deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

More changes per feedback

Browse Source
This commit is contained in:
Vinay Pamnani 2023-01-06 18:15:07 -05:00
parent 95c02cb6b7
commit 3927b0e331
6 changed files with 2137 additions and 2097 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1089
windows/client-management/mdm/policy-csp-admx-globalization.md
View File

File diff suppressed because it is too large Load Diff

276
windows/client-management/mdm/policy-csp-admx-netlogon.md
View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Netlogon Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/05/2023
ms.date: 01/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -17,9 +17,7 @@ ms.topic: reference
# Policy CSP - ADMX_Netlogon
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@ -56,7 +54,7 @@ The allowable values for this setting result in the following behaviors:
To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_AddressLookupOnPingBehavior-Description-End -->
<!-- Netlogon_AddressLookupOnPingBehavior-Editable-Begin -->
@ -74,7 +72,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Netlogon_AddressLookupOnPingBehavior-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -115,11 +113,11 @@ This policy setting detremines the type of IP address that is returned for a dom
By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior.
If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator.
- If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator.
If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail.
- If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail.
If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator.
- If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator.
<!-- Netlogon_AddressTypeReturned-Description-End -->
<!-- Netlogon_AddressTypeReturned-Editable-Begin -->
@ -137,7 +135,7 @@ If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv
<!-- Netlogon_AddressTypeReturned-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -179,9 +177,9 @@ This policy setting specifies whether the computers to which this setting is app
By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled.
If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the event that DNS resolution fails.
- If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the event that DNS resolution fails.
If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest.
- If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest.
<!-- Netlogon_AllowDnsSuffixSearch-Description-End -->
<!-- Netlogon_AllowDnsSuffixSearch-Editable-Begin -->
@ -199,7 +197,7 @@ If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is
<!-- Netlogon_AllowDnsSuffixSearch-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -241,11 +239,11 @@ This policy setting controls whether the Net Logon service will allow the use of
By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller.
If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk.
- If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk.
If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
- If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
- If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
<!-- Netlogon_AllowNT4Crypto-Description-End -->
<!-- Netlogon_AllowNT4Crypto-Editable-Begin -->
@ -263,7 +261,7 @@ If you do not configure this policy setting, Net Logon will not allow the negoti
<!-- Netlogon_AllowNT4Crypto-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -305,11 +303,11 @@ This policy setting specifies whether the computers to which this setting is app
By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name.
If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution.
- If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution.
If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined.
- If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined.
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
<!-- Netlogon_AllowSingleLabelDnsDomain-Description-End -->
<!-- Netlogon_AllowSingleLabelDnsDomain-Editable-Begin -->
@ -327,7 +325,7 @@ If you do not configure this policy setting, it is not applied to any computers,
<!-- Netlogon_AllowSingleLabelDnsDomain-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -367,11 +365,11 @@ If you do not configure this policy setting, it is not applied to any computers,
<!-- Description-Source-ADMX -->
This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.
If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists.
- If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists.
If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own.
- If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_AutoSiteCoverage-Description-End -->
<!-- Netlogon_AutoSiteCoverage-Editable-Begin -->
@ -389,7 +387,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Netlogon_AutoSiteCoverage-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -431,11 +429,11 @@ This policy setting allows you to control the domain controller (DC) location al
NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended.
Note that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known.
**Note** that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known.
If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior.
- If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior.
If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
- If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
<!-- Netlogon_AvoidFallbackNetbiosDiscovery-Description-End -->
<!-- Netlogon_AvoidFallbackNetbiosDiscovery-Editable-Begin -->
@ -453,7 +451,7 @@ If you disable this policy setting, the DC location algorithm can use NetBIOS-ba
<!-- Netlogon_AvoidFallbackNetbiosDiscovery-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -493,13 +491,13 @@ If you disable this policy setting, the DC location algorithm can use NetBIOS-ba
<!-- Description-Source-ADMX -->
This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password.
Contacting the PDC emulator is useful in case the clients password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection.
Contacting the PDC emulator is useful in case the client's password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection.
If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password.
- If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password.
If you disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator.
- If you disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator.
If you do not configure this policy setting, it is not applied to any DCs.
- If you do not configure this policy setting, it is not applied to any DCs.
<!-- Netlogon_AvoidPdcOnWan-Description-End -->
<!-- Netlogon_AvoidPdcOnWan-Editable-Begin -->
@ -517,7 +515,7 @@ If you do not configure this policy setting, it is not applied to any DCs.
<!-- Netlogon_AvoidPdcOnWan-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -563,7 +561,8 @@ This setting is relevant only to those callers of DsGetDcName that have specifie
If the value of this setting is less than the value specified in the NegativeCachePeriod subkey, the value in the NegativeCachePeriod subkey is used.
Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive.
> [!WARNING]
> If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive.
<!-- Netlogon_BackgroundRetryInitialPeriod-Description-End -->
<!-- Netlogon_BackgroundRetryInitialPeriod-Editable-Begin -->
@ -581,7 +580,7 @@ Warning: If the value for this setting is too large, a client will not attempt t
<!-- Netlogon_BackgroundRetryInitialPeriod-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -626,7 +625,8 @@ The default value for this setting is 60 minutes (60*60). The maximum value for
If the value for this setting is smaller than the value specified for the Initial DC Discovery Retry Setting, the Initial DC Discovery Retry Setting is used.
Warning: If the value for this setting is too large, a client may take very long periods to try to find a DC.
> [!WARNING]
> If the value for this setting is too large, a client may take very long periods to try to find a DC.
If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic.
<!-- Netlogon_BackgroundRetryMaximumPeriod-Description-End -->
@ -646,7 +646,7 @@ If the value for this setting is too small and the DC is not available, the freq
<!-- Netlogon_BackgroundRetryMaximumPeriod-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -687,7 +687,8 @@ This policy setting determines when retries are no longer allowed for applicatio
The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.
Warning: If the value for this setting is too small, a client will stop trying to find a DC too soon.
> [!WARNING]
> If the value for this setting is too small, a client will stop trying to find a DC too soon.
<!-- Netlogon_BackgroundRetryQuitTime-Description-End -->
<!-- Netlogon_BackgroundRetryQuitTime-Editable-Begin -->
@ -705,7 +706,7 @@ Warning: If the value for this setting is too small, a client will stop trying t
<!-- Netlogon_BackgroundRetryQuitTime-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -760,7 +761,7 @@ This policy setting determines when a successful DC cache entry is refreshed. Th
<!-- Netlogon_BackgroundSuccessfulRefreshPeriod-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -801,11 +802,11 @@ This policy setting specifies the level of debug output for the Net Logon servic
The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged.
If you enable this policy setting and specify a non-zero value, debug information will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting.
- If you enable this policy setting and specify a non-zero value, debug information will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting.
If you specify zero for this policy setting, the default behavior occurs as described above.
If you disable this policy setting or do not configure it, the default behavior occurs as described above.
- If you disable this policy setting or do not configure it, the default behavior occurs as described above.
<!-- Netlogon_DebugFlag-Description-End -->
<!-- Netlogon_DebugFlag-Editable-Begin -->
@ -823,7 +824,7 @@ If you disable this policy setting or do not configure it, the default behavior
<!-- Netlogon_DebugFlag-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -859,43 +860,42 @@ If you disable this policy setting or do not configure it, the default behavior
<!-- Netlogon_DnsAvoidRegisterRecords-OmaUri-End -->
<!-- Netlogon_DnsAvoidRegisterRecords-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting determines which DC Locator DNS records are not registered by the Net Logon service.
