From 368182715e4a83c1bc1fa7dd47d85bbff9067910 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 21 Mar 2022 17:34:23 +0530 Subject: [PATCH] Acrolinx enhancement effort --- .../mdm/policy-csp-admx-terminalserver.md | 396 +++++++++--------- .../mdm/policy-csp-admx-touchinput.md | 20 +- .../mdm/policy-csp-admx-tpm.md | 48 +-- .../mdm/policy-csp-admx-userprofiles.md | 42 +- .../mdm/policy-csp-admx-w32time.md | 24 +- 5 files changed, 265 insertions(+), 265 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index a1920a3b5e..9dedd54d73 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md @@ -331,7 +331,7 @@ This policy specifies whether to allow Remote Desktop Connection clients to auto By default, a maximum of 20 reconnection attempts are made at five-second intervals. If the status is set to Enabled, automatic reconnection is attempted for all clients running Remote Desktop Connection whenever their network connection is lost. -If the status is set to Disabled, automatic reconnection of clients is prohibited. If the status is set to Not Configured, automatic reconnection is not specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. +If the status is set to Disabled, automatic reconnection of clients is prohibited. If the status is set to Not Configured, automatic reconnection isn't specified at the Group Policy level. However, users can configure automatic reconnection using the "Reconnect if connection is dropped" checkbox on the Experience tab in Remote Desktop Connection. @@ -376,9 +376,9 @@ ADMX Info: This policy setting lets you control the redirection of video capture devices to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of video capture devices. -If you enable this policy setting, users cannot redirect their video capture devices to the remote computer. +If you enable this policy setting, users can't redirect their video capture devices to the remote computer. -If you disable or do not configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. +If you disable or don't configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. @@ -425,9 +425,9 @@ This policy setting allows you to specify the name of the certificate template t A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. -If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. +If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate hasn't been selected. -If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. +If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. If you disable or don't configure this policy, the certificate template name isn't specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. >[!NOTE] >If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. @@ -500,11 +500,11 @@ ADMX Info: This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. -This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). +This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying a .rdp file). -If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. +If you enable or don't configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. +If you disable this policy setting, users can't run .rdp files that are signed with a valid certificate. Additionally, users can't start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. >[!NOTE] >You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. @@ -551,11 +551,11 @@ ADMX Info: This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. -This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). +This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying a .rdp file). -If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. +If you enable or don't configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. +If you disable this policy setting, users can't run .rdp files that are signed with a valid certificate. Additionally, users can't start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. >[!NOTE] >You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. @@ -603,9 +603,9 @@ ADMX Info: This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. -If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. +If you enable or don't configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. +If you disable this policy setting, users can't run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. @@ -650,9 +650,9 @@ ADMX Info: This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. -If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. +If you enable or don't configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. +If you disable this policy setting, users can't run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. @@ -699,11 +699,11 @@ This policy setting allows you to specify whether users can redirect the remote Users can specify where to play the remote computer's audio output by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). Users can choose to play the remote audio on the remote computer or on the local computer. Users can also choose to not play the audio. Video playback can be configured by using the video playback setting in a Remote Desktop Protocol (.rdp) file. By default, video playback is enabled. -By default, audio and video playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. +By default, audio and video playback redirection isn't allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. If you enable this policy setting, audio and video playback redirection is allowed. -If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level. +If you disable this policy setting, audio and video playback redirection isn't allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. If you don't configure this policy setting, audio and video playback redirection isn't specified at the Group Policy level. @@ -748,11 +748,11 @@ ADMX Info: This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources tab in Remote Desktop Connection (RDC). -Users can record audio by using an audio input device on the local computer, such as a built-in microphone. By default, audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. +Users can record audio by using an audio input device on the local computer, such as a built-in microphone. By default, audio recording redirection isn't allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. If you enable this policy setting, audio recording redirection is allowed. -If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level. +If you disable this policy setting, audio recording redirection isn't allowed, even if audio recording redirection is specified in RDC. If you don't configure this policy setting, Audio recording redirection isn't specified at the Group Policy level. @@ -795,7 +795,7 @@ ADMX Info: -This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. +This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. If you enable this policy setting, you must select one of the following values: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This audio transmission requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. @@ -803,7 +803,7 @@ For example, if the audio playback quality configured on the client computer is Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic. -If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic. +If you disable or don't configure this policy setting, audio playback quality will be set to Dynamic. @@ -850,11 +850,11 @@ This policy setting specifies whether to prevent the sharing of Clipboard conten You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. -If you enable this policy setting, users cannot redirect Clipboard data. +If you enable this policy setting, users can't redirect Clipboard data. If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. -If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. +If you don't configure this policy setting, Clipboard redirection isn't specified at the Group Policy level. @@ -899,13 +899,13 @@ ADMX Info: This policy setting specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. -You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. +You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they're logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. -If you enable this policy setting, users cannot redirect server data to the local COM port. +If you enable this policy setting, users can't redirect server data to the local COM port. If you disable this policy setting, Remote Desktop Services always allows COM port redirection. -If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. +If you don't configure this policy setting, COM port redirection isn't specified at the Group Policy level. @@ -956,7 +956,7 @@ If you enable this policy setting, the default printer is the printer specified If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. -If you do not configure this policy setting, the default printer is not specified at the Group Policy level. +If you don't configure this policy setting, the default printer isn't specified at the Group Policy level. @@ -1001,7 +1001,7 @@ ADMX Info: This policy setting specifies whether the Remote Desktop Connection can use hardware acceleration if supported hardware is available. -If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you have a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you will know that there are additional issues to investigate. +If you use this setting, the Remote Desktop Client will use only software decoding. For example, if you've a problem that you suspect may be related to hardware acceleration, use this setting to disable the acceleration; then, if the problem still occurs, you'll know that there are more issues to investigate. If you disable this setting or leave it not configured, the Remote Desktop client will use hardware accelerated decoding if supported hardware is available. @@ -1048,7 +1048,7 @@ ADMX Info: This policy specifies whether to allow Remote Desktop Connection Controls whether a user can save passwords using Remote Desktop Connection. -If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file using Remote Desktop Connection and saves his settings, any password that previously existed in the RDP file will be deleted. +If you enable this setting, the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When users open an RDP file using Remote Desktop Connection and save their settings, any password that previously existed in the RDP file will be deleted. If you disable this setting or leave it not configured, the user will be able to save passwords using Remote Desktop Connection @@ -1095,9 +1095,9 @@ ADMX Info: This policy setting specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. -If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. +If you enable this policy setting, users in a Remote Desktop Services session can't redirect server data to the local LPT port. -If you disable this policy setting, LPT port redirection is always allowed. If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level. +If you disable this policy setting, LPT port redirection is always allowed. If you don't configure this policy setting, LPT port redirection isn't specified at the Group Policy level. @@ -1140,11 +1140,11 @@ ADMX Info: -This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices. +This policy setting lets you control the redirection of supported Plug and Play and RemoteFX USB devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services doesn't allow redirection of supported Plug and Play and RemoteFX USB devices. If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. -If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer.If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. +If you enable this policy setting, users can't redirect their supported Plug and Play devices to the remote computer. If you don't configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it's running Windows Server 2012 R2 and earlier versions. >[!NOTE] >You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. @@ -1192,11 +1192,11 @@ ADMX Info: This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping. -If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. +If you enable this policy setting, users can't redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. If you disable this policy setting, users can redirect print jobs with client printer mapping. -If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. +If you don't configure this policy setting, client printer mapping isn't specified at the Group Policy level. @@ -1241,16 +1241,16 @@ ADMX Info: This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. +If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user doesn't receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. -If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. +If you disable or don't configure this policy setting, no publisher is treated as a trusted .rdp publisher. >[!NOTE] >You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. -This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that is not a certificate thumbprint, it is ignored. +This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that isn't a certificate thumbprint, it's ignored. @@ -1295,16 +1295,16 @@ ADMX Info: This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. +If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user doesn't receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. -If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. +If you disable or don't configure this policy setting, no publisher is treated as a trusted .rdp publisher. >[!NOTE] >You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user. -This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that is not a certificate thumbprint, it is ignored. +This policy setting overrides the behavior of the "Allow .rdp files from valid publishers and user's default .rdp settings" policy setting. If the list contains a string that isn't a certificate thumbprint, it's ignored. @@ -1351,7 +1351,7 @@ This policy setting specifies whether the UDP protocol will be used to access se If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. -If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. +If you disable or don't configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. @@ -1398,15 +1398,15 @@ This policy setting allows you to specify the maximum color resolution (color de If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. -If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. +If you disable or don't configure this policy setting, the color depth for connections isn't specified at the Group Policy level. >[!NOTE] > 1. Setting the color depth to 24 bits is only supported on Windows Server 2003 and Windows XP Professional. ->2. The value specified in this policy setting is not applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. +>2. The value specified in this policy setting isn't applied to connections from client computers that are using at least Remote Desktop Protocol 8.0 (computers running at least Windows 8 or Windows Server 2012). The 32-bit color depth format is always used for these connections. >3. For connections from client computers that are using Remote Desktop Protocol 7.1 or earlier versions that are connecting to computers running at least Windows 8 or Windows Server 2012, the minimum of the following values is used as the color depth format: > - a. Value specified by this policy setting > - b. Maximum color depth supported by the client -> - c. Value requested by the client If the client does not support at least 16 bits, the connection is terminated. +> - c. Value requested by the client If the client doesn't support at least 16 bits, the connection is terminated. @@ -1456,9 +1456,9 @@ This policy setting allows you to limit the size of the entire roaming user prof If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. -When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. +When the size of the entire roaming user profile cache exceeds the maximum size that you've specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. -If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. +If you disable or don't configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. Note: This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. @@ -1503,7 +1503,7 @@ ADMX Info: This policy specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services. -You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default, Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2003 do not display wallpaper by default to Remote Desktop Services sessions. +You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default, Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop, depending on the client configuration (see the Experience tab in the Remote Desktop Connection options for more information). Servers running Windows Server 2003 don't display wallpaper by default to Remote Desktop Services sessions. If the status is set to Enabled, wallpaper never appears in a Remote Desktop Services session. @@ -1553,10 +1553,10 @@ This policy setting enables system administrators to change the graphics renderi If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. -If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. +If you don't configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. >[!NOTE] ->The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affected by this policy setting. +>The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session isn't affected by this policy setting. @@ -1601,9 +1601,9 @@ ADMX Info: This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. -If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. +If you enable or don't configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver can't be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server doesn't have a printer driver that matches the client printer, the client printer isn't available for the Remote Desktop session. -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. +If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server doesn't have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver can't be used, the client printer isn't available for the Remote Desktop Services session. >[!NOTE] >If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. @@ -1651,9 +1651,9 @@ ADMX Info: This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. -If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. +If you enable or don't configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver can't be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server doesn't have a printer driver that matches the client printer, the client printer isn't available for the Remote Desktop session. -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. +If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server doesn't have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver can't be used, the client printer isn't available for the Remote Desktop Services session. >[!NOTE] >If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. @@ -1707,7 +1707,7 @@ If you enable this policy setting, RemoteFX will be used to deliver a rich user If you disable this policy setting, RemoteFX will be disabled. -If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. +If you don't configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. @@ -1750,16 +1750,16 @@ ADMX Info: -This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. +This policy setting allows you to specify the RD Session Host server fallback printer driver behavior. By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server doesn't have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. -If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: +If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one isn't found, the client's printer isn't available. You can choose to change this default behavior. The available options are: -- **Do nothing if one is not found** - If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior. +- **Do nothing if one is not found** - If there's a printer driver mismatch, the server will attempt to find a suitable driver. If one isn't found, the client's printer isn't available. This behavior is the default behavior. - **Default to PCL if one is not found** - If no suitable printer driver can be found, default to the Printer Control Language (PCL) fallback printer driver. - **Default to PS if one is not found**- If no suitable printer driver can be found, default to the PostScript (PS) fallback printer driver. - **Show both PCL and PS if one is not found**- If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. -If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. If you do not configure this policy setting, the fallback printer driver behavior is off by default. +If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server won't attempt to use the fallback printer driver. If you don't configure this policy setting, the fallback printer driver behavior is off by default. >[!NOTE] >If the **Do not allow client printer redirection** setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. @@ -1805,11 +1805,11 @@ ADMX Info: -This policy setting determines whether an administrator attempting to connect remotely to the console of a server can log off an administrator currently logged on to the console. This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. +This policy setting determines whether an administrator attempting to connect remotely to the console of a server can sign out an administrator currently signed in to the console. This policy is useful when the currently connected administrator doesn't want to be signed out by another administrator. If the connected administrator is signed out, any data not previously saved is lost. -If you enable this policy setting, logging off the connected administrator is not allowed. +If you enable this policy setting, signing out the connected administrator isn't allowed. -If you disable or do not configure this policy setting, logging off the connected administrator is allowed. +If you disable or don't configure this policy setting, signing out the connected administrator is allowed. >[!NOTE] >The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. @@ -1854,17 +1854,17 @@ ADMX Info: -If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. +If you enable this policy setting, when Remote Desktop Connection can't connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. You can enforce this policy setting or you can allow users to overwrite this setting. -By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. +By default, when you enable this policy setting, it's enforced. When this policy setting is enforced, users can't override this setting, even if they select the "Use these RD Gateway server settings" option on the client. To enforce this policy setting, you must also specify the address of the RD Gateway server by using the "Set RD Gateway server address" policy setting, or client connection attempts to any remote computer will fail, if the client can't connect directly to the remote computer. -To enhance security, it is also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you do not specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. +To enhance security, it's also highly recommended that you specify the authentication method by using the "Set RD Gateway authentication method" policy setting. If you don't specify an authentication method by using this policy setting, either the NTLM protocol that is enabled on the client or a smart card can be used. To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. -When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. +When you enable this setting, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users don't specify a connection method, the connection method that you specify in this policy setting is used by default. -If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. +If you disable or don't configure