deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

add admx_winlogon csp

Browse Source
This commit is contained in:
Aaron Czechowski 2022-12-21 12:03:39 -08:00
parent d2ea1bfe56
commit 0c4ee800a2
1 changed files with 361 additions and 306 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

663
windows/client-management/mdm/policy-csp-admx-winlogon.md
View File

@ -1,363 +1,418 @@
---
title: Policy CSP - ADMX_WinLogon
description: Policy CSP - ADMX_WinLogon
title: ADMX_WinLogon Policy CSP
description: Learn more about the ADMX_WinLogon Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 12/21/2022
ms.localizationpriority: medium
ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
author: vinaypamnani-msft
ms.date: 11/09/2020
ms.reviewer:
manager: aaroncz
ms.topic: reference
---
<!-- Auto-Generated CSP Document -->
<!-- ADMX_WinLogon-Begin -->
# Policy CSP - ADMX_WinLogon
>[!TIP]
> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
<!-- ADMX_WinLogon-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ADMX_WinLogon-Editable-End -->
<hr/>
<!-- DisplayLastLogonInfoDescription-Begin -->
## DisplayLastLogonInfoDescription
<!--Policies-->
## ADMX_WinLogon policies
<!-- DisplayLastLogonInfoDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- DisplayLastLogonInfoDescription-Applicability-End -->
<dl>
<dd>
<a href="#admx-winlogon-customshell">ADMX_WinLogon/CustomShell</a>
</dd>
<dd>
<a href="#admx-winlogon-displaylastlogoninfodescription">ADMX_WinLogon/DisplayLastLogonInfoDescription</a>
</dd>
<dd>
<a href="#admx-winlogon-logonhoursnotificationpolicydescription">ADMX_WinLogon/LogonHoursNotificationPolicyDescription</a>
</dd>
<dd>
<a href="#admx-winlogon-logonhourspolicydescription">ADMX_WinLogon/LogonHoursPolicyDescription</a>
</dd>
<dd>
<a href="#admx-winlogon-reportcachedlogonpolicydescription">ADMX_WinLogon/ReportCachedLogonPolicyDescription</a>
</dd>
<dd>
<a href="#admx-winlogon-softwaresasgeneration">ADMX_WinLogon/SoftwareSASGeneration</a>
</dd>
</dl>
<!-- DisplayLastLogonInfoDescription-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_WinLogon/DisplayLastLogonInfoDescription
```
<!-- DisplayLastLogonInfoDescription-OmaUri-End -->
<!-- DisplayLastLogonInfoDescription-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting controls whether or not the system displays information about previous logons and logon failures to the user.
<hr/>
For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful logon by that user, the date and time of the last unsuccessful logon attempted with that user name, and the number of unsuccessful logons since the last successful logon by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop.
<!--Policy-->
<a href="" id="admx-winlogon-customshell"></a>**ADMX_WinLogon/CustomShell**
For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows could not retrieve the information and the user will not be able to log on. Therefore, you should not enable this policy setting if the domain is not at the Windows Server 2008 domain functional level.
<!--SupportedSKUs-->
If you disable or do not configure this setting, messages about the previous logon or logon failures are not displayed.
<!-- DisplayLastLogonInfoDescription-Description-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- DisplayLastLogonInfoDescription-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- DisplayLastLogonInfoDescription-Editable-End -->
<!-- DisplayLastLogonInfoDescription-DFProperties-Begin -->
**Description framework properties**:
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface.
If you enable this setting, the system starts the interface you specify instead of Explorer.exe. To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file isn't located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file.
If you disable this setting or don't configure it, the setting is ignored and the system displays the Explorer interface.
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- DisplayLastLogonInfoDescription-DFProperties-End -->
<!-- DisplayLastLogonInfoDescription-AdmxBacked-Begin -->
> [!TIP]
> To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path.