If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied.
Select the mnemonics from the following list:
Mnemonic Type DNS Record
LdapIpAddress A `<DnsDomainName>`
Ldap SRV _ldap._tcp.`<DnsDomainName>`
LdapAtSite SRV _ldap._tcp.`<SiteName>`._sites.`<DnsDomainName>`
Pdc SRV _ldap._tcp.pdc._msdcs.`<DnsDomainName>`
Gc SRV _ldap._tcp.gc._msdcs.`<DnsForestName>`
GcAtSite SRV _ldap._tcp.`<SiteName>`._sites.gc._msdcs.`<DnsForestName>`
DcByGuid SRV _ldap._tcp.`<DomainGuid>`.domains._msdcs.`<DnsForestName>`
GcIpAddress A gc._msdcs.`<DnsForestName>`
DsaCname CNAME `<DsaGuid>`._msdcs.`<DnsForestName>`
Kdc SRV _kerberos._tcp.dc._msdcs.`<DnsDomainName>`
KdcAtSite SRV _kerberos._tcp.`<SiteName>`._sites.dc._msdcs.`<DnsDomainName>`
Dc SRV _ldap._tcp.dc._msdcs.`<DnsDomainName>`
DcAtSite SRV _ldap._tcp.`<SiteName>`._sites.dc._msdcs.`<DnsDomainName>`
Rfc1510Kdc SRV _kerberos._tcp.`<DnsDomainName>`
Rfc1510KdcAtSite SRV _kerberos._tcp.`<SiteName>`._sites.`<DnsDomainName>`
GenericGc SRV _gc._tcp.`<DnsForestName>`
GenericGcAtSite SRV _gc._tcp.`<SiteName>`._sites.`<DnsForestName>`
Rfc1510UdpKdc SRV _kerberos._udp.`<DnsDomainName>`
Rfc1510Kpwd SRV _kpasswd._tcp.`<DnsDomainName>`
Rfc1510UdpKpwd SRV _kpasswd._udp.`<DnsDomainName>`
If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records.
If you do not configure this policy setting, DCs use their local configuration.
<!-- Description-Source-Manual-Forced -->
<!-- Netlogon_DnsAvoidRegisterRecords-Description-End -->
<!-- Netlogon_DnsAvoidRegisterRecords-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy setting determines which DC Locator DNS records aren't registered by the Net Logon service.
- If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that won't be registered by the DCs to which this setting is applied. Select the mnemonics from the following table:
| Mnemonic | Type | DNS Record |
|------------------|-------|----------------------------------------------------------------|
| LdapIpAddress | A | `<DnsDomainName>` |
| Ldap | SRV | _ldap._tcp.`<DnsDomainName>` |
| LdapAtSite | SRV | _ldap._tcp.`<SiteName>`._sites.`<DnsDomainName>` |
| Pdc | SRV | _ldap._tcp.pdc._msdcs.`<DnsDomainName>` |
| Gc | SRV | _ldap._tcp.gc._msdcs.`<DnsForestName>` |
| GcAtSite | SRV | _ldap._tcp.`<SiteName>`._sites.gc._msdcs.`<DnsForestName>` |
| DcByGuid | SRV | _ldap._tcp.`<DomainGuid>`.domains._msdcs.`<DnsForestName>` |
| GcIpAddress | A | gc._msdcs.`<DnsForestName>` |
| DsaCname | CNAME | `<DsaGuid>`._msdcs.`<DnsForestName>` |
| Kdc | SRV | _kerberos._tcp.dc._msdcs.`<DnsDomainName>` |
| KdcAtSite | SRV | _kerberos._tcp.`<SiteName>`._sites.dc._msdcs. |
| KdcAtSite | SRV | _kerberos._tcp.`<SiteName>`._sites.dc._msdcs.`<DnsDomainName>` |
| Dc | SRV | _ldap._tcp.dc._msdcs.`<DnsDomainName>` |
| DcAtSite | SRV | _ldap._tcp.`<SiteName>`._sites.dc._msdcs.`<DnsDomainName>` |
| Rfc1510Kdc | SRV | _kerberos._tcp.`<DnsDomainName>` |
| Rfc1510KdcAtSite | SRV | _kerberos._tcp.`<SiteName>`._sites.`<DnsDomainName>` |
| GenericGc | SRV | _gc._tcp.`<DnsForestName>` |
| GenericGcAtSite | SRV | _gc._tcp.`<SiteName>`._sites.`<DnsForestName>` |
| Rfc1510UdpKdc | SRV | _kerberos._udp.`<DnsDomainName>` |
| Rfc1510Kpwd | SRV | _kpasswd._tcp.`<DnsDomainName>` |
| Rfc1510UdpKpwd | SRV | _kpasswd._udp.`<DnsDomainName>` |
- If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records.
- If you don't configure this policy setting, DCs use their local configuration.
<!-- Netlogon_DnsAvoidRegisterRecords-Editable-End -->
<!-- Netlogon_DnsAvoidRegisterRecords-DFProperties-Begin -->
@ -909,7 +909,7 @@ If you do not configure this policy setting, DCs use their local configuration.
<!-- Netlogon_DnsAvoidRegisterRecords-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -948,13 +948,14 @@ If you do not configure this policy setting, DCs use their local configuration.
<!-- Description-Source-ADMX -->
This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update.
DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database.
DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records' data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database.
Warning: If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records.
> [!WARNING]
> If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records.
To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes).
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_DnsRefreshInterval-Description-End -->
<!-- Netlogon_DnsRefreshInterval-Editable-Begin -->
@ -972,7 +973,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Netlogon_DnsRefreshInterval-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1039,7 +1040,7 @@ More information is available at <https://aka.ms/lowercasehostnamesrvrecord>
<!-- Netlogon_DnsSrvRecordUseLowerCaseHostNames-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1081,7 +1082,7 @@ This policy setting specifies the value for the Time-To-Live (TTL) field in SRV
To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes).
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_DnsTtl-Description-End -->
<!-- Netlogon_DnsTtl-Editable-Begin -->
@ -1099,7 +1100,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Netlogon_DnsTtl-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1136,11 +1137,11 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Netlogon_ExpectedDialupDelay-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting specifies the additional time for the computer to wait for the domain controllers (DC) response when logging on to the network.
This policy setting specifies the additional time for the computer to wait for the domain controller's (DC) response when logging on to the network.
To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute).
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
<!-- Netlogon_ExpectedDialupDelay-Description-End -->
<!-- Netlogon_ExpectedDialupDelay-Editable-Begin -->
@ -1158,7 +1159,7 @@ If you do not configure this policy setting, it is not applied to any computers,
<!-- Netlogon_ExpectedDialupDelay-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1199,11 +1200,11 @@ This policy setting determines the interval for when a Force Rediscovery is carr
The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries.
If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity.
- If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity.
If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval.
- If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval.
If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value.
- If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value.
<!-- Netlogon_ForceRediscoveryInterval-Description-End -->
<!-- Netlogon_ForceRediscoveryInterval-Editable-Begin -->
@ -1221,7 +1222,7 @@ If you do not configure this policy setting, Force Rediscovery will be used by d
<!-- Netlogon_ForceRediscoveryInterval-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1264,7 +1265,7 @@ The GC Locator DNS records and the site-specific SRV records are dynamically reg
To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format.