this policy setting, clients won't use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. @@ -1908,11 +1908,11 @@ ADMX Info: This policy specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. -By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. +By default, when you enable this policy setting, it's enforced. When this policy setting is enforced, users can't override this setting, even if they select the "Use these RD Gateway server settings" option on the client. -To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. +To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you enable this setting, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users don't specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. -If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. +If you disable or don't configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method isn't specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. @@ -1957,17 +1957,17 @@ ADMX Info: This policy specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. -By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. +By default, when you enable this policy setting, it's enforced. When this policy setting is enforced, users can't override this setting, even if they select the "Use these RD Gateway server settings" option on the client. >[!NOTE] ->It is highly recommended that you also specify the authentication method by using the **Set RD Gateway authentication method** policy setting. If you do not specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. +>It's highly recommended that you also specify the authentication method by using the **Set RD Gateway authentication method** policy setting. If you don't specify an authentication method by using this setting, either the NTLM protocol that is enabled on the client or a smart card can be used. To allow users to overwrite the **Set RD Gateway server address** policy setting and connect to another RD Gateway server, you must select the **Allow users to change this setting** check box and users will be allowed to specify an alternate RD Gateway server. -Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. +Users can specify an alternative RD Gateway server by configuring settings on the client, using an RDP file, or using an HTML script. If users don't specify an alternate RD Gateway server, the server that you specify in this policy setting is used by default. >[!NOTE] ->If you disable or do not configure this policy setting, but enable the **Enable connections through RD Gateway** policy setting, client connection attempts to any remote computer will fail, if the client cannot connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. +>If you disable or don't configure this policy setting, but enable the **Enable connections through RD Gateway** policy setting, client connection attempts to any remote computer will fail, if the client can't connect directly to the remote computer. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. @@ -2013,9 +2013,9 @@ This policy setting allows you to specify whether the RD Session Host server sho If the policy setting is enabled, the RD Session Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting. -If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. +If you disable this policy setting, the server doesn't join a farm in RD Connection Broker, and user session tracking isn't performed. If the policy setting is disabled, you can't use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. -If the policy setting is not configured, the policy setting is not specified at the Group Policy level. +If the policy setting isn't configured, the policy setting isn't specified at the Group Policy level. >[!NOTE] >1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. @@ -2064,11 +2064,11 @@ ADMX Info: This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is consistent with the client state. -After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. +After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client signs in to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. -If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state. +If you disable or don't configure this policy setting, a keep-alive interval isn't set and the server won't check the session state. @@ -2117,7 +2117,7 @@ You can use this policy setting to control which RD Session Host servers are iss If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. By default, the RDS Endpoint Servers group is empty. -If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. +If you disable or don't configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group isn't deleted or changed in any way by disabling or not configuring this policy setting. >[!NOTE] >You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. @@ -2165,13 +2165,13 @@ ADMX Info: This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers. -If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. +If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers can't be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: 1. Remote Desktop license servers that are published in Active Directory Domain Services. 2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. -1If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level. +1If you disable or don't configure this policy setting, the RD Session Host server doesn't specify a license server at the Group Policy level. @@ -2216,11 +2216,11 @@ ADMX Info: This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with RD Licensing that affect the RD Session Host server. -By default, notifications are displayed on an RD Session Host server after you log on as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. +By default, notifications are displayed on an RD Session Host server after you sign in as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. -If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. +If you enable this policy setting, these notifications won't be displayed on the RD Session Host server. -If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator. +If you disable or don't configure this policy setting, these notifications will be displayed on the RD Session Host server after you sign in as a local administrator. @@ -2265,14 +2265,14 @@ ADMX Info: This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is required to connect to this RD Session Host server. -You can use this policy setting to select one of three licensing modes: Per User , Per Device and AAD Per User . +You can use this policy setting to select one of three licensing modes: Per User, Per Device, and AAD Per User. - Per User licensing mode requires that each user account connecting to this RD Session Host server have an RDS Per User CAL issued from an RD Licensing server. - Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from an RD Licensing server. - AAD Per User licensing mode requires that each user account connecting to this RD Session Host server have a service plan that supports RDS licenses assigned in AAD. If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. -If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level. +If you disable or don't configure this policy setting, the licensing mode isn't specified at the Group Policy level. @@ -2315,7 +2315,7 @@ ADMX Info: -This policy specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, additional users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. +This policy specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, other users who try to connect receive an error message telling them that the server is busy and to try again later. Restricting the number of sessions improves performance because fewer sessions are demanding system resources. By default, RD Session Host servers allow an unlimited number of Remote Desktop Services sessions, and Remote Desktop for Administration allows two Remote Desktop Services sessions. @@ -2323,7 +2323,7 @@ To use this setting, enter the number of connections you want to specify as the If the status is set to Enabled, the maximum number of connections is limited to the specified number consistent with the version of Windows and the mode of Remote Desktop Services running on the server. -If the status is set to Disabled or Not Configured, limits to the number of connections are not enforced at the Group Policy level. +If the status is set to Disabled or Not Configured, limits to the number of connections aren't enforced at the Group Policy level. >[!NOTE] >This setting is designed to be used on RD Session Host servers (that is, on servers running Windows with Remote Desktop Session Host role service installed). @@ -2373,7 +2373,7 @@ This policy setting allows you to specify the maximum display resolution that ca If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. -If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. +If you disable or don't configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. @@ -2420,7 +2420,7 @@ This policy setting allows you to limit the number of monitors that a user can u If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. -If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level. +If you disable or don't configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session isn't specified at the Group Policy level. @@ -2465,14 +2465,14 @@ ADMX Info: This policy setting allows you to remove the "Disconnect" option from the Shut Down Windows dialog box in Remote Desktop Services sessions. You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. -If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. +If you enable this policy setting, "Disconnect" doesn't appear as an option in the drop-down list in the Shut Down Windows dialog box. -If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. +If you disable or don't configure this policy setting, "Disconnect" isn't removed from the list in the Shut Down Windows dialog box. >[!NOTE] ->This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. +>This policy setting affects only the Shut Down Windows dialog box. It doesn't prevent users from using other methods to disconnect from a Remote Desktop Services session. -This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the **Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions** policy setting. +This policy setting also doesn't prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the **Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions** policy setting. @@ -2517,7 +2517,7 @@ ADMX Info: This policy specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. -If the status is set to Enabled, Windows Security does not appear in Settings on the Start menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the client computer. +If the status is set to Enabled, Windows Security doesn't appear in Settings on the Start menu. As a result, users must type a security attention sequence, such as CTRL+ALT+END, to open the Windows Security dialog box on the client computer. If the status is set to Disabled or Not Configured, Windows Security remains in the Settings menu. @@ -2566,13 +2566,13 @@ This policy setting allows you to specify which version of Remote Desktop Servic A license server attempts to provide the most appropriate RDS or TS CAL for a connection. For example, a Windows Server 2008 license server will try to issue a Windows Server 2008 TS CAL for clients connecting to a terminal server running Windows Server 2008, and will try to issue a Windows Server 2003 TS CAL for clients connecting to a terminal server running Windows Server 2003. -By default, if the most appropriate RDS CAL is not available for a connection, a Windows Server 2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following: +By default, if the most appropriate RDS CAL isn't available for a connection, a Windows Server 2008 license server will issue a Windows Server 2008 TS CAL, if available, to the following types of clients: - A client connecting to a Windows Server 2003 