locator (URL) that NCA querie
onfigure one endpoint for each tunnel. Each entry consists of the text PING: followed by the IPv6 address of an IPsec tunnel endpoint. Ex
e the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather
d by the DNS client first. If the query succeeds the response is returned to the client. If the query fails the unqualified multi-label name is a
esolution.Require DoH: Allow only DoH name resolution. If there are no DoH capable DNS servers configured name resolution will fail.If yo
cific DNS suffix if configured.
ble this policy setting or if you do not configure this policy setting computers will use the local or DHCP supplied list of DNS servers if config
fore sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com."To use this policy setting click Enabl
egistration and this policy setting must not be disabled.If you disable this policy setting computers may not use dynamic DNS registration f
If you disable this policy setting or if you do not configure this policy setting then DNS responses from networks lower in the binding order
use this policy setting to prevent users including local administrators from changing the primary DNS suffix.If you disable this policy setting
ingle-label unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and App
client appends DNS suffixes to the single-label unqualified domain name based on the state of the Append primary and connection specifi
uffix of microsoft.com will be registered as: mycomputer.microsoft.com.If you enable this policy setting a computer will register A and PTR
l not attempt to register PTR resource records.Register: Computers will attempt to register PTR resource records even if registration of the
records.Warning: If record scavenging is enabled on the zone the value of this policy setting should never be longer than the value of the D
cord might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default th
se the TTL settings specified in DNS. By default the TTL is 1200 seconds (20 minutes).
LMNR will be disabled on all available network adapters on the client computer.If you disable this policy setting or you do not configure th
queries will be issued if the DNS queries fail followed by NetBT queries if LLMNR queries fail.If you disable this policy setting or if you do no
nt will prefer link local responses for flat name queries on non-domain networks. Note: This policy setting is applicable only if the turn off
tting.If you disable this policy setting or if you do not configure this policy setting computers will use local settings. By default DNS clients att
e except the root zone.If you disable this policy setting or if you do not configure this policy setting computers do not send dynamic update
g the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
SPR protocol support.If you disable this policy setting WLAN hotspots are not probed for WISPr protocol support and users can only authen
box one cipher suite per line in order from most to least preferred with the most preferred cipher suite at the top. Remove any cipher suit
you do not want to enable BranchCache on all file servers you can specify Not Configured for this domain Group Policy setting and then co
port for V1 hashes BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes.Policy configurationSelect on
t until you restart Windows.
box one cipher suite per line in order from most to least preferred with the most preferred cipher suite at the top. Remove any cipher suite
S) appliances acting as file servers. Windows file servers require authentication and do not use insecure guest logons by default. Since inse
through CA shares. Note: This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Micro
hares. Note: Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition tim
naged network. On the other hand if a network interface is connected to an unmanaged network you may choose the "Allow operation w
ow the Responder to operate on a network interface that's connected to a managed network. On the other hand if a network interface is
l be performed.
gure this policy setting this computer can publish PNRP names and help other computers perform PNRP lookups.
ere are the four ways in which you can use this setting to control the seed server used in your corporation.1. In order to use the global we
fying this registry key will break scenarios where there is no seed server for bootstrap (such as ad hoc networking scenarios).If you disable
obal cloud if the computer has a global IPv6 address but creates a site-local cloud if the computer has a site-local address.If you enable this
’t enter any address no seed server will be used.If this setting is not configured the protocol will revert to using a public registry key to det
ecifying this registry key will break scenarios where there is no seed server for bootstrap (such as ad hoc networking scenarios).If you disa
ng and you don’t enter any address no seed server will be used.If this setting is not configured the protocol will revert to using a public reg
ecifying this registry key will break scenarios where there is no seed server for bootstrap (such as ad hoc networking scenarios).If you disa
segements together. This connection appears in the Network Connections folder.If you disable this setting or do not configure it the user
en the setting was refreshed this setting does not apply.The Internet Connection Firewall is a stateful packet filter for home and small offic
b in the Properties dialog box for a LAN or remote access connection is removed. The Internet Connection Sharing page is removed from t
ectAccess and the Internet is routed through the internal network.If you disable this policy setting traffic between remote client compute
for messages sent by computers that authenticate using IPsec. If you enable this policy setting and add systems to the list upon disabling t
y setting you must specify which ICMP message types Windows Defender Firewall allows this computer to send or receive.If you disable th
nnot clear it.If you disable this policy setting Windows Defender Firewall blocks these ports which prevents this computer from sharing file
and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports typica
tting Windows Defender Firewall blocks this port which prevents this computer from receiving Remote Desktop requests. If an administrat
mework" check box is selected and administrators cannot clear it.If you disable this policy setting Windows Defender Firewall blocks these
el does not allow administrators to define a local port exceptions list. However local administrators will still be allowed to create firewall r
nt in Control Panel does not allow administrators to define a local program exceptions list. However local administrators will still be allow
Firewall does not provide an option to log successful incoming messages.If you are configuring the log file name ensure that the Windows
ax click the Show button. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a port click its de
ows Defender Firewall to open even if that port is blocked by another policy setting such as the "Windows Defender Firewall: Define inbou
n work around the "Windows Defender Firewall: Do not allow exceptions" policy setting by turning off the firewall.If you disable this policy
box is selected and administrators cannot clear it.If you do not configure this policy setting Windows Defender Firewall behaves as if the p
computers and then blocks all later responses.Note: This policy setting has no effect if the unicast message is a response to a Dynamic Ho
etting administrators can use the Windows Defender Firewall component in Control Panel to turn Windows Defender Firewall on or off un
y setting you must specify which ICMP message types Windows Defender Firewall allows this computer to send or receive.If you disable th
nnot clear it.If you disable this policy setting Windows Defender Firewall blocks these ports which prevents this computer from sharing file
and LSASS.EXE to receive unsolicited incoming messages and allows hosted services to open additional dynamically-assigned ports typica
tting Windows Defender Firewall blocks this port which prevents this computer from receiving Remote Desktop requests. If an administrat
mework" check box is selected and administrators cannot clear it.If you disable this policy setting Windows Defender Firewall blocks these
el does not allow administrators to define a local port exceptions list. However local administrators will still be allowed to create firewall r
nt in Control Panel does not allow administrators to define a local program exceptions list. However local administrators will still be allow
Firewall does not provide an option to log successful incoming messages.If you are configuring the log file name ensure that the Windows
ax click the Show button. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a port click its de
ows Defender Firewall to open even if that port is blocked by another policy setting such as the "Windows Defender Firewall: Define inbou
n work around the "Windows Defender Firewall: Do not allow exceptions" policy setting by turning off the firewall.If you disable this policy
box is selected and administrators cannot clear it.If you do not configure this policy setting Windows Defender Firewall behaves as if the p
computers and then blocks all later responses.Note: This policy setting has no effect if the unicast message is a response to a Dynamic Ho
etting administrators can use the Windows Defender Firewall component in Control Panel to turn Windows Defender Firewall on or off un
ort 80). A proxy server used for this purpose must also be configured using the Intranet proxy servers for apps policy.Example: [cloudresou
configured with this setting are merged with proxies that are auto-discovered. To make this policy configuration the sole list of allowed pr
nodes. This setting should NOT be used to configure Internet proxies.Example: [3efe:3022::1000]; 18.0.0.1; 18.0.0.2For more information
setting are merged with the hosts that are declared as private through automatic discovery.To ensure that these addresses are the only a
addresses. For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
lly discover your private network hosts in the domain corporate environment. For more information see: http://go.microsoft.com/fwlink/p
o offline" indicates that network files are not available while the server is inaccessible.If you disable this setting or select the "Work offline"
the user.Note: Changes to this policy setting do not take effect until the affected computer is restarted.
zation are lost.
me' and 'Blockout Duration' to set a period of time where background sync is disabled. Use the 'Maximum Allowed Time Without A Sync' va
onfigured the default threshold value of 64000 bps is used to determine if a network connection is considered to be slow.Note: Use the fo
een the client and the server is below (slower than) the Throughput threshold parameter or if the round-trip network latency is above (slo
at user's make available offline manually.If you enable this setting you can specify an automatic-cache disk space limit.If you disable this s
n's data limit. The network folder must also be in "slow-link" mode as specified by the "Configure slow-link mode" policy to avoid network
he most current version from the server is always available for subsequent reads.This policy setting is triggered by the configured round tr
ugh the user interface.If you disable this policy setting all files in the Offline Files cache are unencrypted. This includes existing files as well
all preceding levels."0" records an error when the offline storage cache is corrupted."1" also records an event when the server hosting the
ng is designed to protect files that cannot be separated such as database components.To use this setting type the file name extension in th
e configured the setting in Computer Configuration takes precedence over the setting in User Configuration.
ble this policy setting you can specify the disk space limit (in megabytes) for offline files and also specify how much of that disk space can b
Computer Configuration and User Configuration folders. If both settings are configured for a particular server the setting in Computer Co
eir offline files.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the settin
ppears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuratio
appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configurati
ng in Computer Configuration takes precedence over the setting in User Configuration.
ation folders. If both policy settings are configured the policy setting in Computer Configuration takes precedence.The "Make Available Offl
g any lists inherited from lower precedence GPOs and the "Make Available Offline" command is displayed for all files and folders.If you do
de always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made available fo
able this setting or do not configure it the system asks users whether they want subfolders to be made available offline when they make a
not ensure that they are current.If you do not configure this setting the system performs a quick synchronization by default but users can
nization Manager is configured for logon synchronization the system performs only a quick synchronization. Quick synchronization ensure
r is suspended by closing the display on a portable computer files are not synchronized. If multiple users are logged on to the computer at
setting is not configured reminder balloons are displayed by default when you enable offline files but users can change the setting.To prev
tting has no effect on the system.Important: If the maximum number of outstanding packets is specified in the registry for a particular netw
of 80 percent of the connection.Important: If a bandwidth limit is set for a particular network adapter in the registry this setting is ignored
rk adapter then this setting is ignored when configuring that network adapter.
ce type is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapter.
DSCP value for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that ne
for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that network adap
he DSCP value for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that
rvice type is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapter.
his service type is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapter.
DSCP value for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that net
for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapt
e DSCP value for this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that n
this service type is specified in the registry for a particular network adapter this setting is ignored when configuring that network adapter.
tting is ignored when configuring that network adapter.
adapter this setting is ignored when configuring that network adapter.
s setting is ignored when configuring that network adapter.
rk adapter this setting is ignored when configuring that network adapter.
nored when configuring that network adapter.
tting is ignored when configuring that network adapter.
at receives SNMP packets from the network.If you enable this policy setting the SNMP agent only accepts requests from management sys
tting the SNMP agent only accepts requests from the list of permitted managers that you configure using this setting.If you disable or do no
anagement systems asynchronously.If you enable this policy setting the SNMP service sends trap messages to the hosts within the "public
ith one of the following settings:Policy Default State: 6to4 is turned off and connectivity with 6to4 will not be available.Policy Enabled Stat
s present even if the host has other connectivity options.Policy Disabled State: No IP-HTTPS interfaces are present on the host.
host.Policy Enabled State: If the ISATAP name is resolved successfully the host will have ISATAP configured with a link-local address and an
lient's NAT device Teredo might stop working or connectivity might be intermittent.If you disable or do not configure this policy setting th
s a domain controller.Enterprise Client: The Teredo interface is always present even if the host is on a network that includes a domain con
policy setting Window Scaling Heuristics will be disabled and system will not try to identify connectivity and throughput problems casued
ng operations are disabled over all media. If you do not configure this policy setting operations are enabled over all media. The default for
ccess all WCN wizards.
at the computer should no longer be connected to a network it waits for traffic to settle on that network. The existing TCP session will con
rst available in Windows 8. If this policy setting is set to 1 any new automatic internet connection is blocked when the computer has at
d network automatic connection attempts to domain based networks are blocked.Manual connection attempts- When the computer is al
mit. - Variable: This connection is costed on a per byte basis.If this policy setting is disabled or is not configured the cost of Wireless LAN con
ve shared with them and enables users on this device to share networks with their contacts."Enable paid services" enables Windows to te
e device.If you choose the "Force Allow" option Windows apps are allowed to access cellular data and employees in your organization cann
nnection is costed on a per byte basis.If this policy setting is disabled or is not configured the cost of 3G connections is Fixed by default.
connection is costed on a per byte basis.If this policy setting is disabled or is not configured the cost of 4G connections is Fixed by default.
de of Internet printing only. It does not prevent the print client on the computer from printing across the Internet. Also see the "Cust
Web Services printers: 0 Bluetooth printers: 10 Shared printers: 0 In order to view available Web Services printers on you
ld like to not display printers of a certain type enable this policy and set the number of printers to display to 0.In Windows 10 and later on
uter does not respond. If you disable this setting the domain controller does not prune this computer's printers. This setting is design
ocess print jobs into printer device commands. These commands will then be sent to the print server and the server will simply pass the c
hed" setting is disabled.
e verification interval.
he location of the user's computer. When users search for printers the system uses the specified location (and other search criteria) to fin
links only appear in the Printers folder when Web view is enabled. If Web view is disabled the setting has no effect. (To enable Web view o
before deleting printers from Active Directory. If you enable this setting you can change the interval between contact attempts.
ou can adjust the priority to improve the performance of this service. Note: This setting is used only on domain controllers.
mputer has published. By default the pruning service contacts computers every eight hours and allows two retries before deleting p
printer drivers will be blocked.If you enable this setting installation of a printer using a kernel-mode driver will not be allowed.Note: By app
gs may alter the process in which a print driver is executed.-This policy setting applies only to print drivers loaded by the print spooler. Prin
the Point and Print connection will fail.This policy setting is not configured by default and the behavior depends on the version of Window
gure this policy setting then applications that are configured to support driver isolation will be isolated.If you disable this policy setting the
SB printer queue the device vid/pid will be compared to the approved list.
value is two retries. The "Directory Pruning Interval" setting determines the time interval between retries; the default value is every eight
ver policy settings may alter the process in which a print driver is executed.-This policy setting applies only to print drivers loaded by the pr
ed by this policy. Administrators may need to set both policies to block all print connections to a specific print server.If this setting is enab
the client no connection will be made. -You can configure Windows Vista clients so that security warnings and elevated command pr
ation or location naming scheme. Enabling Location Tracking adds a Browse button in the Add Printer wizard's Printer Name and Sharing L
vers only when Active Directory is not available.Note: A client license is used each time a client computer announces a printer to a print br
uters running Windows 2000 Professional detect and republish deleted printer objects when they rejoin the network. However because no
and Taskbar do not show lists of recently or frequently used files folders or websites.If you disable or do not configure this setting the syste
tting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings so users cannot turn it to On. Select t
LT+DELETE and from the logon screen.If you disable or do not configure this policy setting the Power button and the Shut Down Restart Sl
ettings app. This is default behavior.Note: configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will supercede
d.Once the XML file is generated and moved to the desired file path type the fully qualified path and name of the XML file. You can type a l
ou enable this policy setting notifications can still be raised by applications running on the machine via local API calls from within the applic
feature occurs.Note: By default the System State Data feature is always enabled on Windows Server 2003. See "Supported on" for all supp
on/Logoff status messages"" policy setting is enabled.

en you shut down a computer running Windows Server. (See "Supported on" for supported versions.)If you enable this policy setting and c
utomatically.
wn().If you enable this policy setting the computer system safely shuts down and remains in a powered state ready for power to be safely r
ng searches might make some programs start or run slowly.If you disable or do not configure this policy setting the program continues wit
is policy setting the Persistent System Timestamp is refreshed according the default which is every 60 seconds beginning with Windows Se
setting and enter the desired folders in the text box on the Settings tab of the Policy Properties dialog box. Use a semicolon to separate fo
ettings available in Computer Configuration\Security Settings. Note: This policy setting is available under Computer Configuration
be specified when each path is separated by a semicolon. The network location can be either a folder or a WIM file. If it is a WIM file the lo
L Help Executable. If you disable or do not configure this policy setting DEP is turned on for HTML Help Executable. This provides an a
sage that doesn't provide any of the functionality controlled by this policy setting regardless of the file server configuration.If you do not c
interval unit (Hour 0-23 Day 0-31). User Publishing Refresh: Enables user publishing refresh (Boolean). User Publishing Refres
the reporting data. Data Cache Limit: This value specifies the maximum size in megabytes (MB) of the XML cache for storing reporti
ng the process's command line information will not be included in Audit Process Creation events.Default: Not configuredNote: When this p
e or do not configure (by default) this policy setting delegation of default credentials is not permitted to any computer. Applications depe
low delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names
resh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).If you disable this policy setting deleg
Remote Desktop Session Host running on any machine (TERMSRV/*).If you disable this policy setting delegation of fresh credentials is not
n delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).If you disable this po
s is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain
ames (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard characte
pal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard ch
re Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a s
pdated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will n
tials to the host.
rict credential delegation: Participating applications must use Restricted Admin or Remote Credential Guard to connect to remote hosts. R
cal machine account (LOCAL SYSTEM) must have access permission to the policy file. If using a signed and protected policy then disabling
el mode memory protections are enforced and the Code Integrity validation path is protected by the Virtualization Based Security feature
ports that are initiated by device manageability solutions (like MDM or SCCM) and will not interfere with their workflows.
do not configure this policy setting Windows creates a system restore point as it normally would.
ws retrieves device metadata from the Internet.
lly during the driver selection process. Selection is based on other criteria such as version number or when the driver was created. If you d
network is temporarily available.If the setting for searching only if needed is specified then Windows will search for a driver only if a driver
members of the Administrators group can determine the server used in the search for device drivers.
ver.If you disable or do not configure this policy setting members of the Administrators group are subject to all policy settings that restrict
er with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setti
pply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting Windows i
nabled together with the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criter
movable devicesDevice instance IDs1. Prevent installation of devices using drivers that match these device instance IDs2. Allow installation
setting.If you enable this policy setting Windows is prevented from installing or updating the driver package for any device that is not desc
all device match criteria" policy setting.If you enable this policy setting Windows is prevented from installing a device whose hardware ID o
remote desktop server.If you disable or do not configure this policy setting devices can be installed and updated as allowed or prevented
layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting. If you enable
ers that match these device setup classes" "Allow installation of devices that match any of these device IDs" and "Allow installation of dev
ase in the time taken for shutdown and hibernate.If you do not configure this policy setting the default behavior is observed and the NV c
g is applicable only if the NV cache feature is on.
licy setting the system will not manage the NV cache and will not enable NV cache power saving mode.If you disable this policy setting the
y setting the default behavior of the system is observed and frequently written files will be stored in the NV cache.Note: This policy setting
he system disables the "Enable quota management" option on the Quota tab of NTFS volumes.Note: This policy setting turns on disk quot
ced by default but administrators can change the setting.Enforcement is optional. When users reach an enforced disk quota limit the syste
e the setting while a setting is in effect.If you do not configure this policy setting no events are recorded but administrators can use the Qu
this policy setting no event is recorded but administrators can use the Quota tab option to change the logging setting.This policy setting do
onding options in the "Select the default quota limit for new users of this volume" section on the Quota tab.This policy setting applies to a
d to display properly in this scenario will be blurry until the user logs out and back in to Windows. When you enable this policy some blurry
cations.If GDI DPI Scaling is configured to both turn off and turn on an application the application will be turned off.
plication manifest.If GDI DPI Scaling is configured to both turn off and turn on an application the application will be turned off.
tting DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not configu
5dcb061-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or improperly formatted appid DCOM will add it to the list without c
allowed to install new driver packages on the system.
vice driver searching" is disabled or not configured the administrator will be prompted for consent before going to Windows Update to se
ed as malware but the computer cannot successfully boot without loading this driver.- Unknown: This driver has not been attested to by y
d.If you disable or do not configure this policy setting the Classification tab is hidden.
tion on the affected computers. If you disable or do not configure this policy setting the Global Resource Property List in AD DS provides the
s on a given system: - Default value calculation is: (([NumProcessors]/2) + 1) - Default max value calculation is: ([NumProcessors]*2)
n a given volume. If you disable short name creation on all data volumes then short names will only be generated for files created on the
s (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function.If you enable this
tting Windows Vista Windows 7 Windows 8 and Windows Server 2012 will use the standard English names for these subfolders when redi
g message appears to the user and an event log message (1529) is posted.- Loopback Group Policy processing is applied using the Group P
ater edit the GPO from a different-language system you get the English ADM files as they were in the GPO.You can change this behavior by
ill be logged on using cached credentialswhich will result in shorter logon times. Group Policy will be applied in the background after the n
s detected Group Policy will default to a slow network connection. This policy setting allows the administrator the option to override the d
ct on the system.The "Allow processing across a slow network connection" option updates the policies even when the update is being tran
processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow netwo
icy setting you can use the check boxes provided to change the options. If you disable or do not configure this policy setting it has no effec
icy runs in background mode or asynchronous foreground mode it continues to download the latest version of the policy information and
the programs' specified responses to slow links.If you enable this setting you can in the "Connection speed" box type a decimal number b
nfigure this policy setting it has no effect on the system.The "Allow processing across a slow network connection" option updates the polic
policy setting it has no effect on the system.The "Allow processing across a slow network connection" option updates the policies even w
after logon. If you do not configure this policy setting Group Policy will wait five minutes before running logon scripts.
sing" option prevents the system from updating affected policies in the background while the computer is in use. When background updat
connection" option updates the policies even when the update is being transmitted across a slow network connection such as a telephone
eriodic background processing" option prevents the system from updating affected policies in the background while the computer is in use
d.If you enable this policy setting you can use the check boxes provided to change the options. If you disable or do not configure this policy
ne which set of Group Policy Objects applies.If you enable this setting you can select one of the following modes from the Mode box:"Rep
essing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network co
llow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow n
dows edition. Changes to this policy take effect on reboot.
nt computer use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typ
Group Policy runs in background mode or asynchronous foreground mode it continues to download the latest version of the policy inform
not configure this policy setting the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
only to non-administrators. Administrators can still invoke a refresh of computer policy at any time no matter how this policy setting is con
o 64800 minutes (45 days). If you select 0 minutes the computer tries to update Group Policy every 7 seconds. However because updates
erfere with users' work and increase network traffic very short update intervals are not appropriate for most installations.If you disable or
ill use this administratively configured maximum wait time and override any default or system-computed wait time.If you disable or do no
olicy uses this administratively configured maximum wait time for workplace connectivity and overrides any default or system-computed w
olicy refresh interval for users" policy settings.Note: If you make changes to this policy setting you must restart your computer for it to take
nue to be applied.Note: For computers joined to a domain it is strongly recommended that you only configure this policy setting in domai
he RSoP information logged on a client computer you can use the RSoP snap-in in the Microsoft Management Console (MMC).
e the policy settings in the "Internet Communication settings" section are set to not configured.
Manager from automatically installing driver updates from the Windows Update website.If you disable or do not configure this policy setti
ed to use the Store service and the Store item is available in the Open With dialog.
g when you are presented with a certificate issued by an untrusted root authority your computer will not contact the Windows Update we
ivers over HTTP.
his policy setting event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the descripti
ting samples from the handwriting recognition personalization tool with Microsoft.If you disable this policy Tablet PC user writing samples
users can report handwriting recognition errors to Microsoft.If you do not configure this policy Tablet PC users can report handwriting reco
ntent.You might want to enable this policy setting for users who do not have Internet access because the content in the "Did you know?" s
ou disable or do not configure this policy setting the Knowledge Base is searched if the user has a connection to the Internet and has not d
e displayed.If you disable or do not configure this policy setting a list of providers are downloaded when the user uses the web publishing
etting the user is allowed to use the Web service.
oose to print to Internet printers over HTTP.Also see the "Web-based printing" policy setting in Computer Configuration/Administrative Te
s Product Activation is required but does not involve submitting any personal information (except the country/region you live in).
loads content updates unless the user is using Classic Search.Note: Internet searches still send the search text and information about the
hown.If you disable this policy setting Windows Messenger collects anonymous usage information and the setting is not shown.If you do n
this policy setting all users are opted out of the Windows Customer Experience Improvement Program.If you disable this policy setting all
for error reporting.Also see the "Configure Error Reporting" "Display Error Notification" and "Disable Windows Error Reporting" policy setti
onents that use NCSI to determine Internet access. If you disable or do not configure this policy setting NCSI runs one of the two active tes
rative Templates/System" which governs whether an administrator is prompted before searching Windows Update for device drivers if a d
ou disable or do not configure this policy setting the domain controller does not support claims compound authentication or armoring.If yo
will get the fresh public key identity SID.Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients w
ler does not provide information about previous logons unless the "Display information about previous logons during user logon" policy se
ain controllers to ensure consistent application of this policy in the domain. If you disable or do not configure this policy setting domain con
C will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found NTLM authenti
ld be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize u
mpound authentication always send a compound authentication request. If you disable or do not configure this policy setting and the reso
Value column type the list of DNS host names and DNS suffixes using the appropriate syntax format. To remove a mapping from the list cl
Name column type the interoperable Kerberos V5 realm name. In the Value column type the realm flags and host names of the host KDC
eck for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails.
granting service (TGS) message exchanges with the domain controllers. Note: The Kerberos Group Policy "Kerberos client support for claim
configure this policy setting the client devices will not request claims provide information required to create compounded authentication a
s X.509 certificate must be signed by a Certificate Authority (CA) in the NTAuth store. If the computer is not joined to a domain the Kerber
nt from LocalSystem or NetworkService might fail to authenticate.If you disable or do not configure this policy setting any service is allowe
wed maximum value whichever is smaller.If you disable or do not configure this policy setting the Kerberos client or server uses the locally
box in the Value Name column type a DNS suffix name. In the Value column type the list of proxy servers using the appropriate syntax for
ured for compound authentication by the following options:Never: Compound authentication is never provided for this computer account.
thentication using certificates then authentication with password will be attempted.Force: Device will always authenticate using its certifi
e the SPN because the name is not found NTLM authentication might be used.
gs.To set this policy setting on a per-user basis make sure that the per-computer policy setting is not configured.
enabled for their user account on the sign-in page.
cy setting is not configured.If you enable this policy setting the user cannot select a custom locale as their user locale but they can still sele
f this policy setting is disabled or not configured then the user can customize their user locale overrides.If this policy is set to Enabled at th
(United States) and English (Canada).If you enable this policy setting administrators can select a system locale only from the specified sys
en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada).If you ena
he screensaver timeout will limit the options the user may choose.If you disable this policy setting a user cannot change the amount of tim
e. Note that because this is a background refresh extensions such as Software Installation and Folder Redirection take two logons to apply
ain to which the computer is joined. If you disable or do not configure this policy setting the default logon domain is always set to the dom
000 Professional. It does not affect the ""Configure Your Server on a Windows 2000 Server"" screen on Windows 2000 Server.Note: This se
setting Windows Vista adds any customized run list configured to its run list.This policy setting appears in the Computer Configuration an
nd User Configuration folders. If both policy settings are configured the policy setting in Computer Configuration takes precedence over th
sof the credential providers to exclude from the set of installedcredential providers available for authentication purposes.If you disable or
ed in the %Systemroot% directory you must specify the fully qualified path to the file.If you disable or do not configure this policy setting
on.If you disable this policy setting users will not see the animation and Microsoft account users will not see the opt-in prompt for service
GATION_POLICY_DEP_ENABLE (0x00000001) Enables data execution prevention (DEP) for the child process PROCESS_CREATION_M
o establish a connection to this domain controller. If you enable this policy setting Net Logon will allow the negotiation and use of older cr
emulator if the DC fails to validate the password.If you disable this policy setting the DCs will not attempt to verify any passwords with the
usive access is requested and the caller has only read permission.By default the Netlogon share will grant shared read access to files on the
n by an expensive (e.g. ISDN) line this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted dom
is requested and the caller has only read permission.By default the SYSVOL share will grant shared read access to files on the share when e
bove.If you disable this policy setting or do not configure it the default behavior occurs as described above.
y DCs that were initially unavailable. If the value for this setting is too small clients will attempt to find DCs even when none are available.
is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0)
use their local configuration.
olicy setting is used.The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*
cified in the NegativeCachePeriod subkey the value in the NegativeCachePeriod subkey is used.Warning: If the value for this setting is too l
his setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.If the value for this setting is smaller than the valu
bling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are runnin
and can be used in an environment without WINS in an IPv6-only environment and whenever DC location based on a NetBIOS domain na
o discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons NetBI
l only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by defa
. But if some applications are broken due to the returned IPv6 DC address this policy can be used to disable the default behavior and enfo
S SRV resource records click Enabled and then enter a value. The range of values is from 0 to 65535.If you do not configure this policy setti
cts the target host to be contacted is proportional to the Weight field value in the SRV record.To specify the Weight in the DC Locator DNS
n the following behaviors:0 - DCs will never perform address lookups.1 - DCs will perform an exhaustive address lookup to discover additio
es.<DnsDomainName>Pdc SRV _ldap._tcp.pdc._msdcs.<DnsDomainName>Gc SRV _ldap._tcp.gc._msdcs.<DnsForestNam
ot configure this policy setting it is not applied to any DCs and DCs use their local configuration.
ers are configured to perform scavenging of the stale records this reregistration is required to instruct the DNS servers configured to auto
rds and the site-specific SRV records are dynamically registered by the Net Logon service and they are used to locate the application direc
e or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.To specify the site
GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access a
hops away could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A sit
no Global Catalog for the same forest exists.If you disable this policy setting the DCs will not register site-specific DC Locator DNS SRV reco
policy setting is enabled.If you enable this policy setting when the AllowSingleLabelDnsDomain policy is not enabled computers to which t
g an Active Directory domain specified with a single-label name using DNS name resolution.If you disable this policy setting computers to w
gured DNS host name as-is when registering domain controller SRV records.If not configured domain controllers will default to using their
pecified conditions for the maximum PIN length are not met default values will be used for both the maximum and minimum PIN lengths.
above specified conditions for the minimum PIN length are not met default values will be used for both the maximum and minimum PIN le
ange this setting.
tting users can control this setting.
e show" policy setting can be used to disable the slide show feature.
e show" policy setting can be used to disable the slide show feature.
policy setting can be used to disable the slide show feature.
policy setting can be used to disable the slide show feature.
show to run on the lock screen when the machine is locked this can prevent the sleep transition from occuring. The "Prevent enabling lo
show to run on the lock screen when the machine is locked this can prevent the sleep transition from occuring. The "Prevent enabling lo
be used to disable the slide show feature.
be used to disable the slide show feature.
er to restore the computer to the original state or from a user-created system image. This is the default setting. If you disable this policy
omputers running this version and a previous version of the operating system can connect to this computer.If you do not configure this po
nical support staff using Offer (Unsolicited) Remote Assistance.If you enable this policy setting you have two ways to allow helpers to provi
llow connections to this computer.If you do not configure this policy setting users can turn on or turn off Solicited (Ask for) Remote Assista
able this policy setting the user sees the default warning message.If you do not configure this policy setting the user sees the default warn
drag-Turn off backgroundIf you enable this policy setting bandwidth optimization occurs at the level specified.If you disable this policy setti
policy setting RPC clients will authenticate to the Endpoint Mapper Service for calls that contain authentication information. Clients makin
nter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation.If you disable this policy setting the RPC Runtim
PC state information.-- "None" indicates that the system does not maintain any RPC state information. Note: Because the basic state infor
n.If you do not configure this policy setting it remains disabled. It will only generate a status code to indicate an error condition.If you ena
C server runtime uses the value of "Authenticated" on Windows Client and the value of "None" on Windows Server versions that support t
the RPC Client the RPC Server and the RPC HTTP Proxy are all running Windows Server 2003 family/Windows XP SP1 or higher versions. If
able Data Drives."
ed and the DNS suffixes are not configured.
h Windows Vista operating system scripts that are configured to run asynchronously are no longer visible on startup whether this policy se
neously.This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Confi
operating system scripts that are configured to run asynchronously are no longer visible on startup whether the ""Run startup scripts visib
C). This policy setting is enabled in GPO A. GPO B and GPO C include the following computer startup scripts:GPO B: B.cmd B.ps1GPO C: C.cm
GPO B and GPO C include the following user logon scripts:GPO B: B.cmd B.ps1GPO C: C.cmd C.ps1Assume also that there are two users Qin
to finish. To direct the system to wait until the scripts have finished no matter how long they take type 0. This interval is particularly impor
OCA vulnerability.Audit: during authentication the domain controller will emit audit events for WHfB keys that are subject to the ROCA vu
Server 2008 R2) or the “Refresh the data shown in Server Manager every [x] [minutes/hours/days]” setting (in Windows Server 2012) that
dministrator logs on to the server. However if an administrator selects the "Do not show this window at logon" option the window is not d
o not start Server Manager automatically at logon” (Windows Server 2012) option is selected the console is not displayed automatically at
be automatically terminated during shutdown helping to ensure that Windows can shut down faster and more smoothly.
dence (unless you also configure the "Configure Storage Sense cadence" group policy).Disabled:Storage Sense is turned off the machine. U
setting in Storage settings.
ud-backed content.Disabled or Not Configured:By default Storage Sense will not dehydrate any cloud-backed content. Users can configur
Sense will delete files in the user’s Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settings.
ting files in the Downloads folder.Disabled or Not Configured:By default Storage Sense will not delete files in the user’s Downloads folder.
do not configure this policy setting users can change the System Restore settings through System Protection. Also see the "Turn off System
o not configure this policy setting users can perform System Restore and configure System Restore settings through System Protection.Also
detects or indicate to the user that assisted resolution is available.If you disable this policy setting Windows cannot detect troubleshoot o
ffect immediately.This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is sto
atibility issues for applications and drivers.If you do not configure this policy setting the PCA is configured to detect failures during applicati
t is required. This behavior is recommended for headless operation.Troubleshooting Only: Detection and troubleshooting of corrupted file
tting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in
potential data loss. If you disable this policy S.M.A.R.T. faults are still detected and logged but no corrective action is taken. If you do not
fault.This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.This policy setting takes effect o
de scenario execution policy is not configured.No reboots or service restarts are required for this policy setting to take effect. Changes take
er to download additional tools to diagnose problems on remote computers only. If you enable this policy setting for local and remote tro
t configure this policy setting MSDT support mode is enabled by default.No reboots or service restarts are required for this policy setting t
ly troubleshooting for critical problems by system features and Microsoft.2 = Automatically apply troubleshooting for critical problems by
and will suggest the application that should be re-installed. This behavior is recommended for headless operation and is the default recove
will not be able to detect troubleshoot or resolve problems on a scheduled basis.If you do not configure this policy setting local troublesho
dalone troubleshooting packs such as those found in .diagcab files.

hosted on Microsoft content servers from within the Troubleshooting Control Panel user interface.If you disable this policy setting users c
ect Windows Boot Performance problems and indicate to the user that assisted resolution is available.If you disable this policy setting Win
or disabled diagnostic scenarios are not executed.Note: The DPS can be configured with the Services snap-in to the Microsoft Managemen
on the DPS will detect Windows Resource Exhaustion problems and indicate to the user that assisted resolution is available.If you disable t
PS will detect Windows Shutdown Performance problems and indicate to the user that assisted resolution is available.If you disable this po
solution the DPS will detect Windows Standby/Resume Performance problems and indicate to the user that assisted resolution is available
PS will detect Windows System Responsiveness problems and indicate to the user that assisted resolution is available.If you disable this po
n blob plus the TPM user delegation blob or none.If you enable this policy setting Windows will store the TPM owner authorization in the
vigate to the "Command Management" section.If you disable or do not configure this policy setting only those TPM commands specified th
s disabled or until the TPM is in a Ready state.
enabled on a system and has taken effect (after a system restart) disabling it will have no impact and the system's TPM will remain config
ault Block List" column. The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scr
ured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands.If you disable or do not confi
s can send commands requiring authorization to the TPM.An authorization failure occurs each time a standard user sends a command to t
requiring authorization to the TPM.An authorization failure occurs each time a standard user sends a command to the TPM and receives
standard users can send commands requiring authorization to the TPM.An authorization failure occurs each time a standard user sends a
uring this policy setting you can alter this behavior.If you enable this policy setting the administrator group is also given full control to the u
you enable this policy setting you can change how long Windows waits for a response from the server before considering the connection t
d.If you enable this policy setting any local copies of the user's roaming profile are deleted when the user logs off. The roaming profile still
cally delete any profiles on the next system restart.
it ignores the policy settings that tell the system how to respond to a slow connection.If you disable this policy setting or do not configure
ade for the correct permissions if the profile folder already exists. For Windows Server 2003 family Windows 2000 Professional SP4 and Wi
stry at logoff but will unload the registry when all open handles to the per-user registry keys are closed.If you disable or do not configure t
ded.If you disable this policy setting or do not configure it Windows logs on the user with a temporary profile when Windows cannot load
nt in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory sc
sed profiles.If you enable this policy setting you can override the amount of time Windows waits for user input before using a default user
time. You can use this policy setting to change this behavior.If you enable this policy setting Windows will not delete Windows Installer or
or editing the registry the system cannot unload it. The system tries repeatedly (at a rate of once per second) to unload and update the re
to use roaming profiles from receiving their profile on a specific computer.If you enable this setting the following occurs on the affected co
ou can prevent changes made to a roaming profile on a particular computer from being persisted.If you enable this policy setting changes
oose to download the remote copy of the user profile. In Microsoft Windows Vista a check box appears on the logon screen and the user m
setting Windows waits for the network to become available up to the maximum wait time specified in this policy setting. Setting the value
re that you have set the appropriate security on the folder to allow all users to access the profile.If you enable this policy setting all users l
ofile's registry file at the specified interval after the user logs on. For example with a value of 6 hours the registry file of the roaming user p
o the file share. If you choose “On the local computer” enter a local path (for example C:\HomeFolder) in the Path box.Do not specify envir
eve the user's UPN SIP/URI and DNS."Always off" - users will not be able to change this setting and the user's name and account picture wi
slow.If you disable this policy setting or do not configure it when a remote profile is slow to load the system loads the local copy of the roa
5" as the maximum amount of disk space.If you disable this policy setting or do not configure it the default value is set to 50 MB on Windo
If you disable or do not configure this policy setting by default files are scanned only during setup.Note: This policy setting affects file scan
ameter controls the rate at which the W32time corrects the local clock's frequency. Lower values cause slower corrections; larger values c
ormation see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settin
ld card characters cannot be used when specifying the host URLs.

dation criteria. If you are aware that a trusted site has a certificate error but you want to trust it anyway you can select the certificate erro
r profiles for the Guest account and members of the Guests groupIf you enable this policy setting Group Policy allows deployment operati
on of Windows app packages.
ce.If you choose the "Force Allow" option Windows apps are allowed to access account information and employees in your organization c
hoose the "Force Allow" option Windows apps are allowed to access the eye tracker and employees in your organization cannot change it.
e "Force Allow" option Windows apps are allowed to access the call history and employees in your organization cannot change it.If you cho
rce Allow" option Windows apps are allowed to access contacts and employees in your organization cannot change it.If you choose the "F
rmation about other apps using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to get d
low" option Windows apps are allowed to access email and employees in your organization cannot change it.If you choose the "Force Den
ce Allow" option Windows apps are allowed to access location and employees in your organization cannot change it.If you choose the "Fo
e device.If you choose the "Force Allow" option Windows apps can read or send messages and employees in your organization cannot cha
the "Force Allow" option Windows apps are allowed to access motion data and employees in your organization cannot change it.If you ch
the "Force Allow" option Windows apps are allowed to access notifications and employees in your organization cannot change it.If you ch
ow" option Windows apps are allowed to access tasks and employees in your organization cannot change it.If you choose the "Force Deny
e the "Force Allow" option Windows apps are allowed to access the calendar and employees in your organization cannot change it.If you ch
he "Force Allow" option Windows apps are allowed to access the camera and employees in your organization cannot change it.If you choo
choose the "Force Allow" option Windows apps are allowed to access the microphone and employees in your organization cannot change
hoose the "Force Allow" option Windows apps are allowed to access trusted devices and employees in your organization cannot change it
ation can decide whether Windows apps can access the user's movements while the apps are running in the background by using Settings
ord and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organizati
cannot interact with applications using speech while the system is locked and employees in your organization cannot change it.If you disa
using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to communicate with unpaired w
you choose the "Force Allow" option Windows apps will have access to control radios and employees in your organization cannot change i
"Force Allow" option Windows apps are allowed to make phone calls and employees in your organization cannot change it.If you choose t
hoose the "Force Allow" option Windows apps are allowed to run in the background and employees in your organization cannot change it.
ays by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to take screenshots of vario
e device.If you choose the "Force Allow" option Windows apps are allowed to turn off the screenshot border and employees in your organ
this policy setting Windows Store apps can open files in the default desktop app for a file type.
figure this policy setting Windows Store apps can open URIs in the default desktop app for a URI scheme.Note: Enabling this policy setting
unched. This policy should not be enabled unless recommended by Microsoft as a security response because it can cause severe app c
stem is running any subsequent 16-bit applications launch faster but overall resource usage on the system is increased.If the status is set t
is interface.
cy applications and will not block known incompatible applications from installing. (For Instance: This may result in a blue screen if an old
try collection has stopped for all applications please reboot your machine.
lector will be turned on.Note: This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Invento
when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already
ot configure this policy setting Steps Recorder will be enabled.
ity of the applications they are using. If you disable or do not configure this policy setting the Switchback will be turned on.Please reboot t
ther autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. If you enable this polic
evices. If you enable this policy setting Autoplay is disabled on CD-ROM and removable media drives or disabled on all drives. Thi
trics to log on.

.Note: Users who log on using biometrics should create a password recovery disk; this will prevent data loss in the event that someone fo
cs cannot be used by any users to log on to a local Windows-based computer.Note: Users who log on using biometrics should create a pas
or Windows Hello face authentication is not required on unmanaged devices.

ironment variables in the path. If the path is not valid the BitLocker setup wizard will display the computer's top-level folder view.If you di
you use the XTS-AES algorithm. For removable drives you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other
will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.If you disable or do not confi
08 R2 or Windows 7.If you enable this policy setting you will be able to choose an encryption algorithm and key cipher strength for BitLoc
recovery key.If you enable this policy setting you can configure the options that the setup wizard displays to users for recovering BitLocke
system is rebooted or hibernated. This policy setting is only enforced when BitLocker or device encryption is enabled.Note: Some PCs may
this policy setting BitLocker secrets are removed from memory when the computer restarts.
nagement of certificate-based data recovery agents on BitLocker-protected drives and for potential updates to the BitLocker To Go Reade
uter. This policy setting is applied when you turn on BitLocker.Note: You might need to set up appropriate schema extensions and access c
.67.1.1Note: BitLocker does not require that a certificate have an EKU attribute but if one is configured for the certificate it must be set to
an be viewed. These operating systems have read-only access to BitLocker-protected drives.When this policy setting is enabled select the "
BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.In "Configur
upport hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-bas
y\ must be also enabled.Note: These settings are enforced when turning on BitLocker not when unlocking a volume. BitLocker will allow un
rs available on the drive.If you disable this policy setting users are not allowed to use smart cards to authenticate their access to BitLocker-
the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented
not enabled the options of "Require additional authentication at startup" policy apply.
tLocker setup.If you disable or do not configure this policy setting enhanced PINs will not be used.
he BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certifica
e of Secure Boot-based integrity validation.If you disable this policy setting BitLocker will use legacy platform integrity validation even on s
or the Local Group Policy Editor. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information ab
NOTE: If minimum PIN length is set below 6 digits Windows will attempt to update the TPM 2.0 lockout period to be greater than the def
ssage and URL" option.If you select the "Use custom recovery message" option the message you type in the "Custom recovery message o
hange while BitLocker protection is in effect the TPM will not release the encryption key to unlock the drive and the computer will instead
fferent values into the Platform Configuration Registers (PCRs). Use the "Configure TPM platform validation profile for native UEFI firmwa
nfiguration Registers (PCRs). Use the "Configure TPM platform validation profile for BIOS-based firmware configurations" group policy setti
do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardw
Password Policy\ must be also enabled.Note: These settings are enforced when turning on BitLocker not when unlocking a volume. BitLoc
vironment must be enabled on tablets to support the entry of the BitLocker recovery password. When the Windows Recovery Environmen
a password or a USB drive is required for start-up. When using a startup key the key information used to encrypt the drive is stored on the
e computer starts it can require users to insert a USB flash drive containing a startup key. It can also require users to enter a 4-digit to 20-d
Locker recovery.
guration Data (BCD) integrity validation as defined by the "Allow Secure Boot for integrity validation" group policy the "Use enhanced Boot
r content can be viewed. These operating systems have read-only access to BitLocker-protected drives.When this policy setting is enabled
Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about adding data recovery agents.
o not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardwar
settings are enforced when turning on BitLocker not when unlocking a volume. BitLocker will allow unlocking a drive with any of the prote
rotectors available on the drive.If you disable this policy setting users are not allowed to use smart cards to authenticate their access to Bi
encryption from the drive or suspend the encryption while maintenance is performed. Consult the BitLocker Drive Encryption Deploymen
access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These field
at icon will be configured according to the defaults for your Windows edition.
setting with a level of "Basic" or below users may see a limited set of tips.Also this setting only applies to Enterprise and Education SKUs.
x. To display the password click the password reveal button.The policy applies to all Windows components and applications that use the W
ter Windows credentials within the user’s desktop session potentially allowing malicious code access to the user’s Windows credentials.
if Microsoft is a processor for Windows diagnostic data from this device. Configuring this setting does not change whether diagnostic data
y supported on Enterprise Education and Server editions. - Send required diagnostic data. This is the minimum diagnostic data necessary
roxy configuration.The format for this setting is <server>:<port>
policy setting.
te this machine and its diagnostic data data with your organization.
the events required by Desktop Analytics which can be viewed at https://go.microsoft.com/fwlink/?linkid=2116020.If you disable or do no
view builds' under 'Windows Update for Business' for newer Windows 10 versions.
HTTP blended with Internet Peering.99 = Simple download mode with no peering. Delivery Optimization downloads using HTTP only and d
returned GUID value as the Group ID.
cy setting requires a logoff for it to be applied.
changed by users.
e client authentication certificate>. When using the HTTP protocol use port 5985.If you disable or do not configure this policy setting the Ev
Retain old events" policy setting is enabled new events are discarded and the old events are retained.
s change across all tools and APIs.
guration remains in effect.
an read or clear this log.Note: If you enable this policy setting some tools and APIs may ignore it. The same change should be made to the
s change across all tools and APIs.
guration remains in effect.
s from it.Note: If you enable this policy setting some tools and APIs may ignore it. The same change should be made to the "Configure log a
they were encrypted with.If you disable or do not configure this policy setting components will not encrypt event log messages before wr
nabled.If you enable this policy SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:• Warn
of the default Library definition files.

ed disabled or the client machine is not domain-joined no default associations will be applied at logon time.If the policy is enabled disable
olicy setting the protocol is fully enabled allowing the opening of folders and files.If you disable this policy setting the protocol is in the pro
disable or do not configure this policy setting Folder Redirection does not create a temporary file and functions as if both new and old loca
ding to on-disk restore points.If you do not configure this policy setting it is disabled by default.
setting it is disabled by default. The Restore button is active when the previous version is of a local file.
backup media.If you do not configure this policy setting it is disabled by default. The Restore button is active when the previous version is
configure this policy setting it is disabled by default. The Restore button is active when the previous version is of a file on a file share.
on are not registered and the Find My Device feature will not work.The user will also not be able to view the location of the last use of the
t restart the computer for this policy setting to take effect.
ote: This list can be created from a custom administrative template file. For information about creating this custom administrative templat
won't be able to change the Suggestions setting on the Settings charm.If you don't configure this policy setting users can change the Sugges
policy setting newly installed add-ons are automatically activated in the browser.If you disable or do not configure this policy setting newly
channel is used. This is the default behavior.- If you enable this policy you can configure redirected sites to open in up to three of the follo
this policy setting the user will have the freedom to automatically configure these settings.
moves the Connections tab from the interface.
policy is enabled the user cannot add secondary home pages.
use the Import/Export Settings wizard.If you disable or do not configure this policy setting the user will be able to use the Import/Export Se
settings. Note: Microsoft Edge Stable Channel must be installed for this policy to take effect.
being notified about new versions of the browser.
for administrators who want to use Software Distribution Channels to update their users' programs without user intervention.
text managing favorites and accessing Help. The Command bar enables the user to access and manage favorites feeds shortcuts to home
in sync with the ‘Send all intranet sites to Internet Explorer’ (‘SendIntranetToInternetExplorer’) policy. Additionally it’s best to enable this
you disable or don't configure this policy setting the menu option won't appear and users won't be able to run websites in Enterprise Mod
e domain per line to the text box. For example:microsoft.sharepoint.comoutlook.comonedrive.comtimecard.contoso.comLOBApp.contoso
ones. The decimal representation of this number is used to represent this number in policy. For example:• 2 - Intranet site zone only Bin
le to provide a default Pop-up Blocker exception list.Note: You can disable users from adding or removing websites to the exception list by
ar and F1 to access Help.

also want to enable the "Prevent managing pop-up exception list" and "Turn off pop-up management" policy settings to prevent the user f
the user can configure how windows open when he or she clicks links from other applications.
ators are turned on users can install search providers as Accelerators to include them on the Accelerator menu.
ther to turn on SmartScreen Filter during the first-run experience.

website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.If you disable or do
ess of which option is chosen.If you disable or do not configure this policy setting Internet Explorer may run the First Run wizard the first ti
ult providers installed do not appear (including providers installed from other applications). The only providers that appear are those in th
cal Intranet zone.This policy prevents users from changing site management settings for security zones established by the administrator.No
ministrative Templates\Windows Components\Internet Explorer\Internet Control Panel) which removes the Security tab from Internet Ex
Do not allow users to change policies" policy.
on the currently active browser.Note: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Send all
m and amount of physical memory. We recommend the default setting.The second algorithm must be explicitly enabled through the creatio
al security checks.If you disable or do not configure this policy setting the ActiveX Opt-In prompt appears.
en the average time to load all the user's enabled add-ons exceeds the threshold.If you disable or do not configure this policy setting users
tabbed browsing.
configure this policy setting the user is prompted to decide whether to turn on the SmartScreen Filter during the first-run experience.
tting the popup management feature will be functional.
ure this policy setting the user can turn on or turn off tabbed browsing.
se to turn the auto-complete setting for web-addresses on or off.
y setting the user can turn on and turn off the Suggested Sites feature.
mputer attempts to perform a Clipboard operation.If you do not configure this policy setting current values of the URL action for the applic
prompted when a script that is running in the Internet Explorer process attempts to perform a Clipboard operation.If you do not configure
tting.If you enable this policy setting and enter a value of 1 prompts are bypassed. If you enter a value of 0 prompts are not bypassed. Value
etting the Print menu in Internet Explorer will be available. Starting with Windows 8 the Print flyout for Internet Explorer will be available a
ou do not configure this policy setting the Microsoft-provided website lists are not active. The user can activate the feature by using the C
ards Mode. This option results in the greatest compatibility with existing webpages but newer content written to common Internet standa
y setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet content. Add
ab in Internet Options.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting has no effect.
ory List. Users can not delete browsing history.If you disable or do not configure this policy setting a user can set the number of days that
ng History dialog box. Starting with Windows 8 users can click the Delete Browsing History button on the Settings charm.
cking Protection data and Do Not Track exceptions stored for visited websites.This feature is available in the Delete Browsing History dialo
nabled this policy setting is enabled by default.

his policy setting has no effect.
ete.If you do not configure this policy setting the user can choose whether to delete or preserve InPrivate Filtering data when he or she cli
y" policy setting is enabled this policy setting is enabled by default.

vent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
emoves the Advanced tab from the interface.

y settings""Disable changing Automatic Configuration settings"
e General tab from the interface:"Disable changing home page settings""Disable changing Temporary Internet files settings""Disable chan
he Reset Web Settings feature""Disable changing default browser check"

ones: Do not allow users to add/delete sites"
s are converted to IDN format only for addresses that are in the Intranet zone. 3) Unicode domain names are always converted to IDN fo
d then under International select the "Use UTF-8 for mailto links" check box.
policy setting non-Internet Explorer components will be automatically installed as necessary.
ll be prompted when Web Components such as fonts would be downloaded.If you do not configure this policy users will be prompted wh
ngs. The default is on.
automatically launches any browser helper objects that are installed on the user's computer.
net Explorer only sends the Do Not Track header if inPrivate Browsing mode is used.If you don't configure the policy setting users can selec
net for new versions of the browser so does not prompt users to install them.If you do not configure this policy setting Internet Explorer d
ed.If you do not configure this policy setting Internet Explorer will not check server certificates to see if they have been revoked.
ecutable programs or display their identities before downloading them to user computers.If you do not configure this policy Internet Explo
ainst malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8 Enhanced Pr
net Explorer will save encrypted pages containing secure (HTTPS) information to the cache.
will not delete the contents of the user's Temporary Internet Files folder when browser windows are closed.If you do not configure this pol
mated pictures found in Web content.
the most preferred match.If you enable this policy setting the browser negotiates or does not negotiate an encryption tunnel by using the
using Internet Explorer settings. This feature is turned on by default
f you do not configure this policy setting a user will have the freedom to accept requests from Web sites for Profile Assistant information.
licy setting users can turn this behavior on or off using Internet Explorer Advanced Options settings. The default is to encode all query strin
aded into the background.If you don't configure this setting users can turn this behavior on or off using the Settings charm.
11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.If you don't configure this poli
ng Caret Browsing support can be turned on or off through the registry.
ble this policy setting Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of Prote
g session with the home page. Users cannot change this option to start with the tabs from the last browsing session.If you do not configur
ites will be able to store application caches on client computers. Allow website database and caches on Website Data Settings will be avai
g websites will be able to store an indexed database on client computers. Allow website database and caches on Website Data Settings wi
tting you provide the cache limit in MB. The default is 50 MB.If you enable this policy setting Internet Explorer will allow trusted domains to
cache expiration time limit for all application caches. The default is 30 days.
u provide the cache limit in MB. The default is 500 MB.If you enable this policy setting Internet Explorer will allow trusted domains to store
less than or equal to the size set in this policy setting.If you disable or do not configure this policy setting Internet Explorer will use the def
er will allow the creation of application caches whose manifest file contains the number of resources including the page that referenced th
onfigure this policy setting Internet Explorer will use the default maximum storage limit for all application caches. The default is 1 GB.
o not configure this policy setting Internet Explorer will use the default maximum storage limit for all indexed databases. The default is 4 G
and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equivalent
al sites into the Intranet Zone.
re: Trusted Sites zone (Low template) Intranet zone (Medium-Low template) Internet zone (Medium template) and Restricted Sites zone (
ct the intranet through the intranet settings dialog in Control Panel.
he Advanced page in the Internet Control panel).
ng treated as though it is in the Internet zone.If this policy setting is not configured a Notification bar notification appears for intranet conte
olicy setting users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not confi
control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you disable this po
implemented a custom security manager.If you do not configure this policy setting binary and script behaviors are available.
paste files from this zone automatically.
desktop items from this zone.

ing XBAPs.If you disable this policy setting XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you do n
ML files.If you disable this policy setting XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If you do
er cannot change this behavior.If you do not configure this policy setting the user can decide whether to load XPS files inside Internet Expl
onfigure this policy setting a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another Web
rch Connectors.If you do not configure this policy setting users can perform OpenSearch queries in this zone using Search Connectors.
eturned as search results in File Explorer will be affected. MAPI items reside in the Internet zone so disabling this policy for the Internet zo
in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure this p
fied zones.If you disable this policy setting video and animation cannot be played through older media players.If you do not configure this p
an click on the Notification bar to allow the ActiveX control prompt.

wnload prompt.
will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.If you
figure this policy setting Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that has n
cks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off usi
ther to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
signed controls.
rent windows. Users cannot change this setting.In Internet Explorer 10 if you disable this policy setting or do not configure it users cannot
window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10 if you disable this policy setting or do not c
s zone as dictated by the feature control setting for the process.If you do not configure this policy setting the MIME Sniffing Safety Feature
ML form.If you do not configure this policy setting the user can choose whether path information is sent when he or she is uploading a file
are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting ActiveX controls that ca
un in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting Java applets cannot run.If you do no
running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users are que
s in other zones. After a user is queried these values can be used silently for the remainder of the session.Automatic logon with current us
o not configure this policy setting users can open windows and frames from othe domains and access applications from other domains.
you disable this policy setting Internet Explorer will not execute unsigned managed components.If you do not configure this policy setting
le this policy setting Internet Explorer will not execute signed managed components.If you do not configure this policy setting Internet Exp
ng the user can configure how the computer handles these files. By default these files are blocked in the Restricted zone enabled in the In
ed on) users' computers.High safety to prevent users from being notified of software updates by e-mail software packages from being auto
his policy setting information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this policy
Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting .NET Framework Setup is tu
n prompt is turned off by default.
n this zone for malicious content.
wser's history in favorites in an XML store or directly within a Web page saved to disk.If you do not configure this policy setting users can p
this policy setting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Pr

o not have installed.
figure this policy setting Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a Web site
k with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off using
signed controls.
n prompt is turned on by default.

automatically.
gned controls without user intervention.
ed controls without user intervention.
running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users can run
s policy setting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Prote
implemented a custom security manager.If you do not configure this policy setting only behaviors listed in the Admin-approved Behaviors


wnload prompt.
signed controls.
s zone as dictated by the feature control setting for the process.If you do not configure this policy setting the actions that may be harmful


wnload prompt.
signed controls.
automatically.

wnload prompt.
signed controls.
implemented a custom security manager.If you do not configure this policy setting binary and script behaviors are not available unless ap
ther to drag or copy files from this zone.
ems from this zone.

onfigure this policy setting a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another W
rch Connectors.If you do not configure this policy setting users cannot perform OpenSearch queries in this zone using Search Connectors.

wnload prompt.
t be downloaded.
signed controls.
running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users are pre
cess applications from different domains.If you do not configure this policy setting users cannot open other windows and frames from diff
wser's history in favorites in an XML store or directly within a Web page saved to disk.If you do not configure this policy setting users canno
automatically.

wnload prompt.
signed controls.
ppear to allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you
implemented a custom security manager.If you do not configure this policy setting binary and script behaviors are not available unless ap
ther to drag or copy files from this zone.
ems from this zone.

onfigure this policy setting a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to another W
rch Connectors.If you do not configure this policy setting users cannot perform OpenSearch queries in this zone using Search Connectors.
wnload prompt.
t be downloaded.
signed controls.
running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users are pre
cess applications from different domains.If you do not configure this policy setting users cannot open other windows and frames from diff
wser's history in favorites in an XML store or directly within a Web page saved to disk.If you do not configure this policy setting users canno
automatically.
choose whether to allow the unsigned control to run.

esults is displayed in the main window.If you disable or do not configure this policy setting the user can specify what action applies to sea
his policy setting you can choose where to direct the user after a search on the Address bar: a top-result website or a search-results webpa
y setting URL Suggestions will be turned on. Users will be able to turn on or turn off URL Suggestions in the Internet Options dialog. By defa
icy setting Internet Explorer uses Windows Search AutoComplete to provide relevant results in the Address bar. The user cannot change th
update information URL.If you disable or do not configure this policy setting the user can specify the cipher strength update information U
nfigure this policy setting the user can establish the InPrivate Filtering threshold by clicking the Safety button and then clicking InPrivate Fi
configure this policy setting the user can establish the Tracking Protection threshold by clicking the Safety button and then clicking Trackin
you do not configure this policy setting it can be configured on the Privacy tab in Internet Options.
on or off on the Privacy tab in Internet Options.
ou do not configure this policy setting it can be configured through the registry.
or use.If you do not configure this policy setting it can be configured through the registry.
plication.If you disable or do not configure this policy setting the reveal password button can be shown by the application as a user types
tting has no effect if Windows has been configured to enable Data Execution Prevention.
e this policy setting Data URI support can be turned on or off through the registry.
of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list enter the following information:Name of t
pect add-on management user preferences or policy settings.
s not listed within the 'Add-on List' policy setting. This policy setting effectively removes this option from users - all add-ons are assumed t
user preferences and policy settings. If you enter a Value of 0 the add-on management user preferences and policy settings are ignored b
utton lets the user run the outdated ActiveX control once.For more information see "Outdated ActiveX Controls" in the Internet Explorer T
you want to include http://example use "example"3. "file:///path/filename.htm". For example use "file:///C:/Users/contoso/Desktop/ind
ocking of outdated ActiveX controls for Internet Explorer on specific domains" policy settings.For more information see "Outdated ActiveX
object.If you disable or do not configure this policy setting websites can request data across domains by using the WebSocket object. By d
st data across domains by using the XDomainRequest object.
behavior notation e.g. #default#vml.If you disable this policy setting no behaviors will be allowed in zones set to 'admin-approved' just as i
MD4 signing technologies.

tting binary behaviors are prevented for the File Explorer and Internet Explorer processes.
lowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do
cy setting Consistent Mime Handling is enabled for all processes.If you disable or do not configure this policy setting Consistent Mime Han
cy setting Internet Explorer requires consistent MIME data for all received files.If you disable this policy setting Internet Explorer will not r
ows administrators to define applications for which they want this security feature to be prevented or allowed.If you enable this policy setti
ity applies to all local files and content processed by any process other than Internet Explorer or those defined in a process list.If you disab
g the Local Machine zone security applies to all local files and content processed by Internet Explorer.If you disable this policy setting Loca
ocal Machine Zone security applies. If you enter a value of 0 Local Machine Zone security does not apply. If a Value Name is empty or the V
s not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processe
rotocol is prevented for File Explorer and Internet Explorer and resources hosted on the MK protocol will fail.
the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Pr
ses other than File Explorer or Internet Explorer.If you do not configure this policy setting no policy is enforced for processes other than Fil
value names http and https.If you disable this policy setting restricting content obtained through restricted protocols is prevented for File
ols is allowed. If you enter a Value of 0 restricting content obtained through restricted protocols is blocked. The Value Name is the name o
over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone no protocols are restricte
n bar will not be displayed for all processes other than Internet Explorer or those listed in the Process List.
r Processes.
cutable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in thi
within or across domains for Internet Explorer processes.

empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Inter
esses other than Internet Explorer or those listed in the Process List receive no such protection.
Explorer processes.If you disable this policy setting no zone receives such protection for Internet Explorer processes.If you do not configur
is security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 elevation to more privileged zones ca
lated Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes config
his list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the
s and windows that obfuscate other windows.If you do not configure this policy setting popup windows and other restrictions apply for Fil
may not be opened. If you enter a Value of 0 windows have none of these restrictions. The Value Name is the name of the executable. If a V
nly icons.If you disable or do not configure this policy setting the command buttons show selective text by default and the user can chang
not prompted and incompatible toolbars run unless previously disabled through policy settings or user choice.If you disable or do not confi
sable or do not configure this policy setting IIS can be installed as well as all the programs and applications that require IIS to run.
el will apply.
elay will be applied to Automatic Maintenance.
his policy setting the wake setting as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply.
evice to MDM service specified in the Azure AD. If you disable this policy setting MDM will be unenrolled.
e any user signs in to a device to prevent cached tokens from being present. If this setting is disabled or not configured applications and se
omputer is restarted the service will be started if it is set to Automatic startup. After the service has started there will be a check to see if a
sabled: Potentially unwanted software will not be blocked. Not configured: Same as Disabled.
icy will be used in the resulting effective policy. Group Policy settings will override preference settings configured by the local administrato
rding to the order specified above. If you disable or do not configure this setting the proxy will skip over this fallback step according to t
ed above. The URL should be proceeded with either http:// or https://. If you disable or do not configure this setting the proxy will skip o
fender Antivirus. Otherwise Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software
olicy setting Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately
e is not used and it is recommended that this be set to 0.
windows\app.exe". The value is not used and it is recommended that this be set to 0.
ture will not function. MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Sen
e was removed. The information will be automatically collected and sent. In some instances personal information might unintentionally b
subsample of audit events are collected for ASR rules will the value of not configured. Enabled: Specify the state for each ASR rule unde
will be applied to the ASR rules. Not configured: Same as Disabled. You can configure ASR rules in the Configure Attack Surface Reducti
You can enable controlled folder access in the Configure controlled folder access GP setting. Default system folders are automatically gu
n the Configure allowed applications GP setting. Default system folders are automatically protected but you can add folders in the Con
e as Disabled. You can enable controlled folder access in the Configure controlled folder access GP setting. Microsoft Defender Antiviru
n a record of the event will be in the event logs. Disabled: Users and applications will not be blocked from connecting to dangerous do
nding on the value of EnableNetworkProtection.
other MAPS settings - "Configure the 'Block at First Sight' feature; "Join Microsoft MAPS"; "Send file samples when further analysis is requ
enabled in order to function. Possible options are: (0x0) Default Microsoft Defender Antivirus blocking level (0x1) Moderate Micro
nding on the value of EnableNetworkProtection.

ter that is up-to-date with all the latest security updates network protection will have no impact on network performance. If you enable
vity will be present on those volumes. The options for this setting are mutually exclusive: 0 = Scan incoming and outgoing files (default)
uency specified. If you disable or do not configure this setting a scheduled full scan to complete remediation will run at a default frequen
plete remediation will run at a default time.
cheduled scan will run at a default frequency.

gured there will be no catch-up scan run. If you disable or do not configure this setting catch-up scans for scheduled full scans will be tur
nfigured there will be no catch-up scan run. If you disable or do not configure this setting catch-up scans for scheduled quick scans will b
ault number of days.
this setting the antimalware service will not receive notifications to disable security intelligence.
security intelligence updates will be enabled. If you disable this setting real-time security intelligence updates will disabled.
ecified source the remaining sources in the list will not be contacted. If you disable or do not configure this setting the list will remain em
e. If you disable or do not configure this setting spyware security intelligence will be considered out of date after the default number of
ou disable or do not configure this setting virus security intelligence will be considered out of date after the default number of days have p
n the order specified. Once security intelligence updates have been successfully downloaded from one specified source the remaining sou
isable or do not configure this setting the check for security intelligence updates will occur at a default frequency.
me of day specified. If you disable or do not configure this setting the check for security intelligence updates will occur at the default tim
e.Important: If you turn on this policy a compromised container could bypass camera and microphone permissions and access the camera
n result in data loss for the employee.If you disable or don't configure this setting Application Guard deletes all user data within the Applic
endering graphics hardware Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.Note:Be a
8a362c860c36a6461f31e3aa7e58c141b1d49f06d2a697a544a1059bd59a7b058cda924
tionality a potentially compromised Application Guard session will have access to the host device’s clipboard and its content.If you choose
le or don't configure this setting all print functionality is turned off in Application Guard.
ProcessMitigation PowerShell cmdlet or using the Export button at the bottom of the Exploit Protection area in Windows Security.- Place t
or teacher.
employees can see the Address bar drop-down functionality in Microsoft Edge. If you disable this setting employees won't see the Ad
e employee to use Internet Explorer 11 where the site is automatically rendered as though it’s in whatever version of IE is necessary for it t
ows sign in when the system is idle or each time Microsoft Edge is closed.
e Start or New Tab page during Windows sign in and each time Microsoft Edge is closed.
e this setting users can't add search engines or change the default used in the address bar.
abled this policy does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this in Group Policy Editor
e you must also add a link to your OpenSearch XML file including at least the short name and https: URL of the search engine. For more inf
Microsoft Edge.
ites asking for tracking info.
d the favorites bar is hidden and the favorites bar toggle resets to Off but disabled preventing your users from making changes. An error m
ome button loads the Start page.- Show home button & set to New tab page is selected clicking the home button loads a New tab page.- S
s running Windows desktop editions” (https://aka.ms/E489vw).If enabled and set to 0 (Default or not configured):- If it’s a single app it run
ser to continue and if no user action Microsoft Edge resets after 30 seconds.If you set this policy to 0 Microsoft Edge does not use an idle ti
d(s). If selected you must specify at least one URL in Configure Start Pages; otherwise this policy is ignored.When enabled and you want to
of Microsoft Edge.
osoft enable this policy and use the <about:blank> value which honors domain- and non-domain-joined devices when it is the only configu
oblems while using legacy apps.

ng employees can choose whether to use Windows Defender SmartScreen.
cked down.Supported devices: Domain-joined or MDM-enrolledRelated policy:- Configure Start Pages- Configure Open Microsoft Edge W
eir favorites between Internet Explorer and Microsoft Edge.If you disable or don't configure this setting (default) employees can add impor
colon delimited list of extension package family names (PFNs). For example adding Microsoft.OneNoteWebClipper_8wekyb3d8bbwe;Mic
h settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.If you disable or don't configure thi
OpenSearch XML file including at least the short name and https: URL of the search engine. For more info about creating the OpenSearch
behavior occurs and no additional page displays.Default setting: Disabled or not configuredRelated policies:-Configure the Enterprise Mode
e UI settings for the home button are disabled preventing your users from making changes.Default setting: Disabled or not configuredRelat
c provider. Settings are written directly to the settings storage location rather than being cached to sync later. Set SyncMethod to “Extern
cts their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will default to
ng the settings storage location before synchronizing settings packages. If you do not configure this policy any defined values will be delete
ackage size.
ation.If you specify a UNC path and leave the option to replace the default Microsoft templates unchecked the UE-V Agent will use the def
that is roaming.If you do not configure this policy setting any defined values are deleted.
onized.If you do not configure this policy setting any defined values are deleted.
nly the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization.If you disable th
.With this setting disabled the tray icon does not appear in the system tray UE-V never displays notifications and the user cannot access Co
ooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE-V wa
ng any defined values will be deleted.
nue to be backed up.If you disable this policy setting certain user settings which are common between the Microsoft Office Suite 2013 app
nue to be backed up.If you disable this policy setting certain user settings which are common between the Microsoft Office Suite 2016 app
defined values will be deleted.
olicy setting any defined values will be deleted.
y setting any defined values will be deleted.
setting any defined values will be deleted.
tting any defined values will be deleted.
g the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any version
ned values will be deleted.
ned values will be deleted.
his policy setting any defined values will be deleted.
is policy setting any defined values will be deleted.
nfigure this policy setting any defined values will be deleted.
nfigure this policy setting any defined values will be deleted.
etting any defined values will be deleted.
ft Office Suite 2010 applications continue to synchronize.If you disable this policy setting the user settings which are common between the
re excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
re excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
le this policy setting Microsoft Office 365 Access 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft O
le this policy setting Microsoft Office 365 Access 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft O
n the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V.If you enable this policy setting user se
n the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V.If you enable this policy setting user se
is policy setting Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 3
is policy setting Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 3
enable this policy setting Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V.If you disable this policy setting Mic
policy setting Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365
policy setting Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365
ou enable this policy setting Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V.If you disable this policy setting M
ou enable this policy setting Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V.If you disable this policy setting M
enable this policy setting Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V.If you disable this policy setting Micro
enable this policy setting Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V.If you disable this policy setting Micro
E-V.If you enable this policy setting Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V.If you disable this polic
E-V.If you enable this policy setting Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V.If you disable this polic
ble this policy setting Microsoft Office 365 Project 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft
ble this policy setting Microsoft Office 365 Project 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft
ou enable this policy setting Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V.If you disable this policy setting
ou enable this policy setting Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V.If you disable this policy setting
etween computers with UE-V.If you enable this policy setting Microsoft Office 365 SharePoint Designer 2013 user settings continue to syn
s policy setting Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 36
s policy setting Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 36
his policy setting Microsoft Office 365 Word 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offic
his policy setting Microsoft Office 365 Word 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offic
If you do not configure this policy setting any defined values will be deleted.
configure this policy setting any defined values will be deleted.
gure this policy setting any defined values will be deleted.
f you do not configure this policy setting any defined values will be deleted.
xcluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
xcluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
ettings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
icy setting any defined values will be deleted.
s policy setting any defined values will be deleted.

cy setting any defined values will be deleted.
er 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
fined values will be deleted.
y defined values will be deleted.
isable this setting do not return the setting to Not Configured. Doing so will not change the configuration and the last configured setting w
ork with OneDrive file storage.
nd features can work with OneDrive file storage.
with a connected account will save documents to OneDrive by default.
acy experience may launch for newly-created user accounts or for accounts that should be prompted to choose their privacy settings after
onnected will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration.If you do not con
stomize their system settings for presentations in Windows Mobility Center.If you do not configure this policy setting Windows presentati
espond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on
will try to issue a Windows Server 2003 TS CAL for clients connecting to a terminal server running Windows Server 2003.By default if the m
rom unknown publishers on the client computer. If the user tries to start an RDP session the user receives a message that the publisher ha
cifying an .rdp file).If you enable or do not configure this policy setting users can run .rdp files that are signed with a valid certificate. Users
Host server can be authenticated the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be
se hardware accelerated decoding if supported hardware is available.
s of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2 and a user is prompted on both the client computer and on the RD Sess
u disable or do not configure this policy setting no publisher is treated as a trusted .rdp publisher.Notes:You can define this policy setting i
DP redirection by using any user account.For this change to take effect you must restart Windows.
tions.If you do not configure this policy setting Remote Desktop Services uses the Remote Desktop setting on the target computer to deter
gured automatic reconnection is not specified at the Group Policy level. However users can configure automatic reconnection using the "R
RD Session Host server is configured to allow multiple sessions) and the original session might still be active.If you enable this policy settin
he connected administrator is allowed.Note: The console session is also known as Session 0. Console access can be obtained by using the
mited number of Remote Desktop Services sessions and Remote Desktop for Administration allows two Remote Desktop Services sessions
do not configure this policy setting this policy setting is not specified at the Group Policy level.
ote Desktop Protocol will not try to adapt the remote user experience to varying network quality. If you disable Connect Time Detect and
will use TCP.If you disable or do not configure this policy setting RDP will choose the optimal protocols for delivering the best user experie
hout the user's consent.4. View Session with user's permission: Allows the administrator to watch the session of a remote user with the us
If you disable or do not configure this policy setting the Start screen is shown and apps are registered in the background.
etting in a Remote Desktop Protocol (.rdp) file. By default video playback is enabled.By default audio and video playback redirection is not
08 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7 or Windows Server 20
is the same as the server time zone.Note: Time zone redirection is possible only when connecting to at least a Microsoft Windows Server
ure this policy setting any UI Automation clients on your local computer can interact with remote apps. For example you can use your loca
allows Clipboard redirection.If you do not configure this policy setting Clipboard redirection is not specified at the Group Policy level.
ote Desktop Services always allows COM port redirection.If you do not configure this policy setting COM port redirection is not specified a
py redirection is not allowed on computers running Windows Server 2003 Windows 8 and Windows XP.If you disable this policy setting clie
llowed.If you do not configure this policy setting LPT port redirection is not specified at the Group Policy level.
st Microsoft Windows XP Professional and the target server must be joined to a domain.
hoose the supported Plug and Play devices to redirect to the remote computer.If you enable this policy setting users cannot redirect their
nection to choose the video capture devices to redirect to the remote computer.
ency as determined by the codec that is being used. If you select Dynamic the audio will be sent with a level of compression that is determ
his policy setting these notifications will not be displayed on the RD Session Host server.If you disable or do not configure this policy settin
ave an RDS Per Device CAL issued from an RD Licensing server. If you enable this policy setting the Remote Desktop licensing mode tha
wing order: 1. Remote Desktop license servers that are published in Active Directory Domain Services. 2. Remote Desktop license serve
tting users can redirect print jobs with client printer mapping.If you do not configure this policy setting client printer mapping is not specifi
cally maps the client default printer and sets it as the default printer upon connection.If you do not configure this policy setting the defau
ot available. You can choose to change this default behavior. The available options are:"Do nothing if one is not found" - If there is a printe
atches the client printer the client printer is not available for the Remote Desktop session.If you disable this policy setting the RD Session H
e entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is chec
pecified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user.T
home directory on the local computer type the Home Dir Root Path in the form "Drive:\Path" (without quotes) without environment varia
profiles are not used by users connecting remotely to the RD Session Host server.Note:For this policy setting to take effect you must also e
farm name the server joins that farm in RD Connection Broker.If you enable this policy setting you must specify the name of a farm in RD
er 2012 for a high availability setup with multiple RD Connection Broker servers you must provide a semi-colon separated list of the FQDNs
farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting.If you
ost server where their session exists. To use this redirection method client computers must be able to connect directly by IP address to RD
g overrides any initial program policy settings.If you disable or do not configure this policy setting an initial program can be specified that
es less network bandwidth but is more memory-intensive. Additionally a third option is available that balances memory usage and networ
and set quality to Medium RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode p
ure this policy setting the RemoteFX experience will change dynamically based on the network condition."
ort the Windows Server 2008 R2 SP1 RemoteFX Codec.If you disable or do not configure this policy setting non-Windows thin clients that o
emote Desktop Services sessions.If the status is set to Enabled wallpaper never appears in a Remote Desktop Services session.If the status
olor support available on the client computer. If you select Client Compatible the highest color depth supported by the client will be used.I
disable or do not configure this policy setting the maximum resolution that can be used by each monitor to display a Remote Desktop Ser
ber of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level.
ndows dialog box.Note: This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other met
urity remains in the Settings menu.
u and Windows Desktop are not displayed and when the user exits the program the session is automatically logged off.To use this setting in
t use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do
ver use the Microsoft Basic Render Driver as the default adapter. In all other cases Remote Desktop Services sessions use the hardware gra
ed on an RD Session Host server RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme.If you ena
ither Rich multimedia or Text.If you disable or do not configure this policy setting Remote Desktop Services sessions are optimized for rich
at is performed).If you have a higher than average bandwidth network you can maximize the utilization of bandwidth by selecting the high
ktop Services by supplying their passwords in the Remote Desktop Connection client. They are prompted for a password to log on.If you di
nly.If you disable or do not configure this policy setting server administrators have full read/write permissions to the user security descript
always requests security for all RPC traffic. However unsecured communication is allowed for RPC clients that do not respond to the requ
If Transport Layer Security (TLS) version 1.0 is supported it is used to authenticate the RD Session Host server. If TLS is not supported nativ
Desktop Connection on the client computer click the icon in the upper-left corner of the Remote Desktop Connection dialog box and then c
nsidered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occur
e the encryption method specified in this setting. By default the encryption level is set to High. The following encryption methods are avail
r active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings.If you en
to keep the session active. If you have a console session idle session time limits do not apply.If you disable or do not configure this policy s
you have a console session active session time limits do not apply.If you disable or do not configure this policy setting this policy setting is
sconnected sessions are maintained for an unlimited time on the server.If you enable this policy setting disconnected sessions are deleted
eleted when a user logs off even if the server administrator specifies otherwise.If you do not configure this policy setting Remote Desktop S
u enable this policy setting per-session temporary folders are not created. Instead a user's temporary files for all sessions on the remote co
rough the Feed APIs.
in Internet Explorer and delete a feed or Web Slice through the feed list control. A developer can add or delete a feed or Web Slice by usin
nnection.A developer cannot change this policy setting through the Feed APIs.
vice is Windows SharePoint Services (WSS) the query should resemble the following where XXXX is the locale ID of your WSS Service. For e
arePoint Portal Server your query should resemble the following:http://sitename/Search.aspx?k=$wIf your intranet search service is Wind
ng is set to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (s
r only because of diacritics as the same word.

t can determine the language of a document with high confidence.
eries on the web and if the web results are displayed in Search.
figure this policy setting a user can choose whether or not Search can perform queries on the web over metered connections and if the we
behavior for Search is to not index online delegate mailboxes. Disabling this policy will block any indexing of online delegate mailboxes. O
support. If you set this policy to not configured then online mail items will be indexed at the speed of 120 items per minute. This policy ha
fied user locations will be visible.
specify an initial default list of excluded file types that users can change later see the administration guide for information about how to s
xxxxxxxxxxx} (include the braces) or a ProgID such as VisFilter.CFilter.1.If you maintain a locked desktop environment this setting is redund
ts and your users can choose the location of the preview pane
hould use Search/DoNotUseWebResults

sage information but don't share search history Microsoft account info or specific location. If you disable or don't configure this policy se
us section are displayed. Note that Security Center can only be turned off for computers that are joined to a Windows domain. When a com
tificates with a Client Authentication EKUIf you disable or do not configure this policy setting only certificates that contain the smart card l
ng are not affected by this policy setting. Note: If you use an ECDSA key to log on you must also have an associated ECDH key to permit log
dity has expired.If you disable or do not configure this policy setting certificates which are expired or not yet valid will not be listed on the
e user (determined by their UPN). If there are two or more of the "same" certificate on a smart card and this policy is enabled then t
le this setting then Windows will attempt to read all certificates from the smart card regardless of the feature set of the CSP.If you disable
layed. This setting controls the appearance of that subject name and might need to be adjusted per organization.If you enable this policy
e passed the Windows Hardware Quality Labs (WHQL) testing process.
not be sent to Microsoft)
by default and configurable by the user.

n suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy Input Panel will
the Input Panel Options dialog box.If you disable this policy Input Panel will appear next to any text entry area in applications where this b
ptions dialog box.If you disable this policy Input Panel will appear next to text entry areas in applications where this behavior is available.
yboard to enter text symbols numbers or keyboard shortcuts.If you enable this policy rarely used Chinese Kanji and Hanja characters will b
configure this setting in the Input Panel Options dialog box.If you do not configure this policy Input Panel tab will appear on the edge of the
ill appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the Inpu
this policy and choose “Low” from the drop-down box password security is set to “Low.” At this setting all password security settings are
” from the drop-down menu no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in the
et of the Disable pen flicks policy.If you disable or do not configure this policy all the features described above will be available.
efault.Note: Changes to this setting will not take effect until the user logs off.
wer management settings and its security context. Beginning users will often not be interested or confused by having the property sheet
s and its security context.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are con
Start menu and its submenus. Once a task is created users cannot change the program a task runs.Important: This setting does not preven
it does not prevent users from deleting tasks.Note: This setting appears in the Computer Configuration and User Configuration folders. If b
mputer from using At.exe to create new tasks or prevent administrators from submitting tasks from remote computers.
guration.Important: This setting does not prevent administrators of a computer from using At.exe to delete tasks.
ling firewall protection ensure that a Windows Defender Application Control (WDAC) policy that correctly tags applications has been appli
e including files downloaded from the Internet.

nabled.If you enable this policy SmartScreen will be turned on for all users. Its behavior can be controlled by the following options:• Warn
ng employees can choose whether to use Windows Defender SmartScreen.
t consent and notification settings.

en Control Panel settings for Windows Error Reporting override this policy setting.If you enable this policy setting the setting overrides any
Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes preceden

Disabling this policy setting is useful for servers that do not have interactive users.If you do not configure this policy setting users can chang
e for a report that contains data about the same event types.
olicy setting WER checks for solutions while a computer is running on battery power but does not upload report data until the computer is
Error Reporting sends error reports to Microsoft.

rts are automatically deleted.If you disable or do not configure this policy setting no Windows Error Reporting information is stored.
pted to send the reports or until the user sends problem reports by using the Solutions to Problems page in Control Panel. If Queuing beh
heck box is filled all errors in Windows applications are reported regardless of the setting in the Default dropdown list. The Windows applic
onfigured to report all application errors.If you enable this policy setting you can create a list of applications that are always included in err
nsion. To remove an application from the list click the name and then press DELETE. If this policy setting is enabled the Exclude errors for
d.exe). File names must always include the .exe file name extension. Errors that are generated by applications in this list are not reported
sent to send any additional data that is requested by Microsoft.- Send parameters and safe additional data: the minimum data that is requ
(Always ask before sending data): Windows prompts the user for consent to send reports.- 2 (Send parameters): Windows Error Reporting
licy setting is designed for a single user who has enrolled privileged and non-privileged on a single device. The user owns both credentials
h existing unlock options.For more information see: https://go.microsoft.com/fwlink/?linkid=849684
the time of creation. Credentials created before the application of this policy continue to provide smart card emulation. To change an exis
ss using software if the TPM is non-functional or unavailable.
o for Business" policy setting requires the environment to have one or more Windows Server 2016 domain controllers to prevent Window
ndows Hello for Business" policy setting requires one or more Windows Server 2016 domain controllers. Otherwise Windows Hello for Bus
enable this policy setting Windows Hello for Business uses the PIN recovery service. If you disable or do not configure this policy setting Wi
ential that encrypts their domain password.Select "Do not start Windows Hello provisioning after sign-in" when you use a third-party solu
ed to authorize the use of the certificate's private key.This policy setting is incompatible with Windows Hello for Business credentials prov
o which files are installed.If Windows Installer detects that an installation package has permitted the user to change a protected option it
s security context. Also see the "Remove browse dialog box for new source" policy setting.If you disable or do not configure this policy setti
h elevated privileges such as installations offered on the desktop or displayed in Add or Remove Programs.This policy setting does not affe
configure this policy setting by default users can install programs from removable media only when the installation runs in the user's secur
ion to view or change including directories on highly restricted computers.If you disable or do not configure this policy setting the system
o 0 the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be
component.(2) Add a new feature to the top or middle of an existing feature tree.The new feature must be added as a new leaf feature to
employees. However because this policy setting can pose a security risk it should be applied cautiously.
ho are not system administrators cannot apply patches to installations that run with elevated system privileges such as those offered on th
be applied using a minimal set of processing.
ges can install non-administrator updates.
he product.If you disable or do not configure this policy setting a user can remove an update from the computer only if the user has been
ed to reduce the amount of temporary disk space required to install programs. Also it prevents malicious users from interrupting an instal
Manager Off" option turns off Restart Manager for file in use detection and the legacy file in use behavior is used.-- The "Restart Manager O
setting and "Hide User Installs" is selected the installer ignores per-user applications. This causes a per-computer installed application to b
nfigure this policy setting the Browse button is enabled when an installation is running in the user's security context. But only system adm
nected to the original or identical media to reinstall remove or repair the installation.This policy setting is designed for enterprises to preve
you disable or do not configure this policy setting Windows Installer logs the default event types represented by the letters "iweap."
ach time an application is installed so that users can restore their computer to the state it was in before installing the application.
property.-- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy
Professional and Windows Vista when the policy is not configured.-- The "For non-managed applications only" option permits users to ins
and not suspended during the reboot or shutdown. Personal data can be accessed on the device’s hard drive at this time if BitLocker is not
ess applications can simulate the SAS.If you disable or do not configure this setting only Ease of Access applications running on the secure d
y that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop.For domai
efault. When the policy is enabled the user is automatically signed in and the session is automatically locked with all lock screen apps con
t music that they copy from a CD and play this protected content on their computer since the license is generated locally in this scenario.W
ot configure this policy setting and the "Set and lock skin" policy setting is enabled some options in the anchor window are not available.
o not configure this policy setting the dialog boxes are displayed when the user starts the Player for the first time.
smoothing occurs if necessary. Users can change the setting for the Use Video Smoothing check box.Video smoothing is available only on
n the Preferences tab on the Tools menu in the Windows Messenger user interface.Note: If you do not want users to use Windows Messen
e: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configura
is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting is not configured the Log
block function or script starts or stops. Enabling Invocation Logging generates a high volume of event logs. Note: This policy s
nd time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session. If you
ll scripts to run.If you disable this policy setting no scripts are allowed to run.Note: This policy setting exists under both "Computer Configu
and WMI-capable applications will be unable to access reliability information from the listed providers.
t needs to use the list of trusted hosts you must configure the list of trusted hosts locally on each computer.
r do not configure this policy setting the WinRM service will not respond to requests from a remote computer regardless of whether or no
policy setting the WinRM service will allow the RunAsUser and RunAsPassword configuration values to be set for plug-ins and the RunAsP
ng a valid channel binding token is rejected. If HardeningLevel is set to Relaxed (default value) any request containing an invalid chann
50 is used by default.
host audio input to the container.
shown in Windows Security. Not configured: Same as Disabled.

the contact options that are displayed based on the notification space available. Disabled: No contact information will be sho
ntrol window and do not need elevated permissions to install these updates except in the case of updates that contain User Interface End
disable or do not configure this policy the default notification behaviors will be used.
on will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selects the
if updates are available when the user selects the Shut Down option in the Start menu.
stall the updates.Windows update will also wake the system up and install an update if an install deadline occurs.The system will not wake
o Disabled or Not Configured Automatic Updates will notify the user that the computer will automatically restart in 5 minutes to complete
policy has no effect. This policy has no effect on Windows RT
computer is next started.Note: This policy applies only when Automatic Updates is configured to perform scheduled installations of updat
rs. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured the pending restart will trans
available. The user can click the notification to open the Windows Update Application and get more information about the software or inst
nstallations" policy is enabled then this policy has no effect.

are ready to be downloaded. After going to Windows Update users can download and install any available updates. 3 = (Default settin
y quality or feature updates and your devices may be at risk.
he deadline is set to 0 days the update will be installed immediately upon offering but might not finish within the day due to device availab
estart at scheduled time.Note that the default max active hours range is 18 hours from the active hours start time unless otherwise config
te service location must be signed by Microsoft.Note: Updates from a service other than an intranet Microsoft update service must always
to have effect. Note: If the "Configure Automatic Updates" policy is disabled this policy has no effect. Note: This policy is not suppo
he "Specify intranet Microsoft update service location" policy.
abled or Not Configured no target group information will be sent to the intranet Microsoft update service.Note: This policy applies only wh
rver to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be
ns. Note: If you are using “Do not allow deferral policies to cause scans against Windows Update” currently to ensure devices only scan
ore a major release.Release Preview Channel (default)Insiders in the Release Preview Channel will have access to the upcoming release of
til you correct the values to a supported product and version.
he deferrals will not be in effect. Please see the Windows Release Information page for OS version information.Pause Updates | To preve
ministrative Templates\Windows Components\WorkFolders. If the "Specify Work Folders settings" policy setting does not apply to a user W
specify a list of pages to hide it must begin with "hide:". If a page in a showonly list would normally be hidden for other reasons (such as a
e used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon
eting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected an
f you disable or do not configure this policy setting users will be able to customize their account pictures.
or Windows.Disabled: Allows local accounts to have full administrative rights when authenticating via network logon by configuring the Loc
er object.3. "Allow all activation" restores Office's default behavior allowing the Flash control to be activated.Because this setting is not a t
setting;* In the "Configure LanmanWorkstation dependencies" text box enter the following four lines of text:BowserMRxSmb10MRxSmb
matic start" for Windows 8.1 and Windows Server 2012R2 and newer.Changes to this setting require a reboot to take effect.For more info
r H-node if there is at least one WINS server configured.
uld be converted prior to changing the setting value. To learn more about Internet Explorer Feature Control Key and the Restrict JScript pro
mended): Disables WDigest authentication. For this setting to work on Windows 7 Windows 8 Windows Server 2008 R2 or Windows Serve
s caches the files and responds to content requests from peers. Using the "Do not allow the computer to act as a BITS peer caching server
uter's administrative settings for Windows Branch Cache disable its use entirely.
ers before reverting to the origin server. Note: This policy setting has no effect if the "Allow BITS peer caching" policy setting is disable
tting is disabled or not configured.
policy setting is disabled or not configured.
the total system disk size. Note: This policy setting has no effect if the "Allow BITS peer caching" setting is disabled or not configured
o use approximately 2 kilobits. To prevent BITS transfers from occurring specify a limit of 0. If you disable or do not configure this pol
cy setting you can enter a value in bits per second (bps) between 1048576 and 4294967200 to use as the maximum network bandwidth u
00 if the "Maximum number of BITS jobs for this computer" policy setting is not configured. BITS jobs created by services and the local adm
t to transfer only when on uncosted network connections but foreground jobs should proceed only when not roaming. The values that can
f normal priority jobs to 0 Kbps from 8:00 A.M. to 10:00 A.M. on a maintenance schedule. If you disable or do not configure this polic
high normal and low. You can specify a limit to use for background jobs during a work schedule. For example you can limit the netwo
rphaned jobs occupying disk space. If you enable this policy setting you can configure the inactive job timeout to specified number of
nts begin caching content after they receive it from the file servers.Policy configurationSelect one of the following:- Not Configured. With
ng system.Policy configurationSelect one of the following:- Not Configured. With this selection this policy setting is not applied to client co
servers hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect yo
licy setting BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cach
ent computers you can specify Not Configured for this domain Group Policy setting and then configure local computer policy to enable Bra
this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCache on all client com
onSelect one of the following:- Not Configured. With this selection BranchCache settings are not applied to client computers by this policy
nt to configure a BranchCache client computer cache setting on all client computers you can specify Not Configured for this domain Group
members but you do not want to enable BranchCache on all client computers you can specify Not Configured for this domain Group Policy
Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The synta
f an IPsec tunnel endpoint. Example: PING:2002:836b:1::836b:1.You must configure this setting to have complete NCA functionality.
ecifying IPv6 addresses rather than names.The ability to disconnect allows users to specify single-label unqualified names (such as “PRINTS
nqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's prim
d name resolution will fail.If you disable this policy setting or if you do not configure this policy setting computers will use locally configure
ied list of DNS servers if configured.

e this policy setting click Enabled and then enter a string value representing the DNS suffixes that should be appended to single-label name
use dynamic DNS registration for any of their network connections regardless of the configuration for individual network connections.
orks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding ord
f you disable this policy setting or if you do not configure this policy setting each computer uses its local primary DNS suffix which is usuall
suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the
primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab
mputer will register A and PTR resource records with its connection-specific DNS suffix in addition to the primary DNS suffix. This applies to
ords even if registration of the corresponding A records was not successful.Register only if A record registration succeeds: Computers will
longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval
use by the client. By default the DNS client attempts to replace the existing A resource record with an A resource record that has the clien
tting or you do not configure this policy setting LLMNR will be enabled on all available network adapters.
is policy setting or if you do not configure this policy setting name resolution will be optimized when issuing DNS LLMNR and NetBT querie
applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
ttings. By default DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused clients try to use secure upd
s do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the compu
port and users can only authenticate with WLAN hotspots using a web browser.
he top. Remove any cipher suites you don't want to use.Note: When configuring this security setting changes will not take effect until you r
oup Policy setting and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Po
.Policy configurationSelect one of the following:- Not Configured. With this selection BranchCache settings are not applied to client compu
e top. Remove any cipher suites you don't want to use.Note: When configuring this security setting changes will not take effect until you r
st logons by default. Since insecure guest logons are unauthenticated important security features such as SMB Signing and SMB Encryptio
ed by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Window
ead to very long transition times between the online and offline states.
hoose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead.If you disable or do
hand if a network interface is connected to an unmanaged network you may choose the "Allow operation while in public network" and "P
. In order to use the global well known seed server on the Internet only; enable the setting leave the seed server list empty leave the chec
orking scenarios).If you disable this setting PNRP will use multicast for bootstrapping on the same subnet.If this setting is not configured th
ocal address.If you enable this policy setting PNRP does not create a cloud and applications cannot use this cloud to publish or resolve nam
ing a public registry key to determine the seed server to bootstrap from.
working scenarios).If you disable this setting PNRP will use multicast for bootstrapping on the same subnet.If this setting is not configured
will revert to using a public registry key to determine the seed server to bootstrap from.
working scenarios).If you disable this setting PNRP will use multicast for bootstrapping on the same subnet.If this setting is not configured
or do not configure it the user will be able to create and modify the configuration of a Network Bridge. Enabling this setting does not remo
t filter for home and small office users to protect them from Internet network security threats.If you enable this setting Internet Connectio
haring page is removed from the New Connection Wizard. The Network Setup Wizard is disabled.If you disable this setting or do not config
tween remote client computers running DirectAccess and the Internet is not routed through the internal network.If you do not configure t
ems to the list upon disabling this policy Windows Defender Firewall deletes the list.Note: You define entries in this list by using Security D
end or receive.If you disable this policy setting Windows Defender Firewall blocks all the listed incoming and outgoing ICMP message types
this computer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port excep
amically-assigned ports typically in the range of 1024 to 1034. On Windows Vista this policy setting does not control connections to SVCH
top requests. If an administrator attempts to open this port by adding it to a local port exceptions list Windows Defender Firewall does no
efender Firewall blocks these ports which prevents this computer from receiving Plug and Play messages. If an administrator attempts to o
be allowed to create firewall rules in the Windows Defender Firewall with Advanced Security snap-in. If you wish to prevent all locally cre
dministrators will still be allowed to create firewall rules in the Windows Defender Firewall with Advanced Security snap-in. If you wish to
ame ensure that the Windows Defender Firewall service account has write permissions to the folder containing the log file. Default path fo
at. To remove a port click its definition and then press the DELETE key. To edit a definition remove the current definition from the list and a
Defender Firewall: Define inbound port exceptions" policy setting. To view the program list enable the policy setting and then click the Show
rewall.If you disable this policy setting Windows Defender Firewall applies other policy settings that allow unsolicited incoming messages.
der Firewall behaves as if the policy setting were disabled except that in the Windows Defender Firewall component of Control Panel the "
is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by this computer. Windows Defender Firewall alw
Defender Firewall on or off unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides
end or receive.If you disable this policy setting Windows Defender Firewall blocks all the listed incoming and outgoing ICMP message types
this computer from sharing files and printers. If an administrator attempts to open any of these ports by adding them to a local port excep
amically-assigned ports typically in the range of 1024 to 1034. On Windows Vista this policy setting does not control connections to SVCH
top requests. If an administrator attempts to open this port by adding it to a local port exceptions list Windows Defender Firewall does no
efender Firewall blocks these ports which prevents this computer from receiving Plug and Play messages. If an administrator attempts to o
be allowed to create firewall rules in the Windows Defender Firewall with Advanced Security snap-in. If you wish to prevent all locally cre
dministrators will still be allowed to create firewall rules in the Windows Defender Firewall with Advanced Security snap-in. If you wish to
ame ensure that the Windows Defender Firewall service account has write permissions to the folder containing the log file. Default path fo
at. To remove a port click its definition and then press the DELETE key. To edit a definition remove the current definition from the list and a
Defender Firewall: Define inbound port exceptions" policy setting. To view the program list enable the policy setting and then click the Show
rewall.If you disable this policy setting Windows Defender Firewall applies other policy settings that allow unsolicited incoming messages.
der Firewall behaves as if the policy setting were disabled except that in the Windows Defender Firewall component of Control Panel the "
is a response to a Dynamic Host Configuration Protocol (DHCP) broadcast message sent by this computer. Windows Defender Firewall alw
Defender Firewall on or off unless the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting overrides
ps policy.Example: [cloudresource]|[cloudresource]|[cloudresource][proxy]|[cloudresource]|[cloudresource][proxy]|For more informatio
tion the sole list of allowed proxies enable the "Proxy definitions are authoritative" setting.If you disable or do not configure this policy setti
18.0.0.2For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
these addresses are the only addresses ever classified as private enable the "Subnet definitions are authoritative" policy setting.If you disa
p://go.microsoft.com/fwlink/p/?LinkId=234043
ng or select the "Work offline" option users can work offline if disconnected.If you do not configure this setting users can work offline by d
owed Time Without A Sync' value to ensure that all network folders on the machine are synchronized with the server on a regular basis.Y
ed to be slow.Note: Use the following formula when entering the slow link value: [ bps / 100]. For example if you want to set a threshold v
p network latency is above (slower than) the Latency threshold parameter.You can configure the slow-link mode by specifying threshold va
space limit.If you disable this setting the system limits the space that automatically cached files occupy to 10 percent of the space on the s
mode" policy to avoid network usage.

red by the configured round trip network latency value. We recommend using this policy setting when the network connection to the ser
s includes existing files as well as files added later even if the files were stored using NTFS encryption or BitLocker Drive Encryption while o
nt when the server hosting the offline file is disconnected from the network."2" also records events when the local computer is connected
e the file name extension in the "Extensions" box. To type more than one extension separate the extensions with a semicolon (;).Note: To
much of that disk space can be used by automatically cached files.If you disable this policy setting the system limits the space that offline
ver the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configuration
ttings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To view the Offlin
tting in Computer Configuration takes precedence over the setting in User Configuration.Tip: This setting provides a quick method for locki
etting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To set reminder balloon frequency without
dence.The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012 Windows Se
r all files and folders.If you do not configure this policy setting the "Make Available Offline" command is available for all files and folders.N
r folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use).If you d
able offline when they make a parent folder available offline.
ation by default but users can change this option.This setting appears in the Computer Configuration and User Configuration folders. If bot
Quick synchronization ensures that files are complete but does not ensure that they are current.If you do not configure this setting and S
logged on to the computer at the time the computer is suspended a synchronization is not performed.
can change the setting.To prevent users from changing the setting while a setting is in effect the system disables the "Enable reminders" o
he registry for a particular network adapter this setting is ignored when configuring that network adapter.
registry this setting is ignored when configuring that network adapter.
hat network adapter.

ored when configuring that network adapter.
configuring that network adapter.
gnored when configuring that network adapter.
that network adapter.
guring that network adapter.
red when configuring that network adapter.
onfiguring that network adapter.
nored when configuring that network adapter.
figuring that network adapter.
quests from management systems within the communities it recognizes and only SNMP Read operation is allowed for the community.If yo
setting.If you disable or do not configure this policy setting SNMP service takes the permitted managers configured on the local computer
to the hosts within the "public" community.If you disable or do not configure this policy setting the SNMP service takes the trap configurati
e available.Policy Enabled State: If a global IPv4 address is present the host will have a 6to4 interface. If no global IPv4 address is present t
esent on the host.
with a link-local address and an address for each prefix received from the ISATAP router through stateless address auto-configuration. If th
configure this policy setting the refresh rate is configured using the local settings on the computer. The default refresh rate is 30 seconds.
ork that includes a domain controller.
throughput problems casued by Firewalls or other middle boxes.

over all media. The default for this policy setting allows operations over all media.
he existing TCP session will continue uninterrupted.- Windows then checks the traffic level on the network periodically. If the traffic level is
ked when the computer has at least one active internet connection to a preferred type of network. Here's the order of preference (from m
mpts- When the computer is already connected to either a non-domain based network or a domain based network over media other than
d the cost of Wireless LAN connections is Unrestricted by default.

rvices" enables Windows to temporarily connect to open hotspots to determine if paid services are available.If this policy setting is disable
yees in your organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access cellular data an
ections is Fixed by default.
nnections is Fixed by default.
ternet. Also see the "Custom support URL in the Printers folder's left pane" setting in this folder and the "Browse a common Web site
e Web Services printers on your network ensure that network discovery is turned on. To turn on network discovery click "Start" click "Cont
0.In Windows 10 and later only TCP/IP printers can be shown in the wizard. If you enable this policy setting only TCP/IP printer limits are a
printers. This setting is designed to prevent printers from being pruned when the computer is temporarily disconnected from the networ
e server will simply pass the commands to the printer. This increases the workload of the client while decreasing the load on the server.If
nd other search criteria) to find a printer nearby. You can also use this setting to direct users to a particular printer or group of printers tha
effect. (To enable Web view open the Printers folder and on the Tools menu click Folder Options click the General tab and then click "Ena
between contact attempts. If you do not configure or disable this setting the default values will be used. Note: This setting is u
n domain controllers.
s two retries before deleting printers from Active Directory. You can use this setting to change the number of retries. If you enable th
ll not be allowed.Note: By applying this policy existing kernel-mode drivers will be disabled upon installation of service packs or reinstallati
aded by the print spooler. Print drivers loaded by applications are not affected.-This policy setting takes effect without restarting the print
nds on the version of Windows that you are using.By default Windows Ultimate Professional and Home SKUs will continue to search for co
disable this policy setting then print drivers will be loaded within all associated application processes.Notes:-This policy setting applies on
he default value is every eight hours. If the computer has not responded by the last contact attempt its printers are pruned from the direc
print drivers loaded by the print spooler. Print drivers loaded by applications are not affected.-This policy setting takes effect without rest
nt server.If this setting is enabled users will only be able to package point and print to print servers approved by the network administrato
ngs and elevated command prompts do not appear when users Point and Print or when printer connection drivers need to be updated.
d's Printer Name and Sharing Location screen and to the General tab in the Printer Properties dialog box. If you enable the Group Policy Co
nounces a printer to a print browse master on the domain.
network. However because non-Windows 2000 computers and computers in other domains cannot republish printers in Active Directory
configure this setting the system will store and display shortcuts to recently and frequently used files folders and websites.Note: The syste
s cannot turn it to On. Select this option for compatibility with earlier versions of Windows.If you disable or do not configure this setting th
and the Shut Down Restart Sleep and Hibernate commands are available on the Start menu. The Power button on the Windows Security a
of Windows 10 will supercede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same part of St
f the XML file. You can type a local path such as C:\StartLayouts\myLayout.xml or a UNC path such as \\Server\Share\Layout.xml. If the spe
API calls from within the application. If you disable or do not configure this policy setting the client computer will connect to WNS at u
ee "Supported on" for all supported versions.
enable this policy setting and choose "Workstation Only" from the drop-down menu list the Shutdown Event Tracker is displayed when you
ready for power to be safely removed.If you disable or do not configure this policy setting the computer system safely shuts down to a ful
tting the program continues without the registration. As a result the program might not perform all its functions or it might stop.This setting
ds beginning with Windows Server 2003.Note: This feature might interfere with power configuration settings that turn off hard disks after
Use a semicolon to separate folders. For example to restrict the commands to only .chm files in the %windir%\help folder and D:\somefold
nder Computer Configuration and User Configuration. If both are settings are used any programs listed in either of these locations cannot
IM file. If it is a WIM file the location should be specified by prefixing the path with “wim:” and include the index of the image to use in the
Executable. This provides an additional security benefit but HTLM Help stops if DEP detects system memory abnormalities.
r configuration.If you do not configure this policy setting users see a standard Access Denied message unless the file server is configured t
. User Publishing Refresh On Logon: Triggers a user publishing refresh on logon (Boolean). User Publishing Refresh Interval: Sp
XML cache for storing reporting information. The default value is 20 MB. The size applies to the cache in memory. When the limit is reach
t configuredNote: When this policy setting is enabled any user with access to read the security events will be able to read the command lin
computer. Applications depending upon this delegation behavior might fail authentication. For more information see KB.FWlink for KB:htt
more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a s
disable this policy setting delegation of fresh credentials is not permitted to any machine.Note: The "Allow delegating fresh credentials" po
tion of fresh credentials is not permitted to any machine.Note: The "Allow delegating fresh credentials with NTLM-only server authenticati
MSRV/*).If you disable this policy setting delegation of saved credentials is not permitted to any machine.Note: The "Allow delegating sav
s not a member of any domain. If the client is domain-joined by default the delegation of saved credentials is not permitted to any machin
e of a single wildcard character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote
The use of a single wildcard character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Re
t be delegated. The use of a single wildcard character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources
d services using CredSSP will not accept unpatched clients. Note: this setting should not be deployed until all remote hosts support the new
to connect to remote hosts. Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect t
otected policy then disabling this policy setting doesn't remove the feature from the computer. Instead you must either: 1) first update t
ization Based Security feature.The "Disabled" option turns off Virtualization Based Protection of Code Integrity remotely if it was previousl
ir workflows.
he driver was created. If you disable this policy setting drivers that are signed by a Microsoft Windows Publisher certificate are selected fo
arch for a driver only if a driver is not locally available on the system.If you disable or do not configure this policy setting members of the A
all policy settings that restrict device installation.
vice match criteria" policy setting Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID ap
teria" policy setting Windows is allowed to install or update any device whose Plug and Play device instance ID appears in the list you creat
s across all device match criteria" policy setting Windows is allowed to install or update driver packages whose device setup class GUIDs ap
nstance IDs2. Allow installation of devices using drivers that match these device instance IDsDevice IDs3. Prevent installation of devices us
for any device that is not described by either the "Allow installation of devices that match any of these device IDs" the "Allow installation
a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server th
ated as allowed or prevented by other policy settings.
a" policy setting. If you enable this policy setting Windows is prevented from installing or updating driver packages whose device setup clas
and "Allow installation of devices that match any of these device instance IDs" policy settings to supersede this policy setting for applicabl
avior is observed and the NV cache is used for boot and resume optimizations.Note: This policy setting is applicable only if the NV cache fe
u disable this policy setting the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriatel
cache.Note: This policy setting is applicable only if the NV cache feature is on.
olicy setting turns on disk quota management but does not establish or enforce a particular disk quota limit. To specify a disk quota limit u
rced disk quota limit the system responds as though the physical space on the volume were exhausted. When users reach an unenforced
administrators can use the Quota tab option to change the setting.This policy setting is independent of the enforcement policy settings fo
ng setting.This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event users can detect t
This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users or affec
enable this policy some blurry applications will be crisp after they are restarted without requiring the user to log out and back in to Windo
will be turned off.

mptions" policy is not configured.
will add it to the list without checking for errors.If you enable this policy setting you can view and change the list of DCOM activation secu
oing to Windows Update to search for device drivers.
r has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start d
perty List in AD DS provides the default set of properties.

on is: ([NumProcessors]*2)
erated for files created on the system volume.
to function.If you enable this policy setting and the user has redirected folders such as the Documents and Pictures folders the folders are
or these subfolders when redirecting the Start Menu or legacy My Documents folder.Note: This policy is valid only on Windows Vista Wind
ng is applied using the Group Policy Objects (GPOs) that are scoped to the computer.- An event log message (1109) is posted stating that l
ou can change this behavior by using this setting.If you enable this setting the Group Policy Object Editor snap-in always uses local ADM fil
in the background after the network becomes available.Note that because this is a background refresh extensions requiring synchronous
or the option to override the default to slow network connection and instead default to using a fast network connection in the case that n
when the update is being transmitted across a slow network connection such as a telephone line. Updates across slow connections can ca
ansmitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays.The "D
is policy setting it has no effect on the system.The "Allow processing across a slow network connection" option updates the policies even w
of the policy information and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link D
box type a decimal number between 0 and 4294967200 indicating a transfer rate in kilobits per second. Any connection slower than this
ction" option updates the policies even when the update is being transmitted across a slow network connection such as a telephone line. U
n updates the policies even when the update is being transmitted across a slow network connection such as a telephone line. Updates acr
ogon scripts.
use. When background updates are disabled policy changes will not take effect until the next user logon or system restart.The "Process ev
onnection such as a telephone line. Updates across slow connections can cause significant delays.The "Do not apply during periodic backg
d while the computer is in use. When background updates are disabled policy changes will not take effect until the next user logon or syst
or do not configure this policy setting it has no effect on the system.The "Allow processing across a slow network connection" option upd
odes from the Mode box:"Replace" indicates that the user settings defined in the computer's Group Policy Objects replace the user setting
mitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays.The "Do no
ng transmitted across a slow network connection such as a telephone line. Updates across slow connections can cause significant delays.T
from the command line by typing RSOP.mscNote: This policy setting exists as both a User Configuration and Computer Configuration settin
st version of the policy information and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy
y take effect on reboot.
er how this policy setting is configured.Also see the "Set Group Policy refresh interval for computers" policy setting to change the policy ref
ds. However because updates might interfere with users' work and increase network traffic very short update intervals are not appropriate
installations.If you disable or do not configure this setting the domain controller updates Group Policy every 5 minutes (the default). To sp
ait time.If you disable or do not configure this policy setting Group Policy will use the default wait time of 30 seconds on computers runnin
default or system-computed wait time.If you disable or do not configure this policy setting Group Policy will use the default wait time of 6
art your computer for it to take effect.
re this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup.
nt Console (MMC).
o not configure this policy setting users can access the Windows Update website and enable automatic updating to receive notifications an
ntact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities.If you disable or do not configure
ayed at the end of the description.If you disable or do not configure this policy setting the user can click the hyperlink which prompts the u
ablet PC user writing samples from the handwriting recognition personalization tool will automatically be shared with Microsoft.If you do
rs can report handwriting recognition errors to Microsoft.
ntent in the "Did you know?" section will remain static indefinitely without an Internet connection.
to the Internet and has not disabled the Knowledge Base search from the Search Options page.
user uses the web publishing or online ordering wizards.See the documentation for the web publishing and online ordering wizards for mo
nfiguration/Administrative Templates/Printers.
y/region you live in).
xt and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion
etting is not shown.If you do not configure this policy setting users have the choice to opt in and allow information to be collected.
u disable this policy setting all users are opted into the Windows Customer Experience Improvement Program.If you do not configure this p
ws Error Reporting" policy settings under Computer Configuration/Administrative Templates/Windows Components/Windows Error Repo
runs one of the two active tests.
Update for device drivers if a driver is not found locally.Note: This policy setting is replaced by "Specify Driver Source Search Order" in "Ad
uthentication or armoring.If you configure the "Not supported" option the domain controller does not support claims compound authenti
hentication. Kerberos clients which do not support the PKInit Freshness Extension will always fail when using public key credentials.If you d
ns during user logon" policy setting is enabled.Note: Information about previous logons is provided only if the domain functional level is W
e this policy setting domain controllers will return service tickets that contain compound authentication any time the client sends a compo
me is not found NTLM authentication might be used.To ensure consistent behavior this policy setting must be supported and set identicall
r the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. If you disable or do not configure t
this policy setting and the resource domain requests compound authentication devices will send a non-compounded authentication reque
ove a mapping from the list click the mapping entry to be removed and then press the DELETE key. To edit a mapping remove the current
d host names of the host KDCs using the appropriate syntax format. To remove an interoperable Kerberos V5 realm Value Name or Value
rberos client support for claims compound authentication and Kerberos armoring" must also be enabled to support Kerberos armoring. If
compounded authentication and armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients us
oined to a domain the Kerberos client allows the root CA certificate on the smart card to be used in the path validation of the KDC's X.509
cy setting any service is allowed to accept incoming connections by using this system-generated SPN.
lient or server uses the locally configured value or the default value. Note: This policy setting configures the existing MaxTokenSize registr
ing the appropriate syntax format. To view the list of mappings enable the policy setting and then click the Show button. To remove a map
ded for this computer account.Automatic: Compound authentication is provided for this computer account when one or more applications
ys authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authen
er locale but they can still select a replacement locale if one is installed.If you disable or do not configure this policy setting the user can se
is policy is set to Enabled at the computer level then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the compu
ale only from the specified system locale list.If you disable or do not configure this policy setting administrators can select any system loca
nd French (Canada).If you enable this policy setting only locales in the specified locale list can be selected by users.If you disable or do not
nnot change the amount of time after the device's screen turns off before a password is required when waking the device. Instead a passw
ction take two logons to apply changes. To be able to operate safely these extensions require that no users be logged on. Therefore they m
omain is always set to the domain to which the computer is joined.
dows 2000 Server.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured
he Computer Configuration and User Configuration folders. If both policy settings are configured the policy setting in Computer Configurati
ation takes precedence over the policy setting in User Configuration.Note: Customized run-once lists are stored in the registry in HKEY_LOC
tion purposes.If you disable or do not configure this policy all installed and otherwise enabled credential providers are available for authen
t configure this policy setting the user will have to start the appropriate programs after logon.Note: This setting appears in the Computer C
the opt-in prompt for services.If you do not configure this policy setting the user who completes the initial Windows setup will see the an
ess PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) Enables DEP-ATL thunk emulation for the

negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However using the older algorithms represents a p
verify any passwords with the PDC emulator. If you do not configure this policy setting it is not applied to any DCs.
ared read access to files on the share when exclusive access is requested.Note: The Netlogon share is a share created by the Net Logon se
overy of DCs in a trusted domain.To enable the setting click Enabled and then specify the interval in seconds.
ss to files on the share when exclusive access is requested.Note: The SYSVOL share is a share created by the Net Logon service for use by
ven when none are available.

setting is to always refresh (0).
etting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.Warning: If the value for this setting is too small a clie
he value for this setting is too large a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is v
setting is smaller than the value specified for the Initial DC Discovery Retry Setting the Initial DC Discovery Retry Setting is used.Warning: If
setting once all DCs are running the same OS version.The allowable values for this setting result in the following behaviors:1 - Computers w
based on a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names.If you enable this po
ded). For these reasons NetBIOS-based discovery is not recommended.Note that this policy setting does not affect NetBIOS-based discove
ditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing o
the default behavior and enforce to return only IPv4 DC address. Once applications are fixed this policy can be used to enable the default
o not configure this policy setting it is not applied to any DCs and DCs use their local configuration.
Weight in the DC Locator DNS SRV records click Enabled and then enter a value. The range of values is from 0 to 65535.If you do not confi
ress lookup to discover additional client IP addresses.2 - DCs will perform a fast DNS-only address lookup to discover additional client IP ad
tcp.gc._msdcs.<DnsForestName>GcAtSite SRV _ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>DcByGuid SRV _ldap
NS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the dat
to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow a
replication.To specify the sites covered by the DC Locator DNS SRV records click Enabled and then enter the sites names in a space-delim
gure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory
-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. If you enable this policy
ecific DC Locator DNS SRV records for any other sites but their own.If you do not configure this policy setting it is not applied to any DCs an
enabled computers to which this policy is applied will locate a domain controller hosting an Active Directory domain specified with a single
s policy setting computers to which this setting is applied will use the AllowDnsSuffixSearch policy if it is not disabled or perform NetBIOS
llers will default to using their local configuration.The default local configuration is enabled.A reboot is not required for changes to this setti
um and minimum PIN lengths.

maximum and minimum PIN lengths.
ring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
ring. The "Prevent enabling lock screen slide show" policy setting can be used to disable the slide show feature.
ng. If you disable this policy setting the items "Use a system image you created earlier to recover your computer" and "Reinstall Window
.If you do not configure this policy setting users can configure the setting in System Properties in the Control Panel.
ways to allow helpers to provide Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the
icited (Ask for) Remote Assistance themselves in System Properties in Control Panel. Users can also configure Remote Assistance settings.I
he user sees the default warning message.
ed.If you disable this policy setting application-based settings are used.If you do not configure this policy setting application-based settings
on information. Clients making such calls will not be able to communicate with the Windows NT4 Server Endpoint Mapper Service.If you
s policy setting the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to serve
: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memo
e an error condition.If you enable this policy setting the RPC runtime will generate extended error information. You must select an error re
Server versions that support this policy setting. If you do not configure this policy setting it remains disabled. The RPC server runtime will
ws XP SP1 or higher versions. If either the RPC Client or the RPC Server or the RPC HTTP Proxy run on an older version of Windows this polic
startup whether this policy setting is enabled or not.

y setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
the ""Run startup scripts visible"" policy setting is enabled or not.
GPO B: B.cmd B.ps1GPO C: C.cmd C.ps1Assume also that there are two computers DesktopIT and DesktopSales. For DesktopIT GPOs A B an
o that there are two users Qin Hong and Tamara Johnston. For Qin GPOs A B and C are applied. Therefore the scripts for GPOs B and C run
is interval is particularly important when other system tasks must wait while the scripts complete. By default each startup script must com
hat are subject to the ROCA vulnerability (authentications will still succeed).Block: during authentication the domain controller will block th
(in Windows Server 2012) that is configured in the Server Manager console.If you disable this policy setting Server Manager does not refre
n" option the window is not displayed on subsequent logons.
not displayed automatically at logon.Note: Regardless of the status of this policy setting Server Manager is available from the Start menu o
ore smoothly.
se is turned off the machine. Users cannot enable Storage Sense.Not Configured:By default Storage Sense is turned off until the user runs
d content. Users can configure this setting in Storage settings.

his setting in Storage settings.
n the user’s Downloads folder. Users can configure this setting in Storage settings.
n. Also see the "Turn off System Restore" policy setting. If the "Turn off System Restore" policy setting is enabled the "Turn off System Rest
hrough System Protection.Also see the "Turn off System Restore configuration" policy setting. If the "Turn off System Restore" policy settin
cannot detect troubleshoot or resolve any problems that are handled by the DPS.If you do not configure this policy setting the DPS enabl
state. When the service is stopped or disabled diagnostic scenario data will not be deleted. The DPS can be configured with the Services
detect failures during application installation failures during application runtime and drivers blocked due to compatibility issues.Note: Thi
ubleshooting of corrupted files will automatically start with no UI. Recovery is not attempted automatically. Windows will log an administr
nostic Policy Service (DPS) is in the running state. When the service is stopped or disabled diagnostic scenarios are not executed. The DPS c
action is taken. If you do not configure this policy setting the DPS enables S.M.A.R.T. fault resolution by default. This policy setting takes e
his policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diagn
ng to take effect. Changes take effect immediately.This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the
etting for local and remote troubleshooting MSDT always prompts for additional tool downloading.If you disable this policy setting MSDT n
equired for this policy setting to take effect. Changes take effect immediately.
ooting for critical problems by system features and Microsoft. Notify users when troubleshooting for other problems is available and allow
ation and is the default recovery behavior on Windows server.Troubleshooting Only: Detection and verification of file corruption will be p
policy setting local troubleshooting preferences will take precedence as configured in the control panel. If no local troubleshooting prefer
sable this policy setting users can only access and search troubleshooting content that is available locally on their computers even if they a
disable this policy setting Windows will not be able to detect troubleshoot or resolve any Windows Boot Performance problems that are h
to the Microsoft Management Console.No operating system restart or service restart is required for this policy to take effect. Changes tak
tion is available.If you disable this policy setting Windows will not be able to detect troubleshoot or resolve any Windows Resource Exhaus
available.If you disable this policy setting Windows will not be able to detect troubleshoot or resolve any Windows Shutdown Performanc
assisted resolution is available.If you disable this policy setting Windows will not be able to detect troubleshoot or resolve any Windows S
available.If you disable this policy setting Windows will not be able to detect troubleshoot or resolve any Windows System Responsivenes
M owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you c
se TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pr
stem's TPM will remain configured using the legacy Dictionary Attack Prevention parameters regardless of the value of this group policy. T
ning "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of b
s.If you disable or do not configure this policy setting Windows will block the TPM commands found in the local list in addition to comman
rd user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures ol
mand to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than this duration
h time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authoriza
s also given full control to the user's profile folder.If you disable or do not configure this policy setting only the user is given full control of t
e considering the connection to be slow.If you disable or do not configure this policy setting Windows considers the network connection to
s off. The roaming profile still remains on the network server that stores it.If you disable or do not configure this policy setting Windows ke
cy setting or do not configure it slow link detection is enabled. The system measures the speed of the connection between the user's com
2000 Professional SP4 and Windows XP SP1 the default behavior is to check the folder for the correct permissions if the profile folder alre
u disable or do not configure this policy setting Windows will always unload the users registry at logoff even if there are any open handles
e when Windows cannot load their user profile.Also see the "Delete cached copies of roaming profiles" policy setting.
rsion of the Active Directory schema to function.If you enable this policy setting and the user has a roaming profile the roaming profile is d
put before using a default user profile for roaming user profiles. The default timeout value is 30 seconds. To use this policy setting type the
ot delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This
d) to unload and update the registry settings. By default the system repeats its periodic attempts 60 times (over the course of one minute)
wing occurs on the affected computer: At first logon the user receives a new local profile rather than the roaming profile. At logoff change
ble this policy setting changes a user makes to their roaming profile aren't merged with the server (roaming) copy when the user logs off.I
e logon screen and the user must choose whether to download the remote user profile before Windows detects the network connection
olicy setting. Setting the value to zero causes Windows to proceed without waiting for the network.If you disable or do not configure this
le this policy setting all users logging on this computer will use the roaming profile path specified in this policy.If you disable or do not con
istry file of the roaming user profile is uploaded to the server every six hours while the user is logged on.If "Run at specified time of day" is
Path box.Do not specify environment variables or ellipses in the path. Also do not specify a placeholder for the user name because the us
name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise a
loads the local copy of the roaming user profile. The local copy is also used when the user is consulted (as set in the "Prompt user when sl
alue is set to 50 MB on Windows XP Professional and is unlimited (4294967295 MB) on Windows Server 2003.
policy setting affects file scanning only. It does not affect the standard background file change detection that Windows File Protection pro
er corrections; larger values cause more frequent corrections. Default: 4 (scalar). HoldPeriodThis parameter indicates how many consi
me Service Group Policy Settings. The default value is ""time.windows.com0x09"". TypeThis value controls the authentication that W32tim
u can select the certificate errors that you want to ignore. Note: This policy setting applies to all sites in Trusted zones.
icy allows deployment operations (adding registering staging updating or removing an app package) of Windows Store apps when using a
ployees in your organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access account info
organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access the eye tracker and employ
tion cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access the call history and employees in you
change it.If you choose the "Force Deny" option Windows apps are not allowed to access contacts and employees in your organization ca
dows apps are allowed to get diagnostic information about other apps and employees in your organization cannot change it.If you choose
t.If you choose the "Force Deny" option Windows apps are not allowed to access email and employees in your organization cannot change
hange it.If you choose the "Force Deny" option Windows apps are not allowed to access location and employees in your organization cann
your organization cannot change it.If you choose the "Force Deny" option Windows apps cannot read or send messages and employees in
tion cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access motion data and employees in your
tion cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access notifications and employees in your
If you choose the "Force Deny" option Windows apps are not allowed to access tasks and employees in your organization cannot change i
ation cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access the calendar and employees in your
n cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access the camera and employees in your orga
ur organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access the microphone and emp
organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access trusted devices and employ
background by using Settings > Privacy on the device.If you choose the "Force Allow" option Windows apps are allowed to access user mo
employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on t
on cannot change it.If you disable or do not configure this policy setting employees in your organization can decide whether users can inte
communicate with unpaired wireless devices and employees in your organization cannot change it.If you choose the "Force Deny" option W
r organization cannot change it.If you choose the "Force Deny" option Windows apps will not have access to control radios and employees
annot change it.If you choose the "Force Deny" option Windows apps are not allowed to make phone calls and employees in your organiza
organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to run in the background and employ
ed to take screenshots of various windows or displays and employees in your organization cannot change it.If you choose the "Force Deny
r and employees in your organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to turn off th
e: Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http https and mailto URI
ause it can cause severe app compatibility issues.
increased.If the status is set to Enabled the MS-DOS subsystem is prevented from running which then prevents any 16-bit applications fro
esult in a blue screen if an old anti-virus application is installed.)The Windows Resource Protection and User Account Control features of W
gram is turned off. The Inventory Collector will be off.

