From 0630d0e12b2daff9d17736717e049689018a6ee1 Mon Sep 17 00:00:00 2001
From: Liz Long <104389055+lizgt2000@users.noreply.github.com>
Date: Thu, 5 Jan 2023 09:53:12 -0500
Subject: [PATCH] rpc sam scripts
---
.../mdm/policy-csp-admx-rpc.md | 428 +++---
.../mdm/policy-csp-admx-sam.md | 12 +-
.../mdm/policy-csp-admx-scripts.md | 1199 +++++++++--------
3 files changed, 900 insertions(+), 739 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-admx-rpc.md b/windows/client-management/mdm/policy-csp-admx-rpc.md
index c2e8188d71..5970b4ca01 100644
--- a/windows/client-management/mdm/policy-csp-admx-rpc.md
+++ b/windows/client-management/mdm/policy-csp-admx-rpc.md
@@ -1,199 +1,197 @@
---
-title: Policy CSP - ADMX_RPC
-description: Learn about Policy CSP - ADMX_RPC.
+title: ADMX_RPC Policy CSP
+description: Learn more about the ADMX_RPC Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
+ms.date: 01/05/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 12/08/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - ADMX_RPC
+
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## ADMX_RPC policies
+
+## RpcExtendedErrorInformation
-
- -
- ADMX_RPC/RpcExtendedErrorInformation
-
- -
- ADMX_RPC/RpcIgnoreDelegationFailure
-
- -
- ADMX_RPC/RpcMinimumHttpConnectionTimeout
-
- -
- ADMX_RPC/RpcStateInformation
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcExtendedErrorInformation
+```
+
-
-
-
-**ADMX_RPC/RpcExtendedErrorInformation**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting controls whether the RPC runtime generates extended error information when an error occurs.
Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurred, or from which it was propagated. Programs can retrieve the extended error information by using standard Windows application programming interfaces (APIs).
If you disable this policy setting, the RPC Runtime only generates a status code to indicate an error condition.
-If you don't configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition.
+If you do not configure this policy setting, it remains disabled. It will only generate a status code to indicate an error condition.
-If you enable this policy setting, the RPC runtime will generate extended error information.
+If you enable this policy setting, the RPC runtime will generate extended error information. You must select an error response type in the drop-down box.
-You must select an error response type from the folowing options in the drop-down box:
+-- "Off" disables all extended error information for all processes. RPC only generates an error code.
-- "Off" disables all extended error information for all processes. RPC only generates an error code.
-- "On with Exceptions" enables extended error information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field.
-- "Off with Exceptions" disables extended error information, but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field.
-- "On" enables extended error information for all processes.
+-- "On with Exceptions" enables extended error information, but lets you disable it for selected processes. To disable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field.
-> [!NOTE]
-> For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK).
->
-> Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information.
->
-> The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely.
->
-> This policy setting won't be applied until the system is rebooted.
+-- "Off with Exceptions" disables extended error information, but lets you enable it for selected processes. To enable extended error information for a process while this policy setting is in effect, the command that starts the process must begin with one of the strings in the Extended Error Information Exception field.
-
+-- "On" enables extended error information for all processes.
-
-ADMX Info:
-- GP Friendly name: *Propagate extended error information*
-- GP name: *RpcExtendedErrorInformation*
-- GP path: *System\Remote Procedure Call*
-- GP ADMX file name: *RPC.admx*
+Note: For information about the Extended Error Information Exception field, see the Windows Software Development Kit (SDK).
-
-
-
+Note: Extended error information is formatted to be compatible with other operating systems and older Microsoft operating systems, but only newer Microsoft operating systems can read and respond to the information.
-
-**ADMX_RPC/RpcIgnoreDelegationFailure**
+Note: The default policy setting, "Off," is designed for systems where extended error information is considered to be sensitive, and it should not be made available remotely.
-
+Note: This policy setting will not be applied until the system is rebooted.
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
+**Description framework properties**:
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-> [!div class = "checklist"]
-> * Device
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-
+| Name | Value |
+|:--|:--|
+| Name | RpcExtendedErrorInformation |
+| Friendly Name | Propagate extended error information |
+| Location | Computer Configuration |
+| Path | System > Remote Procedure Call |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc |
+| ADMX File Name | RPC.admx |
+
+
+
+
+
+
+
+
+
+## RpcIgnoreDelegationFailure
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcIgnoreDelegationFailure
+```
+
+
+
+
This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested.
-The constrained delegation model, introduced in Windows Server 2003, doesn't report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation.
+The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation.
If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation.
-If you don't configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation.
+If you do not configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation.
If you enable this policy setting, then:
-- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context doesn't support delegation.
-- "On" directs the RPC Runtime to accept security contexts that don't support delegation even if delegation was asked for.
+-- "Off" directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation, but the created security context does not support delegation.
-> [!NOTE]
-> This policy setting won't be applied until the system is rebooted.
+-- "On" directs the RPC Runtime to accept security contexts that do not support delegation even if delegation was asked for.
-
+Note: This policy setting will not be applied until the system is rebooted.
+
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Ignore Delegation Failure*
-- GP name: *RpcIgnoreDelegationFailure*
-- GP path: *System\Remote Procedure Call*
-- GP ADMX file name: *RPC.admx*
+
+**Description framework properties**:
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_RPC/RpcMinimumHttpConnectionTimeout**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | RpcIgnoreDelegationFailure |
+| Friendly Name | Ignore Delegation Failure |
+| Location | Computer Configuration |
+| Path | System > Remote Procedure Call |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc |
+| ADMX File Name | RPC.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## RpcMinimumHttpConnectionTimeout
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcMinimumHttpConnectionTimeout
+```
+
-
-
+
+
This policy setting controls the idle connection timeout for RPC/HTTP connections.
This policy setting is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server running the RPC/HTTP proxy. In such cases, RPC/HTTP clients may encounter errors because connections will be timed out faster than expected. Using this policy setting you can force the RPC Runtime and the RPC/HTTP Proxy to use a lower connection timeout.
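Review bot: In the RpcExtendedErrorInformation and RpcIgnoreDelegationFailure descriptions, the option items now begin with `-- "Off"` / `-- "On"` and the `> [!NOTE]` callouts have become plain "Note:" paragraphs, so the options will not render as a Markdown list, and the reboot requirement and the remark that the default "Off" is meant for systems where extended error information is sensitive lose their callout styling. Suggest keeping single-hyphen list items and the `[!NOTE]` blocks. The page-level tip also changes to "Some of these are ADMX-backed policies" while both policy sections completed in this hunk add their own "This is an ADMX-backed policy" tip; if every policy in the area is ADMX-backed, keep "These are". The link target moves from `../understanding-admx-backed-policies.md` to `./understanding-admx-backed-policies.md`; please confirm the file exists next to this one.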
@@ -204,89 +202,131 @@ The minimum allowed value for this policy setting is 90 seconds. The maximum is
If you disable this policy setting, the idle connection timeout on the IIS server running the RPC HTTP proxy will be used.
-If you don't configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used.
+If you do not configure this policy setting, it will remain disabled. The idle connection timeout on the IIS server running the RPC HTTP proxy will be used.
If you enable this policy setting, and the IIS server running the RPC HTTP proxy is configured with a lower idle connection timeout, the timeout on the IIS server is used. Otherwise, the provided timeout value is used. The timeout is given in seconds.
-> [!NOTE]
-> This policy setting won't be applied until the system is rebooted.
+Note: This policy setting will not be applied until the system is rebooted.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Set Minimum Idle Connection Timeout for RPC/HTTP connections*
-- GP name: *RpcMinimumHttpConnectionTimeout*
-- GP path: *System\Remote Procedure Call*
-- GP ADMX file name: *RPC.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_RPC/RpcStateInformation**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | RpcMinimumHttpConnectionTimeout |
+| Friendly Name | Set Minimum Idle Connection Timeout for RPC/HTTP connections |
+| Location | Computer Configuration |
+| Path | System > Remote Procedure Call |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc |
+| ADMX File Name | RPC.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## RpcStateInformation
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_RPC/RpcStateInformation
+```
+
-
-
+
+
This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troubleshooting RPC problems.
If you disable this policy setting, the RPC runtime defaults to "Auto2" level.
-If you don't configure this policy setting, the RPC defaults to "Auto2" level.
+If you do not configure this policy setting, the RPC defaults to "Auto2" level.
-If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information from the following:
+If you enable this policy setting, you can use the drop-down box to determine which systems maintain RPC state information.
-- "None" indicates that the system doesn't maintain any RPC state information. Note: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting isn't recommended for most installations.
-- "Auto1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory.
-- "Auto2" directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server.
-- "Server" directs RPC to maintain basic state information on the computer, regardless of its capacity.
-- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it's recommended for use only while you're investigating an RPC problem.
+-- "None" indicates that the system does not maintain any RPC state information.
-> [!NOTE]
-> To retrieve the RPC state information from a system that maintains it, you must use a debugging tool.
->
-> This policy setting won't be applied until the system is rebooted.
+**Note**: Because the basic state information required for troubleshooting has a negligible effect on performance and uses only about 4K of memory, this setting is not recommended for most installations.
-
+-- "Auto1" directs RPC to maintain basic state information only if the computer has at least 64 MB of memory.
-
-ADMX Info:
-- GP Friendly name: *Maintain RPC Troubleshooting State Information*
-- GP name: *RpcStateInformation*
-- GP path: *System\Remote Procedure Call*
-- GP ADMX file name: *RPC.admx*
+-- "Auto2" directs RPC to maintain basic state information only if the computer has at least 128 MB of memory and is running Windows 2000 Server, Windows 2000 Advanced Server, or Windows 2000 Datacenter Server.
-
-
-
+-- "Server" directs RPC to maintain basic state information on the computer, regardless of its capacity.
+-- "Full" directs RPC to maintain complete RPC state information on the system, regardless of its capacity. Because this level can degrade performance, it is recommended for use only while you are investigating an RPC problem.
-
+Note: To retrieve the RPC state information from a system that maintains it, you must use a debugging tool.
-## Related topics
+Note: This policy setting will not be applied until the system is rebooted.
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | RpcStateInformation |
+| Friendly Name | Maintain RPC Troubleshooting State Information |
+| Location | Computer Configuration |
+| Path | System > Remote Procedure Call |
+| Registry Key Name | Software\Policies\Microsoft\Windows NT\Rpc |
+| ADMX File Name | RPC.admx |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
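Review bot: In the RpcStateInformation option list, the sentence "Because the basic state information required for troubleshooting has a negligible effect on performance ..." used to be part of the "None" item and is now a separate `**Note**:` paragraph sitting between "None" and "Auto1", so "this setting is not recommended" no longer clearly refers to "None". Suggest keeping it inside the "None" item. The same section mixes `**Note**:` with plain `Note:` and uses `-- ` item markers, which will not render as a list. The Related section also drops the link to policies-in-policy-csp-admx-backed.md in favour of policy-configuration-service-provider.md; confirm the ADMX-backed index is still reachable from this page.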
diff --git a/windows/client-management/mdm/policy-csp-admx-sam.md b/windows/client-management/mdm/policy-csp-admx-sam.md
index 16f8928707..b0eae0e07b 100644
--- a/windows/client-management/mdm/policy-csp-admx-sam.md
+++ b/windows/client-management/mdm/policy-csp-admx-sam.md
@@ -4,7 +4,7 @@ description: Learn more about the ADMX_sam Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
-ms.date: 11/29/2022
+ms.date: 01/05/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@@ -43,13 +43,14 @@ ms.topic: reference
+
This policy setting allows you to configure how domain controllers handle Windows Hello for Business (WHfB) keys that are vulnerable to the "Return of Coppersmith's attack" (ROCA) vulnerability.
For more information on the ROCA vulnerability, please see:
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361
+
-https://en.wikipedia.org/wiki/ROCA_vulnerability
+
If you enable this policy setting the following options are supported:
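Review bot: After "For more information on the ROCA vulnerability, please see:" both reference URLs (the CVE-2017-15361 entry and the Wikipedia article) are removed and only empty lines are added, so the sentence now introduces nothing. If the intent was to convert them to angle-bracket links, the link text is not present in the added lines; please restore the two references.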
@@ -67,7 +68,7 @@ A reboot is not required for changes to this setting to take effect.
Note: to avoid unexpected disruptions this setting should not be set to Block until appropriate mitigations have been performed, for example patching of vulnerable TPMs.
-More information is available at https://go.microsoft.com/fwlink/?linkid=2116430.
+More information is available at .
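Review bot: The replacement line reads "More information is available at ." with no target, while the removed line pointed to https://go.microsoft.com/fwlink/?linkid=2116430. This sentence directly follows the warning not to set Block until vulnerable TPMs have been patched, so the mitigation link should stay; restore the URL in whatever link syntax the new template expects.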
@@ -84,6 +85,9 @@ More information is available at https://go.microsoft.com/fwlink/?linkid=2116430
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
**ADMX mapping**:
| Name | Value |
diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md
index 8fb9f59bb0..cea112d18a 100644
--- a/windows/client-management/mdm/policy-csp-admx-scripts.md
+++ b/windows/client-management/mdm/policy-csp-admx-scripts.md
@@ -1,199 +1,174 @@
---
-title: Policy CSP - ADMX_Scripts
-description: Learn about Policy CSP - ADMX_Scripts.
+title: ADMX_Scripts Policy CSP
+description: Learn more about the ADMX_Scripts Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
+ms.date: 01/05/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/17/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - ADMX_Scripts
+
> [!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## ADMX_Scripts policies
+
+## Allow_Logon_Script_NetbiosDisabled
-
- -
- ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled
-
- -
- ADMX_Scripts/MaxGPOScriptWaitPolicy
-
- -
- ADMX_Scripts/Run_Computer_PS_Scripts_First
-
- -
- ADMX_Scripts/Run_Legacy_Logon_Script_Hidden
-
- -
- ADMX_Scripts/Run_Logoff_Script_Visible
-
- -
- ADMX_Scripts/Run_Logon_Script_Sync_1
-
- -
- ADMX_Scripts/Run_Logon_Script_Sync_2
-
- -
- ADMX_Scripts/Run_Logon_Script_Visible
-
- -
- ADMX_Scripts/Run_Shutdown_Script_Visible
-
- -
- ADMX_Scripts/Run_Startup_Script_Sync
-
- -
- ADMX_Scripts/Run_Startup_Script_Visible
-
- -
- ADMX_Scripts/Run_User_PS_Scripts_First
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled
+```
+
-
-
-
-**ADMX_Scripts/Allow_Logon_Script_NetbiosDisabled**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes aren't configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer.
+
+
+This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer.
If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured.
-If you disable or don't configure this policy setting, user account cross-forest, interactive logging can't run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes aren't configured.
+If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Allow logon scripts when NetBIOS or WINS is disabled*
-- GP name: *Allow_Logon_Script_NetbiosDisabled*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Scripts/MaxGPOScriptWaitPolicy**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Allow_Logon_Script_NetbiosDisabled |
+| Friendly Name | Allow logon scripts when NetBIOS or WINS is disabled |
+| Location | Computer Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | Allow-LogonScript-NetbiosDisabled |
+| ADMX File Name | Scripts.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## MaxGPOScriptWaitPolicy
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/MaxGPOScriptWaitPolicy
+```
+
-
-
+
+
This policy setting determines how long the system waits for scripts applied by Group Policy to run.
-This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts haven't finished running when the specified time expires, the system stops script processing and records an error event.
+This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event.
If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0.
-This interval is important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the "Run logon scripts synchronously" setting to direct the system to wait for the logon scripts to complete before loading the desktop.
+This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the ""Run logon scripts synchronously"" setting to direct the system to wait for the logon scripts to complete before loading the desktop.
-An excessively long interval can delay the system and cause inconvenience to users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely.
+An excessively long interval can delay the system and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely.
-If you disable or don't configure this setting, the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This value is the default value.
+If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify maximum wait time for Group Policy scripts*
-- GP name: *MaxGPOScriptWaitPolicy*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Scripts/Run_Computer_PS_Scripts_First**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | MaxGPOScriptWaitPolicy |
+| Friendly Name | Specify maximum wait time for Group Policy scripts |
+| Location | Computer Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| ADMX File Name | Scripts.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## Run_Computer_PS_Scripts_First
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Computer_PS_Scripts_First
+```
+
-
-
+
+
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown.
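Review bot: in the MaxGPOScriptWaitPolicy description, the added line `+This interval is particularly important ...` wraps the setting name in doubled quotation marks (""Run logon scripts synchronously""), where the removed line had a single pair. This looks like an escaping artifact and will render literally, so collapse it to "Run logon scripts synchronously". The added default-value sentence also drops the comma after "this setting" ("If you disable or do not configure this setting the system lets ..."). The new ADMX mapping table for MaxGPOScriptWaitPolicy gives the registry key but no value name, which anyone verifying the timeout on a device would need. Finally, the new Scope/Editions/Applicable OS table for Run_Computer_PS_Scripts_First drops the Business row and the per-OS split the removed table had (Windows SE was No for Windows 10 and Yes for Windows 11). If that distinction still holds, state it, since the new table marks Windows SE as supported alongside Windows 10 builds.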
@@ -204,470 +179,338 @@ There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled i
GPO B and GPO C include the following computer startup scripts:
-- GPO B: B.cmd, B.ps1
-- GPO C: C.cmd, C.ps1
+GPO B: B.cmd, B.ps1
+GPO C: C.cmd, C.ps1
Assume also that there are two computers, DesktopIT and DesktopSales.
For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT:
-- Within GPO B: B.ps1, B.cmd
-- Within GPO C: C.ps1, C.cmd
+Within GPO B: B.ps1, B.cmd
+Within GPO C: C.ps1, C.cmd
For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for DesktopSales:
-- Within GPO B: B.cmd, B.ps1
-- Within GPO C: C.cmd, C.ps1
+Within GPO B: B.cmd, B.ps1
+Within GPO C: C.cmd, C.ps1
-> [!NOTE]
-> This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:
-> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup
-> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown
+Note: This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:
-
+Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup
+Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown
+
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Run Windows PowerShell scripts first at computer startup, shutdown*
-- GP name: *Run_Computer_PS_Scripts_First*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
+
+**Description framework properties**:
-
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**ADMX_Scripts/Run_Legacy_Logon_Script_Hidden**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | Run_Computer_PS_Scripts_First |
+| Friendly Name | Run Windows PowerShell scripts first at computer startup, shutdown |
+| Location | Computer Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | RunComputerPSScriptsFirst |
+| ADMX File Name | Scripts.admx |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * User
+
+## Run_Logon_Script_Sync_2
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
-This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier.
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_2
+```
+
-Logon scripts are batch files of instructions that run when the user logs on. By default, Windows displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it doesn't display logon scripts written for Windows.
-
-If you enable this setting, Windows doesn't display logon scripts written for Windows NT 4.0 and earlier.
-
-If you disable or don't configure this policy setting, Windows displays login scripts written for Windows NT 4.0 and earlier.
-
-Also, see the "Run Logon Scripts Visible" setting.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Run legacy logon scripts hidden*
-- GP name: *Run_Legacy_Logon_Script_Hidden*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
-
-
-
-
-
-
-**ADMX_Scripts/Run_Logoff_Script_Visible**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
-
-
-
-This policy setting displays the instructions in logoff scripts as they run.
-
-Logoff scripts are batch files of instructions that run when the user signs out. By default, the system doesn't display the instructions in the logoff script.
-
-If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.
-
-If you disable or don't configure this policy setting, the instructions are suppressed.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Display instructions in logoff scripts as they run*
-- GP name: *Run_Logoff_Script_Visible*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
-
-
-
-
-
-
-**ADMX_Scripts/Run_Logon_Script_Sync_1**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
-
-
-
+
+
This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
-If you enable this policy setting, File Explorer doesn't start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
+If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
-If you disable or don't configure this policy setting, the logon scripts and File Explorer aren't synchronized and can run simultaneously.
+If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously.
This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Run logon scripts synchronously*
-- GP name: *Run_Logon_Script_Sync_1*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Scripts/Run_Logon_Script_Sync_2**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Run_Logon_Script_Sync |
+| Friendly Name | Run logon scripts synchronously |
+| Location | Computer Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | RunLogonScriptSync |
+| ADMX File Name | Scripts.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## Run_Shutdown_Script_Visible
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Shutdown_Script_Visible
+```
+
-
-
-This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
-
-If you enable this policy setting, File Explorer doesn't start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
-
-If you disable or don't configure this policy setting, the logon scripts and File Explorer aren't synchronized and can run simultaneously.
-
-This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Run logon scripts synchronously*
-- GP name: *Run_Logon_Script_Sync_2*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
-
-
-
-
-
-
-**ADMX_Scripts/Run_Logon_Script_Visible**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * User
-
-
-
-
-
-This policy setting displays the instructions in logon scripts as they run.
-
-Logon scripts are batch files of instructions that run when the user logs on. By default, the system doesn't display the instructions in logon scripts.
-
-If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.
-
-If you disable or don't configure this policy setting, the instructions are suppressed.
-
-
-
-
-
-ADMX Info:
-- GP Friendly name: *Display instructions in logon scripts as they run*
-- GP name: *Run_Logon_Script_Visible*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
-
-
-
-
-
-
-**ADMX_Scripts/Run_Shutdown_Script_Visible**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting displays the instructions in shutdown scripts as they run.
-Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system doesn't display the instructions in the shutdown script.
+Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script.
If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window.
-If you disable or don't configure this policy setting, the instructions are suppressed.
+If you disable or do not configure this policy setting, the instructions are suppressed.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Display instructions in shutdown scripts as they run*
-- GP name: *Run_Shutdown_Script_Visible*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Scripts/Run_Startup_Script_Sync**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Run_Shutdown_Script_Visible |
+| Friendly Name | Display instructions in shutdown scripts as they run |
+| Location | Computer Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | HideShutdownScripts |
+| ADMX File Name | Scripts.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## Run_Startup_Script_Sync
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Sync
+```
+
-
-
+
+
This policy setting lets the system run startup scripts simultaneously.
Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script.
-If you enable this policy setting, the system doesn't coordinate the running of startup scripts. As a result, startup scripts can run simultaneously.
+If you enable this policy setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously.
-If you disable or don't configure this policy setting, a startup can't run until the previous script is complete.
+If you disable or do not configure this policy setting, a startup cannot run until the previous script is complete.
-> [!NOTE]
-> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the "Run startup scripts visible" policy setting is enabled or not.
+Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the ""Run startup scripts visible"" policy setting is enabled or not.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Run startup scripts asynchronously*
-- GP name: *Run_Startup_Script_Sync*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Scripts/Run_Startup_Script_Visible**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Run_Startup_Script_Sync |
+| Friendly Name | Run startup scripts asynchronously |
+| Location | Computer Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | RunStartupScriptSync |
+| ADMX File Name | Scripts.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## Run_Startup_Script_Visible
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Visible
+```
+
-
-
+
+
This policy setting displays the instructions in startup scripts as they run.
-Startup scripts are batch files of instructions that run before the user is invited to sign in. By default, the system doesn't display the instructions in the startup script.
+Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script.
If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users.
-If you disable or don't configure this policy setting, the instructions are suppressed.
+If you disable or do not configure this policy setting, the instructions are suppressed.
-> [!NOTE]
-> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not.
+Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Display instructions in startup scripts as they run*
-- GP name: *Run_Startup_Script_Visible*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Scripts/Run_User_PS_Scripts_First**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Run_Startup_Script_Visible |
+| Friendly Name | Display instructions in startup scripts as they run |
+| Location | Computer Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | HideStartupScripts |
+| ADMX File Name | Scripts.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## Run_User_PS_Scripts_First
-> [!div class = "checklist"]
-> * Device
-> * User
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First
+```
-
-
-This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user sign in and sign out. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First
+```
+
-If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user sign in and sign out.
+
+
+This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
+
+If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff.
For example, assume the following scenario:
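Review bot: the bulleted script lists and `> [!NOTE]` callouts are replaced by bare consecutive lines (for example `+GPO B: B.cmd, B.ps1` followed by `+GPO C: C.cmd, C.ps1`, and `+Note: ...` followed by the two `Computer Configuration\Policies\...` paths) with no list markers or blank lines between them, so Markdown will fold each pair into a single paragraph and the script-order example becomes hard to read. Keep the `- ` bullets and the NOTE callout here, and likewise for the notes under Run_Startup_Script_Sync and Run_Startup_Script_Visible. The Run_Startup_Script_Sync note also picks up doubled quotation marks around ""Run startup scripts visible"". In the ADMX mapping tables, Run_Logon_Script_Sync_2 now lists the name as Run_Logon_Script_Sync where the removed line had Run_Logon_Script_Sync_2; please confirm that is intended. Run_Shutdown_Script_Visible and Run_Startup_Script_Visible map to values named HideShutdownScripts and HideStartupScripts without saying which data value corresponds to Enabled, and a sentence on that would help anyone checking the setting in the registry.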
@@ -675,46 +518,320 @@ There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled i
GPO B and GPO C include the following user logon scripts:
-- GPO B: B.cmd, B.ps1
-- GPO C: C.cmd, C.ps1
+GPO B: B.cmd, B.ps1
+GPO C: C.cmd, C.ps1
Assume also that there are two users, Qin Hong and Tamara Johnston.
For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin:
-- Within GPO B: B.ps1, B.cmd
-- Within GPO C: C.ps1, C.cmd
+Within GPO B: B.ps1, B.cmd
+Within GPO C: C.ps1, C.cmd
For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara:
-- Within GPO B: B.cmd, B.ps1
-- Within GPO C: C.cmd, C.ps1
+Within GPO B: B.cmd, B.ps1
+Within GPO C: C.cmd, C.ps1
-> [!NOTE]
-> This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:
-> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon
-> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff
+Note: This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:
+
+User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon
+User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff
This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User Configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Run Windows PowerShell scripts first at user logon, logoff*
-- GP name: *Run_User_PS_Scripts_First*
-- GP path: *System\Scripts*
-- GP ADMX file name: *Scripts.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | Run_User_PS_Scripts_First |
+| Friendly Name | Run Windows PowerShell scripts first at user logon, logoff |
+| Location | Computer and User Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | RunUserPSScriptsFirst |
+| ADMX File Name | Scripts.admx |
+
-
+
+
+
-## Related topics
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
+
+## Run_Legacy_Logon_Script_Hidden
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Legacy_Logon_Script_Hidden
+```
+
+
+
+
+This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier.
+
+Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000.
+
+If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier.
+
+If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier.
+
+Also, see the "Run Logon Scripts Visible" setting.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Run_Legacy_Logon_Script_Hidden |
+| Friendly Name | Run legacy logon scripts hidden |
+| Location | User Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | HideLegacyLogonScripts |
+| ADMX File Name | Scripts.admx |
+
+
+
+
+
+
+
+
+
+## Run_Logoff_Script_Visible
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logoff_Script_Visible
+```
+
+
+
+
+This policy setting displays the instructions in logoff scripts as they run.
+
+Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script.
+
+If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.
+
+If you disable or do not configure this policy setting, the instructions are suppressed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Run_Logoff_Script_Visible |
+| Friendly Name | Display instructions in logoff scripts as they run |
+| Location | User Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | HideLogoffScripts |
+| ADMX File Name | Scripts.admx |
+
+
+
+
+
+
+
+
+
+## Run_Logon_Script_Sync_1
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_1
+```
+
+
+
+
+This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
+
+If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
+
+If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously.
+
+This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Run_Logon_Script_Sync |
+| Friendly Name | Run logon scripts synchronously |
+| Location | User Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | RunLogonScriptSync |
+| ADMX File Name | Scripts.admx |
+
+
+
+
+
+
+
+
+
+## Run_Logon_Script_Visible
+
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :x: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+
+```User
+./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Visible
+```
+
+
+
+
+This policy setting displays the instructions in logon scripts as they run.
+
+Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts.
+
+If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.
+
+If you disable or do not configure this policy setting, the instructions are suppressed.
+
+
+
+
+
+
+
+**Description framework properties**:
+
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
+
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+
+**ADMX mapping**:
+
+| Name | Value |
+|:--|:--|
+| Name | Run_Logon_Script_Visible |
+| Friendly Name | Display instructions in logon scripts as they run |
+| Location | User Configuration |
+| Path | System > Scripts |
+| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
+| Registry Value Name | HideLogonScripts |
+| ADMX File Name | Scripts.admx |
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
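
Review bot: In the ADMX mapping tables for `Run_Logon_Script_Visible` and the logoff policy above it, the Registry Value Name is `HideLogonScripts` / `HideLogoffScripts`, the inverse of the friendly name "Display instructions in ... scripts as they run", and nothing in these sections says what value data corresponds to enabled or disabled. Someone auditing `Software\Microsoft\Windows\CurrentVersion\Policies\System` from this page alone could read the state backwards, so please add a line to each section giving the data written for each state. Second, the `Run_Logon_Script_Sync_1` section maps to the ADMX name `Run_Logon_Script_Sync` without the suffix, and its description says the Computer Configuration setting takes precedence, yet the section only documents the `./User/...` path. A sentence explaining the `_1` suffix and a link to the device-scope counterpart would make the precedence statement actionable. Third, each TIP says the policy "requires SyncML format for configuration" but only links out; since every one of these nodes is `chr (string)`, one short enable/disable payload example per file would save a round trip. Style: the fences around the OMA-URI lines use `User` as the info string, which is not a language and will not highlight, and the runs of empty added lines between sections (for example before `## Run_Logon_Script_Sync_1` and before `## Related articles`) can be collapsed to a single blank line unless the generator needs them.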