If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration.
- If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration.
<!-- Netlogon_GcSiteCoverage-Description-End -->
<!-- Netlogon_GcSiteCoverage-Editable-Begin -->
@ -1282,7 +1283,7 @@ If you do not configure this policy setting, it is not applied to any GCs, and G
<!-- Netlogon_GcSiteCoverage-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1321,13 +1322,14 @@ If you do not configure this policy setting, it is not applied to any GCs, and G
<!-- Description-Source-ADMX -->
This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC).
Note: To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message.
> [!NOTE]
> To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message.
This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names.
If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location.
- If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location.
If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator.
- If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator.
<!-- Netlogon_IgnoreIncomingMailslotMessages-Description-End -->
<!-- Netlogon_IgnoreIncomingMailslotMessages-Editable-Begin -->
@ -1345,7 +1347,7 @@ If you disable or do not configure this policy setting, this DC processes incomi
<!-- Netlogon_IgnoreIncomingMailslotMessages-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1385,11 +1387,11 @@ If you disable or do not configure this policy setting, this DC processes incomi
<!-- Description-Source-ADMX -->
This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC.
The Priority field in the SRV record sets the preference for target hosts (specified in the SRV records Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed.
The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record's Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed.
To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_LdapSrvPriority-Description-End -->
<!-- Netlogon_LdapSrvPriority-Editable-Begin -->
@ -1407,7 +1409,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Netlogon_LdapSrvPriority-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1450,7 +1452,7 @@ The Weight field in the SRV record can be used in addition to the Priority value
To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_LdapSrvWeight-Description-End -->
<!-- Netlogon_LdapSrvWeight-Editable-Begin -->
@ -1468,7 +1470,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Netlogon_LdapSrvWeight-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1507,9 +1509,10 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Description-Source-ADMX -->
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled.
By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.
By default, the maximum size of the log file is 20MB.
- If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.
If you disable or do not configure this policy setting, the default behavior occurs as indicated above.
- If you disable or do not configure this policy setting, the default behavior occurs as indicated above.
<!-- Netlogon_MaximumLogFileSize-Description-End -->
<!-- Netlogon_MaximumLogFileSize-Editable-Begin -->
@ -1527,7 +1530,7 @@ If you disable or do not configure this policy setting, the default behavior occ
<!-- Netlogon_MaximumLogFileSize-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1570,7 +1573,7 @@ The application directory partition DC Locator DNS records and the site-specific
To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_NdncSiteCoverage-Description-End -->
<!-- Netlogon_NdncSiteCoverage-Editable-Begin -->
@ -1588,7 +1591,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Netlogon_NdncSiteCoverage-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1629,7 +1632,8 @@ This policy setting specifies the amount of time (in seconds) the DC locator rem
The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0.
Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available.
> [!WARNING]
> If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available.
<!-- Netlogon_NegativeCachePeriod-Description-End -->
<!-- Netlogon_NegativeCachePeriod-Editable-Begin -->
@ -1647,7 +1651,7 @@ Warning: If the value for this setting is too large, a client will not attempt t
<!-- Netlogon_NegativeCachePeriod-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1686,15 +1690,16 @@ Warning: If the value for this setting is too large, a client will not attempt t
<!-- Description-Source-ADMX -->
This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.
If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission.
- If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission.
If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission.
- If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission.
By default, the Netlogon share will grant shared read access to files on the share when exclusive access is requested.
Note: The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased.
> [!NOTE]
> The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased.
If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
- If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
<!-- Netlogon_NetlogonShareCompatibilityMode-Description-End -->
<!-- Netlogon_NetlogonShareCompatibilityMode-Editable-Begin -->
@ -1712,7 +1717,7 @@ If you enable this policy setting, domain administrators should ensure that the
<!-- Netlogon_NetlogonShareCompatibilityMode-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1770,7 +1775,7 @@ The default value for this setting is 30 minutes (1800). The maximum value for t
<!-- Netlogon_NonBackgroundSuccessfulRefreshPeriod-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1818,7 +1823,7 @@ The allowable values for this setting result in the following behaviors:
To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2.
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
<!-- Netlogon_PingUrgencyMode-Description-End -->
<!-- Netlogon_PingUrgencyMode-Editable-Begin -->
@ -1836,7 +1841,7 @@ If you do not configure this policy setting, it is not applied to any computers,
<!-- Netlogon_PingUrgencyMode-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1879,7 +1884,7 @@ This policy setting determines the interval at which Netlogon performs the follo
- On the domain controllers (DC), discovers a DC that has not been discovered.
- On the PDC, attempts to add the `<DomainName>`[1B] NetBIOS name if it hasnt already been successfully added.
- On the PDC, attempts to add the `<DomainName>`[1B] NetBIOS name if it hasn't already been successfully added.
None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain.
@ -1901,7 +1906,7 @@ To enable the setting, click Enabled, and then specify the interval in seconds.
<!-- Netlogon_ScavengeInterval-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1944,7 +1949,7 @@ The DC Locator DNS records are dynamically registered by the Net Logon service,
To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_SiteCoverage-Description-End -->
<!-- Netlogon_SiteCoverage-Editable-Begin -->
@ -1962,7 +1967,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Netlogon_SiteCoverage-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -2005,7 +2010,7 @@ An Active Directory site is one or more well-connected TCP/IP subnets that allow
To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory.
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
<!-- Netlogon_SiteName-Description-End -->
<!-- Netlogon_SiteName-Editable-Begin -->
@ -2023,7 +2028,7 @@ If you do not configure this policy setting, it is not applied to any computers,
<!-- Netlogon_SiteName-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -2068,9 +2073,10 @@ When this setting is disabled or not configured, the SYSVOL share will grant sha
By default, the SYSVOL share will grant shared read access to files on the share when exclusive access is requested.
Note: The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased.
> [!NOTE]
> The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased.
If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
- If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
<!-- Netlogon_SysvolShareCompatibilityMode-Description-End -->
<!-- Netlogon_SysvolShareCompatibilityMode-Editable-Begin -->
@ -2088,7 +2094,7 @@ If you enable this policy setting, domain administrators should ensure that the
<!-- Netlogon_SysvolShareCompatibilityMode-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -2130,11 +2136,11 @@ This policy setting enables DC Locator to attempt to locate a DC in the nearest
The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost.
If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer.
- If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer.
If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored.
- If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored.
If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used.
- If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used.
<!-- Netlogon_TryNextClosestSite-Description-End -->
<!-- Netlogon_TryNextClosestSite-Editable-Begin -->
@ -2152,7 +2158,7 @@ If you do not configure this policy setting, Try Next Closest Site DC Location w
<!-- Netlogon_TryNextClosestSite-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -2192,11 +2198,11 @@ If you do not configure this policy setting, Try Next Closest Site DC Location w
<!-- Description-Source-ADMX -->
This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC.
If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections.
- If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections.
If you disable this policy setting, DCs will not register DC Locator DNS resource records.