performance and are already aware of application compatibility issues. If you disable or do not configure this policy setting the PCA will be
l be turned on.Please reboot the system after changing the setting to ensure that your system accurately reflects those changes.
g. If you enable this policy setting an Administrator can change the default Windows Vista or later behavior for autorun to: a) Co
disabled on all drives. This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autopla
in the event that someone forgets their logon credentials.

biometrics should create a password recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.
top-level folder view.If you disable or do not configure this policy setting the BitLocker setup wizard will display the computer's top-level
the drive will be used in other devices that are not running Windows 10 (Version 1511).If you disable or do not configure this policy settin
s.If you disable or do not configure this policy setting BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose d
key cipher strength for BitLocker to use to encrypt drives.If you disable or do not configure this policy setting BitLocker will use the defaul
users for recovering BitLocker encrypted data. Saving to a USB flash drive will store the 48-digit recovery password as a text file and the 2
s enabled.Note: Some PCs may not be compatible with this policy if the system firmware enables DMA for newly attached Thunderbolt dev
to the BitLocker To Go Reader. BitLocker will only manage and update data recovery agents when the identification field on the drive mat
hema extensions and access control settings on the domain before AD DS backup can succeed. More information about setting up AD DS
he certificate it must be set to an object identifier (OID) that matches the OID configured for BitLocker.If you enable this policy setting the
setting is enabled select the "Do not install BitLocker To Go Reader on FAT formatted fixed drives" check box to help prevent users from r
a recovery agents.In "Configure user storage of BitLocker recovery information" select whether users are allowed required or not allowed
suites used with hardware-based encryption.If you disable this policy setting BitLocker cannot use hardware-based encryption with operati
volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.If you enable this policy setting users can co
ticate their access to BitLocker-protected fixed data drives.If you do not configure this policy setting smart cards can be used to authenticat
option will not be presented in the BitLocker setup wizard.If you disable or do not configure this policy setting the BitLocker setup wizard
e. The Network Unlock certificate is used to create Network Key Protectors and protects the information exchanged with the server to unlo
m integrity validation even on systems capable of Secure Boot-based integrity validation.When this policy is enabled and the hardware is ca
chNet for more information about adding data recovery agents.In "Configure user storage of BitLocker recovery information" select wheth
riod to be greater than the default when a PIN is changed. If successful Windows will only reset the TPM lockout period back to default if t
"Custom recovery message option" text box will be displayed in the pre-boot key recovery screen. If a recovery URL is available include it
and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be pro
profile for native UEFI firmware configurations" group policy setting to configure the TPM PCR profile for computers using native UEFI firm
nfigurations" group policy setting to configure the TPM PCR profile for computers with BIOS configurations or computers with UEFI firmwa
cipher suites used with hardware-based encryption.If you disable this policy setting BitLocker cannot use hardware-based encryption with
en unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.If you enable this policy setti
Windows Recovery Environment is not enabled and this policy is not enabled you cannot turn on BitLocker on a device that uses the Windo
crypt the drive is stored on the USB drive creating a USB key. When the USB key is inserted the access to the drive is authenticated and the
users to enter a 4-digit to 20-digit startup personal identification number (PIN).A USB flash drive containing a startup key is needed on com
policy the "Use enhanced Boot Configuration Data validation profile" group policy is ignored.The setting that controls boot debugging (0x1
n this policy setting is enabled select the "Do not install BitLocker To Go Reader on FAT formatted removable drives" check box to help pre
t adding data recovery agents.In "Configure user storage of BitLocker recovery information" select whether users are allowed required or
pher suites used with hardware-based encryption.If you disable this policy setting BitLocker cannot use hardware-based encryption with o
g a drive with any of the protectors available on the drive.If you enable this policy setting users can configure a password that meets the r
authenticate their access to BitLocker-protected removable data drives.If you do not configure this policy setting smart cards are available
r Drive Encryption Deployment Guide on Microsoft TechNet for more information on suspending BitLocker protection.If you do not configu
dentification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting.If you disable or do
erprise and Education SKUs.
nd applications that use the Windows system controls including Internet Explorer.
user’s Windows credentials.

hange whether diagnostic data is collected or the ability of the user to change the level. To configure collection level please use the "Allow
mum diagnostic data necessary to keep Windows secure up to date and performing as expected. Using this value disables the "Optional dia
116020.If you disable or do not configure this policy setting diagnostic data collection is determined by the "Allow Diagnostic Data" policy
wnloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services.
figure this policy setting the Event Collector computer will not be specified.
hange should be made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
e made to the "Configure log access (legacy)" policy setting to enforce this change across all tools and APIs.
event log messages before writing them to the event log.
y the following options:• Warn and prevent bypass• WarnIf you enable this policy with the "Warn and prevent bypass" option SmartScree
If the policy is enabled disabled or not configured users will still be able to override default file type and protocol associations.
tting the protocol is in the protected mode allowing applications to only open a limited set of folders.If you do not configure this policy setti
ns as if both new and old locations point to different shares when their network paths are different.Note: If the paths point to different ne
e when the previous version is of a local file and stored on the backup.
is of a file on a file share.
e location of the last use of their active digitizer on their device.
ustom administrative template file see the Internet Explorer documentation on search providers.If you disable or do not configure this po
g users can change the Suggestions setting on the Settings charm.

figure this policy setting newly installed add-ons are not automatically activated in the browser. Internet Explorer notifies the user when n
open in up to three of the following channels where: 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Micros
le to use the Import/Export Settings wizard.
user intervention.
rites feeds shortcuts to home page and more. Full-screen mode disables not only these three bars but also the shortcuts to these bars.If y
tionally it’s best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge.Related policies:- S
un websites in Enterprise Mode.
d.contoso.comLOBApp.contoso.com
2 - Intranet site zone only Binary Representation - 00010• 0 - Restricted Sites Zone• 0 - Internet Zone• 0 - Trusted Sites Zone• 1 - Local In
ebsites to the exception list by enabling "Turn off Managing Pop-up Allow list" policy.
y settings to prevent the user from configuring pop-up behavior.
ng the user.If you disable or do not configure this policy setting the user is prompted to decide the mode of operation for the phishing filte
the First Run wizard the first time the browser is started after installation.
ers that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative temp
lished by the administrator.Note: The "Disable the Security page" policy (located in \User Configuration\Administrative Templates\Windo
e Security tab from Internet Explorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.Also see the "S
nents\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting then all intranet sites will continue to open in Internet Ex
tly enabled through the creation of an integer setting. In this case each Internet Explorer isolation setting will quickly grow to use the speci
nfigure this policy setting users are notified when the average time to load all the user's enabled add-ons exceeds the threshold. This is the
g the first-run experience.

of the URL action for the application or process on the computer prevail.
eration.If you do not configure this policy setting current values of the URL action for the Internet Explorer process prevail.
ompts are not bypassed. Value Name is the name of the executable file. If Value Name is empty or the value is not 0 or 1 the policy setting
net Explorer will be available and users will see installed printers under the Devices charm.
vate the feature by using the Compatibility View Settings dialog box.
en to common Internet standards may be displayed incorrectly.If you disable this policy setting Internet Explorer uses a current user agent
for local intranet content. Additionally all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The user ca
setting has no effect.

n set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history.
ttings charm.
Delete Browsing History dialog box.If you enable this policy setting ActiveX Filtering Tracking Protection and Do Not Track data is preserve
tering data when he or she clicks Delete.
et files settings""Disable changing history settings""Disable changing color settings""Disable changing link color settings""Disable changing
are always converted to IDN format.If you disable or do not configure this policy setting the user can control this setting by using Advanced
cy users will be prompted when Web Components such as fonts would be downloaded.
e policy setting users can select the Always send Do Not Track header option in Internet Explorer settings. By selecting this option Internet
icy setting Internet Explorer does not check the Internet for new versions of the browser so does not prompt users to install them.
have been revoked.
gure this policy Internet Explorer will not check the digital signatures of executable programs or display their identities before downloadin
least Windows 8 Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file system.Wh
f you do not configure this policy Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser windo
encryption tunnel by using the encryption methods that you select from the drop-down list.If you disable or do not configure this policy se
Profile Assistant information.

ault is to encode all query strings in UTF-8.
ettings charm.
If you don't configure this policy setting users can turn this feature on or off using Internet Explorer settings. This feature is turned off by d
ed will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.If you do not configure this policy users will
session.If you do not configure this policy setting Internet Explorer starts with the home page. Users can change this option to start with t
bsite Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers.
s on Website Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers
r will allow trusted domains to store additional files in application caches up to the limit set in this policy setting.If you disable or do not co
allow trusted domains to store additional data in indexed databases up to the limit set in this group policy.If you disable or do not configu
ernet Explorer will use the default application cache individual resource size for all application caches resources. The default is 50 MB.
ng the page that referenced the manifest that are less than or equal to the limit set in this policy setting.If you disable or do not configure
ches. The default is 1 GB.
d databases. The default is 4 GB.
the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security) the same change should be m
te) and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings that p
tion appears for intranet content loaded on a browser on a computer that is not a domain member until the user turns off the Notification
n the zone.If you do not configure this policy setting users cannot load a page in the zone that uses MSXML or ADO to access data from an
affected.If you disable this policy setting all attempts to access such content over the restricted protocols is blocked.If you do not configur
ors are available.
hange this behavior.If you do not configure this policy setting the user can decide whether to load XBAPs inside Internet Explorer.
change this behavior.If you do not configure this policy setting the user can decide whether to load XAML files inside Internet Explorer.
d XPS files inside Internet Explorer.
be redirected to another Web page.
using Search Connectors.

g this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails it is the zo
s.If you do not configure this policy setting the possible harmful actions contained in script-initiated pop-up windows and windows that in
s.If you do not configure this policy setting video and animation can be played through older media players in specified zones.
nsecure (http://) content.If you disable this policy setting users cannot receive the security information message and nonsecure content ca
onnect to a Web site that has no certificate or only one certificate.
urn this behavior on or off using Internet Explorer Security settings.
ntly downloaded.
o not configure it users cannot drag content from one domain to a different domain when the source and destination are in different wind
e this policy setting or do not configure it users cannot drag content from one domain to a different domain when the source and destinati
MIME Sniffing Safety Feature will not apply in this zone.
en he or she is uploading a file via an HTML form. By default path information is sent.
etting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.If you do not configure this policy setting Acti
pplets cannot run.If you do not configure this policy setting the permission is set to High Safety.
his policy setting users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone.
tomatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM authe
ations from other domains.
t configure this policy setting Internet Explorer will execute unsigned managed components.
this policy setting Internet Explorer will execute signed managed components.
stricted zone enabled in the Intranet and Local Computer zones and set to prompt in the Internet and Trusted zones.
ware packages from being automatically downloaded to users' computers and software packages from being automatically installed on use
ou do not configure this policy setting users are queried to choose whether to allow information using HTML forms on pages in this zone to
ng .NET Framework Setup is turned on by default. The user can change this behavior.
this policy setting users can preserve information in the browser's history in favorites in an XML store or directly within a Web page saved
be on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting Web sites from less p
n the zone.If you do not configure this policy setting users are queried to choose whether to allow a page to be loaded in the zone that us
ors are available.

s.If you do not configure this policy setting Windows Restrictions security will not apply in this zone. The security zone runs without the ad
hen they connect to a Web site that has no certificate or only one certificate.
n this behavior on or off using Internet Explorer Security settings.
ntly downloaded.
pplets cannot run.If you do not configure this policy setting the permission is set to Medium Safety.
ou do not configure this policy setting information using HTML forms on pages in this zone can be submitted automatically.
be on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting Web sites from less p
n the zone.If you do not configure this policy setting users can load a page in the zone that uses MSXML or ADO to access data from anoth
ors are available.


etting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.If you do not configure this policy setting use
pplets cannot run.If you do not configure this policy setting the permission is set to Medium Safety.
his policy setting users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
t configure this policy setting Internet Explorer will not execute unsigned managed components.
this policy setting Internet Explorer will not execute signed managed components.
on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting the possibly harmful na
he Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

ntly downloaded.
actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone as dictated by the feature co
pplets cannot run.If you do not configure this policy setting Java applets are disabled.
n the zone.If you do not configure this policy setting users are queried to choose whether to allow a page to be loaded in the zone that us

ntly downloaded.

ors are not available unless applications have implemented a custom security manager.
ot be redirected to another Web page.
one using Search Connectors.

his policy setting users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
windows and frames from different domains or access applications from different domains.
this policy setting users cannot preserve information in the browser's history in favorites in an XML store or directly within a Web page sa

protocols is unaffected.If you disable this policy setting all attempts to access such content over the restricted protocols is blocked.If you d
ors are not available unless applications have implemented a custom security manager.
ot be redirected to another Web page.
one using Search Connectors.

his policy setting users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
windows and frames from different domains or access applications from different domains.
this policy setting users cannot preserve information in the browser's history in favorites in an XML store or directly within a Web page sa
ors are available.

etting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.If you do not configure this policy setting use
pplets cannot run.If you do not configure this policy setting the permission is set to Low Safety.
be on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting a warning is issued to
cify what action applies to searches on the Address bar.

site or a search-results webpage in the main window.If you disable or do not configure this policy setting the user can select their preferen
nternet Options dialog. By default URL Suggestions are turned on.
bar. The user cannot change this setting.If you do not configure this policy setting the user can choose to turn the Use Windows Search setti
strength update information URL.
n and then clicking InPrivate Filtering.

tton and then clicking Tracking Protection.
he application as a user types in a password. The reveal password button is visible by default.On at least Windows 8 if the "Do not display
llowing information:Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in brac
ers - all add-ons are assumed to be denied unless they are specifically allowed through the 'Add-on List' policy setting.If you enable this po
d policy settings are ignored by the specified process. The Value Name is the name of the executable. If a Value Name is empty or the Valu
ols" in the Internet Explorer TechNet library.
:/Users/contoso/Desktop/index.htm"If you disable or don't configure this policy setting the list is deleted and Internet Explorer continues
mation see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
ng the WebSocket object. By default the WebSocket object is enabled.
t to 'admin-approved' just as if those zones were set to 'disable'.If you do not configure this policy setting only VML will be allowed in zone
he policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to en
y setting Consistent Mime Handling is prevented for all processes.
ng Internet Explorer will not require consistent MIME data for all received files.If you do not configure this policy setting Internet Explorer
ed.If you enable this policy setting and enter a Value of 1 MIME handling is in effect. If you enter a Value of 0 file-type information is allowe
ed in a process list.If you disable or do not configure this policy setting Local Machine zone security is not applied to local files or content p
disable this policy setting Local Machine zone security is not applied to local files or content processed by Internet Explorer.If you do not c
a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use th
ed Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configur
sable IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting.If yo
ed for processes other than File Explorer and Internet Explorer.
protocols is prevented for File Explorer and Internet Explorer processes.If you do not configure this policy setting the policy setting is ignor
The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not ent
zone no protocols are restricted for that zone regardless of the setting for "Allow active content over restricted protocols to access my com
ernet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable for IE processes. If the All Proce
this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled t
ocesses.If you do not configure this policy setting any zone can be protected from zone elevation by Internet Explorer processes.
on to more privileged zones can be prevented. If you enter a Value of 0 elevation to any zone is allowed. The Value Name is the name of th
s enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the se
es policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this po
other restrictions apply for File Explorer and Internet Explorer processes.
name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explore
efault and the user can change this.
e.If you disable or do not configure this policy setting the toolbar upgrade tool checks for incompatible toolbars. The user can enable or di
hat require IIS to run.
Panel will apply.
onfigured applications and services can use Microsoft accounts for authentication. By default this setting is Disabled. This setting does no
there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled the service will remain ru
gured by the local administrator.
his fallback step according to the order specified above.

his setting the proxy will skip over this fallback step according to the order specified above.
otentially unwanted software. Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended tha
gurable delay of approximately five seconds.
1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Neve
mation might unintentionally be sent to Microsoft. However Microsoft will not use this information to identify you or contact you. Possibl
e state for each ASR rule under the Options section for this setting. Enter each rule on a new line as a name-value pair: - Name column
onfigure Attack Surface Reduction rules GP setting.
m folders are automatically guarded but you can add folders in the configure protected folders GP setting.
you can add folders in the Configure protected folders GP setting. Block: The following will be blocked: - Attempts by untrusted
Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in
m connecting to dangerous domains. Not configured: Same as Disabled.
when further analysis is required" all need to be enabled.
level (0x1) Moderate Microsoft Defender Antivirus blocking level delivers verdict only for high confidence detections (0x2) High bloc
performance. If you enable or do not configure this setting definition retirement will be enabled. If you disable this setting definition re
ng and outgoing files (default) 1 = Scan incoming files only 2 = Scan outgoing files only Any other value or if the value does not exist r
on will run at a default frequency.

cheduled full scans will be turned off.
or scheduled quick scans will be turned off.
ates will disabled.
setting the list will remain empty by default and no sources will be contacted.
e after the default number of days have passed without an update.

default number of days have passed without an update.
ified source the remaining sources in the list will not be contacted. If you disable or do not configure this setting security intelligence upd
es will occur at the default time.
issions and access the camera and microphone without the user’s knowledge. To prevent unauthorized access we recommend that camer
all user data within the Application Guard container.
ed (CPU) rendering.Note:Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to
and its content.If you choose to enable copying you must also choose the type of content that can be copied by using the content option
a in Windows Security.- Place the generated XML file in a shared or local path. Note: Endpoints that have this GP setting set to Enabled mu
g employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting "Show
ersion of IE is necessary for it to appear properly.If you disable this setting the Microsoft Compatibility List isn’t used during browser navig
ent this in Group Policy Editor enable Allows development of Windows Store apps and installing them from an integrated development en
he search engine. For more info about creating the OpenSearch XML file see the Understanding OpenSearch Standards (https://msdn.micr
m making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some settings.If
utton loads a New tab page.- Show home button & set a specific page is selected clicking the home button loads the URL specified in the Se
ured):- If it’s a single app it runs InPrivate full screen for digital signage or interactive displays.- If it’s one of many apps Microsoft Edge run
oft Edge does not use an idle timer.If disabled or not configured the default value is 5 minutes.If you do not configure Microsoft Edge in as
When enabled and you want to make changes you must first set the Disable Lockdown of Start Pages to not configured make the changes t
ces when it is the only configured URL.Version 1809:If enabled and you select either Start page New Tab page or previous page in the Con
figure Open Microsoft Edge With
ault) employees can add import and make changes to the Favorites list.
Clipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and Office
u disable or don't configure this setting employees will see the favorites they set in the Hub and Favorites Bar.
bout creating the OpenSearch XML file see the Understanding OpenSearch Standards (https://msdn.microsoft.com/en-us/library/dd16354
Configure the Enterprise Mode Site List-Send all intranet sites to Internet Explorer 11
isabled or not configuredRelated policy:-Configure Home Button-Set Home Button URL
er. Set SyncMethod to “External” when an external synchronization engine is being deployed for settings sync. This could use OneDrive Wo
Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows.
he UE-V Agent will use the default Microsoft templates installed by the UE-V Agent and custom templates in the settings template catalog
nchronization.If you disable this policy setting all Windows Settings are excluded from the settings synchronization.If you do not configure
and the user cannot access Company Settings Center from the system tray. The Company Settings Center remains accessible through the
ack to the state when UE-V was installed or to “last-known-good” configurations. Only enable this policy setting on computers running in a
Microsoft Office Suite 2013 applications will not be backed up. If you do not configure this policy setting any defined values will be deleted.
Microsoft Office Suite 2016 applications will not be backed up. If you do not configure this policy setting any defined values will be deleted.
synchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled.If you do not configu
hich are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the Micro
will be deleted.
will be deleted.
e this policy setting Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V.If you do not configure thi
e this policy setting Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V.If you do not configure thi
nable this policy setting user settings which are common between the Microsoft Office Suite 2013 applications continue to synchronize wit
nable this policy setting user settings which are common between the Microsoft Office Suite 2016 applications continue to synchronize wit
policy setting Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy
policy setting Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V.If you do not configure this policy
u disable this policy setting Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V.If you do not con
cy setting Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy setti
cy setting Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V.If you do not configure this policy setti
ou disable this policy setting Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V.If you do not c
ou disable this policy setting Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V.If you do not c
isable this policy setting Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V.If you do not config
isable this policy setting Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V.If you do not config
h UE-V.If you disable this policy setting Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with UE-V.If
h UE-V.If you disable this policy setting Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with UE-V.If
ble this policy setting Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V.If you do not configure t
ble this policy setting Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V.If you do not configure t
you disable this policy setting Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V.If you do not
you disable this policy setting Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V.If you do not
3 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365 SharePoint Designer 2013 user settings are
licy setting Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy se
licy setting Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V.If you do not configure this policy se
s policy setting Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V.If you do not configure this poli
s policy setting Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V.If you do not configure this poli
be deleted.
be deleted.
values will be deleted.
d the last configured setting will remain in effect.

ose their privacy settings after an upgrade.
onfiguration.If you do not configure this setting users who are members of the Administrators group can make changes using the Window
cy setting Windows presentation settings can be invoked.
RDS Endpoint Servers group on the license server.By default the RDS Endpoint Servers group is empty.If you disable or do not configure thi
erver 2003.By default if the most appropriate RDS CAL is not available for a connection a Windows Server 2008 license server will issue a W
message that the publisher has been blocked.
d with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user star
Session Host server cannot be authenticated the user is prompted to choose whether to connect to the RD Session Host server without a
t computer and on the RD Session Host server to provide credentials clear the Always prompt for password check box on the Log on Settin
can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for
n the target computer to determine whether the remote connection is allowed. This setting is found on the Remote tab in the System prop
matic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection.
If you enable this policy setting you must enter a keep-alive interval. The keep-alive interval determines how often in minutes the server c
can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line.
ote Desktop Services sessions.To use this setting enter the number of connections you want to specify as the maximum for the server. To
able Connect Time Detect and Continuous Network Detect Remote Desktop Protocol will not try to determine the network quality at the c
elivering the best user experience.
n of a remote user with the user's consent. 5. View Session without user's permission: Allows the administrator to watch the session of a r
background.
deo playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2 Windows Server 2008 or Windo
ndows 7 or Windows Server 2008 R2. If you enable this policy setting audio recording redirection is allowed.If you disable this policy setting
t a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later.
example you can use your local computer's Narrator and Magnifier clients to interact with UI on a web page you opened in a remote sessio
at the Group Policy level.
t redirection is not specified at the Group Policy level.
u disable this policy setting client drive redirection is always allowed. In addition Clipboard file copy redirection is always allowed if Clipboa
ng users cannot redirect their supported Plug and Play devices to the remote computer.If you do not configure this policy setting users can
of compression that is determined by the bandwidth of the remote connection.The audio playback quality that you specify on the remote
not configure this policy setting these notifications will be displayed on the RD Session Host server after you log on as a local administrator
ote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. If you disable or do
Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server.If you disable o
t printer mapping is not specified at the Group Policy level.
e this policy setting the default printer is not specified at the Group Policy level.
not found" - If there is a printer driver mismatch the server will attempt to find a suitable driver. If one is not found the client's printer is n
policy setting the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server doe
ming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specifi
e account name of each user.To configure this policy setting type the path to the network share in the form of \\Computername\Sharenam
es) without environment variables or ellipses. Do not specify a placeholder for user alias because Remote Desktop Services automatically a
to take effect you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting.
cify the name of a farm in RD Connection Broker.If you disable or do not configure this policy setting the farm name is not specified at the
on separated list of the FQDNs of all the RD Connection Broker servers.If you disable or do not configure this policy setting the policy settin
ver name policy setting.If you disable this policy setting the server does not join a farm in RD Connection Broker and user session tracking i
ct directly by IP address to RD Session Host servers in the farm.If you disable this policy setting the IP address of the RD Session Host serve
program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not s
es memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is
m quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. If you enable t
on-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. Th
p Services session.If the status is set to Disabled wallpaper might appear in a Remote Desktop Services session depending on the client con
ted by the client will be used.If you disable or do not configure this policy setting the color depth for connections is not specified at the Gro
display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop S
Policy level.
nt users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent discon
ogged off.To use this setting in Program path and file name type the fully qualified path and file name of the executable file to be run whe
ed as RemoteApp programs do not support these advanced graphics.
sessions use the hardware graphics renderer by default.NOTE: The policy setting enables load-balancing of graphics processing units (GPU
ompression scheme.If you enable this policy setting RemoteFX will be used to deliver a rich user experience over LAN connections and RD
sessions are optimized for rich multimedia.
andwidth by selecting the highest setting for screen capture rate and the highest setting for image quality.By default Remote Desktop Conn
a password to log on.If you disable this policy setting users can always log on to Remote Desktop Services automatically by supplying their
ns to the user security descriptors by using the Remote Desktop Session WMI Provider.Note: The preferred method of managing user acce
hat do not respond to the request.If the status is set to Not Configured unsecured communication is allowed.Note: The RPC interface is use
er. If TLS is not supported native Remote Desktop Protocol (RDP) encryption is used to secure communications but the RD Session Host ser
nnection dialog box and then click About. In the About Remote Desktop Connection dialog box look for the phrase Network Level Authenti
certificate selection only occurs when a specific certificate has not been selected.If no certificate can be found that was created with the s
encryption methods are available:* High: The High setting encrypts data sent from the client to the server and from the server to the clien
ssions policy settings.If you enable this policy setting Remote Desktop Services ends any session that reaches its time-out limit.If you disab
r do not configure this policy setting the time limit is not specified at the Group Policy level. By default Remote Desktop Services allows se
icy setting this policy setting is not specified at the Group Policy level. By default Remote Desktop Services allows sessions to remain active
onnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sess
olicy setting Remote Desktop Services deletes the temporary folders from the remote computer at logoff unless specified otherwise by the
r all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer.If you
ete a feed or Web Slice by using the Feed APIs.
e ID of your WSS Service. For example the English locale ID is 1033.http://sitename/_layouts/XXXX/searchresults.aspx?SearchString=$wTh

intranet search service is Windows SharePoint Services (WSS) the query should resemble the following where XXXX is the locale ID of your
tely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to
ered connections and if the web results are displayed in Search.Note: If you enable the "Don't search the web or display web results in Sea
online delegate mailboxes. Online delegate mailboxes are managed separately from online mailboxes. The "Enable Indexing of Uncached
ems per minute. This policy has no effect on mail items when using Microsoft Office Outlook in cached mode.
or information about how to set up the initial machine preference.
ronment this setting is redundant because non-administrative users do not have permission to install new components. If your users have
r don't configure this policy setting users can choose what information is shared in Search.
Windows domain. When a computer is not joined to a Windows domain the policy setting will have no effect.If you do not congifure this p
s that contain the smart card logon object identifier can be used to log on with a smart card.
ciated ECDH key to permit logons when you are not connected to the network.
valid will not be listed on the logon screen.
nd this policy is enabled then the certificate that is used for logon on Windows 2000 Windows XP and Windows 2003 Server will be shown
e set of the CSP.If you disable or do not configure this setting Windows will only attempt to read the default certificate from those cards th
ation.If you enable this policy setting or do not configure this setting then the subject name will be reversed. If you disable the subject na
able this policy Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel Option
ea in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.If y
ere this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.If you do not configure t
nji and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to confi
will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Options.Cau
nfigure this setting in the Input Panel Options dialog box.If you do not configure this policy application auto complete lists will appear next
password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable
o configure this setting in the Input Panel Options dialog box. If you enable this policy and choose “Tolerant" users will be able to use t
e will be available.
by having the property sheet displayed automatically. Note that the checkbox is not checked by default even if this setting is Disabled or
olders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: T
nt: This setting does not prevent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder. To pre
computers.
gs applications has been applied to the target devices. Enabling firewall protection without a corresponding WDAC policy will prevent all a
y the following options:• Warn and prevent bypass• WarnIf you enable this policy with the "Warn and prevent bypass" option SmartScree
tting the setting overrides any user changes made to Windows Error Reporting settings in Control Panel and default values are applied for
cation settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured user settings in Control Pan
policy setting users can change this setting in Control Panel which is set to enable notification by default on computers that are running W
port data until the computer is connected to a more permanent power source.
ng information is stored.
Control Panel. If Queuing behavior is set to Always queue for administrator reports are queued until an administrator is prompted to send
down list. The Windows applications category is a subset of Microsoft applications.If you disable or do not configure this policy setting use
that are always included in error reporting. To add applications to the list click Show under the Report errors for applications on this list se
nabled the Exclude errors for applications on this list setting takes precedence.If you disable or do not configure this policy setting errors a
ns in this list are not reported even if the Default Application Reporting Settings policy setting is configured to report all application errors.
the minimum data that is required to check for an existing solution along with data which Windows has determined (within a high probabi
ers): Windows Error Reporting automatically sends the minimum data required to check for an existing solution and Windows prompts th
he user owns both credentials which enables them to sign-in using non-privileged credentials but can performed elevated tasks without sig
d emulation. To change an existing credential enable this policy setting and select "I forgot my PIN" from Settings.
controllers to prevent Windows Hello for Business authentication from failing.

erwise Windows Hello for Business authentication will fail.
onfigure this policy setting Windows does not create or store the PIN recovery secret. If the user forgets their PIN they must delete their e
hen you use a third-party solution to provision Windows Hello for Business.If you select "Do not start Windows Hello provisioning after sig
o for Business credentials provisioned when the "Turn off smart card emulation" is enabled.Windows requires a user to lock and unlock th
change a protected option it stops the installation and displays a message. These security features operate only when the installation pro
do not configure this policy setting by default only system administrators can browse during installations with elevated privileges such as in
his policy setting does not affect installations that run in the user's security context. By default users can install patches to programs that r
llation runs in the user's security context. During privileged installations such as those offered on the desktop or displayed in Add or Remo
this policy setting the system applies the current user's permissions when it installs programs that a system administrator does not distrib
will remain on disk and will be deleted when the product is removed. If you set the baseline cache to 100 the Windows Installer will u
dded as a new leaf feature to an existing feature tree.If you disable or do not configure this policy setting the Windows Installer will use le
es such as those offered on the desktop or in Add or Remove Programs.Also see the "Enable user to patch elevated products" policy settin
uter only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator whether
ers from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However bec
sed.-- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser
puter installed application to be visible to users even if those users have a per-user install of the product registered in their user profile.
context. But only system administrators can browse when an installation is running with elevated system privileges such as installations o
igned for enterprises to prevent unauthorized or malicious editing of transform files.If you disable this policy setting Windows Installer sto
d by the letters "iweap."
alling the application.
cified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy.If you disable o
y" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them
at this time if BitLocker is not on or suspended during an update. BitLocker suspension temporarily removes protection for system compo
ations running on the secure desktop can simulate the SAS.
ft Windows desktop.For domain user accounts in Windows Server 2003 Windows 2000 native or Windows 2000 mixed functional level dom
d with all lock screen apps configured for that user after the device boots. After enabling this policy you can configure its settings through t
rated locally in this scenario.When this policy is either disabled or not configured Windows Media DRM functions normally and will conne
or window are not available.
smoothing is available only on the Windows XP Home Edition and Windows XP Professional operating systems.
users to use Windows Messenger enable the "Do not allow Windows Messenger to run" policy setting.Note: This policy setting is available
ditor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
etting is not configured the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events of a mo
gs. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Com
PowerShell session. If you disable this policy setting transcripting of PowerShell-based applications is disabled by default although tra
under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has preced
er regardless of whether or not any WinRM listeners are configured.The service listens on the addresses specified by the IPv4 and IPv6 filte
et for plug-ins and the RunAsPassword value will be stored securely.If you enable and then disable this policy settingany values that were p
est containing an invalid channel binding token is rejected. However a request that does not contain a channel binding token is accepted (t
ontact information will be shown on notifications. Not configured: Same as Disabled.
at contain User Interface End User License Agreement or Windows Update setting changes.There are two situations where the effect of
t the time the user selects the Shut Down option in the Start menu.Note that this policy setting has no impact if the Computer Configurati
curs.The system will not wake unless there are updates to be installed. If the system is on battery power when Windows Update wakes it
start in 5 minutes to complete the installation.Note: This policy applies only when Automatic Updates is configured to perform scheduled
heduled installations of updates. If the "Configure Automatic Updates" policy is disabled this policy has no effect.
the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to automatically executed within the spe
tion about the software or install it. The user can also click "Close this message" or "Show me later" to defer the notification as appropriate
pdates. 3 = (Default setting) Download the updates automatically and notify when they are ready to be installed Windows finds up
the day due to device availability and network connectivity.Set a grace period for feature updates and quality updates to guarantee users
t time unless otherwise configured via the Specify active hours range for auto-restarts policy.
oft update service must always be signed by Microsoft and are not affected by this policy setting.Note: This policy is not supported on Win
Note: This policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
ote: This policy applies only when the intranet Microsoft update service this computer is directed to is configured to support client-side tar
onal server name value can be specified to configure Windows Update Agent to download updates from an alternate download server ins
ntly to ensure devices only scan against your specified server we recommend configuring this policy instead or in addition to such.
ess to the upcoming release of Windows 10 prior to it being released to the world. These builds are supported by Microsoft. The Release P
tion.Pause Updates | To prevent Feature Updates from being received on their scheduled time you can temporarily pause Feature Update
tting does not apply to a user Work Folders is not automatically set up. If you disable or do not configure this policy setting Work Folder
en for other reasons (such as a missing hardware device) this policy will not force that page to appear. After this the policy string must con
pecified lock screen and logon image to be shown.Note: This setting only applies to Enterprise Education and Server SKUs.
ugh Input Panel is collected and stored. Note: Automatic learning of both text and ink might not be available for all languages even when
rk logon by configuring the LocalAccountTokenFilterPolicy registry value to 1.For more information about local accounts and credential the
d.Because this setting is not a true Group Policy setting and "tattoos" the registry enabling the "Allow all activation" option is the only way
xt:BowserMRxSmb10MRxSmb20NSIWARNING: DO NOT SELECT THE "DISABLED" RADIO BUTTON UNDER ANY CIRCUMSTANCES!Changes to
ot to take effect.For more information see https://support.microsoft.com/kb/2696547
Key and the Restrict JScript process-level policy for Windows please refer to: https://docs.microsoft.com/en-us/previous-versions/window
ver 2008 R2 or Windows Server 2012 KB2871997 must first be installed.For more information see http://support.microsoft.com/kb/28719
t as a BITS peer caching server" and "Do not allow the computer to act as a BITS peer caching client" policy settings it is possible to control
aching" policy setting is disabled or not configured.
g is disabled or not configured.
ble or do not configure this policy setting BITS uses all available unused bandwidth. Note: You should base the limit on the speed of th
aximum network bandwidth used for peer caching. If you disable this policy setting or do not configure it the default value of 30 perc
d by services and the local administrator account do not count toward this limit.
ot roaming. The values that can be assigned are: - Always transfer - Transfer unless roaming - Transfer unless s
e or do not configure this policy setting the limits defined for work or nonwork schedules will be used. Note: The bandwidth limits tha
xample you can limit the network bandwidth of low priority jobs to 128 Kbps from 8:00 A.M. to 5:00 P.M. on Monday through Friday and t
meout to specified number of days. If you disable or do not configure this policy setting the default value of 90 (days) will be used for
owing:- Not Configured. With this selection BranchCache latency settings are not applied to client computers by this policy. In the circums
tting is not applied to client computers and the clients run the version of BranchCache that is included with their operating system.- Enable
policy setting to take effect you must also enable the "Turn on BranchCache" policy setting.This policy setting can only be applied to client
computers detect hosted cache servers hosted cache mode is turned on. If they do not detect hosted cache servers hosted cache mode i
computer policy to enable BranchCache client computer cache age settings on individual client computers. Because the domain Group Po
e BranchCache on all client computers you can specify Not Configured for this domain Group Policy setting and then configure local compu
lient computers by this policy. In the circumstance where client computers are domain members but you do not want to enable BranchCa
figured for this domain Group Policy setting and then configure local computer policy to enable BranchCache client computer cache settin
for this domain Group Policy setting and then configure local computer policy to enable BranchCache on individual client computers. Beca
page do not matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server
mplete NCA functionality.
alified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resour
n of the local DNS client's primary domain suffix a connection-specific domain suffix and a DNS suffix search list.If attaching suffixes is allow
uters will use locally configured settings.
appended to single-label names. You must specify at least one suffix. Use a comma-delimited string such as "microsoft.comserverua.micro
ual network connections.
orks higher in the binding order.Note: This policy setting is applicable only if the turn off smart multi-homed name resolution policy settin
mary DNS suffix which is usually the DNS name of Active Directory domain to which it is joined.
anced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.Devolution is not enabled if a global suffix search list is confi
ffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.Devolution is not enable
mary DNS suffix. This applies to all network connections used by computers that receive this policy setting.For example with a computer na
tion succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
nger than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.To specify the registra
ource record that has the client's current IP address.If you enable this policy setting or if you do not configure this policy setting DNS client
DNS LLMNR and NetBT queries.
ed clients try to use secure update.

ource records that the computer needs to update.
s will not take effect until you restart Windows.

Because the domain Group Policy setting is not configured it will not over-write the enabled setting that you use on individual servers whe
are not applied to client computers by this policy setting. In this circumstance which is the default both V1 and V2 hash generation and retr
will not take effect until you restart Windows.

MB Signing and SMB Encryption are disabled. As a result clients that allow insecure guest logons are vulnerable to a variety of man-in-the-m
ct to files hosted on a Windows Failover Cluster with the File Server for General Use role as it can lead to adverse failover times and increa
ons instead.If you disable or do not configure this policy setting the default behavior of LLTDIO will apply.
while in public network" and "Prohibit operation while in private network" options instead.If you disable or do not configure this policy setti
rver list empty leave the checkbox unchecked.2. In order to use a corporate seed server only enable the setting; insert the fully qualified d
his setting is not configured the protocol will revert to using a public registry key to determine whether it will publish the computer or will
cloud to publish or resolve names regardless of whether the computer has an IPv6 address that matches the cloud scope.If you disable or d
f this setting is not configured the protocol will revert to using a public registry key to determine whether it will publish the computer or w
f this setting is not configured the protocol will revert to using a public registry key to determine whether it will publish the computer or w
ling this setting does not remove an existing Network Bridge from the user's computer.
this setting Internet Connection Firewall cannot be enabled or configured by users (including administrators) and the Internet Connection
ble this setting or do not configure it and have two or more connections administrators can enable ICS. The Advanced tab in the properties
twork.If you do not configure this policy setting traffic between remote client computers running DirectAccess and the Internet is not rout
in this list by using Security Descriptor Definition Language (SDDL) strings. For more information about the SDDL format see the Windows
outgoing ICMP message types. As a result utilities that use the blocked ICMP messages will not be able to send those messages to or from
ing them to a local port exceptions list Windows Defender Firewall does not open the port. In the Windows Defender Firewall component
t control connections to SVCHOST.EXE and LSASS.EXE.If you enable this policy setting Windows Defender Firewall allows the computer to r
ws Defender Firewall does not open the port. In the Windows Defender Firewall component of Control Panel the "Remote Desktop" chec
an administrator attempts to open these ports by adding them to a local port exceptions list Windows Defender Firewall does not open th
wish to prevent all locally created rules from applying use the Group Policy Object Editor snap-in and configure Computer Configuration\W
ecurity snap-in. If you wish to prevent all locally created rules from applying use the Group Policy Object Editor snap-in and configure Com
ing the log file. Default path for the log file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.If you disable this policy setting Win
nt definition from the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions li
setting and then click the Show button. To add a program enable the policy setting note the syntax click the Show button. In the Show Con
solicited incoming messages. In the Windows Defender Firewall component of Control Panel the "Block all incoming connections" check b
mponent of Control Panel the "Notify me when Windows Defender Firewall blocks a new program" check box is selected by default and ad
Windows Defender Firewall always permits those DHCP unicast responses. However this policy setting can interfere with the NetBIOS mess
twork" policy setting overrides.
outgoing ICMP message types. As a result utilities that use the blocked ICMP messages will not be able to send those messages to or from
ing them to a local port exceptions list Windows Defender Firewall does not open the port. In the Windows Defender Firewall component
t control connections to SVCHOST.EXE and LSASS.EXE.If you enable this policy setting Windows Defender Firewall allows the computer to r
ws Defender Firewall does not open the port. In the Windows Defender Firewall component of Control Panel the "Remote Desktop" chec
an administrator attempts to open these ports by adding them to a local port exceptions list Windows Defender Firewall does not open th
wish to prevent all locally created rules from applying use the Group Policy Object Editor snap-in and configure Computer Configuration\W
ecurity snap-in. If you wish to prevent all locally created rules from applying use the Group Policy Object Editor snap-in and configure Com
ing the log file. Default path for the log file is %systemroot%\system32\LogFiles\Firewall\pfirewall.log.If you disable this policy setting Win
nt definition from the list and add a new one with different parameters. To allow administrators to add ports to the local port exceptions li
setting and then click the Show button. To add a program enable the policy setting note the syntax click the Show button. In the Show Con
solicited incoming messages. In the Windows Defender Firewall component of Control Panel the "Block all incoming connections" check b
mponent of Control Panel the "Notify me when Windows Defender Firewall blocks a new program" check box is selected by default and ad
Windows Defender Firewall always permits those DHCP unicast responses. However this policy setting can interfere with the NetBIOS mess
twork" policy setting overrides.
e][proxy]|For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
do not configure this policy setting apps will use the Internet proxies auto-discovered by Windows Network Isolation.Example: [3efe:3022:
ative" policy setting.If you disable or do not configure this policy setting Windows Network Isolation attempts to automatically discover yo
ng users can work offline by default but they can change this option.This setting appears in the Computer Configuration and User Configur
the server on a regular basis.You can also configure Background Sync for network shares that are in user selected Work Offline mode. This
f you want to set a threshold value of 128000 bps enter a value of 1280.
ode by specifying threshold values for Throughput (in bits per second) and/or Latency (in milliseconds) for specific UNC paths. We recomm
percent of the space on the system drive.If you do not configure this setting disk space for automatically cached files is limited to 10 perce
network connection to the server is slow. For example you can configure a value of 60 ms as the round trip latency of the network above w
ocker Drive Encryption while on the server. The cached copy on the local computer is affected but the associated network copy is not. The
e local computer is connected and disconnected from the network."3" also records an event when the server hosting the offline file is reco
with a semicolon (;).Note: To make changes to this setting effective you must log off and log on again.
m limits the space that offline files occupy to 25 percent of the total space on the drive where the Offline Files cache is located. The limit f
mputer and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom actions thro
uration.Tip: To view the Offline Files Folder in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and then
vides a quick method for locking down the default settings for Offline Files. To accept the defaults just enable this setting. You do not have
er balloon frequency without establishing a setting in Windows Explorer on the Tools menu click Folder Options and then click the Offline
dows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows 8 Windows 7 or Windows Vista.
lable for all files and folders.Notes:This policy setting appears in the Computer Configuration and User Configuration folders. If both policy
folders for offline use).If you do not configure this policy setting no files or folders are made available for offline use by Group Policy.Note:
er Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User Co
ot configure this setting and Synchronization Manager is configured for logon synchronization the system performs a quick synchronizatio
bles the "Enable reminders" option on the Offline Files tabThis setting appears in the Computer Configuration and User Configuration fold
llowed for the community.If you disable or do not configure this policy setting the SNMP service takes the Valid Communities configured o
nfigured on the local computer instead.Best practice: For security purposes it is recommended to restrict the HKLM\SOFTWARE\Policies\SN
rvice takes the trap configuration configured on the local computer instead.Note: This setting has no effect if the SNMP agent is not instal
lobal IPv4 address is present the host will not have a 6to4 interface.Policy Disabled State: 6to4 is turned off and connectivity with 6to4 wil
dress auto-configuration. If the ISATAP name is not resolved successfully the host will have an ISATAP interface configured with a link-loca
ult refresh rate is 30 seconds.
eriodically. If the traffic level is above a certain threshold no further action is taken. The computer stays connected to the network and con
e order of preference (from most preferred to least preferred): Ethernet WLAN then cellular. Ethernet is always preferred when connecte
twork over media other than Ethernet and a user attempts to create a manual connection to an additional network in violation of this pol
e.If this policy setting is disabled both "Connect to suggested open hotspots" "Connect to networks shared by my contacts" and "Enable pa
owed to access cellular data and employees in your organization cannot change it.If you disable or do not configure this policy setting emp
e "Browse a common Web site to find printers" setting in User Configuration\Administrative Templates\Control Panel\Printers.
scovery click "Start" click "Control Panel" and then click "Network and Internet". On the "Network and Internet" page click "Network and S
only TCP/IP printer limits are applicable. On Windows 10 only if you disable or do not configure this policy setting the default limit is applie
disconnected from the network. Note: You can use the "Directory Pruning Interval" and "Directory Pruning Retry" settings to adjust t
asing the load on the server.If you do not enable this policy setting the behavior is the same as disabling it.Note: This policy does not deter
printer or group of printers that you want them to use. If you disable this setting or do not configure it and the user does not type a lo
eneral tab and then click "Enable Web content in folders.") Also see the "Activate Internet printing" setting in this setting folder and t
d. Note: This setting is used only on domain controllers.
f retries. If you enable this setting you can change the interval between attempts. If you do not configure or disable this settin
of service packs or reinstallation of the Windows XP operating system. This policy does not apply to 64-bit kernel-mode printer drivers as
ct without restarting the print spooler service.

s will continue to search for compatible Point and Print drivers from Windows Update if needed. However you must explicitly enable this
:-This policy setting applies only to applications opted into isolation.-This policy setting applies only to print drivers loaded by applications.
ters are pruned from the directory. If you enable this policy setting the contact events are recorded in the event log. If you disab
etting takes effect without restarting the print spooler service.

d by the network administrator. When using package point and print client computers will check the driver signature of all drivers that are
drivers need to be updated. If you do not configure this policy setting: -Windows Vista client computers can point and print to an
ou enable the Group Policy Computer location setting the default location you entered appears in the Location field by default.If you disab
sh printers in Active Directory automatically by default the system never prunes their printer objects. You can enable this setting to c
and websites.Note: The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder.Also se
do not configure this setting the all apps list will be visible by default and the user can change "Show app list in Start" in Settings.
tton on the Windows Security and logon screens is also available.
which manages same part of Start menu but with fewer options).
er\Share\Layout.xml. If the specified file is not available when the user logs on the layout won't be changed. Users cannot customize their
puter will connect to WNS at user login and applications will be allowed to poll for tile notification updates in the background. No reb
Tracker is displayed when you shut down a computer running a client version of Windows. (See "Supported on" for supported versions.)If
tem safely shuts down to a fully powered-off state.

ns or it might stop.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the s
s that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel.
%\help folder and D:\somefolder add the following string to the edit box: "%windir%\help;D:\somefolder". Note: An environment varia
ther of these locations cannot launched from Help
ndex of the image to use in the WIM file. For example “wim:\\server\share\install.wim:3”.If you disable or do not configure this policy setti
abnormalities.
s the file server is configured to display the customized Access Denied message. By default users see the standard Access Denied message
Publishing Refresh Interval: Specifies the publishing refresh interval using the UserRefreshIntervalUnit. To disable package refresh select 0
emory. When the limit is reached the log file will roll over. When a new record is to be added (bottom of the list) one or more of the oldest
e able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private
mation see KB.FWlink for KB:http://go.microsoft.com/fwlink/?LinkId=301508Note: The "Allow delegating default credentials" policy setting
n be delegated. The use of a single wildcard character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources
elegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server t
NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target
ote: The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents
s not permitted to any machine.If you disable this policy setting delegation of saved credentials is not permitted to any machine.Note: The
sources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Deskto
manresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote D
RMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERM
l remote hosts support the newest version.Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure ve
Credential Guard to connect to remote hosts. Require Restricted Admin: Participating applications must use Restricted Admin to connect
must either: 1) first update the policy to a non-protected policy and then disable the setting or 2) disable the setting and then remove t
ity remotely if it was previously turned on with the "Enabled without lock" option. The "Enabled with UEFI lock" option ensures that Virtua
sher certificate are selected for installation over drivers that are signed by other Authenticode certificates.
olicy setting members of the Administrators group can determine the priority order in which Windows searches source locations for device
ardware ID or compatible ID appears in the list you create unless another policy setting at the same or higher layer in the hierarchy specific
ID appears in the list you create unless another policy setting at the same or higher layer in the hierarchy specifically prevents that installa
se device setup class GUIDs appear in the list you create unless another policy setting at the same or higher layer in the hierarchy specifica
vent installation of devices using drivers that match these device IDs4. Allow installation of devices using drivers that match these device
ce IDs" the "Allow installation of devices for these device classes" or the "Allow installation of devices that match any of these device insta
on a remote desktop server the policy setting affects redirection of the specified devices from a remote desktop client to the remote desk
kages whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server the policy
this policy setting for applicable devices enable the "Apply layered order of evaluation for Allow and Prevent device installation policies ac
licable only if the NV cache feature is on.
the NV cache are appropriately configured.Note: This policy setting will take effect on next boot.If you do not configure this policy setting t
To specify a disk quota limit use the "Default quota limit and warning level" policy setting. Otherwise the system uses the physical space o
en users reach an unenforced limit their status in the Quota Entries window changes but they can continue to write to the volume as long
enforcement policy settings for disk quotas. As a result you can direct the system to log an event regardless of whether or not you choose
gged event users can detect that they have reached their warning level because their status in the Quota Entries window changes.Note: T
imits for current users or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).If yo
o log out and back in to Windows. Be aware of the following:Per Process System DPI will only improve the rendering of desktop applicatio
e list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1 D
unch Antimalware boot-start driver.If you enable this policy setting you will be able to choose which boot-start drivers to initialize the nex
Pictures folders the folders are redirected on the user's primary computer only.If you disable or do not configure this policy setting and the
d only on Windows Vista Windows 7 Windows 8 and Windows Server 2012 when it processes a legacy redirection policy already deployed
(1109) is posted stating that loopback was invoked in Replace mode.If you enable this policy setting the behavior is exactly the same as in
p-in always uses local ADM files in your %windir%\inf directory when editing GPOs.This leads to the following behavior:- If you had origin
nsions requiring synchronous processing such as Software Installation Folder Redirectionand Drive Maps preference extension will not be
connection in the case that no network bandwidth speed is determined.Note: When Group Policy detects a slow network connection Gro
cross slow connections can cause significant delays.The "Do not apply during periodic background processing" option prevents the system
cause significant delays.The "Do not apply during periodic background processing" option prevents the system from updating affected pol
tion updates the policies even when the update is being transmitted across a slow network connection such as a telephone line. Updates a
figure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) The slow link value that is defi
y connection slower than this rate is considered to be slow. If you type 0 all connections are considered to be fast.If you disable this settin
tion such as a telephone line. Updates across slow connections can cause significant delays.The "Do not apply during periodic background
a telephone line. Updates across slow connections can cause significant delays.The "Do not apply during periodic background processing"
system restart.The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the polic
ot apply during periodic background processing" option prevents the system from updating affected policies in the background while the c
ntil the next user logon or system restart.The "Process even if the Group Policy objects have not changed" option updates and reapplies th
twork connection" option updates the policies even when the update is being transmitted across a slow network connection such as a tele
Objects replace the user settings normally applied to the user."Merge" indicates that the user settings defined in the computer's Group Pol
e significant delays.The "Do not apply during periodic background processing" option prevents the system from updating affected policies
can cause significant delays.The "Do not apply during periodic background processing" option prevents the system from updating affected
Computer Configuration setting.Also see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Administra
e the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.) The slow link value
etting to change the policy refresh interval.Note: If you make changes to this policy setting you must restart your computer for it to take e
e intervals are not appropriate for most installations.If you disable this setting Group Policy is updated every 90 minutes (the default). To s
y 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use select the "Turn off
seconds on computers running Windows Vista operating system.
use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workp
to a workgroup.
ting to receive notifications and critical updates from Windows Update.Note: This policy applies only when this PC is configured to connec
ou disable or do not configure this policy setting your computer will contact the Windows Update website.
hyperlink which prompts the user and then sends information about the event over the Internet to Microsoft. Also see "Events.asp URL" "
ared with Microsoft.If you do not configure this policy Tablet PC users can choose whether or not they want to share their writing sample
online ordering wizards for more information including details on specifying service providers in the registry.
urns off the Search Companion feature completely.
mation to be collected.
m.If you do not configure this policy setting the administrator can use the Problem Reports and Solutions component in Control Panel to en
ponents/Windows Error Reporting.
r Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows.
ort claims compound authentication or armoring which is the default behavior for domain controllers running Windows Server 2008 R2 or
public key credentials.If you disable or not configure this policy setting then the DC will never offer the PKInit Freshness Extension and ac
e domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003 Windows 2000 nati
time the client sends a compound authentication request regardless of the account configuration.
e supported and set identically on all domain controllers in the domain.
u disable or do not configure this policy setting the threshold value defaults to 12000 bytes which is the default Kerberos MaxTokenSize fo
pounded authentication request first then a compound authentication request when the service requests compound authentication.
mapping remove the current entry from the list and add a new one with different parameters.If you disable this policy setting the host na
5 realm Value Name or Value entry from the list click the entry and then press the DELETE key. To edit a mapping remove the current entr
support Kerberos armoring. If you disable or do not configure this policy setting the client computers in the domain enforce the use of Ker
o retrieve claims for clients using Kerberos protocol transition.
h validation of the KDC's X.509 certificate.If you disable or do not configure this policy setting the Kerberos client requires only that the KD
existing MaxTokenSize registry value in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters which was

Show button. To remove a mapping from the list click the mapping entry to be removed and then press the DELETE key. To edit a mapping
when one or more applications are configured for Dynamic Access Control.Always: Compound authentication is always provided for this co
using certificates then authentication will fail.If you disable this policy setting certificates will never be used.If you do not configure this po
s policy setting the user can select a custom locale as their user locale.If this policy setting is enabled at the machine level it cannot be disa
is set to Disabled at the computer level then the per-User policy will be ignored. If this policy is set to Not Configured at the computer leve
ors can select any system locale shipped with the operating system.
users.If you disable or do not configure this policy setting users can select any locale installed on the computer unless restricted by the "D
ng the device. Instead a password is required immediately after the screen turns off.If you don't configure this policy setting on a domain-
be logged on. Therefore they must be processed in the foreground before users are actively using the computer. In addition changes that
f both settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To displa
etting in Computer Configuration takes precedence over the policy setting in User Configuration.Note: To create a customized run list by u
ed in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.Also see the ""Do not process the le
viders are available for authentication purposes.
tting appears in the Computer Configuration and User Configuration folders. If both settings are configured the system starts the programs
Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy settin
P-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from the Acti
older algorithms represents a potential security risk.If you disable this policy setting Net Logon will not allow the negotiation and use of old
e created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no a
Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application wit
r this setting is too small a client will stop trying to find a DC too soon.
the value set in this setting is very small and the DC is not available the traffic caused by periodic DC discoveries may be excessive.
etry Setting is used.Warning: If the value for this setting is too large a client may take very long periods to try to find a DC.If the value for th
ing behaviors:1 - Computers will ping DCs at the normal frequency.2 - Computers will ping DCs at the higher frequency.To specify this beh
NS names.If you enable this policy setting this DC does not process incoming mailslot messages that are used for NetBIOS domain name ba
t affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known.If you enable or do not configure this policy se
ntain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force
be used to enable the default behavior.If you enable this policy setting DC Locator APIs can return IPv4/IPv6 DC address. This is the default
0 to 65535.If you do not configure this policy setting it is not applied to any DCs and DCs use their local configuration.
discover additional client IP addresses.To specify this behavior in the DC Locator DNS SRV records click Enabled and then enter a value. Th
me>DcByGuid SRV _ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>GcIpAddress A gc._msdcs.<DnsForestName>D
hould be preserved in the database.Warning: If the DNS resource records are registered in zones with scavenging enabled the value of thi
ed TCP/IP subnets that allow administrators to configure Active Directory access and replication.To specify the sites covered by the DC Lo
e sites names in a space-delimited format.If you do not configure this policy setting it is not applied to any DCs and DCs use their local confi
ery domain in Active Directory.To specify the sites covered by the GC Locator DNS SRV records click Enabled and enter the sites' names in a
k cost. If you enable this policy setting Try Next Closest Site DC Location will be turned on for the computer.If you disable this policy setting
g it is not applied to any DCs and DCs use their local configuration.
domain specified with a single-label name by appending different registered DNS suffixes to perform DNS name resolution. The single-lab
disabled or perform NetBIOS name resolution otherwise to attempt to locate a domain controller that hosts an Active Directory domain s
equired for changes to this setting to take effect.More information is available at https://aka.ms/lowercasehostnamesrvrecord
mputer" and "Reinstall Windows" (or "Return your computer to factory condition") in Recovery (in Control Panel) will be unavailable. Howe
elpers to remotely control the computer." When you configure this policy setting you also specify the list of users or user groups that are a
e Remote Assistance settings.If you enable this policy setting you have two ways to allow helpers to provide Remote Assistance: "Allow he
tting application-based settings are used.
dpoint Mapper Service.If you do not configure this policy setting it remains disabled. RPC clients will not authenticate to the Endpoint Ma
legation and connect to servers using constrained delegation. If you do not configure this policy setting it remains disabled and will genera
nd uses only about 4K of memory this setting is not recommended for most installations.-- "Auto1" directs RPC to maintain basic state info
n. You must select an error response type in the drop-down box.-- "Off" disables all extended error information for all processes. RPC on
d. The RPC server runtime will behave as though it was enabled with the value of "Authenticated" used for Windows Client and the value
r version of Windows this policy setting will be ignored.The minimum allowed value for this policy setting is 90 seconds. The maximum is 7
es. For DesktopIT GPOs A B and C are applied. Therefore the scripts for GPOs B and C run in the following order for DesktopIT:Within GPO
he scripts for GPOs B and C run in the following order for Qin:Within GPO B: B.ps1 B.cmdWithin GPO C: C.ps1 C.cmd For Tamara GPOs B an
t each startup script must complete before the next one runs. Also you can use the ""Run logon scripts synchronously"" setting to direct th
domain controller will block the use of WHfB keys that are subject to the ROCA vulnerability (authentications will fail).This setting only tak
Server Manager does not refresh automatically. If you do not configure this policy setting Server Manager uses the refresh interval settings
vailable from the Start menu or the Windows taskbar.
turned off until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings.
bled the "Turn off System Restore configuration" policy setting is overwritten.
ff System Restore" policy setting is disabled or not configured the "Turn off System Restore configuration" policy setting is used to determi
is policy setting the DPS enables all scenarios for resolution by default unless you configure separate scenario-specific policy settings.This p
e configured with the Services snap-in to the Microsoft Management Console.
compatibility issues.Note: This policy setting has no effect if the "Turn off Program Compatibility Assistant" policy setting is enabled. The D
Windows will log an administrator event with instructions if manual recovery is possible.If you enable this setting the recovery behavior fo
os are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. Note: For Windows Serv
ault. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. No reboots or service restarts a
ce is stopped or disabled diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Man
tic Policy Service (DPS) is in the running state. When the service is stopped or disabled diagnostic scenarios will not be executed. The DPS c
able this policy setting MSDT never downloads tools and is unable to diagnose problems on remote computers.If you do not configure this
roblems is available and allow users to choose to apply or ignore.3 = Automatically apply troubleshooting for critical and other problems b
tion of file corruption will be performed without UI. Recovery is not attempted.If you enable this policy setting the recovery behavior for c
o local troubleshooting preference is configured scheduled diagnostics are enabled for detection troubleshooting and resolution by defau
their computers even if they are connected to the Internet. They are prevented from connecting to the Microsoft servers that host the Wi
formance problems that are handled by the DPS.If you do not configure this policy setting the DPS will enable Windows Boot Performance
licy to take effect. Changes take effect immediately.
ny Windows Resource Exhaustion problems that are handled by the DPS.If you do not configure this policy setting the DPS will enable Win
indows Shutdown Performance problems that are handled by the DPS.If you do not configure this policy setting the DPS will enable Windo
oot or resolve any Windows Standby/Resume Performance problems that are handled by the DPS.If you do not configure this policy settin
ndows System Responsiveness problems that are handled by the DPS.If you do not configure this policy setting the DPS will enable Windo
M authentication setting you choose.Choose the operating system managed TPM authentication setting of "Full" to store the full TPM own
f blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc" navigating to the "Command
he value of this group policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to
figure the Group Policy list of blocked TPM commands.If you disable or do not configure this policy setting Windows will block the TPM com
cal list in addition to commands in the Group Policy and default lists of blocked TPM commands.
urred. Authorization failures older than the duration are ignored.For each standard user two thresholds apply. Exceeding either threshold
ailures older than this duration are ignored.For each standard user two thresholds apply. Exceeding either threshold will prevent the stand
tion failure occurred. Authorization failures older than the duration are ignored.For each standard user two thresholds apply. Exceeding eit
he user is given full control of their user profile and the administrators group has no file system access to this folder.Note: If the policy setti
ders the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.C
this policy setting Windows keeps a copy of a user's roaming profile on the local computer's hard drive when the user logs off.Important:
ction between the user's computer and profile server. If the connection is slow (as defined by the "Slow network connection timeout for u
ssions if the profile folder already exists and not copy files to or from the roaming folder if the permissions are not correct.By configuring
if there are any open handles to the per-user registry keys at user logoff.
profile the roaming profile is downloaded on the user's primary computer only.If you disable or do not configure this policy setting and the
use this policy setting type the number of seconds Windows should wait for user input. The minumum value is 0 seconds and the maximum
eleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user pro
ver the course of one minute).If you enable this policy setting you can adjust the number of times the system tries to unload and update t
aming profile. At logoff changes are saved to the local profile. All subsequent logons use the local profile. If you disable this setting or do n
) copy when the user logs off.If you disable or not configure this policy setting the default behavior occurs as indicated above.Note: This po
tects the network connection speed. If you disable or do not configure this policy setting the system does not consult the user. Instead th
sable or do not configure this policy setting Windows waits for the network for a maximum of 30 seconds.
cy.If you disable or do not configure this policy setting users logging on this computer will use their local profile or standard roaming user p
Run at specified time of day" is chosen then a time of day must be specified. Once set Windows uploads the registry file at the same time
the user name because the user name will be appended at logon.Note: The Drive letter box is ignored if you choose “On the local comput
pps) that have the enterprise authentication capability will not be able to retrieve the user's UPN SIP/URI and DNS. Selecting this option m
et in the "Prompt user when slow link is detected" policy setting) but does not respond in the time allowed (as set in the "Timeout for dialo
at Windows File Protection provides.
eter indicates how many consistent time samples the client computer must receive in a series before subsequent time samples are evalua
the authentication that W32time uses. The default value is NT5DS.CrossSiteSyncFlagsThis value expressed as a bitmask controls how W32
usted zones.
dows Store apps when using a special profile.If you disable or do not configure this policy setting Group Policy blocks deployment operation
allowed to access account information and employees in your organization cannot change it.If you disable or do not configure this policy s
ss the eye tracker and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in y
l history and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organ
loyees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization can decid
annot change it.If you choose the "Force Deny" option Windows apps are not allowed to get diagnostic information about other apps and
ur organization cannot change it.If you disable or do not configure this policy setting employees in your organization can decide whether W
yees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization can decide
nd messages and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your o
n data and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organiz
ations and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organi
organization cannot change it.If you disable or do not configure this policy setting employees in your organization can decide whether Wi
alendar and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organ
ra and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organizatio
cess the microphone and employees in your organization cannot change it.If you disable or do not configure this policy setting employees
ss trusted devices and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in
are allowed to access user movements while the apps are running in the background and employees in your organization cannot change i
by using Settings > Privacy on the device.This policy is applied to Windows apps and Cortana.
decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device.This
oose the "Force Deny" option Windows apps are not allowed to communicate with unpaired wireless devices and employees in your organ
control radios and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in you
nd employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization ca
n the background and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in y
If you choose the "Force Deny" option Windows apps are not allowed to take screenshots of various windows or displays and employees i
s are not allowed to turn off the screenshot border and employees in your organization cannot change it.If you disable or do not configure
the http https and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from untruste
ents any 16-bit applications from running. In addition any 32-bit applications with 16-bit installers or other 16-bit components cannot run.I
Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the eng
s policy setting the PCA will be turned on. To configure the diagnostic settings for the PCA go to System->Troubleshooting and Diagnostics
flects those changes.
avior for autorun to: a) Completely disable autorun commands or b) Revert back to pre-Windows Vista behavior of automatically
e this setting to enable Autoplay on drives on which it is disabled by default. If you disable or do not configure this policy setting Auto
ets their logon credentials.
play the computer's top-level folder view when the user chooses the option to save the recovery password in a folder.Note: This policy setti
not configure this policy setting BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the "Choose drive encryption meth
bit or 256-bit) as the "Choose drive encryption method and cipher strength (Windows Vista Windows Server 2008 Windows 7)" policy setti
g BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.
assword as a text file and the 256-bit recovery key as a hidden file. Saving to a folder will store the 48-digit recovery password as a text file
ewly attached Thunderbolt devices before exposing the new devices to Windows.
tification field on the drive matches the value configured in the identification field. In a similar manner BitLocker will only update the BitLoc
mation about setting up AD DS backup for BitLocker is available on Microsoft TechNet.BitLocker recovery information includes the recovery
u enable this policy setting the object identifier specified in the "Object identifier" box must match the object identifier in the smart card ce
x to help prevent users from running BitLocker To Go Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is prese
owed required or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.Select "Omit recovery options from the
-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypt
this policy setting users can configure a password that meets the requirements you define. To require the use of a password select "Requi
rds can be used to authenticate user access to a BitLocker-protected drive.
ng the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
hanged with the server to unlock the computer. You can use the group policy setting "Computer Configuration\Windows Settings\Security
nabled and the hardware is capable of using Secure Boot for BitLocker scenarios the "Use enhanced Boot Configuration Data validation pr
ery information" select whether users are allowed required or not allowed to generate a 48-digit recovery password or a 256-bit recovery
kout period back to default if the TPM is reset.
very URL is available include it in the message.If you select the "Use custom recovery URL" option the URL you type in the "Custom recove
assword or recovery key be provided to unlock the drive.If you disable or do not configure this policy setting the TPM uses the default platf
omputers using native UEFI firmware.If you enable this policy setting before turning on BitLocker you can configure the boot components t
r computers with UEFI firmware with a CSM enabled.If you enable this policy setting before turning on BitLocker you can configure the bo
rdware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is
ve.If you enable this policy setting users can configure a password that meets the requirements you define. To enforce complexity requirem
n a device that uses the Windows touch keyboard.Note that if you do not enable this policy setting options in the "Require additional authe
drive is authenticated and the drive is accessible. If the USB key is lost or unavailable or if you have forgotten the password then you will n
a startup key is needed on computers without a compatible TPM. Without a TPM BitLocker-encrypted data is protected solely by the key m
controls boot debugging (0x16000010) will always be validated and will have no effect if it is included in the provided fields.
e drives" check box to help prevent users from running BitLocker To Go Reader from their removable drives. If BitLocker To Go Reader (bit
users are allowed required or not allowed to generate a 48-digit recovery password or a 256-bit recovery key.Select "Omit recovery option
dware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is en
e a password that meets the requirements that you define. To require the use of a password select "Require password for removable data
tting smart cards are available to authenticate user access to a BitLocker-protected removable data drive.
rotection.If you do not configure this policy setting users can use BitLocker on removable disk drives.If you disable this policy setting users
licy setting.If you disable or do not configure this policy setting all removable data drives on the computer will be mounted with read and w
on level please use the "Allow Diagnostic Data" policy and to restrict users on this device from changing the diagnostic data level please u
alue disables the "Optional diagnostic data" control in the Settings app. - Send optional diagnostic data. Additional diagnostic data is coll
Allow Diagnostic Data" policy setting or by the end user from the Settings app.
tools and APIs.
ent bypass" option SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen
tocol associations.
do not configure this policy setting the protocol is in the protected mode allowing applications to only open a limited set of folders.
the paths point to different network shares this policy setting is not required. If the paths point to the same network share any data conta
ble or do not configure this policy setting the user can configure their list of search providers unless another policy setting restricts such co
lorer notifies the user when newly installed add-ons are ready for use. The user must choose to activate them by responding to the notific
ersion 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary version 77 or laterIf the Windows Update for th
he shortcuts to these bars.If you enable this policy setting the navigation bar the menu bar and the Command bar are not visible and the u
rosoft Edge.Related policies:- Send all intranet sites to Internet Explorer (‘SendIntranetToInternetExplorer’)- Send all sites not included in t
rusted Sites Zone• 1 - Local Intranet Zone• 0 - Local Machine Zone• 6 - Intranet and Trusted site zones only Binary Representation - 0011
operation for the phishing filter.
a custom administrative template file. For information about creating this custom administrative template file see the Internet Explorer d
ministrative Templates\Windows Components\Internet Explorer\Internet Control Panel) which removes the Security tab from the interfac
olicy is ignored.Also see the "Security zones: Use only machine settings" policy.
continue to open in Internet Explorer 11.

l quickly grow to use the specified integer number of tab processes regardless of the physical memory on the computer or how many Inte
ceeds the threshold. This is the default.

rocess prevail.
is not 0 or 1 the policy setting is ignored.If you enable this policy setting for an application or process in the list a script can perform a Clip
orer uses a current user agent string. Additionally all Standards Mode webpages appear in the Standards Mode available in the latest vers
7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.If you do not configure this po
wsing history.
Do Not Track data is preserved when the user clicks Delete.If you disable this policy setting ActiveX Filtering Tracking Protection and Do N
olor settings""Disable changing font settings""Disable changing language settings""Disable changing accessibility settings"
this setting by using Advanced Options in Internet Control Panel. By default domain names are converted to IDN format only for addresse
selecting this option Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific exce
t users to install them.
r identities before downloading them to user computers.

registry and the file system.When Enhanced Protected Mode is enabled and a user encounters a website that attempts to load an ActiveX
les folder when browser windows are closed.
do not configure this policy setting the user can select which encryption method the browser supports.Note: SSL 2.0 is off by default and i
This feature is turned off by default.
configure this policy users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options dialog
ange this option to start with the tabs from the last session.
a on their computers.
store data on their computers.
tting.If you disable or do not configure this policy setting Internet Explorer will use the default maximum storage limit for all application cac
you disable or do not configure this policy setting Internet Explorer will use the default maximum storage limit for all indexed databases. T
ces. The default is 50 MB.
ou disable or do not configure this policy setting Internet Explorer will use the default maximum application cache resource list size for all a
) the same change should be made to the Locked-Down equivalent.Note. It is recommended to configure template policy settings in one G
special security settings that protect your local computer.)If you enable this policy setting you can enter a list of sites and their related zon
user turns off the Notification bar.

or ADO to access data from another site in the zone.
blocked.If you do not configure this policy setting the Notification bar will appear to allow control over questionable content accessed ove
de Internet Explorer.
es inside Internet Explorer.
custom thumbnails it is the zone of the thumbnail that is checked not the zone of item. Typically these are the same but a source is able t
windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as
in specified zones.
age and nonsecure content cannot be displayed.If you do not configure this policy setting the user will receive the security information me
stination are in different windows. Users can change this setting in the Internet Options dialog.In Internet Explorer 9 and earlier versions i
when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.In Internet Explorer
onfigure this policy setting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
on the pages in this zone.

se (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server the logon uses the user's network
automatically installed on users' computers.If you disable this policy setting permissions are set to high safety.If you do not configure this
forms on pages in this zone to be submitted.
ectly within a Web page saved to disk.

y setting Web sites from less privileged zones can open new windows in or navigate into this zone.
be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
urity zone runs without the added layer of security provided by this feature.
in specified zones.

automatically.

y setting Web sites from less privileged zones can open new windows in or navigate into this zone.
ADO to access data from another site in the zone.
in specified zones.
onfigure this policy setting users are queried whether to allow the control to be loaded with parameters or scripted.
out user intervention.

automatically.
etting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protection fro
in specified zones.
e as dictated by the feature control setting for the process.


be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.
in specified zones.

automatically.

in specified zones.

automatically.

in specified zones.
pages in this zone.

directly within a Web page saved to disk.

in specified zones.
automatically.

ed protocols is blocked.If you do not configure this policy setting all attempts to access such content over the restricted protocols is blocke
in specified zones.
pages in this zone.

directly within a Web page saved to disk.

in specified zones.
onfigure this policy setting users are queried whether to allow the control to be loaded with parameters or scripted.

automatically.
y setting a warning is issued to the user that potentially risky navigation is about to occur.
e user can select their preference for this behavior. Browsing to the top-result website is the default.
n the Use Windows Search setting on or off.Note: If you enable this policy setting feeds do not appear in the Address bar. This does not aff
dows 8 if the "Do not display the reveal password button" policy setting located in Computer Configuration\Administrative Templates\Wi
t. The CLSID should be in brackets for example ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obtained
cy setting.If you enable this policy setting Internet Explorer only allows add-ons that are specifically listed (and allowed) through the 'Add-o
lue Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter Internet Explorer processes in this list because these
nd Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.For more information see "O
nly VML will be allowed in zones set to 'admin-approved'.Note. If this policy is set in both Computer Configuration and User Configuration
xplorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box
policy setting Internet Explorer requires consistent MIME data for all received files.
file-type information is allowed to be inconsistent. The Value Name is the name of the executable. If a Value Name is empty or the Value
plied to local files or content processed by any process other than Internet Explorer or those defined in a process list.
ternet Explorer.If you do not configure this policy setting the Local Machine zone security applies to all local files and content processed by
rer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setti
nabled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the secu
cedence over that setting.If you disable or do not configure this policy setting the policy setting is ignored.
tting the policy setting is ignored.

y setting is ignored.Do not enter the File Explorer or Internet Explorer processes in this list: use the related Internet Explorer Processes pol
ed protocols to access my computer."Note. If policy for a zone is set in both Computer Configuration and User Configuration both lists of
or IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting. If you d
sses policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this
t Explorer processes.
Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter th
nfigure this policy setting the security feature is allowed.

ble or do not configure this policy setting the security feature is allowed.
not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If
bars. The user can enable or disable incompatible toolbars. Toolbars that are enabled or disabled via policy settings do not undergo these c
Disabled. This setting does not affect whether users can sign in to devices by using Microsoft accounts or the ability for users to provide M
bled the service will remain running. If both are disabled the service will be stopped.
havior. It is recommended that you leave this policy setting unconfigured.

the device. Setting to 2 (Never send) means the “Block at First Sight” feature will not function. Real-time Protection -> The “Scan all dow
y you or contact you. Possible options are: (0x0) Disabled (default) (0x1) Basic membership (0x2) Advanced membership Basic me
e-value pair: - Name column: Enter a valid ASR rule ID - Value column: Enter the status ID that relates to state you want to specify for t
ed: - Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to write to disk sectors
ditional trusted applications in the Configure allowed applications GP setting.
e detections (0x2) High blocking level - aggressively block unknowns while optimizing client performance (greater chance of false positiv
disable this setting definition retirement will be disabled.

or if the value does not exist resolves to the default (0). If you enable this setting the specified type of monitoring will be enabled. If yo
etting security intelligence update sources will be contacted in a default order.
ess we recommend that camera and microphone privacy settings be turned off on the user’s device when they are not needed.
or drivers might pose a risk to the host device.If you disable or don’t configure this setting Microsoft Defender Application Guard uses soft
ed by using the content options:- 1. Allows text copying.- 2. Allows image copying.- 3. Allows both text and image copying.If you disable or
s GP setting set to Enabled must be able to access the XML file otherwise the settings will not be applied.EnabledSpecify the location of the
the user-defined setting "Show search and site suggestions as I type".

n’t used during browser navigation.
an integrated development environment (IDE) which is located at:Computer Configuration > Administrative Templates > Windows Compo
Standards (https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link(s) you wish to add: <https:
ation manages some settings.If not configured the favorites bar is hidden but is visible on the Start and New Tab pages and the favorites ba
ads the URL specified in the Set Home Button URL policy.- Hide home button is selected the home button is hidden in Microsoft Edge.Defa
many apps Microsoft Edge runs as normal.If enabled and set to 1:- If it’s a single app it runs a limited multi-tab version of InPrivate and is t
configure Microsoft Edge in assigned access then this policy does not take effect.
configured make the changes to the Configure Open Microsoft Edge With policy and then enable the Disable Lockdown of Start Pages polic
ge or previous page in the Configure Open Microsoft Edge With policy Microsoft Edge ignores the Configure Start Pages policy. If not confi
eNote Web Clipper and Office Online extension.When enabled removing extensions from the list does not uninstall the extension from th
oft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link you wish to add: <https://fabrikam.com/opensearch.xml>N
c. This could use OneDrive Work Folders SharePoint or any other engine that uses a local folder to synchronize data between users’ comp
ndows.
the settings template catalog. If there are custom templates in the settings template catalog which use the same ID as the default Micros
zation.If you do not configure this policy setting any defined values will be deleted.
emains accessible through the Control Panel and the Start menu or Start screen.If you do not configure this policy setting any defined value
tting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop collectio

disabled.If you do not configure this policy setting any defined values will be deleted.
on settings. If any of the Microsoft Office Suite 2010 applications are enabled this policy setting should not be disabled If you do not config
on settings. If any of the Microsoft Office Suite 2013 applications are enabled this policy setting should not be disabled.If you do not configu
on settings. If any of the Microsoft Office Suite 2016 applications are enabled this policy setting should not be disabled.If you do not configu
E-V.If you do not configure this policy setting any defined values will be deleted.
ns continue to synchronize with UE-V.If you disable this policy setting user settings which are common between the Microsoft Office Suite
ns continue to synchronize with UE-V.If you disable this policy setting user settings which are common between the Microsoft Office Suite
ou do not configure this policy setting any defined values will be deleted.
ou do not configure this policy setting any defined values will be deleted.
on with UE-V.If you do not configure this policy setting any defined values will be deleted.
ation with UE-V.If you do not configure this policy setting any defined values will be deleted.
with UE-V.If you do not configure this policy setting any defined values will be deleted.
m synchronization with UE-V.If you do not configure this policy setting any defined values will be deleted.
m synchronization with UE-V.If you do not configure this policy setting any defined values will be deleted.
UE-V.If you do not configure this policy setting any defined values will be deleted.
UE-V.If you do not configure this policy setting any defined values will be deleted.
zation with UE-V.If you do not configure this policy setting any defined values will be deleted.
zation with UE-V.If you do not configure this policy setting any defined values will be deleted.
esigner 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy setting any defined values will b
you do not configure this policy setting any defined values will be deleted.
ke changes using the Windows To Go Startup Options Control Panel item.
disable or do not configure this policy setting the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requ
008 license server will issue a Windows Server 2008 TS CAL if available to the following:* A client connecting to a Windows Server 2003 ter
e RDC client. When a user starts an RDP session the user is asked to confirm whether they want to connect.If you disable this policy settin
Session Host server without authenticating the RD Session Host server.Do not connect if authentication fails: The client establishes a conn
check box on the Log on Settings tab in Remote Desktop Session Host Configuration.If you disable or do not configure this policy setting th
configure this policy setting for the computer the list of certificate thumbprints trusted for a user is a combination of the list defined for the
Remote tab in the System properties sheet. By default remote connections are not allowed. Note: You can limit which clients are able to co
e Desktop Connection.
w often in minutes the server checks the session state. The range of values you can enter is 1 to 999999.If you disable or do not configure t
or from the command line.
e maximum for the server. To specify an unlimited number of connections type 999999.If the status is set to Enabled the maximum numbe
e the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection and
ator to watch the session of a remote user without the user's consent.If you disable this policy setting administrators can interact with a us
indows Server 2008 or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer
f you disable this policy setting audio recording redirection is not allowed even if audio recording redirection is specified in RDC.If you do n
you opened in a remote session.If you disable this policy setting UI Automation clients running on your local computer can't interact with
on is always allowed if Clipboard redirection is allowed.If you do not configure this policy setting client drive redirection and Clipboard file
ure this policy setting users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server
that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Servic
log on as a local administrator.
n Host. If you disable or do not configure this policy setting the licensing mode is not specified at the Group Policy level.
ion Host server.If you disable or do not configure this policy setting the RD Session Host server does not specify a license server at the Gro
t found the client's printer is not available. This is the default behavior."Default to PCL if one is not found" - If no suitable printer driver can
he RD Session Host server does not have a printer driver that matches the client printer the server tries to use the Remote Desktop Easy P
mum size that you have specified the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming u
of \\Computername\Sharename. Do not specify a placeholder for the user account name because Remote Desktop Services automatically
esktop Services automatically appends this at logon.Note: The Drive Letter field is ignored if you choose to specify a local path. If you choo
Profile" policy setting.
m name is not specified at the Group Policy level. Notes: 1. This policy setting is not effective unless both the Join RD Connection Broker
s policy setting the policy setting is not specified at the Group Policy level.Notes: 1. For Windows Server 2008 this policy setting is suppor
ker and user session tracking is not performed. If the policy setting is disabled you cannot use either the Remote Desktop Session Host Co
s of the RD Session Host server is not sent to the client. Instead the IP address is embedded in a token. When a client reconnects to the lo
er. If an initial program is not specified the desktop is always displayed on the remote computer after the client connects to the remote co
mory usage and bandwidth is used.You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compressio
high quality. If you enable this policy setting and set quality to High RemoteFX Adaptive Graphics uses an encoding mechanism that resu
e to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1 and does not affect
on depending on the client configuration.If the status is set to Not Configured the default behavior applies.
tions is not specified at the Group Policy level.Note:1.Setting the color depth to 24 bits is only supported on Windows Server 2003 and Win
s tab in the Remote Desktop Session Host Configuration tool.
g also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server
e executable file to be run when the user logs on. If necessary in Working Directory type the fully qualified path to the starting directory fo
graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affecte
over LAN connections and RDP 7.1.If you disable this policy setting RemoteFX will be disabled.If you do not configure this policy setting th
default Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disa
utomatically by supplying their passwords in the Remote Desktop Connection client.If you do not configure this policy setting automatic lo
method of managing user access is by adding a user to the Remote Desktop Users group.
.Note: The RPC interface is used for administering and configuring Remote Desktop Services.
ns but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended.* RDP:
hrase Network Level Authentication supported.If you disable this policy setting Network Level Authentication is not required for user auth
nd that was created with the specified certificate template the RD Session Host server will issue a certificate enrollment request and will u
nd from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clie
s its time-out limit.If you disable this policy setting Remote Desktop Services always disconnects a timed-out session even if specified other
ote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to en
lows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a sessi
ehavior that disconnected sessions are maintained for an unlimited time select Never. If you have a console session disconnected session ti
less specified otherwise by the server administrator.Note: This setting only takes effect if per-session temporary folders are in use on the s
n the remote computer.If you disable this policy setting per-session temporary folders are always created even if the server administrator
sults.aspx?SearchString=$wThis adds intranet search location to:1) The Windows Deskbar2) The Desktop Search results search box3) The W
re XXXX is the locale ID of your WSS Service. For example the English locale ID is 1033.http://sitename/_layouts/XXXX/searchresults.aspx?S
or the location of the index to maintain security for encrypted files.
b or display web results in Search" policy setting queries won't be performed on the web over metered connections and web results won't
"Enable Indexing of Uncached Exchange Folders" policy has no effect on online delegate mailboxes. To stop indexing of online mailboxes a
omponents. If your users have Administrator permissions or can install software this policy prevents them from specifically using Windows
t.If you do not congifure this policy setting the Security Center is turned off for domain members. If you enable this policy setting Security
ws 2003 Server will be shown otherwise the the certificate with the expiration time furthest in the future will be shown. Note: This settin
certificate from those cards that do not support retrieval of all certificates in a single call. Certificates other than the default will not be av
. If you disable the subject name will be displayed as it appears in the certificate.
etting in the Input Panel Options dialog box.If you do not configure this policy Input Panel will provide text prediction suggestions. Users w
t Panel Options dialog box.If you do not configure this policy Input Panel will appear next to text entry areas in applications where this beh
g box.If you do not configure this policy Input Panel will appear next to text entry areas in applications where this behavior is available. Us
Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy rarely used Chinese Kanji and
tab in Input Panel Options.Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “P
complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this setting
ptions dialog box. If you enable this policy and choose “Medium-Low” from the drop-down box password security is set to “Medium-Low.”
ant" users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users will no
en if this setting is Disabled or Not Configured.Note: This setting appears in the Computer Configuration and User Configuration folders. If b
ng in User Configuration.Tip: This setting affects existing tasks only. To prevent users from changing the properties of newly created tasks
Scheduled Tasks folder. To prevent this action use the "Prohibit Drag-and-Drop" setting.Note: This setting appears in the Computer Config
edence over the setting in User Configuration.
WDAC policy will prevent all applications from reaching Microsoft endpoints. This firewall setting is not supported on all versions of Wind
ent bypass" option SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen
default values are applied for any Windows Error Reporting policy settings that are not configured (even if users have changed settings by
ed user settings in Control Panel for Windows Error Reporting are applied.
computers that are running Windows XP Personal Edition and Windows XP Professional Edition and disable notification by default on com
inistrator is prompted to send them or until the administrator sends them by using the Solutions to Problems page in Control Panel.The M
onfigure this policy setting users can enable or disable Windows Error Reporting in Control Panel. The default setting in Control Panel is Up
s for applications on this list setting and edit the list of application file names in the Show Contents dialog box. The file names must include
gure this policy setting errors are reported on all Microsoft and Windows applications by default.
o report all application errors.If this policy setting is enabled the Exclude errors for applications on this list setting takes precedence. If an a
rmined (within a high probability) does not contain personally-identifiable information is sent automatically and Windows prompts the us
tion and Windows prompts the user for consent to send any additional data requested by Microsoft.- 3 (Send parameters and safe additio
med elevated tasks without signing-out.This policy setting is incompatible with Windows Hello for Business credentials provisioned when t
ir PIN they must delete their existing PIN and create a new one and they will have to to re-register with any services to which the old PIN p
ws Hello provisioning after sign-in" Windows Hello for Business does not automatically start provisioning after the user has signed in.If yo
es a user to lock and unlock their session after changing this setting if the user is currently signed in.
only when the installation program is running in a privileged security context in which it has access to directories denied to the user.This p
h elevated privileges such as installations offered on the desktop or displayed in Add or Remove Programs.
tall patches to programs that run in their own security context. Also see the "Prohibit patching" policy setting.
p or displayed in Add or Remove Programs only system administrators can install from removable media.Also see the "Prevent removable
administrator does not distribute or offer.Note: This policy setting appears both in the Computer Configuration and User Configuration fo
0 the Windows Installer will use available free space for the baseline file cache. If you disable or do not configure this policy setting the
e Windows Installer will use less restrictive rules for component upgrades.
levated products" policy setting.
r is an administrator whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set and whether
ure system files. However because an incomplete installation can render the system or a program inoperable do not use this policy setting
ndows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager f
istered in their user profile.
rivileges such as installations offered on the desktop or in Add or Remove Programs. This policy setting affects Windows Installer only.
y setting Windows Installer stores transform files in the Application Data directory in the user's profile.If you do not configure this policy se
Logging policy.If you disable or do not configure this policy setting Windows Installer will automatically generate log files for those packag
ktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 fam
s protection for system components and data but may be needed in certain circumstances to successfully update boot-critical component
000 mixed functional level domains if you enable this setting a warning message will appear that Windows could not retrieve the informati
configure its settings through the ConfigAutomaticRestartSignOn policy which configures the mode of automatically signing in and locking
tions normally and will connect to the Internet (or intranet) to acquire licenses download security upgrades and perform license restoratio
: This policy setting is available under both Computer Configuration and User Configuration. If both are present the Computer Configuratio
r the execution events of a module or snap-in are logged. By default the LogPipelineExecutionDetails property of all modules and snap-ins
e Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
sabled by default although transcripting can still be enabled through the Start-Transcript cmdlet. If you use the OutputDirecto
uter Configuration" has precedence over "User Configuration."If you disable or do not configure this policy setting it reverts to a per-mach
cified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses and the IPv6 filter specifies one or more ra
y settingany values that were previously configured for RunAsPassword will need to be reset.
el binding token is accepted (though it is not protected from credential-forwarding attacks). If HardeningLevel is set to None all reque
situations where the effect of this setting depends on the operating system: Hide/Restore updates and Cancel an install.On XP: If you enab
ct if the Computer Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and S
en Windows Update wakes it up it will not install updates and the system will automatically return to sleep in 2 minutes.
figured to perform scheduled installations of updates. If the "Configure Automatic Updates" policy is disabled this policy has no effect.
tically executed within the specified period.If you do not specify a deadline or if the deadline is set to 0 the PC won't automatically restart a
the notification as appropriate.In Windows 7 this policy setting will only control detailed notifications for optional applications. In Window
installed Windows finds updates that apply to the computer and downloads them in the background (the user is not notified or interru
ity updates to guarantee users a minimum time to manage their restarts once updates are installed. Users will be able to schedule restarts
policy is not supported on Windows RT. Setting this policy will not have any effect on Windows RT PCs.
ured to support client-side targeting. If the "Specify intranet Microsoft update service location" policy is disabled or not configured this po
alternate download server instead of the intranet update service. If the status is set to Enabled the Automatic Updates client connects
or in addition to such.
ed by Microsoft. The Release Preview Channel is where we recommend companies preview and validate upcoming Windows 10 releases b
porarily pause Feature Updates. The pause will remain in effect for 35 days from the specified start date or until the field is cleared (Quality
his policy setting Work Folders uses the "Force automatic setup" option of the "Specify Work Folders settings" policy setting to determine
this the policy string must contain a semicolon-delimited list of settings page identifiers. The identifier for any given settings page is the pu
d Server SKUs.
e for all languages even when handwriting personalization is available. See Tablet PC Help for more information.If you enable this policy se
cal accounts and credential theft see "Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques": http://www.microso
vation" option is the only way to restore default behavior after either of the "Block" options has been applied. We do not recommend con
Y CIRCUMSTANCES!Changes to this setting require a reboot to take effect.For more information see https://support.microsoft.com/kb/269
us/previous-versions/windows/internet-explorer/ie-developer/general-info/ee330734(v=vs.85)#restrict-jscript-at-a-process-level
port.microsoft.com/kb/2871997 and http://blogs.technet.com/b/srd/archive/2014/06/05/an-overview-of-kb2871997.aspx .

ettings it is possible to control BITS peer caching functionality at a more detailed level. However it should be noted that the "Allow BITS pe
se the limit on the speed of the network link not the computer's network interface card (NIC). This policy setting does not affect Peercach
it the default value of 30 percent of the slowest active network interface will be used. Note: This setting has no effect if the "Allow BI
ng - Transfer unless surcharge applies (when not roaming or overcap) - Transfer unless nearing limit (when not roaming
Note: The bandwidth limits that are set for the maintenance period supersede any limits defined for work and other schedules.
Monday through Friday and then set the limit to 512 Kbps for nonwork hours. If you disable or do not configure this policy setting BI
ue of 90 (days) will be used for the inactive job timeout.
s by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache latenc
heir operating system.- Enabled. With this selection this policy setting is applied to client computers based on the value of the option setti
g can only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Wi
e servers hosted cache mode is not turned on and the client uses any other configuration that is specified manually or by Group Policy.Wh
Because the domain Group Policy setting is not configured it will not over-write the client computer cache age setting that you use on indi
nd then configure local computer policy to enable BranchCache on individual client computers. Because the domain Group Policy setting i
o not want to enable BranchCache on all client computers you can specify Not Configured for this domain Group Policy setting and then co
e client computer cache settings on individual client computers. Because the domain Group Policy setting is not configured it will not over
dividual client computers. Because the domain Group Policy setting is not configured it will not over-write the enabled setting that you use
IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:http://myserver.corp.contoso.com/ or HTTP:http://2002:836b:
orary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is
ist.If attaching suffixes is allowed and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the D
"microsoft.comserverua.microsoft.comoffice.microsoft.com" to specify multiple suffixes.If you enable this policy setting one DNS suffix is a
d name resolution policy setting is disabled or not configured.
global suffix search list is configured using Group Policy.If a global suffix search list is not configured and the Append primary and connecti
og box.Devolution is not enabled if a global suffix search list is configured using Group Policy.If a global suffix search list is not configured an
r example with a computer name of mycomputer a primary DNS suffix of microsoft.com and a connection specific DNS suffix of VPNconne
ding A records was successful.If you disable this policy setting or if you do not configure this policy setting computers will use locally config
records.To specify the registration refresh interval click Enabled and then enter a value of 1800 or greater. The value that you specify is th
e this policy setting DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic u
use on individual servers where you want to enable BranchCache.- Enabled. With this selection hash publication is turned on for all file se
nd V2 hash generation and retrieval are supported.- Enabled. With this selection the policy setting is applied and the hash version(s) that a
ble to a variety of man-in-the-middle attacks that can result in data loss data corruption and exposure to malware. Additionally any data w
verse failover times and increased memory and CPU usage.
o not configure this policy setting the default behavior for the Responder will apply.
tting; insert the fully qualified domain name or IPv6 address of the corporate seed server; and check the checkbox. Using the corporate see
l publish the computer or will use multicast to search for other computers on the local subnet.The multicast protocol used for bootstrappi
cloud scope.If you disable or do not configure this policy setting all PNRP clouds are turned on by default and PNRP creates a cloud if the c
will publish the computer or will use multicast to search for other computers on the local subnet.The multicast protocol used for bootstrap
will publish the computer or will use multicast to search for other computers on the local subnet.The multicast protocol used for bootstrap
) and the Internet Connection Firewall service cannot run on the computer. The option to enable the Internet Connection Firewall through
Advanced tab in the properties dialog box for a LAN or remote access connection is available. In addition the user is presented with the opti
ss and the Internet is not routed through the internal network.

SDDL format see the Windows Defender Firewall deployment information at the Microsoft Web site (http://go.microsoft.com/fwlink/?Link
end those messages to or from this computer. If you enable this policy setting and allow certain message types then later disable this polic
Defender Firewall component of Control Panel the "File and Printer Sharing" check box is cleared and administrators cannot select it.If yo
ewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP a
el the "Remote Desktop" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defen
nder Firewall does not open the ports. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is
gure Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security to specify that local
tor snap-in and configure Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Securit
disable this policy setting Windows Defender Firewall does not record information in the log file. If you enable this policy setting and Wind
to the local port exceptions list that is defined by the Windows Defender Firewall component in Control Panel also enable the "Windows
Show button. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a program click its definition
ncoming connections" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defende
x is selected by default and administrators can change it.
erfere with the NetBIOS messages that detect name conflicts.
end those messages to or from this computer. If you enable this policy setting and allow certain message types then later disable this polic
Defender Firewall component of Control Panel the "File and Printer Sharing" check box is cleared and administrators cannot select it.If yo
ewall allows the computer to receive the unsolicited incoming messages associated with remote administration. You must specify the IP a
el the "Remote Desktop" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defen
nder Firewall does not open the ports. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is
gure Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Security to specify that local
tor snap-in and configure Computer Configuration\Windows Settings\Security Settings\Windows Defender Firewall with Advanced Securit
disable this policy setting Windows Defender Firewall does not record information in the log file. If you enable this policy setting and Wind
to the local port exceptions list that is defined by the Windows Defender Firewall component in Control Panel also enable the "Windows
Show button. In the Show Contents dialog box type a definition string that uses the syntax format. To remove a program click its definition
ncoming connections" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defende
x is selected by default and administrators can change it.
erfere with the NetBIOS messages that detect name conflicts.
solation.Example: [3efe:3022::1000];18.0.0.1;18.0.0.2 For more information see: http://go.microsoft.com/fwlink/p/?LinkId=234043
s to automatically discover your private network hosts.Example: 3efe:1092::/9618.1.1.1/10 For more information see: http://go.microsoft
onfiguration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over t
ected Work Offline mode. This mode is in effect when a user selects the Work Offline button for a specific share. When selected all configu
pecific UNC paths. We recommend that you always specify a value for Latency since the round-trip network latency detection is faster. Yo
ched files is limited to 10 percent of the system drive by default but users can change it.Tip: To change the amount of disk space used for a
atency of the network above which files should be transparently cached in the Offline Files cache. If the round trip latency of the network
ated network copy is not. The user cannot encrypt Offline Files through the user interface.If you do not configure this policy setting encryp
r hosting the offline file is reconnected to the network.Note: This setting appears in the Computer Configuration and User Configuration fo
es cache is located. The limit for automatically cached files is 100 percent of the total disk space limit.If you do not configure this policy se
m setting custom actions through the Offline Files tab. However users are unable to change any custom actions established via this settin
k the Offline Files tab and then click "View Files."
le this setting. You do not have to disable any other settings in this folder.
ons and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option.
guration folders. If both policy settings are configured the policy settings are combined and the "Make Available Offline" command is unav
ffline use by Group Policy.Note: This setting appears in the Computer Configuration and User Configuration folders. If both policy settings ar
nce over the setting in User Configuration.Tip: To change the synchronization method without changing a setting in Windows Explorer on
erforms a quick synchronization by default but users can change this option.This setting appears in the Computer Configuration and User C
n and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting
alid Communities configured on the local computer instead.Best practice: For security purposes it is recommended to restrict the HKLM\SO
HKLM\SOFTWARE\Policies\SNMP\Parameters\PermittedManagers key to allow only the local admin group full control.Note: This policy s
f the SNMP agent is not installed on the client computer.Also see the other two SNMP settings: "Specify permitted managers" and "Specif
and connectivity with 6to4 will not be available.
ace configured with a link-local address.Policy Disabled State: No ISATAP interfaces are present on the host.
nected to the network and continues to use it. For example if the network connection is currently being used to download files from the In
ways preferred when connected. Users can still manually connect to any network. This was previously the Enabled state for this policy setti
network in violation of this policy setting the existing network connection is disconnected and the manual connection is allowed.- When th
y my contacts" and "Enable paid services" will be turned off and users on this device will be prevented from enabling them.If this policy se
nfigure this policy setting employees in your organization can decide whether Windows apps can access cellular data by using Settings > N
rol Panel\Printers.
net" page click "Network and Sharing Center". On the Network and Sharing Center page click "Change advanced sharing settings". On the A
etting the default limit is applied. In Windows 8 and later Bluetooth printers are not shown so its limit does not apply to those version
ning Retry" settings to adjust the contact interval and number of contact attempts.
ote: This policy does not determine whether offline printing will be available to the client. The client print spooler can always queue print
and the user does not type a location as a search criterion the system searches for a nearby printer based on the IP address and subnet ma
tting in this setting folder and the "Browse a common web site to find printers" setting in User Configuration\Administrative Templates\Co
configure or disable this setting the default values are used. Note: This setting is used only on domain controllers.
kernel-mode printer drivers as they cannot be installed and associated with a print queue.
ou must explicitly enable this policy setting for other versions of Windows (for example Windows Enterprise and all versions of Windows S
drivers loaded by applications. Print drivers loaded by the print spooler are not affected.-This policy setting is only checked once during the
he event log. If you disable or do not configure this policy setting the contact events are not recorded in the event log. Note: Thi
ignature of all drivers that are downloaded from print servers.If this setting is disabled or not configured package point and print will not b
uters can point and print to any server. -Windows Vista computers will show a warning and an elevated command prompt when user
on field by default.If you disable this setting or do not configure it Location Tracking is disabled. Printer proximity is estimated using the st
You can enable this setting to change the default behavior. To use this setting select one of the following options from the "Prune non-rep
er-name\Recent folder.Also see the "Remove Recent Items menu from Start Menu" and "Clear history of recently opened documents on e
in Start" in Settings.
Users cannot customize their Start screen while this setting is enabled.If you disable this setting or do not configure it the Start screen lay
n the background. No reboots or service restarts are required for this policy setting to take effect.
on" for supported versions.)If you disable this policy setting the Shutdown Event Tracker is not displayed when you shut down the compu
h settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.
tions Control Panel.
Note: An environment variable may be used (for example %windir%) as long as it is defined on the system. For example %programfiles%
o not configure this policy setting or if the required files cannot be found at the locations specified in this policy setting the files will be dow
ndard Access Denied message.
sable package refresh select 0. User Publishing Refresh Interval Unit: Specifies the interval unit (Hour 0-23 Day 0-31).
list) one or more of the oldest records (top of the list) will be deleted to make room. A warning will be logged to the Client log and the eve
can contain sensitive or private information such as passwords or user data.
ault credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which th
ERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERM
represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the
he SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted wh
es (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is pe
tted to any machine.Note: The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one
neTERMSRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session
machineTERMSRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop S
s.fabrikam.com machineTERMSRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Re
to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information
Restricted Admin to connect to remote hosts.If you disable or do not configure this policy setting Restricted Admin and Remote Credentia
the setting and then remove the policy from each computer with a physically present user.
ock" option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature you
hes source locations for device drivers.

r layer in the hierarchy specifically prevents that installation such as the following policy settings:- Prevent installation of devices that matc
ecifically prevents that installation such as the following policy settings:- Prevent installation of devices that match any of these device inst
layer in the hierarchy specifically prevents that installation such as the following policy settings:- Prevent installation of devices for these d
vers that match these device IDsDevice setup class5. Prevent installation of devices using drivers that match these device setup classes6.
atch any of these device instance IDs" policy setting.If you disable or do not configure this policy setting Windows is allowed to install or u
ktop client to the remote desktop server.If you disable or do not configure this policy setting devices can be installed and updated as allow
mote desktop server the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop serve
device installation policies across all device match criteria" policy setting.If you enable this policy setting Windows is prevented from insta
t configure this policy setting the default behavior is to turn on support for the NV cache.
stem uses the physical space on the volume as the quota limit.Note: To turn on or turn off disk quota management without specifying a se
o write to the volume as long as physical space is available.Note: This policy setting overrides user settings that enable or disable quota en
of whether or not you choose to enforce the disk quota limit.Also this policy setting does not affect the Quota Entries window on the Quo
ntries window changes.Note: To find the logging option in My Computer right-click the name of an NTFS file system volume click Propertie
ab in Volume Properties).If you disable or do not configure this policy setting the disk space available to users is not limited. The disk quota
endering of desktop applications that are positioned on the primary display. Some desktop applications can still be blurry on secondary dis
this list and set its value to 1 DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list an
art drivers to initialize the next time the computer is started.If you disable or do not configure this policy setting the boot start drivers dete
gure this policy setting and the user has redirected folders the folders are redirected on every computer that the user logs on to.Note: If yo
ection policy already deployed for these folders in your existing localized environment.
havior is exactly the same as in Windows 2000: user policy is applied and a roaming user profile is allowed from the trusted forest.If you dis
ng behavior:- If you had originally created the GPO with an English system and then you edit the GPO with a Japanese system the Group P
eference extension will not be applied.Note: There are two conditions that will cause Group Policy to be processed synchronously even if t
a slow network connection Group Policy will only process those client side extensions configured for processing across a slow link (slow ne
ng" option prevents the system from updating affected policies in the background while the computer is in use. When background updates
em from updating affected policies in the background while the computer is in use. When background updates are disabled policy changes
as a telephone line. Updates across slow connections can cause significant delays.The "Process even if the Group Policy objects have not c
The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain contro
e fast.If you disable this setting or do not configure it the system uses the default value of 500 kilobits per second.This setting appears in th
y during periodic background processing" option prevents the system from updating affected policies in the background while the compu
riodic background processing" option prevents the system from updating affected policies in the background while the computer is in use
es the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. How
in the background while the computer is in use. When background updates are disabled policy changes will not take effect until the next
ption updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated
work connection such as a telephone line. Updates across slow connections can cause significant delays.The "Process even if the Group Po
d in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict the user s
om updating affected policies in the background while the computer is in use. When background updates are disabled policy changes will
system from updating affected policies in the background while the computer is in use. When background updates are disabled policy cha
uter Configuration\Administrative Templates\System\GroupPolicy.
avior.) The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the dom
your computer for it to take effect.

90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use select the "Turn off backgrou
er is in use select the "Turn off background refresh of Group Policy" setting.This setting also lets you specify how much the actual update i
ndows 7 configured for workplace connectivity.

his PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
ft. Also see "Events.asp URL" "Events.asp program" and "Events.asp Program Command Line Parameters" settings in "Administrative Temp
to share their writing samples from the handwriting recognition personalization tool with Microsoft.
mponent in Control Panel to enable Windows Customer Experience Improvement Program for all users.
g Windows Server 2008 R2 or earlier operating systems.Note: For the following options of this KDC policy to be effective the Kerberos Gro
it Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public k
erver 2003 Windows 2000 native or Windows 2000 mixed domain controllers cannot provide information about previous logons and enab
ault Kerberos MaxTokenSize for Windows 7 Windows Server 2008 R2 and prior versions.
mpound authentication.
e this policy setting the host name-to-Kerberos realm mappings list defined by Group Policy is deleted.If you do not configure this policy se
pping remove the current entry from the list and add a new one with different parameters.If you disable this policy setting the interoperab
domain enforce the use of Kerberos armoring when possible as supported by the target domain.
ient requires only that the KDC certificate contain the Server Authentication purpose object identifier in the EKU extensions which can be
rberos\Parameters which was added in Windows XP and Windows Server 2003 with a default value of 12000 bytes. Beginning with Windo
DELETE key. To edit a mapping remove the current entry from the list and add a new one with different parameters.If you disable or do no
n is always provided for this computer account.If you disable this policy setting Never will be used.If you do not configure this policy setting
.If you do not configure this policy setting Automatic will be used.
machine level it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level the per-user policy setti
onfigured at the computer level then restrictions will be based on per-User policies.To set this policy on a per-user basis make sure that the
uter unless restricted by the "Disallow selection of Custom Locales" policy setting.If this policy setting is enabled at the computer level it ca
his policy setting on a domain-joined device a user cannot change the amount of time after the device's screen turns off before a password
uter. In addition changes that are made to the user object such as adding a roaming profile path home directory or user object logon scrip
ser Configuration.Tip: To display the welcome screen click Start point to Programs point to Accessories point to System Tools and then clic
eate a customized run list by using a policy setting use the ""Run these applications at startup"" policy setting.Also see the ""Do not proces
ee the ""Do not process the legacy run list"" policy setting.
he system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Confi
tial setup and this policy setting is not configured users new to this computer will not see the animation. Note: The first sign-in animati
ults that originate from the Active Template Library (ATL) thunk layer. PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x0
the negotiation and use of older cryptography algorithms. If you do not configure this policy setting Net Logon will not allow the negotiati
tlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive
ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access whic
ries may be excessive.

to find a DC.If the value for this setting is too small and the DC is not available the frequent retries may produce excessive network traffic
frequency.To specify this behavior click Enabled and then enter a value. The range of values is from 1 to 2.If you do not configure this pol
for NetBIOS domain name based DC location.If you disable or do not configure this policy setting this DC processes incoming mailslot mes
do not configure this policy setting the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-b
default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses th
DC address. This is the default behavior of the DC Locator.If you disable this policy setting DC Locator APIs will ONLY return IPv4 DC addre
figuration.
led and then enter a value. The range of values is from 0 to 2.If you do not configure this policy setting it is not applied to any DCs and DCs
gc._msdcs.<DnsForestName>DsaCname CNAME <DsaGuid>._msdcs.<DnsForestName>Kdc SRV _kerberos._tcp.dc._msdcs.<Dn
nging enabled the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh In
he sites covered by the DC Locator application directory partition-specific DNS SRV records click Enabled and then enter the site names in
Cs and DCs use their local configuration.
and enter the sites' names in a space-delimited format.If you do not configure this policy setting it is not applied to any GCs and GCs use t
f you disable this policy setting Try Next Closest Site DC Location will not be used by default for the computer. However if a DC Locator call
ame resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a sin
s an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case unless the com
ostnamesrvrecord
anel) will be unavailable. However with this policy setting disabled users can still restore the computer to the original state or from a user-c
users or user groups that are allowed to offer remote assistance.To configure the list of helpers click "Show." In the window that opens yo
Remote Assistance: "Allow helpers to only view the computer" or "Allow helpers to remotely control the computer."The "Maximum ticke
thenticate to the Endpoint Mapper Service but they will be able to communicate with the Windows NT4 Server Endpoint Mapper Service.N
mains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using const
PC to maintain basic state information only if the computer has at least 64 MB of memory.-- "Auto2" directs RPC to maintain basic state i
ation for all processes. RPC only generates an error code.-- "On with Exceptions" enables extended error information but lets you disable
Windows Client and the value of "None" used for Server SKUs that support this policy setting. If you enable this policy setting it directs the
90 seconds. The maximum is 7200 seconds (2 hours).If you disable this policy setting the idle connection timeout on the IIS server running
der for DesktopIT:Within GPO B: B.ps1 B.cmdWithin GPO C: C.ps1 C.cmd For DesktopSales GPOs B and C are applied but not GPO A. There
1 C.cmd For Tamara GPOs B and C are applied but not GPO A. Therefore the scripts for GPOs B and C run in the following order for Tamara
hronously"" setting to direct the system to wait for the logon scripts to complete before loading the desktop. An excessively long interval c
s will fail).This setting only takes effect on domain controllers.If not configured domain controllers will default to using their local configur
es the refresh interval settings that are specified in the Server Manager console.Note: The default refresh interval for Server Manager is tw
etting in Storage settings.
olicy setting is used to determine whether the option to configure System Restore is available.
o-specific policy settings.This policy setting takes precedence over any scenario-specific policy settings when it is enabled or disabled. Sce
policy setting is enabled. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to ru
etting the recovery behavior for corrupted files will be set to either the regular (default) silent or troubleshooting only state.If you disable
sole. Note: For Windows Server systems this policy setting applies only if the Desktop Experience optional component is installed and the
No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. This policy setting takes e
s snap-in to the Microsoft Management Console.No system restart or service restart is required for this policy setting to take effect: chang
will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
ers.If you do not configure this policy setting MSDT prompts the user before downloading any additional tools.No reboots or service restar
r critical and other problems by system features and Microsoft. Notify users when troubleshooting has solved a problem.4 = Automatically
ng the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client) Silent (default on Wind
ooting and resolution by default.No reboots or service restarts are required for this policy to take effect: changes take effect immediately.T
rosoft servers that host the Windows Online Troubleshooting Service.

le Windows Boot Performance for resolution by default.This policy setting takes effect only if the diagnostics-wide scenario execution poli
etting the DPS will enable Windows Resource Exhaustion for resolution by default.This policy setting takes effect only if the diagnostics-wi
tting the DPS will enable Windows Shutdown Performance for resolution by default.This policy setting takes effect only if the diagnostics-w
not configure this policy setting the DPS will enable Windows Standby/Resume Performance for resolution by default.This policy setting ta
tting the DPS will enable Windows System Responsiveness for resolution by default.This policy setting takes effect only if the diagnostics-wi
Full" to store the full TPM owner authorization the TPM administrative delegation blob and the TPM user delegation blob in the local regis
navigating to the "Command Management" section and making visible the "On Default Block List" column. The local list of blocked TPM c
here it was once enabled is to a) disable it from group policy and b)clear the TPM on the system.
indows will block the TPM commands in the default list in addition to commands in the Group Policy and local lists of blocked TPM comm
y. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization.This value is
hreshold will prevent the standard user from sending a command to the TPM that requires authorization.The Standard User Lockout Thres
hresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorizatio
folder.Note: If the policy setting is enabled after the profile is created the policy setting has no effect.Note: The policy setting must be con
120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing p
n the user logs off.Important: Do not enable this policy setting if you are using the slow link detection feature. To respond to a slow link th
work connection timeout for user profiles" policy setting) the system applies the other policy settings set in this folder to determine how t
are not correct.By configuring this policy setting you can alter this behavior.If you enable this policy setting Windows will not check the per
gure this policy setting and the user has a roaming profile the roaming profile is downloaded on every computer that the user logs on to.
is 0 seconds and the maximum is 600 seconds.If you disable or do not configure this policy setting Windows waits 30 seconds for user inp
ing user logon when a user profile is deleted and that user subsequently logs on to the machine.If you disable or do not configure this poli
m tries to unload and update the user's registry settings. (You cannot adjust the retry rate.)If you disable this policy setting or do not config
you disable this setting or do not configure it the default behavior occurs as indicated above.If you enable both the "Prevent Roaming Profi
indicated above.Note: This policy setting only affects roaming profile users.
ot consult the user. Instead the system uses the local copy of the user profile. If you have enabled the "Wait for remote user profile" policy
file or standard roaming user profile.Note: There are four ways to configure a roaming profile for a user. Windows reads profile configurati
registry file at the same time every day as long as the user is logged on.For both scheduling options there is a random one hour delay atta
choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share the user's home folde
d DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the d
as set in the "Timeout for dialog boxes" policy setting).Waiting for the remote profile is appropriate when users move between computers
quent time samples are evaluated as potential spikes. Default: 5 LargePhaseOffsetIf a time sample differs from the client computer's lo
s a bitmask controls how W32time chooses time sources outside its own site. The possible values are 0 1 and 2. Setting this value to 0 (Non
y blocks deployment operations of Windows Store apps when using a special profile.
r do not configure this policy setting employees in your organization can decide whether Windows apps can access account information b
s policy setting employees in your organization can decide whether Windows apps can access the eye tracker by using Settings > Privacy o
etting employees in your organization can decide whether Windows apps can access the call history by using Settings > Privacy on the devi
in your organization can decide whether Windows apps can access contacts by using Settings > Privacy on the device.If an app is open wh
rmation about other apps and employees in your organization cannot change it.If you disable or do not configure this policy setting emplo
nization can decide whether Windows apps can access email by using Settings > Privacy on the device.If an app is open when this Group P
your organization can decide whether Windows apps can access location by using Settings > Privacy on the device.If an app is open when
icy setting employees in your organization can decide whether Windows apps can read or send messages by using Settings > Privacy on th
tting employees in your organization can decide whether Windows apps can access motion data by using Settings > Privacy on the device.If
tting employees in your organization can decide whether Windows apps can access notifications by using Settings > Privacy on the device.I
zation can decide whether Windows apps can access tasks by using Settings > Privacy on the device.If an app is open when this Group Pol
tting employees in your organization can decide whether Windows apps can access the calendar by using Settings > Privacy on the device.
employees in your organization can decide whether Windows apps can access the camera by using Settings > Privacy on the device.If an a
e this policy setting employees in your organization can decide whether Windows apps can access the microphone by using Settings > Priva
is policy setting employees in your organization can decide whether Windows apps can access trusted devices by using Settings > Privacy o
r organization cannot change it.If you choose the "Force Deny" option Windows apps are not allowed to access user movements while the
s > Privacy on the device.This policy is applied to Windows apps and Cortana. It takes precedence of the “Allow Cortana above lock” policy
s and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your organization
olicy setting employees in your organization can decide whether Windows apps have access to control radios by using Settings > Privacy o
ployees in your organization can decide whether Windows apps can make phone calls by using Settings > Privacy on the device.If an app is
s policy setting employees in your organization can decide whether Windows apps can run in the background by using Settings > Privacy o
ws or displays and employees in your organization cannot change it.If you disable or do not configure this policy setting employees in your
ou disable or do not configure this policy setting employees in your organization can decide whether Windows apps can turn off the screen
d vulnerabilities from untrusted sources reducing the associated risk.
6-bit components cannot run.If the status is set to Disabled the MS-DOS subsystem runs for all users on this computer.If the status is set to
pplication problems. If the engine is turned off these mitigations will not be applied to applications and their installers and these applicatio
oubleshooting and Diagnostics->Application Compatibility Diagnostics.Note: The Diagnostic Policy Service (DPS) and Program Compatibility
Vista behavior of automatically executing the autorun command. If you disable or not configure this policy setting Windows Vista or la
nfigure this policy setting AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configur
n a folder.Note: This policy setting does not prevent the user from saving the recovery password in another folder.
Choose drive encryption method and cipher strength (Windows Vista Windows Server 2008 Windows 7)" and "Choose drive encryption m
2008 Windows 7)" policy setting if it is set. If neither policy is set BitLocker will use the default encryption method of AES 128-bit or the en
ecified by the setup script.
covery password as a text file. Printing will send the 48-digit recovery password to the default printer. For example not allowing the 48-di
ker will only update the BitLocker To Go Reader when the identification field on the drive matches the value configured for the identificati
rmation includes the recovery password and some unique identifier data. You can also include a package that contains a BitLocker-protect
t identifier in the smart card certificate.If you disable or do not configure this policy setting a default object identifier is used.
der (bitlockertogo.exe) is present on a drive that does not have an identification field specified or if the drive has the same identification fie
mit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on BitLocker on a
ault when the drive is encrypted.If you do not configure this policy setting BitLocker will use software-based encryption irrespective of har
se of a password select "Require password for fixed data drive". To enforce complexity requirements on the password select "Require com
on\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate" on the domain controlle
onfiguration Data validation profile" group policy setting is ignored and Secure Boot verifies BCD settings according to the Secure Boot poli
assword or a 256-bit recovery key.Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recove
ou type in the "Custom recovery URL option" text box will replace the default URL in the default recovery message which will be displayed
the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation p
nfigure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any
cker you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating syst
d by default when the drive is encrypted.If you do not configure this policy setting BitLocker will use software-based encryption irrespectiv
To enforce complexity requirements on the password select "Require complexity".When set to "Require complexity" a connection to a dom
n the "Require additional authentication at startup" policy might not be available on such devices. These options include:- Configure TPM s
n the password then you will need to use one of the BitLocker recovery options to access the drive.On a computer with a compatible TPM
s protected solely by the key material on this USB flash drive.If you enable this policy setting the wizard will display the page to allow the u
e provided fields.
If BitLocker To Go Reader (bitlockertogo.exe) is present on a drive that does not have an identification field specified or if the drive has th
y.Select "Omit recovery options from the BitLocker setup wizard" to prevent users from specifying recovery options when they turn on Bit
by default when the drive is encrypted.If you do not configure this policy setting BitLocker will use software-based encryption irrespective
e password for removable data drive". To enforce complexity requirements on the password select "Require complexity".When set to "Req
disable this policy setting users cannot use BitLocker on removable disk drives.
ill be mounted with read and write access.Note: This policy setting can be overridden by the policy settings under User Configuration\Adm
diagnostic data level please use the "Configure diagnostic data opt-in settings user interface" policy.
ditional diagnostic data is collected that helps us to detect diagnose and fix issues as well as make product improvements. Required diagn
and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.If you enable this policy with the
a limited set of folders.
network share any data contained in the redirected folders is deleted if this policy setting is not enabled.
policy setting restricts such configuration.
m by responding to the notification using Manage Add-ons or using other methods.

rIf the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed the following behaviors
nd bar are not visible and the user cannot access them.If you disable or do not configure this policy setting the user can view and access th
Send all sites not included in the Enterprise Mode Site List to Microsoft Edge (‘RestrictIE’)For more info about how to use this policy toget
Binary Representation - 00110• 0 - Restricted Sites Zone• 0 - Internet Zone• 1 - Trusted Sites Zone• 1 - Local Intranet Zone• 0 - Local Ma
file see the Internet Explorer documentation on search providers.If you disable or do not configure this policy setting the user can configur
e Security tab from the interface takes precedence over this policy. If it is enabled this policy is ignored.Also see the "Security zones: Use on
e computer or how many Internet Explorer isolation settings are running.If you enable this policy setting you set the rate at which Interne
list a script can perform a Clipboard operation without prompting the user. This means that if the zone behavior is currently set to prompt
ode available in the latest version of Internet Explorer. This option matches the default behavior of Internet Explorer.If you do not configu
.If you do not configure this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string append
Tracking Protection and Do Not Track data is deleted when the user clicks Delete.If you don't configure this policy setting users can turn t
ility settings"
o IDN format only for addresses that are not in the Intranet zone.
user grants a site-specific exception. Internet Explorer sends a DNT:0 header to any sites granted an exception. By default this option is tur
at attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode Internet Explorer notifies the user and gives t
e: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protocol and e
of the Internet Options dialog.
age limit for all application caches. The default is 50 MB.
mit for all indexed databases. The default is 500 MB.
cache resource list size for all application caches. The default is 1000 resources.
mplate policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You can the
st of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified zone
tionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.
he same but a source is able to define a specific location of a thumbnail that is different than the location of the item.If you enable this po
ature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
ve the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.
xplorer 9 and earlier versions if you disable this policy or do not configure it users can drag content from one domain to a different domain
ons dialog.In Internet Explorer 9 and earlier versions if you disable this policy setting or do not configure it users can drag content from one
ogon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server the us
ety.If you do not configure this policy setting permissions are set to Medium safety.
ety.If you do not configure this policy setting permissions are set to Medium safety.
ety.If you do not configure this policy setting permissions are set to Low safety.
is zone as set by Protection from Zone Elevation feature control.


e restricted protocols is blocked when the Network Protocol Lockdown security feature is enabled.
ety.If you do not configure this policy setting permissions are set to High safety.
Address bar. This does not affect subscribing to feeds and interacting with them through the Favorites Center.
\Administrative Templates\Windows Components\Credential User Interface is enabled for the system it will override this policy setting.
or an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.Value - A number indicating
d allowed) through the 'Add-on List' policy setting.If you disable or do not configure this policy setting users may use Add-on Manager to a
esses in this list because these processes always respect add-on management user preferences and policy settings. If the All Processes po
e.For more information see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
ration and User Configuration both lists of behaviors will be allowed as appropriate.
rocesses configured in this box take precedence over that setting.If you disable or do not configure this policy setting the security feature i
e Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the rela
files and content processed by Internet Explorer.

