From 09de6decc31bafdf1e54960adfd6128db1a5ba3b Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Mon, 17 Aug 2020 16:36:28 -0700 Subject: [PATCH] ADMX policy CSP-ciphersuiteorder --- .../mdm/policy-csp-admx-addremoveprograms.md | 954 +++++++++ .../mdm/policy-csp-admx-appcompat.md | 744 +++++++ .../mdm/policy-csp-admx-auditsettings.md | 119 ++ .../mdm/policy-csp-admx-ciphersuiteorder.md | 203 ++ .../mdm/policy-csp-admx-dnsclient.md | 1725 +++++++++++++++++ .../mdm/policy-csp-admx-eventforwarding.md | 200 ++ 6 files changed, 3945 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-addremoveprograms.md create mode 100644 windows/client-management/mdm/policy-csp-admx-appcompat.md create mode 100644 windows/client-management/mdm/policy-csp-admx-auditsettings.md create mode 100644 windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md create mode 100644 windows/client-management/mdm/policy-csp-admx-dnsclient.md create mode 100644 windows/client-management/mdm/policy-csp-admx-eventforwarding.md diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md new file mode 100644 index 0000000000..37cf49d46f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -0,0 +1,954 @@ +--- +title: Policy CSP - ADMX_AddRemovePrograms +description: Policy CSP - ADMX_AddRemovePrograms +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 08/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AddRemovePrograms + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## Policy CSP - ADMX_AddRemovePrograms + +
+
+ ADMX_AddRemovePrograms/DefaultCategory +
+
+ ADMX_AddRemovePrograms/NoAddFromCDorFloppy +
+
+ ADMX_AddRemovePrograms/NoAddFromInternet +
+
+ ADMX_AddRemovePrograms/NoAddFromNetwork +
+
+ ADMX_AddRemovePrograms/NoAddPage +
+
+ ADMX_AddRemovePrograms/NoAddRemovePrograms +
+
+ ADMX_AddRemovePrograms/NoChooseProgramsPage +
+
+ ADMX_AddRemovePrograms/NoRemovePage +
+
+ ADMX_AddRemovePrograms/NoServices +
+
+ ADMX_AddRemovePrograms/NoSupportInfo +
+
+ ADMX_AddRemovePrograms/NoWindowsSetupPage +
+
+ + +
+ + +**ADMX_AddRemovePrograms/DefaultCategory** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. + +To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. + +If you disable this setting or do not configure it, all programs (Category: All) are displayed when the "Add New Programs" page opens. You can use this setting to direct users to the programs they are most likely to need. + +> [!NOTE] +> This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Specify default category for Add New Programs* +- GP name: *DefaultCategory* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoAddFromCDorFloppy** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. + +If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. + +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the "Add a program from CD-ROM or floppy disk" option* +- GP name: *NoAddFromCDorFloppy* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoAddFromInternet** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. + +If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. + +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the "Add programs from Microsoft" option* +- GP name: *NoAddFromInternet* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoAddFromNetwork** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. + +If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. + +If you disable this setting or do not configure it, "Add programs from your network" is available to all users. + +> [!NOTE] +> If the "Hide Add New Programs page" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the "Add programs from your network" option* +- GP name: *NoAddFromNetwork* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoAddPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. + +If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Add New Programs page* +- GP name: *NoAddPage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoAddRemovePrograms** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. + +If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Add or Remove Programs* +- GP name: *NoAddRemovePrograms* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoChooseProgramsPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. + +If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide the Set Program Access and Defaults page* +- GP name: *NoChooseProgramsPage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoRemovePage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. + +If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Change or Remove Programs page* +- GP name: *NoRemovePage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoServices** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. + +If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. + +> [!NOTE] +> When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Go directly to Components Wizard* +- GP name: *NoServices* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoSupportInfo** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. + +If you disable this setting or do not configure it, the Support Info hyperlink appears. + +> [!NOTE] +> Not all programs provide a support information hyperlink. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Support Information* +- GP name: *NoSupportInfo* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +
+ + +**ADMX_AddRemovePrograms/NoWindowsSetupPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + + +Available in Windows 10 Insider Preview Build 20185. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. + +If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Hide Add/Remove Windows Components page* +- GP name: *NoWindowsSetupPage* +- GP path: *Control Panel/Add or Remove Programs* +- GP ADMX file name: *addremoveprograms.admx* + + + + + + + + + + + + + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md new file mode 100644 index 0000000000..da013a6e46 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -0,0 +1,744 @@ +--- +title: Policy CSP - ADMX_AppCompat +description: Policy CSP - ADMX_AppCompat +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 08/10/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AppCompat + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## Policy CSP - ADMX_AppCompat + +