terminal server - A client connecting to a Windows 2000 terminal server -If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired. +If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server isn't available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client won't be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server hasn't expired. -If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier. +If you disable or don't configure this policy setting, the license server will exhibit the default behavior noted earlier. @@ -2617,14 +2617,14 @@ ADMX Info: This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. -If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. +If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user won't be prompted to provide credentials. >[!NOTE] >If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. -If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. +If you disable or don't configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. -For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. +For Windows Server 2003 and Windows 2000 Server, a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. @@ -2670,11 +2670,11 @@ ADMX Info: This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, the default connection URL allows document file types to be associated with RemoteApp programs. The default connection URL must be configured in the form of [http://contoso.com/rdweb/Feed/webfeed.aspx](http://contoso.com/rdweb/Feed/webfeed.aspx). -- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. +- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user can't change the default connection URL. The user's default sign-in credentials are used when setting up the default connection URL. -- If you disable or do not configure this policy setting, the user has no default connection URL. +- If you disable or don't configure this policy setting, the user has no default connection URL. -RemoteApp programs that are installed through RemoteApp and Desktop Connections from an un-trusted server can compromise the security of a user's account. +RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. @@ -2720,9 +2720,9 @@ ADMX Info: This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. -- If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. +- If you enable this policy setting, user sign in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. -- If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. +- If you disable or don't configure this policy setting, the Start screen is shown and apps are registered in the background. @@ -2861,11 +2861,11 @@ ADMX Info: This policy setting allows you to specify the visual experience that remote users will have in Remote Desktop Connection (RDC) connections that use RemoteFX. You can use this policy to balance the network bandwidth usage with the type of graphics experience that is delivered. Depending on the requirements of your users, you can reduce network bandwidth usage by reducing the screen capture rate. You can also reduce network bandwidth usage by reducing the image quality (increasing the amount of image compression that is performed). -If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. +If you've a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. -If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). +If you disable or don't configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). @@ -2909,14 +2909,14 @@ ADMX Info: This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. -Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name does not have to correspond to a name in Active Directory Domain Services. If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. +Therefore, you must use the same farm name for all RD Session Host servers in the same load-balanced farm. The farm name doesn't have to correspond to a name in Active Directory Domain Services. If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. - If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. -- If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. +- If you disable or don't configure this policy setting, the farm name isn't specified at the Group Policy level. > [!NOTE] -> This policy setting is not effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. +> This policy setting isn't effective unless both the Join RD Connection Broker and the Configure RD Connection Broker server name policy settings are enabled and configured by using Group Policy. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. @@ -2963,9 +2963,9 @@ This policy setting allows you to specify the redirection method to use when a c - If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. -- If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. +- If you disable this policy setting, the IP address of the RD Session Host server isn't sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you don't want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. -If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. +If you don't configure this policy setting, the Use IP address redirection policy setting isn't enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. > [!NOTE] > For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. @@ -3014,12 +3014,12 @@ The specified server must be running the Remote Desktop Connection Broker servic - If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. -- If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. +- If you disable or don't configure this policy setting, the policy setting isn't specified at the Group Policy level. > [!NOTE] > For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. -> This policy setting is not effective unless the Join RD Connection Broker policy setting is enabled. +> This policy setting isn't effective unless the Join RD Connection Broker policy setting is enabled. > To be an active member of an RD Session Host server farm, the computer account for each RD Session Host server in the farm must be a member of one of the following local groups on the RD Connection Broker server: Session Directory Computers, Session Broker Computers, or RDS Endpoint Servers. @@ -3069,11 +3069,11 @@ This policy setting specifies whether to require the use of a specific security The following security methods are available: -- **Negotiate**: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. -- **RDP**: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. -- **SSL (TLS 1.0)**: The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. +- **Negotiate**: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it's used to authenticate the RD Session Host server. If TLS isn't supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server isn't authenticated. Native RDP encryption (as opposed to SSL encryption) isn't recommended. +- **RDP**: The RDP method uses native RDP encryption to secure communications between the client and RD Session Host server. If you select this setting, the RD Session Host server isn't authenticated. Native RDP encryption (as opposed to SSL encryption) isn't recommended. +- **SSL (TLS 1.0)**: The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS isn't supported, the connection fails. This enablement is the recommended setting for this policy. -If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. +If you disable or don't configure this policy setting, the security method to be used for remote connections to RD Session Host servers isn't specified at the Group Policy level. @@ -3118,13 +3118,13 @@ ADMX Info: This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency). You can choose to disable Connect Time Detect, Continuous Network Detect, or both Connect Time Detect and Continuous Network Detect. -- If you disable Connect Time Detect, Remote Desktop Protocol will not determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. +- If you disable Connect Time Detect, Remote Desktop Protocol won't determine the network quality at the connect time, and it will assume that all traffic to this server originates from a low-speed connection. -- If you disable Continuous Network Detect, Remote Desktop Protocol will not try to adapt the remote user experience to varying network quality. +- If you disable Continuous Network Detect, Remote Desktop Protocol won't try to adapt the remote user experience to varying network quality. -- If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. +- If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol won't try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it won't try to adapt the user experience to varying network quality. -- If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. +- If you disable or don't configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. @@ -3171,9 +3171,9 @@ This policy setting allows you to specify which protocols can be used for Remote - If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)" -If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP. +If you select "Use either UDP or TCP" and the UDP connection is successful, most of the RDP traffic will use UDP. If the UDP connection isn't successful or if you select "Use only TCP," all of the RDP traffic will use TCP. -- If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. +- If you disable or don't configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. @@ -3217,11 +3217,11 @@ ADMX Info: This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. -This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. +This policy setting applies only to RemoteApp programs and doesn't apply to remote desktop sessions. -- If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. +- If you enable or don't configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. -- If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. +- If you disable this policy setting, RemoteApp programs published from this RD Session Host server won't use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs don't support these advanced graphics. @@ -3264,17 +3264,17 @@ ADMX Info: -This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. +This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client can't authenticate the RD Session Host server. - If you enable this policy setting, you must specify one of the following settings: - - Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. + - Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client can't authenticate the RD Session Host server. - - Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server cannot be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. + - Warn me if authentication fails: The client attempts to authenticate the RD Session Host server. If the RD Session Host server can be authenticated, the client establishes a connection to the RD Session Host server. If the RD Session Host server can't be authenticated, the user is prompted to choose whether to connect to the RD Session Host server without authenticating the RD Session Host server. - - Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. + - don't connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. -- If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. +- If you disable or don't configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client can't authenticate the RD Session Host server. @@ -3319,9 +3319,9 @@ ADMX Info: This policy setting lets you enable H.264/AVC hardware encoding support for Remote Desktop Connections. -- When you enable hardware encoding, if an error occurs, we will attempt to use software encoding. +- When you enable hardware encoding, if an error occurs, we'll attempt to use software encoding. -- If you disable or do not configure this policy, we will always use software encoding. +- If you disable or don't configure this policy, we'll always use software encoding. @@ -3415,11 +3415,11 @@ This policy setting allows you to specify which Remote Desktop Protocol (RDP) co