If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not
gure this policy setting the security feature is allowed.
nternet Explorer Processes policy to enable or disable these processes. If the All Processes policy setting is enabled the processes configure
ser Configuration both lists of protocols will be restricted for that zone.
ence over that setting. If you disable or do not configure this policy setting the Notification bar is not displayed for the specified processes.
sable or do not configure this policy setting the security feature is allowed.
tting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disa
able or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that se
ettings do not undergo these checks.
e ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature will not function
anced membership Basic membership will send basic information to Microsoft about software that has been detected including where th
state you want to specify for the associated rule The following status IDs are permitted under the value column: - 1 (Block) - 0 (Off)
d apps to write to disk sectors The Windows event log will record these blocks under Applications and Services Logs > Microsoft > Win
(greater chance of false positives) (0x4) High+ blocking level – aggressively block unknowns and apply additional protection measures (m
nitoring will be enabled. If you disable or do not configure this setting monitoring for incoming and outgoing files will be enabled.
ey are not needed.
der Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected
mage copying.If you disable or don't configure this setting all clipboard functionality is turned off in Application Guard.
bledSpecify the location of the XML file in the Options section. You can use a local (or mapped) path a UNC path or a URL such as the follo
Templates > Windows Components > App Package DeploymentSupported versions: Microsoft Edge on Windows 10 version 1809Default s
ink(s) you wish to add: <https://fabrikam.com/opensearch.xml><https://www.contoso.com/opensearch.xml>If you disable this setting an
Tab pages and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes.
hidden in Microsoft Edge.Default setting: Disabled or not configuredRelated policies:- Set Home Button URL- Unlock Home Button
ab version of InPrivate and is the only app available for public browsing. Users can’t minimize close or open windows or customize Microso
Lockdown of Start Pages policy.If disabled or not configured and you enable the Disable Lockdown of Start Pages policy your users can ch
Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages Microsoft Edge u
ninstall the extension from the user’s computer automatically. To uninstall the extension use any available enterprise deployment channe
rikam.com/opensearch.xml>NoteIf you'd like your employees to use the default Microsoft Edge settings for each market you can set the s
ize data between users’ computers. In this mode UE-V writes settings data to the local folder specified in the settings storage path. These s
same ID as the default Microsoft templates they will be ignored.If you specify a UNC path and check the option to replace the default Mic
policy setting any defined values are deleted.
of the virtual desktop collection containing the virtual computers. If you enable this policy setting the UE-V rollback state is copied to the s
e disabled If you do not configure this policy setting any defined values will be deleted.
e disabled.If you do not configure this policy setting any defined values will be deleted.
e disabled.If you do not configure this policy setting any defined values will be deleted.
een the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V.If you do not configure this policy setting an
een the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V.If you do not configure this policy setting an

D Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configur
to a Windows Server 2003 terminal server* A client connecting to a Windows 2000 terminal serverIf you enable this policy setting the lice
f you disable this policy setting users cannot run .rdp files that are signed with a valid certificate. Additionally users cannot start an RDP se
s: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated.If you disable o
configure this policy setting the version of the operating system on the RD Session Host server will determine when a user is prompted to p
ation of the list defined for the computer and the list defined for the user.This policy setting overrides the behavior of the "Allow .rdp files
mit which clients are able to connect remotely by using Remote Desktop Services by configuring the policy setting at Computer Configurati
u disable or do not configure this policy setting a keep-alive interval is not set and the server will not check the session state.
Enabled the maximum number of connections is limited to the specified number consistent with the version of Windows and the mode o
m a low-speed connection and it will not try to adapt the user experience to varying network quality.If you disable or do not configure this p
istrators can interact with a user's Remote Desktop Services session with the user's consent.
hen connecting to a computer running Windows 8 Windows Server 2012 Windows 7 Windows Vista or Windows XP Professional.If you ena
is specified in RDC.If you do not configure this policy setting Audio recording redirection is not specified at the Group Policy level.
computer can't interact with remote apps.
redirection and Clipboard file copy redirection are not specified at the Group Policy level.
f it is running Windows Server 2012 R2 and earlier versions.Note: You can disable redirection of specific types of supported Plug and Play
d for a Remote Desktop Services session regardless of the audio playback quality configured on the client computer. For example if the au
up Policy level.
cify a license server at the Group Policy level.
f no suitable printer driver can be found default to the Printer Control Language (PCL) fallback printer driver."Default to PS if one is not fou
se the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot b
he size of the entire roaming user profile cache is less than the maximum size specified.If you disable or do not configure this policy setting
Desktop Services automatically adds this when the user logs on and the profile is created. If the specified network share does not exist Rem
pecify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path Remote Desktop
he Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using G
08 this policy setting is supported on at least Windows Server 2008 Standard. 2. This policy setting is not effective unless the Join RD Con
mote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker.If
n a client reconnects to the load balancer the routing token is used to redirect the client to their existing session on the correct RD Session
ent connects to the remote computer.Note: If this policy setting is enabled then the "Start a program on connection" policy setting is ignor
not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device
encoding mechanism that results in high quality images and consumes moderate network bandwidth. If you enable this policy setting a
l (RDP) 7.1 and does not affect clients that are using other RDP versions.
Windows Server 2003 and Windows XP Professional.2.The value specified in this policy setting is not applied to connections from client co
n remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Des
ath to the starting directory for the program. If you leave Working Directory blank the program runs with its default working directory. If th
the local session is not affected by this policy setting.
configure this policy setting the default behavior will be used. By default RemoteFX for RD Virtualization Host is enabled and RemoteFX for
ver LAN conditions. If you disable or do not configure this policy setting Remote Desktop Connection sessions that use RemoteFX will be t
his policy setting automatic logon is not specified at the Group Policy level.
n) is not recommended.* RDP: The RDP method uses native RDP encryption to secure communications between the client and RD Session
on is not required for user authentication before allowing remote connections to the RD Session Host server.If you do not configure this po
enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was create
s that contain only 128-bit clients (for example clients that run Remote Desktop Connection). Clients that do not support this encryption le
session even if specified otherwise by the server administrator.If you do not configure this policy setting Remote Desktop Services disconn
Remote Desktop Services to end instead of disconnect a session when the time limit is reached you can configure the policy setting Compu
d instead of disconnect a session when the time limit is reached you can configure the policy setting Computer Configuration\Administrati
session disconnected session time limits do not apply.If you disable or do not configure this policy setting this policy setting is not specified
rary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting this policy setting has no eff
ven if the server administrator specifies otherwise.If you do not configure this policy setting per-session temporary folders are created unle
arch results search box3) The WDS search box in Search Companion
uts/XXXX/searchresults.aspx?SearchString=$wThese additional intranet search locations are added to the All Locations list in the Desktop
nections and web results won't be displayed when a user performs a query in Search.
indexing of online mailboxes and online delegate mailboxes you must disable both policies.
om specifically using Windows Desktop Search-related add-ins.Note: Because of a limitation in the Group Policy editor you must add at lea
ble this policy setting Security Center is turned on for all users. If you disable this policy setting Security Center is turned off for domain me
ill be shown. Note: This setting will be applied after the following policy: "Allow time invalid certificates"If you enable or do not configure
than the default will not be available for logon.
ediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and Wind
in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.Cauti
e this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
rarely used Chinese Kanji and Hanja characters will not be included in recognition results when handwriting is converted to typed text. Us
entry areas” policy and the “Prevent Input Panel tab from appearing” policy and disable the “Show Input Panel taskbar icon” policy the us
e able to configure this setting on the Text completion tab in Input Panel Options.
curity is set to “Medium-Low.” At this setting when users enter passwords from Input Panel they use the on-screen keyboard by default sk
Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and cho
perties of newly created tasks use the "Remove Advanced Menu" setting.
ppears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration
ported on all versions of Windows - see the following link for more information. For details about setting up WDAC with tenant restrictions
and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app.If you enable this policy with the
sers have changed settings by using Control Panel). If you enable this policy setting you can configure the following settings in the policy s
notification by default on computers that are running Windows Server.See also the Configure Error Reporting policy setting.
ms page in Control Panel.The Maximum number of reports to queue setting determines how many reports can be queued before older rep
t setting in Control Panel is Upload all applications.This policy setting is ignored if the Configure Error Reporting policy setting is disabled or
x. The file names must include the .exe file name extension (for example notepad.exe). Errors that are generated by applications on this lis
etting takes precedence. If an application is listed both in the List of applications to always report errors for policy setting and in the exclus
and Windows prompts the user for consent to send any additional data that is requested by Microsoft.- Send all data: any error reporting
d parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an existing
redentials provisioned when the "Turn off smart card emulation" is enabled.Windows requires a reboot after you apply this setting to a co
services to which the old PIN provided access.NOTE: This policy is only applicable to devices which are registered with Azure Active Direct
er the user has signed in.If you do not select "Do not start Windows Hello provisioning after sign-in" Windows Hello for Business automati
ories denied to the user.This policy setting is designed for less restrictive environments. It can be used to circumvent errors in an installati
o see the "Prevent removable media source for any install" policy setting.
tion and User Configuration folders. To make this policy setting effective you must enable it in both folders.Caution: Skilled users can take a
configure this policy setting the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size.
y settings are set and whether the update was installed in a per-user managed per-user unmanaged or per-machine context."
e do not use this policy setting unless it is essential.This policy setting appears in the Computer Configuration and User Configuration folde
e still using Restart Manager for detection.If you disable or do not configure this policy setting Windows Installer will use Restart Manager
ffects Windows Installer only. It does not prevent users from selecting other browsers such as File Explorer or Network Locations to search
do not configure this policy setting on Windows 2000 Professional Windows XP Professional and Windows Vista when a user reinstalls rem
erate log files for those packages that include the MsiLogging property.
er on Windows Server 2003 family when the policy is not configured.-- The "Always" option indicates that Windows Installer is disabled.Th
pdate boot-critical components. BitLocker is suspended during updates if: - The device doesn’t have TPM 2.0 and PCR7 or - The d
ould not retrieve the information and the user will not be able to log on. Therefore you should not enable this policy setting if the domain i
atically signing in and locking the last interactive user after a restart or cold boot .If you disable this policy setting the device does not confi
and perform license restoration.
ent the Computer Configuration version of this policy setting takes precedence.
ty of all modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list click Show and then type the modu
on policy setting.
If you use the OutputDirectory setting to enable transcript logging to a shared location be sure to limit access to that directory to preven
etting it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."
filter specifies one or more ranges of IPv6addresses. If specified the service enumerates the available IP addresses on the computer and u
gLevel is set to None all requests are accepted (though they are not protected from credential-forwarding attacks).
el an install.On XP: If you enable this policy setting users will not see a User Account Control window and do not need elevated permission
t display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled.
in 2 minutes.
d this policy has no effect.
C won't automatically restart and will require the person to schedule it prior to restart.If you disable or do not configure this policy the PC
tional applications. In Windows Vista this policy setting controls detailed notifications for optional applications and updates.If you disable
e user is not notified or interrupted during this process). When the downloads are complete users will be notified that they are ready to in
will be able to schedule restarts during the grace period and Windows can still automatically restart outside of active hours if users choose
abled or not configured this policy has no effect.Note: This policy is not supported on Windows RT. Setting this policy will not have any effe
omatic Updates client connects to the specified intranet Microsoft update service (or alternate download server) instead of Windows Upda
oming Windows 10 releases before broad deployment within their organization.Note: Preview Build enrollment requires a telemetry leve
ntil the field is cleared (Quality Updates will still be offered).
gs" policy setting to determine whether to automatically set up Work Folders for a given user.
y given settings page is the published URI for that page minus the "ms-settings:" protocol part.Example: to specify that only the About and
tion.If you enable this policy setting automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control
hniques": http://www.microsoft.com/en-us/download/details.aspx?id=36036.For more information about LocalAccountTokenFilterPolicy

d. We do not recommend configuring this setting to "Disabled" nor to "Not Configured" after it has been enabled.
support.microsoft.com/kb/2696547
ript-at-a-process-level
b2871997.aspx .
e noted that the "Allow BITS peer caching" policy setting must be enabled for the other two policy settings to have any effect. If you d
tting does not affect Peercaching transfers between peer computers (it does affect transfers from the origin server); the "Limit the maximu
g has no effect if the "Allow BITS peer caching" policy setting is disabled or not configured.
aring limit (when not roaming or nearing cap) - Transfer only if unconstrained - Custom--allows you to specify a bitmas
nd other schedules.
configure this policy setting BITS uses all available unused bandwidth for background job transfers.
onfigure a BranchCache latency setting on all client computers you can specify Not Configured for this domain Group Policy setting and the
on the value of the option setting "Select from the following versions" that you specify.- Disabled. With this selection this policy setting is n
omputers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied in addition to the "Set Br
anually or by Group Policy.When this policy setting is applied the client computer performs or does not perform automatic hosted cache s
ge setting that you use on individual client computers.- Enabled. With this selection the BranchCache client computer cache age setting is
domain Group Policy setting is not configured it will not over-write the enabled setting that you use on individual client computers where
oup Policy setting and then configure local computer policy to enable BranchCache on individual client computers. Because the domain Gr
not configured it will not over-write the client computer cache setting that you use on individual client computers.- Enabled. With this sele
e enabled setting that you use on individual client computers where you want to enable BranchCache.- Enabled. With this selection Branc
m/ or HTTP:http://2002:836b:1::1/.-A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the
rectAccess client computer is connected to its own intranet.To restore the DirectAccess rules to the NRPT and resume normal DirectAcces
a query for "server.corp" the DNS client will send a query for "server.corp" first and then a query for "server.corp.contoso.com." second if
olicy setting one DNS suffix is attached at a time for each query. If a query is unsuccessful a new DNS suffix is added in place of the failed su
Append primary and connection specific DNS suffixes radio button is selected the DNS client appends the following names to a single-labe
search list is not configured and the Append primary and connection specific DNS suffixes radio button is selected the DNS client appends
pecific DNS suffix of VPNconnection a computer will register A and PTR resource records for mycomputer.VPNconnection and mycompute
mputers will use locally configured settings.
he value that you specify is the number of seconds to use for the registration refresh interval. For example 1800 seconds is 30 minutes.If y
urce records during dynamic update.If you disable this policy setting existing A resource records that contain conflicting IP addresses will n
ation is turned on for all file servers where Group Policy is applied. For example if Hash Publication for BranchCache is enabled in domain G
and the hash version(s) that are specified in "Hash version supported" are generated and retrieved.- Disabled. With this selection both V1
ware. Additionally any data written to a file server using an insecure guest logon is potentially accessible to anyone on the network. Micro
ckbox. Using the corporate seed server only will prevent your mobile users from being able to use their peer to peer applications at home.
protocol used for bootstrapping is SSDP (Simple Service Discovery Protocol). The SSDP service must be enabled (which it is by default) for
d PNRP creates a cloud if the computer has an IPv6 address compatible with the cloud’s scope.
ast protocol used for bootstrapping is SSDP (Simple Service Discovery Protocol). The SSDP service must enabled (which it is by default) for
ast protocol used for bootstrapping is SSDP (Simple Service Discovery Protocol). The SSDP service must be enabled (which it is by default) f
et Connection Firewall through the Advanced tab is removed. In addition the Internet Connection Firewall is not enabled for remote access
user is presented with the option to enable Internet Connection Sharing in the Network Setup Wizard and Make New Connection Wizard.
go.microsoft.com/fwlink/?LinkId=25131).
es then later disable this policy setting Windows Defender Firewall deletes the list of message types that you had enabled.If you do not co
nistrators cannot select it.If you do not configure this policy setting Windows Defender Firewall does not open these ports. Therefore the c
tion. You must specify the IP addresses or subnets from which these incoming messages are allowed.If you disable or do not configure this
policy setting Windows Defender Firewall does not open this port. Therefore the computer cannot receive Remote Desktop requests unle
UPnP framework" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defender Fire
d Security to specify that local firewall rules should not apply.
Firewall with Advanced Security to specify that local firewall rules should not apply.
ble this policy setting and Windows Defender Firewall creates the log file and adds information then upon disabling this policy setting Wind
nel also enable the "Windows Defender Firewall: Allow local port exceptions" policy setting.If you disable this policy setting the port excep
ve a program click its definition and then press the DELETE key. To edit a definition remove the current definition from the list and add a n
olicy setting Windows Defender Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Defender
es then later disable this policy setting Windows Defender Firewall deletes the list of message types that you had enabled.If you do not co
nistrators cannot select it.If you do not configure this policy setting Windows Defender Firewall does not open these ports. Therefore the c
tion. You must specify the IP addresses or subnets from which these incoming messages are allowed.If you disable or do not configure this
policy setting Windows Defender Firewall does not open this port. Therefore the computer cannot receive Remote Desktop requests unle
UPnP framework" check box is cleared and administrators cannot select it.If you do not configure this policy setting Windows Defender Fire
d Security to specify that local firewall rules should not apply.
Firewall with Advanced Security to specify that local firewall rules should not apply.
ble this policy setting and Windows Defender Firewall creates the log file and adds information then upon disabling this policy setting Wind
nel also enable the "Windows Defender Firewall: Allow local port exceptions" policy setting.If you disable this policy setting the port excep
ve a program click its definition and then press the DELETE key. To edit a definition remove the current definition from the list and add a n
olicy setting Windows Defender Firewall applies other policy settings that allow unsolicited incoming messages. In the Windows Defender
wlink/p/?LinkId=234043
mation see: http://go.microsoft.com/fwlink/p/?LinkId=234043
ration takes precedence over the setting in User Configuration.Tip: To configure this setting without establishing a setting in Windows Expl
are. When selected all configured settings will apply to shares in user selected Work Offline mode as well.If you disable or do not configur
latency detection is faster. You can use wildcard characters (*) for specifying UNC paths. If you do not specify a Latency or Throughput val
mount of disk space used for automatic caching without specifying a setting in Windows Explorer on the Tools menu click Folder Options c
nd trip latency of the network is less than 60ms reads to remote files will not be cached.If you enable this policy setting transparent cachin
figure this policy setting encryption of the Offline Files cache is controlled by the user through the user interface. The current cache state is
tion and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the settin
do not configure this policy setting the system limits the space that offline files occupy to 25 percent of the total space on the drive where
tions established via this setting.Tip: To configure this setting without establishing a setting in Windows Explorer on the Tools menu click Fo
minutes" option.
able Offline" command is unavailable for all specified files and folders.The "Make Available Offline" command is called "Always available o
lders. If both policy settings are configured the policy settings will be combined and all specified files will be available for offline use.
tting in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and then select the "Synchronize all offline files
uter Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence
s precedence over the setting in User Configuration.Tip: To display or hide reminder balloons without establishing a setting in Windows Ex
mended to restrict the HKLM\SOFTWARE\Policies\SNMP\Parameters\ValidCommunities key to allow only the local admin group full contro
full control.Note: This policy setting has no effect if the SNMP agent is not installed on the client computer.Also see the other two SNMP p
mitted managers" and "Specify Community Name".
d to download files from the Internet the files will continue to be downloaded using that network connection.- When the network traffic d
abled state for this policy setting. This option was first available in Windows 8. If this policy setting is set to 2 the behavior is similar to
nnection is allowed.- When the computer is already connected to either a non-domain based network or a domain based network over Et
enabling them.If this policy setting is not configured or is enabled users can choose to enable or disable either "Connect to suggested ope
ular data by using Settings > Network - Internet > Cellular on the device.If an app is open when this Group Policy object is applied on a dev
ced sharing settings". On the Advanced sharing settings page click the arrow next to "Domain" arrow click "turn on network discovery" and
oes not apply to those versions of Windows.
ooler can always queue print jobs when not connected to the print server. Upon reconnecting to the server the client will submit any pen
the IP address and subnet mask of the user's computer.

\Administrative Templates\Control Panel\Printers. Web view is affected by the "Turn on Classic Shell" and "Do not allow Folder Optio
controllers.
and all versions of Windows Server 2008 R2 and later) to have the same behavior.
s only checked once during the lifetime of a process. After changing the policy a running application must be relaunched before settings ta
n the event log. Note: This setting does not affect the logging of pruning events; the actual pruning of a printer is always logged.
kage point and print will not be restricted to specific print servers.
d command prompt when users create a printer connection to any server using Point and Print. -Windows Vista computers will show
imity is estimated using the standard method (that is based on IP address and subnet mask).
tions from the "Prune non-republishing printers" box: -- "Never" specifies that printer objects that are not automatically republished
ently opened documents on exit" policies in this folder.If you enable this setting but do not enable the "Remove Recent Items menu from
onfigure it the Start screen layout won't be changed and users will be able to customize it.
hen you shut down the computer.If you do not configure this policy setting the default behavior for the Shutdown Event Tracker occurs.No
onfiguration.
m. For example %programfiles% is not defined on some early versions of Windows. The "Shortcut" command is used to add a link to a H
licy setting the files will be downloaded from Windows Update if that is allowed by the policy settings for the computer.
0-23 Day 0-31).

0-23 Day 0-31).
0-23 Day 0-31).
0-23 Day 0-31).
0-23 Day 0-31).
d to the Client log and the event log the first time this occurs and will not be logged again until after the cache has been successfully cleare
ts the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying th
es.fabrikam.com machineTERMSRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com R
permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.comRemote Desktop Session Host running on
card character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session
single wildcard character is permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote Desk
olicy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials
m.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.comThis policy setting can be used in combinati
rikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.comThis policy setting can be used in com
manresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.comThis policy setting ca
ow for important information about the risk posed by remaining unpatched clients.Vulnerable: Client applications which use CredSSP will
d Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices.Note: To
der to disable the feature you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer wi
stallation of devices that match these device IDs- Prevent installation of devices that match any of these device instance IDsIf the "Apply l
match any of these device instance IDsIf the "Apply layered order of evaluation for Allow and Prevent device installation policies across all
tallation of devices for these device classes- Prevent installation of devices that match these device IDs- Prevent installation of devices tha
h these device setup classes6. Allow installation of devices using drivers that match these device setup classesRemovable devices7. Preven
dows is allowed to install or update the driver package for any device that is not described by the "Prevent installation of devices that ma
installed and updated as allowed or prevented by other policy settings.
nt to the remote desktop server.If you disable or do not configure this policy setting Windows can install and update devices as allowed or
ndows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable thi
ement without specifying a setting in My Computer right-click the name of an NTFS volume click Properties click the Quota tab and then c
hat enable or disable quota enforcement on their volumes.Note: To specify a disk quota limit use the "Default quota limit and warning lev
ta Entries window on the Quota tab. Even without the logged event users can detect that they have reached their limit because their statu
system volume click Properties and then click the Quota tab.
s is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level.When yo
still be blurry on secondary displays that have different display scale factors. Per Process System DPI will not work for all applications as som
you add an appid to this list and set its value to 0 DCOM will always enforce the Activation security check for that DCOM server regardless
tting the boot start drivers determined to be Good Unknown or Bad but Boot Critical are initialized and the initialization of drivers determin
t the user logs on to.Note: If you enable this policy setting in Computer Configuration and User Configuration the Computer Configuration
om the trusted forest.If you disable this policy setting the behavior is the same as if it is not configured.
Japanese system the Group Policy Object Editor snap-in uses the local Japanese ADM files and you see the text in Japanese under Adminis
cessed synchronously even if this policy setting is enabled:1 - At the first computer startup after the client computer has joined the domain
ing across a slow link (slow network connection).If you enable this policy when Group Policy cannot determine the bandwidth speed acros
se. When background updates are disabled policy changes will not take effect until the next user logon or system restart.The "Process eve
es are disabled policy changes will not take effect until the next user logon or system restart.The "Process even if the Group Policy objects
roup Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implem
ponse from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. The timeout value that is de
cond.This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a
background while the computer is in use. When background updates are disabled policy changes will not take effect until the next user lo
d while the computer is in use. When background updates are disabled policy changes will not take effect until the next user logon or syst
ated only when changed. However you might want to update unchanged policies such as reapplying a desired policy setting in case a user
not take effect until the next user logon or system restart.The "Process even if the Group Policy objects have not changed" option update
s specify that they be updated only when changed. However you might want to update unchanged policies such as reapplying a desired po
"Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not chang
the settings conflict the user settings in the computer's Group Policy Objects take precedence over the user's normal settings.If you disab
e disabled policy changes will not take effect until the next user logon or system restart.The "Process even if the Group Policy objects hav
pdates are disabled policy changes will not take effect until the next user logon or system restart.The "Process even if the Group Policy ob
it for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds. The timeout valu
e select the "Turn off background refresh of Group Policy" policy.The Set Group Policy refresh interval for computers policy also lets you sp
how much the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates simult
ervice location" policy.
ttings in "Administrative Templates/Windows Components/Event Viewer".
o be effective the Kerberos Group Policy "Kerberos client support for claims compound authentication and Kerberos armoring" must be en
ever receive the fresh public key identity SID.
bout previous logons and enabling this policy setting does not affect anything.
do not configure this policy setting the system uses the host name-to-Kerberos realm mappings that are defined in the local registry if the
s policy setting the interoperable Kerberos V5 realm settings defined by Group Policy are deleted.If you do not configure this policy setting
EKU extensions which can be issued to any server.
0 bytes. Beginning with Windows 8 the default is 48000 bytes. Due to HTTP's base64 encoding of authentication context tokens it is not ad
meters.If you disable or do not configure this policy setting the Kerberos client does not have KDC proxy servers settings defined by Group
not configure this policy setting Automatic will be used.
e level the per-user policy setting will be ignored. If this policy setting is not configured at the machine level restrictions will be based on p
r-user basis make sure that the per-computer policy is set to Not Configured.
led at the computer level it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level the per-user poli
en turns off before a password is required when waking the device. Instead a password is required immediately after the screen turns off.I
tory or user object logon script may take up to two logons to be detected.If a user with a roaming profile home directory or user object log
to System Tools and then click ""Getting Started."" To suppress the welcome screen without specifying a setting clear the ""Show this scre
g.Also see the ""Do not process the run once list"" policy setting.
ams specified in the User Configuration setting.Also see the ""Do not process the legacy run list"" and the ""Do not process the run once lis
Note: The first sign-in animation will not be shown on Server so this policy will have no effect.
_POLICY_SEHOP_ENABLE (0x00000004) Enables structured exception handler overwrite protection (SEHOP) for the child process. SEH
on will not allow the negotiation and use of older cryptography algorithms.
e files by requesting exclusive read access which might prevent Group Policy settings from being updated on clients in the domain. When
ting exclusive read access which might prevent Group Policy settings from being updated on clients in the domain. When this setting is ena
duce excessive network traffic.
f you do not configure this policy setting it is not applied to any computers and computers use their local configuration.
ocesses incoming mailslot messages. This is the default behavior of DC Locator.
lback mechanism when DNS-based discovery fails. This is the default behavior.If you disable this policy setting the DC location algorithm ca
d if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries.If yo
will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses DC Locator APIs will return IPv4 a
ot applied to any DCs and DCs use their local configuration.

_kerberos._tcp.dc._msdcs.<DnsDomainName>KdcAtSite SRV _kerberos._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>Dc
e zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the u
d then enter the site names in a space-delimited format.If you do not configure this policy setting it is not applied to any DCs and DCs use t
plied to any GCs and GCs use their local configuration.

r. However if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly the Try Next Closest Site behavior is honored.If
ned to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-labe
tion in this case unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to wh
original state or from a user-created system image by restarting the computer and accessing the System Recovery Options menu if it is av
" In the window that opens you can enter the names of the helpers. Add each user or group one by one. When you enter the name of the
mputer."The "Maximum ticket time" policy setting sets a limit on the amount of time that a Remote Assistance invitation created by using
ver Endpoint Mapper Service.Note: This policy will not be applied until the system is rebooted.
connect to servers using constrained delegation. If you enable this policy setting then:-- "Off" directs the RPC Runtime to generate RPC_S_
s RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server Windo
ormation but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in eff
his policy setting it directs the RPC server runtime to restrict unauthenticated RPC clients connecting to RPC servers running on a machine.
eout on the IIS server running the RPC HTTP proxy will be used.If you do not configure this policy setting it will remain disabled. The idle co
applied but not GPO A. Therefore the scripts for GPOs B and C run in the following order for DesktopSales:Within GPO B: B.cmd B.ps1Wit
he following order for Tamara:Within GPO B: B.cmd B.ps1Within GPO C: C.cmd C.ps1Note: This policy setting determines the order in whic
. An excessively long interval can delay the system and inconvenience users. However if the interval is too short prerequisite tasks might n
ult to using their local configuration. The default local configuration is Audit.A reboot is not required for changes to this setting to take effe
terval for Server Manager is two minutes in Windows Server 2008 and Windows Server 2008 R2 or 10 minutes in Windows Server 2012.
it is enabled or disabled. Scenario-specific policy settings only take effect if this policy setting is not configured.No reboots or service rest
st be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console.
oting only state.If you disable this setting the recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will b
omponent is installed and the Remote Desktop Services role is not installed.
ely. This policy setting takes effect only when the DPS is in the running state. When the service is stopped or disabled diagnostic scenarios
y setting to take effect: changes take effect immediately.
ls.No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.This policy setting will t
d a problem.4 = Automatically apply troubleshooting for critical and other problems by system features and Microsoft. Do not notify users
client) Silent (default on Windows server) or Troubleshooting Only. If you disable this policy setting the troubleshooting and recovery beh
nges take effect immediately.This policy setting will only take effect when the Task Scheduler service is in the running state. When the ser
s-wide scenario execution policy is not configured.No system restart or service restart is required for this policy to take effect: changes tak
ffect only if the diagnostics-wide scenario execution policy is not configured.No system restart or service restart is required for this policy
effect only if the diagnostics-wide scenario execution policy is not configured.No system restart or service restart is required for this policy
by default.This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.No system restart or servi
ffect only if the diagnostics-wide scenario execution policy is not configured.No system restart or service restart is required for this policy
legation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner auth
The local list of blocked TPM commands is configured outside of Group Policy by running "tpm.msc" or through scripting against the Win3
cal lists of blocked TPM commands.
res authorization.This value is the maximum number of authorization failures each standard user may have before the user is not allowed
e Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before
TPM that requires authorization.The Standard User Individual Lockout value is the maximum number of authorization failures each standa
The policy setting must be configured on the client computer not the server for it to have any effect because the client computer sets the
es or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting
e. To respond to a slow link the system requires a local copy of the user's roaming profile.
this folder to determine how to proceed. By default when the connection is slow the system loads the local copy of the user profile.
Windows will not check the permissions for the folder in the case where the folder exists.If you disable or do not configure this policy settin
uter that the user logs on to.

s waits 30 seconds for user input before applying the default user profile .
e or do not configure this policy setting Windows will delete the entire profile for roaming users including the Windows Installer and Grou
policy setting or do not configure it the system repeats its attempt 60 times.If you set the number of retries to 0 the system tries just once
th the "Prevent Roaming Profile changes from propagating to the server" setting and the "Only allow local user profiles" setting roaming p
for remote user profile" policy setting the system downloads the remote copy of the user profile without consulting the user. In Microsoft
ndows reads profile configuration in the following order and uses the first configured policy setting it reads.1. Terminal Services roaming pr
a random one hour delay attached per-trigger to avoid overloading the server with simultaneous uploads. For example if the settings dict
file share the user's home folder will be placed in the network location without mapping the file share to a drive letter.If you disable or do n
ess apps that depend on the domain information protected by this setting to connect with network resources.If you do not configure or dis
ers move between computers frequently and the local copy of their profile is not always current. Using the local copy is desirable when qu
from the client computer's local clock by more than LargePhaseOffset the local clock is deemed to have drifted considerably or in other w
d 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this value to
access account information by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device
er by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart t
Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or
he device.If an app is open when this Group Policy object is applied on a device employees must restart the app or device for the policy ch
figure this policy setting employees in your organization can decide whether Windows apps can get diagnostic information about other app
app is open when this Group Policy object is applied on a device employees must restart the app or device for the policy changes to be app
device.If an app is open when this Group Policy object is applied on a device employees must restart the app or device for the policy chan
using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the a
ttings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or devi
ttings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or dev
p is open when this Group Policy object is applied on a device employees must restart the app or device for the policy changes to be applie
ttings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or dev
> Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or device fo
phone by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must rest
es by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart t
ess user movements while the apps are running in the background and employees in your organization cannot change it.If you disable or d
ow Cortana above lock” policy. This policy is applicable only when “Allow voice activation” policy is configured to allow applications to be
mployees in your organization can decide whether Windows apps can communicate with unpaired wireless devices by using Settings > Pri
s by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart th
vacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app or device for the
d by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart t
licy setting employees in your organization can decide whether Windows apps can take screenshots of various windows or displays by usin
ws apps can turn off the screenshot border by using Settings > Privacy on the device.If an app is open when this Group Policy object is app
computer.If the status is set to Not Configured the OS falls back on a local policy set by the registry DWORD value HKLM\System\CurrentC
installers and these applications may fail to install or run properly.This option is useful to server administrators who require faster perform
PS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Service
icy setting Windows Vista or later will prompt the user whether autorun command is to be run.
onfiguration and User Configuration folders. If the policy settings conflict the policy setting in Computer Configuration takes precedence ov
nd "Choose drive encryption method and cipher strength" policy settings (in that order) if they are set. If none of the policies are set BitLoc
ethod of AES 128-bit or the encryption method specified by the setup script.
xample not allowing the 48-digit recovery password will prevent users from being able to print or save recovery information to a folder.If y
e configured for the identification field.The allowed identification field is used in combination with the "Deny write access to removable dr
at contains a BitLocker-protected drive's encryption key. This key package is secured by one or more recovery passwords and may help pe
dentifier is used.
has the same identification field as specified in the "Provide unique identifiers for your organization" policy setting the user will be promp
en they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you turn on BitLoc
encryption irrespective of hardware-based encryption availability.Note: The “Choose drive encryption method and cipher strength” policy
password select "Require complexity".When set to "Require complexity" a connection to a domain controller is necessary when BitLocker
ficate" on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the c
ording to the Secure Boot policy setting which is configured separately from BitLocker.Note: If the group policy setting "Configure TPM pla
nt users from specifying recovery options when they turn on BitLocker on a drive. This means that you will not be able to specify which rec
essage which will be displayed in the pre-boot key recovery screen.Note: Not all characters and languages are supported in pre-boot. It is s
script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23 The default platf
operating system drive. If any of these components change while BitLocker protection is in effect the TPM will not release the encryption k
cker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect the TPM will not release
e-based encryption irrespective of hardware-based encryption availability.Note: The “Choose drive encryption method and cipher strength
mplexity" a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to
tions include:- Configure TPM startup PIN: Required/Allowed- Configure TPM startup key and PIN: Required/Allowed- Configure use of pass
mputer with a compatible TPM four types of authentication methods can be used at startup to provide added protection for encrypted dat
display the page to allow the user to configure advanced startup options for BitLocker. You can further configure setting options for compu
specified or if the drive has the same identification field as specified in the "Provide unique identifiers for your organization" policy setting
options when they turn on BitLocker on a drive. This means that you will not be able to specify which recovery option to use when you tur
based encryption irrespective of hardware-based encryption availability.Note: The “Choose drive encryption method and cipher strength”
complexity".When set to "Require complexity" a connection to a domain controller is necessary when BitLocker is enabled to validate the
under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" polic
mprovements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnostic da
you enable this policy with the "Warn" option SmartScreen's dialogs will warn the user that the app appears suspicious but will permit the
stalled the following behaviors occur:- If you disable or don't configure this policy Microsoft Edge version 45 or earlier is automatically use
he user can view and access the navigation bar the menu bar and the Command bar.
ut how to use this policy together with other related policies to create the optimal configuration for your organization see https://go.micro
al Intranet Zone• 0 - Local Machine Zone• 22 - Trusted Intranet and Restricted site zones only Binary Representation - 10110• 1 - Restric
y setting the user can configure his or her list of search providers.
see the "Security zones: Use only machine settings" policy.
u set the rate at which Internet Explorer creates new tab processes to low medium or high or to an integer.If you disable or do not configu
avior is currently set to prompt it will be bypassed and enabled.If you disable this policy setting for an application or process in the list a scr
Explorer.If you do not configure this policy setting the user can turn on and turn off Internet Explorer 7 Standards Mode.
h an additional string appended) for local intranet content. Additionally all local intranet Standards Mode pages appear in Internet Explor
policy setting users can turn this feature on and off determining whether to delete ActiveX Filtering Tracking Protection and Do Not Track
on. By default this option is turned on.
er notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.If you enable this policy setting In
utdated security protocol and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
n a separate GPO. You can then use Group Policy management features (for example precedence inheritance or enforce) to apply individu
settings for the specified zone are applied to the site. For each entry that you add to the list enter the following information:Valuename
ure is enabled.
the item.If you enable this policy setting users can preview items and get custom thumbnails from OpenSearch query results in this zone
g for the process.
ttp://) content.
domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
ers can drag content from one domain to a different domain when the source and destination are in the same window. Users cannot chan
supported by the server the user is queried to provide the user name and password.If you disable this policy setting logon is set to Automa
ure is enabled.
ttp://) content.
ure is enabled.
ttp://) content.
g for the process.
ttp://) content.
g for the process.
ttp://) content.
g for the process.
ttp://) content.
g for the process.
ttp://) content.
g for the process.
ttp://) content.
g for the process.

ttp://) content.
ure is enabled.
ttp://) content.
override this policy setting.
d.Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on should b
may use Add-on Manager to allow or deny any add-ons that are not included in the 'Add-on List' policy setting.Note: If an add-on is listed
ettings. If the All Processes policy setting is enabled the processes configured in this policy setting take precedence over that setting.If you
y setting the security feature is allowed.
ocesses in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is
setting.If you disable or do not configure this policy setting the security feature is allowed.
abled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the secur
ed for the specified processes.
ocesses policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take prece
x take precedence over that setting.If you disable or do not configure this policy setting the security feature is allowed.
ons.
Sight” feature will not function. Real-time Protection -> Do not enable the “Turn off real-time protection” policy or the “Block at First Sigh
en detected including where the software came from the actions that you apply or that are applied automatically and whether the actions
lumn: - 1 (Block) - 0 (Off) - 2 (Audit) - 5 (Not Configured) - 6 (Warn) Example: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 0
ervices Logs > Microsoft > Windows > Windows Defender > Operational > ID 1123. Disabled: The following will not be blocked and
ditional protection measures (may impact client performance) (0x6) Zero tolerance blocking level – block all unknown executables
g files will be enabled.
or interact with any connected graphics hardware.
on Guard.
path or a URL such as the following:- C:\MitigationSettings\Config.XML- \\Server\Share\Config.xml- https://localhost:8080/Config.xmlThe s

dows 10 version 1809Default setting: Disabled or not configuredRelated policies:- Allows development of Windows Store apps and installin
l>If you disable this setting any added search engines are removed from your employee's devices.If you don't configure this setting the se
- Unlock Home Button

windows or customize Microsoft Edge but can clear browsing data and downloads and restart by clicking “End session.” You can configure
Pages policy your users can change or customize the Start page.Default setting: A specific page or pages (default)Related policies:-Disable
age or pages Microsoft Edge uses the Configure Start Pages policy.Supported devices: Domain-joined or MDM-enrolledRelated policy:- Co
enterprise deployment channel.If you enable the Allow Developer Tools policy then this policy does not prevent users from debugging and
each market you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine you c
e settings storage path. These settings are then synchronized to other computers by an external synchronization engine. UE-V has no contr
tion to replace the default Microsoft templates all of the default Microsoft templates installed by the UE-V Agent will be deleted from the
rollback state is copied to the settings storage location on logout and restored on login.If you disable this policy setting no UE-V rollback st
ay by disabling or not configuring this policy setting.Note: You should only enable this policy setting when the license server is a member o
able this policy setting the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Ho
y users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to sta
authenticated.If you disable or do not configure this policy setting the authentication setting that is specified in Remote Desktop Connecti
e when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Wi
ehavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting.If the list contains a string that is not a c
etting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Ho
he session state.
n of Windows and the mode of Remote Desktop Services running on the server.If the status is set to Disabled or Not Configured limits to t
sable or do not configure this policy setting Remote Desktop Protocol will spend up to a few seconds trying to determine the network qual
ows XP Professional.If you enable this policy setting audio and video playback redirection is allowed.If you disable this policy setting audio
he Group Policy level.
es of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Insta
mputer. For example if the audio playback quality configured on the client computer is higher than the audio playback quality configured
."Default to PS if one is not found" - If no suitable printer driver can be found default to the PostScript (PS) fallback printer driver."Show bo
sy Print printer driver cannot be used the client printer is not available for the Remote Desktop Services session.Note: If the "Do not allow
not configure this policy setting no restriction is placed on the size of the entire roaming user profile cache on the local drive.Note: This po
work share does not exist Remote Desktop Services displays an error message on the RD Session Host server and will store the user profile
Dir Root Path Remote Desktop Services places user home directories in the network location.If the status is set to Enabled Remote Deskto
bled and configured by using Group Policy. 2. For Windows Server 2008 this policy setting is supported on at least Windows Server 2008
ffective unless the Join RD Connection Broker policy setting is enabled. 3. To be an active member of an RD Session Host server farm the
er to RD Connection Broker.If the policy setting is not configured the policy setting is not specified at the Group Policy level. Notes: 1. If y
sion on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the u
nection" policy setting is ignored.
u are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm so
ou enable this policy setting and set quality to Lossless RemoteFX Adaptive Graphics uses lossless encoding. In this mode the color integrit
to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Win
ows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting.
default working directory. If the specified program path file name or working directory is not the name of a valid directory the RD Session
t is enabled and RemoteFX for RD Session Host is disabled.
ns that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (t
een the client and RD Session Host server. If you select this setting the RD Session Host server is not authenticated. Native RDP encryption
If you do not configure this policy setting the local setting on the target computer will be enforced. On Windows Server 2012 and Window
ficate is found that was created with the specified certificate template the certificate that will expire latest and that matches the current n
o not support this encryption level cannot connect to RD Session Host servers.* Client Compatible: The Client Compatible setting encrypts
mote Desktop Services disconnects a timed-out session unless specified otherwise in local settings.Note: This policy setting only applies to
figure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desk
er Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time
s policy setting is not specified at the Group Policy level. Be y default Remote Desktop Services disconnected sessions are maintained for a
ng this policy setting has no effect.
porary folders are created unless the server administrator specifies otherwise.
l Locations list in the Desktop Search results.
licy editor you must add at least one entry in the allow list even if you want to enable this policy without an allow list. Create a list entry by
er is turned off for domain members.Windows XP SP2----------------------In Windows XP SP2 the essential security settings that are monitore
ou enable or do not configure this policy setting filtering will take place.If you disable this policy setting no filtering will take place.
ptions in Windows 7 and Windows Vista.
ab in Input Panel Options.Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and the “Pre
g is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.If you do not configure thi
nel taskbar icon” policy the user will then have no way to access Input Panel.
screen keyboard by default skin switching is allowed and Input Panel displays the cursor and which keys are tapped. Users will not be able
you enable this policy and choose “None” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out ge
dence over the setting in User Configuration.
tting in Computer Configuration takes precedence over the setting in User Configuration.
WDAC with tenant restrictions see https://go.microsoft.com/fwlink/?linkid=2155230
you enable this policy with the "Warn" option SmartScreen's dialogs will warn the user that the app appears suspicious but will permit the
llowing settings in the policy setting:- ""Do not display links to any Microsoft ‘More information’ websites"": Select this option if you do no
ng policy setting.
n be queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determine
ting policy setting is disabled or not configured.For related information see the Configure Error Reporting and Report Operating System Err
rated by applications on this list are always reported even if the Default dropdown in the Default application reporting policy setting is set
policy setting and in the exclusion list in this policy setting the application is excluded from error reporting. You can also use the exclusion l
d all data: any error reporting data requested by Microsoft is sent automatically.If this policy setting is disabled or not configured then the
quired to check for an existing solution as well as data which Windows has determined (within a high probability) does not contain person
er you apply this setting to a computer.
tered with Azure Active Directory.

ws Hello for Business automatically starts provisioning after the user has signed in.
cumvent errors in an installation program that prevents software from being installed.
aution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent access
cache maximum size.
machine context."
n and User Configuration folders. If the policy setting is enabled in either folder it is considered be enabled even if it is explicitly disabled in
taller will use Restart Manager to detect files in use and mitigate a system restart when possible.
or Network Locations to search for installation files. Also see the "Enable user to browse for source while elevated" policy setting.
Vista when a user reinstalls removes or repairs an installation the transform file is available even if the user is on a different computer or is
Windows Installer is disabled.This policy setting affects Windows Installer only. It does not prevent users from using other methods to insta
PM 2.0 and PCR7 or - The device doesn’t use a TPM-only protector2. “Always Enabled” specifies that automatic sign on will happen eve
is policy setting if the domain is not at the Windows Server 2008 domain functional level.If you disable or do not configure this setting mes
etting the device does not configure automatic sign in. The user’s lock screen apps are not restarted after the system restarts.
Show and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. Note: This p
ess to that directory to prevent users from viewing the transcripts of other users or computers. Note: This policy setting exists unde
dresses on the computer and uses only addresses that fall within one of the filter ranges.You should use an asterisk (*) to indicate that the
ttacks).
not need elevated permissions to do either of these update-related tasks.On Vista: If you enable this policy setting users will not see a Use
ot configure this policy the PC will restart following the default schedule.Enabling any of the following policies will override the above poli
ns and updates.If you disable or do not configure this policy setting Windows 7 users will not be offered detailed notification messages for
tified that they are ready to install. After going to Windows Update users can install them. 4 = Automatically download updates and in
f active hours if users choose not to schedule restarts. The grace period might not take effect if users already have more than the number
his policy will not have any effect on Windows RT PCs.

ver) instead of Windows Update to search for and download updates. Enabling this setting means that end users in your organization don
ment requires a telemetry level setting of 2 or higher and your domain registered on insider.windows.com. For additional information on P
pecify that only the About and Bluetooth pages should be shown (their respective URIs are ms-settings:about and ms-settings:bluetooth)
onfigure this setting in Control Panel.If you disable this policy setting automatic learning is turned on. Users cannot configure this policy se
ocalAccountTokenFilterPolicy see http://support.microsoft.com/kb/951016.

o have any effect. If you disable or do not configure this policy setting the BITS peer caching feature will be disabled and BITS will dow
server); the "Limit the maximum network bandwidth used for Peercaching" policy setting should be used for that purpose. Consider
allows you to specify a bitmask in which the bits describe cost states allowed or disallowed for this priority: (bits described here) 0x1
n Group Policy setting and then configure local computer policy to enable BranchCache latency settings on individual client computers. Be
election this policy setting is not applied to client computers and the clients run the version of BranchCache that is included with their ope
plied in addition to the "Set BranchCache Hosted Cache mode" policy setting use the hosted cache servers that are specified in this policy
orm automatic hosted cache server discovery under the following circumstances:If no other BranchCache mode-based policy settings are a
computer cache age setting is enabled for all client computers where the policy is applied. For example if this policy setting is enabled in do
vidual client computers where you want to enable BranchCache.- Enabled. With this selection BranchCache distributed cache mode is enab
puters. Because the domain Group Policy setting is not configured it will not over-write the enabled setting that you use on individual clien
puters.- Enabled. With this selection the BranchCache client computer cache setting is enabled for all client computers where the policy is
bled. With this selection BranchCache is turned on for all client computers where the policy is applied. For example if this policy is enabled
existence. The contents of the file do not matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC pa
nd resume normal DirectAccess functionality the user clicks Connect.Note If the DirectAccess client computer is on the intranet and has co
corp.contoso.com." second if the first query fails.If you enable this policy setting suffixes are allowed to be appended to an unqualified mu
added in place of the failed suffix and this new query is submitted. The values are used in the order they appear in the string starting with
llowing names to a single-label name when it sends DNS queries:The primary DNS suffix as specified on the Computer Name tab of the Sys
ected the DNS client appends the following names to a single-label name when it sends DNS queries:The primary DNS suffix as specified o
Nconnection and mycomputer.microsoft.com when this policy setting is enabled.Important: This policy setting is ignored on a DNS client c
1800 seconds is 30 minutes.If you enable this policy setting registration refresh interval that you specify will be applied to all network conn
n conflicting IP addresses will not be replaced during a dynamic update and an error will be recorded in Event Viewer.
hCache is enabled in domain Group Policy hash publication is turned on for all domain member file servers to which the policy is applied. T
d. With this selection both V1 and V2 hash generation and retrieval are supported.In circumstances where this setting is enabled you can
anyone on the network. Microsoft recommends disabling insecure guest logons and configuring file servers to require authenticated acces
to peer applications at home.3. In order to use a corporate seed server and the global seed server enable the setting; insert the fully quali
bled (which it is by default) for this policy to have effect.
led (which it is by default) for this policy to have effect.
nabled (which it is by default) for this policy to have effect.
not enabled for remote access connections created through the Make New Connection Wizard. The Network Setup Wizard is disabled.Not
Make New Connection Wizard. (The Network Setup Wizard is available only in Windows XP Professional.)By default ICS is disabled when yo
u had enabled.If you do not configure this policy setting Windows Defender Firewall behaves as if you had disabled it.Note: If any policy se
n these ports. Therefore the computer cannot share files or printers unless an administrator uses other policy settings to open the require
disable or do not configure this policy setting Windows Defender Firewall does not open TCP port 135 or 445. Also on Windows XP Professi
Remote Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Defender Firewall compone
setting Windows Defender Firewall does not open these ports. Therefore the computer cannot receive Plug and Play messages unless an a
sabling this policy setting Windows Defender Firewall leaves the log file intact.If you do not configure this policy setting Windows Defende
s policy setting the port exceptions list defined by Group Policy is deleted but other policy settings can continue to open or block ports. Als
ition from the list and add a new one with different parameters. To allow administrators to add programs to the local program exceptions
es. In the Windows Defender Firewall component of Control Panel the "Block all incoming connections" check box is cleared by default bu
u had enabled.If you do not configure this policy setting Windows Defender Firewall behaves as if you had disabled it.Note: If any policy se
n these ports. Therefore the computer cannot share files or printers unless an administrator uses other policy settings to open the require
disable or do not configure this policy setting Windows Defender Firewall does not open TCP port 135 or 445. Also on Windows XP Professi
Remote Desktop requests unless an administrator uses other policy settings to open the port. In the Windows Defender Firewall compone
setting Windows Defender Firewall does not open these ports. Therefore the computer cannot receive Plug and Play messages unless an a
sabling this policy setting Windows Defender Firewall leaves the log file intact.If you do not configure this policy setting Windows Defende
s policy setting the port exceptions list defined by Group Policy is deleted but other policy settings can continue to open or block ports. Als
ition from the list and add a new one with different parameters. To allow administrators to add programs to the local program exceptions
es. In the Windows Defender Firewall component of Control Panel the "Block all incoming connections" check box is cleared by default bu
hing a setting in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab click Advanced and then select an opti
you disable or do not configure this policy setting Windows performs a background sync of offline folders in the slow-link mode at a defau
fy a Latency or Throughput value computers running Windows Vista or Windows Server 2008 will not use the slow-link mode.If you do not
ols menu click Folder Options click the Offline Files tab and then use the slider bar associated with the "Amount of disk space to use for tem
licy setting transparent caching is enabled and configurable.If you disable or do not configure this policy setting remote files will be not be
ace. The current cache state is retained and if the cache is only partially encrypted the operation completes so that it is fully encrypted. Th
kes precedence over the setting in User Configuration.
otal space on the drive where the Offline Files cache is located. The limit for automatically cached files is 100 percent of the total disk spac
orer on the Tools menu click Folder Options click the Offline Files tab and then click Advanced. This setting corresponds to the settings in th
nd is called "Always available offline" on computers running Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 Window
available for offline use.
he "Synchronize all offline files before logging off" option.

onfiguration takes precedence over the setting in User Configuration.Tip: To change the synchronization method without setting a setting i
shing a setting in Windows Explorer on the Tools menu click Folder Options and then click the Offline Files tab. This setting corresponds to
e local admin group full control.Note: It is good practice to use a cryptic community name.Note: This policy setting has no effect if the SNM
Also see the other two SNMP policy settings: "Specify trap configuration" and "Specify Community Name".
n.- When the network traffic drops below this threshold the computer will be disconnected from the network. Apps that keep a network c
to 2 the behavior is similar to 1. However if a cellular data connection is available it will always stay connected for services that require a c
domain based network over Ethernet and a user attempts to create a manual connection to an additional network in violation of this policy
er "Connect to suggested open hotspots" or "Connect to networks shared by my contacts".

olicy object is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
urn on network discovery" and then click "Save changes". If you would like to not display printers of a certain type enable this policy a
the client will submit any pending print jobs.Note: Some printer drivers require a custom print processor. In some cases the custom print
and "Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon" settings in User Configuration\Adm
relaunched before settings take effect.
printer is always logged. Note: This setting is used only on domain controllers.
ws Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be update
not automatically republished are never pruned. "Never" is the default. -- "Only if Print Server is found" prunes printer objects that
move Recent Items menu from Start Menu" setting the Recent Items menu appears on the Start menu but it is empty.If you enable this setti
down Event Tracker occurs.Note: By default the Shutdown Event Tracker is only displayed on computers running Windows Server.
mand is used to add a link to a Help topic and runs executables that are external to the Help file. The "WinHelp" command is used to add a
e computer.
he has been successfully cleared on transmission and the log has filled up again. Data Block Size: This value specifies the maximum size
permitted when specifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on
manresources.fabrikam.com Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
ktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Session Host running on all mach
.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Session Host ru
es.fabrikam.com Remote Desktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Sess
to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.For Example:
etting can be used in combination with the "Allow delegating default credentials" policy setting to define exceptions for specific servers tha
licy setting can be used in combination with the "Allow delegating fresh credentials" policy setting to define exceptions for specific servers
kam.comThis policy setting can be used in combination with the "Allow delegating saved credentials" policy setting to define exceptions fo
ations which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using Cred
ls to remote devices.Note: To disable most credential delegation it may be sufficient to deny delegation in Credential Security Support Pro
onality from each computer with a physically present user in order to clear configuration persisted in UEFI. The "Enabled without lock" opti
vice instance IDsIf the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria"
e installation policies across all device match criteria" policy setting is not enabled with this policy setting then any other policy settings spe
vent installation of devices that match any of these device instance IDsIf the "Apply layered order of evaluation for Allow and Prevent dev
esRemovable devices7. Prevent installation of removable devicesNOTE: This policy setting provides more granular control than the "Preven
nstallation of devices that match any of these device IDs" "Prevent installation of devices for these device classes" policy setting "Prevent
d update devices as allowed or prevented by other policy settings.

vers updated. If you enable this policy setting on a remote desktop server the policy setting affects redirection of removable devices from a
click the Quota tab and then click "Enable quota management."
lt quota limit and warning level" policy setting. Otherwise the system uses the physical space on the volume as the quota limit.
d their limit because their status in the Quota Entries window changes.Note: To find the logging option in My Computer right-click the nam
mit and warning level.When you select a limit remember that the same limit applies to all users on all volumes regardless of actual volume
work for all applications as some older desktop applications will always be blurry on high DPI displays. In some cases you may see some od
r that DCOM server regardless of local settings.If you disable this policy setting the appid exemption list defined by Group Policy is deleted
nitialization of drivers determined to be Bad is skipped.If your malware detection application does not include an Early Launch Antimalwar
n the Computer Configuration policy setting takes precedence.
ext in Japanese under Administrative Templates.If you disable or do not configure this setting the Group Policy Object Editor snap-in alwa
omputer has joined the domain.2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled.If you disab
ne the bandwidth speed across Direct Access Group Policy will evaluate the network connection as a fast link and process all client side ex
stem restart.The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policie
ven if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many p
t changed. Many policy implementations specify that they are updated only when changed. However you might want to update unchange
The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain contr
puter Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow l
ke effect until the next user logon or system restart.The "Process even if the Group Policy objects have not changed" option updates and r
ntil the next user logon or system restart.The "Process even if the Group Policy objects have not changed" option updates and reapplies th
ed policy setting in case a user has changed it.

e not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that
uch as reapplying a desired policy setting in case a user has changed it.
if the policies have not changed. Many policy setting implementations specify that they are updated only when changed. However you m
's normal settings.If you disable this setting or do not configure it the user's Group Policy Objects determines which user settings apply.No
f the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy
ess even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Ma
seconds. The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the do
mputers policy also lets you specify how much the actual update interval varies. To prevent clients with the same update interval from req
om requesting updates simultaneously the system varies the update interval for each controller by a random number of minutes. The num
erberos armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled Kerberos authentication messages
fined in the local registry if they exist.
ot configure this policy setting the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry if they ex
tion context tokens it is not advised to set this value more than 48000 bytes.
vers settings defined by Group Policy.
restrictions will be based on per-user policy settings.To set this policy setting on a per-user basis make sure that you do not configure the
mputer level the per-user policy is ignored. If this policy setting is not configured at the computer level restrictions are based on per-user
tely after the screen turns off.If you don't configure this policy setting on a workgroup device a user on a Connected Standby device can ch
me directory or user object logon script logs on to a computer computers always wait for the network to be initialized before logging the u
tting clear the ""Show this screen at startup"" check box on the welcome screen.
Do not process the run once list"" settings.
OP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. PROCESS_CREA
n clients in the domain. When this setting is enabled an application that relies on the ability to lock files on the Netlogon share with only re
omain. When this setting is enabled an application that relies on the ability to lock files on the SYSVOL share with only read permission will
nfiguration.
ng the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
domain controller entries.If you enable this policy setting DC Locator on the machine will carry out Force Rediscovery periodically accordin
Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address then DC Locator APIs will fail.If you do not c
sdcs.<DnsDomainName>Dc SRV _ldap._tcp.dc._msdcs.<DnsDomainName>DcAtSite SRV _ldap._tcp.<SiteName>._sites.dc._m
DNS zones may result in the undesired deletion of DNS resource records.To specify the Refresh Interval of the DC records click Enabled an
plied to any DCs and DCs use their local configuration.
est Site behavior is honored.If you do not configure this policy setting Try Next Closest Site DC Location will not be used by default for the
performed on the single-label name only in the event that DNS resolution fails.If you disable this policy setting when the AllowSingleLabe
e Active Directory forest to which this computer is joined.If you do not configure this policy setting it is not applied to any computers and
covery Options menu if it is available.
en you enter the name of the helper user or user groups use the following format:<Domain Name>\<User Name> or<Domain Name>\<Gr
nce invitation created by using email or file transfer can remain open.The "Select the method for sending email invitations" setting specifie
C Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation but the created security context does not support delegati
g Windows 2000 Server Windows 2000 Advanced Server or Windows 2000 Datacenter Server. -- "Server" directs RPC to maintain basic sta
while this policy setting is in effect the command that starts the process must begin with one of the strings in the Extended Error Informati
servers running on a machine. A client will be considered an authenticated client if it uses a named pipe to communicate with the server o
ill remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used.If you enable this policy setting
Within GPO B: B.cmd B.ps1Within GPO C: C.cmd C.ps1Note: This policy setting determines the order in which computer startup and shutdo
g determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for spe
hort prerequisite tasks might not be done and the system can appear to be ready prematurely.If you disable or do not configure this settin
nges to this setting to take effect.Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations
es in Windows Server 2012.
red.No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately.
osoft Management Console.
leshooting or resolution will be attempted.If you do not configure this setting the recovery behavior for corrupted files will be set to the re
r disabled diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Conso
diately.This policy setting will take effect only when MSDT is enabled.This policy setting will only take effect when the Diagnostic Policy Ser
Microsoft. Do not notify users when troubleshooting has solved a problem.5 = Allow the user to choose their own troubleshooting setting
bleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted.If you do not co
e running state. When the service is stopped or disabled scheduled diagnostics will not be executed. The Task Scheduler service can be co
icy to take effect: changes take effect immediately.This policy setting will only take effect when the Diagnostic Policy Service is in the runn
tart is required for this policy to take effect: changes take effect immediately.This policy setting will only take effect when the Diagnostic P
start is required for this policy to take effect: changes take effect immediately.This policy setting will only take effect when the Diagnostic
red.No system restart or service restart is required for this policy to take effect: changes take effect immediately.This policy setting will on
tart is required for this policy to take effect: changes take effect immediately.This policy setting will only take effect when the Diagnostic P
orage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM
ugh scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM c
before the user is not allowed to send commands requiring authorization to the TPM.The Standard User Lockout Total Threshold value is
andard user may have before the user is not allowed to send commands requiring authorization to the TPM.The Standard User Lockout To
horization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM.This
e the client computer sets the file share permissions for the roaming profile at creation time.Note: In the default case administrators have
ork connections" policy setting is enabled this policy setting is ignored. Also if the "Delete cached copies of roaming profiles" policy setting
copy of the user profile.

not configure this policy setting AND the roaming profile folder exists AND the user or administrators group are not the owner of the folde
he Windows Installer and Group Policy software installation data when those profiles are deleted.Note: If this policy setting is enabled for a
to 0 the system tries just once to unload and update the user's registry settings. It does not try again.Note: This policy setting is particular
ser profiles" setting roaming profiles are disabled.Note: This setting only affects roaming profile users.
nsulting the user. In Microsoft Windows Vista the system will ignore the user choice made on the logon screen.Note: This policy setting an
. Terminal Services roaming profile path specified by Terminal Services policy2. Terminal Services roaming profile path specified by the use
or example if the settings dictate that the user's registry file is to be uploaded at 6pm it will actually upload at a random time between 6pm
ive letter.If you disable or do not configure this policy setting the user's home folder is configured as specified in the user's Active Director
s.If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this optio
ocal copy is desirable when quick logging on is a priority.Important: If the "Do not detect slow network connections" policy setting is enab
fted considerably or in other words spiked. Default: 50000000 100-nanosecond units (ns) or 5 seconds. MaxAllowedPhaseOffsetIf a res
de its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator o
cy object is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
vice employees must restart the app or device for the policy changes to be applied to the app.
oyees must restart the app or device for the policy changes to be applied to the app.
app or device for the policy changes to be applied to the app.
c information about other apps by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a de
or the policy changes to be applied to the app.
p or device for the policy changes to be applied to the app.
employees must restart the app or device for the policy changes to be applied to the app.
s must restart the app or device for the policy changes to be applied to the app.
es must restart the app or device for the policy changes to be applied to the app.
the policy changes to be applied to the app.
es must restart the app or device for the policy changes to be applied to the app.
st restart the app or device for the policy changes to be applied to the app.
a device employees must restart the app or device for the policy changes to be applied to the app.
evice employees must restart the app or device for the policy changes to be applied to the app.
ot change it.If you disable or do not configure this policy setting employees in your organization can decide whether Windows apps can ac
ed to allow applications to be activated with voice.

devices by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must re
start the app or device for the policy changes to be applied to the app.
us windows or displays by using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device emp
his Group Policy object is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
value HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault. If that value is non-0 this prevents all 16-bit applications
ors who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web
onfigured by using the Services snap-in to the Microsoft Management Console.

figuration takes precedence over the policy setting in User Configuration.
e of the policies are set BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method specified by the se
very information to a folder.If you disable or do not configure this policy setting the BitLocker setup wizard will present users with ways to
write access to removable drives not protected by BitLocker" policy setting to help control the use of removable drives in your organizatio
y passwords and may help perform specialized recovery when the disk is damaged or corrupted.If you select the option to "Require BitLoc
setting the user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In this situation for the fi
o use when you turn on BitLocker instead BitLocker recovery options for the drive are determined by the policy setting.In "Save BitLocker r
hod and cipher strength” policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based e
er is necessary when BitLocker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a dom
method uses the TPM on the computer so computers that do not have a TPM cannot create Network Key Protectors to automatically unloc
icy setting "Configure TPM platform validation profile for native UEFI firmware configurations" is enabled and has PCR 7 omitted Bitlocker
ot be able to specify which recovery option to use when you turn on BitLocker instead BitLocker recovery options for the drive are determ
e supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear corr
from 0 to 23 The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measuremen
ill not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require tha
effect the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console
on method and cipher strength” policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-
ity the password. When set to "Allow complexity" a connection to a domain controller will be attempted to validate the complexity adher
Allowed- Configure use of passwords for operating system drives.
d protection for encrypted data. When the computer starts it can use only the TPM for authentication or it can also require insertion of a U
gure setting options for computers with and without a TPM.If you disable or do not configure this policy setting the BitLocker setup wizard
ur organization" policy setting the user will be prompted to update BitLocker and BitLocker To Go Reader will be deleted from the drive. In
ery option to use when you turn on BitLocker instead BitLocker recovery options for the drive are determined by the policy setting.In "Save
n method and cipher strength” policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-ba
cker is enabled to validate the complexity the password. When set to "Allow complexity" a connection to a domain controller will be attem
Disks: Deny write access" policy setting is enabled this policy setting will be ignored.
c data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the "Limit Dump Collection" and the "Limit Dia
suspicious but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that ap
or earlier is automatically used. This is the default behavior.- If you enable this policy you can configure redirected sites to open in up to th
anization see https://go.microsoft.com/fwlink/?linkid=2094210.
sentation - 10110• 1 - Restricted Sites Zone• 0 - Internet Zone• 1 - Trusted Sites Zone• 1 - Local Intranet Zone• 0 - Local Machine Zone
you disable or do not configure this policy setting the tab process growth is set to the default. The user can change this value by using the
ation or process in the list a script that is running in the application or process cannot bypass the prompt for delete copy or paste operation
dards Mode.
ages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages but newer con
g Protection and Do Not Track data when clicking Delete.

ou enable this policy setting Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected Mode w
e or enforce) to apply individual settings to specific targets.

owing information:Valuename – A host for an intranet site or a fully qualified domain name for other sites. The valuename may also includ
arch query results in this zone using File Explorer.If you disable this policy setting users will be prevented from previewing items and get cu
nge this setting.

me window. Users cannot change this setting in the Internet Options dialog.
setting logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Automatic logon only
nge this setting.
nge this setting.

setting logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Automatic logon with
nge this setting.

nge this setting.
nge this setting.

nge this setting.

setting logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Prompt for username
nge this setting.

nge this setting.
setting logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Prompt for username
nge this setting.

pecify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed enter a 1 (one) into this
ng.Note: If an add-on is listed in the 'Add-on List' policy setting the user cannot change its state through Add-on Manager (unless its value
dence over that setting.If you do not configure this policy processes other than the Internet Explorer processes will not be affected by add
All Processes policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not confi
ure this policy setting the security feature is allowed.
nfigured in this box take precedence over that setting.If you disable or do not configure this policy setting the security feature is allowed.
policy or the “Block at First Sight” feature will not function.
cally and whether the actions were successful. Advanced membership in addition to basic information will send more information to Mi
x-xxxx-xxxxxxxxxxxx 0 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 1 xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 2 Disabled: N
owing will not be blocked and will be allowed to run: - Attempts by untrusted apps to modify or delete files in protected folders -A
all unknown executables

ocalhost:8080/Config.xmlThe settings in the XML file will be applied to the endpoint.DisabledCommon settings will not be applied and the
ndows Store apps and installing them from an integrated development environment (IDE)- Allow all trusted apps to install
't configure this setting the search engine list is set to what is specified in App settings.
nd session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” p
ault)Related policies:-Disable Lockdown of Start Pages-Configure Start Pages
M-enrolledRelated policy:- Configure Open Microsoft Edge With- Disable Lockdown of Start Pages
ent users from debugging and altering the logic on an extension.If disabled or not configured extensions defined as part of this policy get i
he default search engine you can set the string to EDGEBING.Employees can change the default search engine at any time unless you disa
tion engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-V triggers take p
gent will be deleted from the computer and only the templates located in the settings template catalog will be used.If you disable this pol
icy setting no UE-V rollback state is copied to the settings storage location.If you do not configure this policy no UE-V rollback state is copie
e license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers gr
RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS C
name. When a user tries to start an RDP session the user receives a message that the publisher has been blocked.Note: You can define this
d in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server w
Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote conn
contains a string that is not a certificate thumbprint it is ignored.
es\Remote Desktop Session Host\Security\Require user authentication for remote connections by using Network Level Authentication. You
d or Not Configured limits to the number of connections are not enforced at the Group Policy level.Note: This setting is designed to be use
o determine the network quality prior to the connection and it will continuously try to adapt the user experience to varying network quali
sable this policy setting audio and video playback redirection is not allowed even if audio playback redirection is specified in RDC or video
evice Installation\Device Installation Restrictions policy settings.
o playback quality configured on the remote computer the lower level of audio playback quality will be used.Audio playback quality can b
allback printer driver."Show both PCL and PS if one is not found" - If no suitable driver can be found show both PS and PCL-based fallback p
sion.Note: If the "Do not allow client printer redirection" policy setting is enabled the "Use Remote Desktop Easy Print printer driver first"
n the local drive.Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting
r and will store the user profiles locally on the RD Session Host server.If you disable or do not configure this policy setting user profiles are
set to Enabled Remote Desktop Services creates the user's home directory in the specified location on the local computer or the network.
at least Windows Server 2008 Standard.

D Session Host server farm the computer account for each RD Session Host server in the farm must be a member of one of the following lo
oup Policy level. Notes: 1. If you enable this policy setting you must also enable the Configure RD Connection Broker farm name and Confi
ancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to
RDP compression algorithm some graphics data will still be compressed.If you disable or do not configure this policy setting the default RD
In this mode the color integrity of the graphics data is not impacted. However this setting results in a significant increase in network band
ing at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections.3.For connections fro
ected sessions" policy setting.
valid directory the RD Session Host server connection fails with an error message.If the status is set to Enabled Remote Desktop Services s
ssion settings were selected (the default behavior).
ticated. Native RDP encryption (as opposed to SSL encryption) is not recommended.* SSL (TLS 1.0): The SSL method requires the use of TLS
ows Server 2012 and Windows 8 Network Level Authentication is enforced by default.Important: Disabling this policy setting provides less
and that matches the current name of the RD Session Host server will be selected.If you disable or do not configure this policy the certifica
t Compatible setting encrypts data sent between the client and the server at the maximum key strength supported by the client. Use this e
s policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out eve
Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached.Note: This policy setting app
op Session Host\Session Time Limits\End session when time limits are reached.Note: This policy setting appears in both Computer Configu
d sessions are maintained for an unlimited amount of time. Note: This policy setting appears in both Computer Configuration and User Con
allow list. Create a list entry by putting a space in the name field and a space in the value field and then save it. This will create a placehold
rity settings that are monitored by Security Center include firewall antivirus and Automatic Updates. Note that Security Center might not
tering will take place.

ntry areas” policy and the “Prevent Input Panel tab from appearing” policy and disable the “Show Input Panel taskbar icon” policy the use
box.If you do not configure this policy rarely used Chinese Kanji and Hanja characters will not be included in recognition results when hand
tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose “Medium
nd the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If you disable
suspicious but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that ap
Select this option if you do not want error dialog boxes to display links to Microsoft websites.- ""Do not collect additional files"": Select th
on check reminders determines the interval time between the display of system notifications that remind the user to check for solutions t
d Report Operating System Errors policy settings.
reporting policy setting is set to report no application errors.If the Report all errors in Microsoft applications or Report all errors in Windo
ou can also use the exclusion list in this policy setting to exclude specific Microsoft applications or parts of Windows if the check boxes for
led or not configured then the consent level defaults to the highest-privacy setting: Always ask before sending data.
bility) does not contain personally identifiable data and prompts the user for consent to send any additional data requested by Microsoft.-
es and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not guarantee
ven if it is explicitly disabled in the other folder.
elevated" policy setting.

s on a different computer or is not connected to the network.
m using other methods to install and upgrade programs.

omatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled personal data i
not configure this setting messages about the previous logon or logon failures are not displayed.
e system restarts.
he computer. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. Th
: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Configurati
asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used other ranges in the filter are ig
setting users will not see a User Account Control window and do not need elevated permissions to do either of these tasks. If you do not e
es will override the above policy: 1. No auto-restart with logged on users for scheduled automatic updates installations 2. Always autom
ailed notification messages for optional applications and Windows Vista users will not be offered detailed notification messages for option
cally download updates and install them on the schedule specified below. When "Automatic" is selected as the scheduled install time W
y have more than the number of days set as grace period to manage their restart based on deadline configurations.You can set the device
users in your organization don't have to go through a firewall to get updates and it gives you the opportunity to test updates before deplo
or additional information on Preview Builds see: https://aka.ms/wipforbizIf you disable or do not configure this policy Windows Update wi
ut and ms-settings:bluetooth) and all other pages hidden:showonly:about;bluetoothExample: to specify that only the Bluetooth page (whic
cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition if handwriting personalization
be disabled and BITS will download files directly from the origin server.
r that purpose. Consider using this setting to prevent BITS transfers from competing for network bandwidth when the client compute
bits described here) 0x1 - The cost is unknown or the connection is unlimited and is considered to be unrestricted of usage charges a
ndividual client computers. Because the domain Group Policy setting is not configured it will not over-write the latency setting that you us
that is included with their operating system.In circumstances where this setting is enabled you can also select and configure the following
hat are specified in this policy setting and do not use the hosted cache server that is configured in the policy setting "Set BranchCache Hos
ode-based policy settings are applied the client computer performs automatic hosted cache server discovery. If one or more hosted cache
s policy setting is enabled in domain Group Policy the BranchCache client computer cache age that you specify in the policy is turned on fo
distributed cache mode is enabled for all client computers where the policy is applied. For example if this policy is enabled in domain Grou
hat you use on individual client computers where you want to enable BranchCache.- Enabled. With this selection BranchCache hosted cach
omputers where the policy is applied. For example if Set percentage of disk space used for client computer cache is enabled in domain Gr
xample if this policy is enabled in domain Group Policy BranchCache is turned on for all domain member client computers to which the pol
erName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt
r is on the intranet and has correctly determined its network location the Disconnect option has no effect because the rules for DirectAcce
ppended to an unqualified multi-label name if the original name query fails.If you disable this policy setting no suffixes are appended to un
pear in the string starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.If you disab
Computer Name tab of the System control panel.Each connection-specific DNS suffix assigned either through DHCP or specified in the DNS
mary DNS suffix as specified on the Computer Name tab of the System control panel.Each connection-specific DNS suffix assigned either t
ng is ignored on a DNS client computer if dynamic DNS registration is disabled.If you disable this policy setting or if you do not configure th
be applied to all network connections used by computers that receive this policy setting.If you disable this policy setting or if you do not co
nt Viewer.
o which the policy is applied. The file servers are then able to create content information for all content that is stored in BranchCache-ena
his setting is enabled you can also select and configure the following option:Hash version supported:- To support V1 content information o
to require authenticated access."
e setting; insert the fully qualified domain name or IPv6 address of the corporate seed server leave the checkbox unchecked. This is the se
k Setup Wizard is disabled.Note: If you enable the "Windows Firewall: Protect all network connections" policy setting the "Prohibit use of I
default ICS is disabled when you create a remote access connection but administrators can use the Advanced tab to enable it. When runnin
sabled it.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbound echo requests even if the "Windows D
cy settings to open the required ports. In the Windows Defender Firewall component of Control Panel the "File and Printer Sharing" check
. Also on Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1 Windows Defender Firewall prevents SVC
ws Defender Firewall component of Control Panel the "Remote Desktop" check box is cleared. Administrators can change this check box."
and Play messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the W
licy setting Windows Defender Firewall behaves as if the policy setting were disabled.
nue to open or block ports. Also if a local port exceptions list exists it is ignored unless you enable the "Windows Defender Firewall: Allow
the local program exceptions list that is defined by the Windows Defender Firewall component in Control Panel also enable the "Window
ck box is cleared by default but administrators can change it.
sabled it.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbound echo requests even if the "Windows D
cy settings to open the required ports. In the Windows Defender Firewall component of Control Panel the "File and Printer Sharing" check
. Also on Windows XP Professional with at least SP2 and Windows Server 2003 with at least SP1 Windows Defender Firewall prevents SVC
ws Defender Firewall component of Control Panel the "Remote Desktop" check box is cleared. Administrators can change this check box."
and Play messages unless an administrator uses other policy settings to open the required ports or enable the required programs. In the W
licy setting Windows Defender Firewall behaves as if the policy setting were disabled.
nue to open or block ports. Also if a local port exceptions list exists it is ignored unless you enable the "Windows Defender Firewall: Allow
the local program exceptions list that is defined by the Windows Defender Firewall component in Control Panel also enable the "Window
ck box is cleared by default but administrators can change it.
anced and then select an option in the "When a network connection is lost" section.Also see the "Non-default server disconnect actions"
the slow-link mode at a default interval with the start of the sync varying between 0 and 60 additional minutes. In Windows 7 and Window
e slow-link mode.If you do not configure this policy setting computers running Windows Vista or Windows Server 2008 will not transition a
unt of disk space to use for temporary offline files" option.
tting remote files will be not be transparently cached on client computers.

so that it is fully encrypted. The cache does not return to the unencrypted state. The user must be an administrator on the local computer
0 percent of the total disk space limit. However the users can change these values using the Offline Files control applet.If you enable this s
rresponds to the settings in the "Exception list" section.
Windows Server 2008 Windows 8 Windows 7 or Windows Vista.This policy setting does not prevent files from being automatically cached
thod without setting a setting in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and then select the "Sy
ab. This setting corresponds to the "Enable reminders" check box.
etting has no effect if the SNMP agent is not installed on the client computer.Also see the other two SNMP settings: "Specify permitted ma
k. Apps that keep a network connection active even when they’re not actively using it (for example email apps) might lose their connectio
ed for services that require a cellular connection. When the user is connected to a WLAN or Ethernet connection no internet traffic will be
twork in violation of this policy setting the existing Ethernet connection is maintained and the manual connection attempt is blocked.If thi
lied to the app.
ertain type enable this policy and set the number of printers to display to 0. In Windows 10 and later only TCP/IP printers can be sho
some cases the custom print processor may not be installed on the client machine such as when the print server does not support transfe
ngs in User Configuration\Administrative Templates\Windows Components\Windows Explorer and by the "Enable Active Desktop" setting
tion driver needs to be updated. -Windows Server 2003 and Windows XP client computers can create a printer connection to any ser
nd" prunes printer objects that are not automatically republished only when the print server responds but the printer is unavailable.
s empty.If you enable this setting but then later disable it or set it to Not Configured the document shortcuts saved before the setting was
nning Windows Server.
p" command is used to add a link to a Help topic and runs a WinHLP32.exe Help (.hlp) file. To disallow the "Shortcut" and "WinHelp" c
e specifies the maximum size in bytes to transmit to the server at once on a reporting upload to avoid permanent transmission failures wh
sktop Session Host running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Session Host running on all mac
rikam.com
sion Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .h
mote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on
MSRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host
ecifying the SPN.For Example:TERMSRV/host.humanresources.fabrikam.com Remote Desktop Session Host running on host.humanresour
eptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating default credentials" serv
exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating fresh credentials" ser
setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the "Allow delegating sav
ersions and services using CredSSP will accept unpatched clients.For more information about the vulnerability and servicing requirements
redential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Adminis
he "Enabled without lock" option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy. Th
cross all device match criteria" policy setting is not enabled with this policy setting then any other policy settings specifically preventing ins
n any other policy settings specifically preventing installation will take precedence.NOTE: The "Prevent installation of devices not describe
tion for Allow and Prevent device installation policies across all device match criteria" policy setting is not enabled with this policy setting th
nular control than the "Prevent installation of devices not described by other policy settings" policy setting. If these conflicting policy settin
asses" policy setting "Prevent installation of devices that match any of these device instance IDs" or "Prevent installation of removable de
n of removable devices from a remote desktop client to the remote desktop server.If you disable or do not configure this policy setting W
as the quota limit.

Computer right-click the name of an NTFS file system volume click Properties and then click the Quota tab.
es regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group.
me cases you may see some odd behavior in some desktop applications. If that happens Per Process System DPI should be disabled.Enablin
ned by Group Policy is deleted and the one defined by local computer administrators is used.If you do not configure this policy setting the
e an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled this setting has no
icy Object Editor snap-in always loads all ADM files from the actual GPO.Note: If the ADMs that you require are not all available locally in y
d logon" is enabled.If you disable or do not configure this policy setting detecting a slow network connection will not affect whether Group
k and process all client side extensions.If you disable this setting or do not configure it Group Policy will evaluate the network connection a
the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. Howev
ies have not changed. Many policy implementations specify that they are updated only when changed. However you might want to updat
ight want to update unchanged policies such as reapplying a desired setting in case a user has changed it.
sponse from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processi
Configuration defines a slow link for settings in the User Configuration folder.Also see the "Do not detect slow network connections" and
changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they a
ption updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated
implementations specify that they are updated only when changed. However you might want to update unchanged policies such as reap
hen changed. However you might want to update unchanged policy settings such as reapplying a desired policies in case a user has chang
s which user settings apply.Note: This setting is effective only when both the computer account and the user account are in at least Windo
ave not changed. Many policy implementations specify that they are updated only when changed. However you might want to update un
policies have not changed. Many policy implementations specify that they are updated only when changed. However you might want to u
ait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Polic
same update interval from requesting updates simultaneously the system varies the update interval for each client by a random number o
m number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example if you type
eros authentication messages will not use these features. If you configure "Supported" the domain controller supports claims compound
d in the local registry if they exist.
that you do not configure the per-machine policy setting.
ictions are based on per-user policies.

nnected Standby device can change the amount of time after the device's screen turns off before a password is required when waking the
initialized before logging the user on. If a user has never logged on to this computer before computers always wait for the network to be i
echnique. PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100) The force Address

he Netlogon share with only read permission will be able to deny Group Policy clients from reading the files and in general the availability o
with only read permission will be able to deny Group Policy clients from reading the files and in general the availability of the SYSVOL shar
covery fails.
iscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive net
tor APIs will fail.If you do not configure this policy setting DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of t
._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>Rfc1510Kdc SRV _kerberos._tcp.<DnsDomainName>Rfc1510KdcAtSite SRV _
he DC records click Enabled and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds
not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly the Next Closest Site behavior will be used
tting when the AllowSingleLabelDnsDomain policy is not enabled computers to which this policy is applied will only use NetBIOS name reso
applied to any computers and computers use their local configuration.
ame> or<Domain Name>\<Group Name>If you enable this policy setting you should also enable firewall exceptions to allow Remote Assis
mail invitations" setting specifies which email standard to use to send Remote Assistance invitations. Depending on your email program you
text does not support delegation.-- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if deleg
rects RPC to maintain basic state information on the computer regardless of its capacity.-- "Full" directs RPC to maintain complete RPC sta
n the Extended Error Information Exception field.-- "Off with Exceptions" disables extended error information but lets you enable it for sel
ommunicate with the server or if it uses RPC Security. RPC Interfaces that have specifically requested to be accessible by unauthenticated
you enable this policy setting and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout the timeo
h computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types wit
rride this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: User Configu
or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default.
k until appropriate mitigations have been performed for example patching of vulnerable TPMs.More information is available at https://go
upted files will be set to the regular recovery behavior.No system or service restarts are required for changes to this policy to take immed
Microsoft Management Console. Note: For Windows Server systems this policy setting applies only if the Desktop Experience optional com
when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled diagnostic scenarios are not exec
ir own troubleshooting settings.After setting this policy you can use the following instructions to check devices in your domain for availabl
be attempted.If you do not configure this policy setting the recovery behavior for corrupted files will be set to the default recovery behav
sk Scheduler service can be configured with the Services snap-in to the Microsoft Management Console.
tic Policy Service is in the running state. When the service is stopped or disabled diagnostic scenarios will not be executed. The DPS can be
e effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diagnostic scenarios will not be
ke effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diagnostic scenarios will not b
ately.This policy setting will only take effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disab
e effect when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled diagnostic scenarios will not be
on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may
nd local lists of blocked TPM commands.
ckout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users ar
.The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have befo
authorization to the TPM.This value is the maximum total number of authorization failures all standard users may have before all standar
ault case administrators have no file access to the user's profile but they may still take ownership of this folder to grant themselves file pe
oaming profiles" policy setting is enabled there is no local copy of the roaming profile to load when the system detects a slow connection.
are not the owner of the folder Windows will not copy files to or from the roaming folder. The user will be shown an error message and an
s policy setting is enabled for a machine local administrator action is required to remove the Windows Installer or Group Policy software in
This policy setting is particularly important to servers running Remote Desktop Services. Because Remote Desktop Services edits the users
en.Note: This policy setting and related policy settings in this folder define the system's response when roaming user profiles are slow to d
rofile path specified by the user object3. A per-computer roaming profile path specified in this policy4. A per-user roaming profile path spe
at a random time between 6pm and 7pm.Note: If "Run at set interval" is selected the "Time of day" option is disregarded. Likewise if "Run
ed in the user's Active Directory Domain Services account.If the "Set Remote Desktop Services User Home Directory" policy setting is enab
off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on th
ections" policy setting is enabled this policy setting is ignored. Also if the "Delete cached copies of roaming profiles" policy setting is enabl
MaxAllowedPhaseOffsetIf a response is received that has a time variation that is larger than this parameter value W32time sets the client c
in controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchron
d to the app.
Policy object is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
whether Windows apps can access the user's movements while the apps are running in the background by using Settings > Privacy on the
n a device employees must restart the app or device for the policy changes to be applied to the app.
ject is applied on a device employees must restart the app or device for the policy changes to be applied to the app.
es to be applied to the app.
revents all 16-bit applications from running. If that value is 0 16-bit applications are allowed to run. If that value is also not present on Win
is particularly useful for a web server where applications may be launched several hundred times a second and the performance of the lo
on method specified by the setup script.”
will present users with ways to store recovery options.Note: If Trusted Platform Module (TPM) initialization is needed during the BitLocker s
vable drives in your organization. It is a comma separated list of identification fields from your organization or other external organizations
t the option to "Require BitLocker backup to AD DS" BitLocker cannot be turned on unless the computer is connected to the domain and t
drive. In this situation for the fixed drive to be unlocked on computers running Windows Server 2008 Windows Vista Windows XP with SP3
icy setting.In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery information to s
hm used by hardware-based encryption is set when the drive is partitioned. By default BitLocker uses the algorithm configured on the driv
lexity" a connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy but if no do
otectors to automatically unlock with Network Unlock.If you disable or do not configure this policy setting BitLocker clients will not be able
d has PCR 7 omitted Bitlocker will be prevented from using Secure Boot for platform or Boot Configuration Data (BCD) integrity validation.
tions for the drive are determined by the policy setting.In "Save BitLocker recovery information to Active Directory Domain Services" choo
m message or URL appear correctly on the pre-boot recovery screen.

Root of Trust of Measurement (CRTM) BIOS and Platform Extensions (PCR 0) the Option ROM Code (PCR 2) the Master Boot Record (MBR
overy console and require that either the recovery password or recovery key be provided to unlock the drive.If you disable or do not confi
he BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive.If you disab
algorithm used by hardware-based encryption is set when the drive is partitioned. By default BitLocker uses the algorithm configured on
validate the complexity adheres to the rules set by the policy but if no domain controllers are found the password will still be accepted reg
an also require insertion of a USB flash drive containing a startup key the entry of a 6-digit to 20-digit personal identification number (PIN)
tting the BitLocker setup wizard will display basic steps that allow users to turn on BitLocker on computers with a TPM. In this basic wizard n
ll be deleted from the drive. In this situation for the removable drive to be unlocked on computers running Windows Server 2008 Window
d by the policy setting.In "Save BitLocker recovery information to Active Directory Domain Services" choose which BitLocker recovery infor
algorithm used by hardware-based encryption is set when the drive is partitioned. By default BitLocker uses the algorithm configured on th
domain controller will be attempted to validate the complexity adheres to the rules set by the policy but if no domain controllers are found
Collection" and the "Limit Diagnostic Log Collection" policies for more granular control of what optional diagnostic data is sent.If you disab
warn the user again for that app if the user tells SmartScreen to run the app.If you disable this policy SmartScreen will be turned off for all
rected sites to open in up to three of the following channels where: 0 = Microsoft Edge version 45 or earlier 1 = Microsoft Edge Stable
ne• 0 - Local Machine Zone

change this value by using the registry key. Note: On Terminal Server the default value is the integer “1”.
delete copy or paste operations from the Clipboard.If you do not configure this policy setting current values of the URL action for an applic
sting webpages but newer content written to common Internet standards may be displayed incorrectly. This option matches the default b
d Mode. All Protected Mode websites will run in Enhanced Protected Mode.If you disable or do not configure this policy setting Internet E
The valuename may also include a specific protocol. For example if you enter http://www.contoso.com as the valuename other protocols
m previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure this
is set to Automatic logon only in Intranet zone.
is set to Automatic logon with current username and password.



is set to Prompt for username and password.

is set to Prompt for username and password.

lowed enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on through
d-on Manager (unless its value has been set to allow user management - see the 'Add-on List' policy for more details).
ses will not be affected by add-on management user preferences or policy settings (unless "All Processes" is enabled).
g.If you disable or do not configure this policy setting the security feature is allowed.
he security feature is allowed.

send more information to Microsoft about malicious software spyware and potentially unwanted software including the location of the s
xxxxxxx 2 Disabled: No ASR rules will be configured. Not configured: Same as Disabled. You can exclude folders or files in the
files in protected folders - Attempts by untrusted apps to write to disk sectors These attempts will not be recorded in the Windows
gs will not be applied and the locally configured settings will be used instead.Not configuredSame as Disabled.
apps to install
osk reset after idle timeout” policy.- If it’s one of many apps it runs in a limited multi-tab version of InPrivate for public browsing with othe
fined as part of this policy get ignored.Default setting: Disabled or not configuredRelated policies: Allow Developer ToolsRelated Documen
ne at any time unless you disable the "Allow search engine customization" setting which restricts any changes.If you disable this setting th
he normal UE-V triggers take place.With notifications enabled UE-V users receive a message when the settings sync is delayed. The notifica
be used.If you disable this policy setting the UE-V Agent will not use the custom settings location templates. If you disable this policy settin
no UE-V rollback state is copied to the settings storage location.

to the RDS Endpoint Servers group when the license server is a member of a domain.
S CAL and the temporary RDS CAL has expired the client will not be able to connect to the RD Session Host server unless the RD Licensing g
cked.Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this p
o the RD Session Host server when the client cannot authenticate the RD Session Host server.
credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2 a user will be prompted on the client compu
work Level Authentication. You can limit the number of users who can connect simultaneously by configuring the policy setting at Comput
is setting is designed to be used on RD Session Host servers (that is on servers running Windows with Remote Desktop Session Host role se
ence to varying network quality.
on is specified in RDC or video playback is specified in the .rdp file.If you do not configure this policy setting audio and video playback redir
d.Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.r
oth PS and PCL-based fallback printer drivers.If you disable this policy setting the RD Session Host server fallback driver is disabled and the
Easy Print printer driver first" policy setting is ignored.
ng to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled.
policy setting user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop
cal computer or the network. The home directory path for each user is the specified Home Dir Root Path and the user's alias.If the status i
mber of one of the following local groups on the RD Connection Broker server: Session Directory Computers Session Broker Computers or
on Broker farm name and Configure RD Connection Broker server name policy settings. 2. For Windows Server 2008 this policy setting is s
ectly connect by IP address to RD Session Host servers in the load-balanced farm.If you do not configure this policy setting the Use IP addr
is policy setting the default RDP compression algorithm will be used.
cant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. If you disable or do not
nections.3.For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to co
ed Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program de
method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported the connection fails. This is the reco
his policy setting provides less security because user authentication will occur later in the remote connection process.
nfigure this policy the certificate template name is not specified at the Group Policy level. By default a self-signed certificate is used to aut
ported by the client. Use this encryption level in environments that include clients that do not support 128-bit encryption.* Low: The Low
does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuratio
ed.Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured the Com
ears in both Computer Configuration and User Configuration. If both policy settings are configured the Computer Configuration policy setti
er Configuration and User Configuration. If both policy settings are configured the Computer Configuration policy setting takes precedence
it. This will create a placeholder entry that is ignored by the program.
hat Security Center might not be available following a change to this policy setting until after the computer is restarted for Windows XP SP
el taskbar icon” policy the user will then have no way to access Input Panel.
recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conversion t
his policy and choose “Medium” from the drop-down box password security is set to “Medium.” At this setting when users enter password
ns dialog box. If you disable this policy users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-out ge
warn the user again for that app if the user tells SmartScreen to run the app.If you disable this policy SmartScreen will be turned off for all
ect additional files"": Select this option if you do not want additional files to be collected and included in error reports.- ""Do not collect ad
e user to check for solutions to problems. A value of 0 disables the reminder.If you disable or do not configure this policy setting Windows
s or Report all errors in Windows components check boxes in the Default Application Reporting policy setting are filled Windows Error Rep
indows if the check boxes for these categories are filled in the Default application reporting settings policy setting.If you disable or do not
data requested by Microsoft.- 4 (Send all data): Any data requested by Microsoft is sent automatically.If you disable or do not configure th
policy setting is not guaranteed to be secure.

is not enabled personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you a
n in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
itor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
other ranges in the filter are ignored. If the filter is left blank the service does not listen on any addresses.For example if you want the serv
of these tasks. If you do not enable this policy setting then users will always see an Account Control window and require elevated permiss
installations 2. Always automatically restart at scheduled time 3. Specify deadline before auto-restart for update installation
otification messages for optional applications or updates.By default this policy setting is disabled.If you are not using the Microsoft Update
as the scheduled install time Windows will automatically check download and install updates. The device will reboot as per Windows defa
rations.You can set the device to delay restarting until both the deadline and grace period have expired.If you disable or do not configure
y to test updates before deploying them. If the status is set to Disabled or Not Configured and if Automatic Updates is not disabled by
his policy Windows Update will not offer you any pre-release updates and you will receive such content once released to the world. Disab
only the Bluetooth page (which has URI ms-settings:bluetooth) should be hidden:hide:bluetoothThe availability of per-user support is doc
f handwriting personalization is turned on.If you do not configure this policy users can choose to enable or disable automatic learning eith
width when the client computer has a fast network card (10Mbs) but is connected to the network via a slow link (56Kbs).
nrestricted of usage charges and capacity constraints. 0x2 - The usage of this connection is unrestricted up to a certain data limit
the latency setting that you use on individual client computers.- Enabled. With this selection the BranchCache maximum round trip latency
ct and configure the following option:Select from the following versions- Windows Vista with BITS 4.0 installed Windows 7 or Windows Se
setting "Set BranchCache Hosted Cache Mode."If you do not configure this policy setting or if you disable this policy setting client compute
y. If one or more hosted cache servers is found the client computer self-configures for hosted cache mode.If the policy setting "Set Branch
ify in the policy is turned on for all domain member client computers to which the policy is applied.- Disabled. With this selection BranchC
licy is enabled in domain Group Policy BranchCache distributed cache mode is turned on for all domain member client computers to which
ction BranchCache hosted cache mode is enabled for all client computers where the policy is applied. For example if this policy is enabled
cache is enabled in domain Group Policy the BranchCache client computer cache setting that you specify in the policy is turned on for all d
nt computers to which the policy is applied.- Disabled. With this selection BranchCache is turned off for all client computers where the pol
:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.You must configure this setting to have complete NCA functionali
ecause the rules for DirectAccess are already removed from the NRPT.If this setting is not configured users do not have Connect or Disconn
no suffixes are appended to unqualified multi-label name queries if the original name query fails.If you do not configure this policy setting
l suffixes are tried.If you disable this policy setting or if you do not configure this policy setting the primary DNS suffix and network connec
h DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connectio
fic DNS suffix assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP S
ng or if you do not configure this policy setting a DNS client computer will not register any A and PTR resource records using a connection-s
olicy setting or if you do not configure this policy setting computers will use the local or DHCP supplied setting. By default client computers
t is stored in BranchCache-enabled file shares.- Disabled. With this selection hash publication is turned off for all file servers where Group P
pport V1 content information only configure "Hash version supported" with the value of 1.- To support V2 content information only config
kbox unchecked. This is the setting which will allow your mobile users to use peer to peer applications at both work and home seamlessly
cy setting the "Prohibit use of Internet Connection Firewall on your DNS domain network" policy setting has no effect on computers that a
d tab to enable it. When running the New Connection Wizard or Network Setup Wizard administrators can choose to enable ICS.Note: Inte
quests even if the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP
File and Printer Sharing" check box is cleared. Administrators can change this check box.Note: If any policy setting opens TCP port 445 Win
efender Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages and prevents hosted services from o
s can change this check box."
he required programs. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is cleared. Admini
ows Defender Firewall: Allow local port exceptions" policy setting.If you do not configure this policy setting Windows Defender Firewall us
anel also enable the "Windows Defender Firewall: Allow local program exceptions" policy setting.If you disable this policy setting the prog
quests even if the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP
File and Printer Sharing" check box is cleared. Administrators can change this check box.Note: If any policy setting opens TCP port 445 Win
efender Firewall prevents SVCHOST.EXE and LSASS.EXE from receiving unsolicited incoming messages and prevents hosted services from o
s can change this check box."
he required programs. In the Windows Defender Firewall component of Control Panel the "UPnP framework" check box is cleared. Admini
ows Defender Firewall: Allow local port exceptions" policy setting.If you do not configure this policy setting Windows Defender Firewall us
anel also enable the "Windows Defender Firewall: Allow local program exceptions" policy setting.If you disable this policy setting the prog
ult server disconnect actions" setting.
tes. In Windows 7 and Windows Server 2008 R2 the default sync interval is 360 minutes. In Windows 8 and Windows Server 2012 the defa
erver 2008 will not transition a shared folder to the slow-link mode. Computers running Windows 7 or Windows Server 2008 R2 will use th
istrator on the local computer to encrypt or decrypt the Offline Files cache.Note: By default this cache is protected on NTFS partitions by A
ntrol applet.If you enable this setting and specify a total size limit greater than the size of the drive hosting the Offline Files cache and that
m being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Available
les tab and then select the "Synchronize all offline files before logging on" option.
ettings: "Specify permitted managers" and "Specify trap configuration".
ps) might lose their connection. If this happens these apps should re-establish their connection over a different network.This policy setting
ction no internet traffic will be routed over the cellular connection. This option was first available in Windows 10 (Version 1703). If this
ection attempt is blocked.If this policy setting is not configured or is disabled computers are allowed to connect simultaneously to both dom
nly TCP/IP printers can be shown in the wizard. If you enable this policy setting only TCP/IP printer limits are applicable. On Windows 10 on
erver does not support transferring print processors during point-and-print. In the case of a print processor mismatch the client spooler w
Enable Active Desktop" setting in User Configuration\Administrative Templates\Desktop\Active Desktop.
printer connection to any server in their forest using Point and Print. If you disable this policy setting: -Windows Vista client com
he printer is unavailable. -- "Whenever printer is not found" prunes printer objects that are not automatically republished whenever
s saved before the setting was enabled reappear in the Recent Items menu and program File menus and Jump Lists.This setting does not h
he "Shortcut" and "WinHelp" commands on the entire local system enable the policy setting and leave the text box on the Settings tab of t
anent transmission failures when the log has reached a significant size. The default value is 65536. When transmitting report data to the s
ession Host running on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in .
t running on all machines in .humanresources.fabrikam.com

sktop Session Host running on all machines in humanresources.fabrikam.com
Remote Desktop Session Host running on all machines in humanresources.fabrikam.com
running on host.humanresources.fabrikam.com machineTERMSRV/* Remote Desktop Session Host running on all machines.TERMSRV/*.h
ating default credentials" server list.
elegating fresh credentials" server list.
rs in the "Allow delegating saved credentials" server list.
ty and servicing requirements for protection see https://go.microsoft.com/fwlink/?linkid=866660
mputer Configuration\Administrative Templates\System\Credentials Delegation).Note: On Windows 8.1 and Windows Server 2012 R2 enab
otely by using Group Policy. The "Not Configured" option leaves the policy setting undefined. Group Policy does not write the policy settin
ngs specifically preventing installation will take precedence.NOTE: The "Prevent installation of devices not described by other policy settin
llation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allo
abled with this policy setting then any other policy settings specifically preventing installation will take precedence.NOTE: The "Prevent ins
If these conflicting policy settings are enabled at the same time the "Apply layered order of evaluation for Allow and Prevent device install
t installation of removable devices" policy setting.
configure this policy setting Windows can install and update driver packages for removable devices as allowed or prevented by other polic
ange of volumes in the group.This policy setting is effective only when disk quota management is enabled on the volume. Also if disk quot
DPI should be disabled.Enabling this setting lets you specify the system-wide default for desktop applications as well as per-application ov
nfigure this policy setting the appid exemption list defined by local computer administrators is used.Notes:The DCOM Activation security c
een disabled this setting has no effect and all boot-start drivers are initialized.
are not all available locally in your %windir%\inf directory you might not be able to see all the settings that have been configured in the GP
will not affect whether Group Policy processing will be synchronous or asynchronous.
uate the network connection as a slow link and process only those client side extensions configured to process over a slow link.
ed only when changed. However you might want to update unchanged policies such as reapplying a desired setting in case a user has chan
ever you might want to update unchanged policies such as reapplying a desired setting in case a user has changed it.
current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established.
ow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the profi
mentations specify that they are updated only when changed. However you might want to update unchanged policies such as reapplying
specify that they are updated only when changed. However you might want to update unchanged policies such as reapplying a desired po
changed policies such as reapplying a desired policy setting in case a user has changed it.
licies in case a user has changed it.

account are in at least Windows 2000 domains.
you might want to update unchanged policies such as reapplying a desired setting in case a user has changed it.
However you might want to update unchanged policies such as reapplying a desired setting in case a user has changed it.
stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is es
h client by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For e
iance. For example if you type 30 minutes the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad ran
er supports claims compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that
d is required when waking the device. The time is limited by any EAS settings or Group Policies that affect the maximum idle time before a
ys wait for the network to be initialized.If you enable this policy setting computers wait for the network to be fully initialized before users
00100) The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that are not dynamic base compatible by
and in general the availability of the Netlogon share on the domain will be decreased.If you enable this policy setting domain administrato
availability of the SYSVOL share on the domain will be decreased.If you enable this policy setting domain administrators should ensure tha
1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds while any value g
his is the default behavior of the DC Locator.
ame>Rfc1510KdcAtSite SRV _kerberos._tcp.<SiteName>._sites.<DnsDomainName>GenericGc SRV _gc._tcp.<DnsForestName>Gener
l of the DC records in seconds (for example the value 3600 is 60 minutes).If you do not configure this policy setting it is not applied to any
sest Site behavior will be used.
l only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-lab
eptions to allow Remote Assistance communications. The firewall exceptions required for Offer (Unsolicited) Remote Assistance depend o
ing on your email program you can use either the Mailto standard (the invitation recipient connects through an Internet link) or the SMAP
pport delegation even if delegation was asked for.Note: This policy setting will not be applied until the system is rebooted.
C to maintain complete RPC state information on the system regardless of its capacity. Because this level can degrade performance it is rec
n but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect the
accessible by unauthenticated clients may be exempt from this restriction depending on the selected value for this policy setting.-- "None
connection timeout the timeout on the IIS server is used. Otherwise the provided timeout value is used. The timeout is given in seconds.N
tting for specific script types within a specific GPO by configuring the following policy settings for the GPO: Computer Configuration\Policies
ngs for the GPO: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\LogonUser Configuration\Policies\Windows Setting
nutes). This is the default.
ation is available at https://go.microsoft.com/fwlink/?linkid=2116430.
es to this policy to take immediate effect after a Group Policy refresh.Note: This policy setting will take effect only when the Diagnostic Pol
esktop Experience optional component is installed and the Remote Desktop Services role is not installed.
gnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
es in your domain for available troubleshooting from Microsoft:1. Create a bat script with the following contents:rem The following batch
to the default recovery behavior.No system or service restarts are required for changes to this policy setting to take immediate effect afte
t be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
iagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
the service is stopped or disabled diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the M
iagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
TPM-based applications may require this setting be changed before features which depend on the TPM anti-hammering logic can be used
ve before all standard users are not allowed to send commands requiring authorization to the TPM.The TPM is designed to protect itself a
standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM.The TPM is des
s may have before all standard users are not allowed to send commands requiring authorization to the TPM.The TPM is designed to prote
der to grant themselves file permissions.Note: The behavior when this policy setting is enabled is exactly the same behavior as in Windows
m detects a slow connection.
hown an error message and an entry will be written to the event log. The user's cached profile will be used or a temporary profile issued if
ler or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine.
esktop Services edits the users' registry settings when they log off the system's first few attempts to unload the user settings are more likel
ming user profiles are slow to download. To adjust the time within which the user must respond to this notice in operating systems earlier
-user roaming profile path specified in the user object

s disregarded. Likewise if "Run at set time of day" is chosen the "Interval (hours)" option is disregarded.If you enable this policy setting W
rectory" policy setting is enabled the “Set user home folder” policy setting has no effect.
usiness apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn th
profiles" policy setting is enabled there is no local copy of the roaming profile to load when the system detects a slow connection.
alue W32time sets the client computer's local clock immediately to the time that is accepted as accurate from the Network Time Protocol
when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization part
plied to the app.
using Settings > Privacy on the device.If an app is open when this Group Policy object is applied on a device employees must restart the app
the app.
alue is also not present on Windows 10 and above the OS will launch the 16-bit application support control panel to allow an elevated adm
and the performance of the loader is essential.NOTE: Many system processes cache the value of this setting for performance reasons. If y
needed during the BitLocker setup TPM owner information will be saved or printed with the BitLocker recovery information.Note: The 48
or other external organizations.You can configure the identification fields on existing drives by using manage-bde.exe.If you enable this po
onnected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help en
ws Vista Windows XP with SP3 or Windows XP with SP2 BitLocker To Go Reader must be installed on the computer. If this check box is not
cker recovery information to store in AD DS for fixed data drives. If you select "Backup recovery password and key package" both the BitLo
gorithm configured on the drive to encrypt the drive. The “Restrict encryption algorithms and cipher suites allowed for hardware-based en
s set by the policy but if no domain controllers are found the password will still be accepted regardless of actual password complexity and
tLocker clients will not be able to create and use Network Key Protectors.Note: For reliability and security computers should also have a TP
Data (BCD) integrity validation.Warning: Disabling this policy may result in BitLocker recovery when firmware is updated. If you disable this
ectory Domain Services" choose which BitLocker recovery information to store in AD DS for operating system drives. If you select "Backup
the Master Boot Record (MBR) Code (PCR 4) the NTFS Boot Sector (PCR 8) the NTFS Boot Block (PCR 9) the Boot Manager (PCR 10) and the
e.If you disable or do not configure this policy setting BitLocker uses the default platform validation profile or the platform validation profi
o unlock the drive.If you disable or do not configure this policy setting BitLocker uses the default platform validation profile for the availab
s the algorithm configured on the drive to encrypt the drive. The “Restrict encryption algorithms and cipher suites allowed for hardware-b
sword will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. W
nal identification number (PIN) or both.If you enable this policy setting users can configure advanced startup options in the BitLocker setup
th a TPM. In this basic wizard no additional startup key or startup PIN can be configured.
Windows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2 BitLocker To Go Reader must be installed on the com
which BitLocker recovery information to store in AD DS for removable data drives. If you select "Backup recovery password and key packa
the algorithm configured on the drive to encrypt the drive. The “Restrict encryption algorithms and cipher suites allowed for hardware-bas
o domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypte
gnostic data is sent.If you disable or do not configure this policy setting the device will send required diagnostic data and the end user can
creen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet.If you do not configure t
er 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edg
of the URL action for an application or process in the list prevail.
option matches the default behavior of Internet Explorer.

e this policy setting Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in regular P
he valuename other protocols are not affected. If you enter just www.contoso.com then all protocols are affected for that site including htt
er.If you do not configure this policy setting users can preview items and get custom thumbnails from OpenSearch query results in this zon
er.If you do not configure this policy setting users cannot preview items or get custom thumbnails from OpenSearch query results in this zo
er.If you do not configure this policy setting users cannot preview items or get custom thumbnails from OpenSearch query results in this zo
o manage the add-on through Add-on Manager enter a 2 (two) into this field.If you disable this policy setting the list is deleted. The 'Deny a
e details).
enabled).
including the location of the software file names how the software operates and how it has impacted your computer. If you enable this s
n exclude folders or files in the ""Exclude files and paths from Attack Surface Reduction Rules"" GP setting.
t be recorded in the Windows event log. Audit Mode: The following will not be blocked and will be allowed to run: - Attempts
e for public browsing with other apps. Users can minimize close and open multiple InPrivate windows but they can’t customize Microsoft E
eloper ToolsRelated Documents:- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/protect/dep
es.If you disable this setting the policy-set default search engine is removed. If this is also the current in-use default the engine changes to
gs sync is delayed. The notification delay policy setting defines the delay before a notification appears.If you disable this policy setting the s
If you disable this policy setting after it has been enabled the UE-V Agent will not restore the default Microsoft templates. If you do not co
erver unless the RD Licensing grace period for the RD Session Host server has not expired.If you disable or do not configure this policy setti
n node. If you configure this policy setting for the computer all users on the computer are affected.
prompted on the client computer to provide credentials for a remote connection.
g the policy setting at Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Deskt
e Desktop Session Host role service installed).
udio and video playback redirection is not specified at the Group Policy level.
a Remote Desktop Protocol (.rdp) file. By default audio playback quality is set to Dynamic.If you disable or do not configure this policy setti
ack driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver.If you do not configure this policy s
m\User Profiles is enabled.

e path on the Remote Desktop Services Profile tab on the user's account Properties dialog box.Notes:1. The roaming user profiles enabled
d the user's alias.If the status is set to Disabled or Not Configured the user's home directory is as specified at the server.
Session Broker Computers or RDS Endpoint Servers.

ver 2008 this policy setting is supported on at least Windows Server 2008 Standard.
policy setting the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be us
nly. If you disable or do not configure this policy setting RemoteFX Adaptive Graphics uses an encoding mechanism that results in mediu
sions that are connecting to computers running at least Windows 8 or Windows Server 2012 the minimum of the following values is used
g Directory (or the program default directory if Working Directory is not specified) as the working directory for the program.If the status is
nnection fails. This is the recommended setting for this policy.If you disable or do not configure this policy setting the security method to b
n process.
gned certificate is used to authenticate the RD Session Host server. Note: If you select a specific certificate to be used to authenticate the
bit encryption.* Low: The Low setting encrypts only data sent from the client to the server by using 56-bit encryption.If you disable or do n
in both Computer Configuration and User Configuration. If both settings are configured the Computer Configuration setting takes precede
ettings are configured the Computer Configuration policy setting takes precedence.
puter Configuration policy setting takes precedence.
policy setting takes precedence.
s restarted for Windows XP SP2 computers. Windows Vista---------------------In Windows Vista this policy setting monitors essential security
on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).
ng when users enter passwords from Input Panel they use the on-screen keyboard by default skin switching is not allowed and Input Pane
d the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do not
creen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet.If you do not configure t
or reports.- ""Do not collect additional computer data"": Select this if you do not want additional information about the computer to be co
re this policy setting Windows Error Reporting reports are not queued and users can only send reports at the time that a problem occurs.
g are filled Windows Error Reporting reports errors as if all applications in these categories were added to the list in this policy setting. (No
etting.If you disable or do not configure this policy setting the Default application reporting settings policy setting takes precedence.
disable or do not configure this policy setting then the default consent settings that are applied are those specified by the user in Control
un under this condition if you are confident that the configured device is in a secure physical location.If you disable or don’t configure this
figuration policy setting.
r example if you want the service to listen only on IPv4 addresses leave the IPv6 filter empty.Ranges are specified using the syntax IP1-IP2.
w and require elevated permissions to do either of these tasks.On Windows 7 : This policy setting has no effect. Users will always see an Ac
r update installation
ot using the Microsoft Update service then the Software Notifications policy setting has no effect.If the "Configure Automatic Updates" po
ill reboot as per Windows default settings unless configured by group policy. (Applies to Windows 10 version 1809 and higher) Specify
ou disable or do not configure this policy devices will get updates and will restart according to the default schedule.This policy will override
tic Updates is not disabled by policy or user preference the Automatic Updates client connects directly to the Windows Update site on the
e released to the world. Disabling this policy will cause any devices currently on a pre-release build to opt out and stay on the latest Featu
bility of per-user support is documented here: https://go.microsoft.com/fwlink/?linkid=2102995
disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog.This policy setti
ink (56Kbs).
d up to a certain data limit 0x4 - The usage of this connection is unrestricted up to a certain data limit and plan usage is less than 80 p
e maximum round trip latency setting is enabled for all client computers where the policy is applied. For example if Configure BranchCach
ed Windows 7 or Windows Server 2008 R2. If you select this version later versions of Windows run the version of BranchCache that is incl
is policy setting client computers that are configured with hosted cache mode still function correctly.Policy configurationSelect one of the
the policy setting "Set BranchCache Distributed Cache Mode" is applied in addition to this policy the client computer performs automatic
d. With this selection BranchCache client computers use the default client computer cache age setting of 28 days on the client computer.In
mber client computers to which the policy is applied.- Disabled. With this selection BranchCache distributed cache mode is turned off for al
ample if this policy is enabled in domain Group Policy BranchCache hosted cache mode is turned on for all domain member client comput
he policy is turned on for all domain member client computers to which the policy is applied.- Disabled. With this selection BranchCache c
ient computers where the policy is applied.* This policy setting is supported on computers that are running Windows Vista Business Enter
have complete NCA functionality.
o not have Connect or Disconnect options.
ot configure this policy setting computers will use their local DNS client settings to determine the query behavior for unqualified multi-labe
NS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.
dialog box for each connection.For example when a user submits a query for a single-label name such as "example" the DNS client attach
tab in the Advanced TCP/IP Settings dialog box for each connection.For example when a user submits a query for a single-label name such
e records using a connection-specific DNS suffix.
g. By default client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and D
r all file servers where Group Policy is applied.In circumstances where this policy setting is enabled you can also select the following config
ontent information only configure "Hash version supported" with the value of 2.- To support both V1 and V2 content information configure
th work and home seamlessly.4. In order to not use any seed server enable the setting; do not insert a seed server name; and check the ch
no effect on computers that are running Windows Firewall which replaces Internet Connection Firewall when you install Windows XP Serv
hoose to enable ICS.Note: Internet Connection Sharing is only available when two or more network connections are present.Note: When t
icy settings that can open TCP port 445 include "Windows Defender Firewall: Allow file and printer sharing exception" "Windows Defende
etting opens TCP port 445 Windows Defender Firewall allows inbound ICMP echo requests (the message sent by the Ping utility) even if the
events hosted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 4
" check box is cleared. Administrators can change this check box."
Windows Defender Firewall uses only the local port exceptions list that administrators define by using the Windows Defender Firewall com
ble this policy setting the program exceptions list defined by Group Policy is deleted. If a local program exceptions list exists it is ignored un
icy settings that can open TCP port 445 include "Windows Defender Firewall: Allow file and printer sharing exception" "Windows Defende
etting opens TCP port 445 Windows Defender Firewall allows inbound ICMP echo requests (the message sent by the Ping utility) even if the
events hosted services from opening additional dynamically-assigned ports. Because disabling this policy setting does not block TCP port 4
" check box is cleared. Administrators can change this check box."
Windows Defender Firewall uses only the local port exceptions list that administrators define by using the Windows Defender Firewall com
ble this policy setting the program exceptions list defined by Group Policy is deleted. If a local program exceptions list exists it is ignored un
Windows Server 2012 the default sync interval is 120 minutes.
ows Server 2008 R2 will use the default latency value of 80 milliseconds when transitioning a folder to the slow-link mode. Computers run
otected on NTFS partitions by ACLs.This setting is applied at user logon. If this setting is changed after user logon then user logoff and logon
he Offline Files cache and that drive is the system drive the total size limit is automatically adjusted downward to 75 percent of the size of
display of the "Make Available Offline" command in File Explorer.If the "Remove 'Make Available Offline' command" policy setting is enab
ent network.This policy setting depends on other group policy settings. For example if 'Minimize the number of simultaneous connections
s 10 (Version 1703). If this policy setting is set to 3 the behavior is similar to 2. However if there's an Ethernet connection Windows wo
ect simultaneously to both domain and non-domain networks.
applicable. On Windows 10 only if you disable or do not configure this policy setting the default limit is applied. In Windows 8 a
mismatch the client spooler will always send jobs to the print server for rendering. Disabling the above policy setting does not override thi
-Windows Vista client computers can create a printer connection to any server using Point and Print. -Windows Vista computers
atically republished whenever the host computer does not respond just as it does with Windows 2000 printers. Note: This setting ap
mp Lists.This setting does not hide or prevent the user from pinning files folders or websites to the Jump Lists. See the "Do not allow pinnin
xt box on the Settings tab of the Policy Properties dialog box blank. If you disable or do not configure this policy setting these comman
ansmitting report data to the server one block at a time of application records that is less than or equal to the block size in bytes of XML da
ost running on all machines in .humanresources.fabrikam.com
on all machines.TERMSRV/*.humanresources.fabrikam.com Remote Desktop Session Host running on all machines in humanresources.fab
Windows Server 2012 R2 enabling this policy will enforce Restricted Administration mode regardless of the mode chosen. These versions
oes not write the policy setting to the registry and so it has no impact on computers or users. If there is a current setting in the registry it w
escribed by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device
red order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported targe
dence.NOTE: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply lay
low and Prevent device installation policies across all device match criteria" policy setting will be enabled and the other policy setting will
ed or prevented by other policy settings.
n the volume. Also if disk quotas are not enforced users can exceed the quota limit you set. When users reach the quota limit their status i
s as well as per-application overrides. If you disable or do not configure this setting Per Process System DPI will not apply to any processes
he DCOM Activation security check is done after a DCOM server process is started but before an object activation request is dispatched to
have been configured in the GPO that you are editing.
ess over a slow link.

setting in case a user has changed it.
anged it.
main controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 mill
\User Profile. Note: If the profile server has IP connectivity the connection speed setting is used. If the profile server does not have IP conn
ed policies such as reapplying a desired policy setting in case a user has changed it.
such as reapplying a desired policy setting in case a user has changed it.
as changed it.
on to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is
or the range of variance. For example if you type 30 minutes the system selects a variance of 0 to 30 minutes. Typing a large number esta
umber establishes a broad range and makes it less likely that update requests overlap. However updates might be delayed significantly.No
erberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos arm
e maximum idle time before a device locks. Additionally if a password is required when a screensaver turns on the screensaver timeout wil
e fully initialized before users are logged on. Group Policy is applied in the foreground synchronously. On servers running Windows Server
t dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required images that do n
y setting domain administrators should ensure that the only applications using the exclusive read capability in the domain are those appro
ministrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administ
200 seconds while any value greater than 4294967 seconds (~49 days) will be treated as infinity.If you disable this policy setting Force Red
._tcp.<DnsForestName>GenericGcAtSite SRV _gc._tcp.<SiteName>._sites.<DnsForestName>Rfc1510UdpKdc SRV _kerberos._udp.<Dn
setting it is not applied to any DCs and DCs use their local configuration.
main specified with a single-label name. The computers will not attempt DNS name resolution in this case unless the computer is searching
) Remote Assistance depend on the version of Windows you are running.Windows Vista and laterEnable the Remote Assistance exception
an Internet link) or the SMAPI (Simple MAPI) standard (the invitation is attached to your email message). This policy setting is not availab
m is rebooted.
degrade performance it is recommended for use only while you are investigating an RPC problem.Note: To retrieve the RPC state informa
s policy setting is in effect the command that starts the process must begin with one of the strings in the Extended Error Information Excep
or this policy setting.-- "None" allows all RPC clients to connect to RPC Servers running on the machine on which the policy setting is appli
e timeout is given in seconds.Note: This policy setting will not be applied until the system is rebooted.
mputer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\StartupComputer Configuration\Policies\Windows Settings\
tion\Policies\Windows Settings\Scripts (Logon/Logoff)\LogoffThis policy setting appears in the Computer Configuration and User Configur
t only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled system file recovery will no
anagement Console.
tents:rem The following batch script triggers Recommended Troubleshootingschtasks /run /TN "\Microsoft\Windows\Diagnosis\Recomme
to take immediate effect after a Group Policy refresh.Note: This policy setting will take effect only when the Diagnostic Policy Service (DP
oft Management Console.

soft Management Console.
h the Services snap-in to the Microsoft Management Console.
oft Management Console.
ti-hammering logic can be used.Choose the operating system managed TPM authentication setting of "Delegated" to store only the TPM ad
M is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many comman
on to the TPM.The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it recei
.The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many
same behavior as in Windows NT 4.0.
or a temporary profile issued if no cached profile exists. Note: The policy setting must be configured on the client computer not the server
on the machine.
he user settings are more likely to fail.This policy setting does not affect the system's attempts to update the files in the user profile.Tip: Co
e in operating systems earlier than Microsoft Windows Vista use the "Timeout for dialog boxes" policy setting.Important: If the "Do not de
u enable this policy setting Windows uploads the registry file of the user's roaming user profile in the background according to the schedu
urces if users choose to turn the setting off.

ts a slow connection.
m the Network Time Protocol (NTP) server. If the time variation is less than this value the client computer's local clock is corrected gradua
that any synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 hexa
mployees must restart the app or device for the policy changes to be applied to the app.
panel to allow an elevated administrator to make the decision; on windows 7 and downlevel the OS will allow 16-bit applications to run.No
for performance reasons. If you make changes to this setting please reboot to ensure that your system accurately reflects those changes.
very information.Note: The 48-digit recovery password will not be available in FIPS-compliance mode.Important: This policy setting provid
-bde.exe.If you enable this policy setting you can configure the identification field on the BitLocker-protected drive and any allowed identi
selected by default to help ensure that BitLocker recovery is possible. If this option is not selected AD DS backup is attempted but networ
mputer. If this check box is not selected BitLocker To Go Reader will be installed on the fixed drive to enable users to unlock the drive on co
nd key package" both the BitLocker recovery password and key package are stored in AD DS. Storing the key package supports recovering d
llowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardware enc
tual password complexity and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity" no p
mputers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server a
is updated. If you disable this policy suspend BitLocker prior to applying firmware updates.
m drives. If you select "Backup recovery password and key package" both the BitLocker recovery password and key package are stored in A
oot Manager (PCR 10) and the BitLocker Access Control (PCR 11). The descriptions of PCR settings for computers that use an Extensible Fir
r the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Regis
lidation profile for the available hardware or the platform validation profile specified by the setup script. A platform validation profile cons
suites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardw
hat password as a protector. When set to "Do not allow complexity" no password complexity validation will be done.Passwords must be a
options in the BitLocker setup wizard.If you disable or do not configure this policy setting users can configure only basic options on compu
must be installed on the computer. If this check box is not selected BitLocker To Go Reader will be installed on the removable drive to en
overy password and key package" both the BitLocker recovery password and key package are stored in AD DS. If you select "Backup recove
uites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardwa
and the drive will be encrypted using that password as a protector. When set to "Do not allow complexity" no password complexity valida
tic data and the end user can choose whether to send optional diagnostic data from the Settings app.Note:The "Configure diagnostic data
ernet.If you do not configure this policy SmartScreen will be enabled by default but users may change their settings.
77 or later 4 = Microsoft Edge Canary version 77 or later*For more information about the Windows update for the next version of Micro
e ActiveX controls in regular Protected Mode. This is the default behavior.
ected for that site including http https ftp and so on. The site may also be expressed as an IP address (e.g. 127.0.0.1) or range (e.g. 127.0.0
earch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
nSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
nSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add-ons n
omputer. If you enable this setting you will join Microsoft MAPS with the membership specified. If you disable or do not configure this
llowed to run: - Attempts by untrusted apps to modify or delete files in protected folders - Attempts by untrusted apps to write to
ey can’t customize Microsoft Edge.
ft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)- How to manage apps you purchased from the Microsoft Store for Busi
default the engine changes to the Microsoft Edge specified engine for the market.If you don't configure this setting the default search eng
disable this policy setting the sync provider is used to synchronize settings between computers and the settings storage location.If you do
oft templates. If you do not configure this policy setting any defined values will be deleted.
o not configure this policy setting the license server will exhibit the default behavior noted earlier.
esktop Services\Remote Desktop Session Host\Connections\Limit number of connections or by configuring the policy setting Maximum Co
o not configure this policy setting audio playback quality will be set to Dynamic.
u do not configure this policy setting the fallback printer driver behavior is off by default.Note: If the "Do not allow client printer redirection
roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows
the server.
evel and the default will be used. This setting is enabled by default.Notes: 1. For Windows Server 2008 this policy setting is supported o
echanism that results in medium quality images.
of the following values is used as the color depth format:a.Value specified by this policy settingb.Maximum color depth supported by the c
or the program.If the status is set to Disabled or Not Configured Remote Desktop Services sessions start with the full desktop unless the se
etting the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level.
to be used to authenticate the RD Session Host server that certificate will take precedence over this policy setting.
cryption.If you disable or do not configure this setting the encryption level to be used for remote connections to RD Session Host servers i
guration setting takes precedence.
ng monitors essential security settings to include firewall antivirus antispyware Internet security settings User Account Control and Autom
is not allowed and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the Input P
s dialog box. If you do not configure this policy users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratc
ernet.If you do not configure this policy SmartScreen will be enabled by default but users may change their settings.
n about the computer to be collected and included in error reports.- ""Force queue mode for application errors"": Select this option if you
e time that a problem occurs.
e list in this policy setting. (Note: The Microsoft applications category includes the Windows components category.)If you disable this polic
etting takes precedence.
pecified by the user in Control Panel or in the Configure Default Consent policy setting.
disable or don’t configure this setting automatic sign on will default to the “Enabled if BitLocker is on and not suspended” behavior.
cified using the syntax IP1-IP2. Multiple ranges are separated using "" (comma) as the delimiter.Example IPv4 filters:\n2.0.0.1-2.0.0.20 24.0
ct. Users will always see an Account Control window and require elevated permissions to do either of these tasks.On Windows 8 and Wind
figure Automatic Updates" policy setting is disabled or is not configured then the Software Notifications policy setting has no effect.
n 1809 and higher) Specify the schedule using the options in the Group Policy Setting. For version 1709 and above there is an additiona
hedule.This policy will override the following policies:1. Specify deadline before auto restart for update installation2. Specify Engaged rest
e Windows Update site on the Internet. The alternate download server configures the Windows Update Agent to download files from
ut and stay on the latest Feature Update once released.

e opt-in dialog.This policy setting is related to the "Turn off handwriting personalization" policy setting.Note: The amount of stored ink is lim
nd plan usage is less than 80 percent of the limit. 0x8 - Usage of this connection is unrestricted up to a certain data limit and plan usag
ample if Configure BranchCache for network files is enabled in domain Group Policy the BranchCache latency setting that you specify in the
on of BranchCache that is included in these operating systems rather than later versions of BranchCache.- Windows 8. If you select this ve
onfigurationSelect one of the following:- Not Configured. With this selection BranchCache settings are not applied to client computers by
omputer performs automatic hosted cache server discovery. If one or more hosted cache servers are found the client computer self-confi
days on the client computer.In circumstances where this setting is enabled you can also select and configure the following option:- Specify
cache mode is turned off for all client computers where the policy is applied.* This policy setting is supported on computers that are runnin
omain member client computers to which the policy is applied.- Disabled. With this selection BranchCache hosted cache mode is turned o
h this selection BranchCache client computers use the default client computer cache setting of five percent of the total disk space on the c
Windows Vista Business Enterprise and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
avior for unqualified multi-label names.
xample" the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com" before sending the quer
ry for a single-label name such as "example" the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.micr
ords once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
also select the following configuration options:- Allow hash publication for all shared folders. With this option BranchCache generates cont
content information configure "Hash version supported" with the value of 3.
server name; and check the check box.If this setting is disabled or not configured the protocol will revert to using a public registry key to d
n you install Windows XP Service Pack 2.If you disable this setting or do not configure it the Internet Connection Firewall is disabled when
ons are present.Note: When the "Prohibit access to properties of a LAN connection" "Ability to change properties of an all user remote ac
xception" "Windows Defender Firewall: Allow remote administration exception" and "Windows Defender Firewall: Define inbound port e
t by the Ping utility) even if the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that
tting does not block TCP port 445 it does not conflict with the "Windows Defender Firewall: Allow file and printer sharing exception" policy
indows Defender Firewall component in Control Panel. Other policy settings can continue to open or block ports.Note: If you type an inva
ptions list exists it is ignored unless you enable the "Windows Defender Firewall: Allow local program exceptions" policy setting.If you do n
xception" "Windows Defender Firewall: Allow remote administration exception" and "Windows Defender Firewall: Define inbound port e
t by the Ping utility) even if the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that
tting does not block TCP port 445 it does not conflict with the "Windows Defender Firewall: Allow file and printer sharing exception" policy
indows Defender Firewall component in Control Panel. Other policy settings can continue to open or block ports.Note: If you type an inva
ptions list exists it is ignored unless you enable the "Windows Defender Firewall: Allow local program exceptions" policy setting.If you do n
ow-link mode. Computers running Windows 8 or Windows Server 2012 will use the default latency value of 35 milliseconds when transitio
gon then user logoff and logon is required for this setting to take effect.
rd to 75 percent of the size of the drive. If the cache is located on a drive other than the system drive the limit is automatically adjusted do
mmand" policy setting is enabled this setting has no effect.

r of simultaneous connections to the Internet or a Windows Domain' is disabled Windows will not disconnect from any networks.
ernet connection Windows won't allow users to connect to a WLAN manually. A WLAN can only be connected (automatically or manually)
ied. In Windows 8 and later Bluetooth printers are not shown so its limit does not apply to those versions of Windows.
y setting does not override this behavior.Note: In cases where the client print driver does not match the server print driver (mismatched c
-Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to any ser
ers. Note: This setting applies to printers published by using Active Directory Users and Computers or Pubprn.vbs. It does not apply t
s. See the "Do not allow pinning items in Jump Lists" setting. This policy also does not hide Tasks that the application has provided for their
s policy setting these commands are fully functional for all Help files. Note: Only folders on the local computer can be specified in this
e block size in bytes of XML data will be removed from the cache and sent to the server. Each block will have the general Client data and g
achines in humanresources.fabrikam.com
mode chosen. These versions do not support Remote Credential Guard.
rrent setting in the registry it will not be modified.The "Require UEFI Memory Attributes Table" option will only enable Virtualization Based
for Allow and Prevent device installation policies across all device match criteria" policy setting for supported target Windows 10 versions
icy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow an
een replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" p
d the other policy setting will be ignored.If you disable or do not configure this policy setting the default evaluation is used. By default all "
h the quota limit their status in the Quota Entries window changes but users can continue to write to the volume.
will not apply to any processes on the system.
vation request is dispatched to the server process. This access check is done against the DCOM server's custom launch permission securit
logon. The default is 5000 milliseconds. If you disable this policy setting the Group Policy client will not cache applicable GPOs or settin
e server does not have IP connectivity the SMB timing is used.
at boot or logon. The default is 5000 milliseconds. If you disable or do not configure this policy setting the Group Policy client will not c
es. Typing a large number establishes a broad range and makes it less likely that client requests overlap. However updates might be delaye
ght be delayed significantly.Note: This setting is used only when you are establishing policy for a domain site organizational unit (OU) or cu
cess Control and Kerberos armoring. Domain functional level requirementsFor the options "Always provide claims" and "Fail unarmored a
on the screensaver timeout will limit the options the user may choose.
rvers running Windows Server 2008 or later this policy setting is ignored during Group Policy processing at computer startup and Group Po
are required images that do not have a base relocation section will not be loaded. PROCESS_CREATION_MITIGATION_POLICY_BOTTO
n the domain are those approved by the administrator.
ose approved by the administrator.
le this policy setting Force Rediscovery will be used by default for the machine at every 12 hour interval.If you do not configure this policy
dc SRV _kerberos._udp.<DnsDomainName>Rfc1510Kpwd SRV _kpasswd._tcp.<DnsDomainName>Rfc1510UdpKpwd SRV _kpassw
less the computer is searching for a domain with a single label DNS name to which this computer is joined in the Active Directory forest.
Remote Assistance exception for the domain profile. The exception must contain:Port 135:TCP%WINDIR%\System32\msra.exe%WINDIR%
his policy setting is not available in Windows Vista since SMAPI is the only method supported.If you enable this policy setting you should al
retrieve the RPC state information from a system that maintains it you must use a debugging tool.Note: This policy setting will not be appl
ended Error Information Exception field.-- "On" enables extended error information for all processes.Note: For information about the Ext
which the policy setting is applied.-- "Authenticated" allows only authenticated RPC Clients (per the definition above) to connect to RPC Se
on\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown
nfiguration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User
ed system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console
Windows\Diagnosis\RecommendedTroubleshootingScanner"2. To create a new immediate task navigate to the Group Policy Managemen
e Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled system file recovery will not be attempted
ated" to store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropria
it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users includ
re lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is g
de when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all us
lient computer not the server for it to have any effect because the client computer sets the file share permissions for the roaming profile a
e files in the user profile.Tip: Consider increasing the number of retries specified in this policy setting if there are many user profiles stored
g.Important: If the "Do not detect slow network connections" setting is enabled this policy setting is ignored. Also if the "Delete cached co
round according to the schedule set here while the user is logged on. Regular profiles are not affected.If this setting is disabled or not confi
local clock is corrected gradually. Default: 300 seconds. MaxNegPhaseCorrectionIf a time sample is received that indicates a time in th
t value is 2 decimal (0x02 hexadecimal).ResolvePeerBackoffMinutesThis value expressed in minutes controls how long W32time waits bef
w 16-bit applications to run.Note: This setting appears in only Computer Configuration.
urately reflects those changes.

tant: This policy setting provides an administrative method of recovering data encrypted by BitLocker to prevent data loss due to lack of ke
d drive and any allowed identification field used by your organization.When a BitLocker-protected drive is mounted on another BitLocker-e
ckup is attempted but network or other backup failures do not prevent BitLocker setup. Backup is not automatically retried and the recov
users to unlock the drive on computers running Windows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2 that d
package supports recovering data from a drive that has been physically corrupted. If you select "Backup recovery password only" only the
ker can use with hardware encryption. If the algorithm set for the drive is not available BitLocker will disable the use of hardware-based en
Do not allow complexity" no password complexity validation will be done.Passwords must be at least 8 characters. To configure a greater m
wired network or the server at startup.
nd key package are stored in AD DS. Storing the key package supports recovering data from a drive that has been physically corrupted. If y
uters that use an Extensible Firmware Interface (EFI) are different than the PCR settings described for computers that use a standard BIOS.
f Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key aga
latform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. On PCs that lack Secure B
BitLocker can use with hardware encryption. If the algorithm set for the drive is not available BitLocker will disable the use of hardware-b
be done.Passwords must be at least 8 characters. To configure a greater minimum length for the password enter the desired number of ch
e only basic options on computers with a TPM.Note: If you want to require the use of a startup PIN and a USB flash drive you must configu
on the removable drive to enable users to unlock the drive on computers running Windows Server 2008 Windows Vista Windows XP with
S. If you select "Backup recovery password only" only the recovery password is stored in AD DS.Select the "Do not enable BitLocker until re
BitLocker can use with hardware encryption. If the algorithm set for the drive is not available BitLocker will disable the use of hardware-ba
no password complexity validation will be done.Passwords must be at least 8 characters. To configure a greater minimum length for the pa
The "Configure diagnostic data opt-in settings user interface" group policy can be used to prevent end users from changing their data colle
e for the next version of Microsoft Edge including how to disable it see https://go.microsoft.com/fwlink/?linkid=2102115. This update appl
27.0.0.1) or range (e.g. 127.0.0.1-10). To avoid creating conflicting policies do not include additional characters after the domain such as tr
logs off from Windows.

r logs off from Windows.
r logs off from Windows.
determine whether add-ons not in this list are assumed to be denied.
sable or do not configure this setting you will not join Microsoft MAPS. In Windows 10 Basic membership is no longer available so settin
by untrusted apps to write to disk sectors The Windows event log will record these attempts under Applications and Services Logs > M
m the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)- How to
setting the default search engine is set to the one specified in App settings.
ttings storage location.If you do not configure this policy setting any defined values will be deleted.
he policy setting Maximum Connections by using the Remote Desktop Session Host WMI Provider.
allow client printer redirection" setting is enabled this policy setting is ignored and the fallback printer driver is disabled.
er might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedenc
s policy setting is supported on at least Windows Server 2008 Standard.
olor depth supported by the clientc.Value requested by the clientIf the client does not support at least 16 bits the connection is terminate
h the full desktop unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\Syst
he Group Policy level.
ns to RD Session Host servers is not enforced through Group Policy.ImportantFIPS compliance can be configured through the System crypt
er Account Control and Automatic Updates. Windows Vista computers do not require a reboot for this policy setting to take effect.
figure this setting in the Input Panel Options dialog box. If you enable this policy and choose to “Medium-High” from the drop-down box pa
tures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options.
settings.
ors"": Select this option if you do not want users to report errors. When this option is selected errors are stored in a queue directory and t
tegory.)If you disable this policy setting or do not configure it the Default application reporting settings policy setting takes precedence.Als
suspended” behavior.
4 filters:\n2.0.0.1-2.0.0.20 24.0.0.1-24.0.0.22Example IPv6 filters:\n3FFE:FFFF:7654:FEDA:1245:BA98:0000:0000-3FFE:FFFF:7654:FEDA:124

tasks.On Windows 8 and Windows RT: This policy setting has no effect. Users will always see an Account Control window and require elev
cy setting has no effect.
nd above there is an additional choice of limiting updating to a weekly bi-weekly or monthly occurrence. If no schedule is specified the def
allation2. Specify Engaged restart transition and notification schedule for updates3. Always automatically restart at the scheduled time4.
Agent to download files from an alternative download server instead of the intranet update service. The option to download files with
The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached a
certain data limit and plan usage is between 80 percent and 100 percent of the limit. 0x10 - Usage of this connection is unrestricted u
y setting that you specify in the policy is turned on for all domain member client computers to which the policy is applied.- Disabled. With t
Windows 8. If you select this version Windows 8 will run the version of BranchCache that is included in the operating system.
pplied to client computers by this policy setting.- Enabled. With this selection the policy setting is applied to client computers which are co
the client computer self-configures for hosted cache mode only.If the policy setting "Set BranchCache Hosted Cache Mode" is applied the
e the following option:- Specify the age in days for which segments in the data cache are valid.
d on computers that are running Windows Vista Business Enterprise and Ultimate editions with Background Intelligent Transfer Service (BI
osted cache mode is turned off for all client computers where the policy is applied.In circumstances where this setting is enabled you can
of the total disk space on the client computer.In circumstances where this setting is enabled you can also select and configure the followin
4.0 installed.
com" before sending the query to a DNS server.If a DNS suffix search list is not specified the DNS client attaches the primary DNS suffix to a
ng in the query "example.microsoft.com" before sending the query to a DNS server.If a DNS suffix search list is not specified the DNS clien
ease is granted or renewed.
n BranchCache generates content information for all content in all shares on the file server. - Allow hash publication only for shared folder
using a public registry key to determine the seed server to bootstrap from.
tion Firewall is disabled when a LAN Connection or VPN connection is created but users can use the Advanced tab in the connection prope
erties of an all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to
rewall: Define inbound port exceptions."Note: Other Windows Defender Firewall policy settings affect only incoming messages but severa
ock them. Policy settings that can open TCP port 445 include "Windows Defender Firewall: Allow inbound file and printer sharing exceptio
inter sharing exception" policy setting.Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We re
ports.Note: If you type an invalid definition string Windows Defender Firewall adds it to the list without checking for errors and therefore y
tions" policy setting.If you do not configure this policy setting Windows Defender Firewall uses only the local program exceptions list that a
rewall: Define inbound port exceptions."Note: Other Windows Defender Firewall policy settings affect only incoming messages but severa
ock them. Policy settings that can open TCP port 445 include "Windows Defender Firewall: Allow inbound file and printer sharing exceptio
inter sharing exception" policy setting.Note: Malicious users often attempt to attack networks and computers using RPC and DCOM. We re
ports.Note: If you type an invalid definition string Windows Defender Firewall adds it to the list without checking for errors and therefore y
tions" policy setting.If you do not configure this policy setting Windows Defender Firewall uses only the local program exceptions list that a
35 milliseconds when transitioning a folder to the slow-link mode. To avoid extra charges on cell phone or broadband plans it may be nece
mit is automatically adjusted downward to 100 percent of the size of the drive.If you enable this setting and specify a total size limit less th
t from any networks.
ed (automatically or manually) when there's no Ethernet connection. This policy setting is related to the "Enable Windows to soft-disco
versions of Windows.
ver print driver (mismatched connection) the client will always process the print job regardless of the setting of this policy.
a printer connection to any server using Point and Print. -Windows Vista computers will not show a warning or an elevated command
Pubprn.vbs. It does not apply to printers published by using Printers in Control Panel. Tip: If you disable automatic pruning remembe
plication has provided for their Jump List. This setting does not hide document shortcuts displayed in the Open dialog box. See the "Hide th
mputer can be specified in this policy setting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands for .chm
e the general Client data and global package list data prepended and these will not factor into the block size calculations; the potential exi
ed target Windows 10 versions. It is recommended that you use the "Apply layered order of evaluation for Allow and Prevent device instal
der of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.Alternativ
oss all device match criteria" policy setting for supported target Windows 10 versions. It is recommended that you use the "Apply layered
luation is used. By default all "Prevent installation..." policy settings have precedence over any other policy setting that allows Windows to
tom launch permission security descriptor if it exists or otherwise against the configured defaults.If the DCOM server's custom launch perm
ache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously it downloads the latest versi
e Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronousl
wever updates might be delayed significantly.This setting establishes the update rate for computer Group Policy. To set an update rate for u
organizational unit (OU) or customized group. If you are establishing policy for a local computer only the system ignores this setting.
claims" and "Fail unarmored authentication requests" when the domain functional level is set to Windows Server 2008 R2 or earlier then d
omputer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer sta
_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000) PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR

ou do not configure this policy setting Force Rediscovery will be used by default for the machine at every 12 hour interval unless the local m
1510UdpKpwd SRV _kpasswd._udp.<DnsDomainName>If you disable this policy setting DCs configured to perform dynamic registration
n the Active Directory forest.