- If you disable this policy setting, DCs will not register DC Locator DNS resource records.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
<!-- Netlogon_UseDynamicDns-Description-End -->
<!-- Netlogon_UseDynamicDns-Editable-Begin -->
@ -2214,7 +2220,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D
<!-- Netlogon_UseDynamicDns-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:

780
windows/client-management/mdm/policy-csp-admx-scripts.md
View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Scripts Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/05/2023
ms.date: 01/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -17,9 +17,7 @@ ms.topic: reference
# Policy CSP - ADMX_Scripts
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@ -46,9 +44,9 @@ ms.topic: reference
<!-- Description-Source-ADMX -->
This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer.
If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured.
- If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured.
If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured.
- If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured.
<!-- Allow_Logon_Script_NetbiosDisabled-Description-End -->
<!-- Allow_Logon_Script_NetbiosDisabled-Editable-Begin -->
@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, user account cross-fores
<!-- Allow_Logon_Script_NetbiosDisabled-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -108,13 +106,13 @@ This policy setting determines how long the system waits for scripts applied by
This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event.
If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0.
- If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0.
This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the ""Run logon scripts synchronously"" setting to direct the system to wait for the logon scripts to complete before loading the desktop.
This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the "Run logon scripts synchronously" setting to direct the system to wait for the logon scripts to complete before loading the desktop.
An excessively long interval can delay the system and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely.
If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default.
- If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default.
<!-- MaxGPOScriptWaitPolicy-Description-End -->
<!-- MaxGPOScriptWaitPolicy-Editable-Begin -->
@ -132,7 +130,7 @@ If you disable or do not configure this setting the system lets the combined set
<!-- MaxGPOScriptWaitPolicy-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -168,39 +166,35 @@ If you disable or do not configure this setting the system lets the combined set
<!-- Run_Computer_PS_Scripts_First-OmaUri-End -->
<!-- Run_Computer_PS_Scripts_First-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown.
For example, assume the following scenario:
There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A.
GPO B and GPO C include the following computer startup scripts:
GPO B: B.cmd, B.ps1
GPO C: C.cmd, C.ps1
Assume also that there are two computers, DesktopIT and DesktopSales.
For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT:
Within GPO B: B.ps1, B.cmd
Within GPO C: C.ps1, C.cmd
For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for DesktopSales:
Within GPO B: B.cmd, B.ps1
Within GPO C: C.cmd, C.ps1
Note: This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:
Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup
Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown
<!-- Description-Source-Manual-Forced -->
<!-- Run_Computer_PS_Scripts_First-Description-End -->
<!-- Run_Computer_PS_Scripts_First-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown.
For example, assume the following scenario:
There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the following computer startup scripts:
- GPO B: B.cmd, B.ps1
- GPO C: C.cmd, C.ps1
Assume also that there are two computers, DesktopIT and DesktopSales. For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT:
- Within GPO B: B.ps1, B.cmd
- Within GPO C: C.ps1, C.cmd
For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for DesktopSales:
- Within GPO B: B.cmd, B.ps1
- Within GPO C: C.cmd, C.ps1
> [!NOTE]
> This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:
>
> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup
> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown
<!-- Run_Computer_PS_Scripts_First-Editable-End -->
<!-- Run_Computer_PS_Scripts_First-DFProperties-Begin -->
@ -214,7 +208,7 @@ Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shut
<!-- Run_Computer_PS_Scripts_First-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -235,347 +229,6 @@ Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shut
<!-- Run_Computer_PS_Scripts_First-End -->
<!-- Run_Logon_Script_Sync_2-Begin -->
## Run_Logon_Script_Sync_2
<!-- Run_Logon_Script_Sync_2-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Run_Logon_Script_Sync_2-Applicability-End -->
<!-- Run_Logon_Script_Sync_2-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_2
```
<!-- Run_Logon_Script_Sync_2-OmaUri-End -->
<!-- Run_Logon_Script_Sync_2-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously.
This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
<!-- Run_Logon_Script_Sync_2-Description-End -->
<!-- Run_Logon_Script_Sync_2-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Run_Logon_Script_Sync_2-Editable-End -->
<!-- Run_Logon_Script_Sync_2-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Run_Logon_Script_Sync_2-DFProperties-End -->
<!-- Run_Logon_Script_Sync_2-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_Logon_Script_Sync |
| Friendly Name | Run logon scripts synchronously |
| Location | Computer Configuration |
| Path | System > Scripts |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | RunLogonScriptSync |
| ADMX File Name | Scripts.admx |
<!-- Run_Logon_Script_Sync_2-AdmxBacked-End -->
<!-- Run_Logon_Script_Sync_2-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Run_Logon_Script_Sync_2-Examples-End -->
<!-- Run_Logon_Script_Sync_2-End -->
<!-- Run_Shutdown_Script_Visible-Begin -->
## Run_Shutdown_Script_Visible
<!-- Run_Shutdown_Script_Visible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Run_Shutdown_Script_Visible-Applicability-End -->
<!-- Run_Shutdown_Script_Visible-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Shutdown_Script_Visible
```
<!-- Run_Shutdown_Script_Visible-OmaUri-End -->
<!-- Run_Shutdown_Script_Visible-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting displays the instructions in shutdown scripts as they run.
Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script.
If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window.
If you disable or do not configure this policy setting, the instructions are suppressed.
<!-- Run_Shutdown_Script_Visible-Description-End -->
<!-- Run_Shutdown_Script_Visible-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Run_Shutdown_Script_Visible-Editable-End -->
<!-- Run_Shutdown_Script_Visible-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Run_Shutdown_Script_Visible-DFProperties-End -->
<!-- Run_Shutdown_Script_Visible-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_Shutdown_Script_Visible |
| Friendly Name | Display instructions in shutdown scripts as they run |
| Location | Computer Configuration |
| Path | System > Scripts |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | HideShutdownScripts |
| ADMX File Name | Scripts.admx |
<!-- Run_Shutdown_Script_Visible-AdmxBacked-End -->
<!-- Run_Shutdown_Script_Visible-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Run_Shutdown_Script_Visible-Examples-End -->
<!-- Run_Shutdown_Script_Visible-End -->
<!-- Run_Startup_Script_Sync-Begin -->
## Run_Startup_Script_Sync
<!-- Run_Startup_Script_Sync-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Run_Startup_Script_Sync-Applicability-End -->
<!-- Run_Startup_Script_Sync-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Sync
```
<!-- Run_Startup_Script_Sync-OmaUri-End -->
<!-- Run_Startup_Script_Sync-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets the system run startup scripts simultaneously.
Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script.
If you enable this policy setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously.
If you disable or do not configure this policy setting, a startup cannot run until the previous script is complete.
Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the ""Run startup scripts visible"" policy setting is enabled or not.
<!-- Run_Startup_Script_Sync-Description-End -->
<!-- Run_Startup_Script_Sync-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Run_Startup_Script_Sync-Editable-End -->
<!-- Run_Startup_Script_Sync-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Run_Startup_Script_Sync-DFProperties-End -->
<!-- Run_Startup_Script_Sync-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_Startup_Script_Sync |
| Friendly Name | Run startup scripts asynchronously |
| Location | Computer Configuration |
| Path | System > Scripts |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | RunStartupScriptSync |
| ADMX File Name | Scripts.admx |
<!-- Run_Startup_Script_Sync-AdmxBacked-End -->
<!-- Run_Startup_Script_Sync-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Run_Startup_Script_Sync-Examples-End -->
<!-- Run_Startup_Script_Sync-End -->
<!-- Run_Startup_Script_Visible-Begin -->
## Run_Startup_Script_Visible
<!-- Run_Startup_Script_Visible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Run_Startup_Script_Visible-Applicability-End -->
<!-- Run_Startup_Script_Visible-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Visible
```
<!-- Run_Startup_Script_Visible-OmaUri-End -->
<!-- Run_Startup_Script_Visible-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting displays the instructions in startup scripts as they run.
Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script.
If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users.
If you disable or do not configure this policy setting, the instructions are suppressed.
Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not.
<!-- Run_Startup_Script_Visible-Description-End -->
<!-- Run_Startup_Script_Visible-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Run_Startup_Script_Visible-Editable-End -->
<!-- Run_Startup_Script_Visible-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Run_Startup_Script_Visible-DFProperties-End -->
<!-- Run_Startup_Script_Visible-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_Startup_Script_Visible |
| Friendly Name | Display instructions in startup scripts as they run |
| Location | Computer Configuration |
| Path | System > Scripts |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | HideStartupScripts |
| ADMX File Name | Scripts.admx |
<!-- Run_Startup_Script_Visible-AdmxBacked-End -->
<!-- Run_Startup_Script_Visible-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Run_Startup_Script_Visible-Examples-End -->
<!-- Run_Startup_Script_Visible-End -->
<!-- Run_User_PS_Scripts_First-Begin -->
## Run_User_PS_Scripts_First
<!-- Run_User_PS_Scripts_First-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Run_User_PS_Scripts_First-Applicability-End -->
<!-- Run_User_PS_Scripts_First-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First
```
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First
```
<!-- Run_User_PS_Scripts_First-OmaUri-End -->
<!-- Run_User_PS_Scripts_First-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts.
If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff.
For example, assume the following scenario:
There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A.
GPO B and GPO C include the following user logon scripts:
GPO B: B.cmd, B.ps1
GPO C: C.cmd, C.ps1
Assume also that there are two users, Qin Hong and Tamara Johnston.
For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin:
Within GPO B: B.ps1, B.cmd
Within GPO C: C.ps1, C.cmd
For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara:
Within GPO B: B.cmd, B.ps1
Within GPO C: C.cmd, C.ps1
Note: This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:
User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon
User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff
This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User Configuration.
<!-- Run_User_PS_Scripts_First-Description-End -->
<!-- Run_User_PS_Scripts_First-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Run_User_PS_Scripts_First-Editable-End -->
<!-- Run_User_PS_Scripts_First-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Run_User_PS_Scripts_First-DFProperties-End -->
<!-- Run_User_PS_Scripts_First-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_User_PS_Scripts_First |
| Friendly Name | Run Windows PowerShell scripts first at user logon, logoff |
| Location | Computer and User Configuration |
| Path | System > Scripts |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | RunUserPSScriptsFirst |
| ADMX File Name | Scripts.admx |
<!-- Run_User_PS_Scripts_First-AdmxBacked-End -->
<!-- Run_User_PS_Scripts_First-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Run_User_PS_Scripts_First-Examples-End -->
<!-- Run_User_PS_Scripts_First-End -->
<!-- Run_Legacy_Logon_Script_Hidden-Begin -->
## Run_Legacy_Logon_Script_Hidden
@ -597,9 +250,9 @@ This policy setting hides the instructions in logon scripts written for Windows
Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000.
If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier.
- If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier.
If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier.
- If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier.
Also, see the "Run Logon Scripts Visible" setting.
<!-- Run_Legacy_Logon_Script_Hidden-Description-End -->
@ -619,7 +272,7 @@ Also, see the "Run Logon Scripts Visible" setting.
<!-- Run_Legacy_Logon_Script_Hidden-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -661,9 +314,9 @@ This policy setting displays the instructions in logoff scripts as they run.
Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script.
If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.
- If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.
If you disable or do not configure this policy setting, the instructions are suppressed.
- If you disable or do not configure this policy setting, the instructions are suppressed.
<!-- Run_Logoff_Script_Visible-Description-End -->
<!-- Run_Logoff_Script_Visible-Editable-Begin -->
@ -681,7 +334,7 @@ If you disable or do not configure this policy setting, the instructions are sup
<!-- Run_Logoff_Script_Visible-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -721,9 +374,9 @@ If you disable or do not configure this policy setting, the instructions are sup
<!-- Description-Source-ADMX -->
This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
- If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously.
- If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously.
This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
<!-- Run_Logon_Script_Sync_1-Description-End -->
@ -743,13 +396,13 @@ This policy setting appears in the Computer Configuration and User Configuration
<!-- Run_Logon_Script_Sync_1-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_Logon_Script_Sync |
| Name | Run_Logon_Script_Sync_1 |
| Friendly Name | Run logon scripts synchronously |
| Location | User Configuration |
| Path | System > Scripts |
@ -764,6 +417,68 @@ This policy setting appears in the Computer Configuration and User Configuration
<!-- Run_Logon_Script_Sync_1-End -->
<!-- Run_Logon_Script_Sync_2-Begin -->
## Run_Logon_Script_Sync_2
<!-- Run_Logon_Script_Sync_2-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Run_Logon_Script_Sync_2-Applicability-End -->
<!-- Run_Logon_Script_Sync_2-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_2
```
<!-- Run_Logon_Script_Sync_2-OmaUri-End -->
<!-- Run_Logon_Script_Sync_2-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop.
- If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop.
- If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously.
This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration.
<!-- Run_Logon_Script_Sync_2-Description-End -->
<!-- Run_Logon_Script_Sync_2-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Run_Logon_Script_Sync_2-Editable-End -->
<!-- Run_Logon_Script_Sync_2-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Run_Logon_Script_Sync_2-DFProperties-End -->
<!-- Run_Logon_Script_Sync_2-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_Logon_Script_Sync_2 |
| Friendly Name | Run logon scripts synchronously |
| Location | Computer Configuration |
| Path | System > Scripts |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | RunLogonScriptSync |
| ADMX File Name | Scripts.admx |
<!-- Run_Logon_Script_Sync_2-AdmxBacked-End -->
<!-- Run_Logon_Script_Sync_2-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Run_Logon_Script_Sync_2-Examples-End -->
<!-- Run_Logon_Script_Sync_2-End -->
<!-- Run_Logon_Script_Visible-Begin -->
## Run_Logon_Script_Visible
@ -785,9 +500,9 @@ This policy setting displays the instructions in logon scripts as they run.
Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts.
If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.
- If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users.
If you disable or do not configure this policy setting, the instructions are suppressed.
- If you disable or do not configure this policy setting, the instructions are suppressed.
<!-- Run_Logon_Script_Visible-Description-End -->
<!-- Run_Logon_Script_Visible-Editable-Begin -->
@ -805,7 +520,7 @@ If you disable or do not configure this policy setting, the instructions are sup
<!-- Run_Logon_Script_Visible-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -826,6 +541,281 @@ If you disable or do not configure this policy setting, the instructions are sup
<!-- Run_Logon_Script_Visible-End -->
<!-- Run_Shutdown_Script_Visible-Begin -->
## Run_Shutdown_Script_Visible
<!-- Run_Shutdown_Script_Visible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Run_Shutdown_Script_Visible-Applicability-End -->
<!-- Run_Shutdown_Script_Visible-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Shutdown_Script_Visible
```
<!-- Run_Shutdown_Script_Visible-OmaUri-End -->
<!-- Run_Shutdown_Script_Visible-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting displays the instructions in shutdown scripts as they run.
Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script.
- If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window.
- If you disable or do not configure this policy setting, the instructions are suppressed.
<!-- Run_Shutdown_Script_Visible-Description-End -->
<!-- Run_Shutdown_Script_Visible-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Run_Shutdown_Script_Visible-Editable-End -->
<!-- Run_Shutdown_Script_Visible-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Run_Shutdown_Script_Visible-DFProperties-End -->
<!-- Run_Shutdown_Script_Visible-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_Shutdown_Script_Visible |
| Friendly Name | Display instructions in shutdown scripts as they run |
| Location | Computer Configuration |
| Path | System > Scripts |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | HideShutdownScripts |
| ADMX File Name | Scripts.admx |
<!-- Run_Shutdown_Script_Visible-AdmxBacked-End -->
<!-- Run_Shutdown_Script_Visible-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Run_Shutdown_Script_Visible-Examples-End -->
<!-- Run_Shutdown_Script_Visible-End -->
<!-- Run_Startup_Script_Sync-Begin -->
## Run_Startup_Script_Sync
<!-- Run_Startup_Script_Sync-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Run_Startup_Script_Sync-Applicability-End -->
<!-- Run_Startup_Script_Sync-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Sync
```
<!-- Run_Startup_Script_Sync-OmaUri-End -->
<!-- Run_Startup_Script_Sync-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting lets the system run startup scripts simultaneously.
Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script.
- If you enable this policy setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously.
- If you disable or do not configure this policy setting, a startup cannot run until the previous script is complete.
> [!NOTE]
> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the "Run startup scripts visible" policy setting is enabled or not.
<!-- Run_Startup_Script_Sync-Description-End -->
<!-- Run_Startup_Script_Sync-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Run_Startup_Script_Sync-Editable-End -->
<!-- Run_Startup_Script_Sync-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Run_Startup_Script_Sync-DFProperties-End -->
<!-- Run_Startup_Script_Sync-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_Startup_Script_Sync |
| Friendly Name | Run startup scripts asynchronously |
| Location | Computer Configuration |
| Path | System > Scripts |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | RunStartupScriptSync |
| ADMX File Name | Scripts.admx |
<!-- Run_Startup_Script_Sync-AdmxBacked-End -->
<!-- Run_Startup_Script_Sync-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Run_Startup_Script_Sync-Examples-End -->
<!-- Run_Startup_Script_Sync-End -->
<!-- Run_Startup_Script_Visible-Begin -->
## Run_Startup_Script_Visible
<!-- Run_Startup_Script_Visible-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :x: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Run_Startup_Script_Visible-Applicability-End -->
<!-- Run_Startup_Script_Visible-OmaUri-Begin -->
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Visible
```
<!-- Run_Startup_Script_Visible-OmaUri-End -->
<!-- Run_Startup_Script_Visible-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting displays the instructions in startup scripts as they run.
Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script.
- If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users.
- If you disable or do not configure this policy setting, the instructions are suppressed.
> [!NOTE]
> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not.
<!-- Run_Startup_Script_Visible-Description-End -->
<!-- Run_Startup_Script_Visible-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- Run_Startup_Script_Visible-Editable-End -->
<!-- Run_Startup_Script_Visible-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Run_Startup_Script_Visible-DFProperties-End -->
<!-- Run_Startup_Script_Visible-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_Startup_Script_Visible |
| Friendly Name | Display instructions in startup scripts as they run |
| Location | Computer Configuration |
| Path | System > Scripts |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | HideStartupScripts |
| ADMX File Name | Scripts.admx |
<!-- Run_Startup_Script_Visible-AdmxBacked-End -->
<!-- Run_Startup_Script_Visible-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Run_Startup_Script_Visible-Examples-End -->
<!-- Run_Startup_Script_Visible-End -->
<!-- Run_User_PS_Scripts_First-Begin -->
## Run_User_PS_Scripts_First
<!-- Run_User_PS_Scripts_First-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- Run_User_PS_Scripts_First-Applicability-End -->
<!-- Run_User_PS_Scripts_First-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First
```
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First
```
<!-- Run_User_PS_Scripts_First-OmaUri-End -->
<!-- Run_User_PS_Scripts_First-Description-Begin -->
<!-- Description-Source-Manual-Forced -->
<!-- Run_User_PS_Scripts_First-Description-End -->
<!-- Run_User_PS_Scripts_First-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff.
For example, assume the following scenario:
There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the following user logon scripts:
- GPO B: B.cmd, B.ps1
- GPO C: C.cmd, C.ps1
Assume also that there are two users, Qin Hong and Tamara Johnston. For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin:
- Within GPO B: B.ps1, B.cmd
- Within GPO C: C.ps1, C.cmd
For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara:
- Within GPO B: B.cmd, B.ps1
- Within GPO C: C.cmd, C.ps1
> [!NOTE]
> This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO:
>
> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon
> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff
<!-- Run_User_PS_Scripts_First-Editable-End -->
<!-- Run_User_PS_Scripts_First-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- Run_User_PS_Scripts_First-DFProperties-End -->
<!-- Run_User_PS_Scripts_First-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | Run_User_PS_Scripts_First |
| Friendly Name | Run Windows PowerShell scripts first at user logon, logoff |
| Location | Computer and User Configuration |
| Path | System > Scripts |
| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System |
| Registry Value Name | RunUserPSScriptsFirst |
| ADMX File Name | Scripts.admx |
<!-- Run_User_PS_Scripts_First-AdmxBacked-End -->
<!-- Run_User_PS_Scripts_First-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- Run_User_PS_Scripts_First-Examples-End -->
<!-- Run_User_PS_Scripts_First-End -->
<!-- ADMX_Scripts-CspMoreInfo-Begin -->
<!-- Add any additional information about this CSP here. Anything outside this section will get overwritten. -->
<!-- ADMX_Scripts-CspMoreInfo-End -->

1479
windows/client-management/mdm/policy-csp-admx-startmenu.md
View File

File diff suppressed because it is too large Load Diff

265
windows/client-management/mdm/policy-csp-admx-taskbar.md
View File

@ -4,7 +4,7 @@ description: Learn more about the ADMX_Taskbar Area in Policy CSP
author: vinaypamnani-msft
manager: aaroncz
ms.author: vinpa
ms.date: 01/04/2023
ms.date: 01/06/2023
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-manage
@ -17,9 +17,7 @@ ms.topic: reference
# Policy CSP - ADMX_Taskbar
> [!TIP]
> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@ -52,9 +50,9 @@ This policy setting removes Notifications and Action Center from the notificatio
The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock.
If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they wont be able to review any notifications they miss.
- If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they won't be able to review any notifications they miss.
If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar.
- If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar.
A reboot is required for this policy setting to take effect.
<!-- DisableNotificationCenter-Description-End -->
@ -74,7 +72,7 @@ A reboot is required for this policy setting to take effect.
<!-- DisableNotificationCenter-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -95,70 +93,6 @@ A reboot is required for this policy setting to take effect.
<!-- DisableNotificationCenter-End -->
<!-- TaskbarNoPinnedList-Begin -->
## TaskbarNoPinnedList
<!-- TaskbarNoPinnedList-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- TaskbarNoPinnedList-Applicability-End -->
<!-- TaskbarNoPinnedList-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList
```
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList
```
<!-- TaskbarNoPinnedList-OmaUri-End -->
<!-- TaskbarNoPinnedList-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to remove pinned programs from the taskbar.