If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. -In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. +In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you're using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. -- If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. +- If you disable or don't configure this policy setting, the default RDP compression algorithm will be used. @@ -3469,9 +3469,9 @@ This policy setting allows you to specify the visual quality for remote users wh - If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. -- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. +- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data isn't impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you enable this setting for specific cases only. -- If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. +- If you disable or don't configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. @@ -3519,7 +3519,7 @@ When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user - If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. -- If you disable this policy setting, RemoteFX will be disabled. If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. +- If you disable this policy setting, RemoteFX will be disabled. If you don't configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. @@ -3567,7 +3567,7 @@ This policy setting allows the administrator to configure the RemoteFX experienc If you enable this policy setting, the RemoteFX experience could be set to one of the following options: 1. Let the system choose the experience for the network condition 2. Optimize for server scalability -3. Optimize for minimum bandwidth usage If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." +3. Optimize for minimum bandwidth usage. If you disable or don't configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." @@ -3614,7 +3614,7 @@ This policy setting allows you to specify the visual experience that remote user - If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. -- If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. +- If you disable or don't configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. @@ -3659,9 +3659,9 @@ ADMX Info: This policy setting lets you enable WDDM graphics display driver for Remote Desktop Connections. -- If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. +- If you enable or don't configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. -- If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. For this change to take effect, you must restart Windows. +- If you disable this policy setting, Remote Desktop Connections won't use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. For this change to take effect, you must restart Windows. @@ -3710,11 +3710,11 @@ See the policy settings Set time limit for active Remote Desktop Services sessio - If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. -- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. +- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you don't configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. This policy setting only applies to time-out limits that are explicitly set by the administrator. -This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. +This policy setting doesn't apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. @@ -3763,11 +3763,11 @@ See the policy settings Set time limit for active Remote Desktop Services sessio - If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. -- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. +- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. If you don't configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. This policy setting only applies to time-out limits that are explicitly set by the administrator. -This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. +This policy setting doesn't apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. @@ -3813,9 +3813,9 @@ ADMX Info: This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. -- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. +- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you've a console session, disconnected session time limits don't apply. -- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. +- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. Be default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. >[!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. @@ -3864,9 +3864,9 @@ ADMX Info: This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote Desktop Services allows users to disconnect from a Remote Desktop Services session without logging off and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. -- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. +- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you've a console session, disconnected session time limits don't apply. -- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. +- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. Be default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. >[!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. @@ -3912,11 +3912,11 @@ ADMX Info: -This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. +This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it's automatically disconnected. -- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you've a console session, idle session time limits don't apply. -- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. +- If you disable or don't configure this policy setting, the time limit isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. @@ -3964,11 +3964,11 @@ ADMX Info: -This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. +This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it's automatically disconnected. -- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you've a console session, idle session time limits don't apply. -- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. +- If you disable or don't configure this policy setting, the time limit isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. @@ -4016,11 +4016,11 @@ ADMX Info: -This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. +This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it's automatically disconnected. -- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you've a console session, active session time limits don't apply. -- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. +- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. @@ -4069,11 +4069,11 @@ ADMX Info: -This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. +This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it's automatically disconnected. -- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you've a console session, active session time limits don't apply. -- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. +- If you disable or don't configure this policy setting, this policy setting isn't specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. @@ -4122,11 +4122,11 @@ ADMX Info: -This policy setting allows you to restrict users to a single Remote Desktop Services session. If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. +This policy setting allows you to restrict users to a single Remote Desktop Services session. If you enable this policy setting, users who sign in remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. -If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. +If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next sign in. -If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. +If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. If you don't configure this policy setting, this policy setting isn't specified at the Group Policy level. @@ -4172,9 +4172,9 @@ ADMX Info: This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. -- If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. +- If you enable this policy setting, Remote Desktop Services users can't use a smart card to sign in to a Remote Desktop Services session. -- If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. +- If you disable or don't configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. >[!NOTE] > The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. @@ -4220,11 +4220,11 @@ ADMX Info: -Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. +Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user signs in to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. -The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. +The Start menu and Windows Desktop aren't displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. -If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) +If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory isn't the name of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory isn't specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) >[!NOTE] > This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. @@ -4270,11 +4270,11 @@ ADMX Info: -Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. +Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user signs in to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the "Start Program" settings set by the server administrator or user. -The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. +The Start menu and Windows Desktop aren't displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. -If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) +If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory isn't the name of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory isn't specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See "Computer Configuration\Administrative Templates\System\Logon\Run these programs at user logon" setting.) >[!NOTE] > This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides. @@ -4320,14 +4320,14 @@ ADMX Info: -This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user logs off. +This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at sign out. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user signs out from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user signs out. -If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session. +If you enable this policy setting, a user's per-session temporary folders are retained when the user signs out from a session. -If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise. If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. +If you disable this policy setting, temporary folders are deleted when a user signs out, even if the server administrator specifies otherwise. If you don't configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at sign out, unless specified otherwise by the server administrator. >[!NOTE] -> This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. +> This setting only takes effect if per-session temporary folders are in use on the server. If you enable the don't use temporary folders per session policy setting, this policy setting has no effect. @@ -4372,11 +4372,11 @@ ADMX Info: This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. -You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the sessionid. +You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the session ID. -- If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. +- If you enable this policy setting, per-session temporary folders aren't created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. -- If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. +- If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. If you don't configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. @@ -4423,7 +4423,7 @@ This policy setting allows you to specify whether the client computer redirects - If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). -- If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. +- If you disable or don't configure this policy setting, the client computer doesn't redirect its time zone information and the session time zone is the same as the server time