System32\msra.exe%WINDIR%\System32\raserver.exeWindows XP with Service Pack 2 (SP2) and Windows XP Professional x64 Edition wi
his policy setting you should also enable appropriate firewall exceptions to allow Remote Assistance communications.
policy setting will not be applied until the system is rebooted.

For information about the Extended Error Information Exception field see the Windows Software Development Kit (SDK).Note: Extended e
n above) to connect to RPC Servers running on the machine on which the policy setting is applied. Exemptions are granted to interfaces th
ce over the setting set in User Configuration.
icrosoft Management Console.
the Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. 3. Under Control Panel se
ecovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
gistry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic.Choose the operating
e it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failu
M enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The numbe
kout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authoriza
sions for the roaming profile at creation time.Note: The behavior when this policy setting is enabled is exactly the same behavior as in Win
are many user profiles stored in the computer's memory. This indicates that the system has not been able to unload the profile.Also check
. Also if the "Delete cached copies of roaming profiles" policy setting is enabled there is no local copy of the roaming profile to load when
setting is disabled or not configured the registry file for a roaming user profile will not be uploaded in the background while the user is log
ved that indicates a time in the past (as compared to the client computer's local clock) that has a time difference that is greater than the M
s how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes.Reso
vent data loss due to lack of key information. If you do not allow both user recovery options you must enable the "Store BitLocker recover
ounted on another BitLocker-enabled computer the identification field and allowed identification field will be used to determine whether
matically retried and the recovery password may not have been stored in AD DS during BitLocker setup.If you disable or do not configure th
or Windows XP with SP2 that do not have BitLocker To Go Reader installed.If this policy setting is disabled fixed data drives formatted with
overy password only" only the recovery password is stored in AD DS.Select the "Do not enable BitLocker until recovery information is store
the use of hardware-based encryption.Encryption algorithms are specified by object identifiers (OID). For example:- AES 128 in CBC mode
acters. To configure a greater minimum length for the password enter the desired number of characters in the "Minimum password length
been physically corrupted. If you select "Backup recovery password only" only the recovery password is stored in AD DS.Select the "Do no
ters that use a standard BIOS.Warning: Changing from the default platform validation profile affects the security and manageability of you
secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM) BIOS and Platform Extensions (PCR 0) the O
23. On PCs that lack Secure Boot State (PCR 7) support the default platform validation profile secures the encryption key against changes
disable the use of hardware-based encryption.Encryption algorithms are specified by object identifiers (OID). For example:- AES 128 in CB
enter the desired number of characters in the "Minimum password length" box.If you disable or do not configure this policy setting the de
SB flash drive you must configure BitLocker settings using the command-line tool manage-bde instead of the BitLocker Drive Encryption set
ndows Vista Windows XP with SP3 or Windows XP with SP2 that do not have BitLocker To Go Reader installed.If this policy setting is disabl
Do not enable BitLocker until recovery information is stored in AD DS for removable data drives" check box if you want to prevent users fro
isable the use of hardware-based encryption.Encryption algorithms are specified by object identifiers (OID). For example:- AES 128 in CBC
ter minimum length for the password enter the desired number of characters in the "Minimum password length" box.If you disable this p
from changing their data collection settings.

id=2102115. This update applies only to Windows 10 version 1709 and higher.
ers after the domain such as trailing slashes or URL path. For example policy settings for www.contoso.com and www.contoso.com/mail w
is no longer available so setting the value to 1 or 2 enrolls the device into Advanced membership.
lications and Services Logs > Microsoft > Windows > Windows Defender > Operational > ID 1124. Block disk modification only: The
ws-store-for-business)- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)- Mana
r is disabled.
profile always takes precedence in a Remote Desktop Services session.2. To configure a mandatory Remote Desktop Services roaming user
ts the connection is terminated.
Administrative Templates\System\Logon\Run these programs at user logon" setting.)Note: This setting appears in both Computer Configur
ured through the System cryptography. Use FIPS compliant algorithms for encryption hashing and signing settings in Group Policy (under C
setting to take effect.
h” from the drop-down box password security is set to “Medium-High.” At this setting when users enter passwords from Input Panel they
n Input Panel Options.
red in a queue directory and the next administrator to log on to the computer can send the error reports to Microsoft.- ""Corporate file p
y setting takes precedence.Also see the ""Default Application Reporting"" and ""Application Exclusion List"" policies.This setting will be ign
000-3FFE:FFFF:7654:FEDA:1245:BA98:3210:4562
ntrol window and require elevated permissions to do either of these tasks.If you disable this policy setting then only administrative users w
o schedule is specified the default schedule for all installations will be every day at 3:00 AM. If any updates require a restart to complete t
estart at the scheduled time4. Configure Automatic Updates
e option to download files with missing Urls allows content to be downloaded from the Alternate Download Server when there are no dow
hen these limits are reached and new data is collected old data is deleted to make room for more recent data.Note: Handwriting persona
is connection is unrestricted up to a certain data limit which has been exceeded. Surcharge applied or unknown. 0x20 - Usage of this
cy is applied.- Disabled. With this selection BranchCache client computers use the default latency setting of 80 milliseconds.In circumstanc
perating system.
client computers which are configured as hosted cache mode clients that use the hosted cache servers that you specify in "Hosted cache
d Cache Mode" is applied the client computer does not perform automatic hosted cache discovery. This is also true in cases where the po
Intelligent Transfer Service (BITS) 4.0 installed.

his setting is enabled you can also select and configure the following option:- Type the name of the hosted cache server. Specifies the com
ect and configure the following option:- Specify the percentage of total disk space allocated for the cache. Specifies an integer that is the p
hes the primary DNS suffix to a single-label name. If this query fails the connection-specific DNS suffix is attached for a new query. If none
is not specified the DNS client attaches the primary DNS suffix to a single-label name. If this query fails the connection-specific DNS suffix
blication only for shared folders on which BranchCache is enabled. With this option content information is generated only for shared folde
ed tab in the connection properties to enable it. The Internet Connection Firewall is enabled by default on the connection for which Intern
onnection" settings are set to deny access to the Connection Properties dialog box the Advanced tab for the connection is blocked.Note: N
ncoming messages but several of the options of the "Windows Defender Firewall: Allow ICMP exceptions" policy setting affect outgoing co
e and printer sharing exception" "Windows Defender Firewall: Allow inbound remote administration exception" and "Windows Defender
rs using RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by
king for errors and therefore you can accidentally create multiple entries for the same port with conflicting Scope or Status values. Scope
program exceptions list that administrators define by using the Windows Defender Firewall component in Control Panel.Note: If you type
ncoming messages but several of the options of the "Windows Defender Firewall: Allow ICMP exceptions" policy setting affect outgoing co
e and printer sharing exception" "Windows Defender Firewall: Allow inbound remote administration exception" and "Windows Defender
rs using RPC and DCOM. We recommend that you contact the manufacturers of your critical programs to determine if they are hosted by
king for errors and therefore you can accidentally create multiple entries for the same port with conflicting Scope or Status values. Scope
program exceptions list that administrators define by using the Windows Defender Firewall component in Control Panel.Note: If you type
roadband plans it may be necessary to configure the latency threshold to be lower than the round-trip network latency.In Windows Vista
specify a total size limit less than the amount of space currently used by the Offline Files cache the total size limit is automatically adjusted
"Enable Windows to soft-disconnect a computer from a network" policy setting.
of this policy.
ning or an elevated command prompt when an existing printer connection driver needs to be updated. -Windows Server 2003 and W
e automatic pruning remember to delete printer objects manually whenever you remove a printer or print server.
en dialog box. See the "Hide the dropdown list of recent files" setting.Note: It is a requirement for third-party applications with Windows 2
"WinHelp" commands for .chm files that are stored on mapped drives or accessed using UNC paths. For additional options see the "Re
calculations; the potential exists for an extremely large package list to result in transmission failures over low bandwidth or unreliable con
llow and Prevent device installation policies across all device match criteria" policy setting when possible.Alternatively if this policy setting
tting when possible.Alternatively if this policy setting is enabled together with the "Prevent installation of devices not described by other p
at you use the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy
setting that allows Windows to install a device.
M server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succ
y it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the
roup Policy runs synchronously it downloads the latest version of the policy from the network and uses bandwidth estimates to determine
icy. To set an update rate for user policies use the "Set Group Policy refresh interval for users" setting (located in User Configuration\Adm
tem ignores this setting.
erver 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected. When the domain functional level is set t
nitialized during computer startup). If the server is configured as follows this policy setting takes effect during Group Policy processing at u
ON_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) The bottom-up randomization policy which includes stack randomization
hour interval unless the local machine setting in the registry is a different value.
perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records.If you do not configure this policy se
XP Professional x64 Edition with Service Pack 1 (SP1)Port 135:TCP%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe%WINDIR%\PCHealt
nications.
ent Kit (SDK).Note: Extended error information is formatted to be compatible with other operating systems and older Microsoft operating
ns are granted to interfaces that have requested them.-- "Authenticated without exceptions" allows only authenticated RPC Clients (per t
ttings. 3. Under Control Panel settings right-click on Scheduled Tasks and select New. Select Immediate Task (At least Windows 7).4. Provide
ement Console.
ing logic.Choose the operating system managed TPM authentication setting of "None" for compatibility with previous operating systems a
number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockou
r Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some T
tion. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may ent
ly the same behavior as in Windows 2000 Professional pre-SP4 and Windows XP Professional.
o unload the profile.Also check the Application Log in Event Viewer for events generated by Userenv. The system records an event whenev
roaming profile to load when the system detects a slow connection.
ackground while the user is logged on.
ence that is greater than the MaxNegPhaseCorrection value the time sample is discarded. Default: 172800 seconds. MaxPosPhaseCorr
fault value is 15 minutes.ResolvePeerBackoffMaxTimesThis value controls how many times W32time attempts to resolve a DNS name befo
e the "Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)" policy setting
e used to determine whether the drive is from an outside organization.If you disable or do not configure this policy setting the identificati
u disable or do not configure this policy setting BitLocker recovery information is not backed up to AD DS.Note: Trusted Platform Module (T
xed data drives formatted with the FAT file system that are BitLocker-protected cannot be unlocked on computers running Windows Serve
til recovery information is stored in AD DS for fixed data drives" check box if you want to prevent users from enabling BitLocker unless the
xample:- AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
he "Minimum password length" box.If you disable this policy setting the user is not allowed to use a password.If you do not configure this
red in AD DS.Select the "Do not enable BitLocker until recovery information is stored in AD DS for operating system drives" check box if yo
urity and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decrea
tform Extensions (PCR 0) the Option ROM Code (PCR 2) the Master Boot Record (MBR) Code (PCR 4) the NTFS Boot Sector (PCR 8) the NTFS
ncryption key against changes to the core system firmware executable code (PCR 0) extended or pluggable executable code (PCR 2) boot m
). For example:- AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
gure this policy setting the default length constraint of 8 characters will apply to operating system drive passwords and no complexity che
BitLocker Drive Encryption setup wizard.
ed.If this policy setting is disabled removable data drives formatted with the FAT file system that are BitLocker-protected cannot be unlock
you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery
For example:- AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2- AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
ngth" box.If you disable this policy setting the user is not allowed to use a password.If you do not configure this policy setting passwords w
nd www.contoso.com/mail would be treated as the same policy setting by Internet Explorer and would therefore be in conflict.Value - A n
disk modification only: The following will be blocked: - Attempts by untrusted apps to write to disk sectors The Windows event
us/intune/apps-deploy)- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://docs.mic
Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server use this policy setting together with
ars in both Computer Configuration and User Configuration. If both settings are configured the Computer Configuration setting overrides.
ttings in Group Policy (under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.) The FIPS compl
swords from Input Panel they use the on-screen keyboard by default skin switching is allowed and Input Panel does not display the cursor
Microsoft.- ""Corporate file path"": Type a UNC path to enable Corporate Error Reporting. All errors are stored at the specified location in
policies.This setting will be ignored if the 'Configure Error Reporting' setting is disabled or not configured.
en only administrative users will receive update notifications.Note: On Windows 8 and Windows RT this policy setting is enabled by defau
equire a restart to complete the installation Windows will restart the computer automatically. (If a user is signed in to the computer when
Server when there are no download Urls for files in the update metadata. This option should only be used when the intranet update servic
ta.Note: Handwriting personalization works only for Microsoft handwriting recognizers and not with third-party recognizers.
own. 0x20 - Usage of this connection is unrestricted up to a certain data limit which has been exceeded. No surcharge applies but spe
80 milliseconds.In circumstances where this policy setting is enabled you can also select and configure the following option:- Type the max
you specify in "Hosted cache servers."- Disabled. With this selection this policy is not applied to client computers.In circumstances where
lso true in cases where the policy setting "Configure Hosted Cache Servers" is applied.This policy setting can only be applied to client comp
cache server. Specifies the computer name of the hosted cache server. Because the hosted cache server name is also specified in the certifi
pecifies an integer that is the percentage of total client computer disk space to use for the BranchCache client computer cache.* This polic
ched for a new query. If none of these queries are resolved the client devolves the primary DNS suffix of the computer (drops the leftmost
connection-specific DNS suffix is attached for a new query. If none of these queries are resolved the client devolves the primary DNS suffix
enerated only for shared folders on which BranchCache is enabled. If you use this setting you must enable BranchCache for individual shar
e connection for which Internet Connection Sharing is enabled. In addition remote access connections created through the Make New Co
connection is blocked.Note: Nonadministrators are already prohibited from configuring Internet Connection Sharing regardless of this setti
olicy setting affect outgoing communication.

tion" and "Windows Defender Firewall: Define inbound port exceptions."
termine if they are hosted by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not then do not ena
Scope or Status values. Scope parameters are combined for multiple entries. If entries have different Status values any definition with the
ontrol Panel.Note: If you type an invalid definition string Windows Defender Firewall adds it to the list without checking for errors. This all
olicy setting affect outgoing communication.

tion" and "Windows Defender Firewall: Define inbound port exceptions."
termine if they are hosted by SVCHOST.exe or LSASS.exe or if they require RPC and DCOM communication. If they do not then do not ena
Scope or Status values. Scope parameters are combined for multiple entries. If entries have different Status values any definition with the
ontrol Panel.Note: If you type an invalid definition string Windows Defender Firewall adds it to the list without checking for errors. This all
ork latency.In Windows Vista or Windows Server 2008 once transitioned to slow-link mode users will continue to operate in slow-link mod
limit is automatically adjusted upward to the amount of space currently used by offline files. The cache is then considered full.If you enab
-Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -The "U
y applications with Windows 2000 or later certification to adhere to this setting.

additional options see the "Restrict these programs from being launched from Help" policy.
w bandwidth or unreliable connections.

ernatively if this policy setting is enabled together with the "Prevent installation of devices not described by other policy settings" policy se
vices not described by other policy settings" policy setting Windows is allowed to install or update any device whose Plug and Play device
device match criteria" policy setting when possible.Alternatively if this policy setting is enabled together with the "Prevent installation of
at would have previously succeeded for such specified users once the DCOM server process was up and running might now fail instead. T
e slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior
dwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asyn
ed in User Configuration\Administrative Templates\System\Group Policy).This setting is only used when the "Turn off background refresh
domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domai
g Group Policy processing at user logon:• The server is configured as a terminal server (that is the Terminal Server role service is installed
includes stack randomization options causes a random location to be used as the lowest user address. For instance to enable PROCES
do not configure this policy setting DCs use their local configuration.
elpsvc.exe%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exe%WINDIR%\System32\Sessmgr.exeFor computers running Windows Server 2
and older Microsoft operating systems but only newer Microsoft operating systems can read and respond to the information.Note: The de
uthenticated RPC Clients (per the definition above) to connect to RPC Servers running on the machine on which the policy setting is applied
At least Windows 7).4. Provide name and description as appropriate then under Security Options set the user account to System and selec
h previous operating systems and applications or for use with scenarios that require TPM owner authorization not be stored locally. Using
Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures.
by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depe
facturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past
stem records an event whenever it tries to unload the registry portion of the user profile. The system also records an event when it fails to
econds. MaxPosPhaseCorrectionIf a time sample is received that indicates a time in the future (as compared to the client computer's l
pts to resolve a DNS name before the discovery process is restarted. Each time DNS name resolution fails the amount of time to wait befor
Windows Vista)" policy setting to prevent a policy error.
s policy setting the identification field is not required.Note: Identification fields are required for management of certificate-based data rec
te: Trusted Platform Module (TPM) initialization might occur during BitLocker setup. Enable the "Turn on TPM backup to Active Directory D
puters running Windows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with SP2. Bitlockertogo.exe will not be installed
enabling BitLocker unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds.
rd.If you do not configure this policy setting passwords will be supported with the default settings which do not include password complex
system drives" check box if you want to prevent users from enabling BitLocker unless the computer is connected to the domain and the ba
horized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
S Boot Sector (PCR 8) the NTFS Boot Block (PCR 9) the Boot Manager (PCR 10) and the BitLocker Access Control (PCR 11).Warning: Changin
xecutable code (PCR 2) boot manager (PCR 4) and the BitLocker access control (PCR 11).When Secure Boot State (PCR7) support is availab
1.3.4.1.42
swords and no complexity checks will occur.Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography: Us
er-protected cannot be unlocked on computers running Windows Server 2008 Windows Vista Windows XP with SP3 or Windows XP with S
e backup of BitLocker recovery information to AD DS succeeds.Note: If the "Do not enable BitLocker until recovery information is stored in
3.4.1.42
this policy setting passwords will be supported with the default settings which do not include password complexity requirements and requ
refore be in conflict.Value - A number indicating the zone with which this site should be associated for security settings. The Internet Explo
ctors The Windows event log will record these attempts under Applications and Services Logs > Microsoft > Windows > Windows Defe
on Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)- How to add
s policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration
nfiguration setting overrides.
urity Options.) The FIPS compliant setting encrypts and decrypts data sent from the client to the server and from the server to the client w
nel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog b
red at the specified location instead of being sent directly to Microsoft and the next administrator to log onto the computer can send the
icy setting is enabled by default. In all prior versions of windows it is disabled by default.If the "Configure Automatic Updates" policy settin
gned in to the computer when Windows is ready to restart the user will be notified and given the option to delay the restart.) On Wind
hen the intranet update service does not provide download Urls in the update metadata for files which are present on the alternate down
. No surcharge applies but speeds are likely reduced. 0x40 - The connection is costed on a per-byte basis. 0x80 - The connection
ollowing option:- Type the maximum round trip network latency (milliseconds) after which caching begins. Specifies the amount of time in
uters.In circumstances where this setting is enabled you can also select and configure the following option:- Hosted cache servers. To add
only be applied to client computers that are running at least Windows 8. This policy has no effect on computers that are running Window
me is also specified in the certificate enrolled to the hosted cache server the name that you enter here must match the name of the hosted
nt computer cache.* This policy setting is supported on computers that are running Windows Vista Business Enterprise and Ultimate editio
computer (drops the leftmost label of the primary DNS suffix) attaches this devolved primary DNS suffix to the single-label name and subm
evolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix) attaches this devolved primary DNS suffi
anchCache for individual shares in Share and Storage Management on the file server.- Disallow hash publication on all shared folders. Wit
ed through the Make New Connection Wizard have the Internet Connection Firewall enabled.
n Sharing regardless of this setting.Note: Disabling this setting does not prevent Wireless Hosted Networking from using the ICS service for
f they do not then do not enable this policy setting.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbou
values any definition with the Status set to "disabled" overrides all definitions with the Status set to "enabled" and the port does not recei
ut checking for errors. This allows you to add programs that you have not installed yet but be aware that you can accidentally create multi
f they do not then do not enable this policy setting.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbou
values any definition with the Status set to "disabled" overrides all definitions with the Status set to "enabled" and the port does not recei
ut checking for errors. This allows you to add programs that you have not installed yet but be aware that you can accidentally create multi
ue to operate in slow-link mode until the user clicks the Work Online button on the toolbar in Windows Explorer. Data will only be synchro
hen considered full.If you enable this setting and specify an auto-cached space limit greater than the total size limit the auto-cached limit is
ng Point and Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 2003 and
other policy settings" policy setting Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID
e whose Plug and Play device instance ID appears in the list you create unless another policy setting specifically prevents that installation (
th the "Prevent installation of devices not described by other policy settings" policy setting Windows is allowed to install or update driver p
ning might now fail instead. The proper action in this situation is to re-configure the DCOM server's custom launch permission settings fo
chronous foreground behavior.)
olicy setting to configure asynchronous foreground behavior.)
"Turn off background refresh of Group Policy" setting is not enabled.Note: Consider notifying users that their policy is updated periodicall
ent computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring and
Server role service is installed and configured on the server); and• The “Allow asynchronous user Group Policy processing when logging o
or instance to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORCE_RE

ers running Windows Server 2003 with Service Pack 1 (SP1)Port 135:TCP%WINDIR%\PCHealth\HelpCtr\Binaries\Helpsvc.exe%WINDIR%\P
the information.Note: The default policy setting "Off" is designed for systems where extended error information is considered to be sensi
ich the policy setting is applied. No exceptions are allowed.Note: This policy setting will not be applied until the system is rebooted.
r account to System and select the Run with highest privileges checkbox.5. In the Actions tab create a new action select Start a Program a
n not be stored locally. Using this setting might cause issues with some TPM-based applications.Note: If the operating system managed TP
es depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to b
wer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may
on failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the sy
cords an event when it fails to update the files in a user profile.
ared to the client computer's local clock) that has a time difference greater than the MaxPosPhaseCorrection value the time sample is disc
amount of time to wait before the next attempt will be twice the previous amount. The default value is seven attempts.SpecialPollInterva
t of certificate-based data recovery agents on BitLocker-protected drives. BitLocker will only manage and update certificate-based data re
M backup to Active Directory Domain Services" policy setting in System\Trusted Platform Module Services to ensure that TPM information
ertogo.exe will not be installed.Note: This policy setting does not apply to drives that are formatted with the NTFS file system.
formation to AD DS succeeds.Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed data drives" che
not include password complexity requirements and require only 8 characters.Note: Passwords cannot be used if FIPS-compliance is enable
cted to the domain and the backup of BitLocker recovery information to AD DS succeeds.Note: If the "Do not enable BitLocker until recov
rol (PCR 11).Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLo
State (PCR7) support is available the default platform validation profile secures the encryption key using Secure Boot State (PCR 7) and the
The "System cryptography: Use FIPS-compliant algorithms for encryption hashing and signing" policy setting in Computer Configuration\W
with SP3 or Windows XP with SP2. Bitlockertogo.exe will not be installed.Note: This policy setting does not apply to drives that are formatte
covery information is stored in AD DS for fixed data drives" check box is selected a recovery password is automatically generated.If you ena
plexity requirements and require only 8 characters.Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptogra
ity settings. The Internet Explorer zones described above are 1-4.If you disable or do not configure this policy users may choose their own
ft > Windows > Windows Defender > Operational > ID 1123. The following will not be blocked and will be allowed to run: - Attemp
ore-for-business)- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lob-app
ted in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The
rom the server to the client with the Federal Information Processing Standard (FIPS) 140 encryption algorithms by using Microsoft cryptog
e Input Panel Options dialog box.If you enable this policy and choose “High” from the drop-down box password security is set to “High.” A
to the computer can send the error reports to Microsoft.- ""Replace instances of the word ‘Microsoft’ with"": You can specify text with wh
tomatic Updates" policy setting is disabled or is not configured then the Elevate Non-Admin policy setting has no effect.
delay the restart.) On Windows 8 and later you can set updates to install during automatic maintenance instead of a specific schedule.
present on the alternate download server. Note: If the "Configure Automatic Updates" policy is disabled then this policy has no effect.
s. 0x80 - The connection is roaming. 0x80000000 - Ignore congestion.
pecifies the amount of time in milliseconds after which BranchCache client computers begin to cache content locally.
Hosted cache servers. To add hosted cache server computer names to this policy setting click Enabled and then click Show. The Show Con
uters that are running Windows 7 or Windows Vista. If you disable or do not configure this setting a client will not attempt to discover hos
match the name of the hosted cache server that is specified in the server certificate. Hosted cache clients must trust the server certificate
Enterprise and Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
he single-label name and submits this new query to a DNS server.For example if the primary DNS suffix ooo.aaa.microsoft.com is attached
this devolved primary DNS suffix to the single-label name and submits this new query to a DNS server.For example if the primary DNS suffi
tion on all shared folders. With this option BranchCache does not generate content information for any shares on the computer and does
g from using the ICS service for DHCP services. To prevent the ICS service from running on the Network Permissions tab in the network's po
Defender Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility) even if the "Windows Defender Firew
d" and the port does not receive messages. Therefore if you set the Status of a port to "disabled" you can prevent administrators from usi
u can accidentally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters are combined f
Defender Firewall allows inbound ICMP echo request messages (the message sent by the Ping utility) even if the "Windows Defender Firew
d" and the port does not receive messages. Therefore if you set the Status of a port to "disabled" you can prevent administrators from usi
u can accidentally create multiple entries for the same program with conflicting Scope or Status values. Scope parameters are combined f
orer. Data will only be synchronized to the server if the user manually initiates synchronization by using Sync Center.In Windows 7 Window
e limit the auto-cached limit is automatically adjusted downward to equal the total size limit.This setting replaces the Default Cache Size s
y to Windows Server 2003 and Windows XP SP1 (and later service packs).
hardware ID or compatible ID appears in the list you create unless another policy setting specifically prevents that installation (for exampl
ally prevents that installation (for example the "Prevent installation of devices that match any of these device IDs" policy setting the "Prev
ed to install or update driver packages whose device setup class GUIDs appear in the list you create unless another policy setting specifica
launch permission settings for correct security settings but this policy setting may be used in the short-term as an application compatibilit
ir policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated the Windows desktop is
ol and Kerberos armoring and: - If you set the "Always provide claims" option always returns claims for accounts and supports the RFC be
licy processing when logging on through Terminal Services” policy setting is enabled. This policy setting is located under Computer Configu
ITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALW

ries\Helpsvc.exe%WINDIR%\PCHealth\HelpCtr\Binaries\Helpctr.exeAllow Remote Desktop Exception
ation is considered to be sensitive and it should not be made available remotely.Note: This policy setting will not be applied until the syste
the system is rebooted.
action select Start a Program as its type then enter the file created in step 1.6. Configure the task to deploy to your domain.
operating system managed TPM authentication setting is changed from "Full" to "Delegated" the full TPM owner authorization value will b
Ms may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode.An administrator with the TPM o
ckout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode.An admin
ther TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode.An administrator with th
n value the time sample is discarded. Default: 172800 seconds. PhaseCorrectRateThis parameter controls how quickly W32time correc
en attempts.SpecialPollIntervalThis NTP client value expressed in seconds controls how often a manually configured time source is polled
pdate certificate-based data recovery agents when the identification field is present on a drive and is identical to the value configured on th
ensure that TPM information is also backed up.
NTFS file system.

D DS for fixed data drives" check box is selected a recovery password is automatically generated.If you enable this policy setting you can co
ed if FIPS-compliance is enabled. The "System cryptography: Use FIPS-compliant algorithms for encryption hashing and signing" policy setti
ot enable BitLocker until recovery information is stored in AD DS for operating system drives" check box is selected a recovery password is
ability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending up
ure Boot State (PCR 7) and the BitLocker access control (PCR 11). Warning: Changing from the default platform validation profile affects the
in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enab
ply to drives that are formatted with the NTFS file system.
omatically generated.If you enable this policy setting you can control the methods available to users to recover data from BitLocker-protec
abled. The "System cryptography: Use FIPS-compliant algorithms for encryption hashing and signing" policy setting in Computer Configura
y users may choose their own site-to-zone assignments.
e allowed to run: - Attempts by untrusted apps to modify or delete files in protected folders These attempts will not be recorded in
soft.com/en-us/intune/lob-apps-windows)
\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain th
hms by using Microsoft cryptographic modules. Use this encryption level when communications between clients and RD Session Host serve
ord security is set to “High.” At this setting when users enter passwords from Input Panel they use the on-screen keyboard by default skin
: You can specify text with which to customize your error report dialog boxes. The word ""Microsoft"" is replaced with the specified text.
instead of a specific schedule. Automatic maintenance will install updates when the computer is not in use and avoid doing so when the c
then this policy has no effect. Note: If the "Alternate Download Server" is not set it will use the intranet update service by default to d
nt locally.
hen click Show. The Show Contents dialog box opens. Click Value and then type the computer names of the hosted cache servers.
ill not attempt to discover hosted cache servers by service connection point.Policy configurationSelect one of the following:- Not Configur
ust trust the server certificate that is issued to the hosted cache server. Ensure that the issuing CA certificate is installed in the Trusted Roo
aaa.microsoft.com is attached to the non-dot-terminated single-label name "example" and the DNS query for example.ooo.aaa.microsoft
ample if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example" and the DNS q
res on the computer and does not send content information to client computers that request content.
missions tab in the network's policy properties select the "Don't use hosted networks" check box.
the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 incl
event administrators from using the Windows Defender Firewall component in Control Panel to enable the port.Note: The only effect of s
pe parameters are combined for multiple entries.Note: If you set the Status parameter of a definition string to "disabled" Windows Defend
the "Windows Defender Firewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 incl
event administrators from using the Windows Defender Firewall component in Control Panel to enable the port.Note: The only effect of s
pe parameters are combined for multiple entries.Note: If you set the Status parameter of a definition string to "disabled" Windows Defend
c Center.In Windows 7 Windows Server 2008 R2 Windows 8 or Windows Server 2012 when operating in slow-link mode Offline Files synch
places the Default Cache Size setting used by pre-Windows Vista systems.
ts that installation (for example the "Prevent installation of devices that match any of these device IDs" policy setting the "Prevent installa
e IDs" policy setting the "Prevent installation of devices for these device classes" policy setting the "Prevent installation of devices that ma
nother policy setting specifically prevents installation (for example the "Prevent installation of devices that match these device IDs" policy
as an application compatibility deployment aid.DCOM servers added to this exemption list are only exempted if their custom launch perm
dated the Windows desktop is refreshed; it flickers briefly and closes open menus. Also restrictions imposed by Group Policies such as thos
ounts and supports the RFC behavior for advertising the flexible authentication secure tunneling (FAST). - If you set the "Fail unarmored a
cated under Computer Configuration\Policies\Administrative templates\System\Group Policy\.If this configuration is not implemented on
OLICY_BOTTOM_UP_ASLR_ALWAYS_OFF and to leave all other options at their default values specify a value of: ???????????????0????
not be applied until the system is rebooted.
wner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid.
administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm
ts the lockout mode.An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Man
mode.An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Cons
s how quickly W32time corrects the client computer's local clock difference to match time samples that are accepted as accurate from the
nfigured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on t
al to the value configured on the computer. The identification field can be any value of 260 characters or fewer.
e this policy setting you can control the methods available to users to recover data from BitLocker-protected fixed data drives.If this policy
ashing and signing" policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies
lected a recovery password is automatically generated.If you enable this policy setting you can control the methods available to users to r
ed or decreased depending upon inclusion or exclusion (respectively) of the PCRs.

m validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious o
ether FIPS-compliance is enabled.

er data from BitLocker-protected removable data drives.If this policy setting is not configured or disabled the default recovery options are
setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance
ttempts will not be recorded in the Windows event log. Audit disk modification only: The following will not be blocked and will be a
policy setting should contain the mandatory profile.
ents and RD Session Host servers requires the highest level of encryption.
reen keyboard by default skin switching is not allowed and Input Panel does not display the cursor or which keys are tapped. Users will no
placed with the specified text.If you do not configure this policy setting users can change Windows Error Reporting settings in Control Pane
and avoid doing so when the computer is running on battery power. If automatic maintenance is unable to install updates for 2 days Wind
update service by default to download updates. Note: The option to "Download files with no Url..." is only used if the "Alternate Dow
hosted cache servers.
of the following:- Not Configured. With this selection BranchCache settings are not applied to client computers by this policy setting and cli
e is installed in the Trusted Root Certification Authorities certificate store on all hosted cache client computers.* This policy setting is suppo
or example.ooo.aaa.microsoft.com fails the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolutio
ame "example" and the DNS query for example.ooo.aaa.microsoft.com fails the DNS client devolves the primary DNS suffix (drops the leftm
hat can open TCP port 445 include "Windows Defender Firewall: Allow inbound file and printer sharing exception" "Windows Defender Fir
port.Note: The only effect of setting the Status value to "disabled" is that Windows Defender Firewall ignores other definitions for that por
to "disabled" Windows Defender Firewall ignores port requests made by that program and ignores other definitions that set the Status of
hat can open TCP port 445 include "Windows Defender Firewall: Allow inbound file and printer sharing exception" "Windows Defender Fir
port.Note: The only effect of setting the Status value to "disabled" is that Windows Defender Firewall ignores other definitions for that por
to "disabled" Windows Defender Firewall ignores port requests made by that program and ignores other definitions that set the Status of
w-link mode Offline Files synchronizes the user's files in the background at regular intervals or as configured by the "Configure Background
y setting the "Prevent installation of devices for these device classes" policy setting the "Prevent installation of devices that match any of
installation of devices that match any of these device instance IDs" policy setting or the "Prevent installation of removable devices" policy
match these device IDs" policy setting the "Prevent installation of devices for these device classes" policy setting the "Prevent installation o
ed if their custom launch permissions do not contain specific LocalLaunch RemoteLaunch LocalActivate or RemoteActivate grant or deny e
by Group Policies such as those that limit the programs users can run might interfere with tasks in progress.
you set the "Fail unarmored authentication requests" option rejects unarmored Kerberos messages.Warning: When "Fail unarmored auth
ration is not implemented on the server this policy setting is ignored. In this case Group Policy processing at user logon is synchronous (th
of: ???????????????0???????1???????1 Setting flags not specified here to any value other than ? results in undefined behavior.
will be invalid.
M Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM autho
kout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior st
ng the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TP
accepted as accurate from the NTP server. Lower values cause the clock to correct more slowly; larger values cause the clock to correct m
cialInterval flag is enabled on the NTPServer setting the client uses the value that is set as the SpecialPollInterval instead of a variable inter
wer.
d fixed data drives.If this policy setting is not configured or disabled the default recovery options are supported for BitLocker recovery. By d
ies\Security Options specifies whether FIPS-compliance is enabled.
methods available to users to recover data from BitLocker-protected operating system drives.If this policy setting is disabled or not configu
rm modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs. Spe
e default recovery options are supported for BitLocker recovery. By default a DRA is allowed the recovery options can be specified by the
fies whether FIPS-compliance is enabled.

will not be blocked and will be allowed to run: - Attempts by untrusted apps to write to disk sectors - Attempts by untrusted apps to
keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you disable this policy password se
porting settings in Control Panel. By default these settings are Enable Reporting on computers that are running Windows XP and Report to
nstall updates for 2 days Windows Update will install updates right away. Users will then be notified about an upcoming restart and that re
nly used if the "Alternate Download Server" is set. Note: This policy is not supported on Windows RT. Setting this policy will not have a
rs by this policy setting and client computers do not perform hosted cache server discovery.- Enabled. With this selection the policy settin
rs.* This policy setting is supported on computers that are running Windows Vista Business Enterprise and Ultimate editions with Backgro
abel) till the specified devolution level and submits a query for example.aaa.microsoft.com. If this query fails the primary DNS suffix is devo
mary DNS suffix (drops the leftmost label) till the specified devolution level and submits a query for example.aaa.microsoft.com. If this quer
ption" "Windows Defender Firewall: Allow inbound remote administration exception" and "Windows Defender Firewall: Define inbound po
s other definitions for that port that set the Status to "enabled." If another policy setting opens a port or if a program in the program exce
finitions that set the Status of that program to "enabled." Therefore if you set the Status to "disabled" you prevent administrators from all
ption" "Windows Defender Firewall: Allow inbound remote administration exception" and "Windows Defender Firewall: Define inbound po
s other definitions for that port that set the Status to "enabled." If another policy setting opens a port or if a program in the program exce
finitions that set the Status of that program to "enabled." Therefore if you set the Status to "disabled" you prevent administrators from all
by the "Configure Background Sync" policy. While in slow-link mode Windows periodically checks the connection to the folder and brings t
of devices that match any of these device instance IDs" policy setting or the "Prevent installation of removable devices" policy setting).If y
n of removable devices" policy setting).If you enable this policy setting on a remote desktop server the policy setting affects redirection of
tting the "Prevent installation of devices that match any of these device instance IDs" policy setting or the "Prevent installation of removab
emoteActivate grant or deny entries for any users or groups. Also note exemptions for DCOM Server Appids added to this list will apply to
ng: When "Fail unarmored authentication requests" is set then client computers which do not support Kerberos armoring will fail to authen
user logon is synchronous (these servers wait for the network to be initialized during user logon).If you disable or do not configure this po
sults in undefined behavior.

prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately.If this valu
dware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again
logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately.If
s cause the clock to correct more quickly. Default: 7 (scalar). PollAdjustFactorThis parameter controls how quickly W32time changes p
rval instead of a variable interval between MinPollInterval and MaxPollInterval values to determine how frequently to poll the time source
ed for BitLocker recovery. By default a DRA is allowed the recovery options can be specified by the user including the recovery password a
tting is disabled or not configured the default recovery options are supported for BitLocker recovery. By default a DRA is allowed the recov
(respectively) of the PCRs. Specifically setting this policy with PCR 7 omitted will override the "Allow Secure Boot for integrity validation" g
ptions can be specified by the user including the recovery password and recovery key and recovery information is not backed up to AD DS
Attempts by untrusted apps to modify or delete files in protected folders Only attempts to write to protected disk sectors will be recor
disable this policy password security is set to “Medium-High.” At this setting when users enter passwords from Input Panel they use the o
ng Windows XP and Report to Queue on computers that are running Windows Server 2003.If you disable this policy setting configuration s
n upcoming restart and that restart will only take place if there is no potential for accidental data loss. 5 = Allow local administrators to
tting this policy will not have any effect on Windows RT PCs. To ensure the highest level of security Microsoft recommends securing W
this selection the policy setting is applied to client computers which perform automatic hosted cache server discovery and which are confi
Ultimate editions with Background Intelligent Transfer Service (BITS) 4.0 installed.
the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If th
aaa.microsoft.com. If this query fails the primary DNS suffix is devolved further if it is under specified devolution level and the query exam
der Firewall: Define inbound port exceptions."
program in the program exceptions list asks Windows Defender Firewall to open a port Windows Defender Firewall opens the port.Note:
revent administrators from allowing the program to ask Windows Defender Firewall to open additional ports. However even if the Status i
der Firewall: Define inbound port exceptions."
program in the program exceptions list asks Windows Defender Firewall to open a port Windows Defender Firewall opens the port.Note:
revent administrators from allowing the program to ask Windows Defender Firewall to open additional ports. However even if the Status i
ction to the folder and brings the folder back online if network speeds improve.In Windows 8 or Windows Server 2012 set the Latency thre
ble devices" policy setting).If you enable this policy setting on a remote desktop server the policy setting affects redirection of the specifie
setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.If you disable or do not con
revent installation of removable devices" policy setting).If you enable this policy setting on a remote desktop server the policy setting affec
s added to this list will apply to both 32-bit and 64-bit versions of the server if present.
ros armoring will fail to authenticate to the domain controller.To ensure this feature is effective deploy enough domain controllers that su
ble or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that
again immediately.If this value is not configured a default value of 4 is used.A value of zero means the OS will not allow standard users to
o use the TPM normally again immediately.If this value is not configured a default value of 480 minutes (8 hours) is used.
normally again immediately.If this value is not configured a default value of 9 is used.A value of zero means the OS will not allow standard
ow quickly W32time changes polling intervals. When responses are considered to be accurate the polling interval lengthens automatically.
quently to poll the time source. SpecialPollInterval must be in the range of [MinPollInterval MaxPollInterval] else the nearest value of the r
uding the recovery password and recovery key and recovery information is not backed up to AD DS
ult a DRA is allowed the recovery options can be specified by the user including the recovery password and recovery key and recovery info
Boot for integrity validation" group policy preventing BitLocker from using Secure Boot for platform or Boot Configuration Data (BCD) integ
on is not backed up to AD DS
ected disk sectors will be recorded in the Windows event log (under Applications and Services Logs > Microsoft > Windows > Windows Def
om Input Panel they use the on-screen keyboard by default skin switching is allowed and Input Panel does not display the cursor or which
s policy setting configuration settings in the policy setting are left blank.See related policy settings Display Error Notification (same folder a
= Allow local administrators to select the configuration mode that Automatic Updates should notify and install updates. (This option has n
osoft recommends securing WSUS with TLS/SSL protocol thereby using HTTPS based intranet servers to keep systems secure. If a proxy is r
discovery and which are configured as hosted cache mode clients.- Disabled. With this selection this policy is not applied to client comput
crosoft.com is submitted. If this query fails devolution continues if it is under specified devolution level and the query example.microsoft.c
tion level and the query example.microsoft.com is submitted. If this query fails devolution continues if it is under specified devolution leve
Firewall opens the port.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbound ICMP echo request mes
s. However even if the Status is "disabled" the program can still receive unsolicited incoming messages through a port if another policy setti
Firewall opens the port.Note: If any policy setting opens TCP port 445 Windows Defender Firewall allows inbound ICMP echo request mes
s. However even if the Status is "disabled" the program can still receive unsolicited incoming messages through a port if another policy setti
erver 2012 set the Latency threshold to 1ms to keep users always working offline in slow-link mode.If you disable this policy setting compu
ects redirection of the specified devices from a remote desktop client to the remote desktop server.If you disable or do not configure this
er.If you disable or do not configure this policy setting and no other policy setting describes the device the "Prevent installation of devices
p server the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.If you disa
ugh domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to h
Server 2008 or later and that is configured as described earlier the computer typically does not wait for the network to be fully initialized.
will not allow standard users to send commands to the TPM which may cause an authorization failure.
ours) is used.
the OS will not allow standard users to send commands to the TPM which may cause an authorization failure.
erval lengthens automatically. When responses are considered to be inaccurate the polling interval shortens automatically. Default: 5 (sca
else the nearest value of the range is picked. Default: 1024 seconds.EventLogFlagsThis value is a bitmask that controls events that may be
recovery key and recovery information is not backed up to AD DS.
Configuration Data (BCD) integrity validation. Setting this policy may result in BitLocker recovery when firmware is updated. If you set this
oft > Windows > Windows Defender > Operational > ID 1124). Attempts to modify or delete files in protected folders will not be record
ot display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you
ror Notification (same folder as this policy setting) and Turn off Windows Error Reporting in Computer Configuration/Administrative Temp
all updates. (This option has not been carried over to any Win 10 Versions) With this option local administrators will be allowed to use
systems secure. If a proxy is required we recommend configuring system proxy. To ensure highest levels of security additionally leverage
s not applied to client computers.
he query example.microsoft.com is submitted corresponding to a devolution level of two. The primary DNS suffix cannot be devolved bey
nder specified devolution level and the query example.microsoft.com is submitted corresponding to a devolution level of two. The primar
bound ICMP echo request messages (the message sent by the Ping utility) even if the "Windows Defender Firewall: Allow ICMP exceptions
ugh a port if another policy setting opens that port.Note: Windows Defender Firewall opens ports for the program only when the program
bound ICMP echo request messages (the message sent by the Ping utility) even if the "Windows Defender Firewall: Allow ICMP exceptions
ugh a port if another policy setting opens that port.Note: Windows Defender Firewall opens ports for the program only when the program
sable this policy setting computers will not use the slow-link mode.
sable or do not configure this policy setting and no other policy setting describes the device the "Prevent installation of devices not describ
Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.
mote desktop server.If you disable or do not configure this policy setting and no other policy setting describes the device the "Prevent insta
re Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result i
network to be fully initialized. In this case users are logged on with cached credentials. Group Policy is applied asynchronously in the back
automatically. Default: 5 (scalar). SpikeWatchPeriodThis parameter specifies the amount of time that samples with time offset larger
at controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an ev
ware is updated. If you set this policy to include PCR 0 suspend BitLocker prior to applying firmware updates.It is recommended to not confi
ected folders will not be recorded. Not configured: Same as Disabled.
nel Options dialog box. If you do not configure this policy password security is set to “Medium-High” by default. At this setting when user
guration/Administrative Templates/System/Internet Communication Management/Internet Communication settings.

strators will be allowed to use the Windows Update control panel to select a configuration option of their choice. Local administrators wil
security additionally leverage WSUS TLS certificate pinning on all devices. In order to keep clients inherently secure we are no longer a
suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolutio
ution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured us
rewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Defender Fir
ogram only when the program is running and "listening" for incoming messages. If the program is not running or is running but not listenin
rewall: Allow ICMP exceptions" policy setting would block them. Policy settings that can open TCP port 445 include "Windows Defender Fir
ogram only when the program is running and "listening" for incoming messages. If the program is not running or is running but not listenin
tallation of devices not described by other policy settings" policy setting determines whether the device can be installed.
device can be installed.
s the device the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can b
hat support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is the "Su
ed asynchronously in the background.Notes: -If you want to guarantee the application of Folder Redirection Software Installation or roam
amples with time offset larger than LargePhaseOffset are received before these samples are accepted as accurate. SpikeWatchPeriod is us
hat W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event
It is recommended to not configure this policy to allow Windows to select the PCR profile for the best combination of security and usabilit
ault. At this setting when users enter passwords from Input Panel they use the on-screen keyboard by default skin switching is allowed an
settings.
hoice. Local administrators will not be allowed to disable the configuration for Automatic Updates. 7 = Notify for install and notify for r
ntly secure we are no longer allowing intranet servers to leverage user proxy by default for detecting updates. If you need to leverage use
e primary DNS suffix devolution level policy setting. The default devolution level is two.If you enable this policy setting or if you do not con
tion level can be configured using this policy setting. The default devolution level is two.If you enable this policy setting and DNS devolutio
nclude "Windows Defender Firewall: Allow inbound file and printer sharing exception" "Windows Defender Firewall: Allow inbound remot
g or is running but not listening for those messages Windows Defender Firewall does not open its ports.
nclude "Windows Defender Firewall: Allow inbound file and printer sharing exception" "Windows Defender Firewall: Allow inbound remot
g or is running but not listening for those messages Windows Defender Firewall does not open its ports.
be installed.
ines whether the device can be installed.

ring is required (that is the "Supported" option is enabled).Impact on domain controller performance when this policy setting is enabled:
Software Installation or roaming user profile settings in just one logon enable this policy setting to ensure that Windows waits for the netw
urate. SpikeWatchPeriod is used in conjunction with HoldPeriod to help eliminate sporadic inaccurate time samples that are returned from
W32time will create an event whenever a time source change is made. Because it is a bitmask value setting 0x3 (the addition of 0x1 and 0
ination of security and usability based on the available hardware on each PC.
ult skin switching is allowed and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this settin
otify for install and notify for restart. (Windows Server only) With this option from Windows Server 2016 applicable only to Server SKU
es. If you need to leverage user proxy for detecting updates while using an intranet server despite the vulnerabilities it presents you must
icy setting or if you do not configure this policy setting DNS clients attempt to resolve single-label names using concatenations of the single
licy setting and DNS devolution is also enabled DNS clients use the DNS devolution level that you specify.If this policy setting is disabled or
Firewall: Allow inbound remote administration exception" and "Windows Defender Firewall: Define inbound port exceptions."
Firewall: Allow inbound remote administration exception" and "Windows Defender Firewall: Define inbound port exceptions."
this policy setting is enabled: - Secure Kerberos domain capability discovery is required resulting in additional message exchanges. - Claim
hat Windows waits for the network to be available before applying policy. -If Folder Redirection policy will apply during the next logon secu
samples that are returned from a peer. Default: 900 seconds. UpdateIntervalThis parameter specifies the amount of time that W32tim
0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged.
be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista.Caution: If you lower passw
6 applicable only to Server SKU devices local administrators will be allowed to use Windows Update to proceed with installations or reboot
rabilities it presents you must configure the proxy behavior to "Allow user proxy to be used as a fallback if detection using system proxy fa
ng concatenations of the single-label name to be resolved and the devolved primary DNS suffix.If you disable this policy setting DNS clients
his policy setting is disabled or if this policy setting is not configured DNS clients use the default devolution level of two provided that DNS
al message exchanges. - Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data i
pply during the next logon security policies will be applied asynchronously during the next update cycle if network connectivity is available.
e amount of time that W32time waits between corrections when the clock is being corrected gradually. When it makes a gradual correctio
ta.Caution: If you lower password security settings people who can see the user’s screen might be able to see their passwords.
ed with installations or reboots manually.If the status for this policy is set to Disabled any updates that are available on Windows Update m
etection using system proxy fails". Detection for updates against intranet servers will fail when user proxy is needed as a fallback and t
e this policy setting DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the d
evel of two provided that DNS devolution is enabled.
e and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size. - Kerberos ar
work connectivity is available.
vailable on Windows Update must be downloaded and installed manually. To do this search for Windows Update using Start.If the status
y is needed as a fallback and the alternate proxy behavior is not configured.

name to be resolved and the devolved primary DNS suffix.
rvice ticket size. - Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing tim
ults in increased processing time but does not change the service ticket size.
Policy Path
AutoSubscription
Control Panel
Control Panel
Control Panel
Control Panel
Control Panel
Control Panel\Add or Remove Programs
Control Panel\Display
Control Panel\Display
Control Panel\Printers
Control Panel\Programs
Control Panel\Regional and Language Options\Handwriting personalization
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop
Desktop\Active Directory
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Desktop\Desktop
Shared Folders
Shared Folders
System
System
System
System
System
System
System
System
System
System
System\Ctrl+Alt+Del Options
System\Display
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Group Policy
System\Internet Communication Management
System\Logon
System\Logon
System\Logon
System\Scripts
System\Scripts
System\Scripts
System\Scripts
System\Scripts
Windows Components\Add features to Windows 10
Windows Components\Attachment Manager
Windows Components\Calculator
Windows Components\Digital Locker
Windows Components\File Explorer\Common Open File Dialog
Windows Components\File Explorer\Explorer Frame Pane
Windows Components\File Explorer\Explorer Frame Pane
Windows Components\File Revocation
Windows Components\IME
Windows Components\Instant Search
Windows Components\Internet Explorer\Administrator Approved Controls
Windows Components\Internet Explorer\Internet Control Panel\Content Page
Windows Components\Internet Explorer\Internet Control Panel\General Page
Windows Components\Internet Explorer\Internet Control Panel\General Page\Browsing Histor
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Local Machine
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down I
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down L
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Re
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Locked-Down Tr
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Restricted Sites
Windows Components\Internet Explorer\Internet Control Panel\Security Page\Trusted Sites Z
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Internet Connect
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Printing
Windows Components\Internet Explorer\Internet Settings\Advanced settings\Signup Settings
Windows Components\Internet Explorer\Internet Settings\Display settings
Windows Components\Internet Explorer\Internet Settings\Display settings\General Colors
Windows Components\Internet Explorer\Internet Settings\Display settings\Link Colors
Windows Components\Internet Explorer\Internet Settings\URL Encoding
Windows Components\Internet Explorer\Offline Pages
Windows Components\Internet Explorer\Persistence Behavior
Windows Components\Internet Explorer\Security Features\Binary Behavior Security Restrictio
Windows Components\Internet Explorer\Security Features\Local Machine Zone Lockdown Secu
Windows Components\Internet Explorer\Security Features\Network Protocol Lockdown\Restric
Windows Components\Internet Explorer\Security Features\Scripted Window Security Restricti
Windows Components\Microsoft Management Console
Windows Components\Microsoft Management Console
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Extensi
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group P
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Pol
Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins\Group Poli
Windows Components\Multitasking
Windows Components\NetMeeting\Application Sharing
Windows Components\NetMeeting\Audio & Video
Windows Components\NetMeeting\Options Page
Windows Components\Network Sharing
Windows Components\OOBE
Windows Components\Presentation Settings
Windows Components\Remote Desktop Services\RD Gateway
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Printer Redire
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Sessi
Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time L
Windows Components\Remote Desktop Services\RemoteApp and Desktop Connections
Windows Components\Sound Recorder
Windows Components\Tablet PC\Cursors
Windows Components\Tablet PC\Pen Flicks Learning
Windows Components\Tablet PC\Pen UX Behaviors
Windows Components\Tablet PC\Tablet PC Pen Training
Windows Components\Windows Calendar
Windows Components\Windows Color System
Windows Components\Windows Media Player\Networking
Windows Components\Windows Media Player\Playback
Windows Components\Windows Media Player\Playback
Windows Components\Windows Media Player\User Interface
Windows Components\Windows Mobility Center
Windows Components\Windows Update\Manage updates offered from Windows Server Updat
Policy Setting Name
Enable auto-subscription
Always open All Control Panel Items when opening Control Panel
Hide specified Control Panel items
Prohibit access to Control Panel and PC settings
Settings Page Visibility
Show only specified Control Panel items
Go directly to Components Wizard
Hide Add New Programs page
Hide Add/Remove Windows Components page
Hide Change or Remove Programs page
Hide the "Add a program from CD-ROM or floppy disk" option
Hide the "Add programs from Microsoft" option
Hide the "Add programs from your network" option
Hide the Set Program Access and Defaults page
Remove Add or Remove Programs
Remove Support Information
Specify default category for Add New Programs
Disable the Display Control Panel
Hide Settings tab
Enable screen saver
Force a specific visual style file or force Windows Classic
Force specific screen saver
Load a specific theme
Password protect the screen saver
Prevent changing color and appearance
Prevent changing color scheme
Prevent changing desktop background
Prevent changing desktop icons
Prevent changing mouse pointers
Prevent changing screen saver
Prevent changing sounds
Prevent changing theme
Prevent changing visual style for windows and buttons
Prohibit selection of visual style font size
Screen saver timeout
Browse a common web site to find printers
Browse the network to find printers
Default Active Directory path when searching for printers
Enable Device Control Printing Restrictions
List of Approved USB-connected print devices
Only use Package Point and print
Package Point and print - Approved servers
Point and Print Restrictions
Prevent addition of printers
Prevent deletion of printers
Turn off Windows default printer management
Hide "Get Programs" page
Hide "Installed Updates" page
Hide "Programs and Features" page
Hide "Set Program Access and Computer Defaults" page
Hide "Windows Features"
Hide "Windows Marketplace"
Hide the Programs Control Panel
Hide Regional and Language Options administrative options
Hide the geographic location option
Hide the select language group options
Hide user locale selection and customization options
Restrict Language Pack and Language Feature Installation
Restrict selection of Windows menus and dialogs language
Restricts the UI languages Windows should use for the selected user
Turn off autocorrect misspelled words
Turn off highlight misspelled words
Turn off insert a space after selecting a text prediction
Turn off offer text predictions as I type
Turn off automatic learning
Do not add shares of recently opened documents to Network Locations
Don't save settings at exit
Hide and disable all items on the desktop
Hide Internet Explorer icon on desktop
Hide Network Locations icon on desktop
Prevent adding dragging dropping and closing the Taskbar's toolbars
Prohibit adjusting desktop toolbars
Prohibit User from manually redirecting Profile Folders
Remove Computer icon on the desktop
Remove My Documents icon on the desktop
Remove Properties from the Computer icon context menu
Remove Properties from the Documents icon context menu
Remove Properties from the Recycle Bin context menu
Remove Recycle Bin icon from desktop
Remove the Desktop Cleanup Wizard
Turn off Aero Shake window minimizing mouse gesture
Enable filter in Find dialog box
Hide Active Directory folder
Maximum size of Active Directory searches
Add/Delete items
Allow only bitmapped wallpaper
Desktop Wallpaper
Disable Active Desktop
Disable all items
Enable Active Desktop
Prohibit adding items
Prohibit changes
Prohibit closing items
Prohibit deleting items
Prohibit editing items
Ability to change properties of an all user remote access connection
Ability to delete all user remote access connections
Ability to Enable/Disable a LAN connection
Ability to rename all user remote access connections
Ability to rename LAN connections
Ability to rename LAN connections or remote access connections available to all users
Enable Windows 2000 Network Connections settings for Administrators
Prohibit access to properties of a LAN connection
Prohibit access to properties of components of a LAN connection
Prohibit access to properties of components of a remote access connection
Prohibit access to the Advanced Settings item on the Advanced menu
Prohibit access to the New Connection Wizard
Prohibit access to the Remote Access Preferences item on the Advanced menu
Prohibit adding and removing components for a LAN or remote access connection
Prohibit changing properties of a private remote access connection
Prohibit connecting and disconnecting a remote access connection
Prohibit deletion of remote access connections
Prohibit Enabling/Disabling components of a LAN connection
Prohibit renaming private remote access connections
Prohibit TCP/IP advanced configuration
Prohibit viewing of status for an active connection
Turn off notifications when a connection has only limited or no connectivity
Action on server disconnect
Event logging level
Initial reminder balloon lifetime
Non-default server disconnect actions
Prevent use of Offline Files folder
Prohibit user configuration of Offline Files
Reminder balloon frequency
Reminder balloon lifetime
Remove "Make Available Offline" command
Remove "Make Available Offline" for these files and folders
Remove "Work offline" command
Specify administratively assigned Offline Files
Synchronize all offline files before logging off
Synchronize all offline files when logging on
Synchronize offline files before suspend
Turn off reminder balloons
Prohibit access of the Windows Connect Now wizards
Allow DFS roots to be published
Allow shared folders to be published
Add "Run in Separate Memory Space" check box to Run dialog box
Add Logoff to the Start Menu
Add Search Internet link to Start Menu
Add the Run command to the Start Menu
Change Start Menu power button
Clear history of recently opened documents on exit
Clear the recent programs list for new users
Clear tile notifications during log on
Disable context menus in the Start Menu
Disable showing balloon notifications as toasts.
Do not allow pinning items in Jump Lists
Do not allow pinning programs to the Taskbar
Do not allow pinning Store app to the Taskbar
Do not allow taskbars on more than one display
Do not display any custom toolbars in the taskbar
Do not display or track items in Jump Lists from remote locations
Do not keep history of recently opened documents
Do not search communications
Do not search for files
Do not search Internet
Do not search programs and Control Panel items
Do not use the search-based method when resolving shell shortcuts
Do not use the tracking-based method when resolving shell shortcuts
Force classic Start Menu
Force Start to be either full screen size or menu size
Go to the desktop instead of Start when signing in
Gray unavailable Windows Installer programs Start Menu shortcuts
Hide the notification area
List desktop apps first in the Apps view
Lock all taskbar settings
Lock the Taskbar
Pin Apps to Start when installed
Prevent changes to Taskbar and Start Menu Settings
Prevent grouping of taskbar items
Prevent users from adding or removing toolbars
Prevent users from customizing their Start Screen
Prevent users from moving taskbar to another screen dock location
Prevent users from rearranging toolbars
Prevent users from resizing the taskbar
Prevent users from uninstalling applications from Start
Remove "Recently added" list from Start Menu
Remove access to the context menus for the taskbar
Remove All Programs list from the Start menu
Remove and prevent access to the Shut Down Restart Sleep and Hibernate commands
Remove Balloon Tips on Start Menu items
Remove Clock from the system notification area
Remove common program groups from Start Menu
Remove Default Programs link from the Start menu.
Remove Documents icon from Start Menu
Remove Downloads link from Start Menu
Remove Favorites menu from Start Menu
Remove frequent programs list from the Start Menu
Remove Games link from Start Menu
Remove Help menu from Start Menu
Remove Homegroup link from Start Menu
Remove links and access to Windows Update
Remove Logoff on the Start Menu
Remove Music icon from Start Menu
Remove Network Connections from Start Menu
Remove Network icon from Start Menu
Remove Notifications and Action Center
Remove Pictures icon from Start Menu
Remove pinned programs from the Taskbar
Remove pinned programs list from the Start Menu
Remove programs on Settings menu
Remove Recent Items menu from Start Menu
Remove Recorded TV link from Start Menu
Remove Run menu from Start Menu
Remove Search Computer link
Remove Search link from Start Menu
Remove See More Results / Search Everywhere link
Remove the "Undock PC" button from the Start Menu
Remove the battery meter
Remove the Meet Now icon
Remove the networking icon
Remove the People Bar from the taskbar
Remove the Security and Maintenance icon
Remove the volume control icon
Remove user folder link from Start Menu
Remove user name from Start Menu
Remove user's folders from the Start Menu
Remove Videos link from Start Menu
Search just apps from the Apps view
Show "Run as different user" command on Start
Show additional calendar
Show or hide "Most used" list from Start menu
Show QuickLaunch on Taskbar
Show Start on the display the user is using when they press the Windows logo key
Show the Apps view automatically when the user goes to Start
Show Windows Store apps on the taskbar
Start Layout
Turn off all balloon notifications
Turn off automatic promotion of notification icons to the taskbar
Turn off feature advertisement balloon notifications
Turn off notification area cleanup
Turn off personalized menus
Turn off taskbar thumbnails
Turn off user tracking
Set the time Quiet Hours begins each day
Set the time Quiet Hours ends each day
Turn off calls during Quiet Hours
Turn off notification mirroring
Turn off Quiet Hours
Turn off tile notifications
Turn off toast notifications
Turn off toast notifications on the lock screen
Century interpretation for Year 2000
Custom User Interface
Do not display the Getting Started welcome screen at logon
Don't run specified Windows applications
Download missing COM components
Prevent access to registry editing tools
Prevent access to the command prompt
Restrict these programs from being launched from Help
Run only specified Windows applications
Windows Automatic Updates
Remove Change Password
Remove Lock Computer
Remove Logoff
Remove Task Manager
Configure Per-Process System DPI settings
Code signing for driver packages
Configure driver search locations
Turn off Windows Update device driver search prompt
Do not automatically make all redirected folders available offline
Do not automatically make specific redirected folders available offline
Enable optimized move of contents in Offline Files cache on Folder Redirection server path change
Redirect folders on primary computers only
Use localized subfolder names when redirecting Start Menu and My Documents
Configure Group Policy domain controller selection
Configure Group Policy slow link detection
Create new Group Policy Object links disabled by default
Determine if interactive users can generate Resultant Set of Policy data
Enforce Show Policies Only
Set default name for new Group Policy objects
Set Group Policy refresh interval for users
Turn off automatic update of ADM files
Restrict Internet communication
Turn off access to the Store
Turn off downloading of print drivers over HTTP
Turn off handwriting personalization data sharing
Turn off handwriting recognition error reporting
Turn off Help Experience Improvement Program
Turn off Help Ratings
Turn off Internet download for Web publishing and online ordering wizards
Turn off Internet File Association service
Turn off printing over HTTP
Turn off the "Order Prints" picture task
Turn off the "Publish to Web" task for files and folders
Turn off the Windows Messenger Customer Experience Improvement Program
Turn off Windows Online
Disallow changing of geographic location
Disallow selection of Custom Locales
Disallow user override of locale settings
Restrict user locales
Do not process the legacy run list
Do not process the run once list
Run these programs at user logon
Process Mitigation Options
Prompt for password on resume from hibernate/suspend
All Removable Storage classes: Deny all access
CD and DVD: Deny read access
CD and DVD: Deny write access
Custom Classes: Deny read access
Custom Classes: Deny write access
Floppy Drives: Deny read access
Floppy Drives: Deny write access
Removable Disks: Deny read access
Removable Disks: Deny write access
Set time (in seconds) to force reboot
Tape Drives: Deny read access
Tape Drives: Deny write access
WPD Devices: Deny read access
WPD Devices: Deny write access
Display instructions in logoff scripts as they run
Display instructions in logon scripts as they run
Run legacy logon scripts hidden
Run logon scripts synchronously
Run Windows PowerShell scripts first at user logon logoff
Connect home directory to root of the share
Exclude directories in roaming profile
Limit profile size
Specify network directories to sync at logon/logoff time only
Prevent the wizard from running.
Block launching desktop apps associated with a file.
Block launching desktop apps associated with a URI scheme
Turn off Program Compatibility Assistant
Default risk level for file attachments
Do not preserve zone information in file attachments
Hide mechanisms to remove zone information
Inclusion list for high risk file types
Inclusion list for low file types
Inclusion list for moderate risk file types
Notify antivirus programs when opening attachments
Trust logic for file attachments
Disallow Autoplay for non-volume devices
Prevent AutoPlay from remembering user choices.
Set the default behavior for AutoRun
Turn off Autoplay
Allow Graphing Calculator
Configure Windows spotlight on lock screen
Do not suggest third-party content in Windows spotlight
Do not use diagnostic data for tailored experiences
Turn off all Windows spotlight features
Turn off Spotlight collection on Desktop
Turn off the Windows Welcome Experience
Turn off Windows Spotlight on Action Center
Turn off Windows Spotlight on Settings
Do not display the password reveal button
Allow Diagnostic Data
Configure collection of browsing data for Desktop Analytics
Restrict unpacking and installation of gadgets that are not digitally signed.
Turn off desktop gadgets
Turn Off user-installed desktop gadgets
Do not allow Flip3D invocation
Do not allow window animations
Do not allow color changes
Specify a default color
Do not allow Digital Locker to run
Allow edge swipe
Disable help tips
Do not show recent apps when the mouse is pointing to the upper-left corner of the screen
Prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click the
Search Share Start Devices and Settings don't appear when the mouse is pointing to the upper-right corner of the screen
Turn off switching between recent apps
Turn off tracking of app usage
Allow only per user or approved shell extensions
Disable binding directly to IPropertySetStorage without intermediate layers.
Disable Known Folders
Display confirmation dialog when deleting files
Display the menu bar in File Explorer
Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon
Do not display the Welcome Center at user logon
Do not move deleted files to the Recycle Bin
Do not request alternate credentials
Do not track Shell shortcuts during roaming
Hide these specified drives in My Computer
Hides the Manage item on the File Explorer context menu
Location where all default Library definition files for users/machines reside.
Maximum allowed Recycle Bin size
Maximum number of recent documents
No Computers Near Me in Network Locations
No Entire Network in Network Locations
Pin Internet search sites to the "Search again" links and the Start menu
Pin Libraries or Search Connectors to the "Search again" links and the Start menu
Prevent access to drives from My Computer
Prevent users from adding files to the root of their Users Files folder.
Remove "Map Network Drive" and "Disconnect Network Drive"
Remove CD Burning features
Remove DFS tab
Remove File Explorer's default context menu
Remove File menu from File Explorer
Remove Hardware tab
Remove Search button from File Explorer
Remove Security tab
Remove Shared Documents from My Computer
Remove the Search the Internet "Search again" link
Remove UI to change keyboard navigation indicator setting
Remove UI to change menu animation setting
Request credentials for network installations
Start File Explorer with ribbon minimized
Turn off caching of thumbnail pictures
Turn off common control and window animations
Turn off display of recent search entries in the File Explorer search box
Turn off numerical sorting in File Explorer
Turn off shell protocol protected mode
Turn off the caching of thumbnails in hidden thumbs.db files
Turn off the display of snippets in Content view mode
Turn off the display of thumbnails and only display icons on network folders
Turn off the display of thumbnails and only display icons.
Turn off Windows Key hotkeys
Turn off Windows Libraries features that rely on indexed file data
Turn on Classic Shell
Hide the common dialog back button
Hide the common dialog places bar
Hide the dropdown list of recent files
Items displayed in Places Bar
Turn off Preview Pane
Turn on or off details pane
Hide previous versions list for local files
Hide previous versions list for remote files
Hide previous versions of files on backup location
Prevent restoring local previous versions
Prevent restoring previous versions from backups
Prevent restoring remote previous versions
Allow Windows Runtime apps to revoke enterprise data
Configure Japanese IME version
Configure Korean IME version
Configure Simplified Chinese IME version
Configure Traditional Chinese IME version
Do not include Non-Publishing Standard Glyph in the candidate list
Restrict character code range of conversion
Turn off custom dictionary
Turn off history-based predictive input
Turn off Internet search integration
Turn off Open Extended Dictionary
Turn off saving auto-tuning data to file
Turn on cloud candidate
Turn on cloud candidate for CHS
Turn on misconversion logging for misconversion report
Custom Instant Search Internet search provider
Add a specific list of search providers to the user's list of search providers
Allow "Save Target As" in Internet Explorer mode
Allow Internet Explorer 8 shutdown behavior
Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar
Automatically activate newly installed add-ons
Configure Media Explorer Bar
Configure Outlook Express
Configure which channel of Microsoft Edge to use for opening redirected sites
Customize user agent string
Disable AutoComplete for forms
Disable caching of Auto-Proxy scripts
Disable changing accessibility settings
Disable changing Advanced page settings
Disable changing Automatic Configuration settings
Disable changing Calendar and Contact settings
Disable changing certificate settings
Disable changing color settings
Disable changing connection settings
Disable changing default browser check
Disable changing font settings
Disable changing home page settings
Disable changing language settings
Disable changing link color settings
Disable changing Messaging settings
Disable changing Profile Assistant settings
Disable changing ratings settings
Disable changing secondary home page settings
Disable changing Temporary Internet files settings
Disable external branding of Internet Explorer
Disable Import/Export Settings wizard
Disable Internet Connection wizard
Disable Internet Explorer 11 as a standalone browser
Disable the Reset Web Settings feature
Display error message on proxy script download failure
Do not allow users to enable or disable add-ons
Enable extended hot keys in Internet Explorer mode
Enforce full-screen mode
Identity Manager: Prevent users from using Identities
Keep all intranet sites in Internet Explorer
Let users turn on and use Enterprise Mode from the Tools menu
Limit Site Discovery output by Domain
Limit Site Discovery output by Zone
Notify users if Internet Explorer is not the default web browser
Pop-up allow list
Position the menu bar above the navigation bar
Prevent "Fix settings" functionality
Prevent access to Internet Explorer Help
Prevent bypassing SmartScreen Filter warnings
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Prevent changing pop-up filter level
Prevent changing proxy settings
Prevent changing the default search provider
Prevent configuration of how windows open
Prevent configuration of new tab creation
Prevent Internet Explorer Search box from appearing
Prevent managing pop-up exception list
Prevent managing SmartScreen Filter
Prevent managing the phishing filter
Prevent participation in the Customer Experience Improvement Program
Prevent per-user installation of ActiveX controls
Prevent running First Run wizard
Replace JScript by loading JScript9Legacy in place of JScript via MSHTML/WebOC.
Restrict search providers to a specific list
Search: Disable Find Files via F3 within the browser
Search: Disable Search Customization
Send all sites not included in the Enterprise Mode Site List to Microsoft Edge
Set tab process growth
Show message when opening sites in Microsoft Edge using Enterprise Mode
Specify default behavior for a new tab
Specify use of ActiveX Installer Service for installation of ActiveX controls
Turn off ability to pin sites in Internet Explorer on the desktop
Turn off ActiveX Opt-In prompt
Turn off add-on performance notifications
Turn off Automatic Crash Recovery
Turn off browser geolocation
Turn off configuration of pop-up windows in tabbed browsing
Turn off Crash Detection
Turn off Favorites bar
Turn off Managing SmartScreen Filter for Internet Explorer 8
Turn off page-zooming functionality
Turn off pop-up management
Turn off Quick Tabs functionality
Turn off Reopen Last Browsing Session
Turn off suggestions for all user-installed providers
Turn off Tab Grouping
Turn off tabbed browsing
Turn off the auto-complete feature for web addresses
Turn off the quick pick menu
Turn off the Security Settings Check feature
Turn on ActiveX Filtering
Turn on compatibility logging
Turn on menu bar by default
Turn on Site Discovery WMI output
Turn on Site Discovery XML output
Turn on Suggested Sites
Turn on the auto-complete feature for user names and passwords on forms
Use Automatic Detection for dial-up connections
Use the Enterprise Mode IE website list
Add default Accelerators
Add non-default Accelerators
Restrict Accelerators to those deployed through Group Policy
Turn off Accelerators
Audio/Video Player
Carpoint
DHTML Edit Control
Investor
Menu Controls
Microsoft Agent
Microsoft Chat
Microsoft Scriptlet Component
Microsoft Survey Control
MSNBC
NetShow File Transfer Control
Shockwave Flash
Bypass prompting for Clipboard access for scripts running in any process
Bypass prompting for Clipboard access for scripts running in the Internet Explorer process
Define applications and processes that can access the Clipboard without prompting
Disable Open in New Window menu option
Disable Save this program to disk option
File menu: Disable closing the browser and Explorer windows
File menu: Disable New menu option
File menu: Disable Open menu option
File menu: Disable Save As Web Page Complete
File menu: Disable Save As... menu option
Help menu: Remove 'For Netscape Users' menu option
Help menu: Remove 'Send Feedback' menu option
Help menu: Remove 'Tip of the Day' menu option
Help menu: Remove 'Tour' menu option
Hide Favorites menu
Tools menu: Disable Internet Options... menu option
Turn off Print Menu
Turn off Shortcut Menu
Turn off the ability to launch report site problems using a menu option
View menu: Disable Full Screen menu option
View menu: Disable Source menu option
Include updated website lists from Microsoft
Turn off Compatibility View
Turn off Compatibility View button
Turn on Internet Explorer 7 Standards Mode
Turn on Internet Explorer Standards Mode for local intranet
Use Policy List of Internet Explorer 7 sites
Use Policy List of Quirks Mode sites
Allow deleting browsing history on exit
Disable "Configuring History"
Prevent access to Delete Browsing History
Prevent deleting ActiveX Filtering Tracking Protection and Do Not Track data
Prevent deleting cookies
Prevent deleting download history
Prevent deleting favorites site data
Prevent deleting form data
Prevent deleting InPrivate Filtering data
Prevent deleting passwords
Prevent deleting temporary Internet files
Prevent deleting websites that the user has visited
Prevent the deletion of temporary Internet files and cookies
Disable the Advanced page
Disable the Connections page
Disable the Content page
Disable the General page
Disable the Privacy page
Disable the Programs page
Disable the Security page
Prevent ignoring certificate errors
Send internationalized domain names
Use UTF-8 for mailto links
Allow active content from CDs to run on user machines
Allow Install On Demand (except Internet Explorer)
Allow Install On Demand (Internet Explorer)
Allow Internet Explorer to use the HTTP2 network protocol
Allow Internet Explorer to use the SPDY/3 network protocol
Allow software to run or install even if the signature is invalid
Allow third-party browser extensions
Always send Do Not Track header
Automatically check for Internet Explorer updates
Check for server certificate revocation
Check for signatures on downloaded programs
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
Do not allow resetting Internet Explorer settings
Do not save encrypted pages to disk
Empty Temporary Internet Files folder when browser is closed
Play animations in web pages
Play sounds in web pages
Play videos in web pages
Turn off ClearType
Turn off encryption support
Turn off loading websites and content in the background to optimize performance
Turn off Profile Assistant
Turn off sending UTF-8 query strings for URLs
Turn off the flip ahead with page prediction feature
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
Turn on Caret Browsing support
Turn on Enhanced Protected Mode
Use HTTP 1.1
Use HTTP 1.1 through proxy connections
Show Content Advisor on Internet Options
Start Internet Explorer with tabs from last browsing session
Allow websites to store application caches on client computers
Allow websites to store indexed databases on client computers
Set application cache storage limits for individual domains
Set application caches expiration time limit for individual domains
Set default storage limits for websites
Set indexed database storage limits for individual domains
Set maximum application cache individual resource size
Set maximum application cache resource list size
Set maximum application caches storage limit for all domains
Set maximum indexed database storage limit for all domains
Internet Zone Template
Intranet Sites: Include all local (intranet) sites not listed in other zones
Intranet Sites: Include all network paths (UNCs)
Intranet Sites: Include all sites that bypass the proxy server
Intranet Zone Template
Local Machine Zone Template
Locked-Down Internet Zone Template
Locked-Down Intranet Zone Template
Locked-Down Local Machine Zone Template
Locked-Down Restricted Sites Zone Template
Locked-Down Trusted Sites Zone Template
Restricted Sites Zone Template
Site to Zone Assignment List
Trusted Sites Zone Template
Turn on automatic detection of intranet
Turn on certificate address mismatch warning
Turn on Notification bar notification for intranet content
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Allow META REFRESH
Allow scriptlets
Java permissions
Logon options
Use Pop-up Blocker
Open Internet Explorer tiles on the desktop
Set how links are opened in Internet Explorer
Go to an intranet site for a one-word entry in the Address bar
Hide the button (next to the New Tab button) that opens Microsoft Edge
Turn off configuring underline links
Turn off details in messages about Internet connection problems
Turn off page transitions
Turn off phone number detection
Turn off smooth scrolling
Turn on script debugging
Turn on the display of script errors
Start the Internet Connection Wizard automatically
Allow Internet Explorer to play media files that use alternative codecs
Allow the display of image download placeholders
Turn off automatic image resizing
Turn off image display
Turn off smart image dithering
Turn on printing of background colors and images
Prevent configuration of search on Address bar
Prevent configuration of top-result search on Address bar
Turn on automatic signup
Turn off inline AutoComplete in File Explorer
Turn off URL Suggestions
Turn off Windows Search AutoComplete
Turn on inline AutoComplete
Prevent choosing default text size
Prevent specifying background color
Prevent specifying text color
Prevent the use of Windows colors
Prevent specifying the color of links that have already been clicked
Prevent specifying the color of links that have not yet been clicked
Prevent specifying the hover color
Turn on the hover color option
Turn off sending URL path as UTF-8
Disable adding channels
Disable adding schedules for offline pages
Disable all scheduled offline pages
Disable channel user interface completely
Disable downloading of site subscription content
Disable editing and creating of schedule groups
Disable editing schedules for offline pages
Disable offline page hit logging
Disable removing channels
Disable removing schedules for offline pages
Subscription Limits
File size limits for Internet zone
File size limits for Intranet zone
File size limits for Local Machine zone
File size limits for Restricted Sites zone
File size limits for Trusted Sites zone
Establish InPrivate Filtering threshold
Establish Tracking Protection threshold
Prevent the computer from loading toolbars and Browser Helper Objects when InPrivate Browsing starts
Turn off collection of InPrivate Filtering data
Turn off InPrivate Browsing
Turn off InPrivate Filtering
Turn off Tracking Protection
Do not display the reveal password button
Turn off Data URI support
Add-on List
All Processes
Deny all add-ons unless specifically allowed in the Add-on List
Process List
Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
Turn off automatic download of the ActiveX VersionList
Turn off blocking of outdated ActiveX controls for Internet Explorer
Turn off blocking of outdated ActiveX controls for Internet Explorer on specific domains
Turn on ActiveX control logging in Internet Explorer
Allow native XMLHTTP support
Change the maximum number of connections per host (HTTP 1.1)
Maximum number of connections per server (HTTP 1.0)
Set the maximum number of WebSocket connections per server
Turn off cross-document messaging
Turn off the WebSocket Object
Turn off the XDomainRequest object
Admin-approved behaviors
All Processes
Install binaries signed by MD2 and MD4 signing technologies
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
Internet Zone Restricted Protocols
Intranet Zone Restricted Protocols
Local Machine Zone Restricted Protocols
Restricted Sites Zone Restricted Protocols
Trusted Sites Zone Restricted Protocols
All Processes
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
All Processes
Process List
Configure Toolbar Buttons
Customize command labels
Disable customizing browser toolbar buttons
Disable customizing browser toolbars
Display tabs on a separate row
Hide the Command bar
Hide the status bar
Lock all toolbars
Lock location of Stop and Refresh buttons
Turn off Developer Tools
Turn off toolbar upgrade tool
Use large icons for command buttons
Turn off location
Turn off location scripting
Turn off sensors
Allow a shared Books folder
Allow Address bar drop-down list suggestions
Allow Adobe Flash
Allow clearing browsing data on exit
Allow configuration updates for the Books Library
Allow Developer Tools
Allow extended telemetry for the Books tab
Allow Extensions
Allow FullScreen Mode
Allow InPrivate browsing
Allow Microsoft Compatibility List
Allow Microsoft Edge to pre-launch at Windows startup when the system is idle and each time Microsoft Edge is closed
Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed
Allow printing
Allow Saving History
Allow search engine customization
Allow Sideloading of extension
Allow web content on New Tab page
Always show the Books Library in Microsoft Edge
Configure additional search engines
Configure Autofill
Configure cookies
Configure Do Not Track
Configure Favorites
Configure Favorites Bar
Configure Home Button
Configure kiosk mode
Configure kiosk reset after idle timeout
Configure Open Microsoft Edge With
Configure Password Manager
Configure Pop-up Blocker
Configure search suggestions in Address bar
Configure Start pages
Configure the Adobe Flash Click-to-Run setting
Configure the Enterprise Mode Site List
Disable lockdown of Start pages
For PDF files that have both landscape and portrait pages print each in its own orientation.
Keep favorites in sync between Internet Explorer and Microsoft Edge
Prevent access to the about:flags page in Microsoft Edge
Prevent bypassing Windows Defender SmartScreen prompts for files
Prevent certificate error overrides
Prevent changes to Favorites on Microsoft Edge
Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start
Prevent the First Run webpage from opening on Microsoft Edge
Prevent turning off required extensions
Prevent using Localhost IP address for WebRTC
Provision Favorites
Send all intranet sites to Internet Explorer 11
Set default search engine
Set Home Button URL
Set New Tab page URL
Show message when opening sites in Internet Explorer
Unlock Home Button
Restrict the user from entering author mode
Restrict users to the explicitly permitted list of snap-ins
.Net Framework Configuration
Active Directory Domains and Trusts
Active Directory Sites and Services
Active Directory Users and Computers
ActiveX Control
ADSI Edit
Certificate Templates
Certificates
Certification Authority
Component Services
Computer Management
Device Manager
Disk Defragmenter
Disk Management
Distributed File System
Enterprise PKI
Event Viewer
Event Viewer (Windows Vista)
Failover Clusters Manager
FAX Service
FrontPage Server Extensions
Health Registration Authority (HRA)
Indexing Service
Internet Authentication Service (IAS)
Internet Information Services
IP Security Monitor
IP Security Policy Management
Link to Web Address
Local Users and Groups
NAP Client Configuration
Network Policy Server (NPS)
Online Responder
Performance Logs and Alerts
QoS Admission Control
Remote Desktop Services Configuration
Remote Desktops
Removable Storage Management
Routing and Remote Access
Security Configuration and Analysis
Security Templates
Server Manager
Services
Shared Folders
System Information
Telephony
TPM Management
Windows Firewall with Advanced Security
Wireless Monitor
WMI Control
AppleTalk Routing
Authorization Manager
Certification Authority Policy Settings
Connection Sharing (NAT)
DCOM Configuration Extension
Device Manager
DHCP Relay Management
Event Viewer
Event Viewer (Windows Vista)
Extended View (Web View)
IAS Logging
IGMP Routing
IP Routing
IPX RIP Routing
IPX Routing
IPX SAP Routing
Logical and Mapped Drives
OSPF Routing
Public Key Policies
RAS Dialin - User Node
Remote Access
Removable Storage
RIP Routing
Routing
Send Console Message
Service Dependencies
Shared Folders Ext
SMTP Protocol
SNMP
System Properties
Group Policy Management
Group Policy Object Editor
Group Policy tab for Active Directory Tools
Resultant Set of Policy snap-in
Administrative Templates (Computers)
Administrative Templates (Users)
Folder Redirection
Internet Explorer Maintenance
IP Security Policy Management
NAP Client Configuration
Remote Installation Services
Scripts (Logon/Logoff)
Scripts (Startup/Shutdown)
Security Settings
Software Installation (Computers)
Software Installation (Users)
Windows Firewall with Advanced Security
Wired Network (IEEE 802.3) Policies
Wireless Network (IEEE 802.11) Policies
Administrative Templates (Computers)
Administrative Templates (Users)
Folder Redirection
Internet Explorer Maintenance
Scripts (Logon/Logoff)
Scripts (Startup/Shutdown)
Security Settings
Software Installation (Computers)
Software Installation (Users)
Configure Sync Method
Do not synchronize Windows Apps
Ping the settings storage location before sync
Settings package size warning threshold
Settings storage path
Sync settings over metered connections
Sync settings over metered connections even when roaming
Synchronization timeout
Synchronize Windows settings
Use User Experience Virtualization (UE-V)
VDI Configuration
Calculator
InfoPath 2013 backup only
Internet Explorer 8
Internet Explorer 9
Internet Explorer Common Settings
Microsoft Lync 2010
Microsoft Lync 2013
Microsoft Lync 2016
Microsoft Office 365 InfoPath 2013
Microsoft Office 365 SharePoint Designer 2013
Microsoft SharePoint Workspace 2010
Microsoft Word 2010
Microsoft Word 2013
Microsoft Word 2016
Notepad
SharePoint Designer 2013 backup only
WordPad
Finance
Games
Maps
Music
News
Reader
Sports
Travel
Video
Weather
Configure the inclusion of Microsoft Edge tabs into Alt-Tab
Allow persisting automatic acceptance of Calls
Disable Chat
Disable Directory services
Disable NetMeeting 2.x Whiteboard
Disable Whiteboard
Enable Automatic Configuration
Limit the size of sent files
Prevent adding Directory servers
Prevent automatic acceptance of Calls
Prevent changing Call placement method
Prevent receiving files
Prevent sending files
Prevent viewing Web directory
Set Call Security options
Set the intranet support Web page
Disable application Sharing
Prevent Application Sharing in true color
Prevent Control
Prevent Desktop Sharing
Prevent Sharing
Prevent Sharing Command Prompts
Prevent Sharing Explorer windows
Disable Audio
Disable full duplex Audio
Limit the bandwidth of Audio and Video
Prevent changing DirectSound Audio setting
Prevent receiving Video
Prevent sending Video
Disable the Advanced Calling button
Hide the Audio page
Hide the General page
Hide the Security page
Hide the Video page
Prevent users from sharing files within their profile.
Don't launch privacy settings experience on user logon
Turn off Windows presentation settings
Enable connection through RD Gateway
Set RD Gateway authentication method
Set RD Gateway server address
Allow .rdp files from unknown publishers
Allow .rdp files from valid publishers and user's default .rdp settings
Do not allow passwords to be saved
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers
Set rules for remote control of Remote Desktop Services user sessions
Use Remote Desktop Easy Print printer driver first
Start a program on connection
End session when time limits are reached
Set time limit for active but idle Remote Desktop Services sessions
Set time limit for active Remote Desktop Services sessions
Set time limit for disconnected sessions
Specify default connection URL
Prevent access to feed list
Prevent automatic discovery of feeds and Web Slices
Prevent downloading of enclosures
Prevent subscribing to or deleting a feed or a Web Slice
Turn off background synchronization for feeds and Web Slices
Turn on Basic feed authentication over HTTP
Default excluded paths
Default indexed paths
Prevent adding UNC locations to index from Control Panel
Prevent customization of indexed locations in Control Panel
Prevent indexing certain paths
Turn off storage and display of search history
Do not allow Sound Recorder to run
Only display the private store within the Microsoft Store
Turn off the offer to update to the latest version of Windows
Turn off the Store application
Do not allow Inkball to run
Do not allow printing to Journal Note Writer
Do not allow Snipping Tool to run
Do not allow Windows Journal to be run
Turn off pen feedback
Prevent Back-ESC mapping
Prevent launch an application
Prevent press and hold
Turn off hardware buttons
Disable text prediction
For tablet pen input don’t show the Input Panel icon
For touch input don’t show the Input Panel icon
Include rarely used Chinese Kanji or Hanja characters
Prevent Input Panel tab from appearing
Turn off AutoComplete integration with Input Panel
Turn off password security in Input Panel
Turn off tolerant and Z-shaped scratch-out gestures
Prevent Flicks Learning Mode
Prevent flicks
Turn off Tablet PC Pen Training
Turn off Tablet PC touch input
Turn off Touch Panning
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard
Hide Property Pages
Prevent Task Run or End
Prohibit Browse
Prohibit Drag-and-Drop
Prohibit New Task Creation
Prohibit Task Deletion
Turn off Windows Calendar
Prohibit installing or uninstalling color profiles
Automatically send memory dumps for OS-generated error reports
Disable logging
Disable Windows Error Reporting
Do not send additional data
Do not throttle additional data
Send additional data when on battery power
Send data when on connected to a restricted/costed network
Configure Report Archive
Configure Report Queue
List of applications to be excluded
Configure Default consent
Customize consent settings
Ignore custom consent settings
Use certificate for on-premises authentication
Use Windows Hello for Business
Always install with elevated privileges
Prevent removable media source for any installation
Prohibit rollback
Specify the order in which Windows Installer searches for installation files
Remove logon hours expiration warnings
Report when logon server was not available during user logon
Set action to take when logon hours expire
Prevent CD and DVD Media Information Retrieval
Prevent Music File Media Information Retrieval
Prevent Radio Station Preset Retrieval
Configure HTTP Proxy
Configure MMS Proxy
Configure Network Buffering
Configure RTSP Proxy
Hide Network Tab
Streaming Media Protocols
Allow Screen Saver
Prevent Codec Download
Do Not Show Anchor
Hide Privacy Tab
Hide Security Tab
Set and Lock Skin
Do not allow Windows Messenger to be run
Do not automatically start Windows Messenger initially
Turn off Windows Mobility Center
Set the default source path for Update-Help
Turn on Module Logging
Turn on PowerShell Script Block Logging
Turn on PowerShell Transcription
Turn on Script Execution
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box
Remove access to use all Windows Update features
Enables the use of Token Broker for AD FS authentication
Specify Work Folders settings
Windows 11
Enabled
Enabled
ft corner or press the Windows logo key+X