+
+ ADMX_AppCompat/AppCompatPrevent16BitMach + +
+
+ ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage + +
+
+ ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry + +
+
+ ADMX_AppCompat/AppCompatTurnOffSwitchBack + +
+
+ ADMX_AppCompat/AppCompatTurnOffEngine + +
+
+ ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1 + +
+
+ ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2 + +
+
+ ADMX_AppCompat/AppCompatTurnOffUserActionRecord + +
+
+ ADMX_AppCompat/AppCompatTurnOffProgramInventory + +
+
+ + +
+ + +**ADMX_AppCompat/AppCompatPrevent16BitMach** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. + +You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. + +If the status is set to Enabled, the MS-DOS subsystem is prevented from running, which then prevents any 16-bit applications from running. In addition, any 32-bit applications with 16-bit installers or other 16-bit components cannot run. + +If the status is set to Disabled, the MS-DOS subsystem runs for all users on this computer. + +If the status is set to Not Configured, the OS falls back on a local policy set by the registry DWORD value **HKLM\System\CurrentControlSet\Control\WOW\DisallowedPolicyDefault**. If that value is non-0, this prevents all 16-bit applications from running. If that value is 0, 16-bit applications are allowed to run. If that value is also not present, on Windows 10 and above, the OS will launch the 16-bit application support control panel to allow an elevated administrator to make the decision; on Windows 7 and down-level, the OS will allow 16-bit applications to run. + +> [!NOTE] +> This setting appears only in Computer Configuration. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prevent access to 16-bit applications* +- GP name: *AppCompatPrevent16BitMach* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatRemoveProgramCompatPropPage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. + +The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. + +Enabling this policy setting removes the property page from the context-menus, but does not affect previous compatibility settings applied to application using this interface. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Remove Program Compatibility Property Page* +- GP name: *AppCompatRemoveProgramCompatPropPage* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffApplicationImpactTelemetry** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Application Telemetry engine in the system. + +Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. + +Turning Application Telemetry off by selecting "enable" will stop the collection of usage data. + +If the customer Experience Improvement program is turned off, Application Telemetry will be turned off regardless of how this policy is set. + +Disabling telemetry will take effect on any newly launched applications. To ensure that telemetry collection has stopped for all applications, please reboot your machine. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Application Telemetry* +- GP name: *AppCompatTurnOffApplicationImpactTelemetry* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffSwitchBack** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. The policy setting controls the state of the Switchback compatibility engine in the system. + +Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. + +Switchback is on by default. + +If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of compatibility of the applications they are using. + +If you disable or do not configure this policy setting, the Switchback will be turned on. + +Reboot the system after changing the setting to ensure that your system accurately reflects those changes. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off SwitchBack Compatibility Engine* +- GP name: *AppCompatTurnOffSwitchBack* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffEngine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the application compatibility engine in the system. + +The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. + +Turning off the application compatibility engine will boost system performance. However, this will degrade the compatibility of many popular legacy applications, and will not block known incompatible applications from installing. For example, this may result in a blue screen if an old anti-virus application is installed. + +The Windows Resource Protection and User Account Control features of Windows use the application compatibility engine to provide mitigations for application problems. If the engine is turned off, these mitigations will not be applied to applications and their installers and these applications may fail to install or run properly. + +This option is useful to server administrators who require faster performance and are aware of the compatibility of the applications they are using. It is particularly useful for a web server where applications may be launched several hundred times a second, and the performance of the loader is essential. + +> [!NOTE] +> Many system processes cache the value of this setting for performance reasons. If you make changes to this setting, reboot to ensure that your system accurately reflects those changes. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Application Compatibility Engine* +- GP name: *AppCompatTurnOffEngine* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_1** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Program Compatibility Assistant* +- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_1* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffProgramCompatibilityAssistant_2** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. + +If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. + +If you disable or do not configure this policy setting, the PCA will be turned on. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. + +> [!NOTE] +> The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Program Compatibility Assistant* +- GP name: *AppCompatTurnOffProgramCompatibilityAssistant_2* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffUserActionRecord** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of Steps Recorder. + +Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screen shots. Steps Recorder includes an option to turn on and off data collection. + +If you enable this policy setting, Steps Recorder will be disabled. + +If you disable or do not configure this policy setting, Steps Recorder will be enabled. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Steps Recorder* +- GP name: *AppCompatTurnOffUserActionRecord* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +
+ + +**ADMX_AppCompat/AppCompatTurnOffProgramInventory** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls the state of the Inventory Collector. + +The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. + +If you enable this policy setting, the Inventory Collector will be turned off and data will not be sent to Microsoft. Collection of installation data through the Program Compatibility Assistant is also disabled. + +If you disable or do not configure this policy setting, the Inventory Collector will be turned on. + +> [!NOTE] +> This policy setting has no effect if the Customer Experience Improvement Program is turned off. The Inventory Collector will be off. + + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off Inventory Collector* +- GP name: *AppCompatTurnOffProgramInventory* +- GP path: *Windows Components/Application Compatibility* +- GP ADMX file name: *AppCompat.admx* + + + + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-auditsettings.md b/windows/client-management/mdm/policy-csp-admx-auditsettings.md new file mode 100644 index 0000000000..2f91449316 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-auditsettings.md @@ -0,0 +1,119 @@ +--- +title: Policy CSP - ADMX_AuditSettings +description: Policy CSP - ADMX_AuditSettings +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/13/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_AuditSettings +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_AuditSettings policies + +
+
+ ADMX_AuditSettings/IncludeCmdLine +
+
+ + +
+ + +**ADMX_AuditSettings/IncludeCmdLine** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. + +If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied. + +If you disable or do not configure this policy setting, the process's command line information will not be included in Audit Process Creation events. + +Default is Not configured. + +> [!NOTE] +> When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information, such as passwords or user data. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Include command line in process creation events* +- GP name: *IncludeCmdLine* +- GP path: *System/Audit Process Creation* +- GP ADMX file name: *AuditSettings.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md new file mode 100644 index 0000000000..3e28f47950 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-ciphersuiteorder.md @@ -0,0 +1,203 @@ +--- +title: Policy CSP - ADMX_CipherSuiteOrder +description: Policy CSP - ADMX_CipherSuiteOrder +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_CipherSuiteOrder + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_CipherSuiteOrder policies + +
+
+ ADMX_CipherSuiteOrder/SSLCipherSuiteOrder +
+
+ ADMX_CipherSuiteOrder/SSLCurveOrder +
+
+ + +
+ + +**ADMX_CipherSuiteOrder/SSLCipherSuiteOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines the cipher suites used by the Secure Socket Layer (SSL). + +If you enable this policy setting, SSL cipher suites are prioritized in the order specified. + +If you disable or do not configure this policy setting, default cipher suite order is used. + +For information about supported cipher Suites, see [Cipher Suites in TLS/SSL (Schannel SSP)](http://go.microsoft.com/fwlink/?LinkId=517265). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *SSL Cipher Suite Order* +- GP name: *Functions* +- GP path: *Network/SSL Configuration Settings* +- GP ADMX file name: *CipherSuiteOrder.admx* + + + +
+ +
+ + +**ADMX_CipherSuiteOrder/SSLCurveOrder** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting determines the priority order of ECC curves used with ECDHE cipher suites. + +If you enable this policy setting, ECC curves are prioritized in the order specified. Enter one curve name per line. + +If you disable or do not configure this policy setting, the default ECC curve order is used. + +The default curve order is as follows: + +- curve25519 +- NistP256 +- NistP384 + +To see all the curves supported on the system, enter the following command: + +``` cmd +CertUtil.exe -DisplayEccCurve +``` + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *ECC Curve Order* +- GP name: *EccCurves* +- GP path: *Network/SSL Configuration Settings* +- GP ADMX file name: *CipherSuiteOrder.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-dnsclient.md b/windows/client-management/mdm/policy-csp-admx-dnsclient.md new file mode 100644 index 0000000000..0c26d32f23 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-dnsclient.md @@ -0,0 +1,1725 @@ +--- +title: Policy CSP - ADMX_DnsClient +description: Policy CSP - ADMX_DnsClient +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/12/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_DnsClient + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_DnsClient policies + +