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--/Description-->
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | DisplayLastLogonInfoDescription |
| Friendly Name | Display information about previous logons during user logon |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | DisplayLastLogonInfo |
| ADMX File Name | WinLogon.admx |
<!-- DisplayLastLogonInfoDescription-AdmxBacked-End -->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Custom User Interface*
- GP name: *CustomShell*
- GP path: *System*
- GP ADMX file name: *WinLogon.admx*
<!-- DisplayLastLogonInfoDescription-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- DisplayLastLogonInfoDescription-Examples-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!-- DisplayLastLogonInfoDescription-End -->
<!--Policy-->
<a href="" id="admx-winlogon-displaylastlogoninfodescription"></a>**ADMX_WinLogon/DisplayLastLogonInfoDescription**
<!-- ReportCachedLogonPolicyDescription-Begin -->
## ReportCachedLogonPolicyDescription
<!--SupportedSKUs-->
<!-- ReportCachedLogonPolicyDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- ReportCachedLogonPolicyDescription-Applicability-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- ReportCachedLogonPolicyDescription-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/ReportCachedLogonPolicyDescription
```
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_WinLogon/ReportCachedLogonPolicyDescription
```
<!-- ReportCachedLogonPolicyDescription-OmaUri-End -->
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether or not the system displays information about previous sign-ins and sign-in failures to the user.
For local user accounts and domain user accounts in domains of at least a Windows Server 2008 functional level, if you enable this setting, a message appears after the user logs on that displays the date and time of the last successful sign in by that user, the date and time of the last unsuccessful sign in attempted with that user name, and the number of unsuccessful logons since the last successful sign in by that user. This message must be acknowledged by the user before the user is presented with the Microsoft Windows desktop.
For domain user accounts in Windows Server 2003, Windows 2000 native, or Windows 2000 mixed functional level domains, if you enable this setting, a warning message will appear that Windows couldn't retrieve the information and the user won't be able to sign in. Therefore, you shouldn't enable this policy setting if the domain isn't at the Windows Server 2008 domain functional level.
If you disable or don't configure this setting, messages about the previous sign in or sign-in failures aren't displayed.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Display information about previous logons during user logon*
- GP name: *DisplayLastLogonInfoDescription*
- GP path: *Windows Components\Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-winlogon-logonhoursnotificationpolicydescription"></a>**ADMX_WinLogon/LogonHoursNotificationPolicyDescription**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether the signed-in user should be notified when their sign-in hours are about to expire. By default, a user is notified before sign-in hours expire, if actions have been set to occur when the sign-in hours expire.
If you enable this setting, warnings aren't displayed to the user before the sign-in hours expire.
If you disable or don't configure this setting, users receive warnings before the sign-in hours expire, if actions have been set to occur when the sign-in hours expire.
> [!NOTE]
> If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Remove logon hours expiration warnings*
- GP name: *LogonHoursNotificationPolicyDescription*
- GP path: *Windows Components\Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-winlogon-logonhourspolicydescription"></a>**ADMX_WinLogon/LogonHoursPolicyDescription**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls which action will be taken when the sign-in hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely.
If you choose to lock or disconnect a session, the user can't unlock the session or reconnect except during permitted sign-in hours.
If you choose to sign out a user, the user can't sign in again except during permitted sign-in hours. If you choose to sign out a user, the user might lose unsaved data. If you enable this setting, the system will perform the action you specify when the users sign-in hours expire.
If you disable or don't configure this setting, the system takes no action when the users sign-in hours expire. The user can continue the existing session, but can't sign in to a new session.
> [!NOTE]
> If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting.
<!--/Description-->
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Set action to take when logon hours expire*
- GP name: *LogonHoursPolicyDescription*
- GP path: *Windows Components\Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!--Policy-->
<a href="" id="admx-winlogon-reportcachedlogonpolicydescription"></a>**ADMX_WinLogon/ReportCachedLogonPolicyDescription**
<!--SupportedSKUs-->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!--/SupportedSKUs-->
<hr/>
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
> [!div class = "checklist"]
> * Device
> * User
<hr/>
<!--/Scope-->
<!--Description-->
This policy controls whether the signed-in user should be notified if the sign-in server couldn't be contacted during sign in and if they've been signed in using previously stored account information.
<!-- ReportCachedLogonPolicyDescription-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information.
If enabled, a notification popup will be displayed to the user when the user logs on with cached credentials.
If disabled or not configured, no pop up will be displayed to the user.
If disabled or not configured, no popup will be displayed to the user.