Disabled
Registry Information
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AutoSubscription
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceClassicControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisallowCpl; HKCU\Software\Microsoft\Windows\Curr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoControlPanel
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!SettingsPageVisibility
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictCpl; HKCU\Software\Microsoft\Windows\Curre
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoWindowsSetupPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoRemovePage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromCDorFloppy
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromInternet
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddFromNetwork
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoChooseProgramsPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoAddRemovePrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!NoSupportInfo
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Uninstall!DefaultCategory
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispCPL
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispSettingsPage
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveActive
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!SetVisualStyle
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!SCRNSAVE.EXE
HKCU\Software\Policies\Microsoft\Windows\Personalization!ThemeFile
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaverIsSecure
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispAppearancePage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoColorChoice
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoChangingWallPaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispBackgroundPage
HKCU\Software\Policies\Microsoft\Windows\Personalization!NoChangingMousePointers
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoDispScrSavPage
HKCU\Software\Policies\Microsoft\Windows\Personalization!NoChangingSoundScheme
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoThemesTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoVisualStyleChoice
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!NoSizeChoice
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!ScreenSaveTimeOut
HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Printers Page URL
HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Downlevel Browse
HKCU\Software\Policies\Microsoft\Windows NT\Printers\Wizard!Default Search Scope
HKCU\Software\Policies\Microsoft\Windows NT\Printers!EnableDeviceControl
HKCU\Software\Policies\Microsoft\Windows NT\Printers!ApprovedUsbPrintDevices
HKCU\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPrintOnly
HKCU\Software\Policies\Microsoft\Windows NT\Printers\PackagePointAndPrint!PackagePointAndPrintServerList; HKCU\Softw
HKCU\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint!Restricted; HKCU\Software\Policies\Microsoft\Windo
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAddPrinter
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDeletePrinter
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows!LegacyDefaultPrinterMode
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoGetPrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoInstalledUpdates
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoProgramsAndFeatures
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoDefaultPrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoWindowsFeatures
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoWindowsMarketplace
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Programs!NoProgramsCPL
HKCU\Software\Policies\Microsoft\Control Panel\International!HideAdminOptions
HKCU\Software\Policies\Microsoft\Control Panel\International!HideCurrentLocation
HKCU\Software\Policies\Microsoft\Control Panel\International!HideLanguageSelection
HKCU\Software\Policies\Microsoft\Control Panel\International!HideLocaleSelectAndCustomize
HKCU\Software\Policies\Microsoft\Control Panel\International!RestrictLanguagePacksAndFeaturesInstall
HKCU\Software\Policies\Microsoft\Control Panel\Desktop!MultiUILanguageID
HKCU\Software\Policies\Microsoft\Control Panel\Desktop!PreferredUILanguages
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffAutocorrectMisspelledWords
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffHighlightMisspelledWords
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffInsertSpace
HKCU\Software\Policies\Microsoft\Control Panel\International!TurnOffOfferTextPredictions
HKCU\SOFTWARE\Policies\Microsoft\InputPersonalization!RestrictImplicitTextCollection HKCU\SOFTWARE\Policies\Microsoft
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsNetHood
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSaveSettings
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetIcon
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetHood
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCloseDragDropBands
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoMovingBands
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisablePersonalDirChange
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{450D8FBA-AD25-11D0-98A8-0800361B1103}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesMyComputer
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesMyDocuments
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPropertiesRecycleBin
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum!{645FF040-5081-101B-9F08-00AA002F954E}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDesktopCleanupWizard
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoWindowMinimizingShortcuts
HKCU\Software\Policies\Microsoft\Windows\Directory UI!EnableFilter
HKCU\Software\Policies\Microsoft\Windows\Directory UI!HideDirectoryFolder
HKCU\Software\Policies\Microsoft\Windows\Directory UI!QueryLimit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\AdminComponent!Add HKCU\Software\Microso
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoHTMLWallPaper
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!Wallpaper HKCU\Software\Microsoft\Windows\Current
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoActiveDesktop
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceActiveDesktopOn
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoAddingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoActiveDesktopChanges
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoClosingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoDeletingComponents
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop!NoEditingComponents
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasAllUserProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DeleteAllUserConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanConnect
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameAllUserRasConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameLanConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_EnableAdminProhibits
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_LanChangeProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasChangeProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AdvancedSettings
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_NewConnectionWizard
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DialupPrefs
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AddRemoveComponents
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasMyProperties
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RasConnect
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_DeleteConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_ChangeBindState
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_RenameMyRasConnection
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_AllowAdvancedTCPIPConfig
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_Statistics
HKCU\Software\Policies\Microsoft\Windows\Network Connections!NC_IpStateChecking
HKCU\Software\Policies\Microsoft\Windows\NetCache!GoOfflineAction
HKCU\Software\Policies\Microsoft\Windows\NetCache!EventLoggingLevel
HKCU\Software\Policies\Microsoft\Windows\NetCache!InitialBalloonTimeoutSeconds
HKCU\Software\Policies\Microsoft\Windows\NetCache\CustomGoOfflineActions
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoCacheViewer
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoConfigCache
HKCU\Software\Policies\Microsoft\Windows\NetCache!ReminderFreqMinutes
HKCU\Software\Policies\Microsoft\Windows\NetCache!ReminderBalloonTimeoutSeconds
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoMakeAvailableOffline
HKCU\Software\Policies\Microsoft\Windows\NetCache\NoMakeAvailableOfflineList
HKCU\Software\Policies\Microsoft\Windows\NetCache!WorkOfflineDisabled
HKCU\Software\Policies\Microsoft\Windows\NetCache\AssignedOfflineFolders
HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogoff
HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtLogon
HKCU\Software\Policies\Microsoft\Windows\NetCache!SyncAtSuspend
HKCU\Software\Policies\Microsoft\Windows\NetCache!NoReminders
HKCU\Software\Policies\Microsoft\Windows\WCN\UI!DisableWcnUi
HKCU\Software\Policies\Microsoft\Windows NT\SharedFolders!PublishDfsRoots
HKCU\Software\Policies\Microsoft\Windows NT\SharedFolders!PublishSharedFolders
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!MemCheckBoxInRunDlg
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceStartMenuLogOff
HKCU\Software\Policies\Microsoft\Windows\Explorer!AddSearchInternetLinkInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ForceRunOnStartMenu
HKCU\Software\Policies\Microsoft\Windows\Explorer!PowerButtonAction
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClearRecentDocsOnExit
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClearRecentProgForNewUserInStartMenu
HKCU\Software\Policies\Microsoft\Windows\Explorer!ClearTilesOnExit
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableContextMenusInStart
HKCU\Software\Policies\Microsoft\Windows\Explorer!EnableLegacyBalloonNotifications
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoPinningToDestinations
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoPinningToTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoPinningStoreToTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!TaskbarNoMultimon
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoToolbarsOnTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoRemoteDestinations
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsHistory
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchCommInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchFilesInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchInternetInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchProgramsInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoResolveSearch
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoResolveTrack
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSimpleStartMenu
HKCU\Software\Policies\Microsoft\Windows\Explorer!ForceStartSize
HKCU\Software\Policies\Microsoft\Windows\Explorer!GoToDesktopOnSignIn
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!GreyMSIAds
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTrayItemsDisplay
HKCU\Software\Policies\Microsoft\Windows\Explorer!DesktopAppsFirstInAppsView
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarLockAll
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!LockTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!StartPinAppsWhenInstalled; HKCU\Software\Policies\Microsoft\Windo
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSetTaskbar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTaskGrouping
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoAddRemoveToolbar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoRedock
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoDragToolbar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoResize
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoUninstallFromStart
HKCU\Software\Policies\Microsoft\Windows\Explorer!HideRecentlyAddedApps
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoTrayContextMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMorePrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoClose
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMBalloonTip
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideClock
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCommonGroups
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMConfigurePrograms
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMMyDocs
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuDownloads
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFavoritesMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMFUprogramsList
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMyGames
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMHelp
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuHomegroup
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWindowsUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!StartMenuLogOff
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuMyMusic
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetworkConnections
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuNetworkPlaces
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableNotificationCenter
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSMMyPictures
HKCU\Software\Policies\Microsoft\Windows\Explorer!TaskbarNoPinnedList
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuPinnedList
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSetFolders
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecentDocsMenu
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuRecordedTV
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSearchComputerLinkInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFind
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoSearchEverywhereLinkInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuEjectPC
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAPower
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAMeetNow
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCANetwork
HKCU\Software\Policies\Microsoft\Windows\Explorer!HidePeopleBar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAHealth
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!HideSCAVolume
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoUserFolderInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoUserNameInStartMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStartMenuSubFolders
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoStartMenuVideos
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableGlobalSearchOnAppsView
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowRunAsDifferentUserInStart
HKCU\Software\Policies\Microsoft\Windows\Settings!AllowConfigureTaskbarCalendar; HKCU\Software\Policies\Microsoft\W
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowOrHideMostUsedApps
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!QuickLaunchEnabled
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowStartOnDisplayWithForegroundOnWinKey
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowAppsViewOnStart
HKCU\Software\Policies\Microsoft\Windows\Explorer!ShowWindowsStoreAppsOnTaskbar
HKCU\Software\Policies\Microsoft\Windows\Explorer!LockedStartLayout; HKCU\Software\Policies\Microsoft\Windows\Explo
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoNotification
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoSystraySystemPromotion
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoBalloonFeatureAdvertisements
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutoTrayNotify
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!Intellimenus
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TaskbarNoThumbnail
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInstrumentation
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!EntryTime
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!ExitTime
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!AllowCalls
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!DisallowNotificationMirroring
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\QuietHours!Enable
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoTileApplicationNotification
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoToastApplicationNotification
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\PushNotifications!NoToastApplicationNotificationOnLockScre
HKCU\Software\Policies\Microsoft\Control Panel\International\Calendars\TwoDigitYearMax!1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!Shell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWelcomeScreen
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisallowRun; HKCU\Software\Microsoft\Windows\Cur
HKCU\Software\Policies\Microsoft\Windows\App Management!COMClassStore
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableRegistryTools
HKCU\Software\Policies\Microsoft\Windows\System!DisableCMD
HKCU\Software\Policies\Microsoft\Windows\System!DisableInHelp
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictRun; HKCU\Software\Microsoft\Windows\Curr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutoUpdate
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableChangePassword
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableLockWorkstation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoLogoff
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DisableTaskMgr
HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop!EnablePerProcessSystemDPI HKCU\Software\Policies\Mi
HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing!BehaviorOnFailedVerify
HKCU\Software\Policies\Microsoft\Windows\DriverSearching!DontSearchFloppies HKCU\Software\Policies\Microsoft\Window
HKCU\Software\Policies\Microsoft\Windows\DriverSearching!DontPromptForWindowsUpdate
HKCU\Software\Policies\Microsoft\Windows\NetCache!DisableFRAdminPin
HKCU\Software\Policies\Microsoft\Windows\NetCache\{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}!DisableFRAdminPinByF
HKCU\Software\Policies\Microsoft\Windows\System\Fdeploy!FolderRedirectionEnableCacheRename
HKCU\Software\Policies\Microsoft\Windows\System\Fdeploy!PrimaryComputerEnabledFR
HKCU\Software\Policies\Microsoft\Windows\System\Fdeploy!LocalizeXPRelativePaths
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!DCOption
HKCU\Software\Policies\Microsoft\Windows\System!GroupPolicyMinTransferRate
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!NewGPOLinksDisabled
HKCU\Software\Policies\Microsoft\Windows\System!DenyRsopToInteractiveUser
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!ShowPoliciesOnly
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!GPODisplayName
HKCU\Software\Policies\Microsoft\Windows\System!GroupPolicyRefreshTime HKCU\Software\Policies\Microsoft\Windows\S
HKCU\Software\Policies\Microsoft\Windows\Group Policy Editor!DisableAutoADMUpdate
HKCU\Software\Policies\Microsoft\InternetManagement!RestrictCommunication; HKCU\Software\Microsoft\Windows\Curre
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoUseStoreOpenWith
HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableWebPnPDownload
HKCU\Software\Policies\Microsoft\Windows\TabletPC!PreventHandwritingDataSharing
HKCU\Software\Policies\Microsoft\Windows\HandwritingErrorReports!PreventHandwritingErrorReports
HKCU\Software\Policies\Microsoft\Assistance\Client\1.0!NoImplicitFeedback
HKCU\Software\Policies\Microsoft\Assistance\Client\1.0!NoExplicitFeedback
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWebServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInternetOpenWith
HKCU\Software\Policies\Microsoft\Windows NT\Printers!DisableHTTPPrinting
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoOnlinePrintsWizard
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPublishingWizard
HKCU\Software\Policies\Microsoft\Messenger\Client!CEIP
HKCU\Software\Policies\Microsoft\Assistance\Client\1.0!NoOnlineAssist
HKCU\Software\Policies\Microsoft\Control Panel\International!PreventGeoIdChange
HKCU\Software\Policies\Microsoft\Control Panel\International!CustomLocalesNoSelect
HKCU\Software\Policies\Microsoft\Control Panel\International!PreventUserOverrides
HKCU\Software\Policies\Microsoft\Control Panel\International!RestrictUserLocales; HKCU\Software\Policies\Microsoft\Contr
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableCurrentUserRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableCurrentUserRunOnce
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions\ProcessMitigationOptions
HKCU\Software\Policies\Microsoft\Windows\System\Power!PromptPasswordOnResume
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices!Deny_All
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}!Deny_Re
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}!Deny_Wr
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Read!Deny_Read; HKCU\Software\Po
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\Custom\Deny_Write!Deny_Write; HKCU\Software\P
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b}!Deny_Re
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56311-b6bf-11d0-94f2-00a0c91efb8b}!Deny_Wr
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!Deny_Re
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!Deny_Wr
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices!RebootTimeinSeconds_state; HKCU\Software\Policie
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}!Deny_Re
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630b-b6bf-11d0-94f2-00a0c91efb8b}!Deny_Wr
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33}!Deny_
HKCU\Software\Policies\Microsoft\Windows\RemovableStorageDevices\{6AC27878-A6FA-4155-BA85-F98F491D4F33}!Deny_
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLogoffScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLogonScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!HideLegacyLogonScripts
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunLogonScriptSync
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!RunUserPSScriptsFirst
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!ConnectHomeDirToRoot
HKCU\Software\Policies\Microsoft\Windows\System!ExcludeProfileDirs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!EnableProfileQuota; HKCU\Software\Microsoft\Window
HKCU\Software\Policies\Microsoft\Windows\System!CscSuspendDirs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\WAU!Disabled
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockFileElevation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!BlockProtocolElevation
HKCU\Software\Policies\Microsoft\Windows\AppCompat!DisablePCA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!DefaultFileTypeRisk
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!SaveZoneInformation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!HideZoneInfoOnProperties
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!HighRiskFileTypes
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!LowRiskFileTypes
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations!ModRiskFileTypes
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!ScanWithAntiVirus
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments!UseTrustedHandlers
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoAutoplayfornonVolume
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DontSetAutoplayCheckbox
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoAutorun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDriveTypeAutoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Calculator!AllowGraphingCalculator
HKCU\Software\Policies\Microsoft\Windows\CloudContent!ConfigureWindowsSpotlight; HKCU\Software\Policies\Microsoft\W
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableThirdPartySuggestions
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableTailoredExperiencesWithDiagnosticData
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableWindowsSpotlightFeatures
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableSpotlightCollectionOnDesktop
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableWindowsSpotlightWindowsWelcomeExperience
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableWindowsSpotlightOnActionCenter
HKCU\Software\Policies\Microsoft\Windows\CloudContent!DisableWindowsSpotlightOnSettings
HKCU\Software\Policies\Microsoft\Windows\CredUI!DisablePasswordReveal
HKCU\Software\Policies\Microsoft\Windows\DataCollection!AllowTelemetry
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection!MicrosoftEdgeDataOptIn
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUnsignedGadgets
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffSidebar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows\Sidebar!TurnOffUserInstalledGadgets
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowFlip3d
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowAnimations
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DisallowColorizationColorChanges
HKCU\SOFTWARE\Policies\Microsoft\Windows\DWM!DefaultColorizationColorState; HKCU\SOFTWARE\Policies\Microsoft\W
HKCU\SOFTWARE\Policies\Microsoft\Windows\Digital Locker!DoNotRunDigitalLocker
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!AllowEdgeSwipe
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableHelpSticker
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableRecentApps
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!ShowCommandPromptOnWinX
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableCharms
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!TurnOffBackstack
HKCU\Software\Policies\Microsoft\Windows\EdgeUI!DisableMFUTracking
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!EnforceShellExtensionSecurity
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableBindDirectlyToPropertySetStorage
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableKnownFolders; HKCU\Software\Policies\Microsoft\Windows\Ex
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ConfirmFileDelete
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!AlwaysShowClassicMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFolderOptions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RestrictWelcomeCenter
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRecycleFiles
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoRunasInstallPrompt
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!LinkResolveIgnoreLinkInfo
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDrives
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoManageMyComputerVerb
HKCU\Software\Policies\Microsoft\Windows\Explorer!DefaultLibrariesLocation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!RecycleBinSize
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!MaxRecentDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoComputersNearMe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Network!NoEntireNetwork
HKCU\Software\Policies\Microsoft\Windows\Explorer!TryHarderPinnedOpenSearch; HKCU\Software\Policies\Microsoft\Wind
HKCU\Software\Policies\Microsoft\Windows\Explorer!TryHarderPinnedLibrary; HKCU\Software\Policies\Microsoft\Windows\
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoViewOnDrive
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreventItemCreationInUsersFilesFolder
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoNetConnectDisconnect
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoCDBurning
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoDFSTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoViewContextMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoFileMenu
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoHardwareTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoShellSearchButton
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSecurityTab
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoSharedDocuments
HKCU\Software\Policies\Microsoft\Windows\Explorer!NoSearchInternetTryHarderButton
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeKeyboardNavigationIndicators
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoChangeAnimation
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PromptRunasInstallNetPath
HKCU\Software\Policies\Microsoft\Windows\Explorer!ExplorerRibbonStartsMinimized; HKCU\Software\Policies\Microsoft\W
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoThumbnailCache
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!TurnOffSPIAnimations
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableSearchBoxSuggestions
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoStrCmpLogical
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!PreXPSP2ShellProtocolBehavior
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableThumbsDBOnNetworkFolders
HKCU\Software\Policies\Microsoft\Windows\Explorer!HideContentViewModeSnippets
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableThumbnailsOnNetworkFolders
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!DisableThumbnails
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoWinKeys
HKCU\Software\Policies\Microsoft\Windows\Explorer!DisableIndexedLibraryExperience
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!ClassicShell
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32!NoBackButton
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32!NoPlacesBar
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32!NoFileMru
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\Placesbar!Place0 HKCU\Software\Microsoft\Window
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoReadingPane
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoPreviewPane
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableLocalPage
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableRemotePage
HKCU\Software\Policies\Microsoft\PreviousVersions!HideBackupEntries
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableLocalRestore
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableBackupRestore
HKCU\Software\Policies\Microsoft\PreviousVersions!DisableRemoteRestore
HKCU\Software\Policies\Microsoft\Windows\FileRevocation!DelegatedTuples
HKCU\Software\Policies\Microsoft\InputMethod\Settings\JPN!ConfigureImeVersion
HKCU\Software\Policies\Microsoft\InputMethod\Settings\KOR!ConfigureImeVersion
HKCU\Software\Policies\Microsoft\InputMethod\Settings\CHS!ConfigureImeVersion
HKCU\Software\Policies\Microsoft\InputMethod\Settings\CHT!ConfigureImeVersion
HKCU\software\policies\microsoft\ime\imejp!ShowOnlyPublishingStandardGlyph
HKCU\software\policies\microsoft\ime\imejp!CodeAreaForConversion
HKCU\software\policies\microsoft\ime\shared!UserDict
HKCU\software\policies\microsoft\ime\imejp!UseHistorybasedPredictiveInput
HKCU\software\policies\microsoft\ime\shared!SearchPlugin
HKCU\software\policies\microsoft\ime\shared!OpenExtendedDict
HKCU\software\policies\microsoft\ime\imejp!SaveAutoTuneDataToFile
HKCU\Software\Policies\Microsoft\InputMethod\Settings\Shared!Enable Cloud Candidate
HKCU\Software\Policies\Microsoft\InputMethod\Settings\CHS!Enable Cloud Candidate
HKCU\software\policies\microsoft\ime\shared!misconvlogging
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\SearchExtensions!InternetExtensionName HKCU\Softw
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!AddPolicySearchProviders
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!AllowSaveTargetAsInIEMode
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!ShutdownWaitForOnUnload
HKCU\Software\Policies\Microsoft\Internet Explorer!AllowServicePoweredQSA
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!IgnoreFrameApprovalCheck
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!No_LaunchMediaBar HKCU\Software\Microsoft\Internet Ex
HKCU\Software\Microsoft\Outlook Express!BlockExeAttachments
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!NeedEdgeBrowser HKCU\Software\Policies\Micro
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent!Version
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use FormSuggest; HKCU\Software\Policies\Microsoft\Internet Exp
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableAutoProxyResultCache
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Accessibility
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Advanced
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Autoconfig
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!CalendarContact
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Certificates
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Colors
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connection Settings
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Check_If_Default
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Fonts
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!HomePage; HKCU\Software\Policies\Microsoft\Internet E
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Languages
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!links
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Messaging
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Profiles
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Ratings
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\SecondaryStartPages
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Cache
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExternalBranding
HKCU\Software\Policies\Microsoft\Internet Explorer!DisableImportExportFavorites
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Connwiz Admin Lock
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NotifyDisableIEOptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ResetWebSettings
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DisplayScriptDownloadFailureUI
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoExtensionManagement
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!EnableExtendedIEModeHotkeys
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus; HKCU\Software\Policies\Microsoft\Internet E
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Identities!Locked Down
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!KeepIntranetSitesInInternetExplorer
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!Enable
HKCU\Software\Microsoft\Internet Explorer\WMITelemetry!DomainAllowList
HKCU\Software\Microsoft\Internet Explorer\WMITelemetry!ZoneAllowList
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Check_Associations
HKCU\Software\Policies\Microsoft\Internet Explorer\New Windows!ListBox_Support_Allow; HKCU\Software\Policies\Microso
HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbar\WebBrowser!ITBar7Position
HKCU\Software\Policies\Microsoft\Internet Explorer\Security!DisableFixSecuritySettings
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpMenu
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverride
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!PreventOverrideAppRepUnknown
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!DisablePopupFilterLevel
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Proxy
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChangeDefaultSearchProvider
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AllowWindowReuse
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!OpenInForeground
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSearchBox
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!RestrictPopupExceptionList
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV9
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\SQM!DisableCustomerImprovementProgram
HKCU\Software\Policies\Microsoft\Internet Explorer\Security\ActiveX!BlockNonAdminActiveXInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisableFirstRunCustomize
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!JScriptReplacement
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!UsePolicySearchProvidersOnly
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFindFiles
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSearchCustomization
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!RestrictIE
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!TabProcGrowth
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!ShowMessageWhenOpeningSitesInMicrosoftEdge
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!NewTabPageShow
HKCU\Software\Policies\Microsoft\Windows\AxInstaller!OnlyUseAXISForActiveXInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisableAddSiteMode
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!NoFirsttimeprompt
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!DisableAddonLoadTimePerformanceNotifications
HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery!AutoRecover
HKCU\Software\Policies\Microsoft\Internet Explorer\Geolocation!PolicyDisableGeolocation
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!PopupsUseNewWindow
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoCrashDetection
HKCU\Software\Policies\Microsoft\Internet Explorer\LinksBar!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\PhishingFilter!EnabledV8
HKCU\Software\Policies\Microsoft\Internet Explorer\ZOOM!ZoomDisabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPopupManagement
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!QuickTabsThreshold
HKCU\Software\Policies\Microsoft\Internet Explorer\Recovery!NoReopenLastSession
HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes!ShowSearchSuggestionsGlobal
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!Groups
HKCU\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing!Enabled
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!AutoSuggest
HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes!DisplayQuickPick
HKCU\Software\Policies\Microsoft\Internet Explorer\Security!DisableSecuritySettingsCheck
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\ActiveXFiltering!IsEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Compat_logging!iexplore.exe
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AlwaysShowMenus
HKCU\Software\Microsoft\Internet Explorer\WMITelemetry!Active
HKCU\Software\Microsoft\Internet Explorer\WMITelemetry!XMLPath
HKCU\Software\Policies\Microsoft\Internet Explorer\Suggested Sites!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!FormSuggest Passwords; HKCU\Software\Policies\Microsoft\Intern
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DialupAutodetect
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode!SiteList
HKCU\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesDefaultInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\GPActivities\ActivitiesInstall
HKCU\Software\Policies\Microsoft\Internet Explorer\Activities\Restrictions!UsePolicyActivitiesOnly
HKCU\Software\Policies\Microsoft\Internet Explorer\Activities!NoActivities
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{05589FA1-C356-11CE-BF01-
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{DED22F57-FEE2-11D0-953B
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{2D360201-FFF5-11D1-8D03
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{9276B91A-E780-11d2-8A8D
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{275E2FE0-7486-11D0-89D6-
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{D45FD31B-5C6E-11D1-9EC1
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{D6526FE0-E651-11CF-99CB-
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{AE24FDAE-03C6-11D1-8B76
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{BD1F006E-174F-11D2-95C0-
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{2FF18E10-DE11-11D1-8161-
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{26F24A93-1DA2-11D0-A334
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls!{D27CDB6E-AE6D-11CF-96B8
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_Paste_URLAction_If_Prom
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\Feature_Enable_Script_Paste_URLAction_If_Prom
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_Feature_Enable_Script_Paste_UR
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoOpeninNewWnd
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoSelectDownloadDir
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserClose
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFileNew
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFileOpen
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoBrowserSaveWebComplete
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserSaveAs
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemNetscapeHelp
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemSendFeedback
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemTipOfTheDay
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoHelpItemTutorial
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoFavorites
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserOptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoPrinting
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoBrowserContextMenu
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoReportSiteProblems
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoTheaterMode
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoViewSource
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!MSCompatibilityMode
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!DisableSiteListEditing
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowCompatibilityViewButton
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!AllSitesCompatibilityMode
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation!IntranetCompatibilityMode
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\QuirksPolicyList
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!ClearBrowsingHistoryOnExit
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!History; HKCU\Software\Policies\Microsoft\Windows\Cur
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteBrowsingHistory
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTrackingProtection
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanCookies
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanDownloadHistory
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!UseAllowList
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeleteForms
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanInPrivateBlocking
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableDeletePasswords
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanTIF
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!CleanHistory
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!Settings
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!AdvancedTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ConnectionsTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ContentTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!GeneralTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!PrivacyTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!ProgramsTab
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!SecurityTab
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!PreventIgnoreCertErrors
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnablePunyCode
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Protocols\Mailto!UTF8Encoding
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\Settings!L
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoWebJITSetup
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoJITSetup
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableHTTP2
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableSPDY3_0
HKCU\Software\Policies\Microsoft\Internet Explorer\Download!RunInvalidSignatures
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Enable Browser Extensions
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DoNotTrack
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!NoUpdateCheck
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!CertificateRevocation
HKCU\Software\Policies\Microsoft\Internet Explorer\Download!CheckExeSignatures
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisableEPMCompat
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!DisableRIED
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!DisableCachingOfSSLPages
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Cache!Persistent
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Play_Animations
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Play_Background_Sounds
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Display Inline Videos
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!UseClearType
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!SecureProtocols
HKCU\Software\Policies\Microsoft\Internet Explorer\PrefetchPrerender!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Security\P3Global!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel!UTF8URLQuery
HKCU\Software\Policies\Microsoft\Internet Explorer\FlipAhead!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Isolation64Bit
HKCU\Software\Policies\Microsoft\Internet Explorer\CaretBrowsing!EnableOnStartup
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Isolation
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!EnableHttp1_1
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ProxyHttp1.1
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!ShowContentAdvisor
HKCU\Software\Policies\Microsoft\Internet Explorer\ContinuousBrowsing!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!AllowWebsiteCaches
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!AllowWebsiteDatabases
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!MaxTrustedDomainLimitInMB
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!GarbageCollectionThresholdInDays
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage!DefaultDomainCacheLimitInMB
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!MaxTrustedDomainLimitInMB
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestSingleResourceQuotaInMB
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!ManifestResourceQuota
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\AppCache!TotalLimitInMB
HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserStorage\IndexedDB!TotalLimitInMB
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Template Policies!InternetZoneTemplate; HKC
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!IntranetName
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!UNCAsIntranet
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!ProxyByPass
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Settings\Template Policies!IntranetZoneTemplate; HKC
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Settings\Template Policies!LocalMachineZo
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Lockdown Settings\Template Policies!InternetZoneLock
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Intranet Lockdown Settings\Template Policies!IntranetZoneLock
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Local Machine Zone Lockdown Settings\Template Policies!Local
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Lockdown Settings\Template Policies!Restricted
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Lockdown Settings\Template Policies!TrustedSites
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Restricted Sites Settings\Template Policies!RestrictedSitesZoneT
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_ZoneMapKey; HKCU\Softwar
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Trusted Sites Settings\Template Policies!TrustedSitesZoneTemp
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap!AutoDetect
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnBadCertRecving
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!WarnOnIntranet
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1406
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120b
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120c
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180E
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!180F
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!140C
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!120A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1A04
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1C00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!270B
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3!1E05
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!1406
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!120b
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!120c
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!180E
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!180F
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!140C
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!120A
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!1A04
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!1C00
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!270B
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\3!1E05
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!ApplicationTileImmersiveActivation
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AssociationActivationMode
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!GotoIntranetSiteForSingleWordEntry
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!HideNewEdgeButton
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Anchor Underline
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Friendly http errors
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Page_Transitions
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FormatDetection!PhoneNumberEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!SmoothScroll
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Disable Script Debugger
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Error Dlg Displayed On Every Error
HKCU\Software\Policies\Microsoft\Internet Connection Wizard!DisableICW
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!EnableAlternativeCodec
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Show image placeholders
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Enable AutoImageResize
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Display Inline Images
HKCU\SOFTWARE\Policies\Microsoft\Internet Explorer!SmartDithering
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Print_Background
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!AutoSearch
HKCU\Software\Policies\Microsoft\Internet Explorer\SearchScopes!TopResult
HKCU\Software\Policies\Microsoft\IEAK!NoAutomaticSignup
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!Use AutoComplete
HKCU\Software\Policies\Microsoft\Internet Explorer\DomainSuggestion!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\WindowsSearch!EnabledScopes
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete!Append Completion
HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions!NoDefaultTextSize; HKCU\Software\Policies\Microsoft\Inter
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Background Color
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Text Color
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!Use_DlgBox_Colors
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Anchor Color Visited
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Anchor Color
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Anchor Color Hover
HKCU\Software\Policies\Microsoft\Internet Explorer\Settings!Use Anchor Hover Color
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!UrlEncoding
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoAddingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoAddingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoScheduledUpdates
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChannelUI
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoSubscriptionContent
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoEditingScheduleGroups
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoEditingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoChannelLogging
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoRemovingChannels
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!NoRemovingSubscriptions
HKCU\Software\Policies\Microsoft\Internet Explorer\Infodelivery\Restrictions!MaxSubscriptionSize HKCU\Software\Policies\M
HKCU\Software\Policies\Microsoft\Internet Explorer\Persistence\3!DomainLimit HKCU\Software\Policies\Microsoft\Internet
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!Threshold
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!TrackingProtectionThreshold
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableToolbars
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableLogging
HKCU\Software\Policies\Microsoft\Internet Explorer\Privacy!EnableInPrivateBrowsing
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableInPrivateBlocking
HKCU\Software\Policies\Microsoft\Internet Explorer\Safety\PrivacIE!DisableTrackingProtection
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!DisablePasswordReveal
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DATAURI!iexplore.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_Support_CLSID; HKCU\Software\Microsoft\Window
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT!*
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RestrictToList
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_ADDON_MANAGEMEN
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!RunThisTimeEnabled
HKCU\Software\Microsoft\Internet Explorer\VersionManager!DownloadVersionList
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!VersionCheckEnabled
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!ListBox_DomainAllowlist; HKCU\Software\Microsoft\Windo
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Ext!AuditModeEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!XMLHTTP
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPERSERVER!iexplore
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MAXCONNECTIONSPER1_0SERVER!iexp
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET_MAXCONNECTIONSPERSE
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_CROSS_DOCUMENT_MESSAGING!iexplo
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET!iexplore.exe
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XDOMAINREQUEST!iexplore.exe
HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings!ListBox_Support_AllowedBehaviors; HKCU\Soft
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Security!ENABLE_MD2_MD4
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BEHAVIORS!(Reserved) HKCU\Software
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_BEHAVIORS; HKCU\So
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_HANDLING!(Reserved) HKCU\Soft
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_MIME_HANDLING; HK
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN!(Reserved
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_LOCALMACHINE_LOCK
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MIME_SNIFFING!(Reserved) HKCU\Soft
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_MIME_SNIFFING; HKC
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_MK_PROTOCOL!(Reserved) HK
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_DISABLE_MK_PROTOC
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_PROTOCOL_LOCKDOWN!(Reserved) HK
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_PROTOCOL_LOCKDOW
HKCU\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\RestrictedProtocols!ListBox_Support_3; HKC
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND!(Reserved) HKCU\Softw
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_SECURITYBAND; HKCU
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_OBJECT_CACHING!(Reserved) HKCU\Soft
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_OBJECT_CACHING; HK
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ZONE_ELEVATION!(Reserved) HKCU\Soft
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_ZONE_ELEVATION; HK
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL!(Reserved) H
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_RESTRICT_ACTIVEXINS
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_RESTRICT_FILEDOWNLOAD!(Reserved) H
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_RESTRICT_FILEDOWNL
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!*
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS!(Reserved) HK
HKCU\Software\Policies\Microsoft\Internet Explorer\Main\FeatureControl!ListBox_Support_FEATURE_WINDOW_RESTRICTIO
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!SpecifyDefaultButtons; HKCU\Software\Microsoft\Win
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!TextOption
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoToolbarCustomize
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoBandCustomize
HKCU\Software\Policies\Microsoft\Internet Explorer\MINIE!ShowTabsBelowAddressBar
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!CommandBarEnabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Main!StatusBarWeb
HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbar!Locked
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!ShowLeftAddressToolbar
HKCU\Software\Policies\Microsoft\Internet Explorer\IEDevTools!Disabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions!DisableToolbarUpgrader
HKCU\Software\Policies\Microsoft\Internet Explorer\CommandBar!SmallIcons
HKCU\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocation
HKCU\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableLocationScripting
HKCU\Software\Policies\Microsoft\Windows\LocationAndSensors!DisableSensors
HKCU\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary!UseSharedFolderForBooks
HKCU\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI!ShowOneBox
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Addons!FlashPlayerEnabled
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Privacy!ClearBrowsingHistoryOnExit
HKCU\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary!AllowConfigurationUpdateForBooksLibrary
HKCU\Software\Policies\Microsoft\MicrosoftEdge\F12!AllowDeveloperTools
HKCU\Software\Policies\Microsoft\MicrosoftEdge\BooksLibrary!EnableExtendedBooksTelemetry
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Extensions!ExtensionsEnabled
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowFullScreenMode
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowInPrivate
HKCU\Software\Policies\Microsoft\MicrosoftEdge\BrowserEmulation!MSCompatibilityMode
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowPrelaunch
HKCU\Software\Policies\Microsoft\MicrosoftEdge\TabPreloader!AllowTabPreloading
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowPrinting
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowSavingHistory
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/brows
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Extensions!AllowSideloadingOfExtensions
HKCU\Software\Policies\Microsoft\MicrosoftEdge\ServiceUI!AllowWebContentOnNewTabPage
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!AlwaysEnableBooksLibrary
HKCU\Software\Policies\Microsoft\MicrosoftEdge\OpenSearch!ConfigureAdditionalSearchEngines
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!Use FormSuggest
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!Cookies
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!DoNotTrack
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings\ProvisionedFavorites
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!ConfigureFavoritesBar
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!ConfigureHomeButton
HKCU\Software\Policies\Microsoft\MicrosoftEdge\KioskMode!ConfigureKioskMode; HKCU\Software\Policies\Microsoft\Micro
HKCU\Software\Policies\Microsoft\MicrosoftEdge\KioskMode!ConfigureKioskResetAfterIdleTimeout; HKCU\Software\Policies
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!ConfigureOpenMicrosoftEdgeWith
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!FormSuggest Passwords
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowPopups
HKCU\Software\Policies\Microsoft\MicrosoftEdge\SearchScopes!ShowSearchSuggestionsGlobal
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!ProvisionedHomePages
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Security!FlashClickToRunMode
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode!SiteList
HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!EnabledV9
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!DisableLockdownOfStartPages
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!AllowMixedModePrintingInPDF
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!SyncFavoritesBetweenIEAndMicrosoftEdge
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!PreventAccessToAboutFlagsInMicrosoftEdge
HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!PreventOverrideAppRepUnknown
HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!PreventOverride
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!PreventCertErrorOverrides
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Favorites!LockdownFavorites
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!PreventLiveTileDataCollection
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!PreventFirstRunPage
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Extensions!PreventTurningOffRequiredExtensions
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!HideLocalHostIP
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Favorites!ConfiguredFavorites
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!SendIntranetTraffictoInternetExplorer
HKCU\Software\Policies\Microsoft\MicrosoftEdge\OpenSearch!SetDefaultSearchEngine
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!HomeButtonURL
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!NewTabPageURL
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Main!ShowMessageWhenOpeningSitesInInternetExplorer; HKCU\Software
HKCU\Software\Policies\Microsoft\MicrosoftEdge\Internet Settings!UnlockHomeButton
HKCU\Software\Policies\Microsoft\MMC!RestrictAuthorMode
HKCU\Software\Policies\Microsoft\MMC!RestrictToPermittedSnapins
HKCU\Software\Policies\Microsoft\MMC\{18BA7139-D98B-43c2-94DA-2604E34E175D}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{EBC53A38-A23F-11D0-B09B-00C04FD8DCA6}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{D967F824-9968-11D0-B936-00C04FD8D5B0}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{E355E538-1C2E-11D0-8C37-00C04FD8FE93}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C96401CF-0E17-11D3-885B-00C04F72C717}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1C5DACFA-16BA-11D2-81D0-0000F87A7AA3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{A994E107-6854-4F3D-917C-E6F01670F6D3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{53D6AB1D-2488-11D1-A28C-00C04FB94F17}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{de751566-4cc6-11d1-8ca0-00c04fc297eb}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C9BC92DF-5B9A-11D1-8F00-00C04FC2C17B}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{58221C67-EA27-11CF-ADCF-00AA00A80033}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{74246bfc-4c96-11d0-abef-0020af6b0b7a}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{43668E21-2636-11D1-A1CE-0080C88593A5}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{8EAD3A12-B2C1-11d0-83AA-00A0C92C9D5D}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{677A2D94-28D9-11D1-A95B-008048918FB1}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{634BDE40-E5E1-49A1-B2CD-140FFFC830F9}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{975797FC-4E2A-11D0-B702-00C04FD8DBF7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ad-fe9c-4363-be05-7a4cbb7cb510}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{D2779945-405B-4ACE-8618-508F3E3054AC}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{753EDB4D-2E1B-11D1-9064-00A0C90AB504}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{FF5903A8-78D6-11D1-92F6-006097B01056}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{89cc9588-7628-4d29-8e4a-6550d0087059}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{95AD72F0-44CE-11D0-AE29-00AA004B9986}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{8F8F8DC0-5713-11D1-9551-0060B0576642}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{A841B6C2-7577-11D0-BB1F-00A0C922E79C}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{57C596D0-9370-40C0-BA0D-AB491B63255D}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{DEA8AFA2-CC85-11d0-9CE2-0080C7221EBD}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C96401D1-0E17-11D3-885B-00C04F72C717}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5D6179C8-17EC-11D1-9AA9-00C04FD8FE93}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{a1bc4eca-66b2-44e8-9915-be02e84438ba}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{6630f2d7-bd52-4072-bfa7-863f3d0c5da0}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{6d8880af-e518-43a8-986c-1ad21c4c976e}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{7478EF61-8C46-11d1-8D99-00A0C913CAD4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{FD57D297-4FD9-11D1-854E-00C04FC31FD3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B91B6008-32D2-11D2-9888-00A0C925F917}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{3D5D035E-7721-4B83-A645-6C07A3D403B7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{3CB6973D-3E6F-11D0-95DB-00A024D77700}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1AA7F839-C7F5-11D0-A376-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{011BE22D-E453-11D1-945A-00C04FB984F9}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5ADF5BF6-E452-11D1-945A-00C04FB984F9}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{18ea3f92-d6aa-41d9-a205-2023400c8fbb}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{45ac8c63-23e2-11d1-a696-00c04fd58bc3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{E26D02A0-4C1F-11D1-9AA1-00C04FC3357A}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{7d3830aa-e69e-4e17-8bd1-1b87b97099da}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ac-fe9c-4368-be02-7a4cbb7cbe11}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{23DC5869-BD9F-46fd-AADD-1F869BA64FC3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5C659257-E236-11D2-8899-00104B2AFB46}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1AA7F83C-C7F5-11D0-A376-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1F5EEC01-1214-4D94-80C5-4BDCD2014DDD}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{3F276EB4-70EE-11D1-8A0F-00C04FB93753}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C2FE450B-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{9EC88934-C774-11d1-87F4-00C04FC2C17B}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{90087284-d6d6-11d0-8353-00a0c90640bf}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{C2FE4502-D6C2-11D0-A37B-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{394C052E-B830-11D0-9A86-00C04FD8DBF7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{b05566ae-fe9c-4363-be05-7a4cbb7cb510}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B708457E-DB61-4C55-A92F-0D4B5E9B1224}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{2E19B602-48EB-11d2-83CA-00104BCA42CF}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{90810502-38F1-11D1-9345-00C04FC9DA04}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{6E8E0081-19CD-11D1-AD91-00AA00B8E05A}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{34AB8E82-C27E-11D1-A6C0-00C04FB94F17}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B52C1E50-1DD2-11D1-BC43-00C04FC31FD3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{5880CD5C-8EC0-11d1-9570-0060B0576642}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{243E20B0-48ED-11D2-97DA-00A024D77700}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{DAB1A262-4FD7-11D1-842C-00C04FB6C218}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B1AFF7D0-0C49-11D1-BB12-00C04FC9A3A3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{BD95BA60-2E26-AAD1-AD99-00AA00B8E05A}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{03f1f940-a0f2-11d0-bb77-00aa00a1eab7}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{7AF60DD3-4979-11D1-8A6C-00C04FC33566}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{0F3621F1-23C6-11D1-AD97-00AA00B88E5A}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{E12BBB5D-D59D-4E61-947A-301D25AE8C23}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{8FC0B734-A0E1-11D1-A7D3-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{D70A2BEA-A63E-11D1-A7D4-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{6DC3804B-7212-458D-ADB0-9A07E2AE1FA2}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{0F6B957D-509E-11D1-A7CC-0000F87571E3}!Restrict_Run; HKCU\Software\Policies
HKCU\Software\Policies\Microsoft\MMC\{0F6B957E-509E-11D1-A7CC-0000F87571E3}!Restrict_Run; HKCU\Software\Policies
HKCU\Software\Policies\Microsoft\MMC\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{FC715823-C5FB-11D1-9EEF-00A0C90347FF}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{DEA8AFA0-CC85-11d0-9CE2-0080C7221EBD}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\FX:{a1bc4ecb-66b2-44e8-9915-be02e84438ba}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{3060E8CE-7020-11D2-842D-00C04FA372D4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B66650-4972-11D1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B6664F-4972-11D1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{942A8E4F-A261-11D1-A760-00C04FB9603F}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{BACF5C8A-A3C7-11D1-A760-00C04FB9603F}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{0E752416-F29E-4195-A9DD-7F0D4D5A9D71}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{06993B16-A5C7-47EB-B61C-B1CB7EE600AC}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{2DA6AA7F-8C88-4194-A558-0D36E7FD3E64}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B6F9C8AE-EF3A-41C8-A911-37370C331DD4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{B6F9C8AF-EF3A-41C8-A911-37370C331DD4}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{c40d66a0-e90c-46c6-aa3b-473e38c72bf2}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{d524927d-6c08-46bf-86af-391534d779d3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B66661-4972-11d1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{40B66660-4972-11d1-A7CA-0000F87571E3}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{fe883157-cebd-4570-b7a2-e4fe06abe626}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{7E45546F-6D52-4D10-B702-9C2E67232E62}!Restrict_Run
HKCU\Software\Policies\Microsoft\MMC\{1BC972D6-555C-4FF7-BE2C-C584021A0A6A}!Restrict_Run
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncMethod HKCU\Software\Policies\Microsoft\UEV\Agent\Con
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!DontSyncWindows8AppSettings
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncProviderPingEnabled
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!MaxPackageSizeInBytes
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SettingsStoragePath
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncOverMeteredNetwork
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncOverMeteredNetworkWhenRoaming
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncTimeoutInMilliseconds
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings!DesktopSettings HKCU\Software\Policies\Mic
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration!SyncEnabled
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\WindowsSettings!VdiState; HKCU\Software\Policies\Microsoft\U
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.Access HKCU\So
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016BackupWin32.Access HKCU\So
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftCalculator6
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.Common HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016BackupWin32.Common HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.Excel HKCU\Soft
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016BackupWin32.Excel HKCU\Soft
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.InfoPath HKCU\
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplorer.Version10
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftInternetExplorer.Common
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013BackupWin32 HKCU\Software\P
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016BackupWin32 HKCU\Software\P
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.Access HKCU\Software
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.Excel HKCU\Software\P
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.InfoPath HKCU\Softwa
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Win32.InfoPath HKCU\Softwa
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2010
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Win32 HKCU\Software\Policies
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Win32 HKCU\Software\Policies
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.Common HKCU\Softwa
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Win32.UploadCenter HKCU\So
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Win32.UploadCenter HKCU\So
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.Access HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Office365Win32.Access HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.Common HKC
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Office365Win32.Common HKC
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.Excel HKCU\S
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Office365Win32.Excel HKCU\S
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.InfoPath HKC
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2013Office365Win32 HKCU\Softwar
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftLync2016Office365Win32 HKCU\Softwar
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.OneNote HKC
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Office365Win32.OneNote HKC
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.Outlook HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Office365Win32.Outlook HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.PowerPoint H
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Office365Win32.PowerPoint H
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.Project HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Office365Win32.Project HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.Publisher HKC
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Office365Win32.Publisher HKC
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.SharePointDe
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.Visio HKCU\S
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Office365Win32.Visio HKCU\S
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Office365Win32.Word HKCU\S
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Office365Win32.Word HKCU\S
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Win32.OneDrive HKCU\Softwa
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016Win32.OneDrive HKCU\Softwa
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.OneNote HKCU\Softwa
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.Outlook HKCU\Softwar
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.PowerPoint HKCU\Soft
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.Project HKCU\Software
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.Publisher HKCU\Softwa
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.SharePointDesigner HK
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013Win32.SharePointDesigner HK
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.Groove HKCU\Software
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.Visio HKCU\Software\P
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2010Win32.Word HKCU\Software\
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftNotepad6
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.OneNote HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016BackupWin32.OneNote HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.Outlook HKCU\
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016BackupWin32.Outlook HKCU\
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.PowerPoint HKC
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016BackupWin32.PowerPoint HKC
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.Project HKCU\S
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016BackupWin32.Project HKCU\S
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.Publisher HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016BackupWin32.Publisher HKCU
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.SharePointDesig
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.Visio HKCU\Soft
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016BackupWin32.Visio HKCU\Soft
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2013BackupWin32.Word HKCU\So
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftOffice2016BackupWin32.Word HKCU\So
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Applications!MicrosoftWordpad6
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingFinance_8wekyb3d8bbwe!Syn
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.XboxLIVEGames_8wekyb3d8bbwe
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingMaps_8wekyb3d8bbwe!SyncS
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneMusic_8wekyb3d8bbwe!Sync
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingNews_8wekyb3d8bbwe!SyncS
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.Reader_8wekyb3d8bbwe!SyncSetti
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingSports_8wekyb3d8bbwe!Sync
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingTravel_8wekyb3d8bbwe!Sync
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.ZuneVideo_8wekyb3d8bbwe!Sync
HKCU\Software\Policies\Microsoft\UEV\Agent\Configuration\Windows8AppList\Microsoft.BingWeather_8wekyb3d8bbwe!Sy
HKCU\Software\Policies\Microsoft\Windows\Explorer!MultiTaskingAltTabFilter
HKCU\Software\Policies\Microsoft\Conferencing!PersistAutoAcceptCalls
HKCU\Software\Policies\Microsoft\Conferencing!NoChat
HKCU\Software\Policies\Microsoft\Conferencing!NoDirectoryServices
HKCU\Software\Policies\Microsoft\Conferencing!NoOldWhiteBoard
HKCU\Software\Policies\Microsoft\Conferencing!NoNewWhiteBoard
HKCU\Software\Policies\Microsoft\Conferencing!Use AutoConfig; HKCU\Software\Policies\Microsoft\Conferencing!ConfigFile
HKCU\Software\Policies\Microsoft\Conferencing!MaxFileSendSize
HKCU\Software\Policies\Microsoft\Conferencing!NoAddingDirectoryServers
HKCU\Software\Policies\Microsoft\Conferencing!NoAutoAcceptCalls
HKCU\Software\Policies\Microsoft\Conferencing!NoChangingCallMode
HKCU\Software\Policies\Microsoft\Conferencing!NoReceivingFiles
HKCU\Software\Policies\Microsoft\Conferencing!NoSendingFiles
HKCU\Software\Policies\Microsoft\Conferencing!NoWebDirectory
HKCU\Software\Policies\Microsoft\Conferencing!CallSecurity
HKCU\Software\Policies\Microsoft\Conferencing!IntranetSupportURL
HKCU\Software\Policies\Microsoft\Conferencing!NoAppSharing
HKCU\Software\Policies\Microsoft\Conferencing!NoTrueColorSharing
HKCU\Software\Policies\Microsoft\Conferencing!NoAllowControl
HKCU\Software\Policies\Microsoft\Conferencing!NoSharingDesktop
HKCU\Software\Policies\Microsoft\Conferencing!NoSharing
HKCU\Software\Policies\Microsoft\Conferencing!NoSharingDosWindows
HKCU\Software\Policies\Microsoft\Conferencing!NoSharingExplorer
HKCU\Software\Policies\Microsoft\Conferencing!NoAudio
HKCU\Software\Policies\Microsoft\Conferencing!NoFullDuplex
HKCU\Software\Policies\Microsoft\Conferencing!MaximumBandwidth
HKCU\Software\Policies\Microsoft\Conferencing!NoChangeDirectSound
HKCU\Software\Policies\Microsoft\Conferencing!NoReceivingVideo
HKCU\Software\Policies\Microsoft\Conferencing!NoSendingVideo
HKCU\Software\Policies\Microsoft\Conferencing!NoAdvancedCalling
HKCU\Software\Policies\Microsoft\Conferencing!NoAudioPage
HKCU\Software\Policies\Microsoft\Conferencing!NoGeneralPage
HKCU\Software\Policies\Microsoft\Conferencing!NoSecurityPage
HKCU\Software\Policies\Microsoft\Conferencing!NoVideoPage
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer!NoInplaceSharing
HKCU\Software\Policies\Microsoft\Windows\OOBE!DisablePrivacyExperience
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\PresentationSettings!NoPresentationSettings
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UseProxy; HKCU\SOFTWARE\Policies\Microsoft\Window
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowExplicitLogonMethod HKCU\SOFTWARE\Policies\M
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowExplicitProxyName HKCU\SOFTWARE\Policies\Mic
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowUnsignedFiles
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!AllowSignedFiles
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!DisablePasswordSaving
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!TrustedCertThumbprints
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!Shadow
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!UseUniversalPrinterDriverFirst
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fInheritInitialProgram; HKCU\SOFTWARE\Policies\Micro
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fResetBroken
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxConnectionTime
HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime
HKCU\SOFTWARE\Policies\Microsoft\Workspaces!DefaultConnectionURL
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableFeedPane
HKCU\Software\Policies\Microsoft\Internet Explorer\Feed Discovery!Enabled
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableEnclosureDownload
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!DisableAddRemove
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!BackgroundSyncStatus
HKCU\Software\Policies\Microsoft\Internet Explorer\Feeds!AllowBasicAuthInClear
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultExcludedPaths
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\DefaultIndexedPaths
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search!HideUNCTab
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search!PreventModifyingIndexedLocations
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Search\PreventIndexingCertainPaths
HKCU\SOFTWARE\Policies\Microsoft\Windows\Explorer!DisableSearchHistory
HKCU\SOFTWARE\Policies\Microsoft\SoundRecorder!Soundrec
HKCU\Software\Policies\Microsoft\WindowsStore!RequirePrivateStoreOnly
HKCU\Software\Policies\Microsoft\WindowsStore!DisableOSUpgrade
HKCU\Software\Policies\Microsoft\WindowsStore!RemoveWindowsStore
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableInkball
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableNoteWriterPrinting
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableSnippingTool
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!DisableJournal
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPenFeedback
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonBackEscapeMapping
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonApplicationLaunch
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventButtonPressAndHold
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffButtons
HKCU\software\policies\microsoft\TabletTip\1.7!DisablePrediction
HKCU\software\policies\microsoft\TabletTip\1.7!HideIPTIPTarget
HKCU\software\policies\microsoft\TabletTip\1.7!HideIPTIPTouchTarget
HKCU\software\policies\microsoft\TabletTip\1.7!IncludeRareChar
HKCU\software\policies\microsoft\TabletTip\1.7!DisableEdgeTarget
HKCU\software\policies\microsoft\TabletTip\1.7!DisableACIntegration
HKCU\software\policies\microsoft\TabletTip\1.7!PasswordSecurityState; HKCU\software\policies\microsoft\TabletTip\1.7!Pa
HKCU\software\policies\microsoft\TabletTip\1.7!ScratchOutState; HKCU\software\policies\microsoft\TabletTip\1.7!ScratchO
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicksLearningMode
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!PreventFlicks
HKCU\SOFTWARE\Policies\Microsoft\PenTraining!DisablePenTraining
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffTouchInput
HKCU\SOFTWARE\Policies\Microsoft\TabletPC!TurnOffPanning
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Disable Advanced
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Property Pages
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Execution
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Allow Browse
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!DragAndDrop
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Creation
HKCU\Software\Policies\Microsoft\Windows\Task Scheduler5.0!Task Deletion
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Windows!TurnOffWinCal
HKCU\Software\Policies\Microsoft\Windows\WindowsColorSystem!ProhibitInstallUninstall
HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!EnabledV9
HKCU\Software\Policies\Microsoft\MicrosoftEdge\PhishingFilter!PreventOverride
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!AutoApproveOSDumps
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!LoggingDisabled
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!Disabled
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DontSendAdditionalData
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassDataThrottling
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassPowerThrottling
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!BypassNetworkCostThrottling
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableArchive; HKCU\SOFTWARE\Policies\Microso
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting!DisableQueue; HKCU\SOFTWARE\Policies\Microsoft
HKCU\Software\Policies\Microsoft\Windows\Windows Error Reporting\ExcludedApplications
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultConsent
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent
HKCU\SOFTWARE\Policies\Microsoft\Windows\Windows Error Reporting\Consent!DefaultOverrideBehavior
HKCU\SOFTWARE\Policies\Microsoft\PassportForWork!UseCertificateForOnPremAuth
HKCU\SOFTWARE\Policies\Microsoft\PassportForWork!Enabled; HKCU\SOFTWARE\Policies\Microsoft\PassportForWork!Disa
HKCU\Software\Policies\Microsoft\Windows\Installer!AlwaysInstallElevated
HKCU\Software\Policies\Microsoft\Windows\Installer!DisableMedia
HKCU\Software\Policies\Microsoft\Windows\Installer!DisableRollback
HKCU\Software\Policies\Microsoft\Windows\Installer!SearchOrder
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!DontDisplayLogonHoursWarnings
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!ReportControllerMissing
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System!LogonHoursAction
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventCDDVDMetadataRetrieval
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventMusicFileMetadataRetrieval
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventRadioPresetsRetrieval
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\HTTP!ProxyPolicy; HKCU\Software\Policies\Microsoft\Wi
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\MMS!ProxyPolicy; HKCU\Software\Policies\Microsoft\Wi
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!NetworkBufferingPolicy; HKCU\Software\Policies\Microsoft\Window
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols\RTSP!ProxyPolicy; HKCU\Software\Policies\Microsoft\Wi
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!HideNetworkTab
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer\Protocols!WindowsMediaStreamingProtocols; HKCU\Software\Poli
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!EnableScreenSaver
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!PreventCodecDownload
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!DoNotShowAnchor
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!HidePrivacyTab
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!HideSecurityTab
HKCU\Software\Policies\Microsoft\WindowsMediaPlayer!SetAndLockSkin; HKCU\Software\Policies\Microsoft\WindowsMedi
HKCU\Software\Policies\Microsoft\Messenger\Client!PreventRun
HKCU\Software\Policies\Microsoft\Messenger\Client!PreventAutoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\MobilityCenter!NoMobilityCenter
HKCU\Software\Policies\Microsoft\Windows\PowerShell\UpdatableHelp!EnableUpdateHelpDefaultSourcePath; HKCU\Softwa
HKCU\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging!EnableModuleLogging; HKCU\Software\Policies\Mic
HKCU\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging!EnableScriptBlockLogging; HKCU\Software\Polic
HKCU\Software\Policies\Microsoft\Windows\PowerShell\Transcription!EnableTranscripting; HKCU\Software\Policies\Microso
HKCU\Software\Policies\Microsoft\Windows\PowerShell!EnableScripts; HKCU\Software\Policies\Microsoft\Windows\PowerS
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUAsDefaultShutdownOption
HKCU\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!NoAUShutdownOption
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate!DisableWindowsUpdateAccess; HKCU\Softwar
HKCU\Software\Policies\Microsoft\Windows\WorkFolders!EnableTokenBroker
HKCU\Software\Policies\Microsoft\Windows\WorkFolders!SyncUrl HKCU\Software\Policies\Microsoft\Windows\WorkFolders
Supported On
At least Windows 2000 Service Pack 1
Windows Server 2008 Windows Server 2003 Windows Vista and Windows XP
Supported Windows XP SP1 through Windows Server 2008 RTM
Windows Vista only
Windows 2000 only
Microsoft Windows Server 2003 Windows XP and Windows 2000 Service Pack 1 operating systems only
Microsoft Windows XP Professional with SP2 and Windows Server 2003 family only
Windows Server 2008 Windows Server 2003 Windows Vista Windows XP and Windows 2000
Windows Server 2012 R2 Windows 8.1 Windows RT 8.1 Windows Server 2008 Windows Server 2003 Windows 7 Windows Vist
At least Windows 2000 through Windows 8.1 or Windows Server 2012 R2
Windows Vista only
At least Windows Server 2008 R2 or Windows 7. Not supported on Windows 10 or later
Unknown
Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista Windows XP Windows 2000 and Windows 10
Windows Vista only
Windows Vista only
Windows 2000 only
Unknown
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows 10
At least Windows Server 2012 Windows 8 or Windows RT or at least Internet Explorer 10
Windows Vista only
Windows Vista Service Pack 1
Unknown
Unknown
Unknown
Unknown
At least Internet Explorer 6.0 in Windows XP with Service Pack 2 or Windows Server 2003 with Service Pack 1
Only Internet Explorer 11.0 on Windows 8.1
At least Internet Explorer 6.0 in Windows 2003 Service Pack 1. Not supported on Windows Vista
Only Internet Explorer 6.0 in Windows XP Service Pack 2 or Windows Server 2003 Service Pack 1 through IE8 inclusive
At least Internet Explorer 11.0 on Windows 10 version 1703 or later
Only Internet Explorer 9.0 through 11.0. Not supported on Windows 10
Windows Server 2008 R2 Windows Server 2008 Windows Server 2003 Windows 7 Windows Vista and Windows XP
Microsoft Windows 8 or later
Windows Vista only
Windows Vista only
Windows Vista only
Windows Vista only
Windows Server 2016 Version 1703 Windows 10 Version 1703 Windows 10 Windows 8.1 Windows 8 Windows 7 and Window
Windows 8.1 Windows 8 Windows 7 and Windows Vista only
At least Windows 10
At least Windows 10
Windows Media Player for Windows XP and later.
At least Windows XP Professional Service Pack 1 or At least Windows 2000 Service Pack 3 through Windows 8.1 or Windows S
Help Text
Controls the list of URLs that the user should be auto-subscribed to
This policy setting controls the default Control Panel view whether by category or icons. If this policy setting is enabled the Con
This setting allows you to display or hide specified Control Panel items such as Mouse System or Personalization from the Cont
Disables all Control Panel programs and the PC settings app.This setting prevents Control.exe and SystemSettings.exe the prog
Specifies the list of pages to show or hide from the System Settings app.This policy allows an administrator to block a given set
This policy setting controls which Control Panel items such as Mouse System or Personalization are displayed on the Control P
Prevents users from using Add or Remove Programs to configure installed services.This setting removes the "Set up services" s
Removes the Add New Programs button from the Add or Remove Programs bar. As a result users cannot view or change the a
Removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result users cannot view
Removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result users cannot view or cha
Removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from
Removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using
Prevents users from viewing or installing published programs.This setting removes the "Add programs from your network" sec
Removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result users cannot view o
Prevents users from using Add or Remove Programs.This setting removes Add or Remove Programs from Control Panel and re
Removes links to the Support Info dialog box from programs on the Change or Remove Programs page.Programs listed on the
Specifies the category of programs that appears when users open the "Add New Programs" page.If you enable this setting onl
Disables the Display Control Panel.If you enable this setting the Display Control Panel does not run. When users try to start Dis
Removes the Settings tab from Display in Control Panel.This setting prevents users from using Control Panel to add configure o
Enables desktop screen savers.If you disable this setting screen savers do not run. Also this setting disables the Screen Saver se
This setting allows you to force a specific visual style file by entering the path (location) of the visual style file.This can be a loc
Specifies the screen saver for the user's desktop.If you enable this setting the system displays the specified screen saver on the
Specifies which theme file is applied to the computer the first time a user logs on.If you enable this setting the theme that you
Determines whether screen savers used on the computer are password protected.If you enable this setting all screen savers a
Disables the Color (or Window Color) page in the Personalization Control Panel or the Color Scheme dialog in the Display Cont
This setting forces the theme color scheme to be the default color scheme.If you enable this setting a user cannot change the
Prevents users from adding or changing the background design of the desktop.By default users can use the Desktop Backgroun
Prevents users from changing the desktop icons.By default users can use the Desktop Icon Settings dialog in the Personalizatio
Prevents users from changing the mouse pointers.By default users can use the Pointers tab in the Mouse Control Panel to add
Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users fr
Prevents users from changing the sound scheme.By default users can use the Sounds tab in the Sound Control Panel to add re
This setting disables the theme gallery in the Personalization Control Panel.If you enable this setting users cannot change or sa
Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens.When ena
Prevents users from changing the size of the font in the windows and buttons displayed on their screens.If this setting is enabl
Specifies how much user idle time must elapse before the screen saver is launched.When configured this idle time can be set f
Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to direct users to a We
Allows users to use the Add Printer Wizard to search the network for shared printers.If you enable this setting or do not config
Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard gives users the option o
Determines whether Device Control Printing Restrictions are enforced for printing on this computer. By default ther
This setting is a component of the Device Control Printing Restrictions. To use this setting enable Device Control Printing
This policy restricts clients computers to use package point and print only.If this setting is enabled users will only be able to po
Restricts package point and print to approved servers.This policy setting restricts package point and print connections to appro
This policy setting controls the client Point and Print behavior including the security prompts for Windows Vista computers. Th
Prevents users from using familiar methods to add local and network printers. If this policy setting is enabled it removes t
If this policy setting is enabled it prevents users from deleting local and network printers. If a user tries to delete a printer
This preference allows you to change default printer management.If you enable this setting Windows will not manage the def
Prevents users from viewing or installing published programs from the network. This setting prevents users from accessing th
This setting prevents users from accessing "Installed Updates" page from the "View installed updates" task."Installed Updates
This setting prevents users from accessing "Programs and Features" to view uninstall change or repair programs that are curre
This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result users cannot vie
This setting prevents users from accessing the "Turn Windows features on or off" task from the Programs Control Panel in Cate
This setting prevents users from access the "Get new programs from Windows Marketplace" task from the Programs Control P
This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View
This policy setting removes the Administrative options from the Region settings control panel. Administrative options include
This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control pan
This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional O
This policy setting removes the regional formats interface from the Region settings control panel.This policy setting is used onl
This policy setting restricts the user from installing language packs and language features on demand. This policy does not
This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region setting
This policy setting restricts the Windows UI language for specific users.This policy setting applies to computers with more than
This policy turns off the autocorrect misspelled words option. This does not however prevent the user or an application fr
This policy turns off the highlight misspelled words option. This does not however prevent the user or an application from
This policy turns off the insert a space after selecting a text prediction option. This does not however prevent the user or a
This policy turns off the offer text predictions as I type option. This does not however prevent the user or an application fr
This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic lear
Remote shared folders are not added to Network Locations whenever you open a document in the shared folder.If you disable
Prevents users from saving certain changes to the desktop.If you enable this setting users can change the desktop but some ch
Removes icons shortcuts and other default and user-defined items from the desktop including Briefcase Recycle Bin Computer
Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar.This setting does not prev
Removes the Network Locations icon from the desktop.This setting only affects the desktop icon. It does not prevent users fro
Prevents users from manipulating desktop toolbars.If you enable this setting users cannot add or remove toolbars from the de
Prevents users from adjusting the length of desktop toolbars. Also users cannot reposition items or toolbars on docked toolba
Prevents users from changing the path to their profile folders.By default a user can change the location of their individual profi
This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view o
Removes most occurrences of the My Documents icon.This setting removes the My Documents icon from the desktop from Fi
This setting hides Properties on the context menu for Computer.If you enable this setting the Properties option will not be pre
This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon.If you enable this po
Removes the Properties option from the Recycle Bin context menu.If you enable this setting the Properties option will not be p
Removes most occurrences of the Recycle Bin icon.This setting removes the Recycle Bin icon from the desktop from File Explo
Prevents users from using the Desktop Cleanup Wizard.If you enable this setting the Desktop Cleanup wizard does not automa
Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. If y
Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional
Hides the Active Directory folder in Network Locations.The Active Directory folder displays Active Directory objects in a brows
Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory
Adds and deletes specified Web content items.You can use the "Add" box in this setting to add particular Web-based items or
Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If u
Specifies the desktop background ("wallpaper") displayed on all users' desktops.This setting lets you specify the wallpaper on
Disables Active Desktop and prevents users from enabling it.This setting prevents users from trying to enable or disable Active
Removes Active Desktop content and prevents users from adding Active Desktop content. This setting removes all Active Desk
Enables Active Desktop and prevents users from disabling it.This setting prevents users from trying to enable or disable Active
Prevents users from adding Web content to their Active Desktop.This setting removes the "New" button from Web tab in Disp
Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration.This is a comprehen
Prevents users from removing Web content from their Active Desktop.In Active Desktop you can add items to the desktop but
Prevents users from deleting Web content from their Active Desktop.This setting removes the Delete button from the Web tab
Prevents users from changing the properties of Web content items on their Active Desktop.This setting disables the Properties
Determines whether a user can view and change the properties of remote access connections that are available to all users of
Determines whether users can delete all user remote access connections.To create an all-user remote access connection on th
Determines whether users can enable/disable LAN connections.If you enable this setting the Enable and Disable options for LA
Determines whether nonadministrators can rename all-user remote access connections.To create an all-user connection on th
Determines whether nonadministrators can rename a LAN connection.If you enable this setting the Rename option is enabled
Determines whether users can rename LAN or all user remote access connections.If you enable this setting the Rename option
Determines whether settings that existed in Windows 2000 Server family will apply to Administrators.The set of Network Conn
Determines whether users can change the properties of a LAN connection.This setting determines whether the Properties men
Determines whether Administrators and Network Configuration Operators can change the properties of components used by
Determines whether users can view and change the properties of components used by a private or all-user remote access con
Determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators
Determines whether users can use the New Connection Wizard which creates new network connections.If you enable this setti
Determines whether the Remote Acccess Preferences item on the Advanced menu in Network Connections folder is enabled.T
Determines whether administrators can add and remove network components for a LAN or remote access connection. This se
Determines whether users can view and change the properties of their private remote access connections.Private connections
Determines whether users can connect and disconnect remote access connections.If you enable this setting (and enable the "
Determines whether users can delete remote access connections.If you enable this setting (and enable the "Enable Network C
Determines whether administrators can enable and disable the components used by LAN connections.If you enable this settin
Determines whether users can rename their private remote access connections.Private connections are those that are availab
Determines whether users can configure advanced TCP/IP settings.If you enable this setting (and enable the "Enable Network
Determines whether users can view the status for an active connection.Connection status is available from the connection sta
This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is u
Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files
Determines which events the Offline Files feature records in the event log.Offline Files records events in the Application log in
Determines how long the first reminder balloon for a network status change is displayed.Reminder balloons appear when the
Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the
Disables the Offline Files folder.This setting disables the "View Files" button on the Offline Files tab. As a result users cannot us
Prevents users from enabling disabling or changing the configuration of Offline Files.This setting removes the Offline Files tab f
Determines how often reminder balloon updates appear.If you enable this setting you can select how often reminder balloons
Determines how long updated reminder balloons are displayed.Reminder balloons appear when the user's connection to a ne
This policy setting prevents users from making network files and folders available offline.If you enable this policy setting users
This policy setting allows you to manage a list of files and folders for which you want to block the "Make Available Offline" com
This policy setting removes the "Work offline" command from Explorer preventing users from manually changing whether Offl
This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files an
Determines whether offline files are fully synchronized when users log off.This setting also disables the "Synchronize all offline
Determines whether offline files are fully synchronized when users log on.This setting also disables the "Synchronize all offline
Determines whether offline files are synchonized before a computer is suspended.If you enable this setting offline files are syn
Hides or displays reminder balloons and prevents users from changing the setting.Reminder balloons appear above the Offline
This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting the wizards are t
This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS).If you enab
This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS).If you e
Lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process.All DOS and 16-bit programs r
This policy only applies to the classic version of the start menu and does not affect the new style start menu.Adds the "Log Off
If you enable this policy a "Search the Internet" link is shown when the user performs a search in the start menu search box. T
If you enable this setting the Run command is added to the Start menu. If you disable or do not configure this setting the Run
Set the default action of the power button on the Start menu.If you enable this setting the Start Menu will set the power butto
Clear history of recently opened documents on exit.If you enable this setting the system deletes shortcuts to recently used do
If you enable this policy setting the recent programs list in the start menu will be blank for each new user.If you disable or do n
If you enable this setting the system deletes tile notifications when the user logs on. As a result the Tiles in the start view will a
This policy allows you to prevent users from being able to open context menus in the Start Menu.If you enable this policy then
This policy disables the functionality that converts balloons to toast notifications.If you enable this policy setting system and a
This policy setting allows you to control pinning items in Jump Lists.If you enable this policy setting users cannot pin files folde
This policy setting allows you to control pinning programs to the Taskbar.If you enable this policy setting users cannot change
This policy setting allows you to control pinning the Store app to the Taskbar.If you enable this policy setting users cannot pin
This policy setting allows you to prevent taskbars from being displayed on more than one monitor.If you enable this policy setti
This setting affects the taskbar.The taskbar includes the Start button buttons for currently running tasks custom toolbars the n
This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations.The Start Menu and T
Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents.I
If you enable this policy the start menu search box will not search for communications.If you disable or do not configure this p
If you enable this policy setting the Start menu search box will not search for files.If you disable or do not configure this policy
If you enable this policy the start menu search box will not search for internet history or favorites.If you disable or do not confi
If you enable this policy setting the Start menu search box will not search for programs or Control Panel items.If you disable or
This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut.If you
This policy setting prevents the system from using NTFS tracking features to resolve a shortcut.If you enable this policy setting
This setting affects the presentation of the Start menu.The classic Start menu in Windows 2000 Professional allows users to be
If you enable this policy and set it to Start menu or full screen Start Start will be that size and users will be unable to change th
This policy setting allows users to go to the desktop instead of the Start screen when they sign in.If you enable this policy setti
Displays Start menu shortcuts to partially installed programs in gray text.This setting makes it easier for users to distinguish be
This setting affects the notification area (previously called the "system tray") on the taskbar.Description: The notification area
This policy setting allows desktop apps to be listed first in the Apps view in Start.If you enable this policy setting desktop apps
This policy setting allows you to lock all taskbar settings.If you enable this policy setting the user cannot access the taskbar con
This setting affects the taskbar which is used to switch between running applications.The taskbar includes the Start button list
This policy setting allows pinning apps to Start by default when they are included by AppID on the list.
This policy setting allows you to prevent changes to Taskbar and Start Menu Settings.If you enable this policy setting The user
This setting affects the taskbar buttons used to switch between running programs.Taskbar grouping consolidates similar applic
This policy setting allows you to prevent users from adding or removing toolbars.If you enable this policy setting the user is no
This policy setting allows you to prevent users from changing their Start screen layout.If you enable this setting you will preven
This policy setting allows you to prevent users from moving taskbar to another screen dock location.If you enable this policy se
This policy setting allows you to prevent users from rearranging toolbars.If you enable this policy setting users are not able to
This policy setting allows you to prevent users from resizing the taskbar.If you enable this policy setting users are not be able t
If you enable this setting users cannot uninstall apps from Start.If you disable this setting or do not configure it users can acces
This policy allows you to prevent the Start Menu from displaying a list of recently installed applications.If you enable this polic
This policy setting allows you to remove access to the context menus for the taskbar.If you enable this policy setting the menu
If you enable this setting the Start Menu will either collapse or remove the all apps list from the Start menu.Selecting "Collapse
This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen:
Hides pop-up text on the Start menu and in the notification area.When you hold the cursor over an item on the Start menu or
Prevents the clock in the system notification area from being displayed.If you enable this setting the clock will not be displayed
Removes items in the All Users profile from the Programs menu on the Start menu.By default the Programs menu contains ite
This policy setting allows you to remove the Default Programs link from the Start menu.If you enable this policy setting the De
This policy setting allows you to remove the Documents icon from the Start menu and its submenus.If you enable this policy se
This policy setting allows you to remove the Downloads link from the Start Menu.If you enable this policy setting the Start Men
Prevents users from adding the Favorites menu to the Start menu or classic Start menu.If you enable this setting the Display Fa
If you enable this setting the frequently used programs list is removed from the Start menu.If you disable this setting or do not
If you enable this policy the start menu will not show a link to the Games folder.If you disable or do not configure this policy th
This policy setting allows you to remove the Help command from the Start menu.If you enable this policy setting the Help com
If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Star
This policy setting allows you to remove links and access to Windows Update.If you enable this policy setting users are preven
This policy setting allows you to removes the "Log Off <username>" item from the Start menu and prevents users from restori
This policy setting allows you to remove the Music icon from Start Menu.If you enable this policy setting the Music icon is no lo
This policy setting allows you to remove Network Connections from the Start Menu.If you enable this policy setting users are p
This policy setting allows you to remove the Network icon from Start Menu.If you enable this policy setting the Network icon i
This policy setting removes Notifications and Action Center from the notification area on the taskbar.The notification area is lo
This policy setting allows you to remove the Pictures icon from Start Menu.If you enable this policy setting the Pictures icon is
This policy setting allows you to remove pinned programs from the taskbar.If you enable this policy setting pinned programs a
If you enable this setting the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start m
This policy setting allows you to remove programs on Settings menu.If you enable this policy setting the Control Panel Printers
Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu.The Recen
This policy setting allows you to remove the Recorded TV link from the Start Menu.If you enable this policy setting the Start M
Allows you to remove the Run command from the Start menu Internet Explorer and Task Manager.If you enable this setting th
If you enable this policy the "See all results" link will not be shown when the user performs a search in the start menu search b
This policy setting allows you to remove the Search link from the Start menu and disables some File Explorer search elements.
If you enable this policy a "See more results" / "Search Everywhere" link will not be shown when the user performs a sea
If you enable this setting the "Undock PC" button is removed from the simple Start Menu and your PC cannot be undocked.If y
This policy setting allows you to remove the battery meter from the system control area.If you enable this policy setting the ba
This policy setting allows you to remove the Meet Now icon from the system control area.If you enable this policy setting the M
This policy setting allows you to remove the networking icon from the system control area.If you enable this policy setting the
This policy allows you to remove the People Bar from the taskbar and disables the My People experience.If you enable this po
This policy setting allows you to remove Security and Maintenance from the system control area.If you enable this policy settin
This policy setting allows you to remove the volume control icon from the system control area.If you enable this policy setting
If you enable this policy the start menu will not show a link to the user's storage folder.If you disable or do not configure this p
This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003.If
Hides all folders on the user-specific (top) section of the Start menu. Other items appear but folders are hidden.This setting is
This policy setting allows you to remove the Videos link from the Start Menu.If you enable this policy setting the Start Menu do
This policy setting prevents the user from searching apps files settings (and the web if enabled) when the user searches from t
This policy setting shows or hides the "Run as different user" command on the Start application bar.If you enable this setting u
By default the calendar is set according to the locale of the operating system and users can show an additional calendar. For z
If you enable this policy setting you can configure Start menu to show or hide the list of user's most used apps regardless of us
This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar.If you enable this policy setting the QuickL
This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. Th
This policy setting allows the Apps view to be opened by default when the user goes to Start.If you enable this policy setting th
This policy setting allows users to see Windows Store apps on the taskbar.If you enable this policy setting users will see Windo
Specifies the Start layout for users.This setting lets you specify the Start layout for users and prevents them from changing its
This policy setting allows you to turn off all notification balloons.If you enable this policy setting no notification balloons are sh
This policy setting allows you to turn off automatic promotion of notification icons to the taskbar.If you enable this policy setti
This policy setting allows you to turn off feature advertisement balloon notifications.If you enable this policy setting certain no
This setting affects the notification area also called the "system tray."The notification area is located in the task bar generally a
Disables personalized menus.Windows personalizes long menus by moving recently used items to the top of the menu and hid
This policy setting allows you to turn off taskbar thumbnails.If you enable this policy setting the taskbar thumbnails are not dis
This policy setting allows you to turn off user tracking.If you enable this policy setting the system does not track the programs
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. If
This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. If y
This policy setting blocks voice and video calls during Quiet Hours. If you enable this policy setting voice and video call
This policy setting turns off notification mirroring. If you enable this policy setting notifications from applications an
This policy setting turns off Quiet Hours functionality. If you enable this policy setting toast notifications will not b
This policy setting turns off tile notifications. If you enable this policy setting applications and system features will no
This policy setting turns off toast notifications for applications. If you enable this policy setting applications will not b
This policy setting turns off toast notifications on the lock screen. If you enable this policy setting applications will not
This policy setting determines how programs interpret two-digit years.This policy setting affects only the programs that use th
Specifies an alternate user interface.The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface bu
This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on.If you
Prevents Windows from running the programs you specify in this policy setting.If you enable this policy setting users cannot ru
This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that
Disables the Windows registry editor Regedit.exe.If you enable this policy setting and the user tries to start Regedit.exe a mes
This policy setting prevents users from running the interactive command prompt Cmd.exe. This policy setting also determines
This policy setting allows you to restrict programs from being run from online Help. If you enable this policy settin
Limits the Windows programs that users have permission to run on the computer.If you enable this policy setting users can on
This setting controls automatic updates to a user's computer.Whenever a user connects to the Internet Windows searches for
This policy setting prevents users from changing their Windows password on demand.If you enable this policy setting the 'Cha
This policy setting prevents users from locking the system.While locked the desktop is hidden and the system cannot be used.
This policy setting disables or removes all menu items and buttons that log the user off the system.If you enable this policy setti
This policy setting prevents users from starting Task Manager.Task Manager (taskmgr.exe) lets users start and stop programs;
Per Process System DPI is an application compatibility feature for desktop applications that do not render properly after a disp
Determines how the system responds when a user tries to install driver package files that are not digitally signed.This setting e
This setting configures the location that Windows searches for drivers when a new piece of hardware is found.By default Wind
Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the In
This policy setting allows you to control whether all redirected shell folders such as Contacts Documents Desktop Favorites Mu
This policy setting allows you to control whether individual redirected shell folders are available offline by default.For the folde
This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or si
This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to im
This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Progra
This policy setting determines which domain controller the Group Policy Object Editor snap-in uses.If you enable this setting yo
This policy setting defines a slow connection for purposes of applying and updating Group Policy.If the rate at which data is tra
This policy setting allows you to create new Group Policy object links in the disabled state.If you enable this setting you can cre
This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data.By default interactively logged o
This policy setting prevents administrators from viewing or using Group Policy preferences.A Group Policy administration (.adm
This policy setting allows you to set the default display name for new Group Policy objects.This setting allows you to specify th
This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This
Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy O
This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources.If yo
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file typ
This policy setting specifies whether to allow this client to download print driver packages over HTTP.To set up HTTP printing n
Turns off data sharing from the handwriting recognition personalization tool.The handwriting recognition personalization tool
Turns off the handwriting recognition error reporting tool.The handwriting recognition error reporting tool enables users to re
This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience
This policy setting specifies whether users can provide ratings for Help content.If you enable this policy setting ratings controls
This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering w
This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandl
This policy setting specifies whether to allow printing over HTTP from this client.Printing over HTTP allows a client to print to p
This policy setting specifies whether the "Order Prints Online" task is available from Picture Tasks in Windows folders.The Orde
This policy setting specifies whether the tasks "Publish this file to the Web" "Publish this folder to the Web" and "Publish the s
This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger so
This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows O
This policy setting prevents users from changing their user geographical location (GeoID).If you enable this policy setting users
This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to th
This policy setting prevents the user from customizing their locale by changing their user overrides.Any existing overrides in pl
This policy setting restricts users on a computer to the specified list of user locales. If the list is empty it locks all user locales to
This policy setting ignores the customized run list.You can create a customized list of additional programs and documents that
This policy setting ignores customized run-once lists.You can create a customized list of additional programs and documents th
This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the s
This security feature provides a means to override individual process MitigationOptions settings. This can be used to enfo
This policy setting allows you to configure client computers to lock and prompt for a password when resuming from a hiberna
Configure access to all removable storage classes.This policy setting takes precedence over any individual removable storage p
This policy setting denies read access to the CD and DVD removable storage class.If you enable this policy setting read access i
This policy setting denies write access to the CD and DVD removable storage class.If you enable this policy setting write access
This policy setting denies read access to custom removable storage classes.If you enable this policy setting read access is denie
This policy setting denies write access to custom removable storage classes.If you enable this policy setting write access is den
This policy setting denies read access to the Floppy Drives removable storage class including USB Floppy Drives.If you enable t
This policy setting denies write access to the Floppy Drives removable storage class including USB Floppy Drives.If you enable t
This policy setting denies read access to removable disks.If you enable this policy setting read access is denied to this removab
This policy setting denies write access to removable disks.If you enable this policy setting write access is denied to this remova
This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a c
This policy setting denies read access to the Tape Drive removable storage class.If you enable this policy setting read access is
This policy setting denies write access to the Tape Drive removable storage class.If you enable this policy setting write access i
This policy setting denies read access to removable disks which may include media players cellular phones auxiliary displays an
This policy setting denies write access to removable disks which may include media players cellular phones auxiliary displays a
This policy setting displays the instructions in logoff scripts as they run.Logoff scripts are batch files of instructions that run wh
This policy setting displays the instructions in logon scripts as they run.Logon scripts are batch files of instructions that run whe
This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. Logon scripts are batch files o
This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface progr
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during us
This policy setting restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those used in
This policy setting lets you exclude folders that are normally included in the user's profile. As a result these folders do not need
This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reach
This policy setting allows you to specify which network directories will be synchronized only at logon and logoff via Offline File
By default Add features to Windows 10 is available for all administrators. If you enable this policy setting the wizard will not ru
This policy setting lets you control whether Windows Store apps can open files using the default desktop app for a file type. Be
This policy setting lets you control whether Windows Store apps can open URIs using the default desktop app for a URI schem
This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachment
This policy setting allows you to manage whether Windows marks file attachments with information about their zone of origin
This policy setting allows you to manage whether users can manually remove the zone information from saved file attachmen
This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types
This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types Wind
This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk fi
This policy setting allows you to manage the behavior for notifying registered antivirus programs. If multiple programs are reg
This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments.Preferring th
This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting AutoPlay is
This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when a device is connected.
This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.i
This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert
This policy setting allows you to control whether graphing functionality is available in the Windows Calculator app. If you disab
This policy setting lets you configure Windows spotlight on the lock screen.If you enable this policy setting "Windows spotlight
If you enable this policy Windows spotlight features like lock screen spotlight suggested apps in Start menu or Windows tips w
This policy setting lets you prevent Windows from using diagnostic data to provide tailored experiences to the user.If you enab
This policy setting lets you turn off all Windows Spotlight features at once.If you enable this policy setting Windows spotlight o
This policy setting removes the Spotlight collection setting in Personalization rendering the user unable to select and subseque
This policy setting lets you turn off the Windows Spotlight Windows Welcome experience. This feature helps onboard users to
If you enable this policy Windows Spotlight notifications will no longer be shown on Action Center.If you disable or do not con
If you enable this policy Windows Spotlight suggestions will no longer be shown in Settings app.If you disable or do not configu
This policy setting allows you to configure the display of the password reveal button in password entry user experiences.If you
By configuring this policy setting you can adjust what diagnostic data is collected from Windows. This policy setting also restric
You can configure Microsoft Edge to send intranet history only internet history only or both to Desktop Analytics for enterpris
This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be deployed as compressed
This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the
This policy setting allows you to turn off desktop gadgets that have been installed by the user.If you enable this setting Window
This policy setting allows you to configure the accessibility of the Flip 3D feature. Flip 3D allows the user to view items on the W
This policy setting controls the appearance of window animations such as those found when restoring minimizing and maximiz
This policy setting controls the ability to change the color of window frames. If you enable this policy setting you prevent users
This policy setting controls the default color for window frames when the user does not specify a color. If you enable this polic
Specifies whether Digital Locker can run.Digital Locker is a dedicated download manager associated with Windows Marketplac
If you disable this policy setting users will not be able to invoke any system UI by swiping in from any screen edge.If you enabl
Disables help tips that Windows shows to the user.By default Windows will show the user help tips until the user has successfu
This policy setting allows you to prevent the last app and the list of recent apps from appearing when the mouse is pointing to
This policy setting allows you to prevent users from replacing the Command Prompt with Windows PowerShell in the menu th
This policy setting allows you to prevent Search Share Start Devices and Settings from appearing when the mouse is pointing t
If you enable this setting users will not be allowed to switch between recent apps. The App Switching option in the PC settings
This policy setting prevents Windows from keeping track of the apps that are used and searched most frequently. If you enabl
This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting Windows is d
Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorag
This policy setting allows you to specify a list of known folders that should be disabled. Disabling a known folder will prevent t
Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin.If you en
This policy setting configures File Explorer to always display the menu bar.Note: By default the menu bar is not displayed in Fil
This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explor
This policy setting prevents the display of the Welcome Center at user logon.If you enable this policy setting the Welcome Cen
When a file or folder is deleted in File Explorer a copy of the file or folder is placed in the Recycle Bin. Using this setting you ca
Prevents users from submitting alternate logon credentials to install a program.This setting suppresses the "Install Program As
This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the u
This policy setting allows you to hide these specified drives in My Computer.This policy setting allows you to remove the icons
Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer
This policy setting allows you to specify a location where all default Library definition files for users/machines reside.If you ena
Limits the percentage of a volume's disk space that can be used to store deleted files.If you enable this setting the user has a m
This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on th
This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File
Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Ne
This policy setting allows you to add Internet or intranet sites to the "Search again" links located at the bottom of search resul
This policy setting allows up to five Libraries or Search Connectors to be pinned to the "Search again" links and the Start menu
Prevents users from using My Computer to gain access to the content of selected drives.If you enable this setting users can br
This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Us
Prevents users from using File Explorer or Network Locations to map or disconnect network drives.If you enable this setting th
This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if y
This policy setting allows you to remove the DFS tab from File Explorer.If you enable this policy setting the DFS (Distributed File
Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item.If you enab
Removes the File menu from My Computer and File Explorer.This setting does not prevent users from using other methods to
Removes the Hardware tab.This setting removes the Hardware tab from Mouse Keyboard and Sounds and Audio Devices in Co
This policy setting allows you to remove the Search button from the File Explorer toolbar.If you enable this policy setting the S
Removes the Security tab from File Explorer.If you enable this setting users opening the Properties dialog box for all file system
This policy setting allows you to remove the Shared Documents folder from My Computer.When a Windows client is in a work
If you enable this policy the "Internet" "Search again" link will not be shown when the user performs a search in the Explorer w
Disables the "Hide keyboard navigation indicators until I use the ALT key" option in Display in Control Panel.When this Display
This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the mo
Prompts users for alternate logon credentials during network-based installations.This setting displays the "Install Program As O
This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are o
This policy setting allows you to turn off caching of thumbnail pictures.If you enable this policy setting thumbnail views are not
This policy is similar to settings directly available to computer users. Disabling animations can improve usability for users with
Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the regist
This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical orde
This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full fun
Turns off the caching of thumbnails in hidden thumbs.db files.This policy setting allows you to configure File Explorer to cache
This policy setting allows you to turn off the display of snippets in Content view mode.If you enable this policy setting File Expl
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders.File Explore
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer.File Exp
Turn off Windows Key hotkeys.Keyboards with a Windows key provide users with shortcuts to common shell features. For exa
This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. If y
This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior.If you enable this settin
Hide the Back button in the Open dialog box.This policy setting lets you remove new features added in Microsoft Windows 200
Removes the shortcut bar from the Open dialog box.This setting and others in this folder lets you remove new features added
Removes the list of most recently used files from the Open dialog box.If you disable this setting or do not configure it the "File
Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If enable this setting you can specify f
Hides the Preview Pane in File Explorer.If you enable this policy setting the Preview Pane in File Explorer is hidden and cannot
This policy setting shows or hides the Details Pane in File Explorer.If you enable this policy setting and configure it to hide the p
This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come fr
This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from th
This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backu
This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous
Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID) but can only
This policy setting controls the version of Microsoft IME.If you don’t configure this policy setting user can control IME version t
This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Gly
This policy setting allows you to restrict character code range of conversion by setting character filter.If you enable this policy
This policy setting allows you to turn off the ability to use a custom dictionary.If you enable this policy setting you cannot add e
This policy setting allows you to turn off history-based predictive input.If you enable this policy setting history-based predictive
This policy setting allows you to turn off Internet search integration.Search integration includes both using Search Provider (Ja
This policy setting allows you to turn off Open Extended Dictionary.If you enable this policy setting Open Extended Dictionary i
This policy setting allows you to turn off saving the auto-tuning result to file.If you enable this policy setting the auto-tuning da
This policy setting controls the cloud candidates feature which uses an online service to provide input suggestions that don't e
This policy setting controls the cloud candidates feature which uses an online service to provide input suggestions that don't e
This policy setting allows you to turn on logging of misconversion for the misconversion report.If you enable this policy setting
Set up the menu name and URL for the custom Internet search provider.If you enable this setting the specified menu name an
This policy setting allows you to add a specific list of search providers to the user's default list of search providers. Normally se
This policy setting allows admins to enable "Save Target As" context menu in Internet Explorer mode.If you enable this policy "
This policy setting allows you to revert to the Internet Explorer 8 behavior of allowing OnUnLoad script handlers to display UI d
This policy setting allows Internet Explorer to provide enhanced suggestions as the user types in the Address bar. To provide e
This policy setting allows you to configure whether newly installed add-ons are automatically activated in the Internet Explore
Allows Administrators to enable and disable the Media Explorer Bar and set the auto-play default.The Media Explorer Bar play
Allows Administrators to enable and disable the ability for Outlook Express users to save or open attachments that can potenti
Enables you to configure up to three versions of Microsoft Edge to open a redirected site (in order of preference). Use this pol
This policy setting allows you to customize the Internet Explorer version string as reported to web servers in the HTTP User Ag
This AutoComplete feature suggests possible matches when users are filling up forms.If you enable this setting the user is not
Prevents automatic proxy scripts which interact with a server to automatically configure users' proxy settings from being store
If you enable this policy the user cannot modify the Accessibility options. All options in the "Accessibility" window on the Gene
Prevents users from changing settings on the Advanced tab in the Internet Options dialog box.If you enable this policy users ar
This setting specifies to automatically detect the proxy server settings used to connect to the Internet and customize Internet
Prevents users from changing the default programs for managing schedules and contacts.If you enable this policy the Calenda
Prevents users from changing certificate settings in Internet Explorer. Certificates are used to verify the identity of software pu
Prevents users from changing the default Web page colors.If you enable this policy the color settings for Web pages appear di
Prevents users from changing dial-up settings.If you enable this policy the Settings button on the Connections tab in the Intern
Prevents Microsoft Internet Explorer from checking to see whether it is the default browser.If you enable this policy the Intern
Prevents users from changing font settings.If you enable this policy users will not be able to change font settings for viewing W
The Home page specified on the General tab of the Internet Options dialog box is the default Web page that Internet Explorer
Prevents users from changing language preference settings.If you enable this policy users will not be able to set language pref
Prevents users from changing the colors of links on Web pages.If you enable this policy the color settings for links appear dimm
Prevents users from changing the default programs for messaging tasks.If you enable this policy the E-mail Newsgroups and In
Prevents users from changing Profile Assistant settings.If you enable this policy the My Profile button appears dimmed in the P
Prevents users from changing ratings that help control the type of Internet content that can be viewed.If you enable this polic
Secondary home pages are the default Web pages that Internet Explorer loads in separate tabs from the home page wheneve
Prevents users from changing the browser cache settings such as the location and amount of disk space to use for the Tempor
Prevents branding of Internet programs such as customization of Internet Explorer and Outlook Express logos and title bars by
This policy settings disables the Import/Export Settings wizard. This wizard allows you to import settings from another browse
Prevents users from running the Internet Connection Wizard.If you enable this policy the Setup button on the Connections tab
This policy lets you restrict launching of Internet Explorer as a standalone browser.If you enable this policy it:- Prevents Intern
Prevents users from restoring default settings for home and search pages.If you enable this policy the Reset Web Settings butt
Specifies that error messages will be displayed to users if problems occur with proxy scripts.If you enable this policy error mes
This policy setting allows you to manage whether users have the ability to allow or deny add-ons through Add-On Manager.If y
This policy setting lets admins enable extended Microsoft Edge Internet Explorer mode hotkeys such as "Ctrl+S" to have "Save
This policy setting allows you to enforce full-screen mode which disables the navigation bar the menu bar and the Command b
Prevents users from configuring unique identities by using Identity Manager.Identity Manager enables users to create multiple
Prevents intranet sites from being opened in any browser except Internet Explorer. But note that If the ‘Send all sites not inclu
This policy setting lets you decide whether users can turn on Enterprise Mode for websites with compatibility issues. Optionall
This policy setting allows you to control which Domains are included in the discovery functionality of the Internet Explorer Site
This policy setting allows you to control which site zones are included in the discovery functionality of the Internet Explorer Sit
This policy setting allows you to choose whether users will be notified if Internet Explorer is not the default web browser.If you
This policy setting allows you to specify a list of web sites that will be allowed to open pop-up windows regardless of the Intern
This policy setting positions the menu bar above the navigation bar. The navigation bar contains icons for a variety of features
This policy setting prevents the user from using the "Fix settings" functionality related to Security Settings Check.If you enable
This policy setting prevents the user from accessing Help in Internet Explorer.If you enable this policy setting the following occ
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter prevents the
This policy setting determines whether the user can bypass warnings from SmartScreen Filter. SmartScreen Filter warns the us
This policy setting prevents the user from changing the level of pop-up filtering. The available levels are as follows: High: Bloc
This policy setting specifies if a user can change proxy settings.If you enable this policy setting the user will not be able to confi
This policy setting prevents the user from changing the default search provider for the Address bar and the toolbar Search box
This policy setting allows you to configure how windows open in Internet Explorer when the user clicks links from other applic
This policy setting allows you to configure how new tabs are created by default in Internet Explorer.If you enable this policy se
This policy setting prevents the Search box from appearing in Internet Explorer. When the Search box is available it includes al
You can allow pop-ups from specific websites by adding the sites to the exception list.If you enable this policy setting the user
This policy setting prevents the user from managing SmartScreen Filter which warns the user if the website being visited is kno
This policy setting prevents the user from managing a filter that warns the user if the website being visited is known for fraudu
This policy setting prevents the user from participating in the Customer Experience Improvement Program (CEIP).If you enable
This policy setting allows you to prevent the installation of ActiveX controls on a per-user basis.If you enable this policy setting
This policy setting prevents Internet Explorer from running the First Run wizard the first time a user starts the browser after in
This policy setting specifies whether JScript or JScript9Legacy is loaded for MSHTML/WebOC based invocations. If you enab
This policy setting allows you to restrict the search providers that appear in the Search box in Internet Explorer to those define
Disables using the F3 key to search in Internet Explorer and File Explorer.If you enable this policy the search functionality of th
Makes the Customize button in the Search Assistant appear dimmed.The Search Assistant is a tool that appears in the Search b
This setting lets you decide whether to open all sites not included in the Enterprise Mode Site List in Microsoft Edge. If you use
This policy setting allows you to set the rate at which Internet Explorer creates new tab processes. There are two algorithms th
This policy setting lets you decide whether employees see an additional page in Internet Explorer 11 stating that a site has bee
This policy setting allows you to specify what is displayed when the user opens a new tab.If you enable this policy setting you c
This policy setting allows you to specify how ActiveX controls are installed.If you enable this policy setting ActiveX controls are
This policy setting allows you to manage whether users can pin sites to locations where pinning is allowed such as the taskbar
This policy setting allows you to turn off the ActiveX Opt-In prompt. ActiveX Opt-In prevents websites from loading any ActiveX
This policy setting prevents Internet Explorer from displaying a notification when the average time to load all the user's enable
This policy setting turns off Automatic Crash Recovery.If you enable this policy setting Automatic Crash Recovery does not pro
This policy setting allows you to disable browser geolocation support. This will prevent websites from requesting location data
This policy setting allows you to define the user experience related to how pop-up windows appear in tabbed browsing in Inte
This policy setting allows you to manage the crash detection feature of add-on Management.If you enable this policy setting a
This policy setting allows you to manage whether a user has access to the Favorites bar in Internet Explorer.If you enable this p
This policy setting allows the user to enable the SmartScreen Filter which warns the user if the website being visited is known
This policy setting prevents the user from zooming in to or out of a page to better see the content.If you enable this policy setti
This policy setting allows you to manage pop-up management functionality in Internet Explorer.If you enable this policy setting
This policy setting allows you to turn off the Quick Tabs functionality in Internet Explorer.If you enable this policy setting the e
This policy setting allows you to manage whether a user has access to the Reopen Last Browsing Session feature in Internet Ex
This policy setting allows you to turn off suggestions for all user-installed search providers.If you enable this policy setting the
This policy setting allows you to manage whether the user has access to Tab Grouping in Internet Explorer.If you enable this p
This policy setting allows you to turn off tabbed browsing and related entry points from the Internet Explorer user interface. S
This AutoComplete feature suggests possible matches when users are entering Web addresses in the browser address bar.If y
This policy setting allows you to prevent the quick pick menu from appearing when a user clicks in the Search box.If you enabl
This policy setting turns off the Security Settings Check feature which checks Internet Explorer security settings to determine w
This policy setting controls the ActiveX Filtering feature for websites that are running ActiveX controls. The user can choose to
This policy setting logs information that is blocked by new features in Internet Explorer. The logged compatibility information i
This policy setting allows you to turn on or turn off the earlier menus (for example File Edit and View) in Internet Explorer.If yo
This policy setting allows you to manage the WMI output functionality of the Internet Explorer Site discovery Toolkit(SDTK). W
This policy setting allows you to manage the XML output functionality of the Internet Explorer Site discovery Toolkit(SDTK). Wh
This policy setting controls the Suggested Sites feature which recommends websites based on the user’s browsing activity. Sug
This AutoComplete feature can remember and suggest User names and passwords on Forms.If you enable this setting the use
Specifies that Automatic Detection will be used to configure dial-up settings for users.Automatic Detection uses a DHCP (Dyna
This policy setting lets you specify where to find the list of websites you want opened using Enterprise Mode IE instead of Stan
This policy setting allows you to add default Accelerators.If you enable this policy setting the specified Accelerators are added
This policy setting allows you to add non-default Accelerators.If you enable this policy setting the specified Accelerators are ad
This policy setting restricts the list of Accelerators that the user can access to only the set deployed through Group Policy.If yo
This policy setting allows you to manage whether users can access Accelerators.If you enable this policy setting users cannot a
Designates the Audio/Video Player ActiveX control as administrator-approved.This control is used for playing sounds videos an
Designates the Microsoft Network (MSN) Carpoint automatic pricing control as administrator-approved.This control enables e
This ActiveX control enables users to edit HTML text and see a faithful rendition of how the text would look in the browser. Th
Designates a set of Microsoft Network (MSN) Investor controls as administrator-approved.These controls enable users to view
Designates a set of Microsoft ActiveX controls used to manipulate pop-up menus in the browser as administrator-approved.If
Designates the Microsoft Agent ActiveX control as administrator-approved.Microsoft Agent is a set of software services that su
Designates the Microsoft Chat ActiveX control as administrator-approved.This control is used by Web authors to build text-bas
Designates Microsoft Scriptlet Component as an administrator approved control. It is an Active X control which is used to rend
Designates Microsoft Survey Control as an administrator approved control.If you enable this policy this control can be run in se
Designates a set of MSNBC controls as administrator-approved.These controls enable enhanced browsing of news reports on
Designates NetShow File Transfer Control as an administrator approved control.If you enable this policy this control can be run
Designates Shockwave flash as an administrator approved control.If you enable this policy this control can be run in security zo
This policy setting allows you to bypass prompting when a script that is running in any process on the computer attempts to pe
This policy setting allows you to bypass prompting when a script that is running in the Internet Explorer process attempts to pe
This policy setting allows you to define applications and processes that can access the Clipboard without prompting the user.N
Prevents using the shortcut menu to open a link in a new browser window.If you enable this policy users cannot point to a link
Prevents users from saving a program or file that Microsoft Internet Explorer has downloaded to the hard disk.If you enable th
Prevents users from closing Microsoft Internet Explorer and File Explorer.If you enable this policy the Close command on the F
Prevents users from opening a new browser window from the File menu.If this policy is enabled users cannot open a new brow
Prevents users from opening a file or Web page from the File menu in Internet Explorer.If you enable this policy the Open dial
Prevents users from saving the complete contents that are displayed on or run from a Web page including the graphics scripts
Prevents users from saving Web pages from the browser File menu to their hard disk or to a network share.If you enable this p
Prevents users from displaying tips for users who are switching from Netscape.If you enable this policy the For Netscape Users
Prevents users from sending feedback to Microsoft by clicking the Send Feedback command on the Help menu.If you enable t
Prevents users from viewing or changing the Tip of the Day interface in Microsoft Internet Explorer.If you enable this policy th
Prevents users from running the Internet Explorer Tour from the Help menu in Internet Explorer.If you enable this policy the T
Prevents users from adding removing editing or viewing the list of Favorite links.The Favorites list is a way to store popular link
Prevents users from opening the Internet Options dialog box from the Tools menu in Microsoft Internet Explorer.If you enable
This policy setting allows you to manage whether users can access the Print menu. Starting with Windows 8 this policy setting
This policy setting prevents the shortcut menu from appearing when a user right-clicks a webpage while using Internet Explore
This policy setting allows you to manage whether users can launch the report site problems dialog using a menu option.If you
Prevents users from displaying the browser in full-screen (kiosk) mode without the standard toolbar.If you enable this policy t
Prevents users from viewing the HTML source of Web pages by clicking the Source command on the View menu.If you enable
This policy controls the website compatibility lists that Microsoft provides. The updated website lists are available on Window
This policy setting controls the Compatibility View feature which allows the user to fix website display problems that he or she
This policy setting controls the Compatibility View button that appears on the Command bar. This button allows the user to fix
This policy setting allows you to turn on Internet Explorer 7 Standards Mode. Compatibility View determines how Internet Exp
This policy setting controls how Internet Explorer displays local intranet content. Intranet content is defined as any webpage t
This policy setting allows you to add specific sites that must be viewed in Internet Explorer 7 Compatibility View.If you enable
Compatibility View determines how Internet Explorer identifies itself to a web server and determines whether content is rend
This policy setting allows the automatic deletion of specified items when the last browser window closes. The preferences sele
This setting specifies the number of days that Internet Explorer tracks views of pages in the History List. To access the Tempor
This policy setting prevents the user from performing actions which will delete browsing history. For more information on brow
In Internet Explorer 9 and Internet Explorer 10:This policy setting prevents users from deleting ActiveX Filtering and Tracking P
This policy setting prevents the user from deleting cookies. This feature is available in the Delete Browsing History dialog box.I
This policy setting prevents the user from deleting his or her download history. This feature is available in the Delete Browsing
This policy setting prevents the user from deleting favorites site data. This feature is available in the Delete Browsing History d
This policy setting prevents the user from deleting form data. This feature is available in the Delete Browsing History dialog bo
This policy setting prevents the user from deleting InPrivate Filtering data. Internet Explorer collects InPrivate Filtering data du
This policy setting prevents users from deleting passwords. This feature is available in the Delete Browsing History dialog box.I
This policy setting prevents the user from deleting temporary Internet files. This feature is available in the Delete Browsing His
This policy setting prevents the user from deleting the history of websites that he or she has visited. This feature is available in
This policy setting is used to manage temporary Internet files and cookies associated with your Internet browsing history avail
Removes the Advanced tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented
Removes the Connections tab from the interface in the Internet Options dialog box.If you enable this policy users are prevente
If you enable this policy setting users are prevented from seeing and changing ratings certificates AutoComplete Wallet and Pr
Removes the General tab from the interface in the Internet Options dialog box.If you enable this policy users are unable to see
Removes the Privacy tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented fro
Removes the Programs tab from the interface in the Internet Options dialog box.If you enable this policy users are prevented
Removes the Security tab from the interface in the Internet Options dialog box.If you enable this policy it prevents users from
This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors th
This policy setting allows you to manage whether Internet Explorer converts Unicode domain names to internationalized dom
This policy setting allows you to manage whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) for mai
This policy setting allows you to manage whether users receive a dialog requesting permission for active content on a CD to ru
This policy setting allows you to manage whether users can download and install self-installing program files (non-Internet Exp
This policy setting allows you to manage whether users can automatically download and install Web components (such as fon
This policy setting determines whether Internet Explorer uses the HTTP2 network protocol. HTTP2 requests help optimize the
This policy setting determines whether Internet Explorer uses the SPDY/3 network protocol. SPDY/3 works with HTTP requests
This policy setting allows you to manage whether software such as ActiveX controls and file downloads can be installed or run
This policy setting allows you to manage whether Internet Explorer will launch COM add-ons known as browser helper objects
This policy setting allows you to configure how Internet Explorer sends the Do Not Track (DNT) header.If you enable this policy
This policy setting allows you to manage whether Internet Explorer checks the Internet for newer versions. When Internet Exp
This policy setting allows you to manage whether Internet Explorer will check revocation status of servers' certificates. Certific
This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher
This policy setting prevents ActiveX controls from running in Protected Mode when Enhanced Protected Mode is enabled. Wh
This policy setting prevents the user from using the Reset Internet Explorer Settings feature. Reset Internet Explorer Settings a
This policy setting allows you to manage whether Internet Explorer will save encrypted pages that contain secure (HTTPS) info
This policy setting allows you to manage whether Internet Explorer deletes the contents of the Temporary Internet Files folder
This policy setting allows you to manage whether Internet Explorer will display animated pictures found in Web content. Gene
This policy setting allows you to manage whether Internet Explorer will play sounds found in web content. Generally only soun
This policy setting allows you to manage whether Internet Explorer will display videos found in Web content. Generally only em
This policy setting prevents the text on the screen from being rendered through the ClearType technology that enhances the r
This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0 TLS 1.1 TLS 1.2 Secure Sockets Layer (SS
This policy setting determines whether Internet Explorer preemptively loads websites and content in the background speeding
This policy setting specifies whether you will accept requests from Web sites for Profile Assistant information.If you enable thi
This policy setting determines whether Internet Explorer uses 8-bit Unicode Transformation Format (UTF-8) to encode query s
This policy setting determines whether a user can swipe across a screen or click Forward to go to the next pre-loaded page of
This policy setting determines whether Internet Explorer 11 uses 64-bit processes (for greater security) or 32-bit processes (fo
This policy setting allows you to turn Caret Browsing on or off. Caret Browsing allows users to browse to a webpage by using th
Enhanced Protected Mode provides additional protection against malicious websites by using 64-bit processes on 64-bit versio
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1.If you enable this policy setting Internet Exp
This policy setting allows you to manage whether Internet Explorer uses HTTP 1.1 through proxy connections.If you enable thi
This policy setting shows the Content Advisor setting on the Content tab of the Internet Options dialog box.If you enable this p
This policy setting configures what Internet Explorer displays when a new browsing session is started. By default Internet Explo
This policy setting allows websites to store file resources in application caches on client computers.If you enable this policy setti
This policy setting allows websites to store indexed database cache information on client computers.If you enable this policy s
This policy setting sets file storage limits for application caches of websites that have been allowed to exceed their storage lim
This policy setting sets the number of days an inactive application cache will exist before it is removed. If the application cache
This policy setting sets data storage limits for indexed database and application caches for individual websites. When you set t
This policy setting sets data storage limits for indexed databases of websites that have been allowed to exceed their storage li
This policy setting sets the maximum size for an individual resource file contained in a manifest file. The manifest file is used to
This policy setting sets the maximum number of resource entries that can be specified in a manifest file associated with an app
This policy setting sets the file storage limit for all combined application caches for a user. When you set this policy setting you
This policy setting sets the data storage limit for all combined indexed databases for a user. When you set this policy setting yo
This policy setting controls whether local sites which are not explicitly mapped into any Security Zone are forced into the local
This policy setting controls whether URLs representing UNCs are mapped into the local Intranet security zone.If you enable thi
This policy setting controls whether sites which bypass the proxy server are mapped into the local Intranet security zone.If you
This policy setting allows you to manage a list of sites that you want to associate with a particular security zone. These zone nu
This policy setting enables intranet mapping rules to be applied automatically if the computer belongs to a domain.If you enab
This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned o
This policy setting causes a Notification bar notification to appear when intranet content is loaded and the intranet mapping ru
This policy setting allows you to manage whether a resource hosted on an admin-restricted protocol in the Trusted Sites Zone
This policy setting configures Internet Explorer to open Internet Explorer tiles on the desktop.If you enable this policy setting In
This policy setting allows you to choose how links are opened in Internet Explorer: Let Internet Explorer decide always in Inter
This policy allows the user to go directly to an intranet site for a one-word entry in the Address bar.If you enable this policy se
This policy setting allows you to manage if users can see the button (next to the New Tab button) that opens Microsoft Edge.If
This policy setting specifies how you want links on webpages to be underlined.If you enable this policy setting a user cannot ch
This policy setting specifies whether when there is a problem connecting with an Internet server to provide a detailed descripti
This policy setting specifies if as you move from one Web page to another Internet Explorer fades out of the page you are leav
This policy setting determines whether phone numbers are recognized and turned into hyperlinks which can be used to invoke
This policy setting specifies whether smooth scrolling is used to display content at a predefined speed.If you enable this policy
This policy setting allows you to turn on your script debugger if one is installed. Website developers use script debuggers to te
This policy setting specifies whether to display script errors when a page does not appear properly because of problems with i
This policy setting determines whether the Internet Connection Wizard was completed. If the Internet Connection Wizard was
This policy setting specifies whether Internet Explorer plays media files that use alternative codecs and that require additional
This policy setting specifies whether placeholders appear for graphical images while the images are downloading. This allows i
This policy setting specifies that you want Internet Explorer to automatically resize large images so that they fit in the browser
This policy setting specifies whether graphical images are included when pages are displayed.Sometimes pages that contain se
This policy setting specifies whether you want Internet Explorer to smooth images so that they appear less jagged when displa
This policy setting specifies whether Internet Explorer prints background colors and images when the user prints a webpage. In
This policy setting specifies whether the user can conduct a search on the Address bar.If you enable this policy setting you mu
This policy setting allows you to specify whether a user can browse to the website of a top result when search is enabled on th
This policy setting allows Internet Explorer to be started automatically to complete the signup process after the branding is co
This policy setting let you turn off Inline AutoComplete in File Explorer. Inline AutoComplete provides suggestions for what you
This policy setting turns off URL Suggestions. URL Suggestions allow users to autocomplete URLs in the address bar based on c
This policy setting allows you to prevent Windows Search AutoComplete from providing results in the Internet Explorer Addre
This policy setting allows you to turn on inline AutoComplete in Internet Explorer and File Explorer. The AutoComplete feature
This policy setting prevents the user from choosing the default text size in Internet Explorer.If you enable this policy setting the
This policy setting prevents the user from specifying the background color in Internet Explorer.If you enable this policy setting
This policy setting prevents the user from specifying the text color in Internet Explorer.If you enable this policy setting the user
This policy setting prevents the user from using Windows colors as a part of the display settings.If you enable this policy settin
This policy setting prevents the user from specifying the color of webpage links that he or she has already clicked. Appropriate
This policy setting prevents the user from specifying the color of webpage links that he or she has not yet clicked. Appropriate
This policy setting prevents the user from specifying the color to which hyperlinks change when the mouse pointer pauses on
This policy setting makes hyperlinks change color when the mouse pointer pauses on them.If you enable this policy setting the
This policy setting specifies whether to use 8-bit Unicode Transformation Format (UTF-8) a standard that defines characters so
Prevents users from adding channels to Internet Explorer.Channels are Web sites that are updated automatically on your com
Prevents users from specifying that Web pages can be downloaded for viewing offline. When users make Web pages available
Disables existing schedules for downloading Web pages for offline viewing.When users make Web pages available for offline v
Prevents users from viewing the Channel bar interface. Channels are Web sites that are automatically updated on their compu
Prevents content from being downloaded from Web sites that users have subscribed to.When users make Web pages availabl
Prevents users from adding editing or removing schedules for offline viewing of Web pages and groups of Web pages that use
Prevents users from editing an existing schedule for downloading Web pages for offline viewing.When users make Web pages
Prevents channel providers from recording information about when their channel pages are viewed by users who are working
Prevents users from disabling channel synchronization in Microsoft Internet Explorer.Channels are Web sites that are automati
Prevents users from clearing the preconfigured settings for Web pages to be downloaded for offline viewing.When users make
Restricts the amount of information downloaded for offline viewing.If you enable this policy you can set limits to the size and
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Internet security zone.I
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Local Intranet security
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Local Computer securit
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Restricted Sites security
Limits the amount of storage that a page or site using the DHTML Persistence behavior can use for the Trusted Sites security z
This policy setting allows you to establish the threshold for InPrivate Filtering Automatic mode.The threshold sets the number
This policy setting allows you to establish the threshold for Tracking Protection Automatic mode.The threshold sets the numbe
This policy setting allows you to choose whether or not toolbars and Browser Helper Objects (BHOs) are loaded by default dur
This policy setting allows you to turn off the collection of data used by the InPrivate Filtering Automatic mode.The data consist
This policy setting allows you to turn off the InPrivate Browsing feature.InPrivate Browsing prevents Internet Explorer from sto
This policy setting allows you to turn off InPrivate Filtering.InPrivate Filtering helps users control whether third parties can aut
This policy setting allows you to turn off Tracking Protection.Tracking Protection helps users control whether third parties can
This policy setting allows you to hide the reveal password button when Internet Explorer prompts users for a password. The re
This policy setting allows you to turn on or turn off Data URI support. A Data URI allows web developers to encapsulate images
This policy setting allows you to manage a list of add-ons to be allowed or denied by Internet Explorer. Add-ons in this case are
This policy setting allows you to manage whether processes respect add-on management user preferences (as reflected by Ad
This policy setting allows you to ensure that any Internet Explorer add-ons not listed in the 'Add-on List' policy setting are deni
This policy setting allows you to manage whether the listed processes respect add-on management user preferences (as enter
This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX
This setting determines whether IE automatically downloads updated versions of Microsoft’s VersionList.XML. IE uses this file
This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls
This policy setting allows you to manage a list of domains on which Internet Explorer will stop blocking outdated ActiveX contr
This policy setting determines whether Internet Explorer saves log information for ActiveX controls.If you enable this policy se
This policy setting allows the user to run natively implemented scriptable XMLHTTP.If you enable this policy setting the user ca
This policy setting allows you to change the default limit of WebSocket connections per server. The default limit is 6; you can s
This policy setting allows you to manage whether documents can request data across third-party domains embedded in the pa
The WebSocket object allows websites to request data across domains from your browser by using the WebSocket protocol. T
This policy setting allows you to choose whether websites can request data across domains by using the XDomainRequest obje
For each zone the Binary and Scripted Behavior security restrictions may be configured to allow only a list of admin-approved
This policy setting allows you to manage whether Internet Explorer 9 can install ActiveX controls and other binaries signed wit
File Explorer and Internet Explorer may be configured to prevent active content obtained through restricted protocols from ru
This policy setting allows you to manage whether the Notification bar is displayed for processes other than the Internet Explor
This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or
This policy setting allows you to manage whether the Notification bar is displayed for specific processes when file or code insta
This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes.If you enable this po
This policy setting enables blocking of file download prompts that are not user initiated.If you enable this policy setting file dow
Specifies which buttons will be displayed on the standard toolbar in Microsoft Internet Explorer.If you enable this policy you ca
This policy setting allows you to choose among three different labels for command buttons: show all text labels show selective
Prevents users from determining which buttons appear on the Microsoft Internet Explorer and File Explorer standard toolbars
Prevents users from determining which toolbars are displayed in Microsoft Internet Explorer and File Explorer.If you enable th
This policy setting allows you to manage where tabs are displayed.If you enable this policy setting tabs are displayed on a sepa
This policy setting allows you to show or hide the Command bar.If you enable this policy setting the Command bar is hidden an
This policy setting allows you to show or hide the status bar.If you enable this policy setting the status bar is hidden and the us
This policy setting allows you to lock or unlock the toolbars on the user interface.If you enable this policy setting the toolbars a
This policy setting allows you to lock the Stop and Refresh buttons next to the Back and Forward buttons.If you enable this pol
This policy setting allows you to manage whether the user can access Developer Tools in Internet Explorer.If you enable this p
This policy setting allows you to turn off the toolbar upgrade tool. The toolbar upgrade tool determines whether incompatible
This policy setting allows you increase the size of icons for command buttons.If you enable this policy setting icons for comman
This policy setting turns off the location feature for this computer. If you enable this policy setting the location feature
This policy setting turns off scripting for the location feature. If you enable this policy setting scripts for the location fe
This policy setting turns off the sensor feature for this computer. If you enable this policy setting the sensor feature is
This policy setting lets you decide whether Microsoft Edge stores books from the Books tab to a default shared folder for Wind
This policy setting lets you decide whether the Address bar drop-down functionality is available in Microsoft Edge. We recomm
This setting lets you decide whether employees can run Adobe Flash in Microsoft Edge.If you enable or don't configure this setti
This policy setting allows the automatic clearing of browsing data when Microsoft Edge closes.If you enable this policy setting
This policy setting lets you decide whether Microsoft Edge can automatically update the configuration data for the Books Libra
This policy setting lets you decide whether F12 Developer Tools are available on Microsoft Edge.If you enable or don't configur
This policy setting lets you decide how much data to send to Microsoft about the book you're reading from the Books tab in M
This setting lets you decide whether employees can load extensions in Microsoft Edge.If you enable or don't configure this setti
With this policy you can specify whether to allow full-screen mode which shows only the web content and hides the Microsoft
This policy setting lets you decide whether employees can browse using InPrivate website browsing.If you enable or don't con
This policy setting lets you decide whether to use the Microsoft Compatibility List (a Microsoft-provided list that helps sites wit
This policy setting lets you decide whether Microsoft Edge can pre-launch during Windows sign in when the system is idle and
This policy setting lets you decide whether Microsoft Edge can load the Start and New Tab page during Windows sign in and ea
With this policy you can restrict whether printing web content in Microsoft Edge is allowed.If enabled printing is allowed.If dis
Microsoft Edge saves your user's browsing history which is made up of info about the websites they visit on their devices.If en
This policy setting lets you decide whether users can change their search engine. If you disable this setting users can't add new
Sideloading installs and runs unverified extensions in Microsoft Edge. With this policy you can specify whether unverified exte
This policy setting lets you configure what appears when Microsoft Edge opens a new tab. By default Microsoft Edge opens th
This policy setting helps you to decide whether to make the Books tab visible regardless of a device's country or region setting
This policy setting lets you add up to 5 additional search engines which can't be removed by your employees but can be made
This policy setting lets you decide whether employees can use Autofill to automatically fill in form fields while using Microsoft
This setting lets you configure how to work with cookies.If you enable this setting you must also decide whether to: Allow al
This policy setting lets you decide whether employees can send Do Not Track requests to websites that ask for tracking info. B
This policy setting lets you configure the default list of Favorites that appear for your employees. Employees can change their
The favorites bar shows your user's links to sites they have added to it. With this policy you can specify whether to set the favo
The Home button loads either the default Start page the New tab page or a URL defined in the Set Home Button URL policy.By
Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access either as a single app or as one o
You can configure Microsoft Edge to reset to the configured start experience after a specified amount of idle time. The reset ti
You can configure Microsoft Edge to lock down the Start page preventing users from changing or customizing it.If enabled you
This policy setting lets you decide whether employees can save their passwords locally using Password Manager. By default Pa
This policy setting lets you decide whether to turn on Pop-up Blocker. By default Pop-up Blocker is turned on..If you enable thi
This policy setting lets you decide whether search suggestions appear in the Address bar of Microsoft Edge. By default employ
When you enable the Configure Open Microsoft Edge With policy you can configure one or more Start pages. When you enabl
If you enable or don’t configure the Adobe Flash Click-to-Run setting Microsoft Edge will require a user to click the Click-to
This policy setting lets you configure whether to use Enterprise Mode and the Enterprise Mode Site List to address common co
You can configure Microsoft Edge to disable the lockdown of Start pages allowing users to change or customize their start pag
With this policy you can print PDF files based on per page orientation in Microsoft Edge.If enabled mixed mode printing is allow
This setting lets you decide whether people can sync their favorites between Internet Explorer and Microsoft Edge.If you enab
This policy settings lets you decide whether employees can access the about:flags page which is used to change developer setti
This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about down
Web security certificates are used to ensure a site your users go to is legitimate and in some circumstances encrypts the data.
This policy setting lets you decide whether employees can add import sort or edit the Favorites list on Microsoft Edge.If you en
This policy lets you decide whether Microsoft Edge can gather Live Tile metadata from the ieonline.microsoft.com service to p
This policy setting lets you decide whether employees see Microsoft's First Run webpage when opening Microsoft Edge for the
You can define a list of extensions in Microsoft Edge that users cannot turn off. You must deploy extensions through any availa
This policy setting lets you decide whether an employee's LocalHost IP address shows while making calls using the WebRTC pr
This policy setting allows you to configure a default set of favorites which will appear for employees. Employees cannot modif
This policy setting lets you decide whether your intranet sites should all open using Internet Explorer 11. This setting should on
This policy setting lets you configure the default search engine for your employees. Your employees can change the default se
The home button can be configured to load a custom URL when your user clicks the home button.If enabled or configured and
You can set the default New Tab page URL in Microsoft Edge. Enabling this policy prevents your users from changing the New
You can configure Microsoft Edge to open a site automatically in Internet Explorer 11 and choose to display a notification befo
By default when enabling Configure Home Button or Set Home Button URL the home button is locked down to prevent your u
Prevents users from entering author mode.This setting prevents users from opening the Microsoft Management Console (MM
Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins.-- If you enable this setting
This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting the snap-in is permitted and can
Permits or prohibits use of this snap-in.If you enable this setting the snap-in is permitted. If you disable the setting the snap-in
Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active D
This policy setting configures the sync provider used by User Experience Virtualization (UE-V) to sync settings between users’ c
This policy setting defines whether the User Experience Virtualization (UE-V) Agent synchronizes settings for Windows apps.By
This policy setting allows you to configure the User Experience Virtualization (UE-V) sync provider to ping the settings storage
This policy setting allows you to configure the UE-V Agent to write a warning event to the event log when a settings package fi
This policy setting configures where the settings package files that contain user settings are stored. If you enable this policy se
This policy setting configures the number of milliseconds that the computer waits when retrieving user settings from the settin
This policy setting configures the synchronization of Windows settings between computers.Certain Windows settings will sync
This policy setting allows you to enable or disable User Experience Virtualization (UE-V). Only applies to Windows 10 or earlier
This policy setting configures the synchronization of User Experience Virtualization (UE-V) rollback information for computers r
This policy setting configures the synchronization of user settings of Calculator.By default the user settings of Calculator synch
This policy setting configures the backup of certain user settings for Microsoft InfoPath 2013.Microsoft InfoPath 2013 has user
This policy setting configures the synchronization of user settings which are common between the versions of Internet Explore
This policy setting configures the synchronization of user settings for Microsoft Office 365 InfoPath 2013.Microsoft Office 365 s
This policy setting configures the synchronization of user settings for Microsoft Office 365 SharePoint Designer 2013.Microsoft
This policy setting configures the synchronization of user settings for Microsoft SharePoint Workspace 2010.By default the use
This policy setting configures the synchronization of user settings of Notepad.By default the user settings of Notepad synchron
This policy setting configures the backup of certain user settings for Microsoft SharePoint Designer 2013.Microsoft SharePoint
This policy setting configures the synchronization of user settings of WordPad.By default the user settings of WordPad synchro
This policy setting configures the synchronization of user settings for the Finance app.By default the user settings of Finance sy
This policy setting configures the synchronization of user settings for the Games app.By default the user settings of Games syn
This policy setting configures the synchronization of user settings for the Maps app.By default the user settings of Maps sync b
This policy setting configures the synchronization of user settings for the Music app.By default the user settings of Music sync
This policy setting configures the synchronization of user settings for the News app.By default the user settings of News sync b
This policy setting configures the synchronization of user settings for the Reader app.By default the user settings of Reader syn
This policy setting configures the synchronization of user settings for the Sports app.By default the user settings of Sports sync
This policy setting configures the synchronization of user settings for the Travel app.By default the user settings of Travel sync
This policy setting configures the synchronization of user settings for the Video app.By default the user settings of Video sync b
This policy setting configures the synchronization of user settings for the Weather app.By default the user settings of Weather
This setting controls the inclusion of Microsoft Edge tabs into Alt+Tab.This can be set to show all tabs the most recent 3 or 5 ta
Make the automatic acceptance of incoming calls persistent.
Disables the Chat feature of NetMeeting.
Disables the directory feature of NetMeeting.Users will not logon to a directory (ILS) server when NetMeeting starts. Users wi
Disables the 2.x whiteboard feature of NetMeeting.The 2.x whiteboard is available for compatibility with older versions of Net
Disables the T.126 whiteboard feature of NetMeeting.
Configures NetMeeting to download settings for users each time it starts.The settings are downloaded from the URL listed in t
Limits the size of files users can send to others in a conference.
Prevents users from adding directory (ILS) servers to the list of those they can use for placing calls.
Prevents users from turning on automatic acceptance of incoming calls.This ensures that others cannot call and connect to Ne
Prevents users from changing the way calls are placed either directly or via a gatekeeper server.
Prevents users from receiving files from others in a conference.
Prevents users from sending files to others in a conference.
Prevents users from viewing directories as Web pages in a browser.
Sets the level of security for both outgoing and incoming NetMeeting calls.
Sets the URL NetMeeting will display when the user chooses the Help Online Support command.
Disables the application sharing feature of NetMeeting completely. Users will not be able to host or view shared applications.
Prevents users from sharing applications in true color. True color sharing uses more bandwidth in a conference.
Prevents users from allowing others in a conference to control what they have shared. This enforces a read-only mode; the ot
Prevents users from sharing the whole desktop. They will still be able to share individual applications.
Prevents users from sharing anything themselves. They will still be able to view shared applications/desktops from others.
Prevents users from sharing command prompts. This prevents users from inadvertently sharing out applications since comma
Prevents users from sharing Explorer windows. This prevents users from inadvertently sharing out applications since Explorer
Disables the audio feature of NetMeeting. Users will not be able to send or receive audio.
Disables full duplex mode audio. Users will not be able to listen to incoming audio while speaking into the microphone. Older
Limits the bandwidth audio and video will consume when in a conference. This setting will guide NetMeeting to choose the ri
Prevents user from changing the DirectSound audio setting. DirectSound provides much better audio quality but older audio h
Prevents users from receiving video. Users will still be able to send video provided they have the hardware."
Prevents users from sending video if they have the hardware. Users will still be able to receive video from others.
Disables the Advanced Calling button on the General Options page. Users will not then be able to change the call placement m
Hides the Audio page of the Tools Options dialog. Users will not then be able to change audio settings.
Hides the General page of the Tools Options dialog. Users will not then be able to change personal identification and bandwid
Hides the Security page of the Tools Options dialog. Users will not then be able to change call security and authentication setti
Hides the Video page of the Tools Options dialog. Users will not then be able to change video settings.
This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within
When logging into a new user account for the first time or after an upgrade in some scenarios that user may be presented wit
This policy setting turns off Windows presentation settings.If you enable this policy setting Windows presentation settings can
If you enable this policy setting when Remote Desktop Connection cannot connect directly to a remote computer (an RD Sessi
Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through a
Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host serve
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files fro
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signe
Controls whether a user can save passwords using Remote Desktop Connection.If you enable this setting the credential saving
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted
If you enable this policy setting administrators can interact with a user's Remote Desktop Services session based on the option
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client pr
Configures Remote Desktop Services to run a specified program automatically upon connection.You can use this setting to spe
This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it.Y
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be i
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active be
This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions.You can use this po
This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL
This policy setting prevents the user from using Internet Explorer as a feed reader. This policy setting has no impact on the Win
This policy setting prevents users from having Internet Explorer automatically discover whether a feed or Web Slice is available
This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's compute
This policy setting prevents the user from subscribing to or deleting a feed or a Web Slice.If you enable this policy setting the m
This policy setting controls whether to have background synchronization for feeds and Web Slices.If you enable this policy setti
This policy setting allows users to have their feeds authenticated through the Basic authentication scheme over an unencrypte
Enabling this policy allows you to specify a list of paths to exclude from indexing by default. The user may override these paths
Enabling this policy allows you to specify a list of paths to index by default. The user may override these paths and exclude the
Enabling this policy prevents users from adding UNC locations to the index from the Search and Indexing Options in Control Pa
If enabled Search and Indexing Options in Control Panel does not allow opening the Modify Locations dialog. Otherwise it can
If you enable this policy setting you specify a list of paths to exclude from indexing. The user cannot enter any path that starts
This policy setting prevents search queries from being stored in the registry. If you enable this policy setting search suggestion
Specifies whether Sound Recorder can run.Sound Recorder is a feature of Microsoft Windows Vista that can be used to record
Denies access to the retail catalog in the Microsoft Store but displays the private store.If you enable this setting users will not
Enables or disables the Store offer to update to the latest version of Windows.If you enable this setting the Store application w
Denies or allows access to the Store application.If you enable this setting access to the Store application is denied. Access to th
Prevents start of InkBall game.If you enable this policy the InkBall game will not run.If you disable this policy the InkBall game
Prevents printing to Journal Note Writer.If you enable this policy the Journal Note Writer printer driver will not allow printing t
Prevents the snipping tool from running.If you enable this policy setting the Snipping Tool will not run.If you disable this policy
Prevents start of Windows Journal.If you enable this policy the Windows Journal accessory will not run.If you disable this polic
Disables visual pen action feedback except for press and hold feedback.If you enable this policy all visual pen action feedback
Removes the Back->ESC mapping that normally occurs when menus are visible and for applications that subscribe to this beha
Prevents the user from launching an application from a Tablet PC hardware button.If you enable this policy applications canno
Prevents press and hold actions on hardware buttons so that only one action is available per button.If you enable this policy p
Turns off Tablet PC hardware buttons.If you enable this policy no actions will occur when the buttons are pressed and the butt
Prevents the Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) from prov
Includes rarely used Chinese Kanji and Hanja characters when handwriting is converted to typed text. This policy applies only t
Prevents Input Panel tab from appearing on the edge of the Tablet PC screen.Tablet PC Input Panel is a Tablet PC accessory th
Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is av
Adjusts password security settings in Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Panel in Windows 7 and W
Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out ge
Makes pen flicks learning mode unavailable.If you enable this policy pen flicks are still available but learning mode is not. Pen
Makes pen flicks and all related features unavailable.If you enable this policy pen flicks and all related features are unavailable
Turns off Tablet PC Pen Training.If you enable this policy setting users cannot open Tablet PC Pen Training.If you disable or do
Turn off Tablet PC touch inputTurns off touch input which allows the user to interact with their computer using their finger.If y
Turn off Panning Turns off touch panning which allows users pan inside windows by touch. On a compatible PC with a touc
This setting removes the "Open advanced properties for this task when I click Finish" checkbox from the last page of the Sched
Prevents users from viewing and changing the properties of an existing task.This setting removes the Properties item from the
Prevents users from starting and stopping tasks manually.This setting removes the Run and End Task items from the context m
Limits newly scheduled to items on the user's Start menu and prevents the user from changing the scheduled program for exis
Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks folder.This setting disabl
Prevents users from creating new tasks.This setting removes the Add Scheduled Task item that starts the New Task Wizard. Al
Prevents users from deleting tasks from the Scheduled Tasks folder.This setting removes the Delete command from the Edit m
Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars publishing
This policy setting affects the ability of users to install or uninstall color profiles.If you enable this policy setting users cannot in
This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automa
This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event lo
This policy setting turns off Windows Error Reporting so that reports are not collected or sent to either Microsoft or internal se
This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically.If you en
This policy setting determines whether Windows Error Reporting (WER) sends additional second-level report data even if a CA
This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. B
This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amo
This policy setting controls the behavior of the Windows Error Reporting archive.If you enable this policy setting you can config
This policy setting determines the behavior of the Windows Error Reporting report queue.If you enable this policy setting you
This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is
This policy setting determines the default consent behavior of Windows Error Reporting.If you enable this policy setting you ca
This policy setting determines the consent behavior of Windows Error Reporting for specific event types.If you enable this poli
This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings.If y
Use this policy setting to configure Windows Hello for Business to enroll a sign-in certificate used for on-premises authenticati
Windows Hello for Business is an alternative method for signing into Windows using your Active Directory or Azure Active Dire
This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system.If you ena
This policy setting prevents users from installing any programs from removable media.If you enable this policy setting if a user
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuc
This policy setting specifies the order in which Windows Installer searches for installation files.If you disable or do not configur
This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default a user
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and
This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the
This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet.If you en
This policy setting allows you to prevent media information for music files from being retrieved from the Internet.If you enable
This policy setting allows you to prevent radio station presets from being retrieved from the Internet.If you enable this policy s
This policy setting allows you to specify the HTTP proxy settings for Windows Media Player.If you enable this policy setting sele
This policy setting allows you to specify the MMS proxy settings for Windows Media Player.If you enable this policy setting sele
This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds.If you en
This policy setting allows you to specify the RTSP proxy settings for Windows Media Player.If you enable this policy setting sele
This policy setting allows you to hide the Network tab.If you enable this policy setting the Network tab in Windows Media Play
This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving stre
This policy setting allows a screen saver to interrupt playback.If you enable this policy setting a screen saver is displayed during
This policy setting allows you to prevent Windows Media Player from downloading codecs.If you enable this policy setting the
Prevents the anchor window from being displayed when Windows Media Player is in skin mode.This policy hides the anchor w
This policy setting allows you to hide the Privacy tab in Windows Media Player.If you enable this policy setting the "Update my
This policy setting allows you to hide the Security tab in Windows Media Player.If you enable this policy setting the default sec
This policy setting allows you to set and lock Windows Media Player in skin mode using a specified skin.If you enable this polic
This policy setting allows you to prevent Windows Messenger from running.If you enable this policy setting Windows Messeng
This policy setting prevents Windows Messenger from automatically running at logon. If you enable this policy setting Window
This policy setting turns off Windows Mobility Center.If you enable this policy setting the user is unable to invoke Windows Mo
This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet.If you enable th
This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting pip
This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event
This policy setting lets you capture the input and output of Windows PowerShell commands into text-based transcripts.
This policy setting lets you configure the script execution policy controlling which scripts are allowed to run.If you enable this p
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choic
This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Wi
This setting allows you to remove access to Windows Update.If you enable this setting all Windows Update features are remov
This policy specifies whether Work Folders should use Token Broker for interactive AD FS authentication instead of its own OA
This policy setting specifies the Work Folders server for affected users as well as whether or not users are allowed to change s
view used in the last Control Panel session.Note: Icon size is dependent upon what the user has set it to in the previous session.
nd Support or command lines that use control.exe. This policy has no effect on items displayed in PC settings.If you enable this setting you
The Start screenFile ExplorerThis setting removes PC settings from:The Start screenSettings charmAccount pictureSearch resultsIf users tr
o a blocked page via URI context menu in Explorer or other means will result in the front page of Settings being shown instead.This policy h
er ways to access Control Panel items such as shortcuts in Help and Support or command lines that use control.exe. This policy has no effe
ration tools.If you disable this setting or do not configure it "Set up services" appears only when there are unconfigured system services. I
w Programs button is available to all users.This setting does not prevent users from using other tools and methods to install programs.
configure components of Windows from the installation files.If you disable this setting or do not configure it the Add/Remove Windows C
e it the Change or Remove Programs page is available to all users.This setting does not prevent users from using other tools and methods t
n is available to all users.This setting does not prevent users from using other tools and methods to add or remove program components.N
ot prevent users from using other tools and methods to connect to Windows Update.Note: If the "Hide Add New Programs page" setting
hose programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically syste
as well as which programs are accessible from the Start menu desktop and other locations.If you disable this setting or do not configure it
ssional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs.If you di
ation including a link to the installation files and data that users need to obtain product support such as the Product ID and version numbe
ograms in other categories.To use this setting type the name of a category in the Category box for this setting. You must enter a category t
l) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings.
o effect on the system.If you enable it a screen saver runs provided the following two conditions hold: First a valid screen saver on the clien
ecify will be used. Also a user may not apply a different visual style when changing themes.If you disable or do not configure this setting th
anging the screen saver.If you disable this setting or do not configure it users can select any screen saver.If you enable this setting type th
background color sounds or screen saver after the first logon.If you disable or do not configure this setting the default theme will be appl
Saver dialog in the Personalization or Display Control Panel preventing users from changing the password protection setting.If you do not
dows 8) glass color (on Windows Vista and Windows 7) system colors or color scheme of the desktop and windows.If this setting is disable
r use the "Prevent changing color and appearance" setting.
an be changed by the user.To specify wallpaper for a group use the "Desktop Wallpaper" setting.Note: You must also enable the "Desktop
ista this setting also hides the Desktop tab in the Display Control Panel.
ot configure this setting there is no effect.Note: If you enable this setting but do not specify a theme using the "load a specific theme" setti
this setting prevents users and applications from changing the visual style through the command line. Also a user may not apply a differen
nt size" drop-down list on the Appearance tab.
umstances: - The setting is disabled or not configured. - The wait time is set to zero. - The "Enable Screen Saver" setting is disabled.
a Printer" page in the Add Printer Wizard. The Browse button appears beside the "Connect to a printer on the Internet or on a home or offi
also check the "Connect to this printer (or to browse for a printer select this option and click Next)" radio button on Add Printer Wizard's p
erwise searches begin at the root of Active Directory. This setting only provides a starting point for Active Directory searches for prin
porate network or approved USB-connected printers. If you disable this setting or do not configure it there are no restrictions to prin
e if the current USB connected printer is approved for local printing. Type all the approved vid/pid combinations (separated by comm
m print servers.If this setting is disabled or not configured users will not be restricted to package-aware point and print only.
of non-package point and print connections.Windows Vista and later clients will attempt to make a non-package point and print connecti
er clients will only download print driver components from a list of explicitly named servers. If a compatible print driver is available on the
rs folder in Control Panel. Also users cannot add printers by dragging a printer icon into the Printers folder. If they try a message appe
g other programs to delete a printer. If this policy is disabled or not configured users can delete printers using the methods described
ams" page lists published programs and provides an easy way to install them.Published programs are those programs that the system adm
hers.If this setting is disabled or not configured the "View installed updates" task and the "Installed Updates" page will be available to all u
tools and methods to view or uninstall programs. It also does not prevent users from linking to related Programs Control Panel Features in
or sending e-mail as well as specify the programs that are accessible from the Start menu desktop and other locations.If this setting is disa
d or is not configured the "Turn Windows features on or off" task will be available to all users.This setting does not prevent users from usin
er for installation.Enabling this feature does not prevent users from navigating to Windows Marketplace using other methods. If this featu
software from Windows Marketplace. Programs published or assigned to the user by the system administrator also appear in the Program
se values programmatically.This policy setting is used only to simplify the Regional Options control panel.If you enable this policy setting th
prevent the user or an application from changing the GeoID programmatically.If you disable or do not configure this policy setting the user
UI language. This does not prevent the user or an application from changing the UI language programmatically.If you disable or do not con
an application from changing their user locale or user overrides programmatically.If you disable or do not configure this policy setting the u
er." If you enable this policy setting the installation of language packs and language features is prevented for the user. If you disa
the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language
age for the selected user. If the specified language is not installed on the target computer or you disable this policy setting the language se
y is Enabled then the option will be locked to not autocorrect misspelled words. If the policy is Disabled or Not Configured then the use
ed then the option will be locked to not highlight misspelled words. If the policy is Disabled or Not Configured then the user will be free
er selects a text prediction candidate when using the on-screen keyboard. If the policy is Enabled then the option will be locked to no
n-screen keyboard. If the policy is Enabled then the option will be locked to not offer text predictions. If the policy is Disabled or No
hat is collected includes all outgoing messages in Windows Mail and MAPI enabled email clients as well as URLs from the Internet Explorer
setting shared folders are not added to Network Locations automatically when you open a document in the shared folder.
ems displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove
ork Places icon.