zone. >[!NOTE] > Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 or later. @@ -4471,9 +4471,9 @@ ADMX Info: This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server. You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. -- If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. +- If you enable this policy setting, the default security descriptors for existing groups on the RD Session Host server can't be changed. All the security descriptors are read-only. -- If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. +- If you disable or don't configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. >[!NOTE] > The preferred method of managing user access is by adding a user to the Remote Desktop Users group. @@ -4523,7 +4523,7 @@ This policy setting determines whether the desktop is always displayed after a c - If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. -- If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. +- If you disable or don't configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program isn't specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. >[!NOTE] > If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. @@ -4571,11 +4571,11 @@ ADMX Info: This policy setting allows you to restrict users to a single Remote Desktop Services session. -If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. +If you enable this policy setting, users who sign in remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next sign in. - If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. -- If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. +- If you don't configure this policy setting, this policy setting isn't specified at the Group Policy level. @@ -4618,9 +4618,9 @@ ADMX Info: -This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. +This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices won't be available for local usage on this computer. If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. -If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. For this change to take effect, you must restart Windows. +If you disable or don't configure this policy setting, other supported RemoteFX USB devices aren't available for RDP redirection by using any user account. For this change to take effect, you must restart Windows. @@ -4667,7 +4667,7 @@ This policy setting enhances security by requiring that user authentication occu - If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. -- If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. +- If you disable this policy setting, Network Level Authentication isn't required for user authentication before allowing remote connections to the RD Session Host server. If you don't configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. @@ -4714,11 +4714,11 @@ ADMX Info: This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. -- If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. +- If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate hasn't been selected. If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. -- If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. +- If you disable or don't configure this policy, the certificate template name isn't specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting. @@ -4767,7 +4767,7 @@ This policy setting allows you to specify whether Remote Desktop Services uses a - If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. -- If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. +- If you disable or don't configure this policy setting, mandatory user profiles aren't used by users connecting remotely to the RD Session Host server. For this policy setting to take effect, you must also enable and configure the "Set path for Remote Desktop Services Roaming User Profile" policy setting. @@ -4813,13 +4813,13 @@ ADMX Info: -This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. +This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. -To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Services automatically adds this when the user logs on and the profile is created. +To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Don't specify a placeholder for the user account name, because Remote Desktop Services automatically adds this location when the user signs in and the profile is created. -If the specified network share does not exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. +If the specified network share doesn't exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. -If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. +If you disable or don't configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. 1. The roaming user profiles enabled by the policy setting apply only to Remote Desktop Services connections. A user might also have a Windows roaming user profile configured. The Remote Desktop Services roaming user profile always takes precedence in a Remote Desktop Services session. 2. To configure a mandatory Remote Desktop Services roaming user profile for all users connecting remotely to the RD Session Host server, use this policy setting together with the "Use mandatory profiles on the RD Session Host server" policy setting located in Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Profiles. The path set in the "Set path for Remote Desktop Services Roaming User Profile" policy setting should contain the mandatory profile. diff --git a/windows/client-management/mdm/policy-csp-admx-touchinput.md b/windows/client-management/mdm/policy-csp-admx-touchinput.md index 288b99a963..4f7283a5a7 100644 --- a/windows/client-management/mdm/policy-csp-admx-touchinput.md +++ b/windows/client-management/mdm/policy-csp-admx-touchinput.md @@ -72,10 +72,10 @@ manager: dansimp Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. -- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you enable this setting, the user won't be able to produce input with touch. They won't be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. - If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. -If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off. +If you don't configure this setting, touch input is on by default. Note: Changes to this setting won't take effect until the user signs out. @@ -116,10 +116,10 @@ ADMX Info: Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. -- If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. +- If you enable this setting, the user won't be able to produce input with touch. They won't be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. - If you disable this setting, the user can produce input with touch, by using gestures, the touch pointer, and other-touch specific features. -If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off. +If you don't configure this setting, touch input is on by default. Note: Changes to this setting won't take effect until the user signs out. @@ -163,12 +163,12 @@ ADMX Info: Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. -- If you enable this setting, the user will not be able to pan windows by touch. +- If you enable this setting, the user won't be able to pan windows by touch. -- If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. +- If you disable this setting, the user can pan windows by touch. If you don't configure this setting, Touch Panning is on by default. > [!NOTE] -> Changes to this setting will not take effect until the user logs off. +> Changes to this setting won't take effect until the user logs off. @@ -210,12 +210,12 @@ ADMX Info: Turn off Panning Turns off touch panning, which allows users pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. -- If you enable this setting, the user will not be able to pan windows by touch. +- If you enable this setting, the user won't be able to pan windows by touch. -- If you disable this setting, the user can pan windows by touch. If you do not configure this setting, Touch Panning is on by default. +- If you disable this setting, the user can pan windows by touch. If you don't configure this setting, Touch Panning is on by default. > [!NOTE] -> Changes to this setting will not take effect until the user logs off. +> Changes to this setting won't take effect until the user logs off. diff --git a/windows/client-management/mdm/policy-csp-admx-tpm.md b/windows/client-management/mdm/policy-csp-admx-tpm.md index 7f8cb02e07..cc8d6387aa 100644 --- a/windows/client-management/mdm/policy-csp-admx-tpm.md +++ b/windows/client-management/mdm/policy-csp-admx-tpm.md @@ -91,7 +91,7 @@ This policy setting allows you to manage the Policy list of Trusted Platform Mod If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub, and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command with TPM 1.2, run "tpm.msc" and navigate to the "Command Management" section. -If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. +If you disable or don't configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See related policy settings to enforce or ignore the default and local lists of blocked TPM commands. @@ -132,7 +132,7 @@ ADMX Info: -This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user login only if the logged in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and login until the policy is disabled or until the TPM is in a Ready state. +This policy setting configures the system to prompt the user to clear the TPM if the TPM is detected to be in any state other than Ready. This policy will take effect only if the system’s TPM is in a state other than Ready, including if the TPM is “Ready, with reduced functionality”. The prompt to clear the TPM will start occurring after the next reboot, upon user sign in only if the signed in user is part of the Administrators group for the system. The prompt can be dismissed, but will reappear after every reboot and sign in until the policy is disabled or until the TPM is in a Ready state. @@ -179,7 +179,7 @@ If you enable this policy setting, Windows will ignore the computer's default li The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running "tpm.msc", navigating to the "Command Management" section, and making visible the "On Default Block List" column. The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Policy list of blocked TPM commands. -If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Policy and local lists of blocked TPM commands. +If you disable or don't configure this policy setting, Windows will block the TPM commands in the default list, in addition to commands in the Policy and local lists of blocked TPM commands. @@ -226,7 +226,7 @@ If you enable this policy setting, Windows will ignore the computer's local list The local list of blocked TPM commands is configured outside of Policy by running "tpm.msc" or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Policy list of blocked TPM commands. -If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Policy and default lists of blocked TPM commands. +If you disable or don't configure this policy setting, Windows will block the TPM commands found in the local list, in addition to commands in the Policy and default lists of blocked TPM commands. @@ -267,13 +267,13 @@ ADMX Info: -This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. +This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions that require TPM owner authorization without requiring the user to enter the TPM owner password. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose. -Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features which depend on the TPM anti-hammering logic can be used. +Choose the operating system managed TPM authentication setting of "Full" to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios that don't depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting to be changed before making the features that depend on the TPM anti-hammering logic usable. Choose the operating system managed TPM authentication setting of "Delegated" to store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic. @@ -321,7 +321,7 @@ ADMX Info: -This Policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and will not interfere with their workflows. +This Policy enables Device Health Attestation reporting (DHA-report) on supported devices. It enables supported devices to send Device Health Attestation related information (device boot logs, PCR values, TPM certificate, etc.) to Device Health Attestation Service (DHA-Service) every time a device starts. Device Health Attestation Service validates the security state and health of the devices, and makes the findings accessible to enterprise administrators via a cloud based reporting portal. This policy is independent of DHA reports that are initiated by device manageability solutions (like MDM or SCCM), and won't interfere with their workflows. @@ -370,15 +370,15 @@ An authorization failure occurs each time a standard user sends a command to the For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. -The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. +The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user isn't allowed to send commands requiring authorization to the TPM. -The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. +The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users aren't allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. -If this value is not configured, a default value of 480 minutes (8 hours) is used. +If this value isn't configured, a default value of 480 minutes (8 hours) is used. > @@ -425,19 +425,19 @@ This setting helps administrators prevent the TPM hardware from entering a locko An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. -For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. +For each standard user, two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. -This value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. +This value is the maximum number of authorization failures each standard user may have before the user isn't allowed to send commands requiring authorization to the TPM. -The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. +The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users aren't allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it's global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. -If this value is not configured, a default value of 4 is used. +If this value isn't configured, a default value of 4 is used. -A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. +A value of 0 means the OS won't allow standard users to send commands to the TPM, which may cause an authorization failure. @@ -484,19 +484,19 @@ This setting helps administrators prevent the TPM hardware from entering a locko An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. -For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. +For each standard user, two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. -The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. +The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user isn't allowed to send commands requiring authorization to the TPM. -This value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. +This value is the maximum total number of authorization failures all standard users may have before all standard users aren't allowed to send commands requiring authorization to the TPM. -The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. +The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode, it's global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic all prior standard user TPM authorization failures are ignored; allowing standard users to use the TPM normally again immediately. -If this value is not configured, a default value of 9 is used. +If this value isn't configured, a default value of 9 is used. -A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure. +A value of 0 means the OS won't allow standard users to send commands to the TPM, which may cause an authorization failure. @@ -537,7 +537,7 @@ ADMX Info: -This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Note that enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this Policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from Policy and b)clear the TPM on the system. +This policy setting configures the TPM to use the Dictionary Attack Prevention Parameters (lockout threshold and recovery time) to the values that were used for Windows 10 Version 1607 and below. Setting this policy will take effect only if a) the TPM was originally prepared using a version of Windows after Windows 10 Version 1607 and b) the System has a TPM 2.0. Enabling this policy will only take effect after the TPM maintenance task runs (which typically happens after a system restart). Once this policy has been enabled on a system and has taken effect (after a system restart), disabling it will have no impact and the system's TPM will remain configured using the legacy Dictionary Attack Prevention parameters, regardless of the value of this Policy. The only way for the disabled setting of this policy to take effect on a system where it was once enabled is to a) disable it from Policy and b) clear the TPM on the system. diff --git a/windows/client-management/mdm/policy-csp-admx-userprofiles.md b/windows/client-management/mdm/policy-csp-admx-userprofiles.md index 72e9a3ea84..01ff1725af 100644 --- a/windows/client-management/mdm/policy-csp-admx-userprofiles.md +++ b/windows/client-management/mdm/policy-csp-admx-userprofiles.md @@ -81,14 +81,14 @@ manager: dansimp -This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. +This policy setting allows an administrator to automatically delete user profiles on system restart that haven't been used within a specified number of days. > [!NOTE] > One day is interpreted as 24 hours after a specific user profile was accessed. -If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that have not been used within the specified number of days. +If you enable this policy setting, the User Profile Service will automatically delete on the next system restart all user profiles on the computer that haven't been used within the specified number of days. -If you disable or do not configure this policy setting, User Profile Service will not automatically delete any profiles on the next system restart. +If you disable or don't configure this policy setting, User Profile Service won't automatically delete any profiles on the next system restart. @@ -129,14 +129,14 @@ ADMX Info: -This policy setting controls whether Windows forcefully unloads the user's registry at logoff, even if there are open handles to the per-user registry keys. +This policy setting controls whether Windows forcefully unloads the user's registry at sign out, even if there are open handles to the per-user registry keys. > [!NOTE] > This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default as it may prevent users from getting an updated version of their roaming user profile. -If you enable this policy setting, Windows will not forcefully unload the users registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed. +If you enable this policy setting, Windows won't forcefully unload the user's registry at sign out, but will unload the registry when all open handles to the per-user registry keys are closed. -If you disable or do not configure this policy setting, Windows will always unload the users registry at logoff, even if there are any open handles to the per-user registry keys at user logoff. +If you disable or don't configure this policy setting, Windows will always unload the user's registry at sign out, even if there are any open handles to the per-user registry keys at user sign out. @@ -179,11 +179,11 @@ ADMX Info: This policy setting determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. -By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time a roaming user whose profile was previously deleted on that client logs on, they will need to reinstall all apps published via policy at logon increasing logon time. You can use this policy setting to change this behavior. +By default Windows deletes all information related to a roaming user (which includes the user's settings, data, Windows Installer related data, and the like) when their profile is deleted. As a result, the next time roaming users whose profiles were previously deleted on that client sign in, they'll need to reinstall all apps published via policy at sign in, increasing sign-in time. You can use this policy setting to change this behavior. -If you enable this policy setting, Windows will not delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This will improve the performance of Group Policy based Software Installation during user logon when a user profile is deleted and that user subsequently logs on to the machine. +If you enable this policy setting, Windows won't delete Windows Installer or Group Policy software installation data for roaming users when profiles are deleted from the machine. This data retention will improve the performance of Group Policy-based Software Installation during user sign in when a user profile is deleted and that user later signs in to the machine. -If you disable or do not configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. +If you disable or don't configure this policy setting, Windows will delete the entire profile for roaming users, including the Windows Installer and Group Policy software installation data when those profiles are deleted. > [!NOTE] > If this policy setting is enabled for a machine, local administrator action is required to remove the Windows Installer or Group Policy software installation data stored in the registry and file system of roaming users' profiles on the machine. @@ -229,7 +229,7 @@ ADMX Info: This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. -If you disable this policy setting or do not configure it, the system does not limit the size of user profiles. +If you disable this policy setting or don't configure it, the system doesn't limit the size of user profiles. If you enable this policy setting, you can: @@ -278,13 +278,13 @@ ADMX Info: -This policy setting will automatically log off a user when Windows cannot load their profile. +This policy setting will automatically sign out a user when Windows can't load their profile. -If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. +If Windows can't access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This policy setting allows the administrator to disable this behavior, preventing Windows from logging on the user with a temporary profile. -If you enable this policy setting, Windows will not log on a user with a temporary profile. Windows logs the user off if their profile cannot be loaded. +If you enable this policy setting, Windows won't sign in users with a temporary profile. Windows signs out the users if their profiles can't be loaded. -If you disable this policy setting or do not configure it, Windows logs on the user with a temporary profile when Windows cannot load their user profile. +If you disable this policy setting or don't configure it, Windows logs on the user with a temporary profile when Windows can't load their user profile. Also, see the "Delete cached copies of roaming profiles" policy setting. @@ -335,7 +335,7 @@ This policy setting and related policy settings in this folder together define t If you enable this policy setting, you can change how long Windows waits for a response from the server before considering the connection to be slow. -If you disable or do not configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there is no local copy of the roaming profile to load when the system detects a slow connection. +If you disable or don't configure this policy setting, Windows considers the network connection to be slow if the server returns less than 500 kilobits of data per second or take 120 milliseconds to respond.Consider increasing this value for clients using DHCP Service-assigned addresses or for computers accessing profiles across dial-up connections.Important: If the "Do not detect slow