<!-- ReportCachedLogonPolicyDescription-Description-End -->
<!--/Description-->
<!-- ReportCachedLogonPolicyDescription-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- ReportCachedLogonPolicyDescription-Editable-End -->
<!-- ReportCachedLogonPolicyDescription-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Report when logon server was not available during user logon*
- GP name: *ReportCachedLogonPolicyDescription*
- GP path: *Windows Components\Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- ReportCachedLogonPolicyDescription-DFProperties-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!-- ReportCachedLogonPolicyDescription-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
<!--Policy-->
<a href="" id="admx-winlogon-softwaresasgeneration"></a>**ADMX_WinLogon/SoftwareSASGeneration**
**ADMX mapping**:
<!--SupportedSKUs-->
| Name | Value |
|:--|:--|
| Name | ReportCachedLogonPolicyDescription |
| Friendly Name | Report when logon server was not available during user logon |
| Location | Computer and User Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | ReportControllerMissing |
| ADMX File Name | WinLogon.admx |
<!-- ReportCachedLogonPolicyDescription-AdmxBacked-End -->
|Edition|Windows 10|Windows 11|
|--- |--- |--- |
|Home|No|No|
|Pro|Yes|Yes|
|Windows SE|No|Yes|
|Business|Yes|Yes|
|Enterprise|Yes|Yes|
|Education|Yes|Yes|
<!-- ReportCachedLogonPolicyDescription-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- ReportCachedLogonPolicyDescription-Examples-End -->
<!-- ReportCachedLogonPolicyDescription-End -->
<!--/SupportedSKUs-->
<hr/>
<!-- SoftwareSASGeneration-Begin -->
## SoftwareSASGeneration
<!--Scope-->
[Scope](./policy-configuration-service-provider.md#policy-scope):
<!-- SoftwareSASGeneration-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- SoftwareSASGeneration-Applicability-End -->
> [!div class = "checklist"]
> * Device
<!-- SoftwareSASGeneration-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_WinLogon/SoftwareSASGeneration
```
<!-- SoftwareSASGeneration-OmaUri-End -->
<hr/>
<!--/Scope-->
<!--Description-->
This policy setting controls whether the software can simulate the Secure Attention Sequence (SAS).
<!-- SoftwareSASGeneration-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS).
If you enable this policy setting, you have one of four options:
- If you set this policy setting to "None," user mode software can't simulate the SAS.
- If you set this policy setting to "Services," services can simulate the SAS.
- If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS.
- If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS.
If you set this policy setting to "None," user mode software cannot simulate the SAS.
If you set this policy setting to "Services," services can simulate the SAS.
If you set this policy setting to "Ease of Access applications," Ease of Access applications can simulate the SAS.
If you set this policy setting to "Services and Ease of Access applications," both services and Ease of Access applications can simulate the SAS.
If you disable or don't configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS.
If you disable or do not configure this setting, only Ease of Access applications running on the secure desktop can simulate the SAS.
<!-- SoftwareSASGeneration-Description-End -->
<!--/Description-->
<!-- SoftwareSASGeneration-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- SoftwareSASGeneration-Editable-End -->
<!-- SoftwareSASGeneration-DFProperties-Begin -->
**Description framework properties**:
<!--ADMXBacked-->
ADMX Info:
- GP Friendly name: *Disable or enable software Secure Attention Sequence*
- GP name: *SoftwareSASGeneration*
- GP path: *Windows Components\Windows Logon Options*
- GP ADMX file name: *WinLogon.admx*
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- SoftwareSASGeneration-DFProperties-End -->
<!--/ADMXBacked-->
<!--/Policy-->
<hr/>
<!-- SoftwareSASGeneration-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | SoftwareSASGenerationDescription |
| Friendly Name | Disable or enable software Secure Attention Sequence |
| Location | Computer Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| ADMX File Name | WinLogon.admx |
<!-- SoftwareSASGeneration-AdmxBacked-End -->
<!--/Policies-->
<!-- SoftwareSASGeneration-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- SoftwareSASGeneration-Examples-End -->
<!-- SoftwareSASGeneration-End -->
<!-- CustomShell-Begin -->
## CustomShell
<!-- CustomShell-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- CustomShell-Applicability-End -->
<!-- CustomShell-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/CustomShell
```
<!-- CustomShell-OmaUri-End -->
<!-- CustomShell-Description-Begin -->
<!-- Description-Source-ADMX -->
Specifies an alternate user interface.
The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. If you enable this setting, the system starts the interface you specify instead of Explorer.exe.
To use this setting, copy your interface program to a network share or to your system drive. Then, enable this setting, and type the name of the interface program, including the file name extension, in the Shell name text box. If the interface program file is not located in a folder specified in the Path environment variable for your system, enter the fully qualified path to the file.
If you disable this setting or do not configure it, the setting is ignored and the system displays the Explorer interface.
Tip: To find the folders indicated by the Path environment variable, click System Properties in Control Panel, click the Advanced tab, click the Environment Variables button, and then, in the System variables box, click Path.