tion.Tip: To view the toolbars that can be added to the desktop right-click a docked toolbar (such as the taskbar beside the Start button) a
ault configuration.Also see the "Prevent adding dragging dropping and closing the Taskbar's toolbars" setting.
in the Target box.
ty Computer folder. This setting allows administrators to restrict their users from seeing Computer in the shell namespace allowing them t
s to the contents of the My Documents folder.This setting does not remove the My Documents icon from the Start menu. To do so use the
t configure this setting the Properties option is displayed as usual.
n opens the File menu.Clicks the My Documents icon and then presses ALT+ENTER.If you disable or do not configure this policy setting the
gure this setting the Properties option is displayed as usual.
contents of the Recycle Bin folder.Note: To make changes to this setting effective you must log off and then log back on.
avior of the Desktop Clean Wizard running every 60 days occurs.Note: When this setting is not enabled users can run the Desktop Cleanup
policy this window minimizing and restoring gesture will apply.
gure it the filter bar does not appear but users can display it by selecting "Filter" on the "View" menu.To see the filter bar open Network Lo
older appears in the Network Locations folder.This setting is designed to let users search Active Directory but not tempt them to casually b
permissions for user or group objects in Active Directory.If you enable this setting you can use the "Number of objects returned" box to li
elete particular Web-based items from users' desktops. Users can add the item again (if settings allow) but the item is deleted each time th
a .bmp format such as JPEG GIF and PNG can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper".Also see th
ype the fully qualified path and name of the file that stores the wallpaper image. You can type a local path such as C:\Windows\web\wallp
op" setting and the "Disable Active Desktop" setting are enabled the "Disable Active Desktop" setting is ignored. If the "Turn on Classic She
desktop.Note: This setting does not disable Active Desktop. Users can still use image formats such as JPEG and GIF for their desktop wallpa
op" setting and the "Disable Active Desktop" setting are enabled the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Sh
eir Active Desktop or prevent users from removing existing Web content.Also see the "Disable all items" setting.
nnot enable or disable Active Desktop. If Active Desktop is already enabled users cannot add remove or edit Web content or disable lock o
xes from items on the Web tab in Display in Control Panel.Note: This setting does not prevent users from deleting items from their Active D
ontent to their Active Desktop.Also see the "Prohibit closing items" and "Disable all items" settings.
perties of an item such as its synchronization schedule password or display characteristics.
nes whether the Properties menu item is enabled and thus whether the Remote Access Connection Properties dialog box is available to us
tion if your file system is NTFS users need to have Write access to Documents and Settings\All Users\Application Data\Microsoft\Network
king it or by using the File menu.If you disable this setting (and enable the "Enable Network Connections settings for Administrators" settin
ections. Any user can rename all-user connections by clicking an icon representing the connection or by using the File menu.If you disable
me option is disabled for nonadministrators only.If you do not configure this setting only Administrators and Network Configuration Operat
etwork Connections settings for Administrators" setting) the Rename option for LAN and all user remote access connections is disabled for
bit the use of certain features from Administrators.By default Network Connections group settings in Windows XP Professional do not have
ttings for Administrators" setting) the Properties menu items are disabled for all users and users cannot open the Local Area Connection Pr
Connections settings for Administrators" setting) the Properties button is disabled for Administrators. Network Configuration Operators ar
ble the "Enable Network Connections settings for Administrators" setting) the Properties button is disabled for all users (including administ
s.If you enable this setting (and enable the "Enable Network Connections settings for Administrators" setting) the Advanced Settings item i
tions folder. As a result users (including administrators) cannot start the New Connection Wizard.Important: If the "Enable Network Conn
ble the "Enable Network Connections settings for Administrators" setting) the Remote Access Preferences item is disabled for all users (inc
s for components of connections are disabled and administrators are not permitted to access network components in the Windows Comp
his setting determines whether the Properties menu item is enabled and thus whether the Remote Access Connection Properties dialog bo
ding administrators).Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured this setting w
ntext menu for a remote access connection and on the File menu in the Network Connections folder.Important: If the "Enable Network Co
cannot enable or disable the components that a connection uses.Important: If the "Enable Network Connections settings for Administrato
d enable the "Enable Network Connections settings for Administrators" setting) the Rename option is disabled for all users (including adm
result users cannot open the Advanced TCP/IP Settings Properties page and modify IP settings such as DNS and WINS server information.
re the properties of the connection.If you enable this setting the connection status taskbar icon and Status dialog box are not available to
cates that a DHCP server could not be reached or the DHCP server was reached but unable to respond to the request with a valid IP addre
ou enable this setting you can use the "Action" box to specify how computers in the group respond.-- "Work offline" indicates that the com
tional events you want Offline Files to record.To use this setting in the "Enter" box select the number corresponding to the events you wan
ear every 60 minutes and are displayed for 15 seconds. You can use this setting to change the duration of the first reminder.This setting ap
the Value Name column box type the server's computer name. Then in the Value column box type "0" if users can work offline when they
status type or location.This setting does not prevent users from working offline or from saving local copies of files available offline. Also it d
result users cannot view or change the options on the Offline Files tab or Offline Files dialog box.This is a comprehensive setting that locks
ed periodically. By default the first reminder for an event is displayed for 30 seconds. Then updates appear every 60 minutes and are disp
are displayed for 15 seconds. You can use this setting to change the duration of the update reminder.This setting appears in the Compute
ching.If you disable or do not configure this policy setting users can manually specify files and folders that they want to make available offl
e Show Contents dialog box in the Value Name column box type the fully qualified UNC path to the file or folder. Leave the Value column fi
etting the "Work offline" command is displayed in File Explorer.
lder click Show. In the Show Contents dialog box in the Value Name column type the fully qualified UNC path to the file or folder. Leave th
synchronized. Full synchronization ensures that offline files are complete and current.If you disable this setting the system only performs a
ynchronized at logon. Full synchronization ensures that offline files are complete and current. Enabling this setting automatically enables l
n to "Full" ensures that all cached files and folders are up-to-date with the most current version.If you disable or do not configuring this se
oceed.If you enable this setting the system hides the reminder balloons and prevents users from displaying them.If you disable the setting
disabled. If you disable or do not configure this policy setting users can access the wizard tasks including "Set up a wireless router or acces
cannot publish DFS roots in AD DS and the "Publish in Active Directory" option is disabled. Note: The default is to allow shared folders to b
policy setting users cannot publish shared folders in AD DS and the "Publish in Active Directory" option is disabled. Note: The default is to
ed by 16-bit programs. By default all 16-bit programs run as threads in a single shared VDM process. As such they share the memory space
es the Display Logoff item from Start Menu Options. As a result users cannot remove the Log Off <username> item from the Start Menu.If
enu search box. If you do not configure this policy (default) there will not be a "Search the Internet" link on the start menu.
he Run command to the Start menu policy has no effect.
all back to Shut Down.If you disable or do not configure this setting the Start Menu power button will be set to Shut Down by default and
he Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off.If you disable or do not configure this se
re this setting the system retains notifications and when a user logs on the tiles appear just as they did when the user logged off including t
atibility issues with toast notifications.If you disable or don’t configure this policy setting all notifications will appear as toast notifications.A
Jump Lists will continue to show.If you disable or do not configure this policy setting users can pin files folders websites and other items to
e programs already pinned to the Taskbar and they cannot pin new programs to the Taskbar.If you disable or do not configure this policy s
users can pin the Store app to the Taskbar.
policy setting users can show taskbars on more than one display.
led the taskbar does not display any custom toolbars and the user cannot add any custom toolbars to the taskbar. Moreover the "Toolbar
ortant documents and other tasks.If you enable this policy setting the Start Menu and Taskbar only track the files that the user opens local
ocument shortcuts. The system empties the Recent Items menu on the Start menu and Windows programs do not display shortcuts at the
l not be shown when the user performs a search in the start menu search box.
licy setting by default when the system cannot find the target file for a shortcut (.lnk) it searches all paths associated with the shortcut. If
figure this policy setting by default when the system cannot find the target file for a shortcut (.lnk) it searches all paths associated with the
ments Pictures Music Computer and Network. The new Start menu starts them directly.If you enable this setting the Start menu displays th
ge the size of Start in Settings.
etting the default setting for the user’s device will be used and the user can choose to change it.
ler and those that users have configured for full installation upon first use.If you disable this setting or do not configure it all Start menu sh
g the notification icons is hidden. The taskbar displays only the Start button taskbar buttons custom toolbars (if any) and the system clock.I
ault sorting options.If you disable or don't configure this policy setting the desktop apps won't be listed first when the apps are sorted by c
etting that is not prevented by another policy setting.
cannot be moved or resized.If you enable this setting it prevents the user from moving or resizing the taskbar. While the taskbar is locked
the action.If you disable or do not configure this policy setting the Taskbar and Start Menu items are available from Settings on the Start m
gram name. By default this setting is always enabled.If you disable or do not configure it items on the taskbar that share the same program
ns are able to add toolbars to the taskbar.
not configure this setting you will allow a user to select an app resize a tile pin/unpin a tile or a secondary tile enter the customize mode a
ea of the monitor unless prevented by another policy setting.
policy setting the context menus for the taskbar are available.This policy setting does not prevent users from using other methods to issue
n Start" in Settings to Off.Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in
tting the Power button and the Shut Down Restart Sleep and Hibernate commands are removed from the Start menu. The Power button is
p-up text affected by this setting includes "Click here to begin" on the Start button "Where have all my programs gone" on the Start menu
items in the All Users profile on the system drive go to ProgramData\Microsoft\Windows\Start Menu\Programs.
he ability to specify default programs for certain activities such as Web browsing or sending e-mail as well as which programs are accessibl
ods to gain access to the contents of the Documents folder.Note: To make changes to this policy setting effective you must log off and then
does not appear on the Start menu by default. To display the Favorites menu right-click Start click Properties and then click Customize. If
art menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help.
emove the homegroup link from the Start Menu.
the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer.Windows U
ns. As a result users cannot restore the Log Off <username> item to the Start Menu.If you disable or do not configure this policy setting us
ons from Settings on the Start menu.Network Connections still appears in Control Panel and in File Explorer but if users try to start it a me
the notification area. The user will be able to read notifications when they appear but they won’t be able to review any notifications they m
ogram shortcuts stay on the Taskbar.

e "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu.
s (such as Control.exe) from running.However users can still start Control Panel items by using other methods such as right-clicking the de
system saves document shortcuts but does not display the Recent Items menu in the Start Menu and users cannot turn the menu on.If yo
m entering the following into the Internet Explorer Address Bar:--- A UNC path: \\<server>\<share> ---Accessing local drives: e.g. C:--- Acce
t menu that appears when you right-click the Start menu. Also the system does not respond when users press the Application key (the key
If a 3rd party protocol handler is installed a "Search Everywhere" link will be shown instead of the "See more results" link.
yed in the system notification area.

ation area.
the "Remove user folder link from Start Menu" policy setting.If you disable or do not configure this policy setting the user name label app
ears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users you can use th
the list of installed apps.If you disable or don’t configure this policy setting the user can configure this setting.
the "Run as different user" command from Start for any applications.Note: This setting does not prevent users from using other methods
dditional calendar shows the lunar month and date and holiday names in Traditional Chinese (Lunar) by default.If you enable this policy se
e hidden and user cannot change to show it using the Settings app.Selecting "Not Configured" or if you disable or do not configure this pol
tting then users will be able to turn the QuickLaunch bar on and off.
ows logo key.If you disable or don't configure this policy setting the Start screen will always appear on the main display when the user pre
etting the Start screen will appear by default whenever the user goes to Start and the user will be able to switch between the Apps view an
user’s device will be used and the user can choose to change it.
configure a device's Start layout to the desired look and feel. Once you are done run the Export-StartLayout PowerShell cmdlet on that sa
or do not configure this policy setting newly added notification icons are temporarily promoted to the Taskbar.
ations are collapsed. The notification cleanup << icon can be referred to as the "notification chevron."If you enable this setting the system
menus. All menu items appear and remain in standard order. Also this setting removes the "Use Personalized Menus" option so users do no
r runs. The system uses this information to customize Windows features such as showing frequently used programs in the Start Menu.Also
l be used and users will not be able to change it or any other Quiet Hours setting. If you do not configure this policy setting a default va
be used and users will not be able to change it or any other Quiet Hours setting. If you do not configure this policy setting a default valu
ng voice and video calls will be allowed during Quiet Hours and users will not be able to customize this or any other Quiet Hours settings.
r or user. No reboots or service restarts are required for this policy setting to take effect.
will be suppressed and some background task deferred during the designated Quiet Hours time window. Users will not be able to change
d off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect.
ou must enable/disable system features individually to stop their ability to raise toast notifications. If you disable or do not configure
ff by the administrator or user. No reboots or service restarts are required for this policy setting to take effect.
his policy setting the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the
nterface program to a network share or to your system drive. Then enable this setting and type the name of the interface program includi
on the Start menu or by typing ""Welcome"" in the Run dialog box.If you disable or do not configure this policy the welcome screen is dis
rs from running programs that are started by the File Explorer process. It does not prevent users from running programs such as Task Man
nless Windows has internally registered the required components.If you enable this policy setting and a component registration is missing
ng other administrative tools use the "Run only specified Windows applications" policy setting.
ng that a setting prevents the action.If you disable this policy setting or do not configure it users can run Cmd.exe and batch files normally.
commas. If you disable or do not configure this policy setting users can run all applications from online Help. Note: You ca
users from running programs that are started by the File Explorer process. It does not prevent users from running programs such as Task M
ed components are ready to be installed or prior to downloading depending on their configuration.If you enable this setting it prohibits Wi
e system. The system prompts users for a new password when an administrator requires a new password or their password is expiring.
l.If you disable or do not configure this policy setting users will be able to lock the computer from the keyboard using Ctrl+Alt+Del.Tip:To lo
rom the Start menu.Also see the 'Remove Logoff on the Start Menu' policy setting.If you disable or do not configure this policy setting use
nge the priority of the process in which programs run.If you enable this policy setting users will not be able to access Task Manager. If use
scale factor (DPI) connect remotely from a device with a different display scale factor or manually change the display scale factor) many d
nabled the system does not implement any setting less secure than the one the setting established.When you enable this setting use the d
m the search algorithm.If you enable this setting you can remove the locations by selecting the associated check box beside the location na
t Communication settings" is disabled or not configured.If you enable this setting administrators will not be prompted to search Windows
e offline. If you disable or do not configure this policy setting redirected shell folders are automatically made available offline. All subfolde
automatically made available offline. All subfolders within the redirected folders are also made available offline.Note: This policy setting do
ork location to another and Folder Redirection is configured to move the content to the new location instead of copying the content to th
a computer in a remote office.To designate a user's primary computers an administrator must use management software or a script to ad
Windows Vista Windows 7 Windows 8 and Windows Server 2012 will use localized folder names for these subfolders when redirecting the
es to the domain controller designated as the PDC Operations Master for the domain."Inherit from Active Directory Snap-ins" indicates th
o be slow.The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the re
ch as Active Directory Users and Computers or Active Directory Sites and Services you can enable the object links for use on the system.If
licy setting interactive users can generate RSoP.Note: This policy setting does not affect administrators. If you enable or disable this policy
ft\Windows\CurrentVersion\Policies registry subkeys. Preferences which are not fully supported use registry entries in other subkeys.If yo
owser.The display name can contain environment variables and can be a maximum of 255 characters long.If this setting is Disabled or Not C
hen users log on.By default user Group Policy is updated in the background every 90 minutes with a random offset of 0 to 30 minutes.If yo
y Object Editor a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files sto
disable this policy setting all of the the policy settings listed in the "Internet Communication settings" section are set such that their respe
tion or use the Store service to find an application.If you enable this policy setting the "Look for an app in the Store" item in the Open With
prohibits downloading drivers that are not already installed locally.If you enable this policy setting print drivers cannot be downloaded ove
soft to improve handwriting recognition in future versions of Windows. The tool generates reports and transmits them to Microsoft over a
mprove handwriting recognition in future versions of Windows.If you enable this policy users cannot start the handwriting recognition err
Help Experience Improvement program.If you disable or do not configure this policy setting users can turn on the Help Experience Improv
uality and usefulness of the Help and Support content.
ownloaded from a Windows website in addition to providers specified in the registry.If you enable this policy setting Windows does not do
n or use the Web service to find an application.If you enable this policy setting the link and the dialog for using the Web service to open an
inting server and making its shared printers available via HTTP.If you enable this policy setting it prevents this client from printing to Intern
icture Tasks in File Explorer folders.If you disable or do not configure this policy setting the task is displayed.
content to the web.If you enable this policy setting these tasks are removed from the File and Folder tasks in Windows folders.If you disab
nformation is used to improve the product in future releases.If you enable this policy setting Windows Messenger does not collect usage in
f you disable or do not configure this policy setting users can access online assistance if they have a connection to the Internet and have n
ed by a per-user policy setting. If you disable this policy setting at the computer level the per-user policy is ignored. If you do not configure
missions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users.The policy setting "Restrict us
abled users can still choose alternate locales installed on the system unless prevented by other policies however they will be unable to cus
ed to locales in this list.To set this policy setting on a per-user basis make sure that you do not configure the per-computer policy setting.T
grams and services that the system starts.If you enable this policy setting the system ignores the run list for Windows Vista Windows XP Pr
ou enable this policy setting the system ignores the run-once list.If you disable or do not configure this policy setting the system runs the p
cy setting click Show. In the Show Contents dialog box in the Value column type the name of the executable program (.exe) file or docume
flags in particular positions. Bits can be set to either 0 (setting is forced off) 1 (setting is forced on) or ? (setting retains its existing value pr
r do not configure this policy setting users control if their computer is automatically locked or not after performing a resume operation.
disable or do not configure this policy setting write and read accesses are allowed to all removable storage classes.
ected storage enable the policy setting "Deny write access to drives not protected by BitLocker" which is located in "Computer Configuratio
do not configure this setting the operating system does not force a reboot.Note: If no reboot is forced the access right does not take effec
emovable storage class.

s removable storage class.
t as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.If you disable or do not confi
it runs. The instructions appear in a command window. This policy setting is designed for advanced users.If you disable or do not configur
ey run although it does not display logon scripts written for Windows 2000.If you enable this setting Windows 2000 does not display logon
essing is complete before the user starts working but it can delay the appearance of the desktop.If you disable or do not configure this po
GPO) PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. For example assume the following scenario: Th
he local computer to a local or remote directory.If you enable this policy setting the system uses the Windows NT 4.0 definitions. %HOME
de the narrowest set of data that will address your needs. For example if there is one application with data that should not be roamed the
es.If you enable this policy setting you can:-- Set a maximum permitted user profile size.-- Determine whether the registry files are include
e.If you enable this policy setting the network paths specified in this policy setting will be synchronized only by Offline Files during user log
esktop app for a file type.If you enable this policy setting Windows Store apps cannot open files in the default desktop app for a file type;
y launching a desktop app.If you enable this policy setting Windows Store apps cannot open URIs in the default desktop app for a URI sche
e user from accessing the file. If the file is from the Internet zone Windows prompts the user before accessing the file.Moderate Risk: If th
cannot make proper risk assessments.If you enable this policy setting Windows does not mark file attachments with their zone information
angerous file attachments that Windows has blocked users from opening.If you enable this policy setting Windows hides the check box an
on list takes precedence over the medium-risk and low-risk inclusion lists (where an extension is listed in more than one inclusion list).If yo
a lower precedence than the high-risk or medium-risk inclusion lists (where an extension is listed in more than one inclusion list).If you en
o Windows and it takes precedence over the low-risk inclusion list but has a lower precedence than the high-risk inclusion list (where an ex
ld be redundant. If you enable this policy setting Windows tells the registered antivirus program to scan the file when a user opens a file a
to use the file type data over the file handler data. For example trust .txt files regardless of the file handler.Using both the file handler and
remembers user's choice of what to do when a device is connected.

cally execute the program without user intervention. This creates a major security concern as code may be executed without user's k
le drives such as the floppy disk drive (but not the CD-ROM drive) and on network drives. Starting with Windows XP SP2 Autoplay is e
ing functionality.
onally if you check the "Include content from Enterprise spotlight" checkbox and your organization has setup an Enterprise spotlight conte
s.If you disable or do not configure this policy Windows spotlight features may suggest apps and content from third-party software publis
to customize content shown on lock screen Windows tips Microsoft consumer features and other related features. If these features are en
c from target devices.If you disable or do not configure this policy setting Windows spotlight features are allowed and may be controlled in
o not configure this policy "Spotlight collection" will appear as an option in Personalization settings allowing the user to select "Spotlight c
here are updates and changes to Windows and its apps.If you disable or do not configure this policy the Windows Welcome Experience w
setting the password reveal button will be displayed after a user types a password in the password entry text box.By default the password
are considered part of Windows and does not apply to any additional apps installed by your organization. - Diagnostic data off (not reco
e on Windows 10 version 1809Default setting: Disabled or not configured (no data collected or sent)
signed and unsigned gadgets will be extracted.The default is for Windows to extract both signed and unsigned gadgets.
ets to be turned on.
ip 3D is accessible if desktop composition is turned on. When Windows Flip 3D is activated with the Windows+Tab keys a visual version of
s policy setting requires a logoff for it to be applied.
tting can be used in conjunction with the "Specify a default color for window frames" policy setting to enforce a specific color for window f
rnal color is used if the user does not specify a color. Note: This policy setting can be used in conjunction with the "Prevent color changes o
gital Locker will not run.If you disable or do not configure this setting Digital Locker can be run.
s using touch gestures keyboard shortcuts and the Start screen.If you disable or don't configure this policy setting the recent apps will be a
ers won't be able to replace it with Windows PowerShell. Users will still be able to access Windows PowerShell but not from that menu.If y
orner. They'll still be available if the mouse is pointing to the lower-right corner.If you disable or don't configure this policy setting Search S
re this policy setting Windows will keep track of the apps that are used and searched most frequently. Most frequently used apps will app
s an entry in at least one of the following locations in registry.For shell extensions that have been approved by the administrator and are a
ccess to user-defined properties and properties stored in NTFS secondary streams.
blocks the creation of the folder.You can specify a known folder using its known folder id or using its canonical name. For example the Sa
f not displaying a confirmation dialog occurs.
le Explorer.Note: When the menu bar is not displayed users can access the menu bar by pressing the 'ALT' key.
will receive an error message if they tap or click the Options button or choose the Change folder and search options command and they w
Center is displayed at user logon.
f you disable or do not configure this setting files and folders deleted using File Explorer will be placed in the Recycle Bin.
who are not administrators try to install programs locally on their computers. This setting allows administrators who have logged on as re
he current target path then by default it searches for the target in the original path. If the shortcut has been copied to a different compute
enable this policy setting select a drive or combination of drives in the drop-down list.Note: This policy setting removes the drive icons. Use
vent Viewer Device Manager and Disk Management. You must be an administrator to use many of the features of these tools.This setting d
m the UI. On every logon the policy settings are verified and Libraries for the user are updated or changed according to the path defined.If
ace used by the Recycle Bin.Note: This setting is applied to all volumes.
of shortcuts specified by the policy setting.If you disable or do not configure this policy setting by default the system displays shortcuts to
Locations. This policy setting also removes these icons from the Map Network Drive browser.If you disable or do not configure this policy
owser associated with the Map Network Drive option.This setting does not prevent users from viewing or connecting to computers in the
ernet search site will be searched with the text in the search box. To add an Internet search site specify the URL of the search site in Open
ecify the path of the .Library-ms or .searchConnector-ms file in the "Location" text box (for example "C:\sampleLibrary.Library-ms" for the
r the Map Network Drive dialog box to view the directories on these drives.To use this setting select a drive or combination of drives from
er.If you disable or do not configure this policy setting users will be able to add new items such as files or folders to the root of their Users
appear when you right-click the File Explorer or Network Locations icons.This setting does not prevent users from connecting to another
onfigure this policy setting users are able to use the File Explorer CD burning features.Note: This policy setting does not prevent users from
e the properties of the DFS shares available from their computer.This policy setting does not prevent users from using other methods to c
to issue commands available on the shortcut menus.
use the Hardware tab to view or change the device list or device properties or use the Troubleshoot button to resolve problems with the d
ocations.Enabling this policy setting does not remove the Search button or affect any search features of Internet browser windows such a
ll users that have access to the resource in question.If you disable or do not configure this setting users will be able to access the security
g you can choose not to have these items displayed.If you enable this policy setting the Shared Documents folder is not displayed in the W
t browser with the search terms.If you do not configure this policy (default) there will be an "Internet" link when the user performs a searc
es are designed to enhance the user's experience but might be confusing or distracting to some users.
oggled by users.Effects such as animation are designed to enhance the user's experience but might be confusing or distracting to some use
e it this dialog box appears only when users are installing programs from local media.The "Install Program as Other User" dialog box promp
onfigure this policy setting users can choose how the ribbon appears when they open new windows.
should enable this policy setting to turn off the thumbnail view cache because the thumbnail cache can be read by everyone.
enable this policy File Explorer will not show suggestion pop-ups as users type into the Search Box and it will not store Search Box entries
orer will sort file names by increasing number value (for example 3 < 22 < 111).
set of folders. Applications are not able to open files with this protocol when it is in the protected mode. It is recommended to leave this p
isable or do not configure this policy setting File Explorer creates reads from and writes to thumbs.db files.
If you disable or do not configure this policy setting File Explorer displays only thumbnail images on network folders.
his policy setting File Explorer displays only thumbnail images.
eys.If you enable this setting the Windows Key hotkeys are unavailable.If you disable or do not configure this setting the Windows Key hot
olicy will: * Disable all Arrangement views except for "By Folder" * Disable all Search filter suggestions other than "Date Modified" and
dows NT 4.0 and users cannot restore the new features.Enabling this policy will also turn off the preview pane and set the folder options f
evelopers of Windows programs.If you enable this policy setting the Back button is removed from the standard Open dialog box.If you dis
provided to developers of Windows programs.To see an example of the standard Open dialog box start Wordpad and on the File menu cl
file name in the text box.This setting and others in this folder lets you remove new features added in Windows 2000 Professional so that th
ers -- (\\server\share)3) FTP folders4) web folders5) Common Shell folders.The list of Common Shell Folders that may be specified:Desktop
ble and cannot be hidden by the user. Note: This has a side effect of not being able to toggle to the Preview Pane since the two cannot be
ng users cannot list and restore previous versions of files on local disks.If you do not configure this policy setting it defaults to disabled.
list and restore previous versions of files on file shares.If you do not configure this policy setting it is disabled by default.
backup copies and can see only previous versions corresponding to on-disk restore points.If you disable this policy setting users can see pr
olicy setting the Restore button remains active for a previous version corresponding to a local file. If the user clicks the Restore button Win
on corresponding to a backup.If you disable this policy setting the Restore button remains active for a previous version corresponding to a
isable this policy setting the Restore button remains active for a previous version corresponding to a file on a file share. If the user clicks th
ew line that contains the enterprise identifier separated by a comma and the Package Family Name of the application. The EID must be an
sable this user is not allowed to control IME version to use. The new Microsoft IME is always selected.This Policy setting applies only to Mic
disable or do not configure this policy setting both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candi
e OR of following values:0x0001 // JIS208 area0x0002 // NEC special char code0x0004 // NEC selected IBM extended code0x0008 // IBM e
or conversion.If you disable or do not configure this policy setting the custom dictionary can be used by default.[Clear auto-tuning informa
e: Changes to this setting will not take effect until the user logs off.
or do not configure this policy setting the search integration function can be used by default.This policy setting applies to Japanese Micro
for conversion.If you disable or do not configure this policy setting Open Extended Dictionary can be added and used by default.This policy
suggestions and the user won't be able to turn it off.If you disable this policy setting the functionality associated with this feature is turned
suggestions and the user won't be able to turn it off.If you disable this policy setting the functionality associated with this feature is turned
Traditional Chinese IME.
add and remove search providers but only from the set of search providers specified in the list of policy keys for search providers (found u
As" will not show up in the Internet Explorer mode context menu.For more information see https://go.microsoft.com/fwlink/?linkid=21021
UI during shutdown.If you disable or do not configure this policy setting OnUnLoad script handlers do not display UI during shutdown (defa
ddress bar. In addition users won't be able to change the Suggestions setting on the Settings charm.If you disable this policy setting users
er upgrades to Internet Explorer 9.In Internet Explorer 9 add-ons are defined as toolbars Browser Helper Objects or Explorer bars. ActiveX
click on a link within Internet Explorer the content will be played by the default media client on their system.If you enable the Media Explo
ble the blocking of attachments in options.If the block attachments setting is not checked the user can specify to enable or disable the bloc
e bypassed.If both the Windows Update for the next version of Microsoft Edge* and Microsoft Edge Stable channel are installed the follow
policy setting Internet Explorer sends the current Internet Explorer version in the User Agent header (for example "MSIE 7.0").
u do not configure this setting the user has the freedom to turn on the auto-complete feature for forms.To display this option the users op
proxy scripts can be stored in the users' cache.
n Web pages.If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Compon
s policy or do not configure it users can select or clear settings on the Advanced tab.If you set the "Disable the Advanced page" policy (loca
able to do automatic configuration. You can import your current connection settings from your machine using Internet Explorer Maintena
u disable this policy or do not configure it users can determine which programs to use for managing schedules and contacts if programs th
ure it users can import new certificates remove approved publishers and change settings for certificates that have already been accepted.T
box.If you disable this policy or do not configure it users can change the default background and text color of Web pages.If you set the "D
page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) y
not configure it users can determine whether Internet Explorer will check to see if it is the default browser. When Internet Explorer perfo
e it users can change the default fonts for viewing Web pages.If you set the "Disable the General page" policy (located in \User Configurati
. For machines with at least Internet Explorer 7 the home page can be set within this policy to override other home page policies.If you dis
able this policy or do not configure it users can change the language preference settings for viewing Web sites for languages in which the
ou disable this policy or do not configure it users can change the default color of links on Web pages.If you set the "Disable the General pa
e this policy or do not configure it users can determine which programs to use for sending mail viewing newsgroups and placing Internet ca
ir street and e-mail addresses.The "Disable the Content page" policy (located in \User Configuration\Administrative Templates\Windows C
r ratings settings.The "Disable the Ratings page" policy (located in \User Configuration\Administrative Templates\Windows Components\I
ondary home pages. The user cannot set custom default secondary home pages.If you disable or do not configure this policy setting the u
b and then click the Settings button in the Internet Options dialog box.If you disable this policy or do not configure it users can change thei
s policy or do not configure it users could install customizations from another party-for example when signing up for Internet services.This
s from a file allows the user to import favorites feeds and cookies from a file. Exporting settings to a file allows the user to export favorites
tart pointing to Programs pointing to Accessories pointing to Communications and then clicking Internet Connection Wizard.If you disable
nternet Explorer 11 to Microsoft Edge Stable Channel browser.- Overrides any other policies that redirect to Internet Explorer 11.If you dis
h pages.The "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet
when problems occur with proxy scripts.
dd-On Manager will be available to the user.
e this policy extended hotkeys will not work in Internet Explorer mode.For more information see https://go.microsoft.com/fwlink/?linkid=
lection of search tools viewing a history of visited pages printing and accessing email and newsgroups. The menu bar contains menus that
rs will not be able to create new identities manage existing identities or switch identities. The Switch Identity option will be removed from
orer 11. The only exceptions are sites listed in your Enterprise Mode Site List.If you disable or don’t configure this policy all intranet sites a
tting on users can see and use the Enterprise Mode option from the Tools menu. If you turn this setting on but don't specify a report locati
ill be included in site discovery. This policy can be used in conjunction with other policies controlling sites included in Site Discovery.To con
e included in site discovery. This policy can be used in conjunction with other policies controlling sites included in Site Discovery.To configu
notified if Internet Explorer is not the default web browser. Users cannot change the setting.If you do not configure this policy setting use
Only the domain name is allowed so www.contoso.com is valid but not http://www.contoso.com. Wildcards are allowed so *.contoso.com
il and newsgroups. The menu bar contains menus that open lists of commands. The commands include options for printing customizing In
n this policy setting is enabled the "Fix settings" command on the Notification bar shortcut menu should be disabled.
ed from the Settings charm (starting with Internet Explorer 10 on Windows 8).If you disable or do not configure this policy setting the Inte
you enable this policy setting SmartScreen Filter warnings block the user.If you disable or do not configure this policy setting the user can
u disable or do not configure this policy setting the user can bypass SmartScreen Filter warnings.
cify the filter level by importing Privacy settings from your computer under Internet Explorer Maintenance.If you disable or do not configu
the following: • Open in an existing Internet Explorer window. If tabbed browsing is enabled a new tab is created in this scenario. • Op
tabs in the background by pressing Ctrl+Shift+Select or open the tabs in the foreground by pressing Ctrl+Shift+Select.If you disable or do n
ure this policy setting the Search box appears by default in the Internet Explorer frame.Note: If you enable this policy setting Internet Explo
xception list.Note: You can allow a default list of sites that can open pop-up windows regardless of the Internet Explorer process's Pop-Up
rtScreen Filter. All website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.
e the phishing filter uses: manual automatic or off.If you select manual mode the phishing filter performs only local analysis and the user i
r must participate in the CEIP and the Customer Feedback Options command does not appear on the Help menu.If you do not configure th
age. • Skip the First Run wizard and go directly to the "Welcome to Internet Explorer" webpage.Starting with Windows 8 the "Welcome t
d from third-party toolbars or in Setup but the user can also add them from a search provider's website.If you enable this policy setting the
t informs the user that this feature has been disabled.If you disable this policy or do not configure it users can press F3 to search the Intern
e this policy or do not configure it users can change their settings for the Search Assistant.This policy is designed to help administrators ma
de at least one site in the Enterprise Mode Site List.Enabling this setting automatically opens all sites not included in the Enterprise Mode S
esses; and high allows the tab process to grow very quickly and is intended only for computers that have ample physical memory. The defa
Microsoft Edge with Enterprise Mode.If you disable or don't configure this setting the default app behavior occurs and no additional page a
ble or do not configure this policy setting the user can select his or her preference for this behavior.
eX controls including per-user controls are installed through the standard installation process.
al.If you enable this policy setting the ActiveX Opt-In prompt does not appear. Internet Explorer does not ask the user for permission to loa
he Disable Add-ons dialog box displays the load time for each group of add-ons enabled in the browser. It allows the user to disable add-on
his or her data after a program stops responding.
nfigure this policy setting browser geolocation support can be turned on or off in Internet Options on the Privacy tab.
decide. 1: Force pop-up windows to open in new windows. 2: Force pop-up windows to open on new tabs.If you disable or do not con
ws Error Reporting continue to apply.If you disable or do not configure this policy setting the crash detection feature for add-on managem
he Favorites bar.
reen Filter. You must specify which mode the SmartScreen Filter uses: on or off.All website addresses that are not on the filter's allow list a
cations that host MSHTML respond to user input that causes the content to be re-rendered at a scaled size.
r. Pop-up windows will continue to function as they did in Windows XP Service Pack 1 or earlier although windows launched off screen wil
n Last Browsing Session feature.

arch providers that offer suggestions.
net Explorer and the user cannot turn them on.If you disable this policy setting tabbed browsing and related entry points appear on the us
s policy setting user will be suggested matches when entering Web addresses. The user cannot change the auto-complete for web-addres
user clicks in the Search box the quick pick menu appears.
annot turn off ActiveX Filtering although they may add per-site exceptions.If you disable or do not configure this policy setting ActiveX Filt
ging.If you disable this policy setting the user cannot log information that is blocked by new Internet Explorer features. The user cannot tu
plorer by default and the user cannot turn it on.If you do not configure this policy setting the menu bar is turned off by default. The user ca
will be written to the WMI class. Enabling or disabling this setting will not impact other output methods available for the SDTK.
abling this setting will not impact other output methods available for the SDTK.
ested Sites. The user’s browsing history is sent to Microsoft to produce suggestions.If you disable this policy setting the entry points and fu
ou have to decide whether to select "prompt me to save passwords".If you disable this setting the user cannot change "User name and pas
tection.If you disable this policy or do not configure it dial-up settings will not be configured by Automatic Detection unless specified by th
Software\policies\Microsoft\Internet Explorer\Main\EnterpriseMode) opening all listed websites using Enterprise Mode IE.If you disable o
default Accelerators should not overlap.If you disable or do not configure this policy setting the user has Accelerators that are provided th
non-default Accelerators should not overlap.If you disable or do not configure this policy setting the user has Accelerators that are provid
ure this policy setting the user can access any Accelerators that he or she has installed.
not configure it this control will not be designated as administrator-approved.To specify how administrator-approved controls are handled
nes in which you specify that administrator-approved controls can be run.If you disable this policy or do not configure it this control will n
n that has restricted functionality and is intended for use by web sites.If you enable this policy this control will be available as an administr
n.If you disable this policy or do not configure it these controls will not be designated as administrator-approved.Select the check boxes for
t these controls will not be designated as administrator-approved.To specify a control as administrator-approved click Enabled and then s
which you specify that administrator-approved controls can be run.If you disable this policy or do not configure it these controls will not be
strator-approved controls can be run.If you disable this policy or do not configure it this control will not be designated as administrator-ap
not configure it this control will not be designated as administrator-approved.To specify how administrator-approved controls are handle
r-approved.To specify how administrator-approved controls are handled for each security zone carry out the following steps:1. In Group P
cy or do not configure it these controls will not be designated as administrator-approved.Select the check boxes for the controls that you
trator-approved.To specify how administrator-approved controls are handled for each security zone carry out the following steps:1. In Gro
ed.To specify how administrator-approved controls are handled for each security zone carry out the following steps:1. In Group Policy clic
a Clipboard operation. This means that if the zone behavior is currently set to prompt it will be bypassed and enabled.If you disable this po
nning in the Internet Explorer process performs a Clipboard operation. In the Internet Explorer process if the zone behavior is currently se
he Internet Explorer process" policy. If the "Bypass prompting for Clipboard access for scripts running in any process" policy setting is enab
w by using the shortcut menu.This policy can be used in coordination with the "File menu: Disable New menu option" policy which preven
be informed that the command is not available.If you disable this policy or do not configure it users can download programs from their br
t corner of the program will not work; if users click the Close button they will be informed that the command is not available.
e informed that the command is not available.If you disable this policy or do not configure it users can open a new browser window from
this policy or do not configure it users can open a Web page from the browser File menu.Caution: This policy does not prevent users from
m the Save as Type box in the Save Web Page dialog box. Users can still save Web pages as hypertext markup language (HTML) files or as te
e over the "File Menu: Disable Save As Web Page Complete" policy which prevents users from saving the entire contents that are displaye
ers command on the Help menu.Caution: Enabling this policy does not remove the tips for Netscape users from the Microsoft Internet Exp
Microsoft products.
m of the browser.
command on the shortcut menu is disabled; when users click it they are informed that the command is unavailable.If you disable this polic
nternet Options command on the Tools menu they are informed that the command is unavailable.If you disable this policy or do not confi
n Internet Explorer will not be available. Starting with Windows 8 the Print flyout for Internet Explorer will not be available and users will n
icks a webpage.If you disable or do not configure this policy setting users can use the shortcut menu.
oblems dialog box.If you disable or do not configure this policy setting the menu options will be available.
n display the browser in a full screen.This policy is intended to prevent users from displaying the browser without toolbars which might be
browser View menu.Caution: This policy does not prevent users from viewing the HTML source of a Web page by right-clicking a Web pag
atically displayed in Compatibility View.If you disable this policy setting the Microsoft-provided website lists are not used. Additionally the
t configure this policy setting the user can use the Compatibility View button and manage the Compatibility View sites list.
onfigure this policy setting the user can use the Compatibility View button.
ernet Explorer.If you enable this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string app
anet Standards Mode pages appear in the Standards Mode available with the latest version of Internet Explorer. The user cannot change t
er can add and remove sites from the list.
nt string (with an additional string appended). Additionally webpages included in this list appear in Quirks Mode.
nable this policy setting deleting browsing history on exit is turned on.If you disable this policy setting deleting browsing history on exit is tu
you enable this policy setting a user cannot set the number of days that Internet Explorer tracks views of the pages in the History List. You
elete Browsing History dialog box. Starting with Windows 8 users cannot click the Delete Browsing History button on the Settings charm.If
ed if users turn on the Personalized Tracking Protection List which blocks third-party items while the user is browsing.With at least Interne
gure this policy setting the user can choose whether to delete or preserve cookies when he or she clicks Delete.If the "Prevent access to De
user clicks Delete.If you do not configure this policy setting the user can choose whether to delete or preserve download history when he o
s Delete.If you do not configure this policy setting the user can choose whether to delete or preserve favorites site data when he or she cl
onfigure this policy setting the user can choose whether to delete or preserve form data when he or she clicks Delete.If the "Prevent acces
the Delete Browsing History dialog box.If you enable this policy setting InPrivate Filtering data is preserved when the user clicks Delete.If y
configure this policy setting the user can choose whether to delete or preserve passwords when he or she clicks Delete.If the "Prevent ac
ed when the user clicks Delete.If you do not configure this policy setting the user can choose whether to delete or preserve temporary Inte
g websites that the user has visited are deleted when he or she clicks Delete.If you do not configure this policy setting the user can choose
and cookies.If you disable or do not configure this policy setting users will be able to delete temporary Internet files and cookies.
s.When you set this policy you do not need to set the "Disable changing Advanced page settings" policy (located in \User Configuration\Ad
ot need to set the following policies for the Content tab because this policy removes the Connections tab from the interface:"Disable Inter
ttings.When you set this policy you do not need to set the following Internet Explorer policies (located in \User Configuration\Administrativ
do not need to set the following policies for the Programs tab because this policy removes the Programs tab from the interface:"Disable c
ettings.When you set this policy you do not need to set the following Internet Explorer policies because this policy removes the Security ta
e or do not configure this policy setting the user can choose to ignore certificate errors and continue browsing.
r names should be sent: 0) Unicode domain names are never converted to IDN format. 1) Unicode domain names are converted to IDN
ded through the user's code page. This behavior matches the behavior of Internet Explorer 6 and earlier. The user can change this behavio
do not configure this policy users can choose whether to be prompted before running active content on a CD.
ng non-Internet Explorer components will be automatically installed as necessary.If you disable this policy setting users will be prompted w
download the Japanese Language Pack component if it is not already installed.If you enable this policy setting Web components such as fo
is policy setting Internet Explorer won't use the HTTP2 network protocol.If you don't configure this policy setting users can turn this behav
ol.If you disable this policy setting Internet Explorer won't use the SPDY/3 network protocol.If you don't configure this policy setting users c
to install or run files with an invalid signature.If you disable this policy setting users cannot run or install files with an invalid signature.If y
et Explorer automatically launches any browser helper objects that are installed on the user's computer.If you disable this policy setting br
u disable this policy setting Internet Explorer only sends the Do Not Track header if a Tracking Protection List is enabled or inPrivate Brows
t Explorer checks the Internet for a new version approximately every 30 days and prompts the user to download new versions when they
ecure.If you enable this policy setting Internet Explorer will check to see if server certificates have been revoked.If you disable this policy s
lorer will check the digital signatures of executable programs and display their identities before downloading them to user computers.If yo
ves the option to run the website in regular Protected Mode. This policy setting disables this notification and forces all websites to run in E
se Reset Internet Explorer Settings.If you disable or do not configure this policy setting the user can use Reset Internet Explorer Settings.
pages containing secure (HTTPS) information to the cache.If you disable this policy setting Internet Explorer will save encrypted pages cont
l disk space usage.If you enable this policy setting Internet Explorer will delete the contents of the user's Temporary Internet Files folder w
s found in Web content.If you disable this policy setting Internet Explorer will not play or download animated pictures helping pages displa
content.If you disable this policy setting Internet Explorer will not play or download sounds in Web content helping pages display more qu
ent.If you disable this policy setting Internet Explorer will not play or download videos helping pages display more quickly.If you do not con
e or do not configure this policy setting applications that host MSHTML render text by using the Microsoft ClearType rendering engine.
ected communication with the target server the browser and server negotiate which protocol and version to use. The browser and server
ebsites or content in the background.If you disable this policy setting Internet Explorer preemptively loads websites and content in the ba
sts Profile Assistant information users will be prompted to choose which information to share. At that time users can also choose to allow
ery strings. 1) Only encode query strings for URLs that aren't in the Intranet zone. 2) Only encode query strings for URLs that are in the
ble this policy setting flip ahead with page prediction is turned off and the next webpage isn't loaded into the background.If you disable th
processes are used.If you enable this policy setting Internet Explorer 11 will use 64-bit tab processes when running in Enhanced Protected
licy setting is particularly useful to users who do not use a mouse.If you enable this policy setting Caret Browsing is turned on.If you disabl
you enable this policy setting Enhanced Protected Mode will be turned on. Any zone that has Protected Mode enabled will use Enhanced P
not use HTTP 1.1.
do not configure this policy setting users can configure Internet Explorer to use or not use HTTP 1.1 through proxy connections.
r do not configure this policy setting Internet Explorer does not display the Content Advisor setting on the Content tab of the Internet Opti
nternet Explorer starts a new browsing session with the tabs from the last browsing session. Users cannot change this option to start with
s policy setting websites will not be able to store application caches on client computers. Allow website database and caches on Website D
e this policy setting websites will not be able to store an indexed database on client computers. Allow website database and caches on We
ual domain Internet Explorer sends an error to the website. No notification will be displayed to the user. This group policy sets the maxim
etting Internet Explorer will remove application caches that haven't been used within the timeframe set in this policy setting.If you disable
ou disable or do not configure this policy setting users can set default data storage limits for indexed databases and application caches.
vidual domain Internet Explorer sends an error to the website. No notification is sent to the user. This group policy sets the maximum data
you set this policy setting you provide the resource size limit in MB. The default is 50 MB.If you enable this policy setting Internet Explore
ds an error to the website. No notification will be displayed to the user. When you set this policy setting you provide the resource limit as
heir computer. The default maximum storage limit for all application caches is 1 GB.If you enable this policy setting you can set the maximu
ed on their computer. The default maximum storage limit for all indexed databases is 4 GB.If you enable this policy setting you can set the
andard template defaults.If you disable this template policy setting no security level is configured.If you do not configure this template pol
ng local sites which are not explicitly mapped into a zone will not be considered to be in the Intranet Zone (so would typically be in the Inte
might map one there).If you do not configure this policy setting users choose whether network paths are mapped into the Intranet Zone.
rily mapped into the Intranet Zone (other rules might map one there).If you do not configure this policy setting users choose whether sites
ociate sites to zones. They are: (1) Intranet zone (2) Trusted Sites zone (3) Internet zone and (4) Restricted Sites zone. Security settings can
olicy setting automatic detection of the intranet is turned off and intranet mapping rules are applied however they are configured.If this po
enable this policy setting the certificate address mismatch warning always appears.If you disable or do not configure this policy setting the
ppears whenever the user browses to a page that loads content from an intranet site.If you disable this policy setting a Notification bar no
e in the zone. If you select Prompt in the drop-down box users are queried to choose whether to allow a page to be loaded in the zone tha
col Lockdown policy.If you enable this policy setting no Intranet Zone content accessed is affected even for protocols on the restricted list.
you disable this policy setting script code on pages in the zone is prevented from running.If you do not configure this policy setting script c
n box only behaviors listed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.If you disable
m clipboard operations.If you disable this policy setting a script cannot perform a clipboard operation.If you do not configure this policy setti
r to drag or copy files from this zone.If you disable this policy setting users are prevented from dragging files or copying and pasting files fr
able this policy setting files are prevented from being downloaded from the zone. If you do not configure this policy setting files can be dow
nload.If you disable this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting HTML fonts
r to install desktop items from this zone.If you disable this policy setting users are prevented from installing desktop items from this zone.
able this policy setting and set the drop-down box to Enable XBAPs are automatically loaded inside Internet Explorer. The user cannot chan
olicy setting and set the drop-down box to Enable XAML files are automatically loaded inside Internet Explorer. The user cannot change thi
ternet Explorer. The user cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XPS files.
ta Refresh setting can be redirected to another Web page.If you disable this policy setting a user's browser that loads a page containing an
w the control to run from the current site or from all sites.If you disable this policy setting the user does not see the per-site ActiveX promp
files.If you enable this policy setting users can perform OpenSearch queries in this zone using Search Connectors.If you disable this policy
ources from within the File Explorer) it might affect other items as well that are marked from this zone. For example some application-spec
setting the user can enable or disable script access to the WebBrowser control. By default script access to the WebBrowser control is allow
ture.If you disable this policy setting the possible harmful actions contained in script-initiated pop-up windows and windows that include
ript to run.If you selected Disable in the drop-down box VBScript is prevented from running.If you do not configure or disable this policy s
. Also as of Internet Explorer 8 this policy setting controls HTML+TIME media elements that refer to audio and video files.If you enable this
w Internet Explorer windows that have no status bar or Address bar.If you do not configure this policy setting the user can choose whether
the user can enable or disable the Notification bar behavior.
cked using the Notification bar. Users can click on the Notification bar to allow the ActiveX control prompt.If you do not configure this poli
e or do not configure this setting file downloads that are not user-initiated will be blocked and users will see the Notification bar instead o
eive a security information message (This page contains both secure and nonsecure items. Do you want to display the nonsecure items?)
te or only one certificate.If you disable this policy setting Internet Explorer prompts users with a "Client Authentication" message when th
you disable this policy setting Internet Explorer always checks with your antimalware program to see if it's safe to create an instance of th
by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.If you disable the policy setting signed controls
n the drop-down box users are queried to choose whether to allow the unsigned control to run.If you disable this policy setting users cann
n are in different windows. Users cannot change this setting.If you enable this policy setting and click Disable users cannot drag content fr
n are in the same window. Users cannot change this setting.If you enable this policy setting and click Disable users cannot drag content fro
The security zone will run without the added layer of security provided by this feature.If you disable this policy setting the actions that ma
art of the path.If you enable this policy setting path information is sent when the user is uploading a file via an HTML form.If you disable th
This setting causes both unsafe and safe controls to be initialized and scripted ignoring the Script ActiveX controls marked safe for scripting
dbox (an area in memory outside of which the program cannot make calls) plus capabilities like scratch space (a safe and secure storage ar
ention. If you select Prompt in the drop-down box users are queried to choose whether to run applications and download files from IFRAM
and password to query users for user IDs and passwords. After a user is queried these values can be used silently for the remainder of the
users are queried whether to allow windows and frames to access applications from other domains.If you disable this policy setting users c
cy setting users can choose whether or not to render filters in this zone. Users can change this setting on the Security tab of the Internet O
licy setting Internet Explorer will execute unsigned managed components. If you select Prompt in the drop-down box Internet Explorer wil
setting Internet Explorer will execute signed managed components. If you select Prompt in the drop-down box Internet Explorer will prom
ontrols or plug-in to run.If you disable this policy setting controls and plug-ins are prevented from running.If you do not configure this poli
w script interaction.If you disable this policy setting script interaction is prevented from occurring.If you do not configure this policy setting
ts.If you disable this policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts can access
ese files open without a security warning. If you set the drop-down box to Prompt a security warning appears before the files open.If you
rs and software packages to be automatically installed on users' computers.Medium safety to allow users to be notified of software updat
pages in this zone can be submitted automatically. If you select Prompt in the drop-down box users are queried to choose whether to allo
m multiple developer tools. It includes the new managed code APIs for Windows.If you enable this policy setting .NET Framework Setup is
le this policy setting the first-run prompt is turned off in the corresponding zone.If you disable this policy setting the first-run prompt is tur
policy setting the XSS Filter is turned off for sites in this zone and Internet Explorer permits cross-site script injections.
ot turn off Protected Mode.If you disable this policy setting Protected Mode is turned off. The user cannot turn on Protected Mode.If you
you do not configure this policy setting the user can choose whether SmartScreen Filter scans pages in this zone for malicious content.Not
ndows are not prevented from appearing.If you do not configure this policy setting most unwanted pop-up windows are prevented from a
le this policy setting users can preserve information in the browser's history in favorites in an XML store or directly within a Web page sav
ayer of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box a warni
e or do not configure this setting users will receive a file download dialog for automatic download attempts.
ndows are not prevented from appearing.If you do not configure this policy setting pop-up windows are not prevented from appearing.
r of security that is provided by the Protection from Zone Elevation security feature. If you select Prompt in the drop-down box a warning
you disable this policy setting script code on pages in the zone is prevented from running.If you do not configure this policy setting users a
able this policy setting files are prevented from being downloaded from the zone. If you do not configure this policy setting files are preven
nload.If you disable this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting users are qu
-down box users are queried whether to allow additional windows and frames to access applications from other domains.If you disable th
ts.If you disable this policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts are preven
ork Protocol Lockdown policy.If you enable this policy setting no Trusted Sites Zone content accessed is affected even for protocols on the
able this policy setting files are prevented from being downloaded from the zone. If you do not configure this policy setting files are preven
nload.If you disable this policy setting HTML fonts are prevented from downloading.If you do not configure this policy setting users are qu
-down box users are queried whether to allow additional windows and frames to access applications from other domains.If you disable th
ts.If you disable this policy setting scripts are prevented from accessing applets.If you do not configure this policy setting scripts are preven
oose how Internet Explorer tiles are opened.
o not configure this policy setting users can choose how links are opened in Internet Explorer.
oes not go directly to an intranet site for a one-word entry in the Address bar.
net Explorer will be shown.If you do not configure this policy setting the button to open Microsoft Edge from Internet Explorer can be con
this policy setting the user can choose when to underline links.
is a problem connecting with an Internet server the user does not see a detailed description or hints about how to correct the problem. Th
setting page transitions will be turned on. The user cannot change this behavior.If you do not configure this policy setting the user can tur
icy setting phone number detection is turned on. Users won't be able to modify this setting.If you don't configure this policy setting users c
ing.If you do not configure this policy setting the user can hide or show the button to open Microsoft Edge from Internet Explorer.
pt) or Microsoft JScript.If you enable this policy setting script debugging is turned on. The user cannot turn off script debugging.If you disa
oes not appear properly because of problems with its scripting. The user cannot change this policy setting.If you disable this policy setting t
The user cannot prevent the wizard from starting.If you disable this policy setting the Internet Connection Wizard does not start automati
ese files.If you do not configure this policy setting the user can change the "Enable alternative codecs in HTML5 media elements" setting o
e this policy setting placeholders appear for graphical images while the images are downloading. The user cannot change this policy settin
d on. The user cannot change this setting.If you do not configure this policy setting the user can turn on or off automatic image resizing.
user cannot turn on image display. However the user can still display an individual image by right-clicking the icon that represents the ima
ot turn it off.If you do not configure this policy setting the user can turn on or turn off smart image dithering.
his policy setting the printing of background colors and images is turned on. The user cannot turn it off.If you disable this policy setting the
ot use the Address bar for searches. The user can still perform searches on the Search bar by clicking the Search button. • Display the res
displayed in the main window. • Enable top result search: When a user performs a search in the Address bar the user is directed to an ex
lete the signup process after the branding is complete for ISPs (IEAK). The user cannot change this behavior.If you disable this policy settin
omplete for File Explorer is turned off. The user cannot turn it on.If you disable this policy setting Inline AutoComplete for File Explorer is tu
estions will be turned off. Users will not be able to turn on URL Suggestions.If you disable this policy setting URL Suggestions will be turned
he browser Address bar.If you enable this policy setting Internet Explorer does not use Windows Search AutoComplete for providing releva
urned on. The user cannot turn it off.If you disable this policy setting inline AutoComplete is turned off. The user cannot turn it on.If you do
ot configure this policy setting the user can choose the default text size in Internet Explorer.
tting the user can specify the background color in Internet Explorer.
the text color in Internet Explorer.
this policy setting the user can turn on or turn off Windows colors for display.
inks already clicked in Internet Explorer. You must specify the link color (for example: 192192192).If you disable or do not configure this p
inks not yet clicked in Internet Explorer. You must specify the link color (for example: 192192192).If you disable or do not configure this po
y setting the user can specify the hover color.
is policy setting the user can turn on or turn off the hover color option.
Explorer does not allow sending the path portion of URLs as UTF-8. The user cannot change this policy setting.If you disable this policy setti
d to will be disabled. Users also cannot add content that is based on a channel such as some of the Active Desktop items from Microsoft's
e content. The Make Available Offline check box will be dimmed in the Add Favorite dialog box.If you disable this policy or do not configur
perties are cleared and users cannot select them. To display this tab users click the Tools menu click Synchronize select a Web page click t
nel Bar check box on the Web tab in the Display Properties dialog box.If you disable this policy or do not configure it users can view and sub
have subscribed to. However synchronization with the Web pages will still occur to determine if any content has been updated since the
e Web page Properties dialog box are dimmed. To display this tab users click the Tools menu click Synchronize select a Web page click the
ges that have been set up for offline viewing. If users click the Tools menu click Synchronize select a Web page and then click the Propertie
other settings for downloading Web content.If you disable this policy or do not configure it channel providers can record information abo
isable this policy or do not configure it users can disable the synchronization of channels.This policy is intended to help administrators ens
n the Organize Favorites Favorite dialog box and the Make This Page Available Offline check box will be selected but dimmed. To display t
e viewing.If you disable this policy or do not configure it then users can determine the amount of content that is searched for new informa
t set this limit.Note: This setting does not appear in the user interface.
annot set this limit.Note: This setting does not appear in the user interface.
u cannot set this limit.Note: This setting does not appear in the user interface.
cannot set this limit.Note: This setting does not appear in the user interface.
annot set this limit.Note: This setting does not appear in the user interface.
ls about a user's browsing. However doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30.I
ails about a user's browsing. However doing so may cause compatibility issues on some websites. The allowed value range is 3 through 30
you enable this policy setting toolbars and BHOs are not loaded by default during an InPrivate Browsing session.If you disable this policy s
is policy setting InPrivate Filtering data collection is turned off.If you disable this policy setting InPrivate Filtering collection is turned on.If y
u disable this policy setting InPrivate Browsing is available for use.If you do not configure this policy setting InPrivate Browsing can be turne
that users have visited.If you enable this policy setting InPrivate Filtering is turned off in all browsing sessions and InPrivate Filtering data i
bsites that users have visited.If you enable this policy setting Tracking Protection is disabled in all browsing sessions and Tracking Protectio
nds).If you enable this policy setting the reveal password button will be hidden for all password fields. Users and developers will not be ab
d data.If you enable this policy setting Data URI support is turned off. Without Data URI support a Data URI will be interpreted as a failed U
st can be used with the 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting which defines whether add-ons not li
er preferences and policy settings.If you enable this policy setting all processes will respect add-on management user preferences and polic
owser or web pages.By default the 'Add-on List' policy setting defines a list of add-ons to be allowed or denied through Group Policy. How
you to extend support for these user preferences and policy settings to specific processes listed in the process list.If you enable this policy
ated ActiveX control.If you disable or don't configure this policy setting users will see the "Run this time" button on the warning message
matic download breaks the out-of-date ActiveX control blocking feature by not letting the version list update with newly outdated controls
Internet Explorer continues to block specific outdated ActiveX controls.For more information see "Outdated ActiveX Controls" in the Inter
n't be blocked in Internet Explorer. Each domain entry must be formatted like one of the following:1. "domain.name.TLD". For example if
his policy setting Internet Explorer won't log ActiveX control information.Note that you can turn this policy setting on or off regardless of t
etting the user can choose to run natively implemented scriptable XMLHTTP.
tting Internet Explorer uses the default connection limit for HTTP 1.1 (6 connections per host).In versions of Internet Explorer before Intern
ions of Internet Explorer prior to Internet Explorer 8 the default connection limit for HTTP 1.0 was 4.
configure this policy setting Internet Explorer uses the default limit of 6 WebSocket connections per server.
s can request data across third-party domains embedded in the page.
in Internet Explorer 10. Also this policy setting does not prevent a site from requesting cross-domain data through a server.If you enable t
g cross-domain data through a server.If you enable this policy setting websites cannot request data across domains by using the XDomain
nctionality or behavior on a page.)If you enable this policy setting this sets the list of behaviors permitted in each zone for which Script an
haviors are prevented for all processes. Any use of binary behaviors for HTML rendering is blocked.If you disable or do not configure this p
u enable this policy setting Internet Explorer 9 installs binaries signed by MD2 and MD4 signing technologies.If you disable or do not confi
haviors are prevented for the File Explorer and Internet Explorer processes.If you disable this policy setting binary behaviors are allowed fo
to define applications for which they want this security feature to be prevented or allowed.If you enable this policy setting and enter a Val
MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file Internet Explorer renames the file by s
ty applies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vector to l
ty applies to all local files and content processed by Internet Explorer. This feature helps to mitigate attacks where the Local Machine zone
security applies to all local files and content. This feature helps to mitigate attacks where the Local Machine zone is used as an attack vect
g Safety Feature is disabled for all processes.
er processes will allow a MIME sniff promoting a file of one type to a more dangerous file type.If you do not configure this policy setting M
ng and enter a Value of 1 this protection will be in effect. If you enter a Value of 0 any file may be promoted to more dangerous file types.
this policy setting the MK Protocol is enabled.
If you disable this policy setting applications can use the MK protocol API. Resources hosted on the MK protocol will work for the File Expl
policy setting and enter a Value of 1 use of the MK protocol is prevented. If you enter a Value of 0 use of the MK protocol is allowed. If a V
btained through restricted protocols is allowed for all processes other than File Explorer or Internet Explorer.If you disable this policy setti
tricting content obtained through restricted protocols is allowed for File Explorer and Internet Explorer processes. For example you can re
pplications for which they want restricting content obtained through restricted protocols to be prevented or allowed.If you enable this pol
and applies to all processes which have opted in to the security restriction.If you enable this policy setting for a zone this sets the list of pro
Explorer Processes for which the Notification bar is displayed by default). If you enable this policy setting the Notification bar will be displa
net Explorer Processes.If you disable this policy setting the Notification bar will not be displayed for Internet Explorer processes.If you do n
tification bar is displayed by default).If you enable this policy setting and enter a Value of 1 the Notification bar is displayed. If you enter a
e this policy setting object reference is retained when navigating within or across domains in the Restricted Zone sites.
his policy setting an object reference is retained when navigating within or across domains for Internet Explorer processes.If you do not co
and enter a Value of 1 references to objects are inaccessible after navigation. If you enter a Value of 0 references to objects are still access
aking the Local Machine security zone a prime target for malicious users.If you enable this policy setting any zone can be protected from zo
hine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context.If yo
al Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security contex
s policy setting the Web Browser Control will not block automatic prompting of ActiveX control installation for all processes.
not be blocked for Internet Explorer processes.If you do not configure this policy setting the user's preference will be used to determine w
X control installation is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the po
sable this policy setting the Web Browser Control will not block automatic prompting of file downloads that are not user initiated for all pr
nitiated for Internet Explorer processes.If you do not configure this policy setting the user's preference determines whether to prompt for
mpting of non-initiated file downloads is allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is n
ws' title and status bars.If you enable this policy setting scripted windows are restricted for all processes.If you disable or do not configure t
ws' title and status bars.If you enable this policy setting popup windows and other restrictions apply for File Explorer and Internet Explorer
ws' title and status bars.This policy setting allows administrators to define applications for which they want this security feature to be preve
will be displayed with its default settings unless users customize it.
w command buttons are displayed:Show all text labels: All command buttons have only text.Show selective text: Some command buttons
r the Toolbars submenu of the Tools menu in the Command bar in subsequent versions of Internet Explorer.If you enable this policy the Cu
nfigure it users can determine which toolbars are displayed in File Explorer and Internet Explorer.This policy can be used in coordination w
Command bar is shown by default and the user can choose to hide it.
shown by default and the user can choose to hide it.
bars are locked by default but the user can unlock them through the shortcut menu of the Command bar.
next to the Address bar and the user cannot move them.If you do not configure this policy setting the Stop and Refresh buttons are next
ecific toolbars or Browser Helper Objects that are enabled or disabled via policy settings do not undergo this check.If you enable this policy
made bigger (20 x 20 pixels).If you do not configure this policy setting icons for command buttons are 16 x 16 pixels and the user can make
programs on this computer will not be prevented from using location information from the location feature.
or feature.
Books tab. For this to work properly your students and teachers must be signed in using a school account.If you disable or don't configure
wn functionality. Therefore because search suggestions are shown in the drop-down this setting takes precedence over the "Configure sea
ons under Settings.

won't automatically download updated configuration data for the Books Library.
tting Microsoft Edge only sends basic telemetry data depending on your device configuration.
de is unavailable for use in Microsoft Edge.
or don’t configure this setting Microsoft Edge periodically downloads the latest version of the list from Microsoft applying the updates dur
ring Windows sign in when the system is idle and each time Microsoft Edge is closed; minimizing the amount of time required to start up M
d New Tab page during Windows sign in and each time Microsoft Edge is closed; minimizing the amount of time required to start up Micro
story exists before this policy was disabled the previous browsing history remains visible in the History pane. This policy when disabled do
ft browser extension policy (aka.ms/browserpolicy).If you enable or don't configure this policy users can add new search engines and chang
ions in Microsoft Edge is not allowed. Extensions can be installed only through Microsoft store (including a store for business) enterprise s
u use this setting employees can't change it.If you don't configure this setting employees can choose how new tabs appears.
disable or don't configure this setting Microsoft Edge shows the Books Library only in countries or regions where it's supported.
ith domain-joined or MDM-enrolled devices. For more info see the Microsoft browser extension policy (aka.ms/browserpolicy).If you enab
sable this setting employees can't use Autofill to automatically fill in forms while using Microsoft Edge.If you don't configure this setting em
ebsites.If you disable or don't configure this setting all cookies are allowed from all sites.
king for tracking info.If you disable this setting Do Not Track requests are never sent to websites asking for tracking info.If you don't config
lso provide a list of Favorites in the Options section. This list is imported after your policy is deployed.If you disable or don't configure this
your users from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages so
m making changes in Microsoft Edge's UI settings. To let your users change the Microsoft Edge UI settings enable the Unlock Home Button
e.You need to configure Microsoft Edge in assigned access for this policy to take effect; otherwise these settings are ignored. To learn mor
40). You must set the Configure kiosk mode policy to 1 and configure Microsoft Edge in assigned access as a single app for this policy to wo
Start Pages policy.- Previous pages: all tabs the user had open when Microsoft Edge last closed loads ignoring the Configure Start Pages po
d Manager to save their passwords locally.If you don't configure this setting employees can choose whether to use Password Manager to
onfigure this setting employees can choose whether to use Pop-up Blocker.
soft Edge.If you disable this setting employees can't see search suggestions in the Address bar of Microsoft Edge.If you don't configure this
g format: <support.contoso.com><support.microsoft.com>If disabled or not configured the webpages specified in App settings loads as
k specifically by how often the content is allowed to load and run.
be viewed using Internet Explorer 11 and Enterprise Mode.If you disable or don't configure this setting Microsoft Edge won't use the Ente
ble this setting Windows Defender SmartScreen is turned on and employees can't turn it off.If you disable this setting Windows Defender S
ured using the Configure Start pages policy is not locked down allowing users to edit their Start pages.If disabled or not configured the Star
ween Internet Explorer and Microsoft Edge.

cess the about:flags page.
u disable or don't configure this setting employees can ignore Windows Defender SmartScreen warnings and continue the download proce
or don't configure this setting employees can ignore Windows Defender SmartScreen warnings and continue to the site.
disabled or not configured overriding certificate errors are allowed.
h as Create a new folder) are all turned off.ImportantDon't enable both this setting and the Keep favorites in sync between Internet Explo
hen a user pins a Live Tile to the Start menu.If you disable or don't configure this setting Microsoft Edge gathers the Live Tile metadata pro
will see the First Run page when opening Microsoft Edge for the first time.
extensions defined in this policy such as allow for InPrivate browsing. Any additional permissions requested by future updates of the exte
are shown while making calls using the WebRTC protocol.
e Hub or Favorites Bar). The user favorites will appear after these provisioned favorites.ImportantDon't enable both this setting and the Ke
ble or don't configure this setting all intranet sites are automatically opened using Microsoft Edge.
wserpolicy).If you enable this setting you can choose a default search engine for your employees. If this setting is enabled you must also a
g: Blank or not configuredRelated policy: Configure Home Button
bled you can set the default New Tab page URL.If disabled or not configured the default Microsoft Edge new tab page is used.Default setti
he notification appears on a new page. If you want users to continue in Microsoft Edge select the Show Keep going in Microsoft Edge optio
L are enabled.If enabled the UI settings for the home button are enabled allowing your users to make changes including hiding and showin
add or remove snap-ins. Also because they cannot open author-mode console files they cannot use the tools that the files contain.This setti
rmitted snap-ins setting folder and enable the settings representing the snap-in you want to permit. If a snap-in setting in the folder is disa
dded into the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stati
ibited.-- If "Restrict users to the explicitly permitted list of snap-ins" is enabled users cannot use any snap-in except those explicitly permi
irectory Users and Computers and Active Directory Sites and Services snap-ins. If you disable the setting the Group Policy tab is not display
location. This is the default value. You can disable the sync provider on computers that never go offline and are always connected to the s
nchronize settings for Windows apps.If you disable this policy setting the UE-V Agent will synchronize settings for Windows apps. If you do
der doesn’t attempt the synchronization. If you enable this policy setting the sync provider pings the settings storage location before synch
ytes. When the settings package file exceeds this threshold the UE-V Agent will write a warning event to the event log.If you disable or do
or your environment.
n.With this setting disabled the UE-V Agent does not synchronize settings over a metered connection.If you do not configure this policy setti
tion that is roaming.With this setting enabled the UE-V Agent synchronizes settings over a metered connection that is roaming.With this s
to retrieve settings. If you disable or do not configure this policy setting the default value of 2000 milliseconds is used.
ecify which Windows settings synchronize between computers. You can also use these settings to enable synchronization of users' sign-in
e rollback information is copied to the settings storage location when the user logs off or shuts down their VDI session. Enable this setting
cy setting certain user settings of Microsoft Access 2013 will continue to be backed up.If you disable this policy setting certain user settings
cy setting certain user settings of Microsoft Access 2016 will continue to be backed up.If you disable this policy setting certain user settings
user settings continue to synchronize. If you disable this policy setting Calculator user settings are excluded from the synchronization setti
etting to suppress the backup of specific common Microsoft Office Suite 2013 applications.If you enable this policy setting certain user setti
etting to suppress the backup of specific common Microsoft Office Suite 2016 applications.If you enable this policy setting certain user setti
tting certain user settings of Microsoft Excel 2013 will continue to be backed up.If you disable this policy setting certain user settings of Mi
tting certain user settings of Microsoft Excel 2016 will continue to be backed up.If you disable this policy setting certain user settings of Mi
s policy setting certain user settings of Microsoft InfoPath 2013 will continue to be backed up.If you disable this policy setting certain user
his policy setting the Internet Explorer 10 user settings continue to synchronize. If you disable this policy setting Internet Explorer 10 user s
his policy setting the Internet Explorer 11 user settings continue to synchronize.If you disable this policy setting Internet Explorer 11 user se
policy setting the Internet Explorer 8 user settings continue to synchronize. If you disable this policy setting Internet Explorer 8 user setting
policy setting the Internet Explorer 9 user settings continue to synchronize. If you disable this policy setting Internet Explorer 9 user setting
ternet Explorer from synchronization between computers. If you enable this policy setting the user settings which are common between t
ng certain user settings of Microsoft Lync 2013 will continue to be backed up.If you disable this policy setting certain user settings of Micro
ng certain user settings of Microsoft Lync 2016 will continue to be backed up.If you disable this policy setting certain user settings of Micro
nable this policy setting Microsoft Access 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Access 201
e this policy setting Microsoft Excel 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Excel 2010 user se
this policy setting Microsoft Excel 2013 user settings continue to synchronize.If you disable this policy setting Microsoft Excel 2013 user se
this policy setting Microsoft Excel 2016 user settings continue to synchronize.If you disable this policy setting Microsoft Excel 2016 user se
ou enable this policy setting Microsoft InfoPath 2010 user settings continue to synchronize.If you disable this policy setting Microsoft InfoP
ou enable this policy setting Microsoft InfoPath 2013 user settings continue to synchronize.If you disable this policy setting Microsoft InfoP
his policy setting Microsoft Lync 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Lync 2010 user setti
his policy setting Microsoft Lync 2013 user settings continue to synchronize.If you disable this policy setting Microsoft Lync 2013 user settin
his policy setting Microsoft Lync 2016 user settings continue to synchronize.If you disable this policy setting Microsoft Lync 2016 user settin
t the user settings which are common between the Microsoft Office Suite 2010 applications from synchronization between computers. If y
t the user settings which are common between the Microsoft Office Suite 2013 applications from synchronization between computers.If y
nchronization between computers.If you enable this policy setting Microsoft Office 2013 Upload Center user settings continue to synchron
t the user settings which are common between the Microsoft Office Suite 2016 applications from synchronization between computers.If y
nchronization between computers.If you enable this policy setting Microsoft Office 2016 Upload Center user settings continue to synchron
3 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft O
6 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft O
s which are common between the Microsoft Office Suite 2013 applications will synchronize between a user’s work computers with UE-V b
s which are common between the Microsoft Office Suite 2016 applications will synchronize between a user’s work computers with UE-V b
ill synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Offi
ill synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Offi
2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Micros
synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Offic
synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Offic
2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Micro
2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Micro
013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microso
016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microso
Point 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of M
Point 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of M
r 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Micro
r 2016 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Micro
5 SharePoint Designer 2013 will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the
will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Offi
will synchronize between a user’s work computers with UE-V by default. Use this policy setting to prevent the user settings of Microsoft Offi
puters.If you enable this policy setting OneDrive for Business 2013 user settings continue to synchronize.If you disable this policy setting O
puters.If you enable this policy setting OneDrive for Business 2016 user settings continue to synchronize.If you disable this policy setting O
you enable this policy setting Microsoft OneNote 2010 user settings continue to synchronize.If you disable this policy setting Microsoft On
u enable this policy setting Microsoft Outlook 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Outloo
puters.If you enable this policy setting Microsoft PowerPoint 2010 user settings continue to synchronize.If you disable this policy setting M
nable this policy setting Microsoft Project 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Project 20
f you enable this policy setting Microsoft Publisher 2010 user settings continue to synchronize.If you disable this policy setting Microsoft P
hronization between computers.If you enable this policy setting Microsoft SharePoint Designer 2010 user settings continue to synchronize
hronization between computers.If you enable this policy setting Microsoft SharePoint Designer 2013 user settings continue to synchronize
m synchronization between computers.If you enable this policy setting Microsoft SharePoint Workspace 2010 user settings continue to sy
his policy setting Microsoft Visio 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Visio 2010 user setti
e this policy setting Microsoft Word 2010 user settings continue to synchronize.If you disable this policy setting Microsoft Word 2010 user
settings continue to synchronize. If you disable this policy setting Notepad user settings are excluded from the synchronization settings.If y
his policy setting certain user settings of Microsoft OneNote 2013 will continue to be backed up.If you disable this policy setting certain us
his policy setting certain user settings of Microsoft OneNote 2016 will continue to be backed up.If you disable this policy setting certain us
policy setting certain user settings of Microsoft Outlook 2013 will continue to be backed up.If you disable this policy setting certain user se
policy setting certain user settings of Microsoft Outlook 2016 will continue to be backed up.If you disable this policy setting certain user se
enable this policy setting certain user settings of Microsoft PowerPoint 2013 will continue to be backed up.If you disable this policy setting
enable this policy setting certain user settings of Microsoft PowerPoint 2016 will continue to be backed up.If you disable this policy setting
licy setting certain user settings of Microsoft Project 2013 will continue to be backed up.If you disable this policy setting certain user settin
licy setting certain user settings of Microsoft Project 2016 will continue to be backed up.If you disable this policy setting certain user settin
this policy setting certain user settings of Microsoft Publisher 2013 will continue to be backed up.If you disable this policy setting certain u
this policy setting certain user settings of Microsoft Publisher 2016 will continue to be backed up.If you disable this policy setting certain u
gner 2013 settings.If you enable this policy setting certain user settings of Microsoft SharePoint Designer 2013 will continue to be backed
tting certain user settings of Microsoft Visio 2013 will continue to be backed up.If you disable this policy setting certain user settings of Mic
tting certain user settings of Microsoft Visio 2016 will continue to be backed up.If you disable this policy setting certain user settings of Mic
setting certain user settings of Microsoft Word 2013 will continue to be backed up.If you disable this policy setting certain user settings of M
setting certain user settings of Microsoft Word 2016 will continue to be backed up.If you disable this policy setting certain user settings of M
er settings continue to synchronize. If you disable this policy setting WordPad user settings are excluded from the synchronization settings
ontinue to sync.If you disable this policy setting Finance user settings are excluded from synchronization.If you do not configure this policy
tinue to sync.If you disable this policy setting Games user settings are excluded from synchronization.If you do not configure this policy setti
to sync.If you disable this policy setting Maps user settings are excluded from synchronization.If you do not configure this policy setting an
e to sync.If you disable this policy setting Music user settings are excluded from the synchronizing settings.If you do not configure this polic
to sync.If you disable this policy setting News user settings are excluded from synchronization.If you do not configure this policy setting an
tinue to sync.If you disable this policy setting Reader user settings are excluded from the synchronization.If you do not configure this polic
ue to sync.If you disable this policy setting Sports user settings are excluded from synchronization.If you do not configure this policy settin
e to sync.If you disable this policy setting Travel user settings are excluded from synchronization.If you do not configure this policy setting
to sync.If you disable this policy setting Video user settings are excluded from synchronization.If you do not configure this policy setting a
ngs continue to sync.If you disable this policy setting Weather user settings are excluded from synchronization.If you do not configure this
n their profile.If you enable this policy setting users cannot share files within their profile using the sharing wizard. Also the sharing wizard
d the privacy experience will not launch for newly-created user accounts or for accounts that would have been prompted to choose their p
users a quick and easy way to configure their system settings before a presentation to block system notifications and screen blanking adju
attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting.You can enforce this p
his policy setting is enforced users cannot override this setting even if they select the "Use these RD Gateway server settings" option on the
nforced users cannot override this setting even if they select the "Use these RD Gateway server settings" option on the client.Note: It is hig
ent computer. Before a user starts an RDP session the user receives a warning message and is asked to confirm whether they want to conn
certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example whe
saves his settings any password that previously existed in the RDP file will be deleted.If you disable this setting or leave it not configured t
es to start an .rdp file that is signed by a trusted certificate the user does not receive any warning messages when they start the file. To ob
user session.2. Full Control with user's permission: Allows the administrator to interact with the session with the user's consent.3. Full Con
any reason the Remote Desktop Easy Print printer driver cannot be used a printer driver on the RD Session Host server that matches the c
rwise specified with this setting by the server administrator or by the user in configuring the client connection. Enabling this setting overri
sessions are reached. By default Remote Desktop Services disconnects sessions that reach their time limits.Time limits are set locally by th
ervices will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes b
y disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Serv
Remote Desktop Services session without logging off and ending the session.When a session is in a disconnected state running programs a
ment file types to be associated with RemoteApp programs.The default connection URL must be configured in the form of http://contoso
ss the feed list in the Favorites Center.
gure this policy setting the user receives a notification when a feed or Web Slice is available and can click the feed discovery button.
tting through the Feed APIs.If you disable or do not configure this policy setting the user can set the Feed Sync Engine to download an enclo
elete a feed or Web Slice by using the Feed APIs. A developer also cannot create or delete folders.If you disable or do not configure this po
s in the background.
cure HTTP connection.If you disable or do not configure this policy setting the Windows RSS Platform does not authenticate feeds to serve
ths that do not reference a specific SID will not be excluded from indexing if these are only specified in the Group Policy under "User Confi
ot reference a specific SID will not be included for indexing if these are only specified in the Group Policy under "User Configuration." To in
tions to the index.This policy has no effect if the Files on Microsoft Networks add-in is not installed.Disabled by default.
em paths that do not reference a specific SID will not be excluded from indexing if these are only specified in the Group Policy under "User
onfigure this policy setting users will get search suggestions based on previous searches in the search pane.
not configure this policy setting Sound Recorder can be run.
catalog in the Microsoft Store.
you do not configure this policy users will be able to use this feature to print to a Journal Note.
d pen cursors will be shown unless the user disables them in Control Panel.
ping will occur.
).If you disable this policy applications can be launched from a hardware button.If you do not configure this policy applications can be laun
tact your system administrator."If you disable this policy press and hold actions for buttons will be available.If you do not configure this po
is policy user and OEM defined button actions will occur when the buttons are pressed.
guage.Touch Keyboard and Handwriting panel enables you to use handwriting or an on-screen keyboard to enter text symbols numbers or
to enter text symbols numbers or keyboard shortcuts.If you enable this policy Input Panel will never appear next to text entry areas when
ext symbols numbers or keyboard shortcuts.If you enable this policy Input Panel will never appear next to any text entry area when a user
ista only) only when these input languages or keyboards are installed. Touch Keyboard and Handwriting panel (a.k.a. Tablet PC Input Pane
ge of the Tablet PC screen. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy Inp
ble this policy application auto complete lists will never appear next to Input Panel. Users will not be able to configure this setting in the In
ot showing what keys are tapped when entering a password.Touch Keyboard and Handwriting panel enables you to use handwriting or an
esture shapes. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter te
are disabled and that the pen flicks notification will never be displayed. However pen flicks the pen flicks tray icon and pen flicks training
onfigure this policy pen flicks and related features are available.
and other touch-specific features.If you disable this setting the user can produce input with touch by using gestures the touch pointer and
to pan windows by touch. If you disable this setting the user can pan windows by touch.If you do not configure this setting Touch Panning
eated task's property sheet upon completion of the "Add Scheduled Task" wizard. The task's property sheet allows users to change task c
roperties that appear in Detail view and in the task preview.This setting prevents users from viewing and changing characteristics such as t
Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over
or the "Start in" box that determine the program and path for a task.As a result when users create a task they must select a program from
r.As a result users cannot add new scheduled tasks by dragging moving or copying a document or program into the Scheduled tasks folder
tion and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the settin
duled Tasks folder.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured
e turned on.The default is for Windows Calendar to be turned on.
ninstall color profiles that they previously installed. Administrators will be able to uninstall all color profiles.
ble this setting Windows Defender SmartScreen is turned on and employees can't turn it off.If you disable this setting Windows Defender S
or don't configure this setting employees can ignore Windows Defender SmartScreen warnings and continue to the site.
any memory dumps generated for error reports by Microsoft Windows are automatically uploaded without notification to the user.If you
rting events and errors are logged to the system event log as with other Windows-based programs.
to Microsoft. Additionally solution information is not available in Security and Maintenance in Control Panel.If you disable or do not config
ou disable or do not configure this policy setting then consent policy settings in Computer Configuration/Administrative Templates/Window
al CAB files that can contain data about the same event types as an earlier uploaded report.If you disable or do not configure this policy se
ent power source.If you enable this policy setting WER does not determine whether the computer is running on battery power but checks
d.If you disable or do not configure this policy setting WER does not send data but will check the network cost policy again if the network
or is set to Store parameters only only the minimum information required to check for an existing solution is stored. The Maximum numbe
curs whether the report should be placed in the reporting queue or the user should be prompted to send it immediately. When Queuing b
rting never reports errors click Show and then add or remove applications from the list of application file names in the Show Contents dia
k before sending data: Windows prompts users for consent to send reports.- Send parameters: Only the minimum data that is required to
neric non-fatal errors: crash no response and kernel fault errors. For each specified event type you can set a consent level of 0 1 2 3 or 4.-
tting custom consent policy settings for error reporting determine the consent level for specified event types and the default consent settin
tting Windows Hello for Business will use a key or a Kerberos ticket (depending on other policy settings) for on-premises authentication.NO
or all users.If you disable this policy setting the device does not provision Windows Hello for Business for any user.If you do not configure t
ned to the computer (installed automatically) or made available in Add or Remove Programs in Control Panel. This profile setting lets users
n when the installation is running in the user's security context.If you disable or do not configure this policy setting users can install from r
on. It also prevents Windows Installer from retaining files it intends to delete later. As a result Windows Installer cannot restore the compu
s policy setting you can change the search order by specifying the letters representing each file source in the order that you want Windows
hours expire.If you disable or do not configure this setting users receive warnings before the logon hours expire if actions have been set t
abled or not configured no popup will be displayed to the user.
ed logon hours.If you choose to log off a user the user cannot log on again except during permitted logon hours. If you choose to log off a u
nformation for CDs and DVDs from the Internet check box on the Privacy Options tab in the first use dialog box and on the Privacy tab in th
addition the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box in the first
olicy is configured are not be updated and presets a user adds are not be displayed.If you disable or do not configure this policy setting the
oxy settings are used.If the Custom proxy type is selected the rest of the options on the Setting tab must be specified because no default se
st of the options on the Setting tab must be specified; otherwise the default settings are used. The options are ignored if Autodetect is sele
60 that streaming media is buffered.- Default: default network buffering is used and the number of seconds that is specified is ignored.The
t of the options on the Setting tab must be specified; otherwise the default settings are used. The options are ignored if Autodetect is sele
twork tab appears and users can use it to configure network settings.
tream initiated through an MMS or RTSP URL from a Windows Media server. If the RSTP/UDP check box is selected a user can specify UDP
eck box on the Player tab in the Player is selected and is not available.If you disable this policy setting a screen saver does not interrupt pla
ble.If you disable this policy setting codecs are automatically downloaded and the Download codecs automatically check box is not availab
n this policy is not configured or disabled users can show or hide the anchor window when the Player is in skin mode by using the Player ta
nless the "Prevent music file media information retrieval" policy setting is enabled.The default privacy settings are used for the options on
unless these settings have been hidden or disabled by Internet Explorer policies.If you disable or do not configure this policy setting users
mz) and the skin must be installed in the %programfiles%\Windows Media Player\Skins Folder on a user's computer. If the skin is not insta
dows Messenger.Note: This policy setting is available under both Computer Configuration and User Configuration. If both are present the C
his policy setting simply prevents Windows Messenger from running initially. If the user invokes and uses Windows Messenger from that p
ndows Mobility Center and the .exe file launches it.If you do not configure this policy setting Windows Mobility Center is on by default.
t value with the SourcePath parameter on the Update-Help cmdlet.If this policy setting is disabled or not configured this policy setting doe
setting the LogPipelineExecutionDetails property of the module to True. If you disable this policy setting logging of execution events is
mation. If you disable this policy setting logging of PowerShell script input is disabled. If you enable the Script Block Invoc
he Windows PowerShell engine. By default Windows PowerShell will record transcript output to each users' My Documents directory
ublisher.The "Allow local scripts and remote signed scripts" policy setting allows any local scrips to run; scripts that originate from the Inte
box regardless of whether the 'Install Updates and Shut Down' option is available in the 'What do you want the computer to do?' list.If yo
installation when the user selects the Shut Down option in the Start menu.If you disable or do not configure this policy setting the 'Install
Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive criti
d PC. If this policy setting is disabled or not configured no Work Folders settings are specified for the affected users though users can manu
revious session.
you enable this setting you can select specific items not to display on the Control Panel window and the Start screen.To hide a Control Pan
reSearch resultsIf users try to select a Control Panel item from the Properties item on a context menu a message appears explaining that a
hown instead.This policy has two modes: it can either specify a list of settings pages to show or a list of pages to hide. To specify a list of p
exe. This policy has no effect on items displayed in PC settings.To display a Control Panel item enable this policy setting and click Show to a
nfigured system services. If you enable this setting "Set up services" never appears.This setting does not prevent users from using other me
ds to install programs.
e Add/Remove Windows Components button is available to all users.This setting does not prevent users from using other tools and metho
other tools and methods to delete or uninstall programs.
ve program components.Note: If the "Hide Add New Programs page" setting is enabled this setting is ignored. Also if the "Prevent removab
w Programs page" setting is enabled this setting is ignored.
ws Installer. Typically system administrators publish programs to notify users that the programs are available to recommend their use or t
tting or do not configure it the Set Program Access and Defaults button is available to all users.This setting does not prevent users from usi
Remove Programs.If you disable this setting or do not configure it Add or Remove Programs is available to all users.When enabled this setti
uct ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet such as the Mi
ou must enter a category that is already defined in Add or Remove Programs. To define a category use Software Installation.If you disable
ar) settings.
id screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client compu
not configure this setting the users can select the visual style that they want to use by changing themes (if the Personalization Control Pane
enable this setting type the name of the file that contains the screen saver including the .scr file name extension. If the screen saver file is
default theme will be applied at the first logon.
ection setting.If you do not configure this setting users can choose whether or not to set password protection on each screen saver.To ensu
ws.If this setting is disabled or not configured the Color (or Window Color) page or Color Scheme dialog is available in the Personalization
also enable the "Desktop Wallpaper" setting to prevent users from changing the desktop wallpaper. Refer to KB article: Q327998 for mor
oad a specific theme" setting the theme defaults to whatever the user previously set or the system default.
er may not apply a different visual style when changing themes.
aver" setting is disabled. - Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Perso
ternet or on a home or office network" option. When users click Browse the system opens an Internet browser and navigates to the specifi
on Add Printer Wizard's page 3 and do not specify a printer name in the adjacent "Name" edit box then Add Printer Wizard displays the lis
Directory searches for printers. It does not restrict user searches through Active Directory.
are no restrictions to printing based on connection type or printer Make/Model.
ations (separated by commas) that correspond to approved USB printer models. When a user tries to print to a USB printer queue the dev
d print only.
e point and print connection anytime a package point and print connection fails including attempts that are blocked by this policy. Admini
nt driver is available on the client a printer connection will be made. If a compatible print driver is not available on the client no connection
If they try a message appears explaining that the setting prevents the action. However this setting does not prevent users from using
ing the methods described above.
rams that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically system admi
ge will be available to all users.This setting does not prevent users from using other tools and methods to install or uninstall programs.
s Control Panel Features including Windows Features Get Programs or Windows Marketplace.
ations.If this setting is disabled or not configured the Set Program Access and Defaults button is available to all users.This setting does not
ot prevent users from using other tools and methods to configure services or enable or disable program components.
ther methods. If this feature is disabled or is not configured the "Get new programs from Windows Marketplace" task link will be available
also appear in the Programs Control Panel.If this setting is disabled or not configured the Programs Control Panel in Category View and Pro
enable this policy setting the user cannot see the Administrative options.If you disable or do not configure this policy setting the user can s
this policy setting the user sees the option for changing the user location (GeoID).Note: Even if a user can see the GeoID option the "Disal
f you disable or do not configure this policy setting the user sees the option for changing the UI language.Note: Even if a user can see the
ure this policy setting the user sees the regional formats options for changing and customizing the user locale.
or the user. If you disable or do not configure this policy setting there is no language packs or language features installation restriction
rom specifying a language different than the one used.To enable this policy setting in Windows Vista use the "Restricts the UI languages W
icy setting the language selection defaults to the language selected by the user.If you disable or do not configure this policy setting there i
ot Configured then the user will be free to change the setting according to their preference. Note that the availability and function of t
d then the user will be free to change the setting according to their preference. Note that the availability and function of this setting is
option will be locked to not insert a space after selecting a text prediction. If the policy is Disabled or Not Configured then the user will
he policy is Disabled or Not Configured then the user will be free to change the setting according to their preference. Note that the av
rom the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to t
Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop.
beside the Start button) and point to "Toolbars."Also see the "Prohibit adjusting desktop toolbars" setting.
amespace allowing them to present their users with a simpler desktop environment.If you enable this setting Computer is hidden on the d
art menu. To do so use the "Remove My Documents icon from Start Menu" setting.Note: To make changes to this setting effective you mu
gure this policy setting the Properties menu command is displayed.
n run the Desktop Cleanup Wizard or have it run automatically every 60 days from Display by clicking the Desktop tab and then clicking the
filter bar open Network Locations click Entire Network and then click Directory. Right-click the name of a Windows domain and click Find.
t tempt them to casually browse Active Directory.
objects returned" box to limit returns from an Active Directory search.If you disable this setting or do not configure it the system displays u
em is deleted each time the setting is refreshed.Note: Removing an item from the "Add" list for this setting is not the same as deleting it. I
as Wallpaper".Also see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\
as C:\Windows\web\wallpaper\home.jpg or a UNC path such as \\Server\Share\Corp.jpg. If the specified file is not available when the use
If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enable
IF for their desktop wallpaper.
If the "Turn on Classic Shell" setting ( in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabl
b content or disable lock or synchronize Active Desktop components.

g items from their Active Desktop.
dialog box is available to users.If you enable this setting a Properties menu item appears when any user right-clicks the icon for a remote ac
n Data\Microsoft\Network\Connections\Pbk to delete a shared remote access connection.If you disable this setting (and enable the "Enab
for Administrators" setting) double-clicking the icon has no effect and the Enable and Disable menu items are disabled for all users (includ
e File menu.If you disable this setting the Rename option is disabled for nonadministrators only.If you do not configure the setting only Ad
work Configuration Operators can rename LAN connectionsNote: This setting does not apply to Administrators.Note: When the "Ability to
connections is disabled for all users (including Administrators and Network Configuration Operators).Important: If the "Enable Network Co
P Professional do not have the ability to prohibit the use of features from Administrators.If you enable this setting the Windows XP setting
e Local Area Connection Properties dialog box.Important: If the "Enable Network Connections settings for Administrators" is disabled or no
Configuration Operators are prohibited from accessing connection components regardless of the "Enable Network Connections settings fo
ll users (including administrators).Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured
e Advanced Settings item is disabled for administrators.Important: If the "Enable Network Connections settings for Administrators" is disab
he "Enable Network Connections settings for Administrators" is disabled or not configured this setting will not apply to administrators on p
is disabled for all users (including administrators).Important: If the "Enable Network Connections settings for Administrators" is disabled o
ents in the Windows Components Wizard.Important: If the "Enable Network Connections settings for Administrators" is disabled or not con
ection Properties dialog box for a private connection is available to users.If you enable this setting (and enable the "Enable Network Conne
ot configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setting or do not configure i
If the "Enable Network Connections settings for Administrators" is disabled or not configured this setting will not apply to administrators
s settings for Administrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.
or all users (including administrators).Important: If the "Enable Network Connections settings for Administrators" is disabled or not configu
WINS server information.Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured this setti
g box are not available to users (including administrators). The Status option is disabled in the context menu for the connection and on the
quest with a valid IP address. By default a notification is displayed providing the user with information on how the problem can be resolve
ine" indicates that the computer can use local copies of network files while the server is inaccessible.-- "Never go offline" indicates that n
ding to the events you want the system to log. The levels are cumulative; that is each level includes the events in all preceding levels."0" re
st reminder.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting
can work offline when they are disconnected from this server or type "1" if they cannot.This setting appears in the Computer Configuration
s available offline. Also it does not prevent them from using other programs such as Windows Explorer to view their offline files.This settin
ehensive setting that locks down the configuration you establish by using other settings in this folder.This setting appears in the Computer
y 60 minutes and are displayed for 15 seconds. You can use this setting to change the update interval.This setting appears in the Compute
ng appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configura
want to make available offline.Notes:This policy setting appears in the Computer Configuration and User Configuration folders. If both poli
. Leave the Value column field blank.If you disable this policy setting the list of files and folders is deleted including any lists inherited from
the file or folder. Leave the Value column field blank.If you disable this policy setting the list of files or folders made always available offlin
he system only performs a quick synchronization. Quick synchronization ensures that files are complete but does not ensure that they are
ng automatically enables logon synchronization in Synchronization Manager.If this setting is disabled and Synchronization Manager is con
r do not configuring this setting files are not synchronized when the computer is suspended.Note: If the computer is suspended by closing
m.If you disable the setting the system displays the reminder balloons and prevents users from hiding them.If this setting is not configured
a wireless router or access point" and "Add a wireless device." The default for this policy setting allows users to access all WCN wizards.
o allow shared folders to be published when this setting is not configured.
ed. Note: The default is to allow shared folders to be published when this setting is not configured.
y share the memory space allocated to the VDM process and cannot run simultaneously.Enabling this setting adds a check box to the Run
em from the Start Menu.If you disable this setting or do not configure it users can use the Display Logoff item to add and remove the Log O
the start menu.
Shut Down by default and the user can change this setting to another action.
or do not configure this setting the system retains document shortcuts and when a user logs on the Recent Items menu and the Jump List
user logged off including the history of previous notifications for each tile.This setting does not prevent new notifications from appearing.
ear as toast notifications.A reboot is required for this policy setting to take effect.
websites and other items to a program's Jump List so that the items is always present in this menu.
o not configure this policy setting users can change the programs currently pinned to the Taskbar.
ar. Moreover the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start butto
s that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or show
ot display shortcuts at the bottom of the File menu. In addition the Jump Lists off of programs in the Start Menu and Taskbar do not show
ated with the shortcut. If the target file is located on an NTFS partition the system then uses the target's file ID to find a path. If the resulti
l paths associated with the shortcut. If the target file is located on an NTFS partition the system then uses the target's file ID to find a path
the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons.If you disable this settin
nfigure it all Start menu shortcuts appear as black text.Note: Enabling this setting can make the Start menu slow to open.
ny) and the system clock.If this setting is disabled or is not configured the notification area is shown in the user's taskbar.Note: Enabling th
n the apps are sorted by category and the user can configure this setting.
While the taskbar is locked auto-hide and other taskbar options are still available in Taskbar properties.If you disable this setting or do not
om Settings on the Start menu.

at share the same program are grouped together. The users have the option to disable grouping if they choose.
nter the customize mode and rearrange tiles within Start and Apps.
ng other methods to issue the commands that appear on these menus.

able the "Show app list in Start menu" in Settings so users cannot turn it to On.Selecting "Remove and disable setting" will remove the all a
menu. The Power button is also removed from the Windows Security screen which appears when you press CTRL+ALT+DELETE.If you disab
s gone" on the Start menu and "Where have my icons gone" in the notification area.If you disable this setting or do not configure it all pop
ch programs are accessible from the Start menu desktop and other locations.If you disable or do not configure this policy setting the Defa
e you must log off and then log on.If you disable or do not configure this policy setting he Documents icon is available from the Start menu
d then click Customize. If you are using Start menu click the Advanced tab and then under Start menu items click the Favorites menu. If yo
ernet Explorer.Windows Update the online extension of Windows offers software updates to keep a user’s system up-to-date. The Window
figure this policy setting users can use the Display Logoff item to add and remove the Log Off item.This policy setting affects the Start menu
if users try to start it a message appears explaining that a setting prevents the action.If you disable or do not configure this policy setting N
ew any notifications they miss.If you disable or do not configure this policy setting Notification and Security and Maintenance will be displ
uch as right-clicking the desktop to start Display or right-clicking Computer to start System.If you disable or do not configure this policy setti
not turn the menu on.If you later disable the setting so that the Recent Items menu appears in the Start Menu the document shortcuts sav
ocal drives: e.g. C:--- Accessing local folders: e.g. \temp>Also users with extended keyboards will no longer be able to display the Run dial
he Application key (the key with the Windows logo)+ F.Note: Enabling this policy setting also prevents the user from using the F3 key.In Fil
esults" link.
g the user name label appears on the Start Menu in Windows XP and Windows Server 2003.
nfuse users you can use this setting to hide user-specific folders.Note that this setting hides all user-specific folders not just those associate
rom using other methods such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" com
f you enable this policy setting users can show an additional calendar in either Simplified Chinese (Lunar) or Traditional Chinese (Lunar) re
r do not configure this policy setting all will allow users to turn on or off the display of "Most used" list using the Settings app. This is defau
display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on
between the Apps view and the Start screen. Also the user will be able to configure this setting.
werShell cmdlet on that same device. The cmdlet will generate an XML file representing the layout you configured.Once the XML file is gen
ble this setting the system notification area expands to show all of the notifications that use this area.If you disable this setting the system
nus" option so users do not try to change the setting while a setting is in effect.Note: Personalized menus require user tracking. If you ena
ams in the Start Menu.Also see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off persona
s policy setting a default value will be used which administrators and users will be able to modify.
policy setting a default value will be used which administrators and users will be able to modify.
her Quiet Hours settings. If you do not configure this policy setting voice and video calls will be allowed during Quiet Hours by default.
will not be able to change this or any other Quiet Hours settings. If you do not configure this policy setting Quiet Hours are enable
isable or do not configure this policy setting toast notifications are enabled and can be turned off by the administrator or user. No re
s less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interp
interface program including the file name extension in the Shell name text box. If the interface program file is not located in a folder spec
the welcome screen is displayed each time a user logs on to the computer.This setting applies only to Windows 2000 Professional. It does
rograms such as Task Manager which are started by the system process or by other processes. Also if users have access to the command
nent registration is missing the system searches for it in Active Directory and if it is found downloads it. The resulting searches might make
e and batch files normally.Note: Do not prevent the computer from running batch files if the computer uses logon logoff startup or shutdo
Help. Note: You can also restrict users from running applications by using the Software Restriction Policy settings available in Comp
g programs such as Task Manager which are started by the system process or by other processes. Also if users have access to the comma
this setting it prohibits Windows from searching for updates.If you disable or do not configure it Windows searches for updates and autom
ir password is expiring.
using Ctrl+Alt+Del.Tip:To lock a computer without configuring a setting press Ctrl+Alt+Delete and then click Lock this computer.
gure this policy setting users can see and select the Log off menu item when they press Ctrl+Alt+Del.
ccess Task Manager. If users try to start Task Manager a message appears explaining that a policy prevents the action.If you disable or do n
splay scale factor) many desktop applications can display blurry. Desktop applications that have not been updated to display properly in th
nable this setting use the drop-down box to specify the desired response.-- "Ignore" directs the system to proceed with the installation ev
box beside the location name.If you disable or do not configure this setting Windows searches the installation location floppy drives and C
mpted to search Windows Update.If you disable or do not configure this setting and "Turn off Windows Update device driver searching" is
ailable offline. All subfolders within the redirected folders are also made available offline. Note: This policy setting does not prevent files f
Note: This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching
copying the content to the new location the cached content is renamed in the local cache and not copied to the new location. To use this
t software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setti
ders when redirecting the Start Menu or legacy My Documents folder.If you disable or not configure this policy setting Windows Vista Win
tory Snap-ins" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller that Active Directo
he policy can specify the response to a slow link. Also the policy processing settings in this folder lets you override the programs' specified
ks for use on the system.If you disable this setting or do not configure it new Group Policy object links are created in the enabled state. If y
nable or disable this policy setting by default administrators can view RSoP data.Note: To view RSoP data on a client computer use the RSo
tries in other subkeys.If you enable this policy setting the "Show Policies Only" command is turned on and administrators cannot turn it off
setting is Disabled or Not Configured the default display name of New Group Policy object is used.
set of 0 to 30 minutes.If you enable this setting you can specify an update rate from 0 to 64800 minutes (45 days). If you select 0 minutes
ory and the source files stored in the GPO. If the local files are newer they are copied into the GPO.Changing the status of this setting to E
e set such that their respective features can access the Internet.If you do not configure this policy setting all of the the policy settings in th
ore" item in the Open With dialog is removed.If you disable or do not configure this policy setting the user is allowed to use the Store servi
annot be downloaded over HTTP.If you disable or do not configure this policy setting users can download print drivers over HTTP.
s them to Microsoft over a secure connection.If you enable this policy Tablet PC users cannot choose to share writing samples from the ha
andwriting recognition error reporting tool or send error reports to Microsoft.If you disable this policy Tablet PC users can report handwri
he Help Experience Improvement program feature from the Help and Support settings page.
tting Windows does not download providers and only the service providers that are cached in the local registry are displayed.If you disable
he Web service to open an unhandled file association are removed.If you disable or do not configure this policy setting the user is allowed
ent from printing to Internet printers over HTTP.If you disable or do not configure this policy setting users can choose to print to Internet
ndows folders.If you disable or do not configure this policy setting the tasks are shown.
er does not collect usage information and the user settings to enable the collection of usage information are not shown.If you disable this p
to the Internet and have not disabled Windows Online from the Help and Support Options page.
ed. If you do not configure this policy setting at the computer level restrictions are based on per-user policy settings.To set this policy setti
e policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale even if this policy setting is not configure
they will be unable to customize those choices. The user cannot customize their user locale with user overrides.If this policy setting is dis
-computer policy setting.The locale list is specified using language tags separated by a semicolon (;). For example en-US is English (United S
dows Vista Windows XP Professional and Windows 2000 Professional.If you disable or do not configure this policy setting Windows Vista a
tting the system runs the programs in the run-once list.This policy setting appears in the Computer Configuration and User Configuration fo
gram (.exe) file or document file. To specify another name press ENTER and type the name. Unless the file is located in the %Systemroot%
etains its existing value prior to GPO evaluation). The recognized bit locations are: PROCESS_CREATION_MITIGATION_POLICY_DEP_EN
ing a resume operation.
in "Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Removable Data Drives."

s right does not take effect until the operating system is restarted.
you disable or do not configure this policy setting the instructions are suppressed.
disable or do not configure this policy setting the instructions are suppressed.
000 does not display logon scripts written for Windows NT 4.0 and earlier.If you disable or do not configure this policy setting Windows 20
or do not configure this policy setting the logon scripts and File Explorer are not synchronized and can run simultaneously.This policy settin
the following scenario: There are three GPOs (GPO A GPO B and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include
NT 4.0 definitions. %HOMESHARE% stores only the network share (such as \\server\share). %HOMEPATH% stores the remainder of the full
should not be roamed then add only that application's specific folder under the AppData\Roaming folder rather than all of the AppData\R
he registry files are included in the calculation of the profile size.-- Determine whether users are notified when the profile exceeds the perm
Offline Files during user logon and logoff and will be taken offline while the user is logged on.If you disable or do not configure this policy se
esktop app for a file type; they can open files only in other Windows Store apps.If you disable or do not configure this policy setting Windo
desktop app for a URI scheme; they can open URIs only in other Windows Store apps.If you disable or do not configure this policy setting W
he file.Moderate Risk: If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone Windows promp
with their zone information.If you disable this policy setting Windows marks file attachments with their zone information.If you do not con
ws hides the check box and Unblock button.If you disable this policy setting Windows shows the check box and Unblock button.If you do n
han one inclusion list).If you enable this policy setting you can create a custom list of high-risk file types.If you disable this policy setting W
ne inclusion list).If you enable this policy setting you can specify file types that pose a low risk.If you disable this policy setting Windows us
inclusion list (where an extension is listed in more than one inclusion list).If you enable this policy setting you can specify file types which
when a user opens a file attachment. If the antivirus program fails the attachment is blocked from being opened.If you disable this policy
ng both the file handler and type data is the most restrictive option. Windows chooses the more restrictive recommendation which will cau
executed without user's knowledge. The default behavior starting with Windows Vista is to prompt the user whether autorun command i
ndows XP SP2 Autoplay is enabled for removable drives as well including Zip drives and some USB mass storage devices. If you enable
Enterprise spotlight content service in Azure the lock screen will display internal messages and communications configured in that service
hird-party software publishers in addition to Microsoft apps and content.
es. If these features are enabled users will still see recommendations tips and offers but they may be less relevant.If you disable or do not
d and may be controlled individually using their corresponding policy settings.
user to select "Spotlight collection" as the Desktop provider and display daily images from Microsoft on the desktop.
ws Welcome Experience will be launched to help onboard users to Windows telling them about what's new changed and suggested.
ox.By default the password reveal button is displayed after a user types a password in the password entry text box. To display the passwor
agnostic data off (not recommended). Using this value no diagnostic data is sent from the device. This value is only supported on Enterpris
ab keys a visual version of the desktop is presented and items can be flipped through to select. Changing this policy setting requires a logo
specific color for window frames that cannot be changed by users.

e "Prevent color changes of window frames" setting to enforce a specific color for window frames that cannot be changed by users.
g the recent apps will be available by default and the user can configure this setting.
ut not from that menu.If you disable or don't configure this policy setting Command Prompt will be listed in the menu by default and user
this policy setting Search Share Start Devices and Settings will be available by default and the user can configure this setting.
quently used apps will appear at the top.

he administrator and are available to all users of the computer there must be an entry at HKEY_LOCAL_MACHINE\Software\Microsoft\Wi
name. For example the Sample Videos known folder can be disabled by specifying {440fcffd-a92b-4739-ae1a-d4a54907c53f} or SampleVid
tions command and they will not be able to open Folder Options.If you disable or do not configure this policy setting users can open Folde
who have logged on as regular users to install programs without logging off and logging on again using their administrator credentials.Ma
ed to a different computer the original path might lead to a network computer including external resources such as an Internet server.If y
moves the drive icons. Users can still gain access to drive contents by using other methods such as by typing the path to a directory on the
of these tools.This setting does not remove the Computer Management item from the Start menu (Start Programs Administrative Tools Co
ing to the path defined.If you disable or do not configure this policy setting no changes are made to the location of the default Library defi
stem displays shortcuts to the 10 most recently opened documents.

o not configure this policy setting computers in the user's workgroup and domain appear in lists of network resources in File Explorer and N
ecting to computers in their workgroup or domain. It also does not prevent users from connecting to remote computers by other common
L of the search site in OpenSearch format with {searchTerms} for the query string (for example http://www.example.com/results.aspx?q={
Library.Library-ms" for the Documents library or "C:\sampleSearchConnector.searchConnector-ms" for a Search Connector). The pinned li
ombination of drives from the drop-down list. To allow access to all drive directories disable this setting or select the "Do not restrict drive
s to the root of their Users Files folder in File Explorer.Note: Enabling this policy setting does not prevent the user from being able to add n
om connecting to another computer by typing the name of a shared folder in the Run dialog box.Note:This setting was documented incorre
oes not prevent users from using third-party applications to create or modify CDs using a CD writer.
m using other methods to configure DFS.If you disable or do not configure this policy setting the DFS tab is available.
esolve problems with the device.

t browser windows such as the Internet Explorer window.If you disable or do not configure this policy setting the Search button is availabl
ble to access the security tab.
er is not displayed in the Web view or in My Computer.If you disable or do not configure this policy setting the Shared Documents folder is
n the user performs a search in the Explorer window.
or distracting to some users.If you disable or do not configure this policy setting users are allowed to turn on or off these minor system an
her User" dialog box prompts the current user for the user name and password of an administrator. This setting allows administrators who
by everyone.
ot store Search Box entries into the registry for future references. If the user types a property values that match this property will be show
ommended to leave this protocol in the protected mode to increase the security of Windows.If you enable this policy setting the protocol
tting the Windows Key hotkeys are available.
than "Date Modified" and "Size" * Disable view of file content snippets in Content mode when search results are returned * Disable ab
nd set the folder options for File Explorer to Use classic folders view and disable the users ability to change these options.If you disable or
Open dialog box.If you disable or do not configure this policy setting the Back button is displayed for any standard Open dialog box.To see
ad and on the File menu click Open.Note: In Windows Vista this policy setting applies only to applications that are using the Windows XP c
000 Professional so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect programs that use t
may be specified:Desktop Recent Places Documents Pictures Music Recently Changed Attachments and Saved Searches.If you disable or d
e since the two cannot be displayed at the same time.If you disable or do not configure this policy setting the Details Pane is hidden by def
it defaults to disabled.
cy setting users can see previous versions corresponding to backup copies as well as previous versions corresponding to on-disk restore po
ks the Restore button Windows attempts to restore the file from the local disk.If you do not configure this policy setting it is disabled by de
version corresponding to a backup. If the Restore button is clicked Windows attempts to restore the file from the backup media.If you do
e share. If the user clicks the Restore button Windows attempts to restore the file from the file share.If you do not configure this policy setti
cation. The EID must be an internet domain belonging to the enterprise in standard international domain name format. Example value: Co
setting applies only to Microsoft Japanese IME.Note: Changes to this setting will not take effect until the user logs off.
setting applies only to Microsoft Korean IME.Note: Changes to this setting will not take effect until the user logs off.
setting applies only to Microsoft Simplified Chinese IME.Note: Changes to this setting will not take effect until the user logs off.
setting applies only to Microsoft Traditional Chinese IME.Note: Changes to this setting will not take effect until the user logs off.
h are included in the candidate list.This policy setting applies to Japanese Microsoft IME only.Note: Changes to this setting will not take eff
nded code0x0008 // IBM extended code0x0010 // Half width katakana code0x0100 // EUDC(GAIJI)0x0200 // S-JIS unmapped area0x0400 /
Clear auto-tuning information] removes self-tuned words from the custom dictionary even if a group policy setting is turned on. To do this
applies to Japanese Microsoft IME.Note: Changes to this setting will not take effect until the user logs off.
used by default.This policy setting is applied to Japanese Microsoft IME.
with this feature is turned off and the user won't be able to turn it on.If you don't configure this policy setting it will be turned off by defa
with this feature is turned off and the user won't be able to turn it on.If you don't configure this policy setting it will be turned off by defa
search providers (found under [HKCU or HKLM\Software\policies\Microsoft\Internet Explorer\SearchScopes]). Note: This list can be creat
.com/fwlink/?linkid=2102115
y UI during shutdown (default behavior in Internet Explorer 9).
e this policy setting users won't receive enhanced suggestions while typing in the Address bar. In addition users won't be able to change t
or Explorer bars. ActiveX controls are referred to as plug-ins and are not part of this definition.If you enable this policy setting newly insta
ou enable the Media Explorer Bar or do not configure it users can show and hide the Media Explorer Bar.Administrators also have the abil
enable or disable the blocking of attachments in options.
nnel are installed the following behaviors occur:- If you disable or don't configure this policy Microsoft Edge Stable channel is used. This is t
ple "MSIE 7.0").
ay this option the users open the Internet Options dialog box click the Contents Tab and click the Settings button.
mplates\Windows Components\Internet Explorer\Internet Control Panel) you do not need to set this policy because the "Disable the Gene
dvanced page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Contro
nternet Explorer Maintenance under Admin Templates using group policy editor.If you disable or do no configure this policy setting the us
nd contacts if programs that perform these tasks are installed.This "Disable the Programs Page" policy (located in \User Configuration\Adm
e already been accepted.The "Disable the Content page" policy (located in \User Configuration\Administrative Templates\Windows Comp
Web pages.If you set the "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Componen
r\Internet Control Panel) you do not need to set this policy because the "Disable the Connections page" policy removes the Connections ta
en Internet Explorer performs this check it prompts the user to specify which browser to use as the default.This policy is intended for orga
ocated in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) you do not need
me page policies.If you disable or do not configure this policy setting the Home page box is enabled and users can choose their own home
or languages in which the character set has been installed.If you set the "Disable the General page" policy (located in \User Configuration\
he "Disable the General page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\In
ups and placing Internet calls if programs that perform these tasks are installed.The "Disable the Programs page" policy (located in \User C
tive Templates\Windows Components\Internet Explorer\Internet Control Panel) which removes the Content tab from Internet Explorer in
s\Windows Components\Internet Explorer\Internet Control Panel) which removes the Ratings tab from Internet Explorer in Control Panel
re this policy setting the user can add secondary home pages.Note: If the “Disable Changing Home Page Settings” policy is enabled the use
re it users can change their cache settings.If you set the "Disable the General page" policy (located in \User Configuration\Administrative T
p for Internet services.This policy is intended for administrators who want to maintain a consistent browser across an organization.
he user to export favorites feeds and cookies to a file.If you enable this policy setting the user will not be able to use the Import/Export Se
ction Wizard.If you disable this policy or do not configure it users can change their connection settings by running the Internet Connection
ernet Explorer 11.If you disable or don’t configure this policy all sites are opened using the current active browser settings. Note: Microsoft
ows Components\Internet Explorer\Internet Control Panel) which removes the Programs tab from Internet Explorer in Control Panel takes
rosoft.com/fwlink/?linkid=2102115
u bar contains menus that open lists of commands for printing customizing Internet Explorer copying and pasting text managing favorites
tion will be removed from the File menu in Address Book.If you disable this policy or do not configure it users can set up and change identi
is policy all intranet sites are automatically opened in Microsoft Edge.We strongly recommend keeping this policy in sync with the ‘Send a
on't specify a report location Enterprise Mode will still be available to your users but you won't get any reports.If you disable or don't confi
ed in Site Discovery.To configure the domain(s) included in data collection for the IE Site Discovery Toolkit Add one domain per line to the
n Site Discovery.To configure zone(s) included in site discovery a binary number is formed based on the selected zones. The decimal repres
gure this policy setting users can choose whether to be notified that Internet Explorer is not the default web browser through the Tell me
e allowed so *.contoso.com is also valid.If you disable this or do not configure this policy setting you will not be able to provide a default P
for printing customizing Internet Explorer copying and pasting text managing favorites and accessing Help.If you enable this policy setting
this policy setting the Internet Explorer Help menu is available to the user. The user can also use the Command bar and F1 to access Help.
policy setting the user can bypass SmartScreen Filter warnings.
u disable or do not configure this policy setting the user can manage pop-ups by changing the filter level.You may also want to enable the "
ted in this scenario. • Open a new Internet Explorer window.If you disable or do not configure this policy setting the user can configure h
elect.If you disable or do not configure this policy setting the user can configure how new tabs are created by default.
policy setting Internet Explorer does not enumerate search providers for the Accelerators infrastructure. If Accelerators are turned on user
Explorer process's Pop-Up Blocker settings by enabling the "Specify pop-up allow list" policy setting.
thout prompting the user.If you disable or do not configure this policy setting the user is prompted to decide whether to turn on SmartScr
ocal analysis and the user is prompted to permit any data to be sent to Microsoft. If the feature is fully enabled all website addresses that a
u.If you do not configure this policy setting the user can choose to participate in the CEIP.
Windows 8 the "Welcome to Internet Explorer" webpage is not available. The user's home page will display regardless of which option is ch
nable this policy setting the user cannot configure the list of search providers on his or her computer and any default providers installed do
ress F3 to search the Internet (from Internet Explorer) or the hard disk (from File Explorer).This policy is intended for situations in which ad
to help administrators maintain consistent settings for searching across an organization.
d in the Enterprise Mode Site List in Microsoft Edge.Disabling or not configuring this setting opens all sites based on the currently active br
physical memory. The default setting creates the optimal number of tab processes based on the operating system and amount of physical
s and no additional page appears.
user for permission to load an ActiveX control and Internet Explorer loads the control if it passes all other internal security checks.If you d
the user to disable add-ons and configure the threshold.If you enable this policy setting users are not notified when the average time to lo
you disable or do not configure this policy setting Internet Explorer uses the user's setting for pop-up windows in tabbed browsing.
ature for add-on management will be functional.
ot on the filter's allow list are sent automatically to Microsoft without prompting the user.If you disable or do not configure this policy setti
ws launched off screen will continue to be re-positioned onscreen.If you disable or do not configure this policy setting the popup managem
ry points appear on the user interface for Internet Explorer and the user cannot turn them off.If you do not configure this policy setting the
-complete for web-address setting.If you do not configure this policy setting a user will have the freedom to choose to turn the auto-comp
s policy setting ActiveX Filtering is not enabled by default for the user. The user can turn ActiveX Filtering on or off.
atures. The user cannot turn on logging.If you do not configure this policy setting the user can change the logging settings.
off by default. The user can turn on or turn off the menu bar.
for the SDTK.
tting the entry points and functionality associated with this feature are turned off.If you do not configure this policy setting the user can tur
hange "User name and passwords on forms" or "prompt me to save passwords". The Auto Complete feature for User names and password
ction unless specified by the user.
se Mode IE.If you disable or don't configure this policy setting Internet Explorer opens all websites using Standards mode.
rators that are provided through first use of the browser.
ccelerators that are provided through first use of the browser.
roved controls are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Ex
nfigure it this control will not be designated as administrator-approved.To specify how administrator-approved controls are handled for ea
e available as an administrator approved control and can be run if the user specifies to run administrator-approved Active-X controls and p
.Select the check boxes for the controls that you want to designate as administrator-approved.To specify how administrator-approved con
d click Enabled and then select the check box for the control:-- MCSiMenu - enables Web authors to control the placement and appearanc
t these controls will not be designated as administrator-approved.To specify how administrator-approved controls are handled for each se
nated as administrator-approved.To specify how administrator-approved controls are handled for each security zone carry out the follow
roved controls are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Ex
owing steps:1. In Group Policy click User Configuration click Internet Explorer Maintenance and then click Security.2. Double-click Security
for the controls that you want to designate as administrator-approved.To specify how administrator-approved controls are handled for e
he following steps:1. In Group Policy click User Configuration click Internet Explorer Maintenance and then click Security.2. Double-click Se
eps:1. In Group Policy click User Configuration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones a
abled.If you disable this policy setting the user is prompted when a script that is running in any process on the computer attempts to perfo
ne behavior is currently set to prompt it will be bypassed and enabled.If you disable this policy setting the user is prompted when a script
cess" policy setting is enabled the processes configured in this policy setting take precedence over that policy setting.If you enable this pol
ption" policy which prevents users from opening the browser in a new window by clicking the File menu pointing to New and then clicking
ad programs from their browsers.
not available.
ew browser window from the File menu.Caution: This policy does not prevent users from opening a new browser window by right-clicking
es not prevent users from right-clicking a link on a Web page and then clicking the Open or Open in New Window command. To prevent u
guage (HTML) files or as text files but graphics scripts and other elements are not saved. To display the Save Web Page dialog box users cli
contents that are displayed or run from a Web Page such as graphics scripts and linked files but does not prevent users from saving the te
he Microsoft Internet Explorer Help file.
ble.If you disable this policy or do not configure it users can manage their Favorites list.Note: If you enable this policy users also cannot clic
e this policy or do not configure it users can change their Internet settings from the browser Tools menu.Caution: This policy does not prev
e available and users will not see printers under the Devices charm.If you disable or do not configure this policy setting the Print menu in I
t toolbars which might be confusing for some beginning users.