+
+ ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries +
+
+ ADMX_DnsClient/DNS_AppendToMultiLabelName +
+
+ ADMX_DnsClient/DNS_Domain +
+
+ ADMX_DnsClient/DNS_DomainNameDevolutionLevel +
+
+ ADMX_DnsClient/DNS_IdnEncoding +
+
+ ADMX_DnsClient/DNS_IdnMapping +
+
+ ADMX_DnsClient/DNS_NameServer +
+
+ ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns +
+
+ ADMX_DnsClient/DNS_PrimaryDnsSuffix +
+
+ ADMX_DnsClient/DNS_RegisterAdapterName +
+
+ ADMX_DnsClient/DNS_RegisterReverseLookup +
+
+ ADMX_DnsClient/DNS_RegistrationEnabled +
+
+ ADMX_DnsClient/DNS_RegistrationOverwritesInConflict +
+
+ ADMX_DnsClient/DNS_RegistrationRefreshInterval +
+
+ ADMX_DnsClient/DNS_RegistrationTtl +
+
+ ADMX_DnsClient/DNS_SearchList +
+
+ ADMX_DnsClient/DNS_SmartMultiHomedNameResolution +
+
+ ADMX_DnsClient/DNS_SmartProtocolReorder +
+
+ ADMX_DnsClient/DNS_UpdateSecurityLevel +
+
+ ADMX_DnsClient/DNS_UpdateTopLevelDomainZones +
+
+ ADMX_DnsClient/DNS_UseDomainNameDevolution +
+
+ ADMX_DnsClient/Turn_Off_Multicast +
+
+ + +
+ + +**ADMX_DnsClient/DNS_AllowFQDNNetBiosQueries** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. + +If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names. + +If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow NetBT queries for fully qualified domain names* +- GP name: *DNS_AllowFQDNNetBiosQueries* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + +
+ + +**ADMX_DnsClient/DNS_AppendToMultiLabelName** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that computers may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries if the original name query fails. + +A name containing dots, but not dot-terminated, is called an unqualified multi-label name, for example "server.corp" is an unqualified multi-label name. The name "server.corp.contoso.com." is an example of a fully qualified name because it contains a terminating dot. + +For example, if attaching suffixes is allowed, an unqualified multi-label name query for "server.corp" will be queried by the DNS client first. If the query succeeds, the response is returned to the client. If the query fails, the unqualified multi-label name is appended with DNS suffixes. These suffixes can be derived from a combination of the local DNS client's primary domain suffix, a connection-specific domain suffix, and a DNS suffix search list. + +If attaching suffixes is allowed, and a DNS client with a primary domain suffix of "contoso.com" performs a query for "server.corp" the DNS client will send a query for "server.corp" first, and then a query for "server.corp.contoso.com." second if the first query fails. + +If you enable this policy setting, suffixes are allowed to be appended to an unqualified multi-label name if the original name query fails. + +If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails. + +If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Allow DNS suffix appending to unqualified multi-label name queries* +- GP name: *DNS_AppendToMultiLabelName* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_Domain** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. + +If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Connection-specific DNS suffix* +- GP name: *DNS_Domain* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_DomainNameDevolutionLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the devolution level that DNS clients will use if they perform primary DNS suffix devolution during the name resolution process. + +With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. + +The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. + +Devolution is not enabled if a global suffix search list is configured using Group Policy. + +If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: + +- The primary DNS suffix, as specified on the Computer Name tab of the System control panel. +- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. + +For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. + +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. + +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two. + +If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify. + +If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Primary DNS suffix devolution level* +- GP name: *DNS_DomainNameDevolutionLevel* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_IdnEncoding** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. + +If this policy setting is enabled, IDNs are not converted to Punycode. + +If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off IDN encoding* +- GP name: *DNS_IdnEncoding* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_IdnMapping** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. + +If this policy setting is enabled, IDNs are converted to the Nameprep form. + +If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *IDN mapping* +- GP name: *DNS_IdnMapping* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_NameServer** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. + +To use this policy setting, click Enabled, and then enter a space-delimited list of IP addresses in the available field. To use this policy setting, you must enter at least one IP address. + +If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *DNS servers* +- GP name: *DNS_NameServer* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_PreferLocalResponsesOverLowerOrderDns** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). + +If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. + +If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. + +> [!NOTE] +> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Prefer link local responses over DNS when received over a network with higher precedence* +- GP name: *DNS_PreferLocalResponsesOverLowerOrderDns* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + + +
+ + +**ADMX_DnsClient/DNS_PrimaryDnsSuffix** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the primary DNS suffix used by computers in DNS name registration and DNS name resolution. + +To use this policy setting, click Enabled and enter the entire primary DNS suffix you want to assign. For example: microsoft.com. + +> [!IMPORTANT] +> In order for changes to this policy setting to be applied on computers that receive it, you must restart Windows. + +If you enable this policy setting, it supersedes the primary DNS suffix configured in the DNS Suffix and NetBIOS Computer Name dialog box using the System control panel. + +You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix. + +If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Primary DNS suffix* +- GP name: *DNS_PrimaryDnsSuffix* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegisterAdapterName** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if a computer performing dynamic DNS registration will register A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of its computer name and the primary DNS suffix. + +By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com. + +If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting. + +For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled. + +Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled. + +If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Register DNS records with connection-specific DNS suffix* +- GP name: *DNS_RegisterAdapterName* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegisterReverseLookup** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS client computers will register PTR resource records. + +By default, DNS clients configured to perform dynamic DNS registration will attempt to register PTR resource record only if they successfully registered the corresponding A resource record. + +If you enable this policy setting, registration of PTR records will be determined by the option that you choose under Register PTR records. + +To use this policy setting, click Enabled, and then select one of the following options from the drop-down list: + +- Do not register: Computers will not attempt to register PTR resource records +- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful. +- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Register PTR records* +- GP name: *DNS_RegisterReverseLookup* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegistrationEnabled** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server. + +If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled. + +If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Dynamic update* +- GP name: *DNS_RegistrationEnabled* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegistrationOverwritesInConflict** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. + +This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers. + +During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address. + +If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update. + +If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Replace addresses in conflicts* +- GP name: *DNS_RegistrationOverwritesInConflict* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegistrationRefreshInterval** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates. + +Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records. + +> [!WARNING] +> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records. + +To specify the registration refresh interval, click Enabled and then enter a value of 1800 or greater. The value that you specify is the number of seconds to use for the registration refresh interval. For example, 1800 seconds is 30 minutes. + +If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Registration refresh interval* +- GP name: *DNS_RegistrationRefreshInterval* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_RegistrationTtl** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. + +To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). + +If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *TTL value for A and PTR records* +- GP name: *DNS_RegistrationTtl* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_SearchList** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. + +An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com." + +Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com." + +To use this policy setting, click Enabled, and then enter a string value representing the DNS suffixes that should be appended to single-label names. You must specify at least one suffix. Use a comma-delimited string, such as "microsoft.com,serverua.microsoft.com,office.microsoft.com" to specify multiple suffixes. + +If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried. + +If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *DNS suffix search list* +- GP name: *DNS_SearchList* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_SmartMultiHomedNameResolution** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. + +If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. + +If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off smart multi-homed name resolution* +- GP name: *DNS_SmartMultiHomedNameResolution* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_SmartProtocolReorder** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). + +If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. + +If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. + +> [!NOTE] +> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off smart protocol reordering* +- GP name: *DNS_SmartProtocolReorder* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_UpdateSecurityLevel** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies the security level for dynamic DNS updates. + +To use this policy setting, click Enabled and then select one of the following values: + +- Unsecure followed by secure - computers send secure dynamic updates only when nonsecure dynamic updates are refused. +- Only unsecure - computers send only nonsecure dynamic updates. +- Only secure - computers send only secure dynamic updates. + +If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting. + +If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Update security level* +- GP name: *DNS_UpdateSecurityLevel* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_UpdateTopLevelDomainZones** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if computers may send dynamic updates to zones with a single label name. These zones are also known as top-level domain zones, for example: "com." + +By default, a DNS client that is configured to perform dynamic DNS update will update the DNS zone that is authoritative for its DNS resource records unless the authoritative zone is a top-level domain or root zone. + +If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone. + +If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Update top level domain zones* +- GP name: *DNS_UpdateTopLevelDomainZones* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/DNS_UseDomainNameDevolution** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies if the DNS client performs primary DNS suffix devolution during the name resolution process. + +With devolution, a DNS client creates queries by appending a single-label, unqualified domain name with the parent suffix of the primary DNS suffix name, and the parent of that suffix, and so on, stopping if the name is successfully resolved or at a level determined by devolution settings. Devolution can be used when a user or application submits a query for a single-label domain name. + +The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box. + +Devolution is not enabled if a global suffix search list is configured using Group Policy. + +If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries: + +The primary DNS suffix, as specified on the Computer Name tab of the System control panel. + +Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection. + +For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server. + +If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server. + +For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two. + +If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + +If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Primary DNS suffix devolution* +- GP name: *DNS_UseDomainNameDevolution* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +
+ + +**ADMX_DnsClient/Turn_Off_Multicast** + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers. + +LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. + +If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. + +If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Turn off multicast name resolution* +- GP name: *Turn_Off_Multicast* +- GP path: *Network/DNS Client* +- GP ADMX file name: *DnsClient.admx* + + + + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + + diff --git a/windows/client-management/mdm/policy-csp-admx-eventforwarding.md b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md new file mode 100644 index 0000000000..b964fbde10 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-eventforwarding.md @@ -0,0 +1,200 @@ +--- +title: Policy CSP - ADMX_EventForwarding +description: Policy CSP - ADMX_EventForwarding +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.date: 08/17/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_EventForwarding + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_EventForwarding policies + +
+
+ ADMX_EventForwarding/ForwarderResourceUsage +
+
+ ADMX_EventForwarding/SubscriptionManager +
+
+ + +
+ + +**ADMX_EventForwarding/ForwarderResourceUsage** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting controls resource usage for the forwarder (source computer) by controlling the events/per second sent to the Event Collector. + +If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source computer. This may be required in high volume environments. + +If you disable or do not configure this policy setting, forwarder resource usage is not specified. + +This setting applies across all subscriptions for the forwarder (source computer). + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure forwarder resource usage* +- GP name: *MaxForwardingRate* +- GP path: *Windows Components/Event Forwarding* +- GP ADMX file name: *EventForwarding.admx* + + + +
+ +
+ + +**ADMX_EventForwarding/SubscriptionManager** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark
Businesscheck mark
Enterprisecheck mark
Educationcheck mark
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10 Insider Preview Build 20185. This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. + +If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Fully Qualified Domain Name) or IP Address and request subscription specifics. + +Use the following syntax when using the HTTPS protocol: + +``` syntax + +Server=https://:5986/wsman/SubscriptionManager/WEC,Refresh=,IssuerCA=. +``` + +When using the HTTP protocol, use port 5985. + +If you disable or do not configure this policy setting, the Event Collector computer will not be specified. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP English name: *Configure target Subscription Manager* +- GP name: *SubscriptionManager* +- GP path: *Windows Components/Event Forwarding* +- GP ADMX file name: *EventForwarding.admx* + + + +
+ +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. + + +