<!-- CustomShell-Description-End -->
<!-- CustomShell-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- CustomShell-Editable-End -->
<!-- CustomShell-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- CustomShell-DFProperties-End -->
<!-- CustomShell-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | CustomShellPolicyDescription |
| Friendly Name | Custom User Interface |
| Location | User Configuration |
| Path | System |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| ADMX File Name | WinLogon.admx |
<!-- CustomShell-AdmxBacked-End -->
<!-- CustomShell-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- CustomShell-Examples-End -->
<!-- CustomShell-End -->
<!-- LogonHoursNotificationPolicyDescription-Begin -->
## LogonHoursNotificationPolicyDescription
<!-- LogonHoursNotificationPolicyDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- LogonHoursNotificationPolicyDescription-Applicability-End -->
<!-- LogonHoursNotificationPolicyDescription-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/LogonHoursNotificationPolicyDescription
```
<!-- LogonHoursNotificationPolicyDescription-OmaUri-End -->
<!-- LogonHoursNotificationPolicyDescription-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire.
If you enable this setting, warnings are not displayed to the user before the logon hours expire.
If you disable or do not configure this setting, users receive warnings before the logon hours expire, if actions have been set to occur when the logon hours expire.
Note: If you configure this setting, you might want to examine and appropriately configure the “Set action to take when logon hours expire” setting. If “Set action to take when logon hours expire” is disabled or not configured, the “Remove logon hours expiration warnings” setting will have no effect, and users receive no warnings about logon hour expiration
<!-- LogonHoursNotificationPolicyDescription-Description-End -->
<!-- LogonHoursNotificationPolicyDescription-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LogonHoursNotificationPolicyDescription-Editable-End -->
<!-- LogonHoursNotificationPolicyDescription-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- LogonHoursNotificationPolicyDescription-DFProperties-End -->
<!-- LogonHoursNotificationPolicyDescription-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | LogonHoursNotificationPolicyDescription |
| Friendly Name | Remove logon hours expiration warnings |
| Location | User Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | DontDisplayLogonHoursWarnings |
| ADMX File Name | WinLogon.admx |
<!-- LogonHoursNotificationPolicyDescription-AdmxBacked-End -->
<!-- LogonHoursNotificationPolicyDescription-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LogonHoursNotificationPolicyDescription-Examples-End -->
<!-- LogonHoursNotificationPolicyDescription-End -->
<!-- LogonHoursPolicyDescription-Begin -->
## LogonHoursPolicyDescription
<!-- LogonHoursPolicyDescription-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :x: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- LogonHoursPolicyDescription-Applicability-End -->
<!-- LogonHoursPolicyDescription-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/ADMX_WinLogon/LogonHoursPolicyDescription
```
<!-- LogonHoursPolicyDescription-OmaUri-End -->
<!-- LogonHoursPolicyDescription-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely.
If you choose to lock or disconnect a session, the user cannot unlock the session or reconnect except during permitted logon hours.
If you choose to log off a user, the user cannot log on again except during permitted logon hours. If you choose to log off a user, the user might lose unsaved data.
If you enable this setting, the system will perform the action you specify when the users logon hours expire.
If you disable or do not configure this setting, the system takes no action when the users logon hours expire. The user can continue the existing session, but cannot log on to a new session.
Note: If you configure this setting, you might want to examine and appropriately configure the “Remove logon hours expiration warnings” setting
<!-- LogonHoursPolicyDescription-Description-End -->
<!-- LogonHoursPolicyDescription-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- LogonHoursPolicyDescription-Editable-End -->
<!-- LogonHoursPolicyDescription-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- LogonHoursPolicyDescription-DFProperties-End -->
<!-- LogonHoursPolicyDescription-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | LogonHoursPolicyDescription |
| Friendly Name | Set action to take when logon hours expire |
| Location | User Configuration |
| Path | Windows Components > Windows Logon Options |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| ADMX File Name | WinLogon.admx |
<!-- LogonHoursPolicyDescription-AdmxBacked-End -->
<!-- LogonHoursPolicyDescription-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- LogonHoursPolicyDescription-Examples-End -->
<!-- LogonHoursPolicyDescription-End -->
<!-- ADMX_WinLogon-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- ADMX_WinLogon-CspMoreInfo-End -->
<!-- ADMX_WinLogon-End -->
## Related articles
[Policy configuration service provider](policy-configuration-service-provider.md)