y right-clicking a Web page to open the shortcut menu and then clicking View Source. To prevent users from viewing the HTML source of
not used. Additionally the user cannot activate the feature by using the Compatibility View Settings dialog box.If you do not configure this
ith an additional string appended). Additionally all Standards Mode webpages appear in Internet Explorer 7 Standards Mode. This option r
. The user cannot change this behavior through the Compatibility View Settings dialog box.If you disable this policy setting Internet Explore
owsing history on exit is turned off.If you do not configure this policy setting it can be configured on the General tab in Internet Options.If
es in the History List. You must specify the number of days that Internet Explorer tracks views of pages in the History List. Users can not de
n on the Settings charm.If you disable or do not configure this policy setting the user can access the Delete Browsing History dialog box. St
wsing.With at least Internet Explorer 11:This policy setting prevents users from deleting ActiveX Filtering data Tracking Protection data and
f the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
ownload history when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting
ite data when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting has no
elete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
n the user clicks Delete.If you disable this policy setting InPrivate Filtering data is deleted when the user clicks Delete.If you do not configu
s Delete.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
or preserve temporary Internet files when he or she clicks Delete.If the "Prevent access to Delete Browsing History" policy setting is enable
etting the user can choose whether to delete or preserve visited websites when he or she clicks Delete.If the "Prevent access to Delete Bro
files and cookies.
in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\) because this policy removes the Advanced ta
he interface:"Disable Internet Connection Wizard""Disable changing connection settings""Prevent changing proxy settings""Disable chang
onfiguration\Administrative Templates\Windows Components\Internet Explorer\) because this policy removes the General tab from the in
m the interface:"Disable changing Messaging settings""Disable changing Calendar and Contact settings""Disable the Reset Web Settings fe
cy removes the Security tab from the interface:"Security zones: Do not allow users to change policies""Security zones: Do not allow users
ames are converted to IDN format only for addresses that are not in the Intranet zone. 2) Unicode domain names are converted to IDN fo
er can change this behavior on the Internet Explorer Tools menu: Click Internet Options click the Advanced tab and then under Internation
g users will be prompted when non-Internet Explorer components would be installed.If you do not configure this policy setting non-Intern
eb components such as fonts will be automatically installed as necessary.If you disable this policy setting users will be prompted when We
g users can turn this behavior on or off using Internet Explorer Advanced Internet Options settings. The default is on.
e this policy setting users can turn this behavior on or off using Internet Explorer Advanced Internet Options settings. The default is on.
th an invalid signature.If you do not configure this policy users can choose to run or install files with an invalid signature.
isable this policy setting browser helper objects do not launch.If you do not configure this policy Internet Explorer automatically launches
nabled or inPrivate Browsing mode is used.For at least Internet Explorer 11:If you disable this policy setting Internet Explorer only sends th
d new versions when they are available.If you disable this policy setting Internet Explorer does not check the Internet for new versions of t
.If you disable this policy setting Internet Explorer will not check server certificates to see if they have been revoked.If you do not configur
em to user computers.If you disable this policy setting Internet Explorer will not check the digital signatures of executable programs or dis
ces all websites to run in Enhanced Protected Mode.Enhanced Protected Mode provides additional protection against malicious websites
ternet Explorer Settings.
save encrypted pages containing secure (HTTPS) information to the cache.If you do not configure this policy Internet Explorer will save enc
rary Internet Files folder when all browser windows are closed.If you disable this policy setting Internet Explorer will not delete the conten
ctures helping pages display more quickly.If you do not configure this policy setting Internet Explorer will play animated pictures found in W
ping pages display more quickly.If you enable this policy setting Internet Explorer will play sounds found in Web content.
re quickly.If you do not configure this policy setting Internet Explorer will play videos found in Web content.
ype rendering engine.
e. The browser and server attempt to match each other’s list of supported protocols and versions and they select the most preferred matc
sites and content in the background.If you don't configure this policy setting users can turn this behavior on or off using Internet Explorer s
s can also choose to allow this information to be shared with the Web site in the future without being prompted.If you do not configure th
gs for URLs that are in the Intranet zone. 3) Always encode query strings.If you disable or don't configure this policy setting users can tur
ckground.If you disable this policy setting flip ahead with page prediction is turned on and the next webpage is loaded into the background
ing in Enhanced Protected Mode on 64-bit versions of Windows.If you disable this policy setting Internet Explorer 11 will use 32-bit tab pro
g is turned on.If you disable this policy setting Caret Browsing is turned off.If you do not configure this policy setting Caret Browsing suppo
nabled will use Enhanced Protected Mode. Users will not be able to disable Enhanced Protected Mode.If you disable this policy setting Enh
oxy connections.
nt tab of the Internet Options dialog box.Note: This policy is no longer supported starting with Windows 10 Version 1607.
ge this option to start with the home page.If you disable this policy setting Internet Explorer starts a new browsing session with the home
e and caches on Website Data Settings will be unavailable to users.If you do not configure this policy setting websites will be able to store
atabase and caches on Website Data Settings will be unavailable to users.If you do not configure this policy setting websites will be able to
oup policy sets the maximum file storage limit for domains that are trusted by users. When you set this policy setting you provide the cach
policy setting.If you disable or do not configure this policy setting Internet Explorer will use the default application cache expiration time lim
nd application caches.
cy sets the maximum data storage limit for domains that are trusted by users. When you set this policy setting you provide the cache limit
cy setting Internet Explorer will allow the creation of application caches whose individual manifest file entries are less than or equal to the
vide the resource limit as a number. The default is 1000 resources.If you enable this policy setting Internet Explorer will allow the creation
ng you can set the maximum storage limit for all application caches. The default is 1 GB.If you disable or do not configure this policy settin
icy setting you can set the maximum storage limit for all indexed databases. The default is 4 GB.If you disable or do not configure this polic
onfigure this template policy setting no security level is configured.Note. Local Machine Zone Lockdown Security and Network Protocol Lo
ould typically be in the Internet Zone).If you do not configure this policy setting users choose whether to force local sites into the Intranet
d into the Intranet Zone.
users choose whether sites which bypass the proxy server are mapped into the Intranet Zone.
zone. Security settings can be set for each of these zones through other policy settings and their default settings are: Trusted Sites zone (Lo
ey are configured.If this policy setting is not configured the user can choose whether or not to automatically detect the intranet through th
gure this policy setting the user can choose whether the certificate address mismatch warning appears (by using the Advanced page in the
tting a Notification bar notification does not appear when the user loads content from an intranet site that is being treated as though it is
be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.If you disable this policy setting users cannot
ocols on the restricted list. If you select Prompt from the drop-down box the Notification bar will appear to allow control over questionabl
e this policy setting script code on pages in the zone can run automatically.
re available.If you disable this policy setting binary and script behaviors are not available unless applications have implemented a custom
ot configure this policy setting a script can perform a clipboard operation.
copying and pasting files from this zone.If you do not configure this policy setting users can drag files or copy and paste files from this zone
licy setting files can be downloaded from the zone.
policy setting HTML fonts can be downloaded automatically.
ktop items from this zone.If you do not configure this policy setting users are queried to choose whether to install desktop items from this
orer. The user cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XBAPs.If you disable
he user cannot change this behavior. If you set the drop-down box to Prompt the user is prompted for loading XAML files.If you disable th
pted for loading XPS files.If you disable this policy setting XPS files are not loaded inside Internet Explorer. The user cannot change this be
oads a page containing an active Meta Refresh setting cannot be redirected to another Web page.If you do not configure this policy settin
the per-site ActiveX prompt and ActiveX controls can run from all sites in this zone.
s.If you disable this policy setting users are prevented from performing OpenSearch queries in this zone using Search Connectors.If you do
mple some application-specific items such as MAPI (Messaging Application Programming Interface) items that are returned as search result
WebBrowser control is allowed only in the Local Machine and Intranet zones.
and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zone as dictated
ure or disable this policy setting VBScript is prevented from running.

deo files.If you enable this policy setting video and animation can be played through older media players in specified zones.If you disable t
user can choose whether websites can open new Internet Explorer Windows that have no status bar or Address bar.
do not configure this policy setting ActiveX control installations will be blocked using the Notification bar. Users can click on the Notificati
e Notification bar instead of the file download dialog. Users can then click the Notification bar to allow the file download prompt.
ay the nonsecure items?) and nonsecure content can be displayed.If the drop-down box is set to Prompt the user will receive the security
tication" message when they connect to a Web site that has no certificate or only one certificate.If you do not configure this policy setting
to create an instance of the ActiveX control.If you don't configure this policy setting Internet Explorer always checks with your antimalwar
cy setting signed controls cannot be downloaded.If you do not configure this policy setting users are queried whether to download contro
is policy setting users cannot run unsigned controls.If you do not configure this policy setting users cannot run unsigned controls.
ers cannot drag content from one domain to a different domain when both the source and destination are in different windows. Users can
rs cannot drag content from one domain to a different domain when the source and destination are in the same window. Users cannot ch
setting the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone as dictated by the
TML form.If you disable this policy setting path information is removed when the user is uploading a file via an HTML form.If you do not co
s marked safe for scripting option.If you enable this policy setting and select Prompt in the drop-down box users are queried whether to a
safe and secure storage area on the client computer) and user-controlled file I/O.High Safety enables applets to run in their sandbox. Disa
download files from IFRAMEs on the pages in this zone.If you disable this policy setting users are prevented from running applications and
for the remainder of the session.Automatic logon only in Intranet zone to query users for user IDs and passwords in other zones. After a u
e this policy setting users cannot open windows and frames to access applications from different domains.If you do not configure this poli
urity tab of the Internet Options dialog box. Filters are not rendered by default in this zone.
n box Internet Explorer will prompt the user to determine whether to execute unsigned managed components.If you disable this policy se
nternet Explorer will prompt the user to determine whether to execute signed managed components.If you disable this policy setting Inte
u do not configure this policy setting controls and plug-ins can run without user intervention.
configure this policy setting script interaction can occur automatically without user intervention.
y setting scripts can access applets automatically without user intervention.
efore the files open.If you disable this policy setting these files do not open.If you do not configure this policy setting the user can configur
notified of software updates by e-mail and software packages to be automatically downloaded to (but not installed on) users' computers.
to choose whether to allow information using HTML forms on pages in this zone to be submitted.If you disable this policy setting informa
g .NET Framework Setup is turned off. The user cannot change this behavior.If you disable this policy setting .NET Framework Setup is turn
the first-run prompt is turned on in the corresponding zone.If you do not configure this policy setting the first-run prompt is turned off by
on Protected Mode.If you do not configure this policy setting the user can turn on or turn off Protected Mode.
for malicious content.Note: In Internet Explorer 7 this policy setting controls whether Phishing Filter scans pages in this zone for malicious
ows are prevented from appearing.
tly within a Web page saved to disk.If you disable this policy setting users cannot preserve information in the browser's history in favorites
he drop-down box a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting the po
ure or disable this policy setting VBScript will run without user intervention.
do not configure this policy setting users will receive a prompt when a site instantiates an ActiveX control they do not have installed.
to create an instance of the ActiveX control.If you don't configure this policy setting Internet Explorer won't check with your antimalware
urity tab of the Internet Options dialog box. Filters are rendered by default in this zone.
the first-run prompt is turned on in the corresponding zone.If you do not configure this policy setting the first-run prompt is turned on by
vented from appearing.
ktop items from this zone.If you do not configure this policy setting users can install desktop items from this zone automatically.
cy setting signed controls cannot be downloaded.If you do not configure this policy setting users can download signed controls without us
is policy setting users cannot run unsigned controls.If you do not configure this policy setting users can run unsigned controls without user
drop-down box a warning is issued to the user that potentially risky navigation is about to occur.If you disable this policy setting the possib
e this policy setting users are queried to choose whether to allow script code on pages in the Local Machine zone to run.
u do not configure this policy setting controls and plug-ins are prevented from running.
ure or disable this policy setting users are asked to choose whether to allow VBScript to run.
e this policy setting script code on pages in the zone is prevented from running.
ot configure this policy setting a script cannot perform a clipboard operation.
copying and pasting files from this zone.If you do not configure this policy setting users are queried to choose whether to drag or copy files
licy setting files are prevented from being downloaded from the zone.
policy setting users are queried whether to allow HTML fonts to download.
ktop items from this zone.If you do not configure this policy setting users are prevented from installing desktop items from this zone.

cy setting signed controls cannot be downloaded.If you do not configure this policy setting signed controls cannot be downloaded.
domains.If you disable this policy setting users cannot open other windows and frames from other domains or access applications from d
configure this policy setting script interaction is prevented from occurring.
y setting scripts are prevented from accessing applets.
d even for protocols on the restricted list. If you select Prompt from the drop-down box the Notification bar will appear to allow control ov
e this policy setting script code on pages in the zone is prevented from running.
ot configure this policy setting a script cannot perform a clipboard operation.
copying and pasting files from this zone.If you do not configure this policy setting users are queried to choose whether to drag or copy files
licy setting files are prevented from being downloaded from the zone.
policy setting users are queried whether to allow HTML fonts to download.
ktop items from this zone.If you do not configure this policy setting users are prevented from installing desktop items from this zone.

cy setting signed controls cannot be downloaded.If you do not configure this policy setting signed controls cannot be downloaded.
domains.If you disable this policy setting users cannot open other windows and frames from other domains or access applications from d
configure this policy setting script interaction is prevented from occurring.
y setting scripts are prevented from accessing applets.
is policy setting users cannot run unsigned controls.If you do not configure this policy setting users are queried to choose whether to allow
ternet Explorer can be configured by the user.
to correct the problem. The user cannot change this policy setting.If you disable this policy setting when there is a problem connecting wit
cy setting the user can turn on or off page transitions.This feature only applies to versions of Internet Explorer up to and including Interne
e this policy setting users can turn this behavior on or off using Internet Explorer settings. The default is on.
Internet Explorer.
cript debugging.If you disable this policy setting script debugging is turned off. The user cannot turn on script debugging.If you do not confi
disable this policy setting the user is not shown script errors when a page does not appear properly because of problems with its scripting
ard does not start automatically. The user can start the wizard manually.If you do not configure this policy setting the user can decide whe
media elements" setting on the Advanced tab in the Internet Options dialog box.
ot change this policy setting. The "Turn off image display" policy setting must be disabled if this policy setting is enabled.If you disable this
utomatic image resizing.
on that represents the image and then clicking Show Picture. The "Allow the display of image download placeholders" policy setting must
able this policy setting the printing of background colors and images is turned off. The user cannot turn it on.If you do not configure this po
button. • Display the results in the main window: When the user searches on the Address bar the list of search results is displayed in the
he user is directed to an external top result website determined by the search provider if available.If you enable this policy setting you can
ou disable this policy setting Internet Explorer is not started automatically to complete the signup process after the branding is complete fo
mplete for File Explorer is turned on. The user cannot turn it off.If you do not configure this policy setting a user will have the freedom to tu
Suggestions will be turned on. Users will not be able to turn off URL Suggestions.If you do not configure this policy setting URL Suggestion
mplete for providing relevant results in the Address bar. The user cannot change this setting.If you disable this policy setting Internet Explo
cannot turn it on.If you do not configure this policy setting the user can turn on or turn off inline AutoComplete.By default inline AutoCom
or do not configure this policy setting the user can specify the color of links already clicked.
or do not configure this policy setting the user can specify the color of links not yet clicked.
you disable this policy setting Internet Explorer allows sending the path portion of URLs as UTF-8. The user cannot change this policy settin
op items from Microsoft's Active Desktop Gallery to their desktop.If you disable this policy or do not configure it users can add channels to
s policy or do not configure it users can add new offline content schedules.This policy is intended for organizations that are concerned abo
e select a Web page click the Properties button and then click the Schedule tab.If you disable this policy then Web pages can be updated o
e it users can view and subscribe to channels from the Channel bar interface.
s been updated since the last time the user synchronized with or visited the page.If you disable this policy or do not configure it content w
elect a Web page click the Properties button and then click the Schedule tab.If you disable this policy or do not configure it users can add r
and then click the Properties button no properties are displayed. Users do not receive an alert stating that the command is unavailable.If y
an record information about when their channel pages are viewed by users who are working offline.
to help administrators ensure that users' computers are being updated uniformly across their organization.Note: This policy does not prev
d but dimmed. To display the Make This Page Available Offline check box users click the Tools menu click Synchronize and then click the Pr
s searched for new information and downloaded.Caution: Although the Maximum Number of Offline Pages option determines how many l
ue range is 3 through 30.If you enable this policy setting the selected value is enforced.If you disable or do not configure this policy setting
value range is 3 through 30.If you enable this policy setting the selected value is enforced.If you disable or do not configure this policy setti
.If you disable this policy setting toolbars and BHOs are loaded by default during an InPrivate Browsing session.If you do not configure this
collection is turned on.If you do not configure this policy setting InPrivate Filtering data collection can be turned on or off on the Privacy t
vate Browsing can be turned on or off through the registry.
nd InPrivate Filtering data is not collected.If you disable this policy setting InPrivate Filtering is available for use.If you do not configure this
ons and Tracking Protection data is not collected.If you disable this policy setting Tracking Protection is available for use.If you do not confi
developers will not be able to depend on the reveal password button being displayed in any web form or web application.If you disable o
e interpreted as a failed URL.If you disable this policy setting Data URI support is turned on.If you do not configure this policy setting Data
nes whether add-ons not listed here are assumed to be denied.If you enable this policy setting you can enter a list of add-ons to be allowe
user preferences and policy settings.If you disable or do not configure this policy setting all processes will not respect add-on managemen
hrough Group Policy. However users can still use the Add-on Manager within Internet Explorer to manage add-ons not listed within the 'A
t.If you enable this policy setting and enter a Value of 1 the process entered will respect the add-on management user preferences and po
on the warning message that appears when Internet Explorer blocks an outdated ActiveX control. Clicking this button lets the user run th
h newly outdated controls potentially compromising the security of your computer.If you disable or don't configure this setting IE continue
tiveX Controls" in the Internet Explorer TechNet library.
name.TLD". For example if you want to include *.contoso.com/* use "contoso.com"2. "hostname". For example if you want to include http
ng on or off regardless of the "Turn off blocking of outdated ActiveX controls for Internet Explorer" or "Turn off blocking of outdated Active
net Explorer before Internet Explorer 8 the default connection limit for HTTP 1.1 was 2.
gh a server.If you enable this policy setting websites cannot request data across domains by using the WebSocket object.If you disable or
ains by using the XDomainRequest object.If you disable or do not configure this policy setting websites can request data across domains b
h zone for which Script and Binary Behaviors is set to 'admin-approved'. Behaviors must be entered in #package#behavior notation e.g. #d
or do not configure this policy setting binary behaviors are allowed for all processes.
ou disable or do not configure this policy setting Internet Explorer 9 does not install binaries signed by MD2 and MD4 signing technologies
y behaviors are allowed for the File Explorer and Internet Explorer processes.If you do not configure this policy setting binary behaviors ar
icy setting and enter a Value of 1 binary behaviors are prevented. If you enter a Value of 0 binary behaviors are allowed. The Value Name
plorer renames the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting Consistent Mim
plorer renames the file by saving it in the Internet Explorer cache and changing its extension.If you enable this policy setting Internet Explo
plorer renames the file by saving it in the Internet Explorer cache and changing its extension.This policy setting allows administrators to de
ed as an attack vector to load malicious HTML code.If you enable this policy setting the Local Machine zone security applies to all local file
ere the Local Machine zone is used as an attack vector to load malicious HTML code.If you enable this policy setting the Local Machine zone
e is used as an attack vector to load malicious HTML code.If you enable this policy setting and enter a value of 1 Local Machine Zone secur
figure this policy setting MIME sniffing will never promote a file of one type to a more dangerous file type.
more dangerous file types. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setti
will work for the File Explorer and Internet Explorer processes.If you do not configure this policy setting the MK Protocol is prevented for
K protocol is allowed. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer pro
you disable this policy setting restricting content obtained through restricted protocols is prevented for all processes other than File Explor
es. For example you can restrict active content from pages served over the http and https protocols by adding the value names http and htt
owed.If you enable this policy setting and enter a Value of 1 restricting content obtained through restricted protocols is allowed. If you ent
zone this sets the list of protocols to be restricted if that zone is set to Prompt or Disable for "Allow active content over restricted protocol
tification bar will be displayed for all processes.If you disable or do not configure this policy setting the Notification bar will not be displaye
orer processes.If you do not configure this policy setting the Notification bar will be displayed for Internet Explorer Processes.
is displayed. If you enter a Value of 0 the Notification bar is not displayed. The Value Name is the name of the executable. If a Value Name
processes.If you do not configure this policy setting an object reference is no longer accessible when navigating within or across domains
s to objects are still accessible after navigation. The Value Name is the name of the executable. If a Value Name is empty or the Value is no
e can be protected from zone elevation for all processes.If you disable or do not configure this policy setting processes other than Internet
is no security context.If you enable this policy setting any zone can be protected from zone elevation by Internet Explorer processes.If you
there is no security context.This policy setting allows administrators to define applications for which they want this security feature to be
ll processes.
will be used to determine whether to block ActiveX control installations for Internet Explorer processes.
Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer P
not user initiated for all processes.
es whether to prompt for file downloads that are not user initiated for Internet Explorer processes.
e is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related In
sable or do not configure this policy setting scripted windows are not restricted.
orer and Internet Explorer processes.If you disable this policy setting scripts can continue to create popup windows and windows that obfu
ecurity feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 such windows may not be opened. If you
: Some command buttons have only text; some have icons and text.Show only icons: All command buttons have only icons.If you disable o
ou enable this policy the Customize option will be removed from the menu.If you disable this policy or do not configure it users can custom
be used in coordination with the "Disable customizing browser toolbar buttons" policy which prevents users from adding or removing too
Refresh buttons are next to the Address bar by default and the user can choose to move them.
ck.If you enable this policy setting the toolbar upgrade tool does not check for incompatible toolbars. The user is not prompted and incom
els and the user can make them bigger (20 x 20 pixels).
disable or don't configure this setting Microsoft Edge downloads book files to a per-user folder for each student or teacher.
ce over the "Configure search suggestions in Address bar" setting. If you enable or don't configure this setting employees can see the A
ft applying the updates during browser navigation. Visiting any site on the Microsoft Compatibility List prompts the employee to use Intern
time required to start up Microsoft Edge.If you prevent pre-launch Microsoft Edge won’t pre-launch during Windows sign in when the syst
required to start up Microsoft Edge and to start a new tab.If you prevent preloading Microsoft Edge won’t load the Start or New Tab page
is policy when disabled does not stop roaming of existing history or history coming from other roamed devices.
w search engines and change the default used in the address bar from within Microsoft Edge Settings.If you disable this setting users can't a
e for business) enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage). When disabled this policy does no
bs appears.
e it's supported.
browserpolicy).If you enable this setting you can add up to 5 additional search engines. For each additional engine you must also add a link
n't configure this setting employees can choose whether to use Autofill to automatically fill in forms while using Microsoft Edge.
king info.If you don't configure this setting employees can choose whether to send Do Not Track requests to websites asking for tracking in
ble or don't configure this setting employees will see the Favorites that they set in the Favorites hub.
ur organization manages some settings. The show bar/hide bar option is hidden from the context menu.If disabled the favorites bar is hidd
e the Unlock Home Button policy.If Enabled AND:- Show home button & set to Start page is selected clicking the home button loads the Sta
are ignored. To learn more about assigned access and kiosk configuration see “Configure kiosk and shared devices running Windows desk
le app for this policy to work. Once the idle time meets the time specified a confirmation message prompts the user to continue and if no
e Configure Start Pages policy.- A specific page or pages: the URL(s) specified with Configure Start Pages policy load(s). If selected you mus
use Password Manager to save their passwords locally.
.If you don't configure this setting employees can choose whether search suggestions appear in the Address bar of Microsoft Edge.
fied in App settings loads as the default Start pages.Version 1703 or later:If you do not want to send traffic to Microsoft enable this policy a
ft Edge won't use the Enterprise Mode Site List XML file. In this case employees might experience compatibility problems while using legac
tting Windows Defender SmartScreen is turned off and employees can't turn it on.If you don't configure this setting employees can choose
or not configured the Start pages configured in the Configure Start Pages policy cannot be changed and remain locked down.Supported d
ntinue the download process.
nc between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employees from syncing their favorites between Int
the Live Tile metadata providing a fuller and more complete experience when a user pins a Live Tile to the Start menu.
uture updates of the extension gets granted automatically.When you enable this policy you must provide a semi-colon delimited list of ex
oth this setting and the Keep favorites in sync between Internet Explorer and Microsoft Edge setting. Enabling both settings stops employe
is enabled you must also add the default engine to the “Set default search engine” setting by adding a link to your OpenSearch XML file inc
page is used.Default setting: Disabled or not configuredRelated policy: Allow web content on New Tab page
ng in Microsoft Edge option from the drop-down list under Options.If disabled or not configured the default app behavior occurs and no a
cluding hiding and showing the home button as well as configuring a custom URL.If disabled or not configured the UI settings for the hom
at the files contain.This setting permits users to open MMC user-mode console files such as those on the Administrative Tools menu in Win
setting in the folder is disabled or not configured the snap-in is prohibited.-- If you disable this setting or do not configure it all snap-ins a
message is displayed stating that policy is prohibiting the use of this snap-in. If this policy setting is not configured the setting of the "Rest
cept those explicitly permitted. To explicitly permit use of this snap-in enable this setting. If this setting is not configured (or disabled) this
up Policy tab is not displayed in those snap-ins.If this setting is not configured the setting of the "Restrict users to the explicitly permitted l
always connected to the settings storage location.When SyncMethod is set to “None” the UE-V Agent uses no sync provider. Settings are w
or Windows apps. If you do not configure this policy setting any defined values are deleted.Note: If the user connects their Microsoft accou
rage location before synchronizing settings packages.If you disable this policy setting the sync provider doesn’t ping the settings storage lo
nt log.If you disable or do not configure this policy setting no event is written to the event log to report settings package size.
ot configure this policy setting any defined values are deleted.

that is roaming.With this setting disabled the UE-V Agent will not synchronize settings over a metered connection that is roaming.If you do
onization of users' sign-in information for certain apps networks and certificates.If you enable this policy setting only the selected Window
ession. Enable this setting to register a VDI-specific settings location template and restore data on computers in pooled VDI environments
etting certain user settings of Microsoft Access 2013 will not be backed up.If you do not configure this policy setting any defined values wi
etting certain user settings of Microsoft Access 2016 will not be backed up.If you do not configure this policy setting any defined values wi
m the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
cy setting certain user settings which are common between the Microsoft Office Suite 2013 applications will continue to be backed up.If y
cy setting certain user settings which are common between the Microsoft Office Suite 2016 applications will continue to be backed up.If y
certain user settings of Microsoft Excel 2013 will not be backed up.If you do not configure this policy setting any defined values will be del
certain user settings of Microsoft Excel 2016 will not be backed up.If you do not configure this policy setting any defined values will be del
policy setting certain user settings of Microsoft InfoPath 2013 will not be backed up.If you do not configure this policy setting any defined
Internet Explorer 10 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined val
nternet Explorer 11 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined valu
rnet Explorer 8 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values w
rnet Explorer 9 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values w
ch are common between the versions of Internet Explorer continue to synchronize.If you disable this policy setting the user settings which
rtain user settings of Microsoft Lync 2013 will not be backed up.If you do not configure this policy setting any defined values will be delete
rtain user settings of Microsoft Lync 2016 will not be backed up.If you do not configure this policy setting any defined values will be delete
tting Microsoft Access 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defi
tting Microsoft Access 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defin
tting Microsoft Access 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defin
Microsoft Excel 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined val
icrosoft Excel 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined valu
icrosoft Excel 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined valu
olicy setting Microsoft InfoPath 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting
olicy setting Microsoft InfoPath 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting
rosoft Lync 2010 user settings are excluded from the synchronization settings. If you do not configure this policy setting any defined values
osoft Lync 2013 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values w
osoft Lync 2016 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values w
n between computers. If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2010 appli
n between computers.If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2013 applic
ttings continue to synchronize.If you disable this policy setting Microsoft Office 2013 Upload Center user settings are excluded from the syn
n between computers.If you enable this policy setting the user settings which are common between the Microsoft Office Suite 2016 applic
ttings continue to synchronize.If you disable this policy setting Microsoft Office 2016 Upload Center user settings are excluded from the syn
user settings of Microsoft Office 365 Access 2013 from synchronization between computers with UE-V.If you enable this policy setting Mic
user settings of Microsoft Office 365 Access 2016 from synchronization between computers with UE-V.If you enable this policy setting Mic
rk computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Su
rk computers with UE-V by default. Use this policy setting to prevent the user settings which are common between the Microsoft Office Su
r settings of Microsoft Office 365 Excel 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
r settings of Microsoft Office 365 Excel 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
he user settings of Microsoft Office 365 InfoPath 2013 from synchronization between computers with UE-V.If you enable this policy settin
settings of Microsoft Office 365 Lync 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
settings of Microsoft Office 365 Lync 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
the user settings of Microsoft Office 365 OneNote 2013 from synchronization between computers with UE-V.If you enable this policy setti
the user settings of Microsoft Office 365 OneNote 2016 from synchronization between computers with UE-V.If you enable this policy setti
he user settings of Microsoft Office 365 Outlook 2013 from synchronization between computers with UE-V.If you enable this policy setting
he user settings of Microsoft Office 365 Outlook 2016 from synchronization between computers with UE-V.If you enable this policy setting
event the user settings of Microsoft Office 365 PowerPoint 2013 from synchronization between computers with UE-V.If you enable this po
event the user settings of Microsoft Office 365 PowerPoint 2016 from synchronization between computers with UE-V.If you enable this po
user settings of Microsoft Office 365 Project 2013 from synchronization between computers with UE-V.If you enable this policy setting Mi
user settings of Microsoft Office 365 Project 2016 from synchronization between computers with UE-V.If you enable this policy setting Mi
t the user settings of Microsoft Office 365 Publisher 2013 from synchronization between computers with UE-V.If you enable this policy setti
t the user settings of Microsoft Office 365 Publisher 2016 from synchronization between computers with UE-V.If you enable this policy setti
olicy setting to prevent the user settings of Microsoft Office 365 SharePoint Designer 2013 from synchronization between computers with
settings of Microsoft Office 365 Visio 2013 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
settings of Microsoft Office 365 Visio 2016 from synchronization between computers with UE-V.If you enable this policy setting Microsoft
er settings of Microsoft Office 365 Word 2013 from synchronization between computers with UE-V.If you enable this policy setting Micros
er settings of Microsoft Office 365 Word 2016 from synchronization between computers with UE-V.If you enable this policy setting Micros
disable this policy setting OneDrive for Business 2013 user settings are excluded from the synchronization settings.If you do not configure t
disable this policy setting OneDrive for Business 2016 user settings are excluded from the synchronization settings.If you do not configure t
policy setting Microsoft OneNote 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setti
cy setting Microsoft Outlook 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting an
sable this policy setting Microsoft PowerPoint 2010 user settings are excluded from the synchronization settings.If you do not configure th
etting Microsoft Project 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any de
policy setting Microsoft Publisher 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setti
gs continue to synchronize.If you disable this policy setting Microsoft SharePoint Designer 2010 user settings are excluded from the synchr
gs continue to synchronize.If you disable this policy setting Microsoft SharePoint Designer 2013 user settings are excluded from the synchr
ser settings continue to synchronize.If you disable this policy setting Microsoft SharePoint Workspace 2010 user settings are excluded from
rosoft Visio 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values
Microsoft Word 2010 user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined va
ynchronization settings.If you do not configure this policy setting any defined values will be deleted.
is policy setting certain user settings of Microsoft OneNote 2013 will not be backed up.If you do not configure this policy setting any defin
is policy setting certain user settings of Microsoft OneNote 2016 will not be backed up.If you do not configure this policy setting any defin
olicy setting certain user settings of Microsoft Outlook 2013 will not be backed up.If you do not configure this policy setting any defined va
olicy setting certain user settings of Microsoft Outlook 2016 will not be backed up.If you do not configure this policy setting any defined va
disable this policy setting certain user settings of Microsoft PowerPoint 2013 will not be backed up.If you do not configure this policy setti
disable this policy setting certain user settings of Microsoft PowerPoint 2016 will not be backed up.If you do not configure this policy setti
setting certain user settings of Microsoft Project 2013 will not be backed up.If you do not configure this policy setting any defined values
setting certain user settings of Microsoft Project 2016 will not be backed up.If you do not configure this policy setting any defined values
his policy setting certain user settings of Microsoft Publisher 2013 will not be backed up.If you do not configure this policy setting any defin
his policy setting certain user settings of Microsoft Publisher 2016 will not be backed up.If you do not configure this policy setting any defin
will continue to be backed up.If you disable this policy setting certain user settings of Microsoft SharePoint Designer 2013 will not be backe
ertain user settings of Microsoft Visio 2013 will not be backed up.If you do not configure this policy setting any defined values will be delet
ertain user settings of Microsoft Visio 2016 will not be backed up.If you do not configure this policy setting any defined values will be delet
ng certain user settings of Microsoft Word 2013 will not be backed up.If you do not configure this policy setting any defined values will be d
ng certain user settings of Microsoft Word 2016 will not be backed up.If you do not configure this policy setting any defined values will be d
e synchronization settings.If you do not configure this policy setting any defined values will be deleted.
onfigure this policy setting any defined values will be deleted.
d. Also the sharing wizard cannot create a share at %root%\users and can only be used to create SMB shares on folders.If you disable or d
rompted to choose their privacy settings after an upgrade.If this policy is disabled or not configured then the privacy experience may laun
s and screen blanking adjust speaker volume and apply a custom background image.Note: Users will be able to customize their system setti
tting.You can enforce this policy setting or you can allow users to overwrite this setting. By default when you enable this policy setting it is e
rver settings" option on the client.To allow users to overwrite this policy setting select the "Allow users to change this setting" check box. W
on the client.Note: It is highly recommended that you also specify the authentication method by using the "Set RD Gateway authenticatio
whether they want to connect.If you disable this policy setting users cannot run unsigned .rdp files and .rdp files from unknown publishers
settings (for example when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file).If you enabl
or leave it not configured the user will be able to save passwords using Remote Desktop Connection
n they start the file. To obtain the thumbprint view the certificate details and then click the Thumbprint field.If you disable or do not confi
user's consent.3. Full Control without user's permission: Allows the administrator to interact with the session without the user's consent.4
server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer
Enabling this setting overrides the "Start Program" settings set by the server administrator or user. The Start menu and Windows Desktop
e limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop
es a warning two minutes before the session disconnects which allows the user to press a key or move the mouse to keep the session activ
the Remote Desktop Services session disconnects which allows the user to save open files and close programs. If you have a console sess
d state running programs are kept active even though the user is no longer actively connected. By default these disconnected sessions are
he form of http://contoso.com/rdweb/Feed/webfeed.aspx. If you enable this policy setting the specified URL is configured as the defau
d discovery button.
ngine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
or do not configure this policy setting the user can subscribe to a feed or Web Slice through the Subscribe button in Internet Explorer and
uthenticate feeds to servers by using the Basic authentication scheme in combination with a less secure HTTP connection.A developer can
p Policy under "User Configuration." To restrict a file system path from indexing please specify the file system path to be indexed under th
User Configuration." To include a file system path for indexing please specify the file system path to be indexed under the "Computer Con
Group Policy under "User Configuration." To restrict a file system path from indexing please specify the file system path to be indexed un
cy applications can be launched from a hardware button.

ou do not configure this policy press and hold actions will be available.
r text symbols numbers or keyboard shortcuts.If you enable this policy Input Panel will not provide text prediction suggestions. Users will
xt to text entry areas when using a tablet pen as an input device. Users will not be able to configure this setting in the Input Panel Options
ext entry area when a user is using touch input. Users will not be able to configure this setting in the Input Panel Options dialog box.If you
a.k.a. Tablet PC Input Panel in Windows 7 and Windows Vista) enables you to use handwriting or an on-screen keyboard to enter text sym
f you disable this policy Input Panel tab will appear on the edge of the Tablet PC screen. Users will not be able to configure this setting in t
figure this setting in the Input Panel Options dialog box.If you disable this policy application auto complete lists will appear next to Input P
u to use handwriting or an on-screen keyboard to enter text symbols numbers or keyboard shortcuts.If you enable this policy and choose “
reen keyboard to enter text symbols numbers or keyboard shortcuts. If you enable this policy and choose “All” from the drop-down m
on and pen flicks training (that can be accessed through CPL) are still available. Conceptually this policy is a subset of the Disable pen flick
ures the touch pointer and other-touch specific features.If you do not configure this setting touch input is on by default.Note: Changes to
his setting Touch Panning is on by default.Note: Changes to this setting will not take effect until the user logs off.
ows users to change task characteristics such as: the program the task runs details of its schedule idle time and power management setting
ng characteristics such as the program the task runs its schedule details idle time and power management settings and its security context
tion takes precedence over the setting in User Configuration.
must select a program from the list in the Scheduled Task Wizard which displays only the tasks that appear on the Start menu and its subm
the Scheduled tasks folder.This setting does not prevent users from using other methods to create new tasks and it does not prevent user
precedence over the setting in User Configuration.Important: This setting does not prevent administrators of a computer from using At.ex
oth settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Important: This
tting Windows Defender SmartScreen is turned off and employees can't turn it on.If you don't configure this setting employees can choose
the site.
tification to the user.If you disable this policy setting then all memory dumps are uploaded according to the default consent and notificatio
ou disable or do not configure this policy setting the Turn off Windows Error Reporting policy setting in Computer Configuration/Administr
strative Templates/Windows Components/Windows Error Reporting/Consent take precedence.
not configure this policy setting WER throttles data by default; that is WER does not upload more than one CAB file for a report that conta
battery power but checks for solutions and uploads report data normally.If you disable or do not configure this policy setting WER checks
olicy again if the network profile is changed.
red. The Maximum number of reports to store setting determines how many reports are stored before older reports are automatically del
ediately. When Queuing behavior is set to Always queue all reports are added to the queue until the user is prompted to send the reports
in the Show Contents dialog box (example: notepad.exe). File names must always include the .exe file name extension. To remove an app
m data that is required to check for an existing solution is sent automatically and Windows prompts users for consent to send any addition
sent level of 0 1 2 3 or 4.- 0 (Disable): Windows Error Reporting sends no data to Microsoft for this event type.- 1 (Always ask before send
the default consent setting determines only the consent level of any other error reports.
premises authentication.NOTE: Disabling or not configuring this policy setting and enabling the "Use Windows Hello for Business" policy se
er.If you do not configure this policy setting users can provision Windows Hello for Business as a convenience credential that encrypts thei
is profile setting lets users install programs that require access to directories that the user might not have permission to view or change in
ng users can install from removable media when the installation is running in their own security context but only system administrators ca
cannot restore the computer to its original state if the installation does not complete.This policy setting is designed to reduce the amount
er that you want Windows Installer to search:-- "n" represents the network;-- "m" represents media;-- "u" represents URL or the Intern
e if actions have been set to occur when the logon hours expire.Note: If you configure this setting you might want to examine and appropr
If you choose to log off a user the user might lose unsaved data.If you enable this setting the system will perform the action you specify w
and on the Privacy tab in the Player are not selected and are not available.If you disable or do not configure this policy setting users can ch
rnet check box in the first use dialog box and on the Privacy and Media Library tabs in the Player are not selected and are not available.If y
gure this policy setting the Player automatically retrieves radio station presets from the Internet.
ified because no default settings are used for the proxy. The options are ignored if Autodetect or Browser is selected.The Configure button
nored if Autodetect is selected.The Configure button on the Network tab in the Player is not available and the protocol cannot be configu
is specified is ignored.The "Use default buffering" and "Buffer" options on the Performance tab in the Player are not available.If you disab
nored if Autodetect is selected.The Configure button on the Network tab in the Player is not available and the protocol cannot be configur
ted a user can specify UDP ports in the Use ports check box. If the user does not specify UDP ports the Player uses default ports when usin
aver does not interrupt playback even if users have selected a screen saver. The Allow screen saver during playback check box is cleared a
lly check box is not available.If you do not configure this policy setting users can change the setting for the Download codecs automatically
mode by using the Player tab in the Player.When this policy is not configured and the Set and Lock Skin policy is enabled some options in th
re used for the options on the Privacy tab unless the user changed the settings previously.If you disable or do not configure this policy setti
ure this policy setting users can configure the security settings on the Security tab.
uter. If the skin is not installed on a user's computer or if the Skin box is blank the Player opens by using the Corporate skin. The only way t
n. If both are present the Computer Configuration version of this policy setting takes precedence.
ws Messenger from that point on Windows Messenger will be loaded.The user can also configure this behavior on the Preferences tab on
Center is on by default.
ured this policy setting does not set a default value for the SourcePath parameter of the Update-Help cmdlet.Note: This policy setting exist
ging of execution events is disabled for all Windows PowerShell modules. Disabling this policy setting for a module is equivalent to setting t
able the Script Block Invocation Logging PowerShell additionally logs events when invocation of a command script block function or script
Documents directory with a file name that includes 'PowerShell_transcript' along with the computer name and time started. Enabling
hat originate from the Internet must be signed by a trusted publisher.The "Allow all scripts" policy setting allows all scripts to run.If you dis
computer to do?' list.If you disable or do not configure this policy setting the 'Install Updates and Shut Down' option will be the default op
s policy setting the 'Install Updates and Shut Down' option will be available in the Shut Down Windows dialog box if updates are available
ut nor will you receive critical updates from Windows Update. This setting also prevents Device Manager from automatically installing drive
ers though users can manually set up Work Folders by using the Work Folders Control Panel item.The "Work Folders URL" can specify eith
t screen.To hide a Control Panel item enable this policy setting and click Show to access the list of disallowed Control Panel items. In the Sh
ssage appears explaining that a setting prevents the action.
s to hide. To specify a list of pages to show the policy string must begin with "showonly:" (without quotes) and to specify a list of pages to
licy setting and click Show to access the list of allowed Control Panel items. In the Show Contents dialog box in the Value column enter the
vent users from using other methods to configure services.Note: When "Set up services" does not appear clicking the Add/Remove Windo
m using other tools and methods to configure services or add or remove program components. However this setting blocks user access to t
d. Also if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows C
e to recommend their use or to enable users to install them without having to search for installation files.If you enable this setting users ca
oes not prevent users from using other tools and methods to change program access or defaults.This setting does not prevent the Set Prog
users.When enabled this setting takes precedence over the other settings in this folder.This setting does not prevent users from using oth
on the Internet such as the Microsoft Product Support Services Web page.If you disable this setting or do not configure it the Support Info
ware Installation.If you disable this setting or do not configure it all programs (Category: All) are displayed when the "Add New Programs" p
trol Panel on the client computer. Second the screen saver timeout is set to a nonzero value through the setting or Control Panel.Also see
e Personalization Control Panel is available).Note: If this setting is enabled and the file is not available at user logon the default visual style
sion. If the screen saver file is not in the %Systemroot%\System32 directory type the fully qualified path to the file.If the specified screen s
n on each screen saver.To ensure that a computer will be password protected enable the "Enable Screen Saver" setting and specify a timeo
ailable in the Personalization or Display Control Panel.For systems prior to Windows Vista this setting hides the Appearance and Themes t
o KB article: Q327998 for more information.Also see the "Allow only bitmapped wallpaper" setting.
of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client.When not con
ser and navigates to the specified URL address to display the available printers. This setting makes it easy for users to find the printer
d Printer Wizard displays the list of shared printers on the network and invites to choose a printer from the shown list.If you disable this se
to a USB printer queue the device vid/pid will be compared to the approved list.
blocked by this policy. Administrators may need to set both policies to block all print connections to a specific print server.If this setting is
ble on the client no connection will be made. -You can configure Windows Vista clients so that security warnings and elevated comma
s not prevent users from using the Add Hardware Wizard to add a printer. Nor does it prevent users from running other programs to add p
staller. Typically system administrators publish programs to notify users of their availability to recommend their use or to enable users to
tall or uninstall programs.
all users.This setting does not prevent users from using other tools and methods to change program access or defaults.This setting does n
place" task link will be available to all users.Note: If the "Hide Programs control Panel" setting is enabled this setting is ignored.
Panel in Category View and Programs and Features in Classic View will be available to all users.When enabled this setting takes precedence
is policy setting the user can see the Administrative options.Note: Even if a user can see the Administrative options other policies may pre
ee the GeoID option the "Disallow changing of geographical location" option can prevent them from actually changing their current geogra
ote: Even if a user can see the option to change the UI language other policy settings can prevent them from changing their UI language.
features installation restriction for the user.

"Restricts the UI languages Windows should use for the selected user" policy setting.If you disable or do not configure this policy setting t
figure this policy setting there is no restriction on which language users should use.To enable this policy setting in Windows Server 2003 W
he availability and function of this setting is dependent on supported languages being enabled.
y and function of this setting is dependent on supported languages being enabled.
Configured then the user will be free to change the setting according to their preference. Note that the availability and function of thi
eference. Note that the availability and function of this setting is dependent on supported languages being enabled.
words not already known to the handwriting recognition engines (for example proper names and acronyms). Deleting email content or th
ta to the Desktop.
g Computer is hidden on the desktop the new Start menu the Explorer folder tree pane and the Explorer Web views. If the user manages
o this setting effective you must log off from and log back on to Windows 2000 Professional.
sktop tab and then clicking the Customize Desktop button.
indows domain and click Find. Type the name of an object in the directory such as "Administrator." If the filter bar does not appear above
nfigure it the system displays up to 10000 objects. This consumes approximately 2 MB of memory or disk space.This setting is designed to
s not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added ag
on\Administrative Templates\Control Panel\Display) settings.
e is not available when the user logs on no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting
s\Windows Explorer) is enabled Active Desktop is disabled and both these policies are ignored.
ts\Windows Explorer) is enabled Active Desktop is disabled and both of these policies are ignored.
-clicks the icon for a remote access connection. Also when any user selects the connection Properties appears on the File menu.If you disa
setting (and enable the "Enable Network Connections settings for Administrators" setting) users (including administrators) cannot delete a
re disabled for all users (including administrators).Important: If the "Enable Network Connections settings for Administrators" is disabled o
t configure the setting only Administrators and Network Configuration Operators can rename all-user remote access connections.Note: Th
ors.Note: When the "Ability to rename LAN connections or remote access connections available to all users" setting is configured (set to ei
ant: If the "Enable Network Connections settings for Administrators" is disabled or not configured this setting will not apply to administrat
etting the Windows XP settings that existed in Windows 2000 Professional will have the ability to prohibit Administrators from using certa
dministrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable th
twork Connections settings for Administrators" setting.Important: If the "Enable Network Connections settings for Administrators" is disab
" is disabled or not configured this setting does not apply to administrators on post-Windows 2000 computers.If you disable this setting or
ngs for Administrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you d
ot apply to administrators on post-Windows 2000 computers.If you disable this setting or do not configure it the Make New Connection ic
r Administrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable
strators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setti
le the "Enable Network Connections settings for Administrators" setting) the Properties menu items are disabled and no users (including a
is setting or do not configure it the Connect and Disconnect options for remote access connections are available to all users. Users can con
ill not apply to administrators on post-Windows 2000 computers.If you disable this setting or do not configure it all users can delete their p
st-Windows 2000 computers.If you disable this setting or do not configure it the Properties dialog box for a connection includes a check b
tors" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setting
bled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setting the Advanc
for the connection and on the File menu in the Network Connections folder. Users cannot choose to show the connection icon in the task
ow the problem can be resolved.If you enable this policy setting this condition will not be reported as an error to the user.If you disable or
ver go offline" indicates that network files are not available while the server is inaccessible.If you disable this setting or select the "Work offl
nts in all preceding levels."0" records an error when the offline storage cache is corrupted."1" also records an event when the server hostin
ngs are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.
in the Computer Configuration and User Configuration folders. If both settings are configured for a particular server the setting in Comput
ew their offline files.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the
tting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Config
etting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Confi
setting in Computer Configuration takes precedence over the setting in User Configuration.
nfiguration folders. If both policy settings are configured the policy setting in Computer Configuration takes precedence.The "Make Availab
cluding any lists inherited from lower precedence GPOs and the "Make Available Offline" command is displayed for all files and folders.If yo
rs made always available offline (including those inherited from lower precedence GPOs) is deleted and no files or folders are made availa
does not ensure that they are current.If you do not configure this setting the system performs a quick synchronization by default but users
nchronization Manager is configured for logon synchronization the system performs only a quick synchronization. Quick synchronization e
mputer is suspended by closing the display on a portable computer files are not synchronized. If multiple users are logged on to the comput
f this setting is not configured reminder balloons are displayed by default when you enable offline files but users can change the setting.To
s to access all WCN wizards.
g adds a check box to the Run dialog box giving users the option of running a 16-bit program in its own dedicated NTVDM process. The add
m to add and remove the Log Off item.This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security
Items menu and the Jump Lists appear just as it did when the user logged off.Note: The system saves document shortcuts in the user profi
w notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications.
ar displays only the Start button taskbar buttons the notification area and the system clock.If this setting is disabled or is not configured the
puters are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic particularly over slow network connections.If y
Menu and Taskbar do not show lists of recently or frequently used files folders or websites.If you disable or do not configure this setting the
ID to find a path. If the resulting path is not correct it conducts a comprehensive search of the target drive in an attempt to find the file.N
e target's file ID to find a path. If the resulting path is not correct it conducts a comprehensive search of the target drive in an attempt to fi
icons.If you disable this setting the Start menu only displays in the new style meaning the desktop icons are now on the Start page.If you
slow to open.
ser's taskbar.Note: Enabling this setting overrides the "Turn off notification area cleanup" setting because if the notification area is hidden
disable this setting or do not configure it the user can configure the taskbar position.Note: Enabling this setting also locks the QuickLaunc
le setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings so users cannot turn it to On. Se
CTRL+ALT+DELETE.If you disable or do not configure this policy setting the Power button and the Shut Down Restart Sleep and Hibernate c
g or do not configure it all pop-up text is displayed on the Start menu and in the notification area.
ure this policy setting the Default Programs link is available from the Start menu.Note: This policy setting does not prevent the Set Default
available from the Start menu.Also see the "Remove Documents icon on the desktop" policy setting.
click the Favorites menu. If you are using the classic Start menu click Display Favorites under Advanced Start menu options.Note:The item
ystem up-to-date. The Windows Update Product Catalog determines any system files security fixes and Microsoft updates that users need
y setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press C
t configure this policy setting Network Connections is available from the Start Menu.Also see the "Disable programs on Settings menu" and
and Maintenance will be displayed on the taskbar.A reboot is required for this policy setting to take effect.
do not configure this policy setting the Control Panel Printers and Network and Connection folders from Settings are available on the Start
nu the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu.When the se
be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R.If you disable or do not configur
ser from using the F3 key.In File Explorer the Search item still appears on the Standard buttons toolbar but the system does not respond w
folders not just those associated with redirected folders.If you enable this setting no folders appear on the top section of the Start menu. I
the "Run as different user" command.

Traditional Chinese (Lunar) regardless of the locale.If you disable this policy setting users cannot show an additional calendar regardless o
the Settings app. This is default behavior.Note: configuring this policy to "Show" or "Hide" on supported versions of Windows 10 will supe
by pressing the Start button on that display. Also the user will be able to configure this setting.
gured.Once the XML file is generated and moved to the desired file path type the fully qualified path and name of the XML file. You can ty
disable this setting the system notification area will always collapse notifications.If you do not configure it the user can choose if they wan
quire user tracking. If you enable the "Turn off user tracking" setting the system disables user tracking and personalized menus and ignore
Menu" and "Turn off personalized menus".This policy setting does not prevent users from pinning programs to the Start Menu or Taskba
uring Quiet Hours by default. Adminstrators and users will be able to modify this setting.
setting Quiet Hours are enabled by default but can be turned off or by the administrator or user.
ministrator or user. No reboots or service restarts are required for this policy setting to take effect.
n the specified value are interpreted as being preceded by 19.For example the default value 2029 specifies that all two-digit years less than
e is not located in a folder specified in the Path environment variable for your system enter the fully qualified path to the file.If you disable
ows 2000 Professional. It does not affect the ""Configure Your Server on a Windows 2000 Server"" screen on Windows 2000 Server.Note: T
have access to the command prompt (Cmd.exe) this policy setting does not prevent them from starting programs in the command window
esulting searches might make some programs start or run slowly.If you disable or do not configure this policy setting the program continu
logon logoff startup or shutdown batch file scripts or for users that use Remote Desktop Services.
olicy settings available in Computer Configuration\Security Settings. Note: This policy setting is available under Computer Configur
ers have access to the command prompt (Cmd.exe) this policy setting does not prevent them from starting programs in the command win
earches for updates and automatically downloads them.Note: Windows Update is an online catalog customized for your computer that co
Lock this computer.
he action.If you disable or do not configure this policy setting users can access Task Manager to start and stop programs monitor the perfo
pdated to display properly in this scenario will be blurry until the user logs out and back in to Windows. When you enable this policy some
roceed with the installation even if it includes unsigned files.-- "Warn" notifies the user that files are not digitally signed and lets the user
on location floppy drives and CD-ROM drives.Note: To prevent searching Windows Update for drivers also see "Turn off Windows Update
ate device driver searching" is disabled or not configured the administrator will be prompted for consent before going to Windows Update
setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching" nor does it affec
gured for "Automatic Caching" nor does it affect the availability of the "Always available offline" menu option in the user interface.Note: T
o the new location. To use this policy setting you must move or restore the server content to the new network location using a method tha
ervices (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function.If you enable
icy setting Windows Vista Windows 7 Windows 8 and Windows Server 2012 will use the standard English names for these subfolders when
controller that Active Directory Users and Computers or Active Directory Sites and Services snap-ins use."Use any available domain contro
erride the programs' specified responses to slow links.If you enable this setting you can in the "Connection speed" box type a decimal num
eated in the enabled state. If you do not want them to be effective until they are configured and tested you must disable the object link.
a client computer use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line
dministrators cannot turn it off. As a result Group Policy Object Editor displays only true settings; preferences do not appear.If you disable
days). If you select 0 minutes the computer tries to update user Group Policy every 7 seconds. However because updates might interfere
g the status of this setting to Enabled will keep any source files from copying to the GPO.Changing the status of this setting to Disabled wil
of the the policy settings in the "Internet Communication settings" section are set to not configured.
allowed to use the Store service and the Store item is available in the Open With dialog.
int drivers over HTTP.
e writing samples from the handwriting recognition personalization tool with Microsoft.If you disable this policy Tablet PC user writing sam
t PC users can report handwriting recognition errors to Microsoft.If you do not configure this policy Tablet PC users can report handwriting
try are displayed.If you disable or do not configure this policy setting a list of providers are downloaded when the user uses the web publis
olicy setting the user is allowed to use the Web service.
an choose to print to Internet printers over HTTP.Also see the "Web-based printing" policy setting in Computer Configuration/Administrati
not shown.If you disable this policy setting Windows Messenger collects anonymous usage information and the setting is not shown.If you
settings.To set this policy setting on a per-user basis make sure that the per-computer policy setting is not configured.
s policy setting is not configured.If you enable this policy setting the user cannot select a custom locale as their user locale but they can sti
ides.If this policy setting is disabled or not configured then the user can customize their user locale overrides.If this policy is set to Enabled
mple en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada).If yo
policy setting Windows Vista adds any customized run list configured to its run list.This policy setting appears in the Computer Configuratio
tion and User Configuration folders. If both policy settings are configured the policy setting in Computer Configuration takes precedence o
s located in the %Systemroot% directory you must specify the fully qualified path to the file.If you disable or do not configure this policy se
MITIGATION_POLICY_DEP_ENABLE (0x00000001) Enables data execution prevention (DEP) for the child process PROCESS_CREATI
emovable Data Drives."
this policy setting Windows 2000 displays login scripts written for Windows NT 4.0 and earlier.Also see the "Run Logon Scripts Visible" setti
multaneously.This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer
O A. GPO B and GPO C include the following user logon scripts:GPO B: B.cmd B.ps1GPO C: C.cmd C.ps1Assume also that there are two use
tores the remainder of the fully qualified path to the home directory (such as \dir1\dir2\homedir). As a result users can access any directo
ther than all of the AppData\Roaming folder to the exclusion list.By default the Appdata\Local and Appdata\LocalLow folders and all their
en the profile exceeds the permitted maximum size.-- Specify a customized message notifying users of the oversized profile.-- Determine h
do not configure this policy setting the paths specified in this policy setting will behave like any other cached data via Offline Files and con
figure this policy setting Windows Store apps can open files in the default desktop app for a file type.
t configure this policy setting Windows Store apps can open URIs in the default desktop app for a URI scheme.Note: Enabling this policy se
nternet zone Windows prompts the user before accessing the file.Low Risk: If the attachment is in the list of low-risk file types Windows w
information.If you do not configure this policy setting Windows marks file attachments with their zone information.
and Unblock button.If you do not configure this policy setting Windows hides the check box and Unblock button.
ou disable this policy setting Windows uses its built-in list of file types that pose a high risk.If you do not configure this policy setting Windo
this policy setting Windows uses its default trust logic.If you do not configure this policy setting Windows uses its default trust logic.
u can specify file types which pose a moderate risk.If you disable this policy setting Windows uses its default trust logic.If you do not confi
ened.If you disable this policy setting Windows does not call the registered antivirus programs when file attachments are opened.If you do
ecommendation which will cause users to see more trust prompts than choosing the other options.If you enable this policy setting you can
whether autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. If you enable this
age devices. If you enable this policy setting Autoplay is disabled on CD-ROM and removable media drives or disabled on all drives.
tions configured in that service when available. If your organization does not have an Enterprise spotlight content service the checkbox wil
evant.If you disable or do not configure this policy setting Microsoft will use diagnostic data to provide personalized recommendations tip
changed and suggested.
xt box. To display the password click the password reveal button.The policy applies to all Windows components and applications that use
is only supported on Enterprise Education and Server editions. - Send required diagnostic data. This is the minimum diagnostic data nece
s policy setting requires a logoff for it to be applied.
ot be changed by users.
the menu by default and users can configure this setting.

gure this setting.
CHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved.For shell extensions to run on a per-user basis there mus
a-d4a54907c53f} or SampleVideos.Note: Disabling a known folder can introduce application compatibility issues in applications that depen
y setting users can open Folder Options from the View tab on the ribbon.
administrator credentials.Many programs can be installed only by an administrator. If you enable this setting and a user does not have su
such as an Internet server.If you enable this policy setting Windows only searches the current target path. It does not search for the origin
g the path to a directory on the drive in the Map Network Drive dialog box in the Run dialog box or in a command window.Also this policy s
grams Administrative Tools Computer Management) nor does it prevent users from using other methods to start Computer Management.
ation of the default Library definition files.
esources in File Explorer and Network Locations.This policy setting does not prevent users from connecting to computers in their workgro
e computers by other commonly used methods such as by typing the share name in the Run dialog box or the Map Network Drive dialog bo
example.com/results.aspx?q={searchTerms}).You can add up to five additional links to the "Search again" links at the bottom of results ret
arch Connector). The pinned link will only work if this path is valid and the location contains the specified .Library-ms or .searchConnector-
elect the "Do not restrict drives" option from the drop-down list.Note: The icons representing the specified drives still appear in My Comp
user from being able to add new items such as files and folders to their actual file system profile folder at %userprofile%.
etting was documented incorrectly on the Explain tab in Group Policy for Windows 2000. The Explain tab states incorrectly that this setting
g the Search button is available from the File Explorer toolbar.This policy setting does not affect the Search items on the File Explorer conte
he Shared Documents folder is displayed in Web view and also in My Computer when the client is part of a workgroup.Note: The ability to
n or off these minor system animations using the "Use transition effects for menus and tooltips" option in Display in Control Panel.
tting allows administrators who have logged on as regular users to install programs without logging off and logging on again using their adm
atch this property will be shown but no data will be saved in the registry or re-shown on subsequent uses of the search box.
his policy setting the protocol is fully enabled allowing the opening of folders and files.If you disable this policy setting the protocol is in th
ults are returned * Disable ability to stack in the Context menu and Column headers * Exclude Libraries from the scope of Start searchT
hese options.If you disable or not configure this policy the default File Explorer behavior is applied to the user.Note: In operating systems
ndard Open dialog box.To see an example of the standard Open dialog box start Notepad and on the File menu click Open.Note: In Windo
at are using the Windows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box st
only affect programs that use the standard Open dialog box provided to developers of Windows programs.To see an example of the standa
ed Searches.If you disable or do not configure this setting the default list of items will be displayed in the Places Bar.Note: In Windows Vis
e Details Pane is hidden by default and can be displayed by the user. This is the default policy setting.
sponding to on-disk restore points.If you do not configure this policy setting it is disabled by default.
olicy setting it is disabled by default. The Restore button is active when the previous version is of a local file.
m the backup media.If you do not configure this policy setting it is disabled by default. The Restore button is active when the previous vers
o not configure this policy setting it is disabled by default. The Restore button is active when the previous version is of a file on a file share
me format. Example value: Contoso.comContosoIT.HumanResourcesApp_m5g0r7arhahqy If you enable this policy setting the application
til the user logs off.

ntil the user logs off.
to this setting will not take effect until the user logs off.
S-JIS unmapped area0x0400 // Unicode char0x0800 // surrogate char0x1000 // IVS char0xFFFF // no definition.If you disable or do not co
setting is turned on. To do this select Settings > Time & Language > Japanese Options > Microsoft IME Options. If compatibility mode is tur
ng it will be turned off by default and the user can turn on and turn off the cloud candidates feature.This Policy setting applies to Microsoft
ng it will be turned off by default and the user can turn on and turn off the cloud candidates feature.This Policy setting applies only to Micr
s]). Note: This list can be created from a custom administrative template file. For information about creating this custom administrative te
sers won't be able to change the Suggestions setting on the Settings charm.If you don't configure this policy setting users can change the S
this policy setting newly installed add-ons are automatically activated in the browser.If you disable or do not configure this policy setting
ministrators also have the ability to turn the auto-play feature on or off. This setting only applies if the Media Explorer Bar is enabled.If ch
Stable channel is used. This is the default behavior.- If you enable this policy you can configure redirected sites to open in up to three of th
because the "Disable the General page" policy removes the General tab from the interface.
rnet Explorer\Internet Control Panel) you do not need to set this policy because the "Disable the Advanced page" policy removes the Adva
figure this policy setting the user will have the freedom to automatically configure these settings.
ted in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) takes precedence o
ve Templates\Windows Components\Internet Explorer\Internet Control Panel) which removes the Content tab from Internet Explorer in C
mplates\Windows Components\Internet Explorer\Internet Control Panel) you do not need to set this policy because the "Disable the Gen
cy removes the Connections tab from the interface.
This policy is intended for organizations that do not want users to determine which browser should be their default.The "Disable the Progr
Control Panel) you do not need to set this policy because the "Disable the General page" policy removes the General tab from the interface
rs can choose their own home page.
ocated in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) you do not need
mponents\Internet Explorer\Internet Control Panel) you do not need to set this policy because the "Disable the General page" policy remo
age" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) wh
t tab from Internet Explorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.
rnet Explorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.
ttings” policy is enabled the user cannot add secondary home pages.
Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) you do not need to set this polic
across an organization.
e to use the Import/Export Settings wizard.If you disable or do not configure this policy setting the user will be able to use the Import/Exp
nning the Internet Connection Wizard.Note: This policy overlaps with the "Disable the Connections page" policy (located in \User Configur
owser settings. Note: Microsoft Edge Stable Channel must be installed for this policy to take effect.
Explorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.
asting text managing favorites and accessing Help. The Command bar enables the user to access and manage favorites feeds shortcuts to h
s can set up and change identities.
policy in sync with the ‘Send all intranet sites to Internet Explorer’ (‘SendIntranetToInternetExplorer’) policy. Additionally it’s best to enabl
rts.If you disable or don't configure this policy setting the menu option won't appear and users won't be able to run websites in Enterprise
dd one domain per line to the text box. For example:microsoft.sharepoint.comoutlook.comonedrive.comtimecard.contoso.comLOBApp.co
cted zones. The decimal representation of this number is used to represent this number in policy. For example:• 2 - Intranet site zone onl
browser through the Tell me if Internet Explorer is not the default web browser check box on the Programs tab in the Internet Options di
be able to provide a default Pop-up Blocker exception list.Note: You can disable users from adding or removing websites to the exception
you enable this policy setting the menu bar is above the navigation bar. The user cannot interchange the positions of the menu bar and th
and bar and F1 to access Help.
may also want to enable the "Prevent managing pop-up exception list" and "Turn off pop-up management" policy settings to prevent the
etting the user can configure how windows open when he or she clicks links from other applications.
ccelerators are turned on users can install search providers as Accelerators to include them on the Accelerator menu.
e whether to turn on SmartScreen Filter during the first-run experience.

ed all website addresses that are not on the filter's allow list are sent automatically to Microsoft without prompting the user.If you disable
egardless of which option is chosen.If you disable or do not configure this policy setting Internet Explorer may run the First Run wizard the
default providers installed do not appear (including providers installed from other applications). The only providers that appear are those
nded for situations in which administrators do not want users to explore the Internet or the hard disk.This policy can be used in coordinati
ased on the currently active browser.Note: If you've also enabled the Administrative Templates\Windows Components\Microsoft Edge\Se
ystem and amount of physical memory. We recommend the default setting.The second algorithm must be explicitly enabled through the c
nternal security checks.If you disable or do not configure this policy setting the ActiveX Opt-In prompt appears.
ed when the average time to load all the user's enabled add-ons exceeds the threshold.If you disable or do not configure this policy setting
ows in tabbed browsing.
o not configure this policy setting the user is prompted to decide whether to turn on the SmartScreen Filter during the first-run experience
cy setting the popup management feature will be functional.
onfigure this policy setting the user can turn on or turn off tabbed browsing.
choose to turn the auto-complete setting for web-addresses on or off.
gging settings.
policy setting the user can turn on and turn off the Suggested Sites feature.
e for User names and passwords on Forms is turned off. The user also cannot opt to be prompted to save passwords.If you do not configur
ndards mode.
Configuration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import t
ed controls are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explo
proved Active-X controls and plug-ins under security zones.If you disable this policy or do not configure it this control will not be designate
w administrator-approved controls are handled for each security zone carry out the following steps:1. In Group Policy click User Configura
the placement and appearance of Windows pop-up menus on Web pages-- Popup Menu Object - enables Web authors to add pop-up me
ontrols are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explorer M
urity zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explorer Maintenance and then click Secur
Configuration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import t
ecurity.2. Double-click Security Zones and Content Ratings click Import the Current Security Zones Settings and then click Modify Settings.3
ved controls are handled for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explo
ick Security.2. Double-click Security Zones and Content Ratings click Import the Current Security Zones Settings and then click Modify Setti
. Double-click Security Zones and Content Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select
he computer attempts to perform a Clipboard operation.If you do not configure this policy setting current values of the URL action for the
ser is prompted when a script that is running in the Internet Explorer process attempts to perform a Clipboard operation.If you do not con
y setting.If you enable this policy setting and enter a value of 1 prompts are bypassed. If you enter a value of 0 prompts are not bypassed.
ting to New and then clicking Window.Note: When users click the Open in New Window command the link will not open in a new window
owser window by right-clicking and then clicking the Open in New Window command. To prevent users from using the shortcut menu to o
ndow command. To prevent users from opening Web pages by using the shortcut menu set the "Disable Open in New Window menu opti
Web Page dialog box users click the File menu and then click the Save As command.If you disable this policy or do not configure it users ca
event users from saving the text of a Web page.Caution: If you enable this policy users are not prevented from saving Web content by poin
his policy users also cannot click Synchronize on the Tools menu (in Internet Explorer 6) to manage their favorite links that are set up for offl
tion: This policy does not prevent users from viewing and changing Internet settings by clicking the Internet Options icon in Windows Cont
licy setting the Print menu in Internet Explorer will be available. Starting with Windows 8 the Print flyout for Internet Explorer will be avail
m viewing the HTML source of a Web page from the shortcut menu set the "Turn off Shortcut Menu" policy which disables the entire short
ox.If you do not configure this policy setting the Microsoft-provided website lists are not active. The user can activate the feature by using
Standards Mode. This option results in the greatest compatibility with existing webpages but newer content written to common Internet s
policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string appended) for local intranet conten
neral tab in Internet Options.If the "Prevent access to Delete Browsing History" policy setting is enabled this policy setting has no effect.
e History List. Users can not delete browsing history.If you disable or do not configure this policy setting a user can set the number of days
rowsing History dialog box. Starting with Windows 8 users can click the Delete Browsing History button on the Settings charm.
a Tracking Protection data and Do Not Track exceptions stored for visited websites.This feature is available in the Delete Browsing History
g is enabled this policy setting is enabled by default.
bled this policy setting has no effect.
d by default.
ks Delete.If you do not configure this policy setting the user can choose whether to delete or preserve InPrivate Filtering data when he or s
bled by default.
History" policy setting is enabled this policy setting is enabled by default.
"Prevent access to Delete Browsing History" policy setting is enabled this policy setting is enabled by default.
olicy removes the Advanced tab from the interface.

proxy settings""Disable changing Automatic Configuration settings"
ves the General tab from the interface:"Disable changing home page settings""Disable changing Temporary Internet files settings""Disable
able the Reset Web Settings feature""Disable changing default browser check"
rity zones: Do not allow users to add/delete sites"
names are converted to IDN format only for addresses that are in the Intranet zone. 3) Unicode domain names are always converted to I
ab and then under International select the "Use UTF-8 for mailto links" check box.
e this policy setting non-Internet Explorer components will be automatically installed as necessary.
ers will be prompted when Web Components such as fonts would be downloaded.If you do not configure this policy users will be prompte
settings. The default is on.

id signature.
plorer automatically launches any browser helper objects that are installed on the user's computer.
Internet Explorer only sends the Do Not Track header if inPrivate Browsing mode is used.If you don't configure the policy setting users can
Internet for new versions of the browser so does not prompt users to install them.If you do not configure this policy setting Internet Explo
revoked.If you do not configure this policy setting Internet Explorer will not check server certificates to see if they have been revoked.
of executable programs or display their identities before downloading them to user computers.If you do not configure this policy Internet
on against malicious websites by using 64-bit processes on 64-bit versions of Windows. For computers running at least Windows 8 Enhanc
Internet Explorer will save encrypted pages containing secure (HTTPS) information to the cache.
orer will not delete the contents of the user's Temporary Internet Files folder when browser windows are closed.If you do not configure th
y animated pictures found in Web content.
Web content.
select the most preferred match.If you enable this policy setting the browser negotiates or does not negotiate an encryption tunnel by usin
or off using Internet Explorer settings. This feature is turned on by default
pted.If you do not configure this policy setting a user will have the freedom to accept requests from Web sites for Profile Assistant informa
his policy setting users can turn this behavior on or off using Internet Explorer Advanced Options settings. The default is to encode all quer
e is loaded into the background.If you don't configure this setting users can turn this behavior on or off using the Settings charm.
plorer 11 will use 32-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows.If you don't configure thi
setting Caret Browsing support can be turned on or off through the registry.
disable this policy setting Enhanced Protected Mode will be turned off. Any zone that has Protected Mode enabled will use the version of
Version 1607.
owsing session with the home page. Users cannot change this option to start with the tabs from the last browsing session.If you do not con
websites will be able to store application caches on client computers. Allow website database and caches on Website Data Settings will b
setting websites will be able to store an indexed database on client computers. Allow website database and caches on Website Data Settin
cy setting you provide the cache limit in MB. The default is 50 MB.If you enable this policy setting Internet Explorer will allow trusted doma
ation cache expiration time limit for all application caches. The default is 30 days.
ng you provide the cache limit in MB. The default is 500 MB.If you enable this policy setting Internet Explorer will allow trusted domains to
s are less than or equal to the size set in this policy setting.If you disable or do not configure this policy setting Internet Explorer will use th
xplorer will allow the creation of application caches whose manifest file contains the number of resources including the page that referen
not configure this policy setting Internet Explorer will use the default maximum storage limit for all application caches. The default is 1 GB
e or do not configure this policy setting Internet Explorer will use the default maximum storage limit for all indexed databases. The default
urity and Network Protocol Lockdown operate by comparing the settings in the active URL's zone against those in the Locked-Down equiva
ce local sites into the Intranet Zone.
ttings are: Trusted Sites zone (Low template) Intranet zone (Medium-Low template) Internet zone (Medium template) and Restricted Sites z
detect the intranet through the intranet settings dialog in Control Panel.
using the Advanced page in the Internet Control panel).
s being treated as though it is in the Internet zone.If this policy setting is not configured a Notification bar notification appears for intranet
his policy setting users cannot load a page in the zone that uses MSXML or ADO to access data from another site in the zone.If you do not
allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.If you disable th
have implemented a custom security manager.If you do not configure this policy setting binary and script behaviors are available.
and paste files from this zone automatically.
nstall desktop items from this zone.

r loading XBAPs.If you disable this policy setting XBAPs are not loaded inside Internet Explorer. The user cannot change this behavior.If you
ng XAML files.If you disable this policy setting XAML files are not loaded inside Internet Explorer. The user cannot change this behavior.If y
he user cannot change this behavior.If you do not configure this policy setting the user can decide whether to load XPS files inside Interne
not configure this policy setting a user's browser that loads a page containing an active Meta Refresh setting can be redirected to another
ng Search Connectors.If you do not configure this policy setting users can perform OpenSearch queries in this zone using Search Connector
t are returned as search results in File Explorer will be affected. MAPI items reside in the Internet zone so disabling this policy for the Inter
be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.If you do not configure
specified zones.If you disable this policy setting video and animation cannot be played through older media players.If you do not configure
sers can click on the Notification bar to allow the ActiveX control prompt.
e download prompt.
e user will receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content
ot configure this policy setting Internet Explorer prompts users with a Client Authentication message when they connect to a Web site that
s checks with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or o
d whether to download controls signed by publishers who aren't trusted. Code signed by trusted publishers is silently downloaded.
un unsigned controls.
n different windows. Users cannot change this setting.In Internet Explorer 10 if you disable this policy setting or do not configure it users c
ame window. Users cannot change this setting in the Internet Options dialog.In Internet Explorer 10 if you disable this policy setting or do
in this zone as dictated by the feature control setting for the process.If you do not configure this policy setting the MIME Sniffing Safety Fe
an HTML form.If you do not configure this policy setting the user can choose whether path information is sent when he or she is uploading
users are queried whether to allow the control to be loaded with parameters or scripted.If you disable this policy setting ActiveX controls t
ts to run in their sandbox. Disable Java to prevent any applets from running.If you disable this policy setting Java applets cannot run.If you
from running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users a
words in other zones. After a user is queried these values can be used silently for the remainder of the session.Automatic logon with curre
you do not configure this policy setting users can open windows and frames from othe domains and access applications from other doma
nts.If you disable this policy setting Internet Explorer will not execute unsigned managed components.If you do not configure this policy se
disable this policy setting Internet Explorer will not execute signed managed components.If you do not configure this policy setting Interne
y setting the user can configure how the computer handles these files. By default these files are blocked in the Restricted zone enabled in
nstalled on) users' computers.High safety to prevent users from being notified of software updates by e-mail software packages from bein
able this policy setting information using HTML forms on pages in this zone is prevented from being submitted.If you do not configure this
.NET Framework Setup is turned on. The user cannot change this behavior.If you do not configure this policy setting .NET Framework Setu
rst-run prompt is turned off by default.
ages in this zone for malicious content.
e browser's history in favorites in an XML store or directly within a Web page saved to disk.If you do not configure this policy setting users
sable this policy setting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set

hey do not have installed.
ot configure this policy setting Internet Explorer does not prompt users with a "Client Authentication" message when they connect to a We
check with your antimalware program to see if it's safe to create an instance of the ActiveX control. Users can turn this behavior on or off
rst-run prompt is turned on by default.
zone automatically.
oad signed controls without user intervention.
nsigned controls without user intervention.
from running applications and downloading files from IFRAMEs on the pages in this zone.If you do not configure this policy setting users ca
le this policy setting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by
zone to run.
have implemented a custom security manager.If you do not configure this policy setting only behaviors listed in the Admin-approved Beh

e download prompt.
in this zone as dictated by the feature control setting for the process.If you do not configure this policy setting the actions that may be har
zone to run.

e download prompt.
zone to run.
zone automatically.
e download prompt.
have implemented a custom security manager.If you do not configure this policy setting binary and script behaviors are not available unle
e whether to drag or copy files from this zone.
op items from this zone.

not configure this policy setting a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to anoth
ng Search Connectors.If you do not configure this policy setting users cannot perform OpenSearch queries in this zone using Search Connec
e download prompt.
annot be downloaded.
s or access applications from different domains.If you do not configure this policy setting users cannot open other windows and frames fro
zone to run.
zone automatically.
e download prompt.
will appear to allow control over questionable content accessed over any restricted protocols; content over other protocols is unaffected.I
have implemented a custom security manager.If you do not configure this policy setting binary and script behaviors are not available unle
e whether to drag or copy files from this zone.
op items from this zone.

not configure this policy setting a user's browser that loads a page containing an active Meta Refresh setting cannot be redirected to anoth
ng Search Connectors.If you do not configure this policy setting users cannot perform OpenSearch queries in this zone using Search Connec
e download prompt.
annot be downloaded.
s or access applications from different domains.If you do not configure this policy setting users cannot open other windows and frames fro
zone automatically.
ed to choose whether to allow the unsigned control to run.
re is a problem connecting with an Internet server the user sees a detailed description with hints about how to correct the problem. The u
er up to and including Internet Explorer 8.
t debugging.If you do not configure this policy setting the user can turn on or turn off script debugging.
of problems with its scripting. The user cannot change this policy setting.If you do not configure this policy setting the user can turn on or
tting the user can decide whether the Internet Connection Wizard should start automatically.
is enabled.If you disable this policy setting placeholders will not appear for graphical images while the images are downloading. The user
ceholders" policy setting must be disabled if this policy setting is enabled.If you disable this policy setting images appear. The user cannot t
If you do not configure this policy setting the user can turn on or turn off the printing of background colors and images.
arch results is displayed in the main window.If you disable or do not configure this policy setting the user can specify what action applies t
ble this policy setting you can choose where to direct the user after a search on the Address bar: a top-result website or a search-results w
er the branding is complete for ISPs (IEAK). The user cannot change this behavior.If you do not configure this policy setting the user can de
er will have the freedom to turn on or off Inline AutoComplete for File Explorer.
policy setting URL Suggestions will be turned on. Users will be able to turn on or turn off URL Suggestions in the Internet Options dialog. B
is policy setting Internet Explorer uses Windows Search AutoComplete to provide relevant results in the Address bar. The user cannot cha
ete.By default inline AutoComplete is turned off for Windows Vista Windows 7 Internet Explorer 7 and Internet Explorer 8. By default inlin
annot change this policy setting.If you do not configure this policy setting the user can allow or prevent the sending of the path portion of
re it users can add channels to the Channel bar or to their desktop.Note: Most channel providers use the words Add Active Channel for thi
ations that are concerned about server load for downloading content.The "Hide Favorites menu" policy (located in User Configuration\Ad
n Web pages can be updated on the schedules specified on the Schedule tab.This policy is intended for organizations that are concerned a
r do not configure it content will not be prevented from being downloaded.The "Disable downloading of site subscription content" policy
ot configure it users can add remove and edit schedules for Web sites and groups of Web sites.The "Disable editing schedules for offline p
e command is unavailable.If you disable this policy or do not configure it users can edit an existing schedule for downloading Web content
Note: This policy does not prevent users from removing active content from the desktop interface.
chronize and then click the Properties button.If you disable this policy or do not configure it users can remove the preconfigured settings f
option determines how many levels of a Web site are searched for new information it does not change the user interface in the Offline Fav
not configure this policy setting the user can establish the InPrivate Filtering threshold by clicking the Safety button and then clicking InPriv
o not configure this policy setting the user can establish the Tracking Protection threshold by clicking the Safety button and then clicking Tr
on.If you do not configure this policy setting it can be configured on the Privacy tab in Internet Options.
rned on or off on the Privacy tab in Internet Options.
se.If you do not configure this policy setting it can be configured through the registry.
able for use.If you do not configure this policy setting it can be configured through the registry.
eb application.If you disable or do not configure this policy setting the reveal password button can be shown by the application as a user t
nfigure this policy setting Data URI support can be turned on or off through the registry.
a list of add-ons to be allowed or denied by Internet Explorer. For each entry that you add to the list enter the following information:Nam
ot respect add-on management user preferences or policy settings.
dd-ons not listed within the 'Add-on List' policy setting. This policy setting effectively removes this option from users - all add-ons are assu
ment user preferences and policy settings. If you enter a Value of 0 the add-on management user preferences and policy settings are igno
his button lets the user run the outdated ActiveX control once.For more information see "Outdated ActiveX Controls" in the Internet Explo
nfigure this setting IE continues to download updated versions of VersionList.XML.For more information see "Out-of-date ActiveX control b
mple if you want to include http://example use "example"3. "file:///path/filename.htm". For example use "file:///C:/Users/contoso/Deskto
off blocking of outdated ActiveX controls for Internet Explorer on specific domains" policy settings.For more information see "Outdated Ac
ocket object.If you disable or do not configure this policy setting websites can request data across domains by using the WebSocket objec
equest data across domains by using the XDomainRequest object.
age#behavior notation e.g. #default#vml.If you disable this policy setting no behaviors will be allowed in zones set to 'admin-approved' ju
and MD4 signing technologies.

icy setting binary behaviors are prevented for the File Explorer and Internet Explorer processes.
are allowed. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignore
is policy setting Consistent Mime Handling is enabled for all processes.If you disable or do not configure this policy setting Consistent Mim
is policy setting Internet Explorer requires consistent MIME data for all received files.If you disable this policy setting Internet Explorer will
ng allows administrators to define applications for which they want this security feature to be prevented or allowed.If you enable this polic
security applies to all local files and content processed by any process other than Internet Explorer or those defined in a process list.If you
setting the Local Machine zone security applies to all local files and content processed by Internet Explorer.If you disable this policy setting
of 1 Local Machine Zone security applies. If you enter a value of 0 Local Machine Zone security does not apply. If a Value Name is empty o
alue is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Pro
MK Protocol is prevented for File Explorer and Internet Explorer and resources hosted on the MK protocol will fail.
enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the
rocesses other than File Explorer or Internet Explorer.If you do not configure this policy setting no policy is enforced for processes other th
ng the value names http and https.If you disable this policy setting restricting content obtained through restricted protocols is prevented fo
protocols is allowed. If you enter a Value of 0 restricting content obtained through restricted protocols is blocked. The Value Name is the n
ntent over restricted protocols to access my computer."If you disable or do not configure this policy setting for a zone no protocols are res
cation bar will not be displayed for all processes other than Internet Explorer or those listed in the Process List.
xplorer Processes.
e executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes
ting within or across domains for Internet Explorer processes.

ame is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related
processes other than Internet Explorer or those listed in the Process List receive no such protection.
ernet Explorer processes.If you disable this policy setting no zone receives such protection for Internet Explorer processes.If you do not con
ant this security feature to be prevented or allowed.If you enable this policy setting and enter a Value of 1 elevation to more privileged zon
the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes
s in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enable
ndows and windows that obfuscate other windows.If you do not configure this policy setting popup windows and other restrictions apply
ows may not be opened. If you enter a Value of 0 windows have none of these restrictions. The Value Name is the name of the executable
have only icons.If you disable or do not configure this policy setting the command buttons show selective text by default and the user can c
t configure it users can customize which buttons appear on the Internet Explorer and File Explorer toolbars.This policy can be used in coor
s from adding or removing toolbars from Internet Explorer.
ser is not prompted and incompatible toolbars run unless previously disabled through policy settings or user choice.If you disable or do no
dent or teacher.
etting employees can see the Address bar drop-down functionality in Microsoft Edge. If you disable this setting employees won't see th
pts the employee to use Internet Explorer 11 where the site is automatically rendered as though it’s in whatever version of IE is necessary f
Windows sign in when the system is idle or each time Microsoft Edge is closed.
ad the Start or New Tab page during Windows sign in and each time Microsoft Edge is closed.
isable this setting users can't add search engines or change the default used in the address bar.
en disabled this policy does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this in Group Policy E
engine you must also add a link to your OpenSearch XML file including at least the short name and https: URL of the search engine. For mo
ing Microsoft Edge.
websites asking for tracking info.
sabled the favorites bar is hidden and the favorites bar toggle resets to Off but disabled preventing your users from making changes. An er
the home button loads the Start page.- Show home button & set to New tab page is selected clicking the home button loads a New tab pa
devices running Windows desktop editions” (https://aka.ms/E489vw).If enabled and set to 0 (Default or not configured):- If it’s a single app
the user to continue and if no user action Microsoft Edge resets after 30 seconds.If you set this policy to 0 Microsoft Edge does not use an
cy load(s). If selected you must specify at least one URL in Configure Start Pages; otherwise this policy is ignored.When enabled and you w
bar of Microsoft Edge.

Microsoft enable this policy and use the <about:blank> value which honors domain- and non-domain-joined devices when it is the only co
ity problems while using legacy apps.

setting employees can choose whether to use Windows Defender SmartScreen.
main locked down.Supported devices: Domain-joined or MDM-enrolledRelated policy:- Configure Start Pages- Configure Open Microsoft Ed
ng their favorites between Internet Explorer and Microsoft Edge.If you disable or don't configure this setting (default) employees can add
Start menu.
semi-colon delimited list of extension package family names (PFNs). For example adding Microsoft.OneNoteWebClipper_8wekyb3d8bbw
ng both settings stops employees from syncing their favorites between Internet Explorer and Microsoft Edge.If you disable or don't configu
o your OpenSearch XML file including at least the short name and https: URL of the search engine. For more info about creating the OpenS
app behavior occurs and no additional page displays.Default setting: Disabled or not configuredRelated policies:-Configure the Enterprise
ed the UI settings for the home button are disabled preventing your users from making changes.Default setting: Disabled or not configured
ministrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However users cannot open a blank MMC console
not configure it all snap-ins are permitted except those that you explicitly prohibit. Use this setting if you plan to permit use of most snap
gured the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or
ot configured (or disabled) this snap-in is prohibited.-- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not config
ers to the explicitly permitted list of snap-ins" setting determines whether this tab is displayed.-- If "Restrict users to the explicitly permitte
no sync provider. Settings are written directly to the settings storage location rather than being cached to sync later. Set SyncMethod to “E
connects their Microsoft account for their computer then the UE-V Agent will not synchronize Windows apps. The Windows apps will defa
n’t ping the settings storage location before synchronizing settings packages. If you do not configure this policy any defined values will be d
ngs package size.
ection that is roaming.If you do not configure this policy setting any defined values are deleted.
tting only the selected Windows settings synchronize. Unselected Windows settings are excluded from settings synchronization.If you disab
s in pooled VDI environments that reset to a clean state on logout. With this policy enabled you can roll settings back to the state when UE
continue to be backed up.If you disable this policy setting certain user settings which are common between the Microsoft Office Suite 201
continue to be backed up.If you disable this policy setting certain user settings which are common between the Microsoft Office Suite 201
any defined values will be deleted.
any defined values will be deleted.
policy setting any defined values will be deleted.
setting the user settings which are common between the versions of Internet Explorer are excluded from settings synchronization. If any v
licy setting any defined values will be deleted.
crosoft Office Suite 2010 applications continue to synchronize.If you disable this policy setting the user settings which are common betwe
crosoft Office Suite 2013 applications continue to synchronize.If you disable this policy setting the user settings which are common betwee
ngs are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
crosoft Office Suite 2016 applications continue to synchronize.If you disable this policy setting the user settings which are common betwee
ngs are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
enable this policy setting Microsoft Office 365 Access 2013 user settings continue to sync with UE-V.If you disable this policy setting Micro
enable this policy setting Microsoft Office 365 Access 2016 user settings continue to sync with UE-V.If you disable this policy setting Micro
etween the Microsoft Office Suite 2013 applications from synchronization between computers with UE-V.If you enable this policy setting u
etween the Microsoft Office Suite 2016 applications from synchronization between computers with UE-V.If you enable this policy setting u
ble this policy setting Microsoft Office 365 Excel 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft O
ble this policy setting Microsoft Office 365 Excel 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft O
If you enable this policy setting Microsoft Office 365 InfoPath 2013 user settings continue to sync with UE-V.If you disable this policy settin
e this policy setting Microsoft Office 365 Lync 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offi
e this policy setting Microsoft Office 365 Lync 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offi
V.If you enable this policy setting Microsoft Office 365 OneNote 2013 user settings continue to sync with UE-V.If you disable this policy setti
V.If you enable this policy setting Microsoft Office 365 OneNote 2016 user settings continue to sync with UE-V.If you disable this policy setti
you enable this policy setting Microsoft Office 365 Outlook 2013 user settings continue to sync with UE-V.If you disable this policy setting
you enable this policy setting Microsoft Office 365 Outlook 2016 user settings continue to sync with UE-V.If you disable this policy setting
with UE-V.If you enable this policy setting Microsoft Office 365 PowerPoint 2013 user settings continue to sync with UE-V.If you disable this
with UE-V.If you enable this policy setting Microsoft Office 365 PowerPoint 2016 user settings continue to sync with UE-V.If you disable this
u enable this policy setting Microsoft Office 365 Project 2013 user settings continue to sync with UE-V.If you disable this policy setting Mic
u enable this policy setting Microsoft Office 365 Project 2016 user settings continue to sync with UE-V.If you disable this policy setting Mic
-V.If you enable this policy setting Microsoft Office 365 Publisher 2013 user settings continue to sync with UE-V.If you disable this policy se
-V.If you enable this policy setting Microsoft Office 365 Publisher 2016 user settings continue to sync with UE-V.If you disable this policy se
tion between computers with UE-V.If you enable this policy setting Microsoft Office 365 SharePoint Designer 2013 user settings continue t
le this policy setting Microsoft Office 365 Visio 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offi
le this policy setting Microsoft Office 365 Visio 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Offi
able this policy setting Microsoft Office 365 Word 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft
able this policy setting Microsoft Office 365 Word 2016 user settings continue to sync with UE-V.If you disable this policy setting Microsoft
ttings.If you do not configure this policy setting any defined values will be deleted.
o not configure this policy setting any defined values will be deleted.
are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
user settings are excluded from the synchronization settings.If you do not configure this policy setting any defined values will be deleted.
re this policy setting any defined values will be deleted.

re this policy setting any defined values will be deleted.
esigner 2013 will not be backed up.If you do not configure this policy setting any defined values will be deleted.
ny defined values will be deleted.
ny defined values will be deleted.
s on folders.If you disable or don't configure this policy setting users can share files out of their user profile after an administrator has opte
e privacy experience may launch for newly-created user accounts or for accounts that should be prompted to choose their privacy settings
to customize their system settings for presentations in Windows Mobility Center.If you do not configure this policy setting Windows prese
enable this policy setting it is enforced. When this policy setting is enforced users cannot override this setting even if they select the "Use
ange this setting" check box. When you do this users can specify an alternate authentication method by configuring settings on the client u
Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this setting either the NTL
files from unknown publishers on the client computer. If the user tries to start an RDP session the user receives a message that the publish
ifying an .rdp file).If you enable or do not configure this policy setting users can run .rdp files that are signed with a valid certificate. Users
d.If you disable or do not configure this policy setting no publisher is treated as a trusted .rdp publisher.Note:You can define this policy setti
n without the user's consent.4. View Session with user's permission: Allows the administrator to watch the session of a remote user with
hat matches the client printer the client printer is not available for the Remote Desktop session.If you disable this policy setting the RD Ses
menu and Windows Desktop are not displayed and when the user exits the program the session is automatically logged off.To use this setti
mit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings.If yo
ouse to keep the session active. If you have a console session idle session time limits do not apply.If you disable or do not configure this p
ms. If you have a console session active session time limits do not apply.If you disable or do not configure this policy setting this policy setti
ese disconnected sessions are maintained for an unlimited time on the server.If you enable this policy setting disconnected sessions are d
URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the defaul
tting through the Feed APIs.

utton in Internet Explorer and delete a feed or Web Slice through the feed list control. A developer can add or delete a feed or Web Slice b
TP connection.A developer cannot change this policy setting through the Feed APIs.
m path to be indexed under the "Computer Configuration" Group Policy.
xed under the "Computer Configuration" Group Policy.
system path to be indexed under the "Computer Configuration" Group Policy.If you enable and then disable this policy setting users can in
diction suggestions. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy Input Pan
ng in the Input Panel Options dialog box.If you disable this policy Input Panel will appear next to any text entry area in applications where
anel Options dialog box.If you disable this policy Input Panel will appear next to text entry areas in applications where this behavior is avail
en keyboard to enter text symbols numbers or keyboard shortcuts.If you enable this policy rarely used Chinese Kanji and Hanja characters
le to configure this setting in the Input Panel Options dialog box.If you do not configure this policy Input Panel tab will appear on the edge
sts will appear next to Input Panel in applications where the functionality is available. Users will not be able to configure this setting in the
nable this policy and choose “Low” from the drop-down box password security is set to “Low.” At this setting all password security setting
se “All” from the drop-down menu no scratch-out gestures will be available in Input Panel. Users will not be able to configure this setting in
subset of the Disable pen flicks policy.If you disable or do not configure this policy all the features described above will be available.
n by default.Note: Changes to this setting will not take effect until the user logs off.
nd power management settings and its security context. Beginning users will often not be interested or confused by having the property s
ettings and its security context.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings ar
n the Start menu and its submenus. Once a task is created users cannot change the program a task runs.Important: This setting does not p
s and it does not prevent users from deleting tasks.Note: This setting appears in the Computer Configuration and User Configuration folde
f a computer from using At.exe to create new tasks or prevent administrators from submitting tasks from remote computers.
Configuration.Important: This setting does not prevent administrators of a computer from using At.exe to delete tasks.
setting employees can choose whether to use Windows Defender SmartScreen.
default consent and notification settings.

puter Configuration/Administrative Templates/System/Internet Communication Management/Internet Communication settings takes pre
AB file for a report that contains data about the same event types.
this policy setting WER checks for solutions while a computer is running on battery power but does not upload report data until the compu
reports are automatically deleted.If you disable or do not configure this policy setting no Windows Error Reporting information is stored.
prompted to send the reports or until the user sends problem reports by using the Solutions to Problems page in Control Panel.The Maxim
e extension. To remove an application from the list click the name and then press DELETE. If this policy setting is enabled the Exclude error
r consent to send any additional data that is requested by Microsoft.- Send parameters and safe additional data: the minimum data that is
pe.- 1 (Always ask before sending data): Windows prompts the user for consent to send reports.- 2 (Send parameters): Windows Error Rep
s Hello for Business" policy setting requires the environment to have one or more Windows Server 2016 domain controllers to prevent W
e credential that encrypts their domain password.Select "Do not start Windows Hello provisioning after sign-in" when you use a third-part
ermission to view or change including directories on highly restricted computers.If you disable or do not configure this policy setting the sy
only system administrators can use removable media when an installation is running with elevated system privileges such as installations
esigned to reduce the amount of temporary disk space required to install programs. Also it prevents malicious users from interrupting an
u" represents URL or the Internet.To exclude a file source omit or delete the letter representing that source type.
want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon h
form the action you specify when the user’s logon hours expire.If you disable or do not configure this setting the system takes no action w
this policy setting users can change the setting of the Retrieve media information for CDs and DVDs from the Internet check box.
ected and are not available.If you disable or do not configure this policy setting users can change the setting of the Update my music files (
selected.The Configure button on the Network tab in the Player is not available for the HTTP protocol and the proxy cannot be configured
he protocol cannot be configured. If the "Hide network tab" policy setting is also enabled the entire Network tab is hidden.This policy setti
r are not available.If you disable or do not configure this policy setting users can change the buffering options on the Performance tab.
he protocol cannot be configured. If the "Hide network tab" policy setting is also enabled the entire Network tab is hidden.If you disable th
r uses default ports when using the UDP protocol. This policy setting also specifies that multicast streams can be received if the "Allow the
layback check box is cleared and is not available.If you do not configure this policy setting users can change the setting for the Allow scree
Download codecs automatically check box.
y is enabled some options in the anchor window are not available.
o not configure this policy setting the Privacy tab is not hidden and users can configure any privacy settings not configured by other police
Corporate skin. The only way to specify the Corporate skin is to leave the Skin box blank.A user has access only to the Player features that
vior on the Preferences tab on the Tools menu in the Windows Messenger user interface.Note: If you do not want users to use Windows M
t.Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Con
odule is equivalent to setting the LogPipelineExecutionDetails property of the module to False. If this policy setting is not configured th
script block function or script starts or stops. Enabling Invocation Logging generates a high volume of event logs. Note: This po
me and time started. Enabling this policy is equivalent to calling the Start-Transcript cmdlet on each Windows PowerShell session.
ows all scripts to run.If you disable this policy setting no scripts are allowed to run.Note: This policy setting exists under both "Computer C
n' option will be the default option in the Shut Down Windows dialog box if updates are available for installation at the time the user selec
g box if updates are available when the user selects the Shut Down option in the Start menu.
m automatically installing driver updates from the Windows Update Web site.If enabled you can configure one of the following notification
k Folders URL" can specify either the URL used by the organization for Work Folders discovery or the specific URL of the file server that stor
d Control Panel items. In the Show Contents dialog box in the Value column enter the Control Panel item's canonical name. For example en
nd to specify a list of pages to hide it must begin with "hide:". If a page in a showonly list would normally be hidden for other reasons (suc
in the Value column enter the Control Panel item's canonical name. For example enter Microsoft.Mouse Microsoft.System or Microsoft.P
cking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining op
setting blocks user access to the Windows Component Wizard.
strative Templates\Windows Components\Windows Installer) is enabled users cannot add programs from removable media regardless of
you enable this setting users cannot tell which programs have been published by the system administrator and they cannot use Add or Rem
does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and
t prevent users from using other tools and methods to install or uninstall programs.
t configure it the Support Info hyperlink appears.Note: Not all programs provide a support information hyperlink.
en the "Add New Programs" page opens.You can use this setting to direct users to the programs they are most likely to need.Note: This se
tting or Control Panel.Also see the "Prevent changing Screen Saver" setting.
r logon the default visual style is loaded.Note: When running Windows XP you can select the Luna visual style by typing %windir%\resourc
he file.If the specified screen saver is not installed on a computer to which this setting applies the setting is ignored.Note: This setting can
ver" setting and specify a timeout via the "Screen Saver timeout" setting.Note: To remove the Screen Saver dialog use the "Prevent changi
the Appearance and Themes tabs in the in Display in Control Panel.
am on the client.When not configured whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Dis
sy for users to find the printers you want them to add. Also see the "Custom support URL in the Printers folder's left pane" and "Activ
hown list.If you disable this setting the network printer browse page is removed from within the Add Printer Wizard and users cannot sear
fic print server.If this setting is enabled users will only be able to package point and print to print servers approved by the network adminis
warnings and elevated command prompts do not appear when users Point and Print or when printer connection drivers need to be updat
nning other programs to add printers. This setting does not delete printers that users have already added. However if users have not
their use or to enable users to install them without having to search for installation files.If this setting is enabled users cannot view the pro
or defaults.This setting does not prevent the Default Programs icon from appearing on the Start menu.
setting is ignored.
d this setting takes precedence over the other settings in this folder.This setting does not prevent users from using other tools and method
options other policies may prevent them from modifying the values.
changing their current geographical location.
changing their UI language.
t configure this policy setting the logged-on user can access the dialog box controls in the Regional and Language Options control panel to
ng in Windows Server 2003 Windows XP or Windows 2000 to use the "Restrict selection of Windows menus and dialogs language" policy s
availability and function of this setting is dependent on supported languages being enabled.
ng enabled.
). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collec
eb views. If the user manages to navigate to Computer the folder will be empty.If you disable this setting Computer is displayed as usual ap
ter bar does not appear above the resulting display on the View menu click Filter.
ace.This setting is designed to protect the network and the domain controller from the effect of expansive searches.
. They are simply not added again.Note: For this setting to take affect you must log off and log on to the system.
. You can also use this setting to specify that the wallpaper image be centered tiled or stretched. Users cannot change this specification.If
rs on the File menu.If you disable this setting (and enable the "Enable Network Connections settings for Administrators" setting) the Prope
dministrators) cannot delete all-user remote access connections. (By default users can still delete their private connections but you can ch
or Administrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you do no
e access connections.Note: This setting does not apply to AdministratorsNote: When the "Ability to rename LAN connections or remote ac
setting is configured (set to either enabled or disabled) this setting does not apply.
g will not apply to administrators on post-Windows 2000 computers.If this setting is not configured only Administrators and Network Confi
dministrators from using certain features. These settings are "Ability to rename LAN connections or remote access connections available t
00 computers.If you disable this setting or do not configure it a Properties menu item appears when users right-click the icon representing
ngs for Administrators" is disabled or not configured this setting does not apply to administrators on post-Windows 2000 computers.If you
ers.If you disable this setting or do not configure it the Properties button is enabled for all users.The Networking tab of the Remote Access
ndows 2000 computers.If you disable this setting or do not configure it the Advanced Settings item is enabled for administrators.Note: Non
the Make New Connection icon appears in the Start menu and in the Network Connections folder for all users. Clicking the Make New Co
2000 computers.If you disable this setting or do not configure it the Remote Access Preferences item is enabled for all users.
mputers.If you disable this setting or do not configure it the Install and Uninstall buttons for components of connections in the Network C
abled and no users (including administrators) can open the Remote Access Connection Properties dialog box for a private connection.Impo
able to all users. Users can connect or disconnect a remote access connection by double-clicking the icon representing the connection by r
re it all users can delete their private remote access connections. Private connections are those that are available only to one user. (By def
connection includes a check box beside the name of each component that the connection uses. Selecting the check box enables the comp
uters.If you disable this setting or do not configure it the Rename option is enabled for all users' private remote access connections. Users
disable this setting the Advanced button is enabled and all users can open the Advanced TCP/IP Setting dialog box.Note: This setting is sup
he connection icon in the taskbar from the Connection Properties dialog box.Important: If the "Enable Network Connections settings for A
r to the user.If you disable or do not configure this policy setting a DHCP-configured connection that has not been assigned an IP address
s setting or select the "Work offline" option users can work offline if disconnected.If you do not configure this setting users can work offline
n event when the server hosting the offline file is disconnected from the network."2" also records events when the local computer is conne
ar server the setting in Computer Configuration takes precedence over the setting in User Configuration. Both Computer and User configu
oth settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To view the
he setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: This setting provides a quick method fo
the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To set reminder balloon frequency wit
precedence.The "Make Available Offline" command is called "Always available offline" on computers running Windows Server 2012 Windo
yed for all files and folders.If you do not configure this policy setting the "Make Available Offline" command is available for all files and fold
files or folders are made available for offline use by Group Policy (though users can still specify their own files and folders for offline use).If
ronization by default but users can change this option.This setting appears in the Computer Configuration and User Configuration folders.
ation. Quick synchronization ensures that files are complete but does not ensure that they are current.If you do not configure this setting
s are logged on to the computer at the time the computer is suspended a synchronization is not performed.
users can change the setting.To prevent users from changing the setting while a setting is in effect the system disables the "Enable reminde
ated NTVDM process. The additional check box is enabled only when a user enters a 16-bit program in the Run dialog box.
tem on the Windows Security dialog box that appears when you press Ctrl+Alt+Del.Note: To add or remove the Log Off item on a compute
ent shortcuts in the user profile in the System-drive\Users\User-name\Recent folder.Also see the "Remove Recent Items menu from Start
sabled or is not configured the taskbar displays all toolbars. Users can add or remove custom toolbars and the "Toolbars" command appea
slow network connections.If you disable or do not configure this policy setting all files that the user opens appear in the menus including
o not configure this setting the system will store and display shortcuts to recently and frequently used files folders and websites.Note: The
n an attempt to find the file.Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID track
target drive in an attempt to find the file.Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have
e now on the Start page.If you do not configure this setting the default is the new style and the user can change the view.
the notification area is hidden there is no need to clean up the icons.
tting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked and the user
users cannot turn it to On. Select this option for compatibility with earlier versions of Windows.If you disable or do not configure this setti
Restart Sleep and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also availab
s not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel.
t menu options.Note:The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to
osoft updates that users need and shows the newest versions available for download.If you disable or do not configure this policy setting
that appears when you press Ctrl+Alt+Del and it does not prevent users from using other methods to log off.Tip: To add or remove the Log
ograms on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Compute
ngs are available on the Start menu and from Computer and File Explorer.Also see the "Disable Control Panel" "Disable Display in Control
cent Items menu.When the setting is disabled the Recent Items menu appears in the Start Menu and users cannot remove it.If the setting
you disable or do not configure this setting users will be able to access the Run command in the Start menu and in Task Manager and use
he system does not respond when the user presses Ctrl+F. Also Search does not appear in the context menu when you right-click an icon r
op section of the Start menu. If users add folders to the Start Menu directory in their user profiles the folders appear in the directory but n
ditional calendar regardless of the locale.If you do not configure this policy setting the calendar will be set according to the default logic.
sions of Windows 10 will supercede any policy setting of "Remove frequent programs list from the Start Menu" (which manages same par
me of the XML file. You can type a local path such as C:\StartLayouts\myLayout.xml or a UNC path such as \\Server\Share\Layout.xml. If t
e user can choose if they want notifications collapsed.

ersonalized menus and ignores this setting.Tip: To Turn off personalized menus without specifying a setting click Start click Settings click Ta
ms to the Start Menu or Taskbar. See the "Remove pinned programs list from the Start Menu" and "Do not allow pinning programs to the T
hat all two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20 that is 2000 to 2029. Conversely all two-d
d path to the file.If you disable this setting or do not configure it the setting is ignored and the system displays the Explorer interface.Tip: T
Windows 2000 Server.Note: This setting appears in the Computer Configuration and User Configuration folders. If both settings are config
grams in the command window even though they would be prevented from doing so using File Explorer.Note: Non-Microsoft applications
y setting the program continues without the registration. As a result the program might not perform all its functions or it might stop.This s
able under Computer Configuration and User Configuration. If both are settings are used any programs listed in either of these locations ca
programs in the command window even though they would be prevented from doing so using File Explorer.Note: Non-Microsoft applicatio
zed for your computer that consists of items such as drivers critical updates Help files and Internet products that you can download to kee
op programs monitor the performance of their computers view and monitor all programs running on their computers including system ser
n you enable this policy some blurry applications will be crisp after they are restarted without requiring the user to log out and back in to W
gitally signed and lets the user decide whether to stop or to proceed with the installation and whether to permit unsigned files to be instal
ee "Turn off Windows Update device driver searching" in Administrative Templates/System/Internet Communication Management/Interne
ore going to Windows Update to search for device drivers.
atic Caching" nor does it affect the availability of the "Always available offline" menu option in the user interface. Note: Do not enable thi
n in the user interface.Note: The configuration of this policy for any folder will override the configured value of "Do not automatically mak
rk location using a method that preserves the state of the files including their timestamps before updating the Folder Redirection location.
hema to function.If you enable this policy setting and the user has redirected folders such as the Documents and Pictures folders the folde
mes for these subfolders when redirecting the Start Menu or legacy My Documents folder.Note: This policy is valid only on Windows Vista
se any available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available doma
peed" box type a decimal number between 0 and 4294967200 indicating a transfer rate in kilobits per second. Any connection slower than
must disable the object link.
ap-in from the command line by typing RSOP.mscNote: This policy setting exists as both a User Configuration and Computer Configuration
s do not appear.If you disable or do not configure this policy setting the "Show Policies Only" command is turned on by default but admini
ause updates might interfere with users' work and increase network traffic very short update intervals are not appropriate for most instal
of this setting to Disabled will enforce the default behavior. Files will always be copied to the GPO if they have a later timestamp.NOTE: I
olicy Tablet PC user writing samples from the handwriting recognition personalization tool will automatically be shared with Microsoft.If yo
C users can report handwriting recognition errors to Microsoft.
n the user uses the web publishing or online ordering wizards.See the documentation for the web publishing and online ordering wizards
ter Configuration/Administrative Templates/Printers.
the setting is not shown.If you do not configure this policy setting users have the choice to opt in and allow information to be collected.
eir user locale but they can still select a replacement locale if one is installed.If you disable or do not configure this policy setting the user c
s.If this policy is set to Enabled at the computer level then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the c
ada) and French (Canada).If you enable this policy setting only locales in the specified locale list can be selected by users.If you disable or d
s in the Computer Configuration and User Configuration folders. If both policy settings are configured the policy setting in Computer Confi
figuration takes precedence over the policy setting in User Configuration.Note: Customized run-once lists are stored in the registry in HKE
do not configure this policy setting the user will have to start the appropriate programs after logon.Note: This setting appears in the Comp
process PROCESS_CREATION_MITIGATION_POLICY_DEP_ATL_THUNK_ENABLE (0x00000002) Enables DEP-ATL thunk emulation fo
Run Logon Scripts Visible" setting.

policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
me also that there are two users Qin Hong and Tamara Johnston. For Qin GPOs A B and C are applied. Therefore the scripts for GPOs B and
t users can access any directory on the home share by using the home directory drive letter.If you disable or do not configure this policy s
LocalLow folders and all their subfolders such as the History Temp and Temporary Internet Files folders are excluded from the user's roam
versized profile.-- Determine how often the customized message is displayed.Note: In operating systems earlier than Microsoft Windows V
d data via Offline Files and continue to remain online while the user is logged on if the network paths are accessible. Note: You should no
e.Note: Enabling this policy setting does not block Windows Store apps from opening the default desktop app for the http https and mailt
low-risk file types Windows will not prompt the user before accessing the file regardless of the file's zone information.If you enable this p
figure this policy setting Windows uses its built-in list of high-risk file types.
es its default trust logic.
trust logic.If you do not configure this policy setting Windows uses its default trust logic.
chments are opened.If you do not configure this policy setting Windows does not call the registered antivirus programs when file attachm
able this policy setting you can choose the order in which Windows processes risk assessment data.If you disable this policy setting Windo
dialog. If you enable this policy setting an Administrator can change the default Windows Vista or later behavior for autorun to:
es or disabled on all drives. This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable A
ntent service the checkbox will have no effect.If you disable this policy setting Windows spotlight will be turned off and users will no longe
onalized recommendations tips and offers to tailor Windows for the user's needs and make it work better for them.Note: this setting does
ents and applications that use the Windows system controls including Internet Explorer.
minimum diagnostic data necessary to keep Windows secure up to date and performing as expected. Using this value disables the "Option
on a per-user basis there must be an entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Appr
sues in applications that depend on the existence of the known folder.
ng and a user does not have sufficient permissions to install a program the installation continues with the current user's logon credentials.
t does not search for the original path even when it cannot find the target file in the current target path.If you disable or do not configure
mand window.Also this policy setting does not prevent users from using programs to access these drives or their contents. And it does not
start Computer Management.Tip: To hide all context menus use the "Remove File Explorer's default context menu" setting.
to computers in their workgroup or domain by other commonly used methods such as typing the share name in the Run dialog box or the
e Map Network Drive dialog box.To remove computers in the user's workgroup or domain from lists of network resources use the "No Com
ks at the bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites an
brary-ms or .searchConnector-ms file.You can add up to five additional links to the "Search again" links at the bottom of results returned in
drives still appear in My Computer but if users double-click the icons a message appears explaining that a setting prevents the action. Also
userprofile%.
tes incorrectly that this setting prevents users from connecting and disconnecting drives.Note: It is a requirement for third-party applicatio
tems on the File Explorer context menu or on the Start menu. To remove Search from the Start menu use the "Remove Search menu from
workgroup.Note: The ability to remove the Shared Documents folder via Group Policy is only available on Windows XP Professional.
isplay in Control Panel.

gging on again using their administrator credentials.If the dialog box does not appear the installation proceeds with the current user's perm
the search box.
icy setting the protocol is in the protected mode allowing applications to only open a limited set of folders.If you do not configure this poli
om the scope of Start searchThis policy will not enable users to add unsupported locations to Libraries.If you enable this policy Windows L
er.Note: In operating systems earlier than Windows Vista enabling this policy will also disable the Active Desktop and Web view. This settin
enu click Open.Note: In Windows Vista this policy setting applies only to applications that are using the Windows XP common dialog box s
ws Vista common dialog box style. It is a requirement for third-party applications with Windows 2000 or later certification to adhere to thi
o see an example of the standard Open dialog box start Wordpad and on the File menu click Open.Note: In Windows Vista this policy settin
aces Bar.Note: In Windows Vista this policy setting applies only to applications that are using the Windows XP common dialog box style. T
active when the previous version is of a local file and stored on the backup.
ersion is of a file on a file share.
s policy setting the application identified by the Package Family Name will be permitted to revoke access to all content protected using the
tion.If you disable or do not configure this policy setting no range of characters are filtered by default.This policy setting applies to Japanes
ns. If compatibility mode is turned on select Advanced options > Dictionary/Auto-tuning > [Clear auto-tuning information].[Clear input hist
icy setting applies to Microsoft CHS Pinyin IME and JPN IME.
icy setting applies only to Microsoft CHS Pinyin IME.
this custom administrative template file see the Internet Explorer documentation on search providers.If you disable or do not configure th
setting users can change the Suggestions setting on the Settings charm.
t configure this policy setting newly installed add-ons are not automatically activated in the browser. Internet Explorer notifies the user w
a Explorer Bar is enabled.If checked the Media Explorer Bar will automatically display and play the media content when the user clicks on
es to open in up to three of the following channels where: 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = M
page" policy removes the Advanced tab from the interface.
trol Panel) takes precedence over this policy. If it is enabled this policy is ignored.
tab from Internet Explorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.Caution: If you enable th
because the "Disable the General page" policy removes the General tab from the interface.Note: The default Web page colors are ignored
default.The "Disable the Programs page" policy (located in \User Configuration\Administrative Templates\Windows Components\Internet
General tab from the interface.Note: The default font settings colors are ignored in cases in which the Web page author has specified the
Control Panel) you do not need to set this policy because the "Disable the General page" policy removes the General tab from the interfac
the General page" policy removes the General tab from the interface.Note: The default link colors are ignored on Web pages on which the
rer\Internet Control Panel) which removes the Programs tab from Internet Explorer in Control Panel takes precedence over this policy. If i
ou do not need to set this policy because the "Disable the General page" policy removes the General tab from the interface.
be able to use the Import/Export Settings wizard.

licy (located in \User Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Control Panel) which rem
e favorites feeds shortcuts to home page and more. Full-screen mode disables not only these three bars but also the shortcuts to these ba
Additionally it’s best to enable this policy only if your intranet sites have known compatibility problems with Microsoft Edge.Related polic
e to run websites in Enterprise Mode.
mecard.contoso.comLOBApp.contoso.com
le:• 2 - Intranet site zone only Binary Representation - 00010• 0 - Restricted Sites Zone• 0 - Internet Zone• 0 - Trusted Sites Zone• 1 - Lo
tab in the Internet Options dialog box. Note that starting with Internet Explorer 10 on Windows 8 the check box is located on the Advanc
ing websites to the exception list by enabling "Turn off Managing Pop-up Allow list" policy.
sitions of the menu bar and the navigation bar.If you disable this policy setting the menu bar is below the navigation bar. The user cannot
policy settings to prevent the user from configuring pop-up behavior.

mpting the user.If you disable or do not configure this policy setting the user is prompted to decide the mode of operation for the phishin
y run the First Run wizard the first time the browser is started after installation.
roviders that appear are those in the list of policy keys for search providers. Note: This list can be created through a custom administrative
olicy can be used in coordination with the "File Menu: Disable Open menu option" policy (located in \User Configuration\Administrative Te
omponents\Microsoft Edge\Send all intranet sites to Internet Explorer 11 policy setting then all intranet sites will continue to open in Inter
xplicitly enabled through the creation of an integer setting. In this case each Internet Explorer isolation setting will quickly grow to use the
ot configure this policy setting users are notified when the average time to load all the user's enabled add-ons exceeds the threshold. This
during the first-run experience.
sswords.If you do not configure this setting the user has the freedom of turning on Auto complete for User name and passwords on forms
Content Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you wa
figuration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the
s control will not be designated as administrator-approved.
oup Policy click User Configuration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content R
Web authors to add pop-up menus to Web pagesTo specify how administrator-approved controls are handled for each security zone carry
ation click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the Curre
ntenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the Current Security Zones Settings and t
Content Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you w
nd then click Modify Settings.3. Select the content zone in which you want to manage ActiveX controls and then click Custom Level.4. In th
nfiguration click Internet Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the
ngs and then click Modify Settings.3. Select the content zone in which you want to manage ActiveX controls and then click Custom Level.4.
click Modify Settings.3. Select the content zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run Ac
lues of the URL action for the application or process on the computer prevail.
rd operation.If you do not configure this policy setting current values of the URL action for the Internet Explorer process prevail.
f 0 prompts are not bypassed. Value Name is the name of the executable file. If Value Name is empty or the value is not 0 or 1 the policy s
will not open in a new window and they will be informed that the command is not available.
using the shortcut menu to open new browser windows you should also set the "Disable Open in New Window menu option" policy whic
en in New Window menu option" policy which disables this command on the shortcut menu or the "Turn off Shortcut Menu" policy which
or do not configure it users can save all elements on a Web page.The "File menu: Disable Save As... menu option" policy which removes t
om saving Web content by pointing to a link on a Web page clicking the right mouse button and then clicking Save Target As.
orite links that are set up for offline viewing.

Options icon in Windows Control Panel.Also see policies for Internet options in the \Administrative Templates\Windows Components\Inte
Internet Explorer will be available and users will see installed printers under the Devices charm.
which disables the entire shortcut menu.

n activate the feature by using the Compatibility View Settings dialog box.
written to common Internet standards may be displayed incorrectly.If you disable this policy setting Internet Explorer uses a current user
nded) for local intranet content. Additionally all local intranet Standards Mode pages appear in Internet Explorer 7 Standards Mode. The u
policy setting has no effect.

ser can set the number of days that Internet Explorer tracks views of pages in the History list. Users can delete browsing history.
he Settings charm.
n the Delete Browsing History dialog box.If you enable this policy setting ActiveX Filtering Tracking Protection and Do Not Track data is pre
ate Filtering data when he or she clicks Delete.
Internet files settings""Disable changing history settings""Disable changing color settings""Disable changing link color settings""Disable cha
mes are always converted to IDN format.If you disable or do not configure this policy setting the user can control this setting by using Adv
is policy users will be prompted when Web Components such as fonts would be downloaded.
ure the policy setting users can select the Always send Do Not Track header option in Internet Explorer settings. By selecting this option Int
his policy setting Internet Explorer does not check the Internet for new versions of the browser so does not prompt users to install them.
they have been revoked.
configure this policy Internet Explorer will not check the digital signatures of executable programs or display their identities before down
ng at least Windows 8 Enhanced Protected Mode also limits the locations Internet Explorer can read from in the registry and the file syste
osed.If you do not configure this policy Internet Explorer will not delete the contents of the Temporary Internet Files folder when browser
te an encryption tunnel by using the encryption methods that you select from the drop-down list.If you disable or do not configure this po
es for Profile Assistant information.

e default is to encode all query strings in UTF-8.
the Settings charm.
dows.If you don't configure this policy setting users can turn this feature on or off using Internet Explorer settings. This feature is turned off
enabled will use the version of Protected Mode introduced in Internet Explorer 7 for Windows Vista.If you do not configure this policy use
wsing session.If you do not configure this policy setting Internet Explorer starts with the home page. Users can change this option to start w
n Website Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their computers.
caches on Website Data Settings will be available to users. Users can choose whether or not to allow websites to store data on their comp
plorer will allow trusted domains to store additional files in application caches up to the limit set in this policy setting.If you disable or do n
r will allow trusted domains to store additional data in indexed databases up to the limit set in this group policy.If you disable or do not co
ng Internet Explorer will use the default application cache individual resource size for all application caches resources. The default is 50 MB
ncluding the page that referenced the manifest that are less than or equal to the limit set in this policy setting.If you disable or do not confi
on caches. The default is 1 GB.
ndexed databases. The default is 4 GB.
ose in the Locked-Down equivalent zone. If you select a security level for any zone (including selecting no security) the same change should
emplate) and Restricted Sites zone (High template). (The Local Machine zone and its locked down equivalent have special security settings
otification appears for intranet content loaded on a browser on a computer that is not a domain member until the user turns off the Notifi
r site in the zone.If you do not configure this policy setting users cannot load a page in the zone that uses MSXML or ADO to access data fro
s is unaffected.If you disable this policy setting all attempts to access such content over the restricted protocols is blocked.If you do not co
ehaviors are available.
not change this behavior.If you do not configure this policy setting the user can decide whether to load XBAPs inside Internet Explorer.
annot change this behavior.If you do not configure this policy setting the user can decide whether to load XAML files inside Internet Explor
o load XPS files inside Internet Explorer.
can be redirected to another Web page.
s zone using Search Connectors.
sabling this policy for the Internet zone will prevent the previewing of these items in File Explorer. For the case of custom thumbnails it is t
rocess.If you do not configure this policy setting the possible harmful actions contained in script-initiated pop-up windows and windows th
players.If you do not configure this policy setting video and animation can be played through older media players in specified zones.
d nonsecure (http://) content.If you disable this policy setting users cannot receive the security information message and nonsecure conte
hey connect to a Web site that has no certificate or only one certificate.
can turn this behavior on or off using Internet Explorer Security settings.
is silently downloaded.
g or do not configure it users cannot drag content from one domain to a different domain when the source and destination are in different
isable this policy setting or do not configure it users cannot drag content from one domain to a different domain when the source and des
ng the MIME Sniffing Safety Feature will not apply in this zone.
nt when he or she is uploading a file via an HTML form. By default path information is sent.
olicy setting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.If you do not configure this policy settin
ava applets cannot run.If you do not configure this policy setting the permission is set to High Safety.
gure this policy setting users are queried to choose whether to run applications and download files from IFRAMEs on the pages in this zone
on.Automatic logon with current user name and password to attempt logon using Windows NT Challenge Response (also known as NTLM
applications from other domains.
do not configure this policy setting Internet Explorer will execute unsigned managed components.
figure this policy setting Internet Explorer will execute signed managed components.
he Restricted zone enabled in the Intranet and Local Computer zones and set to prompt in the Internet and Trusted zones.
software packages from being automatically downloaded to users' computers and software packages from being automatically installed o
d.If you do not configure this policy setting users are queried to choose whether to allow information using HTML forms on pages in this z
y setting .NET Framework Setup is turned on by default. The user can change this behavior.
figure this policy setting users can preserve information in the browser's history in favorites in an XML store or directly within a Web page
e will be on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting Web sites from
r site in the zone.If you do not configure this policy setting users are queried to choose whether to allow a page to be loaded in the zone th

rocess.If you do not configure this policy setting Windows Restrictions security will not apply in this zone. The security zone runs without t
ge when they connect to a Web site that has no certificate or only one certificate.
an turn this behavior on or off using Internet Explorer Security settings.
ava applets cannot run.If you do not configure this policy setting the permission is set to Medium Safety.
d.If you do not configure this policy setting information using HTML forms on pages in this zone can be submitted automatically.
e will be on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting Web sites from
r site in the zone.If you do not configure this policy setting users can load a page in the zone that uses MSXML or ADO to access data from

ava applets cannot run.If you do not configure this policy setting the permission is set to Medium Safety.
gure this policy setting users can run applications and download files from IFRAMEs on the pages in this zone without user intervention.
do not configure this policy setting Internet Explorer will not execute unsigned managed components.
figure this policy setting Internet Explorer will not execute signed managed components.
will be on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting the possibly harm
ed in the Admin-approved Behaviors under Binary Behaviors Security Restriction policy are available.

ng the actions that may be harmful cannot run; this Internet Explorer security feature will be turned on in this zone as dictated by the feat
ava applets cannot run.If you do not configure this policy setting Java applets are disabled.
r site in the zone.If you do not configure this policy setting users are queried to choose whether to allow a page to be loaded in the zone th


ehaviors are not available unless applications have implemented a custom security manager.
cannot be redirected to another Web page.
this zone using Search Connectors.

gure this policy setting users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
other windows and frames from different domains or access applications from different domains.
figure this policy setting users cannot preserve information in the browser's history in favorites in an XML store or directly within a Web pa

other protocols is unaffected.If you disable this policy setting all attempts to access such content over the restricted protocols is blocked.If
ehaviors are not available unless applications have implemented a custom security manager.
cannot be redirected to another Web page.
this zone using Search Connectors.

gure this policy setting users are prevented from running applications and downloading files from IFRAMEs on the pages in this zone.
other windows and frames from different domains or access applications from different domains.
figure this policy setting users cannot preserve information in the browser's history in favorites in an XML store or directly within a Web pa

ava applets cannot run.If you do not configure this policy setting the permission is set to Low Safety.
e will be on in this zone as set by Protection from Zone Elevation feature control.If you do not configure this policy setting a warning is issu
to correct the problem. The user cannot change this policy setting.If you do not configure this policy setting the user can turn on or turn o
setting the user can turn on or turn off the display of script errors.
es are downloading. The user cannot change this policy setting.If you do not configure this policy setting the user can allow or prevent the
ages appear. The user cannot turn off image display.If you do not configure this policy setting the user can turn on or turn off image display
and images.
n specify what action applies to searches on the Address bar.
t website or a search-results webpage in the main window.If you disable or do not configure this policy setting the user can select their pr
s policy setting the user can decide whether to start Internet Explorer automatically to complete the signup process after the branding is c
the Internet Options dialog. By default URL Suggestions are turned on.
dress bar. The user cannot change this setting.If you do not configure this policy setting the user can choose to turn the Use Windows Sear
net Explorer 8. By default inline AutoComplete is turned on for Internet Explorer 9.
ending of the path portion of URLs as UTF-8.

rds Add Active Channel for this option; however a few use different words such as Subscribe.
ated in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is e
nizations that are concerned about server load for downloading content.The "Hide Favorites menu" policy (located in User Configuration\A
e subscription content" policy and the "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\Windows Co
editing schedules for offline pages" policy and the "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\
for downloading Web content for offline viewing.This policy is intended for organizations that are concerned about server load for downlo
ve the preconfigured settings for pages to be downloaded for offline viewing.This policy is intended for organizations that are concerned a
ser interface in the Offline Favorites wizard.Note: The begin and end times for downloading are measured in minutes after midnight. The
button and then clicking InPrivate Filtering.

ety button and then clicking Tracking Protection.
n by the application as a user types in a password. The reveal password button is visible by default.On at least Windows 8 if the "Do not dis
he following information:Name of the Value - the CLSID (class identifier) for the add-on you wish to add to the list. The CLSID should be in
m users - all add-ons are assumed to be denied unless they are specifically allowed through the 'Add-on List' policy setting.If you enable th
es and policy settings are ignored by the specified process. The Value Name is the name of the executable. If a Value Name is empty or th
Controls" in the Internet Explorer TechNet library.
"Out-of-date ActiveX control blocking" in the Internet Explorer TechNet library.
e:///C:/Users/contoso/Desktop/index.htm"If you disable or don't configure this policy setting the list is deleted and Internet Explorer conti
information see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
by using the WebSocket object. By default the WebSocket object is enabled.
nes set to 'admin-approved' just as if those zones were set to 'disable'.If you do not configure this policy setting only VML will be allowed in
or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy
policy setting Consistent Mime Handling is prevented for all processes.
y setting Internet Explorer will not require consistent MIME data for all received files.If you do not configure this policy setting Internet Exp
allowed.If you enable this policy setting and enter a Value of 1 MIME handling is in effect. If you enter a Value of 0 file-type information is
defined in a process list.If you disable or do not configure this policy setting Local Machine zone security is not applied to local files or con
f you disable this policy setting Local Machine zone security is not applied to local files or content processed by Internet Explorer.If you do
ly. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list:
e related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes co
or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting
nforced for processes other than File Explorer and Internet Explorer.
icted protocols is prevented for File Explorer and Internet Explorer processes.If you do not configure this policy setting the policy setting is
cked. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do no
for a zone no protocols are restricted for that zone regardless of the setting for "Allow active content over restricted protocols to access m
he Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable for IE processes. If the All
ses in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is ena
rer processes.If you do not configure this policy setting any zone can be protected from zone elevation by Internet Explorer processes.
evation to more privileged zones can be prevented. If you enter a Value of 0 elevation to any zone is allowed. The Value Name is the name
tting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting
ocesses policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure t
s and other restrictions apply for File Explorer and Internet Explorer processes.
is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Ex
t by default and the user can change this.