network connections" policy setting is enabled, this policy setting is ignored. Also, if the "Delete cached copies of roaming profiles" policy setting is enabled, there's no local copy of the roaming profile to load when the system detects a slow connection. @@ -376,18 +376,18 @@ ADMX Info: -This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. +This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a sign-in session. If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder for each user name. To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network,” enter the path to a file share in the Path box (for example, \\\\ComputerName\ShareName), and then choose the drive letter to assign to the file share. If you choose “On the local computer,” enter a local path (for example, C:\HomeFolder) in the Path box. -Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name because the user name will be appended at logon. +Don't specify environment variables or ellipses in the path. Also, don't specify a placeholder for the user name because the user name will be appended at sign in. > [!NOTE] > The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user's home folder will be placed in the network location without mapping the file share to a drive letter. -If you disable or do not configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. +If you disable or don't configure this policy setting, the user's home folder is configured as specified in the user's Active Directory Domain Services account. If the "Set Remote Desktop Services User Home Directory" policy setting is enabled, the “Set user home folder” policy setting has no effect. @@ -434,11 +434,11 @@ This setting prevents users from managing the ability to allow apps to access th If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: -- "Always on" - users will not be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. +- "Always on" - users won't be able to change this setting and the user's name and account picture will be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. -- "Always off" - users will not be able to change this setting and the user's name and account picture will not be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. +- "Always off" - users won't be able to change this setting and the user's name and account picture won't be shared with apps (not desktop apps). In addition apps (not desktop apps) that have the enterprise authentication capability won't be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. -If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off. +If you don't configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn off the setting. diff --git a/windows/client-management/mdm/policy-csp-admx-w32time.md b/windows/client-management/mdm/policy-csp-admx-w32time.md index f57fa5f258..880375abd7 100644 --- a/windows/client-management/mdm/policy-csp-admx-w32time.md +++ b/windows/client-management/mdm/policy-csp-admx-w32time.md @@ -71,9 +71,9 @@ manager: dansimp This policy setting allows you to specify Clock discipline and General values for the Windows Time service (W32time) for domain controllers including RODCs. -If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the service on target machines use locally configured settings values. +If this policy setting is enabled, W32time Service on target machines use the settings provided here. Otherwise, the Service on target machines use locally configured settings values. -For more details on individual parameters, combinations of parameter values as well as definitions of flags, see https://go.microsoft.com/fwlink/?linkid=847809. +For more information on individual parameters, combinations of parameter values, and definitions of flags, see https://go.microsoft.com/fwlink/?linkid=847809. **FrequencyCorrectRate** This parameter controls the rate at which the W32time corrects the local clock's frequency. Lower values cause slower corrections; larger values cause more frequent corrections. Default: 4 (scalar). @@ -117,7 +117,7 @@ This parameter controls special events that may be logged to the Event Viewer Sy This parameter indicates the maximum error in seconds that is reported by the NTP server to clients that are requesting a time sample. (Applies only when the NTP server is using the time of the local CMOS clock.) Default: 10 seconds. **MaxPollInterval** -This parameter controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. Default: 10 in log base-2, or 1024 seconds. (Should not be set higher than 15.) +This parameter controls the maximum polling interval, which defines the maximum amount of time between polls of a peer. Default: 10 in log base-2, or 1024 seconds. (Shouldn't be set higher than 15.) **MinPollInterval** This parameter controls the minimum polling interval that defines the minimum amount of time between polls of a peer. Default: 6 in log base-2, or 64 seconds. @@ -126,10 +126,10 @@ This parameter controls the minimum polling interval that defines the minimum am This parameter indicates the maximum number of seconds a system clock can nominally hold its accuracy without synchronizing with a time source. If this period of time passes without W32time obtaining new samples from any of its input providers, W32time initiates a rediscovery of time sources. Default: 7800 seconds. **RequireSecureTimeSyncRequests** -This parameter controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC will not respond to requests using such protocols. Default: 0 Boolean. +This parameter controls whether or not the DC will respond to time sync requests that use older authentication protocols. If enabled (set to 1), the DC won't respond to requests using such protocols. Default: 0 Boolean. **UtilizeSslTimeData** -This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an additional input for correcting the local clock. Default: 1 (enabled) Boolean +This parameter controls whether W32time will use time data computed from SSL traffic on the machine as an extra input for correcting the local clock. Default: 1 (enabled) Boolean **ClockAdjustmentAuditLimit** This parameter specifies the smallest local clock adjustments that may be logged to the W32time service event log on the target machine. Default: 800 Parts per million (PPM). @@ -143,10 +143,10 @@ This parameter specifies the maximum amount of time that an entry can remain in This parameter controls the maximum number of entries that are allowed in the chaining table. If the chaining table is full and no expired entries can be removed, any incoming requests are discarded. Default: 128 entries. **ChainMaxHostEntries** -This parameter controls the maximum number of entries that are allowed in the chaining table for a particular host. Default: 4 entries. +This parameter controls the maximum number of entries that are allowed in the chaining table for a particular host. Default: Four entries. **ChainDisable** -This parameter controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), the RODC can synchronize with any domain controller, but hosts that do not have their passwords cached on the RODC will not be able to synchronize with the RODC. Default: 0 Boolean. +This parameter controls whether or not the chaining mechanism is disabled. If chaining is disabled (set to 0), the RODC can synchronize with any domain controller, but hosts that don't have their passwords cached on the RODC won't be able to synchronize with the RODC. Default: 0 Boolean. **ChainLoggingRate** This parameter controls the frequency at which an event that indicates the number of successful and unsuccessful chaining attempts is logged to the System log in Event Viewer. Default: 30 minutes. @@ -195,7 +195,7 @@ This policy setting specifies a set of parameters for controlling the Windows NT If you enable this policy setting, you can specify the following parameters for the Windows NTP Client. -If you disable or do not configure this policy setting, the Windows NTP Client uses the defaults of each of the following parameters. +If you disable or don't configure this policy setting, the Windows NTP Client uses the defaults of each of the following parameters. **NtpServer** The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of ""dnsName,flags"" where ""flags"" is a hexadecimal bitmask of the flags for that host. For more information, see the NTP Client Group Policy Settings Associated with Windows Time section of the Windows Time Service Group Policy Settings. The default value is ""time.windows.com,0x09"". @@ -204,7 +204,7 @@ The Domain Name System (DNS) name or IP address of an NTP time source. This valu This value controls the authentication that W32time uses. The default value is NT5DS. **CrossSiteSyncFlags** -This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client should not attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value is not set. The default value is 2 decimal (0x02 hexadecimal). +This value, expressed as a bitmask, controls how W32time chooses time sources outside its own site. The possible values are 0, 1, and 2. Setting this value to 0 (None) indicates that the time client shouldn't attempt to synchronize time outside its site. Setting this value to 1 (PdcOnly) indicates that only the computers that function as primary domain controller (PDC) emulator operations masters in other domains can be used as synchronization partners when the client has to synchronize time with a partner outside its own site. Setting a value of 2 (All) indicates that any synchronization partner can be used. This value is ignored if the NT5DS value isn't set. The default value is 2 decimal (0x02 hexadecimal). **ResolvePeerBackoffMinutes** This value, expressed in minutes, controls how long W32time waits before it attempts to resolve a DNS name when a previous attempt failed. The default value is 15 minutes. @@ -216,7 +216,7 @@ This value controls how many times W32time attempts to resolve a DNS name before This NTP client value, expressed in seconds, controls how often a manually configured time source is polled when the time source is configured to use a special polling interval. If the SpecialInterval flag is enabled on the NTPServer setting, the client uses the value that is set as the SpecialPollInterval, instead of a variable interval between MinPollInterval and MaxPollInterval values, to determine how frequently to poll the time source. SpecialPollInterval must be in the range of [MinPollInterval, MaxPollInterval], else the nearest value of the range is picked. Default: 1024 seconds. **EventLogFlags** -This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it is a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. +This value is a bitmask that controls events that may be logged to the System log in Event Viewer. Setting this value to 0x1 indicates that W32time will create an event whenever a time jump is detected. Setting this value to 0x2 indicates that W32time will create an event whenever a time source change is made. Because it's a bitmask value, setting 0x3 (the addition of 0x1 and 0x2) indicates that both time jumps and time source changes will be logged. @@ -264,7 +264,7 @@ Enabling the Windows NTP Client allows your computer to synchronize its computer If you enable this policy setting, you can set the local computer clock to synchronize time with NTP servers. -If you disable or do not configure this policy setting, the local computer clock does not synchronize time with NTP servers. +If you disable or don't configure this policy setting, the local computer clock doesn't synchronize time with NTP servers. @@ -310,7 +310,7 @@ This policy setting allows you to specify whether the Windows NTP Server is enab If you enable this policy setting for the Windows NTP Server, your computer can service NTP requests from other computers. -If you disable or do not configure this policy setting, your computer cannot service NTP requests from other computers. +If you disable or don't configure this policy setting, your computer can't service NTP requests from other computers.