If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar.
If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar.
<!-- TaskbarNoPinnedList-Description-End -->
<!-- TaskbarNoPinnedList-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TaskbarNoPinnedList-Editable-End -->
<!-- TaskbarNoPinnedList-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- TaskbarNoPinnedList-DFProperties-End -->
<!-- TaskbarNoPinnedList-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | TaskbarNoPinnedList |
| Friendly Name | Remove pinned programs from the Taskbar |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | TaskbarNoPinnedList |
| ADMX File Name | Taskbar.admx |
<!-- TaskbarNoPinnedList-AdmxBacked-End -->
<!-- TaskbarNoPinnedList-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TaskbarNoPinnedList-Examples-End -->
<!-- TaskbarNoPinnedList-End -->
<!-- EnableLegacyBalloonNotifications-Begin -->
## EnableLegacyBalloonNotifications
@ -178,11 +112,11 @@ If you disable or do not configure this policy setting, users can pin programs s
<!-- Description-Source-ADMX -->
This policy disables the functionality that converts balloons to toast notifications.
If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications.
- If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications.
Enable this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications.
If you disable or dont configure this policy setting, all notifications will appear as toast notifications.
- If you disable or don't configure this policy setting, all notifications will appear as toast notifications.
A reboot is required for this policy setting to take effect.
<!-- EnableLegacyBalloonNotifications-Description-End -->
@ -202,7 +136,7 @@ A reboot is required for this policy setting to take effect.
<!-- EnableLegacyBalloonNotifications-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -242,9 +176,9 @@ A reboot is required for this policy setting to take effect.
<!-- Description-Source-ADMX -->
This policy setting allows you to remove Security and Maintenance from the system control area.
If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area.
- If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area.
If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area.
- If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area.
<!-- HideSCAHealth-Description-End -->
<!-- HideSCAHealth-Editable-Begin -->
@ -262,7 +196,7 @@ If you disable or do not configure this policy setting, the Security and Mainten
<!-- HideSCAHealth-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -302,9 +236,9 @@ If you disable or do not configure this policy setting, the Security and Mainten
<!-- Description-Source-ADMX -->
This policy setting allows you to remove the networking icon from the system control area.
If you enable this policy setting, the networking icon is not displayed in the system notification area.
- If you enable this policy setting, the networking icon is not displayed in the system notification area.
If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area.
- If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area.
<!-- HideSCANetwork-Description-End -->
<!-- HideSCANetwork-Editable-Begin -->
@ -322,7 +256,7 @@ If you disable or do not configure this policy setting, the networking icon is d
<!-- HideSCANetwork-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -362,9 +296,9 @@ If you disable or do not configure this policy setting, the networking icon is d
<!-- Description-Source-ADMX -->
This policy setting allows you to remove the battery meter from the system control area.
If you enable this policy setting, the battery meter is not displayed in the system notification area.
- If you enable this policy setting, the battery meter is not displayed in the system notification area.
If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area.
- If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area.
<!-- HideSCAPower-Description-End -->
<!-- HideSCAPower-Editable-Begin -->
@ -382,13 +316,13 @@ If you disable or do not configure this policy setting, the battery meter is dis
<!-- HideSCAPower-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | HideSCABattery |
| Name | HideSCAPower |
| Friendly Name | Remove the battery meter |
| Location | User Configuration |
| Path | Start Menu and Taskbar |
@ -422,9 +356,9 @@ If you disable or do not configure this policy setting, the battery meter is dis
<!-- Description-Source-ADMX -->
This policy setting allows you to remove the volume control icon from the system control area.
If you enable this policy setting, the volume control icon is not displayed in the system notification area.
- If you enable this policy setting, the volume control icon is not displayed in the system notification area.
If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area.
- If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area.
<!-- HideSCAVolume-Description-End -->
<!-- HideSCAVolume-Editable-Begin -->
@ -442,7 +376,7 @@ If you disable or do not configure this policy setting, the volume control icon
<!-- HideSCAVolume-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -482,7 +416,7 @@ If you disable or do not configure this policy setting, the volume control icon
<!-- Description-Source-ADMX -->
This policy setting allows you to turn off feature advertisement balloon notifications.
If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown.
- If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown.
If you disable do not configure this policy setting, feature advertisement balloons are shown.
<!-- NoBalloonFeatureAdvertisements-Description-End -->
@ -502,7 +436,7 @@ If you disable do not configure this policy setting, feature advertisement ballo
<!-- NoBalloonFeatureAdvertisements-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -542,9 +476,9 @@ If you disable do not configure this policy setting, feature advertisement ballo
<!-- Description-Source-ADMX -->
This policy setting allows you to control pinning the Store app to the Taskbar.
If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login.
- If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login.
If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar.
- If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar.
<!-- NoPinningStoreToTaskbar-Description-End -->
<!-- NoPinningStoreToTaskbar-Editable-Begin -->
@ -562,7 +496,7 @@ If you disable or do not configure this policy setting, users can pin the Store
<!-- NoPinningStoreToTaskbar-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -602,9 +536,9 @@ If you disable or do not configure this policy setting, users can pin the Store
<!-- Description-Source-ADMX -->
This policy setting allows you to control pinning items in Jump Lists.
If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show.
- If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show.
If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu.
- If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu.
<!-- NoPinningToDestinations-Description-End -->
<!-- NoPinningToDestinations-Editable-Begin -->
@ -622,7 +556,7 @@ If you disable or do not configure this policy setting, users can pin files, fol
<!-- NoPinningToDestinations-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -662,9 +596,9 @@ If you disable or do not configure this policy setting, users can pin files, fol
<!-- Description-Source-ADMX -->
This policy setting allows you to control pinning programs to the Taskbar.
If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar.
- If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar.
If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar.
- If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar.
<!-- NoPinningToTaskbar-Description-End -->
<!-- NoPinningToTaskbar-Editable-Begin -->
@ -682,7 +616,7 @@ If you disable or do not configure this policy setting, users can change the pro
<!-- NoPinningToTaskbar-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -724,11 +658,12 @@ This policy setting allows you to control displaying or tracking items in Jump L
The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks.
If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections.
- If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections.
If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer.
- If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer.
Note: This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the ""Do not allow pinning items in Jump Lists"" policy setting.
> [!NOTE]
> This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the "Do not allow pinning items in Jump Lists" policy setting.
<!-- NoRemoteDestinations-Description-End -->
<!-- NoRemoteDestinations-Editable-Begin -->
@ -746,7 +681,7 @@ Note: This setting does not prevent Windows from displaying remote files that th
<!-- NoRemoteDestinations-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -786,9 +721,9 @@ Note: This setting does not prevent Windows from displaying remote files that th
<!-- Description-Source-ADMX -->
This policy setting allows you to turn off automatic promotion of notification icons to the taskbar.
If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel.
- If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel.
If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar.
- If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar.
<!-- NoSystraySystemPromotion-Description-End -->
<!-- NoSystraySystemPromotion-Editable-Begin -->
@ -806,7 +741,7 @@ If you disable or do not configure this policy setting, newly added notification
<!-- NoSystraySystemPromotion-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -846,11 +781,11 @@ If you disable or do not configure this policy setting, newly added notification
<!-- Description-Source-ADMX -->
This policy setting allows users to see Windows Store apps on the taskbar.