This policy can be used in coordination with the "Disable customizing browser toolbars" policy which prevents users from determining whi
choice.If you disable or do not configure this policy setting the toolbar upgrade tool checks for incompatible toolbars. The user can enable
setting employees won't see the Address bar drop-down functionality in Microsoft Edge. This setting also disables the user-defined setting
ever version of IE is necessary for it to appear properly.If you disable this setting the Microsoft Compatibility List isn’t used during browser
o prevent this in Group Policy Editor enable Allows development of Windows Store apps and installing them from an integrated developme
L of the search engine. For more info about creating the OpenSearch XML file see the Understanding OpenSearch Standards (https://msdn
rs from making changes. An error message also shows at the top of the Settings pane indicating that your organization manages some setti
me button loads a New tab page.- Show home button & set a specific page is selected clicking the home button loads the URL specified in
configured):- If it’s a single app it runs InPrivate full screen for digital signage or interactive displays.- If it’s one of many apps Microsoft Edg
Microsoft Edge does not use an idle timer.If disabled or not configured the default value is 5 minutes.If you do not configure Microsoft Edge
ored.When enabled and you want to make changes you must first set the Disable Lockdown of Start Pages to not configured make the cha
d devices when it is the only configured URL.Version 1809:If enabled and you select either Start page New Tab page or previous page in th
- Configure Open Microsoft Edge With
g (default) employees can add import and make changes to the Favorites list.
eWebClipper_8wekyb3d8bbwe;Microsoft.OfficeOnline_8wekyb3d8bbwe prevents a user from turning off the OneNote Web Clipper and O
.If you disable or don't configure this setting employees will see the favorites they set in the Hub and Favorites Bar.
info about creating the OpenSearch XML file see the Understanding OpenSearch Standards (https://msdn.microsoft.com/en-us/library/dd
cies:-Configure the Enterprise Mode Site List-Send all intranet sites to Internet Explorer 11
tting: Disabled or not configuredRelated policy:-Configure Home Button-Set Home Button URL
not open a blank MMC console window on the Start menu. (To open the MMC click Start click Run and type mmc.) Users also cannot open
an to permit use of most snap-ins. To explicitly prohibit a snap-in open the Restricted/Permitted snap-ins setting folder and then disable
er this snap-in is permitted or prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is enabled users
p-ins" is disabled or not configured users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in
users to the explicitly permitted list of snap-ins" is enabled users will not have access to the Group Policy tab. To explicitly permit use of
nc later. Set SyncMethod to “External” when an external synchronization engine is being deployed for settings sync. This could use OneDri
s. The Windows apps will default to whatever settings are configured in the Sync your settings configuration in Windows.
cy any defined values will be deleted.
gs synchronization.If you disable this policy setting all Windows Settings are excluded from the settings synchronization.If you do not confi
ngs back to the state when UE-V was installed or to “last-known-good” configurations. Only enable this policy setting on computers runnin
the Microsoft Office Suite 2013 applications will not be backed up. If you do not configure this policy setting any defined values will be de
the Microsoft Office Suite 2016 applications will not be backed up. If you do not configure this policy setting any defined values will be de
ttings synchronization. If any version of the Internet Explorer settings are enabled this policy setting should not be disabled.If you do not co
ngs which are common between the Microsoft Office Suite 2010 applications are excluded from the synchronization settings. If any of the
gs which are common between the Microsoft Office Suite 2013 applications are excluded from the synchronization settings. If any of the M
ues will be deleted.
gs which are common between the Microsoft Office Suite 2016 applications are excluded from the synchronization settings. If any of the M
ues will be deleted.
isable this policy setting Microsoft Office 365 Access 2013 user settings are excluded from synchronization with UE-V.If you do not configu
isable this policy setting Microsoft Office 365 Access 2016 user settings are excluded from synchronization with UE-V.If you do not configu
you enable this policy setting user settings which are common between the Microsoft Office Suite 2013 applications continue to synchroniz
you enable this policy setting user settings which are common between the Microsoft Office Suite 2016 applications continue to synchroniz
this policy setting Microsoft Office 365 Excel 2013 user settings are excluded from synchronization with UE-V.If you do not configure this p
this policy setting Microsoft Office 365 Excel 2016 user settings are excluded from synchronization with UE-V.If you do not configure this p
If you disable this policy setting Microsoft Office 365 InfoPath 2013 user settings are excluded from synchronization with UE-V.If you do no
is policy setting Microsoft Office 365 Lync 2013 user settings are excluded from synchronization with UE-V.If you do not configure this poli
is policy setting Microsoft Office 365 Lync 2016 user settings are excluded from synchronization with UE-V.If you do not configure this poli
-V.If you disable this policy setting Microsoft Office 365 OneNote 2013 user settings are excluded from synchronization with UE-V.If you do
-V.If you disable this policy setting Microsoft Office 365 OneNote 2016 user settings are excluded from synchronization with UE-V.If you do
you disable this policy setting Microsoft Office 365 Outlook 2013 user settings are excluded from synchronization with UE-V.If you do not
you disable this policy setting Microsoft Office 365 Outlook 2016 user settings are excluded from synchronization with UE-V.If you do not
nc with UE-V.If you disable this policy setting Microsoft Office 365 PowerPoint 2013 user settings are excluded from synchronization with U
nc with UE-V.If you disable this policy setting Microsoft Office 365 PowerPoint 2016 user settings are excluded from synchronization with U
disable this policy setting Microsoft Office 365 Project 2013 user settings are excluded from synchronization with UE-V.If you do not confi
disable this policy setting Microsoft Office 365 Project 2016 user settings are excluded from synchronization with UE-V.If you do not confi
E-V.If you disable this policy setting Microsoft Office 365 Publisher 2013 user settings are excluded from synchronization with UE-V.If you d
E-V.If you disable this policy setting Microsoft Office 365 Publisher 2016 user settings are excluded from synchronization with UE-V.If you d
r 2013 user settings continue to sync with UE-V.If you disable this policy setting Microsoft Office 365 SharePoint Designer 2013 user setting
his policy setting Microsoft Office 365 Visio 2013 user settings are excluded from synchronization with UE-V.If you do not configure this po
his policy setting Microsoft Office 365 Visio 2016 user settings are excluded from synchronization with UE-V.If you do not configure this po
le this policy setting Microsoft Office 365 Word 2013 user settings are excluded from synchronization with UE-V.If you do not configure th
le this policy setting Microsoft Office 365 Word 2016 user settings are excluded from synchronization with UE-V.If you do not configure th
will be deleted.
will be deleted.
fter an administrator has opted in the computer.
o choose their privacy settings after an upgrade.
s policy setting Windows presentation settings can be invoked.
g even if they select the "Use these RD Gateway server settings" option on the client.Note: To enforce this policy setting you must also spe
figuring settings on the client using an RDP file or using an HTML script. If users do not specify an alternate authentication method the aut
sing this setting either the NTLM protocol that is enabled on the client or a smart card can be used.To allow users to overwrite the "Set RD
ves a message that the publisher has been blocked.
with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user start
:You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy settin
session of a remote user with the user's consent. 5. View Session without user's permission: Allows the administrator to watch the session
e this policy setting the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host serve
cally logged off.To use this setting in Program path and file name type the fully qualified path and file name of the executable file to be run
es sessions policy settings.If you enable this policy setting Remote Desktop Services ends any session that reaches its time-out limit.If you
able or do not configure this policy setting the time limit is not specified at the Group Policy level. By default Remote Desktop Services allo
is policy setting this policy setting is not specified at the Group Policy level. By default Remote Desktop Services allows sessions to remain
g disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected
user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL
or delete a feed or Web Slice by using the Feed APIs.

this policy setting users can index any path not restricted by other policies but their original list of paths to index is not restored.
u disable this policy Input Panel will provide text prediction suggestions. Users will not be able to configure this setting in the Input Panel O
try area in applications where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog bo
ns where this behavior is available. Users will not be able to configure this setting in the Input Panel Options dialog box.If you do not confi
se Kanji and Hanja characters will be included in recognition results when handwriting is converted to typed text. Users will not be able to
el tab will appear on the edge of the Tablet PC screen. Users will be able to configure this setting on the Opening tab in Input Panel Option
to configure this setting in the Input Panel Options dialog box.If you do not configure this policy application auto complete lists will appea
g all password security settings are turned off. Users will not be able to configure this setting in the Input Panel Options dialog box. If you e
able to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose “Tolerant" users will be able to
above will be available.
fused by having the property sheet displayed automatically. Note that the checkbox is not checked by default even if this setting is Disable
tion folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration
portant: This setting does not prevent users from creating a new task by pasting or dragging any program into the Scheduled Tasks folder.
n and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in
mote computers.
elete tasks.
munication settings takes precedence. If Turn off Windows Error Reporting is also either disabled or not configured user settings in Contro
ad report data until the computer is connected to a more permanent power source.
porting information is stored.

ge in Control Panel.The Maximum number of reports to queue setting determines how many reports can be queued before older reports
ng is enabled the Exclude errors for applications on this list setting takes precedence.If you disable or do not configure this policy setting er
data: the minimum data that is required to check for an existing solution along with data which Windows has determined (within a high pr
rameters): Windows Error Reporting automatically sends the minimum data required to check for an existing solution and Windows promp
main controllers to prevent Windows Hello for Business authentication from failing.
-in" when you use a third-party solution to provision Windows Hello for Business.If you select "Do not start Windows Hello provisioning aft
figure this policy setting the system applies the current user's permissions when it installs programs that a system administrator does not d
privileges such as installations offered on the desktop or in Add or Remove Programs.Also see the "Enable user to use media source while
us users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. Howeve
et action to take when logon hours expire” is disabled or not configured the “Remove logon hours expiration warnings” setting will have n
g the system takes no action when the user’s logon hours expire. The user can continue the existing session but cannot log on to a new ses
e Internet check box.
of the Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet check box.
he proxy cannot be configured. If the "Hide network tab" policy setting is also enabled the entire Network tab is hidden.This policy is ignor
tab is hidden.This policy setting is ignored if the "Streaming media protocols" policy setting is enabled and Multicast is not selected.If you
s on the Performance tab.
tab is hidden.If you disable this policy setting the RTSP proxy server cannot be used and users cannot change the RTSP proxy settings.If yo
n be received if the "Allow the Player to receive multicast streams" check box on the Network tab is selected.If you enable this policy setti
the setting for the Allow screen saver during playback check box.
not configured by other polices.
nly to the Player features that are available with the specified skin. Users cannot switch the Player to full mode and cannot choose a differe
want users to use Windows Messenger enable the "Do not allow Windows Messenger to run" policy setting.Note: This policy setting is av
licy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
licy setting is not configured the LogPipelineExecutionDetails property of a module or snap-in determines whether the execution events o
ent logs. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. Th
dows PowerShell session. If you disable this policy setting transcripting of PowerShell-based applications is disabled by default althoug
xists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor. The "Computer Configuration" has p
tion at the time the user selects the Shut Down option in the Start menu.Note that this policy setting has no impact if the User Configurati
ne of the following notification options:0 = Do not show any notificationsThis setting will remove all access to Windows Update features a
URL of the file server that stores the affected users' data.The "Work Folders Local Path" specifies the local folder used on the client machi
anonical name. For example enter Microsoft.Mouse Microsoft.System or Microsoft.Personalization.Note: For Windows Vista Windows Serv
hidden for other reasons (such as a missing hardware device) this policy will not force that page to appear. After this the policy string mus
crosoft.System or Microsoft.Personalization.Note: For Windows Vista Windows Server 2008 and earlier versions of Windows the module n
Because the only remaining option on the Add/Remove Windows Components page starts the wizard that option is selected automatically
emovable media regardless of this setting.
nd they cannot use Add or Remove Programs to install published programs. However they can still install programs by using other method
move Set Program Access and Defaults from Start menu" setting.
ost likely to need.Note: This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs pa
e by typing %windir%\resources\Themes\Luna\Luna.msstylesNote: To select the Windows Classic visual style leave the box blank beside "
gnored.Note: This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled this setti
dialog use the "Prevent changing Screen Saver" setting.
g in the Personalization or Display Control Panel is used. The default is 15 minutes.

s folder's left pane" and "Activate Internet printing" settings in "Computer Configuration\Administrative Templates\Printers."
Wizard and users cannot search the network but must type a printer name.Note: This setting affects the Add Printer Wizard only. It does
proved by the network administrator. When using package point and print client computers will check the driver signature of all drivers tha
ction drivers need to be updated. If you do not configure this policy setting: -Windows Vista client computers can point and print
ed. However if users have not added a printer when this setting is applied they cannot print. Note: You can use printer permissions to
bled users cannot view the programs that have been published by the system administrator and they cannot use the "Get Programs" page
using other tools and methods to install or uninstall programs.
uage Options control panel to select any available UI language.

and dialogs language" policy setting.
d through Input Panel is collected and stored. Note: Automatic learning of both text and ink might not be available for all languages even w
mputer is displayed as usual appearing as normal on the desktop Start menu folder tree pane and Web views unless restricted by another
ot change this specification.If you disable this setting or do not configure it no wallpaper is displayed. However users can select the wallpa
ministrators" setting) the Properties menu items are disabled and users (including administrators) cannot open the remote access connecti
ate connections but you can change the default by using the "Prohibit deletion of remote access connections" setting.)Important: If the "En
s 2000 computers.If you do not configure this setting only Administrators and Network Configuration Operators can enable/disable LAN co
LAN connections or remote access connections available to all users" setting is configured (set to either Enabled or Disabled) this setting d
ministrators and Network Configuration Operators have the right to rename LAN or all user remote access connections.Note: When config
access connections available to all users" "Prohibit access to properties of components of a LAN connection" "Prohibit access to properties
ght-click the icon representing a LAN connection. Also when users select the connection Properties is enabled on the File menu.Note: This
ndows 2000 computers.If you disable this setting or do not configure it the Properties button is enabled for administrators and Network C
king tab of the Remote Access Connection Properties dialog box includes a list of the network components that the connection uses. To vie
d for administrators.Note: Nonadministrators are already prohibited from accessing the Advanced Settings dialog box regardless of this setti
ers. Clicking the Make New Connection icon starts the New Connection Wizard.Note: Changing this setting from Enabled to Not Configured
bled for all users.
connections in the Network Connections folder are enabled. Also administrators can gain access to network components in the Windows
for a private connection.Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured this setti
presenting the connection by right-clicking it or by using the File menu.
ilable only to one user. (By default only Administrators and Network Configuration Operators can delete connections available to all users
e check box enables the component and clearing the check box disables the component.Note: When the "Prohibit access to properties of
ote access connections. Users can rename their private connection by clicking an icon representing the connection or by using the File me
og box.Note: This setting is superseded by settings that prohibit access to properties of connections or connection components. When thes
work Connections settings for Administrators" is disabled or not configured this setting will not apply to administrators on post-Windows 20
t been assigned an IP address will be reported via a notification providing the user with information as to how the problem can be resolved
s setting users can work offline by default but they can change this option.This setting appears in the Computer Configuration and User Co
en the local computer is connected and disconnected from the network."3" also records an event when the server hosting the offline file i
h Computer and User configuration take precedence over a user's setting. This setting does not prevent users from setting custom action
Configuration.Tip: To view the Offline Files Folder in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and
ng provides a quick method for locking down the default settings for Offline Files. To accept the defaults just enable this setting. You do no
eminder balloon frequency without establishing a setting in Windows Explorer on the Tools menu click Folder Options and then click the O
g Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 Windows 8 Windows 7 or Windows Vista.
s available for all files and folders.Notes:This policy setting appears in the Computer Configuration and User Configuration folders. If both
s and folders for offline use).If you do not configure this policy setting no files or folders are made available for offline use by Group Policy.
nd User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in U
u do not configure this setting and Synchronization Manager is configured for logon synchronization the system performs a quick synchron
m disables the "Enable reminders" option on the Offline Files tabThis setting appears in the Computer Configuration and User Configuration
Run dialog box.
the Log Off item on a computer click Start click Settings click Taskbar and Start Menu click the Start Menu Options tab and then in the Star
Recent Items menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The system only use
he "Toolbars" command appears in the context menu.

ppear in the menus including files located remotely on another computer.Note: This setting does not prevent Windows from displaying re
olders and websites.Note: The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder.A
tions do not have this ID tracking and search capability.Also see the "Do not track Shell shortcuts during roaming" and the "Do not use the
ons. FAT partitions do not have this ID tracking and search capability.Also see the "Do not track Shell shortcuts during roaming" and the "D
nge the view.
position is locked and the user cannot show and hide various toolbars using the taskbar context menu.
le or do not configure this setting the all apps list will be visible by default and the user can change "Show app list in Start" in Settings.
s Security screen is also available.Note: Third-party programs certified as compatible with Microsoft Windows Vista Windows XP SP2 Wind
ontrol panel.
red by the system to appeal to most users. However users can add and remove items from this menu and system administrators can crea
ot configure this policy setting the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explor
.Tip: To add or remove the Log Off item on a computer click Start click Settings click Taskbar and Start Menu click the Start Menu Options t
Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections).
el" "Disable Display in Control Panel" and "Remove Network Connections from Start Menu" policy settings.
annot remove it.If the setting is not configured users can turn the Recent Items menu on and off.Note: This setting does not prevent Wind
and in Task Manager and use the Internet Explorer Address Bar.Note:This setting affects the specified interface only. It does not prevent u
when you right-click an icon representing a drive or a folder.This policy setting affects the specified user interface elements only. It does n
s appear in the directory but not on the Start menu.If you disable this setting or do not configured it Windows 2000 Professional and Wind
ccording to the default logic.

nu" (which manages same part of Start menu but with fewer options).
\Server\Share\Layout.xml. If the specified file is not available when the user logs on the layout won't be changed. Users cannot customize
click Start click Settings click Taskbar and Start Menu and then on the General tab clear the "Use Personalized Menus" option.
ow pinning programs to the Taskbar" policy settings.
0 to 2029. Conversely all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19 that is 1930 to 1999.If you disa
s the Explorer interface.Tip: To find the folders indicated by the Path environment variable click System Properties in Control Panel click th
ders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.Tip: To
e: Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.Note: To create a lis
unctions or it might stop.This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured
d in either of these locations cannot launched from Help

Note: Non-Microsoft applications with Windows 2000 or later certification are required to comply with this policy setting.Note: To create a
that you can download to keep your computer up to date.Also see the "Remove links and access to Windows Update" setting. If the "Rem
omputers including system services find the executable names of programs and change the priority of the process in which programs run.
user to log out and back in to Windows. Be aware of the following:Per Process System DPI will only improve the rendering of desktop appl
rmit unsigned files to be installed. "Warn" is the default.-- "Block" directs the system to refuse to install unsigned files. As a result the inst
nication Management/Internet Communication settings.
rface. Note: Do not enable this policy setting if users will need access to their redirected files if the network or server holding the redirecte
e of "Do not automatically make all redirected folders available offline".
he Folder Redirection location.If you disable or do not configure this policy setting when the path to a redirected folder is changed and Fol
and Pictures folders the folders are redirected on the user's primary computer only.If you disable or do not configure this policy setting an
is valid only on Windows Vista Windows 7 Windows 8 and Windows Server 2012 when it processes a legacy redirection policy already dep
changes to any available domain controller.If you disable this setting or do not configure it the Group Policy Object Editor snap-in uses the
d. Any connection slower than this rate is considered to be slow. If you type 0 all connections are considered to be fast.If you disable this
n and Computer Configuration setting.Also see the "Turn off Resultant set of Policy logging" policy setting in Computer Configuration\Adm
rned on by default but administrators can view preferences by turning off the "Show Policies Only" command.Note: To find the "Show Pol
ot appropriate for most installations.If you disable this setting user Group Policy is updated every 90 minutes (the default). To specify that
ave a later timestamp.NOTE: If the Computer Configuration policy setting "Always use local ADM files for the Group Policy Object Editor" i
be shared with Microsoft.If you do not configure this policy Tablet PC users can choose whether or not they want to share their writing sa
g and online ordering wizards for more information including details on specifying service providers in the registry.
information to be collected.
re this policy setting the user can select a custom locale as their user locale.If this policy setting is enabled at the machine level it cannot b
policy is set to Disabled at the computer level then the per-User policy will be ignored. If this policy is set to Not Configured at the compute
ted by users.If you disable or do not configure this policy setting users can select any locale installed on the computer unless restricted by
licy setting in Computer Configuration takes precedence over the policy setting in User Configuration.Note: To create a customized run lis
e stored in the registry in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce.Also see the ""Do not process
is setting appears in the Computer Configuration and User Configuration folders. If both settings are configured the system starts the prog
es DEP-ATL thunk emulation for the child process. DEP-ATL thunk emulation causes the system to intercept NX faults that originate from th
ore the scripts for GPOs B and C run in the following order for Qin:Within GPO B: B.ps1 B.cmdWithin GPO C: C.ps1 C.cmd For Tamara GPO
r do not configure this policy setting the system uses the definitions introduced with Windows 2000. %HOMESHARE% stores the fully quali
excluded from the user's roaming profile.In operating systems earlier than Microsoft Windows Vista only the History Local Settings Temp a
lier than Microsoft Windows Vista Windows will not allow users to log off until the profile size has been reduced to within the allowable lim
cessible. Note: You should not use this policy setting to suspend any of the root redirected folders such as Appdata\Roaming Start Menu
pp for the http https and mailto URI schemes. The handlers for these URI schemes are hardened against URI-based vulnerabilities from unt
formation.If you enable this policy setting you can specify the default risk level for file types.If you disable this policy setting Windows sets
us programs when file attachments are opened.

sable this policy setting Windows uses its default trust logic which prefers the file handler over the file type.If you do not configure this pol
r behavior for autorun to: a) Completely disable autorun commands or b) Revert back to pre-Windows Vista behavior of automa
ot use this setting to enable Autoplay on drives on which it is disabled by default. If you disable or do not configure this policy setting
ned off and users will no longer be able to select it as their lock screen. Users will see the default lock screen image and will be able to sele
r them.Note: this setting does not control Cortana tailored experiences since there are separate policies to configure it.
this value disables the "Optional diagnostic data" control in the Settings app. - Send optional diagnostic data. Additional diagnostic data
Version\Shell Extensions\Approved.
rrent user's logon credentials. As a result the installation might fail or it might complete but not include all features. Or it might appear to c
u disable or do not configure this policy setting Windows searches for the original path when it cannot find the target file in the current ta
heir contents. And it does not prevent users from using the Disk Management snap-in to view and change drive characteristics.If you disab
menu" setting.
e in the Run dialog box or the Map Network Drive dialog box.To remove network computers from lists of network resources use the "No E
ork resources use the "No Computers Near Me in Network Locations" setting.Note: It is a requirement for third-party applications with Wi
tween Internet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.Th
e bottom of results returned in File Explorer after a search is executed. These links will be shared between Internet search sites and Search
tting prevents the action. Also this setting does not prevent users from using programs to access local and network drives. And it does not
ment for third-party applications with Windows 2000 or later certification to adhere to this setting.
e "Remove Search menu from Start menu" policy setting (in User Configuration\Administrative Templates\Start Menu and Taskbar). To hid
ndows XP Professional.
ds with the current user's permissions. If these permissions are not sufficient the installation might fail or it might complete but not includ
you do not configure this policy setting the protocol is in the protected mode allowing applications to only open a limited set of folders.
u enable this policy Windows Libraries features that rely on indexed file data will be disabled.If you disable or do not configure this policy a
ktop and Web view. This setting will also take precedence over the "Enable Active Desktop" setting. If both policies are enabled Active Des
dows XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style. Also third-party
r certification to adhere to this setting.
Windows Vista this policy setting applies only to applications that are using the Windows XP common dialog box style. This policy setting d
XP common dialog box style. This policy setting does not apply to the new Windows Vista common dialog box style.
all content protected using the specified EID on the device. If you disable or do not configure this policy setting the only Windows Runtime
olicy setting applies to Japanese Microsoft IME only.Note: Changes to this setting will not take effect until the user logs off.
g information].[Clear input history] removes self-tuned words from the custom dictionary even if a group policy setting is turned on. To do
u disable or do not configure this policy setting the user can configure their list of search providers unless another policy setting restricts su
et Explorer notifies the user when newly installed add-ons are ready for use. The user must choose to activate them by responding to the
ntent when the user clicks on a media link.If unchecked the content will be played by the default media client on their system.
Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microsoft Edge Canary version 77 or laterIf the Windows Update
nored.Caution: If you enable this policy users can still run the Certificate Manager Import Wizard by double-clicking a software publishing c
t Web page colors are ignored on Web pages in which the author has specified the background and text colors.
Windows Components\Internet Explorer\Internet Control Panel) which removes the Programs tab from Internet Explorer in Control Panel t
page author has specified the font attributes.
General tab from the interface.

ed on Web pages on which the author has specified link colors.
recedence over this policy. If it is enabled this policy is ignored.
m the interface.
ernet Control Panel) which removes the Connections tab from the interface. Removing the Connections tab from the interface however do
also the shortcuts to these bars.If you enable this policy setting the navigation bar the menu bar and the Command bar are not visible and
h Microsoft Edge.Related policies:- Send all intranet sites to Internet Explorer (‘SendIntranetToInternetExplorer’)- Send all sites not include
• 0 - Trusted Sites Zone• 1 - Local Intranet Zone• 0 - Local Machine Zone• 6 - Intranet and Trusted site zones only Binary Representation -
box is located on the Advanced tab in the Internet Options dialog box. For more information see "Group Policy Settings in Internet Explor
vigation bar. The user cannot interchange the positions of the menu bar and the navigation bar.If you do not configure this policy setting
de of operation for the phishing filter.
rough a custom administrative template file. For information about creating this custom administrative template file see the Internet Expl
onfiguration\Administrative Templates\Windows Components\Internet Explorer\Browser Menus) which prevents users from opening files
s will continue to open in Internet Explorer 11.

ng will quickly grow to use the specified integer number of tab processes regardless of the physical memory on the computer or how man
ns exceeds the threshold. This is the default.
ame and passwords on forms and the option of prompting to save passwords. To display this option the users open the Internet Options d
content zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area
ntent Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you want
k Security Zones and Content Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content z
d for each security zone carry out the following steps:1. In Group Policy click User Configuration click Internet Explorer Maintenance and th
Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you want to m
t Security Zones Settings and then click Modify Settings.3. Select the content zone in which you want to manage ActiveX controls and then
e content zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area
hen click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Administrator Approved.
ontent Ratings click Import the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you wan
and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Administrator Approved.
Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Administrator Approved.
orer process prevail.

value is not 0 or 1 the policy setting is ignored.If you enable this policy setting for an application or process in the list a script can perform
dow menu option" policy which disables this command on the shortcut menu or the "Turn off Shortcut Menu" policy which disables the en
ff Shortcut Menu" policy which disables the entire shortcut menu.
ption" policy which removes the Save As command takes precedence over this policy. If it is enabled this policy is ignored.
Save Target As.
es\Windows Components\Internet Explorer and in \Administrative Templates\Windows Components\Internet Explorer\Internet Control P
t Explorer uses a current user agent string. Additionally all Standards Mode webpages appear in the Standards Mode available in the lates
orer 7 Standards Mode. The user cannot change this behavior through the Compatibility View Settings dialog box.If you do not configure t
te browsing history.
n and Do Not Track data is preserved when the user clicks Delete.If you disable this policy setting ActiveX Filtering Tracking Protection and
ink color settings""Disable changing font settings""Disable changing language settings""Disable changing accessibility settings"
ontrol this setting by using Advanced Options in Internet Control Panel. By default domain names are converted to IDN format only for add
gs. By selecting this option Internet Explorer sends a DNT:1 header with all HTTP and HTTPS requests; unless the user grants a site-specific
rompt users to install them.
y their identities before downloading them to user computers.

n the registry and the file system.When Enhanced Protected Mode is enabled and a user encounters a website that attempts to load an Ac
net Files folder when browser windows are closed.
ble or do not configure this policy setting the user can select which encryption method the browser supports.Note: SSL 2.0 is off by default
ttings. This feature is turned off by default.
o not configure this policy users will be able to turn on or turn off Enhanced Protected Mode on the Advanced tab of the Internet Options
an change this option to start with the tabs from the last session.
re data on their computers.
es to store data on their computers.
cy setting.If you disable or do not configure this policy setting Internet Explorer will use the default maximum storage limit for all applicatio
licy.If you disable or do not configure this policy setting Internet Explorer will use the default maximum storage limit for all indexed datab
esources. The default is 50 MB.
g.If you disable or do not configure this policy setting Internet Explorer will use the default maximum application cache resource list size fo
curity) the same change should be made to the Locked-Down equivalent.Note. It is recommended to configure template policy settings in
have special security settings that protect your local computer.)If you enable this policy setting you can enter a list of sites and their relat
til the user turns off the Notification bar.

SXML or ADO to access data from another site in the zone.
ols is blocked.If you do not configure this policy setting the Notification bar will appear to allow control over questionable content accesse
Ps inside Internet Explorer.

ML files inside Internet Explorer.
se of custom thumbnails it is the zone of the thumbnail that is checked not the zone of item. Typically these are the same but a source is
p-up windows and windows that include the title and status bars cannot be run. This Internet Explorer security feature will be on in this zo
ayers in specified zones.
message and nonsecure content cannot be displayed.If you do not configure this policy setting the user will receive the security informati
nd destination are in different windows. Users can change this setting in the Internet Options dialog.In Internet Explorer 9 and earlier vers
main when the source and destination are in the same window. Users can change this setting in the Internet Options dialog.In Internet Exp
not configure this policy setting ActiveX controls that cannot be made safe are not loaded with parameters or scripted.
AMEs on the pages in this zone.

esponse (also known as NTLM authentication). If Windows NT Challenge Response is supported by the server the logon uses the user's net
Trusted zones.
being automatically installed on users' computers.If you disable this policy setting permissions are set to high safety.If you do not configur
HTML forms on pages in this zone to be submitted.
or directly within a Web page saved to disk.

policy setting Web sites from less privileged zones can open new windows in or navigate into this zone.
age to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

he security zone runs without the added layer of security provided by this feature.

Trusted zones.
mitted automatically.

policy setting Web sites from less privileged zones can open new windows in or navigate into this zone.
ML or ADO to access data from another site in the zone.

not configure this policy setting users are queried whether to allow the control to be loaded with parameters or scripted.
e without user intervention.

Trusted zones.

olicy setting the possibly harmful navigations are prevented. The Internet Explorer security feature will be on in this zone as set by Protecti

is zone as dictated by the feature control setting for the process.

Trusted zones.

age to be loaded in the zone that uses MSXML or ADO to access data from another site in the zone.

Trusted zones.


Trusted zones.



Trusted zones.
ore or directly within a Web page saved to disk.



Trusted zones.

stricted protocols is blocked.If you do not configure this policy setting all attempts to access such content over the restricted protocols is b

Trusted zones.
ore or directly within a Web page saved to disk.

not configure this policy setting users are queried whether to allow the control to be loaded with parameters or scripted.
Trusted zones.

policy setting a warning is issued to the user that potentially risky navigation is about to occur.
the user can turn on or turn off details in these error messages.
user can allow or prevent the display of placeholders for graphical images while the images are downloading.
rn on or turn off image display.
ng the user can select their preference for this behavior. Browsing to the top-result website is the default.
process after the branding is complete for ISPs (IEAK).
to turn the Use Windows Search setting on or off.Note: If you enable this policy setting feeds do not appear in the Address bar. This does n
dence over this policy. If it is enabled this policy is ignored.
ocated in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is
rative Templates\Windows Components\Internet Explorer) take precedence over this policy. If either policy is enabled this policy is ignore
on\Administrative Templates\Windows Components\Internet Explorer) take precedence over this policy. If either policy is enabled this po
d about server load for downloading content.The "Hide Favorites menu" policy (located in User Configuration\Administrative Templates\W
nizations that are concerned about server load for downloading content.The "Hide Favorites menu" policy (located in User Configuration\A
n minutes after midnight. The Maximum Offline Page Crawl Depth setting specifies how many levels of a Web site are searched for new inf
st Windows 8 if the "Do not display the reveal password button" policy setting located in Computer Configuration\Administrative Template
he list. The CLSID should be in brackets for example ‘{000000000-0000-0000-0000-0000000000000}'. The CLSID for an add-on can be obta
' policy setting.If you enable this policy setting Internet Explorer only allows add-ons that are specifically listed (and allowed) through the '
f a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter Internet Explorer processes in this list because
ted and Internet Explorer continues to block specific outdated ActiveX controls on all domains in the Internet Zone.For more information s
tting only VML will be allowed in zones set to 'admin-approved'.Note. If this policy is set in both Computer Configuration and User Configur
rnet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in th
this policy setting Internet Explorer requires consistent MIME data for all received files.
e of 0 file-type information is allowed to be inconsistent. The Value Name is the name of the executable. If a Value Name is empty or the V
ot applied to local files or content processed by any process other than Internet Explorer or those defined in a process list.
by Internet Explorer.If you do not configure this policy setting the Local Machine zone security applies to all local files and content process
Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes polic
ng is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting th
e precedence over that setting.If you disable or do not configure this policy setting the policy setting is ignored.
icy setting the policy setting is ignored.

policy setting is ignored.Do not enter the File Explorer or Internet Explorer processes in this list: use the related Internet Explorer Processe
estricted protocols to access my computer."Note. If policy for a zone is set in both Computer Configuration and User Configuration both li
ble for IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting. If
Processes policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure
ternet Explorer processes.

d. The Value Name is the name of the executable. If a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not en
ot configure this policy setting the security feature is allowed.

u disable or do not configure this policy setting the security feature is allowed.
d.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE proces
ts users from determining which toolbars are displayed in Internet Explorer and File Explorer.
e toolbars. The user can enable or disable incompatible toolbars. Toolbars that are enabled or disabled via policy settings do not undergo t
ables the user-defined setting "Show search and site suggestions as I type".
List isn’t used during browser navigation.
from an integrated development environment (IDE) which is located at:Computer Configuration > Administrative Templates > Windows Co
earch Standards (https://msdn.microsoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link(s) you wish to add: <
ganization manages some settings.If not configured the favorites bar is hidden but is visible on the Start and New Tab pages and the favori
tton loads the URL specified in the Set Home Button URL policy.- Hide home button is selected the home button is hidden in Microsoft Edge
ne of many apps Microsoft Edge runs as normal.If enabled and set to 1:- If it’s a single app it runs a limited multi-tab version of InPrivate an
o not configure Microsoft Edge in assigned access then this policy does not take effect.
o not configured make the changes to the Configure Open Microsoft Edge With policy and then enable the Disable Lockdown of Start Page
ab page or previous page in the Configure Open Microsoft Edge With policy Microsoft Edge ignores the Configure Start Pages policy. If not
he OneNote Web Clipper and Office Online extension.When enabled removing extensions from the list does not uninstall the extension fro
icrosoft.com/en-us/library/dd163546.aspx) topic. Use this format to specify the link you wish to add: <https://fabrikam.com/opensearch.x
mmc.) Users also cannot open a blank MMC console window from a command prompt.If you disable this setting or do not configure it use
etting folder and then disable the settings representing the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or no
t of snap-ins" is enabled users cannot use any snap-in except those explicitly permitted. To explicitly permit use of this snap-in enable this
ly prohibit use of this snap-in disable this setting. If this setting is not configured (or enabled) the snap-in is permitted.When a snap-in is pr
b. To explicitly permit use of the Group Policy tab enable this setting. If this setting is not configured (or disabled) the Group Policy tab is i
gs sync. This could use OneDrive Work Folders SharePoint or any other engine that uses a local folder to synchronize data between users’
in Windows.
hronization.If you do not configure this policy setting any defined values will be deleted.
cy setting on computers running in a non-persistent VDI environment. The VDI Collection Name defines the name of the virtual desktop co
g any defined values will be deleted.

g any defined values will be deleted.
ot be disabled.If you do not configure this policy setting any defined values will be deleted.
nization settings. If any of the Microsoft Office Suite 2010 applications are enabled this policy setting should not be disabled If you do not c
nization settings. If any of the Microsoft Office Suite 2013 applications are enabled this policy setting should not be disabled.If you do not c
nization settings. If any of the Microsoft Office Suite 2016 applications are enabled this policy setting should not be disabled.If you do not c
cations continue to synchronize with UE-V.If you disable this policy setting user settings which are common between the Microsoft Office
cations continue to synchronize with UE-V.If you disable this policy setting user settings which are common between the Microsoft Office
V.If you do not configure this policy setting any defined values will be deleted.
V.If you do not configure this policy setting any defined values will be deleted.
nization with UE-V.If you do not configure this policy setting any defined values will be deleted.
hronization with UE-V.If you do not configure this policy setting any defined values will be deleted.
d from synchronization with UE-V.If you do not configure this policy setting any defined values will be deleted.
d from synchronization with UE-V.If you do not configure this policy setting any defined values will be deleted.
n with UE-V.If you do not configure this policy setting any defined values will be deleted.
n with UE-V.If you do not configure this policy setting any defined values will be deleted.
oint Designer 2013 user settings are excluded from synchronization with UE-V.If you do not configure this policy setting any defined values
olicy setting you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting or cl
uthentication method the authentication method that you specify in this policy setting is used by default.If you disable or do not configure
users to overwrite the "Set RD Gateway server address" policy setting and connect to another RD Gateway server you must select the "Allo
RDC client. When a user starts an RDP session the user is asked to confirm whether they want to connect.If you disable this policy setting
you configure this policy setting for the computer the list of certificate thumbprints trusted for a user is a combination of the list defined fo
inistrator to watch the session of a remote user without the user's consent.If you disable this policy setting administrators can interact wit
r. If the RD Session Host server does not have a printer driver that matches the client printer the server tries to use the Remote Desktop E
of the executable file to be run when the user logs on. If necessary in Working Directory type the fully qualified path to the starting directo
aches its time-out limit.If you disable this policy setting Remote Desktop Services always disconnects a timed-out session even if specified
Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services
ces allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a
ult behavior that disconnected sessions are maintained for an unlimited time select Never. If you have a console session disconnected ses
up the default connection URL.If you disable or do not configure this policy setting the user has no default connection URL.Note: RemoteA
ndex is not restored.
this setting in the Input Panel Options dialog box.If you do not configure this policy Input Panel will provide text prediction suggestions. Us
Input Panel Options dialog box.If you do not configure this policy Input Panel will appear next to text entry areas in applications where th
dialog box.If you do not configure this policy Input Panel will appear next to text entry areas in applications where this behavior is availab
text. Users will not be able to configure this setting in the Input Panel Options dialog box.If you disable this policy rarely used Chinese Kan
ning tab in Input Panel Options.Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and t
auto complete lists will appear next to Input Panel in applications where the functionality is available. Users will be able to configure this s
nel Options dialog box. If you enable this policy and choose “Medium-Low” from the drop-down box password security is set to “Medium-
“Tolerant" users will be able to use the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. Users w
ult even if this setting is Disabled or Not Configured.Note: This setting appears in the Computer Configuration and User Configuration folde
e setting in User Configuration.Tip: This setting affects existing tasks only. To prevent users from changing the properties of newly created
o the Scheduled Tasks folder. To prevent this action use the "Prohibit Drag-and-Drop" setting.Note: This setting appears in the Computer C
precedence over the setting in User Configuration.
figured user settings in Control Panel for Windows Error Reporting are applied.
e queued before older reports are automatically deleted. The setting for Number of days between solution check reminders determines th
configure this policy setting errors are reported on all Microsoft and Windows applications by default.
s determined (within a high probability) does not contain personally-identifiable information is sent automatically and Windows prompts t
g solution and Windows prompts the user for consent to send any additional data requested by Microsoft.- 3 (Send parameters and safe ad
Windows Hello provisioning after sign-in" Windows Hello for Business does not automatically start provisioning after the user has signed in
stem administrator does not distribute or offer.Note: This policy setting appears both in the Computer Configuration and User Configurati
ser to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings.
ch secure system files. However because an incomplete installation can render the system or a program inoperable do not use this policy s
n warnings” setting will have no effect and users receive no warnings about logon hour expiration
but cannot log on to a new session.Note: If you configure this setting you might want to examine and appropriately configure the “Remov
t check box.
b is hidden.This policy is ignored if the "Streaming media protocols" policy setting is enabled and HTTP is not selected.If you disable this po
Multicast is not selected.If you disable this policy setting the MMS proxy server cannot be used and users cannot configure the MMS proxy
e the RTSP proxy settings.If you do not configure this policy setting users can configure the RTSP proxy settings.
d.If you enable this policy setting the administrator must also specify the protocols that are available to users on the Network tab. If the ad
de and cannot choose a different skin.If you disable or do not configure this policy setting users can display the Player in full or skin mode
.Note: This policy setting is available under both Computer Configuration and User Configuration. If both are present the Computer Config
etting.
hether the execution events of a module or snap-in are logged. By default the LogPipelineExecutionDetails property of all modules and sna
in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
s is disabled by default although transcripting can still be enabled through the Start-Transcript cmdlet. If you use the OutputDi
Computer Configuration" has precedence over "User Configuration."If you disable or do not configure this policy setting it reverts to a per-
impact if the User Configuration\Administrative Templates\Windows Components\Windows Update\Do not display 'Install Updates and S
o Windows Update features and no notifications will be shown.1 = Show restart required notificationsThis setting will show notifications a
older used on the client machine to sync files. This path may contain environment variables. Note: In order for this configuration to take eff
r Windows Vista Windows Server 2008 and earlier versions of Windows the module name should be entered for example timedate.cpl or i
After this the policy string must contain a semicolon-delimited list of settings page identifiers. The identifier for any given settings page is t
ions of Windows the module name for example timedate.cpl or inetcpl.cpl should be entered. If a Control Panel item does not have a CPL
ption is selected automatically and the page is bypassed.To remove "Set up services" and prevent the Windows Component Wizard from s
ograms by using other methods and they can view and install assigned (partially installed) programs that are offered on the desktop or on
e "Hide Add New Programs page" setting is enabled.
le leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT you cannot apply th
ver" setting is disabled this setting is ignored and screen savers do not run.
mplates\Printers."
d Printer Wizard only. It does not prevent users from using other programs to search for shared printers or to connect to network printers
iver signature of all drivers that are downloaded from print servers.If this setting is disabled or not configured package point and print will
computers can point and print to any server. -Windows Vista computers will show a warning and an elevated command prompt whe
can use printer permissions to restrict the use of printers without specifying a setting. In the Printers folder right-click a printer click Prope
use the "Get Programs" page to install published programs. Enabling this feature does not prevent users from installing programs by usin
ailable for all languages even when handwriting personalization is available. See Tablet PC Help for more information.If you enable this po
s unless restricted by another setting.If you do not configure this setting the default is to display Computer as usual.Note: In operating sys
ver users can select the wallpaper of their choice.Also see the "Allow only bitmapped wallpaper" in the same location and the "Prevent ch
en the remote access connection properties dialog box.Important: If the "Enable Network Connections settings for Administrators" is disab
s" setting.)Important: If the "Enable Network Connections settings for Administrators" is disabled or not configured this setting will not app
ors can enable/disable LAN connections.Note: Administrators can still enable/disable LAN connections from Device Manager when this se
bled or Disabled) this setting does not apply.Note: This setting does not prevent users from using other programs such as Internet Explore
onnections.Note: When configured this setting always takes precedence over the "Ability to rename LAN connections" and "Ability to rena
" "Prohibit access to properties of components of a remote access connection" "Ability to access TCP/IP advanced configuration" "Prohibit
d on the File menu.Note: This setting takes precedence over settings that manipulate the availability of features inside the Local Area Con
administrators and Network Configuration Operators.The Local Area Connection Properties dialog box includes a list of the network comp
hat the connection uses. To view or change the properties of a component click the name of the component and then click the Properties
ialog box regardless of this setting.
om Enabled to Not Configured does not restore the Make New Connection icon until the user logs off or on. When other changes to this s
components in the Windows Components Wizard.The Install button opens the dialog boxes used to add network components. Clicking th
bled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you disable this setting or do not co
nections available to all users but you can change the default by using the "Ability to delete all user remote access connections" setting.)Im
rohibit access to properties of a LAN connection" setting is enabled users are blocked from accessing the check boxes for enabling and disa
ection or by using the File menu.Note: This setting does not prevent users from using other programs such as Internet Explorer to bypass
ction components. When these policies are set to deny access to the connection properties dialog box or Properties button for connection
nistrators on post-Windows 2000 computers.If you disable this setting or do not configure it the connection status taskbar icon and Statu
w the problem can be resolved.
ter Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence
server hosting the offline file is reconnected to the network.Note: This setting appears in the Computer Configuration and User Configurati
ers from setting custom actions through the Offline Files tab. However users are unable to change any custom actions established via this
ns click the Offline Files tab and then click "View Files."
enable this setting. You do not have to disable any other settings in this folder.
r Options and then click the Offline Files tab. This setting corresponds to the "Display reminder balloons every ... minutes" option.
Configuration folders. If both policy settings are configured the policy settings are combined and the "Make Available Offline" command is
or offline use by Group Policy.Note: This setting appears in the Computer Configuration and User Configuration folders. If both policy setti
ecedence over the setting in User Configuration.Tip: To change the synchronization method without changing a setting in Windows Explore
em performs a quick synchronization by default but users can change this option.This setting appears in the Computer Configuration and U
uration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the se
ptions tab and then in the Start Menu Settings box click Display Logoff.Also see "Remove Logoff" in User Configuration\Administrative Tem
his folder. The system only uses this setting when neither of these related settings are selected.This setting does not clear the list of recent
nt Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the ""Do not allow pinning items in Jump
rs\User-name\Recent folder.Also see the "Remove Recent Items menu from Start Menu" and "Clear history of recently opened document
ming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings.
ts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings.
pp list in Start" in Settings.

s Vista Windows XP SP2 Windows XP SP1 Windows XP or Windows 2000 Professional are required to support this policy setting.
ystem administrators can create a customized Favorites menu for a user group.Note:This setting only affects the Start menu. The Favorites
Tools menu in Internet Explorer.Also see the "Hide the "Add programs from Microsoft" option" policy setting.
click the Start Menu Options tab and in the Start Menu Settings box click Display Logoff.See also: "Remove Logoff" policy setting in User C
etwork Connections).
setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of rec
ace only. It does not prevent users from using other methods to run programs.Note: It is a requirement for third-party applications with W
erface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search.If you disable
ws 2000 Professional and Windows XP Professional display folders on both sections of the Start menu.
nged. Users cannot customize their Start screen while this setting is enabled.If you disable this setting or do not configure it the Start scree
d Menus" option.
hat is 1930 to 1999.If you disable or do not configure this policy setting Windows does not interpret two-digit year formats using this sche
perties in Control Panel click the Advanced tab click the Environment Variables button and then in the System variables box click Path.
g in User Configuration.Tip: To display the welcome screen click Start point to Programs point to Accessories point to System Tools and the
cy setting.Note: To create a list of allowed applications click Show. In the Show Contents dialog box in the Value column type the applicati
If both settings are configured the setting in Computer Configuration takes precedence over the setting in User Configuration.
policy setting.Note: To create a list of allowed applications click Show. In the Show Contents dialog box in the Value column type the applic
ws Update" setting. If the "Remove links and access to Windows Update" setting is enabled the links to Windows Update on the Start menu
ocess in which programs run.

the rendering of desktop applications that are positioned on the primary display. Some desktop applications can still be blurry on seconda
signed files. As a result the installation stops and none of the files in the driver package are installed.To change driver file security without
or server holding the redirected files becomes unavailable.Note: If one or more valid folder GUIDs are specified in the policy setting "Do n
cted folder is changed and Folder Redirection is configured to move the content to the new location Windows copies the contents of the l
configure this policy setting and the user has redirected folders the folders are redirected on every computer that the user logs on to.Note
redirection policy already deployed for these folders in your existing localized environment.
Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain.Note: To change the PDC Oper
d to be fast.If you disable this setting or do not configure it the system uses the default value of 500 kilobits per second.This setting appear
Computer Configuration\Administrative Templates\System\GroupPolicy.

nd.Note: To find the "Show Policies Only" command in Group Policy Object Editor click the Administrative Templates folder (either one) rig
s (the default). To specify that Group Policy for users should never be updated while the computer is in use select the "Turn off backgroun
e Group Policy Object Editor" is enabled the state of this setting is ignored and always treated as Enabled.
want to share their writing samples from the handwriting recognition personalization tool with Microsoft.
the machine level it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level the per-user polic
Not Configured at the computer level then restrictions will be based on per-User policies.To set this policy on a per-user basis make sure th
omputer unless restricted by the "Disallow selection of Custom Locales" policy setting.If this policy setting is enabled at the computer leve
To create a customized run list by using a policy setting use the ""Run these applications at startup"" policy setting.Also see the ""Do not p
Also see the ""Do not process the legacy run list"" policy setting.
red the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User
NX faults that originate from the Active Template Library (ATL) thunk layer. PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABL
C.ps1 C.cmd For Tamara GPOs B and C are applied but not GPO A. Therefore the scripts for GPOs B and C run in the following order for Ta
ESHARE% stores the fully qualified path to the home directory (such as \\server\share\dir1\dir2\homedir). Users can access the home dire
e History Local Settings Temp and Temporary Internet Files folders are excluded from the user's roaming profile by default.If you enable th
uced to within the allowable limit. In Microsoft Windows Vista Windows will not block users from logging off. Instead if the user has a roam
Appdata\Roaming Start Menu and Documents. You should suspend only the subfolders of these parent folders.
based vulnerabilities from untrusted sources reducing the associated risk.
his policy setting Windows sets the default risk level to moderate.If you do not configure this policy setting Windows sets the default risk le
f you do not configure this policy setting Windows uses its default trust logic which prefers the file handler over the file type.
ows Vista behavior of automatically executing the autorun command. If you disable or not configure this policy setting Windows Vist
ot configure this policy setting AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Co
image and will be able to select another image unless you have enabled the "Prevent changing lock screen image" policy.If you do not con
onfigure it.
ta. Additional diagnostic data is collected that helps us to detect diagnose and fix issues as well as make product improvements. Required
atures. Or it might appear to complete successfully but the installed program might not operate correctly.If you disable this setting or do n
the target file in the current target path.
rive characteristics.If you disable or do not configure this policy setting all drives are displayed or select the "Do not restrict drives" option
twork resources use the "No Entire Network in Network Locations" policy setting.
hird-party applications with Windows 2000 or later certification to adhere to this setting.
ce over Internet search links.The first several links will also be pinned to the Start menu. A total of four links can be pinned on the Start me
nternet search sites and Search Connectors/Libraries. Search Connector/Library links take precedence over Internet search links.The first s
etwork drives. And it does not prevent them from using the Disk Management snap-in to view and change drive characteristics.Also see th
tart Menu and Taskbar). To hide all context menus use the "Remove File Explorer's default context menu" policy setting.
might complete but not include all features. Or it might appear to complete successfully but the installed program might not operate corre
open a limited set of folders.

r do not configure this policy all default Windows Libraries features will be enabled.
policies are enabled Active Desktop is disabled.Also see the "Disable Active Desktop" setting in User Configuration\Administrative Templat
alog box style. Also third-party applications with Windows 2000 or later certification to are required to adhere to this policy setting.
box style. This policy setting does not apply to the new Windows Vista common dialog box style. It is a requirement for third-party applica
ng the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and
e user logs off.

icy setting is turned on. To do this select Settings > Time & Language > Japanese Options > Microsoft IME Options > Learning and Dictionar
other policy setting restricts such configuration.
te them by responding to the notification using Manage Add-ons or using other methods.
nt on their system.
r laterIf the Windows Update for the next version of Microsoft Edge* or Microsoft Edge Stable channel are not installed the following beh
clicking a software publishing certificate (.spc) file. This wizard enables users to import and configure settings for certificates from software
net Explorer in Control Panel takes precedence over this policy. If it is enabled this policy is ignored.
rom the interface however does not prevent users from running the Internet Connection Wizard from the desktop or the Start menu.
mmand bar are not visible and the user cannot access them.If you disable or do not configure this policy setting the user can view and acc
rer’)- Send all sites not included in the Enterprise Mode Site List to Microsoft Edge (‘RestrictIE’)For more info about how to use this policy
s only Binary Representation - 00110• 0 - Restricted Sites Zone• 0 - Internet Zone• 1 - Trusted Sites Zone• 1 - Local Intranet Zone• 0 - Loc
licy Settings in Internet Explorer 10" in the Internet Explorer TechNet library.
t configure this policy setting the user can interchange the positions of the menu bar and the navigation bar.
plate file see the Internet Explorer documentation on search providers.If you disable or do not configure this policy setting the user can co
vents users from opening files by using the browser.
on the computer or how many Internet Explorer isolation settings are running.If you enable this policy setting you set the rate at which In
rs open the Internet Options dialog box click the Contents Tab and click the Settings button.
eX Controls and Plug-ins area click Administrator Approved.
ntent zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area clic
Settings.3. Select the content zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Contro
t Explorer Maintenance and then click Security.2. Double-click Security Zones and Content Ratings click Import the Current Security Zones
zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Adm
age ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Administrator Approved.
veX Controls and Plug-ins area click Administrator Approved.
ontent zone in which you want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area cli
n the list a script can perform a Clipboard operation without prompting the user. This means that if the zone behavior is currently set to p
u" policy which disables the entire shortcut menu.Note: the user will still be able to open New Tabs.
icy is ignored.
et Explorer\Internet Control Panel folders.
ds Mode available in the latest version of Internet Explorer. This option matches the default behavior of Internet Explorer.If you do not co
g box.If you do not configure this policy setting Internet Explorer uses an Internet Explorer 7 user agent string (with an additional string ap
tering Tracking Protection and Do Not Track data is deleted when the user clicks Delete.If you don't configure this policy setting users can
cessibility settings"
ted to IDN format only for addresses that are not in the Intranet zone.
s the user grants a site-specific exception. Internet Explorer sends a DNT:0 header to any sites granted an exception. By default this option
te that attempts to load an ActiveX control that is not compatible with Enhanced Protected Mode Internet Explorer notifies the user and g
s.Note: SSL 2.0 is off by default and is no longer supported starting with Windows 10 Version 1607. SSL 2.0 is an outdated security protoco
ed tab of the Internet Options dialog.

m storage limit for all application caches. The default is 50 MB.
age limit for all indexed databases. The default is 500 MB.
ation cache resource list size for all application caches. The default is 1000 resources.
ure template policy settings in one Group Policy object (GPO) and configure any related individual policy settings in a separate GPO. You ca
er a list of sites and their related zone numbers. The association of a site with a zone will ensure that the security settings for the specified
questionable content accessed over any restricted protocols when the Network Protocol Lockdown security feature is enabled.
e are the same but a source is able to define a specific location of a thumbnail that is different than the location of the item.If you enable t
rity feature will be on in this zone as dictated by the Scripted Windows Security Restrictions feature control setting for the process.
receive the security information message on the Web pages that contain both secure (https://) and nonsecure (http://) content.
net Explorer 9 and earlier versions if you disable this policy or do not configure it users can drag content from one domain to a different do
Options dialog.In Internet Explorer 9 and earlier versions if you disable this policy setting or do not configure it users can drag content fro
or scripted.
r the logon uses the user's network user name and password for logon. If Windows NT Challenge Response is not supported by the server
h safety.If you do not configure this policy setting permissions are set to Medium safety.
or scripted.
h safety.If you do not configure this policy setting permissions are set to Medium safety.
rs or scripted.
h safety.If you do not configure this policy setting permissions are set to Low safety.
n in this zone as set by Protection from Zone Elevation feature control.
or scripted.

or scripted.
or scripted.
or scripted.
or scripted.
er the restricted protocols is blocked when the Network Protocol Lockdown security feature is enabled.
or scripted.
h safety.If you do not configure this policy setting permissions are set to High safety.
rs or scripted.
in the Address bar. This does not affect subscribing to feeds and interacting with them through the Favorites Center.
cedence over this policy. If it is enabled this policy is ignored.
is enabled this policy is ignored.

either policy is enabled this policy is ignored.
n\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is enabled this policy is ignor
ocated in User Configuration\Administrative Templates\Windows Components\Internet Explorer) takes precedence over this policy. If it is
b site are searched for new information.
ation\Administrative Templates\Windows Components\Credential User Interface is enabled for the system it will override this policy setti
LSID for an add-on can be obtained by reading the OBJECT tag from a Web page on which the add-on is referenced.Value - A number indic
ed (and allowed) through the 'Add-on List' policy setting.If you disable or do not configure this policy setting users may use Add-on Manag
r processes in this list because these processes always respect add-on management user preferences and policy settings. If the All Process
t Zone.For more information see "Outdated ActiveX Controls" in the Internet Explorer TechNet library.
nfiguration and User Configuration both lists of behaviors will be allowed as appropriate.
the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the security fea
a Value Name is empty or the Value is not 0 or 1 the policy setting is ignored.Do not enter the Internet Explorer processes in this list: use th
n a process list.
local files and content processed by Internet Explorer.
esses. If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or d
configure this policy setting the security feature is allowed.
ted Internet Explorer Processes policy to enable or disable these processes. If the All Processes policy setting is enabled the processes con
and User Configuration both lists of protocols will be restricted for that zone.
ecedence over that setting. If you disable or do not configure this policy setting the Notification bar is not displayed for the specified proce
you disable or do not configure this policy setting the security feature is allowed.
icy setting is ignored.Do not enter the Internet Explorer processes in this list: use the related Internet Explorer Processes policy to enable o
to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take precedence over t
olicy settings do not undergo these checks.
ative Templates > Windows Components > App Package DeploymentSupported versions: Microsoft Edge on Windows 10 version 1809Def
y the link(s) you wish to add: <https://fabrikam.com/opensearch.xml><https://www.contoso.com/opensearch.xml>If you disable this setti
New Tab pages and the favorites bar toggle in Settings sets to Off but is enabled allowing the user to make changes.
tton is hidden in Microsoft Edge.Default setting: Disabled or not configuredRelated policies:- Set Home Button URL- Unlock Home Button
ulti-tab version of InPrivate and is the only app available for public browsing. Users can’t minimize close or open windows or customize M
isable Lockdown of Start Pages policy.If disabled or not configured and you enable the Disable Lockdown of Start Pages policy your users c
figure Start Pages policy. If not configured or you set the Configure Open Microsoft Edge With policy to a specific page or pages Microsoft E
not uninstall the extension from the user’s computer automatically. To uninstall the extension use any available enterprise deployment ch
://fabrikam.com/opensearch.xml>NoteIf you'd like your employees to use the default Microsoft Edge settings for each market you can set
tting or do not configure it users can enter author mode and open author-mode console files.
g in the folder is enabled or not configured the snap-in is permitted.When a snap-in is prohibited it does not appear in the Add/Remove Sn
use of this snap-in enable this policy setting. If this policy setting is not configured or disabled this snap-in is prohibited. -- If the policy setti
permitted.When a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC. Also when a user opens a console
abled) the Group Policy tab is inaccessible.-- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured user
chronize data between users’ computers. In this mode UE-V writes settings data to the local folder specified in the settings storage path. T
name of the virtual desktop collection containing the virtual computers. If you enable this policy setting the UE-V rollback state is copied to
not be disabled If you do not configure this policy setting any defined values will be deleted.
not be disabled.If you do not configure this policy setting any defined values will be deleted.
not be disabled.If you do not configure this policy setting any defined values will be deleted.
between the Microsoft Office Suite 2013 applications are excluded from synchronization with UE-V.If you do not configure this policy setti
between the Microsoft Office Suite 2016 applications are excluded from synchronization with UE-V.If you do not configure this policy setti
licy setting any defined values will be deleted.

er address" policy setting or client connection attempts to any remote computer will fail if the client cannot connect directly to the remote
you disable or do not configure this policy setting the authentication method that is specified by the user is used if one is specified. If an au
erver you must select the "Allow users to change this setting" check box and users will be allowed to specify an alternate RD Gateway serv
you disable this policy setting users cannot run .rdp files that are signed with a valid certificate. Additionally users cannot start an RDP ses
mbination of the list defined for the computer and the list defined for the user.This policy setting overrides the behavior of the "Allow .rdp
dministrators can interact with a user's Remote Desktop Services session with the user's consent.
s to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver ca
fied path to the starting directory for the program. If you leave Working Directory blank the program runs with its default working director
d-out session even if specified otherwise by the server administrator.If you do not configure this policy setting Remote Desktop Services d
want Remote Desktop Services to end instead of disconnect a session when the time limit is reached you can configure the policy setting C
to end instead of disconnect a session when the time limit is reached you can configure the policy setting Computer Configuration\Admini
nsole session disconnected session time limits do not apply.If you disable or do not configure this policy setting this policy setting is not spe
nnection URL.Note: RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can c
ext prediction suggestions. Users will be able to configure this setting on the Text Completion tab in Input Panel Options in Windows 7 and
areas in applications where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options
where this behavior is available. Users will be able to configure this setting on the Opening tab in Input Panel Options.
policy rarely used Chinese Kanji and Hanja characters will not be included in recognition results when handwriting is converted to typed te
text entry areas” policy and the “Prevent Input Panel tab from appearing” policy and disable the “Show Input Panel taskbar icon” policy t
will be able to configure this setting on the Text completion tab in Input Panel Options.
ord security is set to “Medium-Low.” At this setting when users enter passwords from Input Panel they use the on-screen keyboard by defa
ws XP Tablet PC Edition. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy an
n and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the setting in
e properties of newly created tasks use the "Remove Advanced Menu" setting.
tting appears in the Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configu
heck reminders determines the interval time between the display of system notifications that remind the user to check for solutions to pro
tically and Windows prompts the user for consent to send any additional data that is requested by Microsoft.- Send all data: any error repo
3 (Send parameters and safe additional data): Windows Error Reporting automatically sends the minimum data required to check for an ex
ng after the user has signed in.If you do not select "Do not start Windows Hello provisioning after sign-in" Windows Hello for Business aut
figuration and User Configuration folders. To make this policy setting effective you must enable it in both folders.Caution: Skilled users can
policy settings.
perable do not use this policy setting unless it is essential.This policy setting appears in the Computer Configuration and User Configuration
priately configure the “Remove logon hours expiration warnings” setting
selected.If you disable this policy setting the HTTP proxy server cannot be used and the user cannot configure the HTTP proxy.If you do n
nnot configure the MMS proxy settings.If you do not configure this policy setting users can configure the MMS proxy settings.
s on the Network tab. If the administrator does not specify any protocols the Player cannot access an MMS or RTSP URL from a Windows M
he Player in full or skin mode and have access to all available features of the Player.
e present the Computer Configuration version of this policy setting takes precedence.
roperty of all modules and snap-ins is set to False. To add modules and snap-ins to the policy setting list click Show and then type the m
guration policy setting.
If you use the OutputDirectory setting to enable transcript logging to a shared location be sure to limit access to that directory to pr
olicy setting it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."
t display 'Install Updates and Shut Down' option in Shut Down Windows dialog box policy setting is enabled.
etting will show notifications about restarts that are required to complete an installation.On Windows 8 and Windows RT if this policy is En
or this configuration to take effect a valid 'Work Folders URL' must also be specified. The “On-demand file access preference” option cont
d for example timedate.cpl or inetcpl.cpl. If a Control Panel item does not have a CPL file or the CPL file contains multiple applets then its m
for any given settings page is the published URI for that page minus the "ms-settings:" protocol part.Example: to specify that only the Abo
anel item does not have a CPL file or the CPL file contains multiple applets then its module name and string resource identification number
ows Component Wizard from starting enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windo
offered on the desktop or on the Start menu.If you disable this setting or do not configure it "Add programs from your network" is availab
ndows RT you cannot apply the Windows Classic visual style.
to connect to network printers.
d package point and print will not be restricted to specific print servers.
evated command prompt when users create a printer connection to any server using Point and Print. -Windows Vista computers will s
right-click a printer click Properties and then click the Security tab. If this policy is disabled or not configured users can add printers us
om installing programs by using other methods. Users will still be able to view and installed assigned (partially installed) programs that are
ormation.If you enable this policy setting automatic learning stops and any stored data is deleted. Users cannot configure this setting in Co
s usual.Note: In operating systems earlier than Microsoft Windows Vista this policy applies to the My Computer icon. Hiding Computer an
e location and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel.Note: This setting d
ngs for Administrators" is disabled or not configured this setting will not apply to administrators on post-Windows 2000 computers.If you d
figured this setting will not apply to administrators on post-Windows 2000 computers.If you do not configure this setting only Administrato
Device Manager when this setting is disabled.
rams such as Internet Explorer to bypass this setting.
nnections" and "Ability to rename all user remote access connections" settings.Note: This setting does not prevent users from using other p
anced configuration" "Prohibit access to the Advanced Settings Item on the Advanced Menu" "Prohibit adding and removing components f
ures inside the Local Area Connection Properties dialog box. If this setting is enabled nothing within the properties dialog box for a LAN con
des a list of the network components that the connection uses. To view or change the properties of a component click the name of the com
and then click the Properties button beneath the component list.Note: Not all network components have configurable properties. For com
When other changes to this setting are applied the icon does not appear or disappear in the Network Connections folder until the folder i
twork components. Clicking the Uninstall button removes the selected component in the components list (above the button).The Install an
isable this setting or do not configure it a Properties menu item appears when any user right-clicks the icon representing a private remote
access connections" setting.)Important: When enabled this setting takes precedence over the "Ability to delete all user remote access con
ck boxes for enabling and disabling the components of a LAN connection.Note: Nonadministrators are already prohibited from enabling o
as Internet Explorer to bypass this setting.
operties button for connection components users cannot gain access to the Advanced button for TCP/IP configuration.Note: Nonadministr
status taskbar icon and Status dialog box are available to all users.
nfiguration takes precedence over the setting in User Configuration.Tip: To configure this setting without establishing a setting in Window
figuration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes precedence over the
m actions established via this setting.Tip: To configure this setting without establishing a setting in Windows Explorer on the Tools menu c
ry ... minutes" option.
Available Offline" command is unavailable for all specified files and folders.The "Make Available Offline" command is called "Always avail
tion folders. If both policy settings are configured the policy settings will be combined and all specified files will be available for offline use.
g a setting in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and then select the "Synchronize all offlin
Computer Configuration and User Configuration folders. If both settings are configured the setting in Computer Configuration takes preced
takes precedence over the setting in User Configuration.Tip: To display or hide reminder balloons without establishing a setting in Windo
figuration\Administrative Templates\System\Logon/Logoff.
oes not clear the list of recent files that Windows programs display at the bottom of the File menu. See the "Do not keep history of recent
ot allow pinning items in Jump Lists"" policy setting.

of recently opened documents on exit" policies in this folder.If you enable this setting but do not enable the "Remove Recent Items menu
rt this policy setting.
the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer.
ogoff" policy setting in User Configuration\Administrative Templates\System\Logon/Logoff.
he "Do not keep history of recently opened documents" setting.This setting also does not hide document shortcuts displayed in the Open
hird-party applications with Windows 2000 or later certification to adhere to this setting.
thods to search.If you disable or do not configure this policy setting the Search link is available from the Start menu.
not configure it the Start screen layout won't be changed and users will be able to customize it.
it year formats using this scheme for the program.

m variables box click Path.
point to System Tools and then click ""Getting Started."" To suppress the welcome screen without specifying a setting clear the ""Show th
alue column type the application executable name (e.g. Winword.exe Poledit.exe Powerpnt.exe).
User Configuration.
e Value column type the application executable name (e.g. Winword.exe Poledit.exe Powerpnt.exe).
ows Update on the Start menu are also removed.Note: If you have installed Windows XP Service Pack 1 or the update to Automatic Updat
can still be blurry on secondary displays that have different display scale factors. Per Process System DPI will not work for all applications
ge driver file security without specifying a setting use System in Control Panel. Right-click My Computer click Properties click the Hardware
fied in the policy setting "Do not automatically make specific redirected folders available offline" that setting will override the configured v
ws copies the contents of the local cache to the new network location then deleted the content from the old network location.
er that the user logs on to.Note: If you enable this policy setting in Computer Configuration and User Configuration the Computer Configur
Note: To change the PDC Operations Master for a domain in Active Directory Users and Computers right-click a domain and then click "Ope
per second.This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defi
mplates folder (either one) right-click the same folder and then point to "View."In Group Policy Object Editor preferences have a red icon
select the "Turn off background refresh of Group Policy" setting.This setting also lets you specify how much the actual update interval vari
achine level the per-user policy setting will be ignored. If this policy setting is not configured at the machine level restrictions will be based
a per-user basis make sure that the per-computer policy is set to Not Configured.
enabled at the computer level it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level the per-use
setting.Also see the ""Do not process the run once list"" policy setting.
programs specified in the User Configuration setting.Also see the ""Do not process the legacy run list"" and the ""Do not process the run o
ATION_POLICY_SEHOP_ENABLE (0x00000004) Enables structured exception handler overwrite protection (SEHOP) for the child process
n in the following order for Tamara:Within GPO B: B.cmd B.ps1Within GPO C: C.cmd C.ps1Note: This policy setting determines the order in
Users can access the home directory and any of its subdirectories from the home drive letter but they cannot see or access its parent direct
file by default.If you enable this policy setting you can exclude additional folders.If you disable this policy setting or do not configure it onl
. Instead if the user has a roaming user profile Windows will not synchronize the user's profile with the roaming profile server if the maxim
Windows sets the default risk level to moderate.
ver the file type.
is policy setting Windows Vista or later will prompt the user whether autorun command is to be run.
ter Configuration and User Configuration folders. If the policy settings conflict the policy setting in Computer Configuration takes preceden
mage" policy.If you do not configure this policy Windows spotlight will be available on the lock screen and will be selected by default unle
duct improvements. Required diagnostic data will always be included when you choose to send optional diagnostic data. Optional diagnos
you disable this setting or do not configure it the "Install Program As Other User" dialog box appears whenever users install programs loca
Do not restrict drives" option in the drop-down list.Also see the "Prevent access to drives from My Computer" policy setting.
can be pinned on the Start menu. The "See more results" link will be pinned first by default unless it is disabled via Group Policy. The "Se
nternet search links.The first several links will also be pinned to the Start menu. A total of four links can be included on the Start menu. T
rive characteristics.Also see the "Hide these specified drives in My Computer" setting.
olicy setting.
ogram might not operate correctly.Note: If it is enabled the "Do not request alternate credentials" setting takes precedence over this settin
ration\Administrative Templates\Desktop\Active Desktop and the "Do not allow Folder Options to be opened from the Options button on
e to this policy setting.
rement for third-party applications with Windows 2000 or later certification to adhere to this setting.
device are Windows Mail and the user-selected mailto protocol handler app. Any other Windows Runtime application will only be able to
ptions > Learning and Dictionary > [Clear input history].This policy setting is applied to Japanese Microsoft IME.Note: Changes to this settin
not installed the following behaviors occur:- If you disable or don't configure this policy Microsoft Edge version 45 or earlier is automaticall
s for certificates from software publishers that haven't already been configured for Internet Explorer.
esktop or the Start menu.
tting the user can view and access the navigation bar the menu bar and the Command bar.
o about how to use this policy together with other related policies to create the optimal configuration for your organization see https://go.
1 - Local Intranet Zone• 0 - Local Machine Zone• 22 - Trusted Intranet and Restricted site zones only Binary Representation - 10110• 1 - R
policy setting the user can configure his or her list of search providers.
ng you set the rate at which Internet Explorer creates new tab processes to low medium or high or to an integer.If you disable or do not co
Controls and Plug-ins area click Administrator Approved.
el.4. In the Run ActiveX Controls and Plug-ins area click Administrator Approved.
ort the Current Security Zones Settings and then click Modify Settings.3. Select the content zone in which you want to manage ActiveX con
rols and Plug-ins area click Administrator Approved.
nistrator Approved.
X Controls and Plug-ins area click Administrator Approved.
e behavior is currently set to prompt it will be bypassed and enabled.If you disable this policy setting for an application or process in the lis
ernet Explorer.If you do not configure this policy setting the user can turn on and turn off Internet Explorer 7 Standards Mode.
g (with an additional string appended) for local intranet content. Additionally all local intranet Standards Mode pages appear in Internet E
e this policy setting users can turn this feature on and off determining whether to delete ActiveX Filtering Tracking Protection and Do Not
ception. By default this option is turned on.
xplorer notifies the user and gives the option to disable Enhanced Protected Mode for that particular website.If you enable this policy setti
an outdated security protocol and enabling SSL 2.0 impairs the performance and functionality of TLS 1.0.
ngs in a separate GPO. You can then use Group Policy management features (for example precedence inheritance or enforce) to apply ind
urity settings for the specified zone are applied to the site. For each entry that you add to the list enter the following information:Value
y feature is enabled.
tion of the item.If you enable this policy setting users can preview items and get custom thumbnails from OpenSearch query results in this
setting for the process.
ure (http://) content.
m one domain to a different domain when the source and destination are in different windows. Users cannot change this setting.
e it users can drag content from one domain to a different domain when the source and destination are in the same window. Users canno
s not supported by the server the user is queried to provide the user name and password.If you disable this policy setting logon is set to Au


t is enabled this policy is ignored.
cedence over this policy. If it is enabled this policy is ignored.
t will override this policy setting.
renced.Value - A number indicating whether Internet Explorer should deny or allow the add-on to be loaded. To specify that an add-on sh
users may use Add-on Manager to allow or deny any add-ons that are not included in the 'Add-on List' policy setting.Note: If an add-on is
olicy settings. If the All Processes policy setting is enabled the processes configured in this policy setting take precedence over that setting.
s policy setting the security feature is allowed.
rer processes in this list: use the related Internet Explorer Processes policy to enable or disable IE processes. If the All Processes policy setti
that setting.If you disable or do not configure this policy setting the security feature is allowed.
g is enabled the processes configured in this box take precedence over that setting.If you disable or do not configure this policy setting the
splayed for the specified processes.
er Processes policy to enable or disable IE processes. If the All Processes policy setting is enabled the processes configured in this box take
his box take precedence over that setting.If you disable or do not configure this policy setting the security feature is allowed.
Windows 10 version 1809Default setting: Disabled or not configuredRelated policies:- Allows development of Windows Store apps and in
ch.xml>If you disable this setting any added search engines are removed from your employee's devices.If you don't configure this setting t
n URL- Unlock Home Button

open windows or customize Microsoft Edge but can clear browsing data and downloads and restart by clicking “End session.” You can confi
Start Pages policy your users can change or customize the Start page.Default setting: A specific page or pages (default)Related policies:-Di
cific page or pages Microsoft Edge uses the Configure Start Pages policy.Supported devices: Domain-joined or MDM-enrolledRelated polic
able enterprise deployment channel.If you enable the Allow Developer Tools policy then this policy does not prevent users from debuggin
gs for each market you can set the string to EDGEDEFAULT. If you'd like your employees to use Microsoft Bing as the default search engine
appear in the Add/Remove Snap-in window in MMC. Also when a user opens a console file that includes a prohibited snap-in the console
prohibited. -- If the policy setting "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured users can use any
when a user opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.
sabled or not configured users will have access to the Group Policy tab. To explicitly prohibit use of the Group Policy tab disable this setti
in the settings storage path. These settings are then synchronized to other computers by an external synchronization engine. UE-V has no
UE-V rollback state is copied to the settings storage location on logout and restored on login.If you disable this policy setting no UE-V rollba
connect directly to the remote computer. To enhance security it is also highly recommended that you specify the authentication method b
used if one is specified. If an authentication method is not specified the Negotiate protocol that is enabled on the client or a smart card can
an alternate RD Gateway server. Users can specify an alternative RD Gateway server by configuring settings on the client using an RDP file
users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to star
he behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting.If the list contains a string that is no
op Easy Print printer driver cannot be used the client printer is not available for the Remote Desktop Services session.Note: If the "Do not
th its default working directory. If the specified program path file name or working directory is not the name of a valid directory the RD Se
ng Remote Desktop Services disconnects a timed-out session unless specified otherwise in local settings.Note: This policy setting only appl
n configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote
mputer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session
ng this policy setting is not specified at the Group Policy level. Be y default Remote Desktop Services disconnected sessions are maintained
from an untrusted server can compromise the security of a user's account.
anel Options in Windows 7 and Windows Vista.
ning tab in Input Panel Options.Caution: If you enable both the “Prevent Input Panel from appearing next to text entry areas” policy and th
el Options.
writing is converted to typed text. Users will not be able to configure this setting in the Input Panel Options dialog box.If you do not configu
ut Panel taskbar icon” policy the user will then have no way to access Input Panel.
he on-screen keyboard by default skin switching is allowed and Input Panel displays the cursor and which keys are tapped. Users will not b
If you enable this policy and choose “None” users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-o
precedence over the setting in User Configuration.
e setting in Computer Configuration takes precedence over the setting in User Configuration.
er to check for solutions to problems. A value of 0 disables the reminder.If you disable or do not configure this policy setting Windows Erro
.- Send all data: any error reporting data requested by Microsoft is sent automatically.If this policy setting is disabled or not configured the
ata required to check for an existing solution as well as data which Windows has determined (within a high probability) does not contain p
Windows Hello for Business automatically starts provisioning after the user has signed in.
ders.Caution: Skilled users can take advantage of the permissions this policy setting grants to change their privileges and gain permanent a
uration and User Configuration folders. If the policy setting is enabled in either folder it is considered be enabled even if it is explicitly disab
ure the HTTP proxy.If you do not configure this policy setting users can configure the HTTP proxy settings.
MS proxy settings.
or RTSP URL from a Windows Media server. If the "Hide network tab" policy setting is enabled the entire Network tab is hidden.If you do n
click Show and then type the module names in the list. The modules and snap-ins in the list must be installed on the computer. Note:
t access to that directory to prevent users from viewing the transcripts of other users or computers. Note: This policy setting exists
allowed."
Windows RT if this policy is Enabled then only notifications related to restarts and the inability to detect updates will be shown. The notifi
ccess preference” option controls whether to enable on-demand file access. When enabled the user controls which files in Work Folders a
ains multiple applets then its module name and string resource identification number should be entered for example @systemcpl.dll-1 for
e: to specify that only the About and Bluetooth pages should be shown (their respective URIs are ms-settings:about and ms-settings:blueto
esource identification number should be entered. For example enter @systemcpl.dll-1 for System or @themecpl.dll-1 for Personalization.
the "Hide Add/Remove Windows Components page" setting is enabled this setting is ignored.
from your network" is available to all users.Note: If the "Hide Add New Programs page" setting is enabled this setting is ignored.
Windows Vista computers will show a warning and an elevated command prompt when an existing printer connection driver needs to be u
ured users can add printers using the methods described above.
lly installed) programs that are offered on the desktop or on the Start menu.If this setting is disabled or is not configured the "Install a pro
not configure this setting in Control Panel.If you disable this policy setting automatic learning is turned on. Users cannot configure this pol
uter icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example if the users navigate
ntrol Panel.Note: This setting does not apply to remote desktop server sessions.
dows 2000 computers.If you do not configure this setting only Administrators and Network Configuration Operators can change propertie
e this setting only Administrators and Network Configuration Operators can delete all user remote access connections.Important: When en
event users from using other programs such as Internet Explorer to rename remote access connections.
ng and removing components for a LAN or remote access connection" "Prohibit access to properties of a LAN connection" "Prohibit Enablin
perties dialog box for a LAN connection is available to users.Note: Nonadministrators have the right to view the properties dialog box for a
onent click the name of the component and then click the Properties button beneath the component list.Note: Not all network component
onfigurable properties. For components that are not configurable the Properties button is always disabled.Note: When the "Ability to chan
ections folder until the folder is refreshed.Note: This setting does not prevent users from using other programs such as Internet Explorer to
bove the button).The Install and Uninstall buttons appear in the properties dialog box for connections. These buttons are on the General t
representing a private remote access connection. Also when any user selects the connection Properties appears on the File menu.Note: Th
ete all user remote access connections" setting. Users cannot delete any remote access connections and the "Ability to delete all user rem
dy prohibited from enabling or disabling components for a LAN connection regardless of this setting.
figuration.Note: Nonadministrators (excluding Network Configuration Operators) do not have permission to access TCP/IP advanced confi
tablishing a setting in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab click Advanced and then select an
tion takes precedence over the setting in User Configuration.
Explorer on the Tools menu click Folder Options click the Offline Files tab and then click Advanced. This setting corresponds to the setting
mmand is called "Always available offline" on computers running Windows Server 2012 Windows Server 2008 R2 Windows Server 2008 W
ill be available for offline use.

elect the "Synchronize all offline files before logging off" option.
ter Configuration takes precedence over the setting in User Configuration.Tip: To change the synchronization method without setting a se
establishing a setting in Windows Explorer on the Tools menu click Folder Options and then click the Offline Files tab. This setting correspon
"Do not keep history of recently opened documents" setting.This policy setting also does not hide document shortcuts displayed in the Op
"Remove Recent Items menu from Start Menu" setting the Recent Items menu appears on the Start menu but it is empty.If you enable th
ortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting.
g a setting clear the ""Show this screen at startup"" check box on the welcome screen.
he update to Automatic Updates that was released after Windows XP was originally shipped then you should use the new Automatic Upda
ll not work for all applications as some older desktop applications will always be blurry on high DPI displays. In some cases you may see so
Properties click the Hardware tab and then click the Driver Signing button.
will override the configured value of "Do not automatically make all redirected folders available offline".
network location.
ration the Computer Configuration policy setting takes precedence.
k a domain and then click "Operations Masters."

n Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a
r preferences have a red icon to distinguish them from true settings which have a blue icon.
the actual update interval varies. To prevent clients with the same update interval from requesting updates simultaneously the system var
level restrictions will be based on per-user policy settings.To set this policy setting on a per-user basis make sure that you do not configure
he computer level the per-user policy is ignored. If this policy setting is not configured at the computer level restrictions are based on per-
he ""Do not process the run once list"" settings.

n (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique. PROCESS_
setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting f
see or access its parent directories. %HOMEPATH% stores a final backslash and is included for compatibility with earlier systems.
tting or do not configure it only the default folders are excluded.Note: You cannot use this policy setting to include the default folders in a
ming profile server if the maximum profile size limit specified here is exceeded.
r Configuration takes precedence over the policy setting in User Configuration.
will be selected by default unless you have configured another default lock screen image using the "Force a specific default lock screen and
gnostic data. Optional diagnostic data can also include diagnostic log files and crash dumps. Use the "Limit Dump Collection" and the "Lim
ver users install programs locally on the computer.By default users are not prompted for alternate logon credentials when installing progr
er" policy setting.
bled via Group Policy. The "Search the Internet" link is pinned second if it is pinned via Group Policy (though this link is disabled by default
ncluded on the Start menu. The "See more results" link will be pinned first by default unless it is disabled via Group Policy. The "Search th
kes precedence over this setting. When that setting is enabled users are not prompted for alternate logon credentials on any installation.
d from the Options button on the View tab of the ribbon" setting in User Configuration\Administrative Templates\Windows Components\
application will only be able to revoke access to content it protected. Note: File revocation applies to all content protected under the sam
E.Note: Changes to this setting will not take effect until the user logs off.
on 45 or earlier is automatically used. This is the default behavior.- If you enable this policy you can configure redirected sites to open in u
ur organization see https://go.microsoft.com/fwlink/?linkid=2094210.
Representation - 10110• 1 - Restricted Sites Zone• 0 - Internet Zone• 1 - Trusted Sites Zone• 1 - Local Intranet Zone• 0 - Local Machine Zo
ger.If you disable or do not configure this policy setting the tab process growth is set to the default. The user can change this value by usin
u want to manage ActiveX controls and then click Custom Level.4. In the Run ActiveX Controls and Plug-ins area click Administrator Approv
pplication or process in the list a script that is running in the application or process cannot bypass the prompt for delete copy or paste ope
Standards Mode.
ode pages appear in Internet Explorer 7 Standards Mode. This option results in the greatest compatibility with existing webpages but newe
acking Protection and Do Not Track data when clicking Delete.

te.If you enable this policy setting Internet Explorer will not give the user the option to disable Enhanced Protected Mode. All Protected M
itance or enforce) to apply individual settings to specific targets.

he following information:Valuename – A host for an intranet site or a fully qualified domain name for other sites. The valuename may also
enSearch query results in this zone using File Explorer.If you disable this policy setting users will be prevented from previewing items and g
t change this setting.

he same window. Users cannot change this setting in the Internet Options dialog.
policy setting logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Automatic logo




policy setting logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Prompt for user

policy setting logon is set to Automatic logon only in Intranet zone.If you do not configure this policy setting logon is set to Prompt for user

. To specify that an add-on should be denied enter a 0 (zero) into this field. To specify that an add-on should be allowed enter a 1 (one) in
y setting.Note: If an add-on is listed in the 'Add-on List' policy setting the user cannot change its state through Add-on Manager (unless its
precedence over that setting.If you do not configure this policy processes other than the Internet Explorer processes will not be affected b
If the All Processes policy setting is enabled the processes configured in this box take precedence over that setting.If you disable or do not
onfigure this policy setting the security feature is allowed.
ses configured in this box take precedence over that setting.If you disable or do not configure this policy setting the security feature is allo
ature is allowed.
of Windows Store apps and installing them from an integrated development environment (IDE)- Allow all trusted apps to install
u don't configure this setting the search engine list is set to what is specified in App settings.
ng “End session.” You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeo
s (default)Related policies:-Disable Lockdown of Start Pages-Configure Start Pages
or MDM-enrolledRelated policy:- Configure Open Microsoft Edge With- Disable Lockdown of Start Pages
t prevent users from debugging and altering the logic on an extension.If disabled or not configured extensions defined as part of this policy
g as the default search engine you can set the string to EDGEBING.Employees can change the default search engine at any time unless you
rohibited snap-in the console file opens but the prohibited snap-in does not appear.Note: If you enable this setting and you do not enable
configured users can use any snap-in except those explicitly prohibited. To explicitly prohibit use of this snap-in disable this policy setting
d snap-in does not appear.
oup Policy tab disable this setting. If this setting is not configured (or enabled) the Group Policy tab is accessible.When the Group Policy ta
onization engine. UE-V has no control over this synchronization. It only reads and writes the settings data when the normal UE-V triggers t
his policy setting no UE-V rollback state is copied to the settings storage location.If you do not configure this policy no UE-V rollback state is
y the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication
n the client or a smart card can be used for authentication.
on the client using an RDP file or using an HTML script. If users do not specify an alternate RD Gateway server the server that you specify
ame. When a user tries to start an RDP session the user receives a message that the publisher has been blocked.Note: You can define this
e list contains a string that is not a certificate thumbprint it is ignored.
es session.Note: If the "Do not allow client printer redirection" policy setting is enabled the "Use Remote Desktop Easy Print printer driver
e of a valid directory the RD Session Host server connection fails with an error message.If the status is set to Enabled Remote Desktop Serv
e: This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-ou
mote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached.Note: This policy settin
Desktop Session Host\Session Time Limits\End session when time limits are reached.Note: This policy setting appears in both Computer C
nected sessions are maintained for an unlimited amount of time. Note: This policy setting appears in both Computer Configuration and Use
text entry areas” policy and the “Prevent Input Panel tab from appearing” policy and disable the “Show Input Panel taskbar icon” policy th
ialog box.If you do not configure this policy rarely used Chinese Kanji and Hanja characters will not be included in recognition results when
ys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you enable this policy and choose “M
res and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If you d
his policy setting Windows Error Reporting reports are not queued and users can only send reports at the time that a problem occurs.
disabled or not configured then the consent level defaults to the highest-privacy setting: Always ask before sending data.
robability) does not contain personally identifiable data and prompts the user for consent to send any additional data requested by Micro
ivileges and gain permanent access to restricted files and folders. Note that the User Configuration version of this policy setting is not gua
bled even if it is explicitly disabled in the other folder.
work tab is hidden.If you do not configure this policy setting users can select the protocols to use on the Network tab.If you disable this po
d on the computer. Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Edit
Note: This policy setting exists under both Computer Configuration and User Configuration in the Group Policy Editor. The Computer Confi
dates will be shown. The notification options are not supported. Notifications on the login screen will always show up.
s which files in Work Folders are available offline on a given PC. The rest of the files in Work Folders are always visible and don’t take up an
example @systemcpl.dll-1 for System or @themecpl.dll-1 for Personalization. A complete list of canonical and module names can be foun
s:about and ms-settings:bluetooth) and all other pages hidden:showonly:about;bluetoothExample: to specify that only the Bluetooth page
mecpl.dll-1 for Personalization. A complete list of canonical and module names of Control Panel items can be found in MSDN by searching "
his setting is ignored.
onnection driver needs to be updated. -Windows Server 2003 and Windows XP client computers can create a printer connection to an
t configured the "Install a program from the network" task to the "Get Programs" page will be available to all users.Note: If the "Hide Pro
sers cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition if handwriting personaliz
example if the users navigate into one of their hard drives they see all of their folders and files there even if this setting is enabled.
perators can change properties of all-user remote access connections.Note: This setting takes precedence over settings that manipulate th
nnections.Important: When enabled the "Prohibit deletion of remote access connections" setting takes precedence over this setting. User
N connection" "Prohibit Enabling/Disabling components of a LAN connection" "Ability to change properties of an all user remote access con
he properties dialog box for a connection but not to make changes regardless of this setting.
e: Not all network components have configurable properties. For components that are not configurable the Properties button is always di
ote: When the "Ability to change properties of an all user remote access connection" or "Prohibit changing properties of a private remote
ms such as Internet Explorer to bypass this setting.
e buttons are on the General tab for LAN connections and on the Networking tab for remote access connections.Note: When the "Prohibit
ears on the File menu.Note: This setting takes precedence over settings that manipulate the availability of features in the Remote Access C
"Ability to delete all user remote access connections" setting is ignored.Note: LAN connections are created and deleted automatically wh
access TCP/IP advanced configuration for a LAN connection regardless of this setting.Tip: To open the Advanced TCP/IP Setting dialog box
k Advanced and then select an option in the "When a network connection is lost" section.Also see the "Non-default server disconnect acti
tting corresponds to the settings in the "Exception list" section.
08 R2 Windows Server 2008 Windows 8 Windows 7 or Windows Vista.This policy setting does not prevent files from being automatically ca
n method without setting a setting in Windows Explorer on the Tools menu click Folder Options click the Offline Files tab and then select t
iles tab. This setting corresponds to the "Enable reminders" check box.
t shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting.This policy also does not clear items th
but it is empty.If you enable this setting but then later disable it or set it to Not Configured the document shortcuts saved before the settin
d use the new Automatic Updates settings located at: 'Computer Configuration / Administrative Templates / Windows Update'
In some cases you may see some odd behavior in some desktop applications. If that happens Per Process System DPI should be disabled.E
n User Configuration defines a slow link for settings in the User Configuration folder.Also see the "Do not detect slow network connections
simultaneously the system varies the update interval for each client by a random number of minutes. The number you type in the random
sure that you do not configure the per-machine policy setting.
restrictions are based on per-user policies.
write technique. PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100) The force Add

n override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: User Co
with earlier systems.
nclude the default folders in a roaming user profile.
pecific default lock screen and logon image" policy.Note: This policy is only available for Enterprise SKUs
Dump Collection" and the "Limit Diagnostic Log Collection" policies for more granular control of what optional diagnostic data is sent.If you
dentials when installing programs from a network share. If enabled this setting overrides the "Request credentials for network installation
this link is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy this lin
a Group Policy. The "Search the Internet" link is pinned second if it is pinned via Group Policy (though this link is disabled by default). If a
edentials on any installation.

plates\Windows Components\File Explorer.
tent protected under the same second level domain as the provided enterprise identifier. So revoking an enterprise ID of mail.contoso.co
e redirected sites to open in up to three of the following channels where: 0 = Microsoft Edge version 45 or earlier 1 = Microsoft Edge St
net Zone• 0 - Local Machine Zone
r can change this value by using the registry key. Note: On Terminal Server the default value is the integer “1”.
rea click Administrator Approved.
pt for delete copy or paste operations from the Clipboard.If you do not configure this policy setting current values of the URL action for an
th existing webpages but newer content written to common Internet standards may be displayed incorrectly. This option matches the defa
otected Mode. All Protected Mode websites will run in Enhanced Protected Mode.If you disable or do not configure this policy setting Inter
ites. The valuename may also include a specific protocol. For example if you enter http://www.contoso.com as the valuename other prot
d from previewing items and get custom thumbnails from OpenSearch query results in this zone using File Explorer.If you do not configure
logon is set to Automatic logon only in Intranet zone.


logon is set to Automatic logon with current username and password.


logon is set to Prompt for username and password.
logon is set to Prompt for username and password.

d be allowed enter a 1 (one) into this field. To specify that an add-on should be allowed and also permit the user to manage the add-on thr
h Add-on Manager (unless its value has been set to allow user management - see the 'Add-on List' policy for more details).
rocesses will not be affected by add-on management user preferences or policy settings (unless "All Processes" is enabled).
setting.If you disable or do not configure this policy setting the security feature is allowed.
tting the security feature is allowed.

usted apps to install
ure kiosk reset after idle timeout” policy.- If it’s one of many apps it runs in a limited multi-tab version of InPrivate for public browsing wit
ns defined as part of this policy get ignored.Default setting: Disabled or not configuredRelated policies: Allow Developer ToolsRelated Doc
h engine at any time unless you disable the "Allow search engine customization" setting which restricts any changes.If you disable this setti
setting and you do not enable any settings in the Restricted/Permitted snap-ins folder users cannot use any MMC snap-ins.
p-in disable this policy setting. If this policy setting is not configured or enabled the snap-in is permitted. When a snap-in is prohibited it do
ble.When the Group Policy tab is inaccessible it does not appear in the site domain or organizational unit property sheets.
hen the normal UE-V triggers take place.With notifications enabled UE-V users receive a message when the settings sync is delayed. The no
policy no UE-V rollback state is copied to the settings storage location.

not specify an authentication method by using this policy setting either the NTLM protocol that is enabled on the client or a smart card ca
er the server that you specify in this policy setting is used by default.Note: If you disable or do not configure this policy setting but enable
ked.Note: You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this po
ktop Easy Print printer driver first" policy setting is ignored.

Enabled Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the progra
tting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Config
eached.Note: This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured the
g appears in both Computer Configuration and User Configuration. If both policy settings are configured the Computer Configuration polic
mputer Configuration and User Configuration. If both policy settings are configured the Computer Configuration policy setting takes prece
ut Panel taskbar icon” policy the user will then have no way to access Input Panel.
ed in recognition results when handwriting is converted to typed text. Users will be able to configure this setting on the Ink to text conver
able this policy and choose “Medium” from the drop-down box password security is set to “Medium.” At this setting when users enter pas
Options dialog box. If you disable this policy users will be able to use both the tolerant scratch-out gestures and the Z-shaped scratch-o
me that a problem occurs.
sending data.
tional data requested by Microsoft.- 4 (Send all data): Any data requested by Microsoft is sent automatically.If you disable or do not config
of this policy setting is not guaranteed to be secure.
twork tab.If you disable this policy setting the Protocols for MMS URLs and Multicast streams areas of the Network tab are not available an
uration in the Group Policy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
icy Editor. The Computer Configuration policy setting takes precedence over the User Configuration policy setting.
show up.
ays visible and don’t take up any space on the PC but the user must be connected to the Internet to access them.If you enable this policy s
nd module names can be found in MSDN by searching "Control Panel items". If both the "Hide specified Control Panel items" setting and th
y that only the Bluetooth page (which has URI ms-settings:bluetooth) should be hidden:hide:bluetoothThe availability of per-user support
found in MSDN by searching "Control Panel items".If both the "Hide specified Control Panel items" setting and the "Show only specified C
eate a printer connection to any server in their forest using Point and Print. If you disable this policy setting: -Windows Vista clien
ll users.Note: If the "Hide Programs Control Panel" setting is enabled this setting is ignored.
ition if handwriting personalization is turned on.If you do not configure this policy users can choose to enable or disable automatic learnin
f this setting is enabled.

ver settings that manipulate the availability of features inside the Remote Access Connection Properties dialog box. If this setting is disable
edence over this setting. Users (including administrators) cannot delete any remote access connections and this setting is ignored.Note: LA
f an all user remote access connection" "Prohibit changing properties of a private remote access connection" "Prohibit deletion of remote
Properties button is always disabled.Note: When the "Prohibit access to properties of a LAN connection" setting is enabled users are block
properties of a private remote access connection" settings are set to deny access to the Remote Access Connection Properties dialog box th
ons.Note: When the "Prohibit access to properties of a LAN connection" "Ability to change properties of an all user remote access connec
eatures in the Remote Access Connection Properties dialog box. If this setting is enabled nothing within the properties dialog box for a rem
and deleted automatically when a LAN adapter is installed or removed. You cannot use the Network Connections folder to create or delet
nced TCP/IP Setting dialog box in the Network Connections folder right-click a connection icon and click Properties. For remote access con
-default server disconnect actions" setting.
es from being automatically cached if the network share is configured for "Automatic Caching." It only affects the display of the "Make Ava
ffline Files tab and then select the "Synchronize all offline files before logging on" option.
icy also does not clear items that the user may have pinned to the Jump Lists or Tasks that the application has provided for their menu. Se
ortcuts saved before the setting was enabled reappear in the Recent Items menu and program File menus and Jump Lists.This setting does
Windows Update'
stem DPI should be disabled.Enabling this setting lets you specify the system-wide default for desktop applications as well as per-applicati
ect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile. Note: If the
umber you type in the random time box sets the upper limit for the range of variance. For example if you type 30 minutes the system sele
0x00000100) The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that are not dynamic base compatib
y settings for the GPO: User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\LogonUser Configuration\Policies\Windows S
al diagnostic data is sent.If you disable or do not configure this policy setting the device will send required diagnostic data and the end use
entials for network installations" setting.
provider" Group Policy this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Internet/intr
nk is disabled by default). If a custom Internet search link is pinned using the "Custom Internet search provider" Group Policy this link will
terprise ID of mail.contoso.com will revoke the user’s access to all content protected under the contoso.com hierarchy.
earlier 1 = Microsoft Edge Stable 2 = Microsoft Edge Beta version 77 or later 3 = Microsoft Edge Dev version 77 or later 4 = Microso
alues of the URL action for an application or process in the list prevail.
. This option matches the default behavior of Internet Explorer.

nfigure this policy setting Internet Explorer notifies users and provides an option to run websites with incompatible ActiveX controls in reg
m as the valuename other protocols are not affected. If you enter just www.contoso.com then all protocols are affected for that site includ
xplorer.If you do not configure this policy setting users can preview items and get custom thumbnails from OpenSearch query results in th
xplorer.If you do not configure this policy setting users cannot preview items or get custom thumbnails from OpenSearch query results in
xplorer.If you do not configure this policy setting users cannot preview items or get custom thumbnails from OpenSearch query results in
user to manage the add-on through Add-on Manager enter a 2 (two) into this field.If you disable this policy setting the list is deleted. The 'D
more details).
es" is enabled).
Private for public browsing with other apps. Users can minimize close and open multiple InPrivate windows but they can’t customize Micro
w Developer ToolsRelated Documents:- Find a package family name (PFN) for per-app VPN (https://docs.microsoft.com/en-us/sccm/prote
hanges.If you disable this setting the policy-set default search engine is removed. If this is also the current in-use default the engine chang
MMC snap-ins.
en a snap-in is prohibited it does not appear in the Add/Remove Snap-in window in MMC. Also when a user opens a console file that inclu
operty sheets.
settings sync is delayed. The notification delay policy setting defines the delay before a notification appears.If you disable this policy setting
n the client or a smart card can be used.To allow users to overwrite this policy setting select the "Allow users to change this setting" check
this policy setting but enable the "Enable connections through RD Gateway" policy setting client connection attempts to any remote comp
n node. If you configure this policy setting for the computer all users on the computer are affected.
orking Directory (or the program default directory if Working Directory is not specified) as the working directory for the program.If the sta
pears in both Computer Configuration and User Configuration. If both settings are configured the Computer Configuration setting takes pre
licy settings are configured the Computer Configuration policy setting takes precedence.
Computer Configuration policy setting takes precedence.
tion policy setting takes precedence.
tting on the Ink to text conversion tab in Input Panel Options (in Windows 7 and Windows Vista).
s setting when users enter passwords from Input Panel they use the on-screen keyboard by default skin switching is not allowed and Input
es and the Z-shaped scratch-out gesture. Users will not be able to configure this setting in the Input Panel Options dialog box. If you do
If you disable or do not configure this policy setting then the default consent settings that are applied are those specified by the user in Co
etwork tab are not available and the Player cannot receive an MMS or RTSP stream from a Windows Media server.
r Configuration policy setting.
etting.
hem.If you enable this policy setting on-demand file access is enabled.If you disable this policy setting on-demand file access is disabled an
trol Panel items" setting and the "Show only specified Control Panel items" setting are enabled the "Show only specified Control Panel item
vailability of per-user support is documented here: https://go.microsoft.com/fwlink/?linkid=2102995

and the "Show only specified Control Panel items" setting are enabled the "Show only specified Control Panel items" setting is ignored.Not
tting: -Windows Vista client computers can create a printer connection to any server using Point and Print. -Windows Vista comp
e or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog.This policy
og box. If this setting is disabled nothing within the properties dialog box for a remote access connection will be available to users.Note: Th
this setting is ignored.Note: LAN connections are created and deleted automatically by the system when a LAN adapter is installed or rem
" "Prohibit deletion of remote access connections" "Ability to delete all user remote access connections" "Prohibit connecting and disconn
tting is enabled users are blocked from accessing the Properties button for LAN connection components.Note: Network Configuration Ope
ection Properties dialog box the Properties button for remote access connection components is blocked.Note: This setting does not preve
all user remote access connection" or "Prohibit changing properties of a private remote access connection" settings are set to deny access
properties dialog box for a remote access connection will be available to users.Note: This setting does not prevent users from using other p
ctions folder to create or delete a LAN connection.Note: This setting does not prevent users from using other programs such as Internet Ex
perties. For remote access connections click the Networking tab. In the "Components checked are used by this connection" box click Inter
s the display of the "Make Available Offline" command in File Explorer.If the "Remove 'Make Available Offline' command" policy setting is
as provided for their menu. See the "Do not allow pinning items in Jump Lists" setting.
nd Jump Lists.This setting does not hide or prevent the user from pinning files folders or websites to the Jump Lists. See the "Do not allow p
cations as well as per-application overrides. If you disable or do not configure this setting Per Process System DPI will not apply to any proc
stem\User Profile. Note: If the profile server has IP connectivity the connection speed setting is used. If the profile server does not have IP
pe 30 minutes the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely th
re not dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required images tha
figuration\Policies\Windows Settings\Scripts (Logon/Logoff)\LogoffThis policy setting appears in the Computer Configuration and User Con
agnostic data and the end user can choose whether to send optional diagnostic data from the Settings app.Note:The "Configure diagnostic
between pinned Internet/intranet links and pinned Search Connectors/Libraries. Search Connector/Library links take precedence over Int
der" Group Policy this link will be pinned third on the Start menu. The remaining link(s) will be shared between pinned Search Connectors
m hierarchy.
rsion 77 or later 4 = Microsoft Edge Canary version 77 or later*For more information about the Windows update for the next version of M
patible ActiveX controls in regular Protected Mode. This is the default behavior.
re affected for that site including http https ftp and so on. The site may also be expressed as an IP address (e.g. 127.0.0.1) or range (e.g. 12
OpenSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows.
m OpenSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows
m OpenSearch query results in this zone using File Explorer.Changes to this setting may not be applied until the user logs off from Windows
etting the list is deleted. The 'Deny all add-ons unless specifically allowed in the Add-on List' policy setting will still determine whether add
but they can’t customize Microsoft Edge.
rosoft.com/en-us/sccm/protect/deploy-use/find-a-pfn-for-per-app-vpn)- How to manage apps you purchased from the Microsoft Store fo
-use default the engine changes to the Microsoft Edge specified engine for the market.If you don't configure this setting the default searc
opens a console file that includes a prohibited snap-in the console file opens but the prohibited snap-in does not appear.
f you disable this policy setting the sync provider is used to synchronize settings between computers and the settings storage location.If y
s to change this setting" check box. When you do this users on the client can choose not to connect through the RD Gateway server by sel
attempts to any remote computer will fail if the client cannot connect directly to the remote computer. If an RD Gateway server is specifi
tory for the program.If the status is set to Disabled or Not Configured Remote Desktop Services sessions start with the full desktop unless
Configuration setting takes precedence.
ching is not allowed and Input Panel displays the cursor and which keys are tapped. Users will not be able to configure this setting in the I
ptions dialog box. If you do not configure this policy users will be able to use both the tolerant scratch-out gestures and the Z-shaped s
ose specified by the user in Control Panel or in the Configure Default Consent policy setting.
mand file access is disabled and enough storage space to store all the user’s files is required on each of their PCs.If you specify User choice
nly specified Control Panel items" setting is ignored.Note: The Display Control Panel item cannot be hidden in the Desktop context menu b
l items" setting is ignored.Note: The Display Control Panel item cannot be hidden in the Desktop context menu by using this setting. To hid
nt. -Windows Vista computers will not show a warning or an elevated command prompt when users create a printer connection to a
m the opt-in dialog.This policy setting is related to the "Turn off handwriting personalization" policy setting.Note: The amount of stored in
be available to users.Note: This setting does not prevent users from using other programs such as Internet Explorer to bypass this setting.
AN adapter is installed or removed. You cannot use the Network Connections folder to create or delete a LAN connection.Note: This settin
ohibit connecting and disconnecting a remote access connection" "Ability to Enable/Disable a LAN connection" "Prohibit access to the Ne
e: Network Configuration Operators only have permission to change TCP/IP properties. Properties for all other components are unavailab
te: This setting does not prevent users from using other programs such as Internet Explorer to bypass this setting.
settings are set to deny access to the connection properties dialog box the Install and Uninstall buttons for connections are blocked.Note:
event users from using other programs such as Internet Explorer to bypass this setting.
r programs such as Internet Explorer to bypass this setting.
his connection" box click Internet Protocol (TCP/IP) click the Properties button and then click the Advanced button.Note: Changing this setti
ne' command" policy setting is enabled this setting has no effect.

p Lists. See the "Do not allow pinning items in Jump Lists" setting. This policy also does not hide Tasks that the application has provided for
DPI will not apply to any processes on the system.
profile server does not have IP connectivity the SMB timing is used.
ange and makes it less likely that client requests overlap. However updates might be delayed significantly.Important: If the "Turn off backg
ations are required images that do not have a base relocation section will not be loaded. PROCESS_CREATION_MITIGATION_POLICY_B
er Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in
Note:The "Configure diagnostic data opt-in settings user interface" group policy can be used to prevent end users from changing their data
links take precedence over Internet/intranet search links.If you enable this policy setting the specified Internet sites will appear in the "Se
een pinned Search Connectors/Libraries and pinned Internet/intranet search links. Search Connector/Library links take precedence over In
pdate for the next version of Microsoft Edge including how to disable it see https://go.microsoft.com/fwlink/?linkid=2102115. This update
e.g. 127.0.0.1) or range (e.g. 127.0.0.1-10). To avoid creating conflicting policies do not include additional characters after the domain such
user logs off from Windows.
he user logs off from Windows.
he user logs off from Windows.
ill still determine whether add-ons not in this list are assumed to be denied.
ed from the Microsoft Store for Business with Microsoft Intune (https://docs.microsoft.com/en-us/intune/windows-store-for-business)- Ho
e this setting the default search engine is set to the one specified in App settings.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
s not appear.
e settings storage location.If you do not configure this policy setting any defined values will be deleted.
the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring
n RD Gateway server is specified by the user a client connection attempt will be made through that RD Gateway server.
rt with the full desktop unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates
o configure this setting in the Input Panel Options dialog box. If you enable this policy and choose to “Medium-High” from the drop-down b
ut gestures and the Z-shaped scratch-out gesture. Users will be able to configure this setting on the Gestures tab in Input Panel Options.
PCs.If you specify User choice or do not configure this policy setting the user decides whether to enable on-demand file access. However
n the Desktop context menu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's
nu by using this setting. To hide the Display Control Panel item and prevent users from modifying the computer's display settings use the
eate a printer connection to any server using Point and Print. -Windows Vista computers will not show a warning or an elevated comm
Note: The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reac
Explorer to bypass this setting.
N connection.Note: This setting does not prevent users from using other programs such as Internet Explorer to bypass this setting.
on" "Prohibit access to the New Connection Wizard" "Prohibit renaming private remote access connections" "Prohibit access to the Remot
her components are unavailable to these users.Note: Nonadministrators are already prohibited from accessing properties of components f
onnections are blocked.Note: Nonadministrators are already prohibited from adding and removing connection components regardless of
button.Note: Changing this setting from Enabled to Not Configured does not enable the Advanced button until the user logs off.
he application has provided for their Jump List. This setting does not hide document shortcuts displayed in the Open dialog box. See the "H
portant: If the "Turn off background refresh of Group Policy" setting is enabled this setting is ignored.Note: This setting establishes the upd
TION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000) PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP

cedence over the setting set in User Configuration.
users from changing their data collection settings.

net sites will appear in the "Search again" links and the Start menu links.If you disable or do not configure this policy setting no custom Inte
y links take precedence over Internet/intranet search links.If you enable this policy setting the specified Libraries or Search Connectors wil
/?linkid=2102115. This update applies only to Windows 10 version 1709 and higher.
aracters after the domain such as trailing slashes or URL path. For example policy settings for www.contoso.com and www.contoso.com/m
indows-store-for-business)- How to assign apps to groups with Microsoft Intune (https://docs.microsoft.com/en-us/intune/apps-deploy)-
nection method by configuring settings on the client using an RDP file or using an HTML script. If users do not specify a connection method
way server.
tion\Administrative Templates\System\Logon\Run these programs at user logon" setting.)Note: This setting appears in both Computer Con
m-High” from the drop-down box password security is set to “Medium-High.” At this setting when users enter passwords from Input Panel
s tab in Input Panel Options.
demand file access. However if the Force automatic setup policy setting is enabled Work Folders is set up automatically with on-demand fi
rom modifying the computer's display settings use the "Disable Display Control Panel" setting instead.Note: To hide pages in the System Se
uter's display settings use the "Disable Display Control Panel" setting instead.Note: To hide pages in the System Settings app use the "Setti
a warning or an elevated command prompt when an existing printer connection driver needs to be updated. -Windows Server 2003 a
MB. When these limits are reached and new data is collected old data is deleted to make room for more recent data.Note: Handwriting pe
r to bypass this setting.
"Prohibit access to the Remote Access Preferences item on the Advanced menu" "Prohibit viewing of status for an active connection". W
ng properties of components for a LAN connection regardless of this setting.
on components regardless of this setting.
til the user logs off.

he Open dialog box. See the "Hide the dropdown list of recent files" setting.Note: It is a requirement for third-party applications with Wind
This setting establishes the update rate for user Group Policies. To set an update rate for computer Group Policies use the "Group Policy re
GATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000) The bottom-up randomization policy which includes stack randomiz
is policy setting no custom Internet search sites will be added to the "Search again" links or the Start menu links.
aries or Search Connectors will appear in the "Search again" links and the Start menu links.If you disable or do not configure this policy setti
com and www.contoso.com/mail would be treated as the same policy setting by Internet Explorer and would therefore be in conflict.Valu
m/en-us/intune/apps-deploy)- Manage apps from the Microsoft Store for Business with System Center Configuration Manager (https://doc
t specify a connection method the connection method that you specify in this policy setting is used by default.If you disable or do not confi
appears in both Computer Configuration and User Configuration. If both settings are configured the Computer Configuration setting overr
er passwords from Input Panel they use the on-screen keyboard by default skin switching is allowed and Input Panel does not display the c
utomatically with on-demand file access enabled.The "Force automatic setup" option specifies that Work Folders should be set up automa
To hide pages in the System Settings app use the "Settings Page Visibility" setting under Computer Configuration.
em Settings app use the "Settings Page Visibility" setting under Computer Configuration.
. -Windows Server 2003 and Windows XP client computers can create a printer connection to any server using Point and Print. -
ent data.Note: Handwriting personalization works only for Microsoft handwriting recognizers and not with third-party recognizers.
s for an active connection". When this setting is enabled settings that exist in both Windows 2000 Professional and Windows XP Profession
d-party applications with Windows 2000 or later certification to adhere to this setting.
olicies use the "Group Policy refresh interval for computers" setting (located in Computer Configuration\Administrative Templates\System\
which includes stack randomization options causes a random location to be used as the lowest user address. For instance to enable PR
o not configure this policy setting no Libraries or Search Connectors will appear in the "Search again" links or the Start menu links.
d therefore be in conflict.Value - A number indicating the zone with which this site should be associated for security settings. The Internet
guration Manager (https://docs.microsoft.com/en-us/sccm/apps/deploy-use/manage-apps-from-the-windows-store-for-business)- How t
lt.If you disable or do not configure this policy setting clients will not use the RD Gateway server address that is specified in the "Set RD Ga
er Configuration setting overrides.

ut Panel does not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dia
ders should be set up automatically without prompting users. This prevents users from choosing not to use Work Folders on the compute
er using Point and Print. -The "Users can only point and print to computers in their forest" setting applies only to Windows Server 200
hird-party recognizers.
al and Windows XP Professional behave the same for administrators.If you disable this setting or do not configure it Windows XP settings
ministrative Templates\System\Group Policy).Tip: Consider notifying users that their policy is updated periodically so that they recognize th
For instance to enable PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE and PROCESS_CREATION_MITIGATION_POLICY_FORC

r the Start menu links.
security settings. The Internet Explorer zones described above are 1-4.If you disable or do not configure this policy users may choose their
ws-store-for-business)- How to add Windows line-of-business (LOB) apps to Microsoft Intune (https://docs.microsoft.com/en-us/intune/lo
t is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user a client connection att
in the Input Panel Options dialog box.If you enable this policy and choose “High” from the drop-down box password security is set to “Hig
Work Folders on the computer; it also prevents them from manually specifying the local folder in which Work Folders stores files. By defau
es only to Windows Server 2003 and Windows XP SP1 (and later service packs).
figure it Windows XP settings that existed in Windows 2000 will not apply to administrators.Note: This setting is intended to be used in a s
cally so that they recognize the signs of a policy update. When Group Policy is updated the Windows desktop is refreshed; it flickers briefl
ON_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON disable PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR

policy users may choose their own site-to-zone assignments.
microsoft.com/en-us/intune/lob-apps-windows)
he user a client connection attempt will be made through that RD Gateway server.
password security is set to “High.” At this setting when users enter passwords from Input Panel they use the on-screen keyboard by defaul
rk Folders stores files. By default Work Folders is stored in the "%USERPROFILE%\Work Folders" folder. If this option is not specified users
ng is intended to be used in a situation in which the Group Policy object that these settings are being applied to contains both Windows 20
p is refreshed; it flickers briefly and closes open menus. Also restrictions imposed by Group Policies such as those that limit the programs
ON_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF and to leave all other options at their default values specify a value of: ???????????????
on-screen keyboard by default skin switching is not allowed and Input Panel does not display the cursor or which keys are tapped. Users w
s option is not specified users must use the Work Folders Control Panel item on their computers to set up Work Folders.
to contains both Windows 2000 Professional and Windows XP Professional computers and identical Network Connections policy behavio
those that limit the programs a user can run might interfere with tasks in progress.
value of: ???????????????0???????1???????1 Setting flags not specified here to any value other than ? results in undefined behav
which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box. If you disable this policy passw
rk Connections policy behavior is required between all Windows 2000 Professional and Windows XP Professional computers.
n ? results in undefined behavior.
f you disable this policy password security is set to “Medium-High.” At this setting when users enter passwords from Input Panel they use
rds from Input Panel they use the on-screen keyboard by default skin switching is allowed and Input Panel does not display the cursor or w
oes not display the cursor or which keys are tapped. Users will not be able to configure this setting in the Input Panel Options dialog box.
put Panel Options dialog box. If you do not configure this policy password security is set to “Medium-High” by default. At this setting when
by default. At this setting when users enter passwords from Input Panel they use the on-screen keyboard by default skin switching is allow
default skin switching is allowed and Input Panel does not display the cursor or which keys are tapped. Users will be able to configure this
s will be able to configure this setting on the Advanced tab in Input Panel Options in Windows 7 and Windows Vista.Caution: If you lower p
ws Vista.Caution: If you lower password security settings people who can see the user’s screen might be able to see their passwords.
Type
Scheduled Task
Services
Services
Services
Services
Name
XblGameSaveTask
Xbox Accessory Management Service
Xbox Live Auth Manager
Xbox Live Game Save
Xbox Live Networking Service
Windows 11
Disabled
Disabled
Disabled
Disabled
Disabled

FINAL-MS Security Baseline Windows 11

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

FINAL-MS Security Baseline Windows 11

Uploaded by

Copyright:

Available Formats

General Information

Settings contained are as of Build 22000.194

Last modified on October 4, 2021

Settings contained are as of Build 22000.194

Last modified on October 4, 2021

age (SDDL) syntax

roller is not available)

Send NTLMv2 response only. Refuse LM & NTLM

Administrators, SERVICE, Local Service, Network Service

When the Create Vulnerable Connections list (allow list) is configured:

This policy is supported on at least Windows Server 2008 R2.

Interactive Logon: Display user information when session is locked

Network access: Restrict clients allowed to make remote calls to SAM

Windows Server 2003: Send NTLM response only

Default: Administrators, Users

Default: Administrators, Power Users, Users

User Rights security settings are not registry keys

Restart of service might be sufficient

Require restart of recovery console

Success and Failure

Success and Failure

Success and Failure

Success and Failure

Success and Failure

Success and Failure

System\Device Installation\Device Installation Restrictions

System\Early Launch Antimalware

System\Kernel DMA Protection

Windows Components\BitLocker Drive Encryption\Removable Data Drives

Windows Components\Internet Explorer\Security Features\Consistent Mime Handling

Windows Components\Internet Explorer\Security Features\Mime Sniffing Safety Feature

Windows Components\Internet Explorer\Security Features\MK Protocol Security Restriction

Windows Components\Internet Explorer\Security Features\Notification bar

Windows Components\Internet Explorer\Security Features\Protection From Zone Elevation

Windows Components\Internet Explorer\Security Features\Restrict ActiveX Install

Windows Components\Internet Explorer\Security Features\Restrict File Download

Windows Components\Internet Explorer\Security Features\Scripted Window Security Restrictions

Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Attack Surface Reduction

Windows Components\Windows PowerShell

Hardened UNC Paths

Encryption Oracle Remediation

Turn On Virtualization Based Security

Boot-Start Driver Initialization Policy

Configure registry policy processing

Deny write access to removable drives not protected by BitLocker

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Internet Explorer Processes

Configure Attack Surface Reduction rules

Turn on PowerShell Script Block Logging

Disable driver (recommended)

mended except for highly secure environments)

resses (could lead to DoS)

ection request is not acknowledged

crosoft XPS format (*.xps)

mpt creation of a restore point

software during installation

nt registered DNS suffixes if the AllowSingleLabelDnsDomain setting is not enabled.

ps (not desktop apps)