If you enable this policy setting, users will see Windows Store apps on the taskbar.
- If you enable this policy setting, users will see Windows Store apps on the taskbar.
If you disable this policy setting, users wont see Windows Store apps on the taskbar.
- If you disable this policy setting, users won't see Windows Store apps on the taskbar.
If you dont configure this policy setting, the default setting for the users device will be used, and the user can choose to change it.
- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it.
<!-- ShowWindowsStoreAppsOnTaskbar-Description-End -->
<!-- ShowWindowsStoreAppsOnTaskbar-Editable-Begin -->
@ -868,7 +803,7 @@ If you dont configure this policy setting, the default setting for the user
<!-- ShowWindowsStoreAppsOnTaskbar-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -908,9 +843,9 @@ If you dont configure this policy setting, the default setting for the user
<!-- Description-Source-ADMX -->
This policy setting allows you to lock all taskbar settings.
If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar.
- If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar.
If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting.
- If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting.
<!-- TaskbarLockAll-Description-End -->
<!-- TaskbarLockAll-Editable-Begin -->
@ -928,7 +863,7 @@ If you disable or do not configure this policy setting, the user will be able to
<!-- TaskbarLockAll-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -968,9 +903,9 @@ If you disable or do not configure this policy setting, the user will be able to
<!-- Description-Source-ADMX -->
This policy setting allows you to prevent users from adding or removing toolbars.
If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either.
- If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either.
If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar.
- If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar.
<!-- TaskbarNoAddRemoveToolbar-Description-End -->
<!-- TaskbarNoAddRemoveToolbar-Editable-Begin -->
@ -988,7 +923,7 @@ If you disable or do not configure this policy setting, the users and applicatio
<!-- TaskbarNoAddRemoveToolbar-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1028,9 +963,9 @@ If you disable or do not configure this policy setting, the users and applicatio
<!-- Description-Source-ADMX -->
This policy setting allows you to prevent users from rearranging toolbars.
If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar.
- If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar.
If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar.
- If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar.
<!-- TaskbarNoDragToolbar-Description-End -->
<!-- TaskbarNoDragToolbar-Editable-Begin -->
@ -1048,7 +983,7 @@ If you disable or do not configure this policy setting, users are able to rearra
<!-- TaskbarNoDragToolbar-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1088,9 +1023,9 @@ If you disable or do not configure this policy setting, users are able to rearra
<!-- Description-Source-ADMX -->
This policy setting allows you to prevent taskbars from being displayed on more than one monitor.
If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog.
- If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog.
If you disable or do not configure this policy setting, users can show taskbars on more than one display.
- If you disable or do not configure this policy setting, users can show taskbars on more than one display.
<!-- TaskbarNoMultimon-Description-End -->
<!-- TaskbarNoMultimon-Editable-Begin -->
@ -1108,7 +1043,7 @@ If you disable or do not configure this policy setting, users can show taskbars
<!-- TaskbarNoMultimon-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1148,9 +1083,9 @@ If you disable or do not configure this policy setting, users can show taskbars
<!-- Description-Source-ADMX -->
This policy setting allows you to turn off all notification balloons.
If you enable this policy setting, no notification balloons are shown to the user.
- If you enable this policy setting, no notification balloons are shown to the user.
If you disable or do not configure this policy setting, notification balloons are shown to the user.
- If you disable or do not configure this policy setting, notification balloons are shown to the user.
<!-- TaskbarNoNotification-Description-End -->
<!-- TaskbarNoNotification-Editable-Begin -->
@ -1168,7 +1103,7 @@ If you disable or do not configure this policy setting, notification balloons ar
<!-- TaskbarNoNotification-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1189,6 +1124,70 @@ If you disable or do not configure this policy setting, notification balloons ar
<!-- TaskbarNoNotification-End -->
<!-- TaskbarNoPinnedList-Begin -->
## TaskbarNoPinnedList
<!-- TaskbarNoPinnedList-Applicability-Begin -->
| Scope | Editions | Applicable OS |
|:--|:--|:--|
| :heavy_check_mark: Device <br> :heavy_check_mark: User | :x: Home <br> :heavy_check_mark: Pro <br> :heavy_check_mark: Enterprise <br> :heavy_check_mark: Education <br> :heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later <br> :heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later <br> :heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later <br> :heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
<!-- TaskbarNoPinnedList-Applicability-End -->
<!-- TaskbarNoPinnedList-OmaUri-Begin -->
```User
./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList
```
```Device
./Device/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList
```
<!-- TaskbarNoPinnedList-OmaUri-End -->
<!-- TaskbarNoPinnedList-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to remove pinned programs from the taskbar.
- If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar.
- If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar.
<!-- TaskbarNoPinnedList-Description-End -->
<!-- TaskbarNoPinnedList-Editable-Begin -->
<!-- Add any additional information about this policy here. Anything outside this section will get overwritten. -->
<!-- TaskbarNoPinnedList-Editable-End -->
<!-- TaskbarNoPinnedList-DFProperties-Begin -->
**Description framework properties**:
| Property name | Property value |
|:--|:--|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
<!-- TaskbarNoPinnedList-DFProperties-End -->
<!-- TaskbarNoPinnedList-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
| Name | Value |
|:--|:--|
| Name | TaskbarNoPinnedList |
| Friendly Name | Remove pinned programs from the Taskbar |
| Location | Computer and User Configuration |
| Path | Start Menu and Taskbar |
| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer |
| Registry Value Name | TaskbarNoPinnedList |
| ADMX File Name | Taskbar.admx |
<!-- TaskbarNoPinnedList-AdmxBacked-End -->
<!-- TaskbarNoPinnedList-Examples-Begin -->
<!-- Add any examples for this policy here. Examples outside this section will get overwritten. -->
<!-- TaskbarNoPinnedList-Examples-End -->
<!-- TaskbarNoPinnedList-End -->
<!-- TaskbarNoRedock-Begin -->
## TaskbarNoRedock
@ -1208,9 +1207,9 @@ If you disable or do not configure this policy setting, notification balloons ar
<!-- Description-Source-ADMX -->
This policy setting allows you to prevent users from moving taskbar to another screen dock location.
If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s).
- If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s).
If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting.
- If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting.
<!-- TaskbarNoRedock-Description-End -->
<!-- TaskbarNoRedock-Editable-Begin -->
@ -1228,7 +1227,7 @@ If you disable or do not configure this policy setting, users are able to drag t
<!-- TaskbarNoRedock-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1268,9 +1267,9 @@ If you disable or do not configure this policy setting, users are able to drag t
<!-- Description-Source-ADMX -->
This policy setting allows you to prevent users from resizing the taskbar.
If you enable this policy setting, users are not be able to resize their taskbar.
- If you enable this policy setting, users are not be able to resize their taskbar.
If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting.
- If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting.
<!-- TaskbarNoResize-Description-End -->
<!-- TaskbarNoResize-Editable-Begin -->
@ -1288,7 +1287,7 @@ If you disable or do not configure this policy setting, users are able to resize
<!-- TaskbarNoResize-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:
@ -1328,9 +1327,9 @@ If you disable or do not configure this policy setting, users are able to resize
<!-- Description-Source-ADMX -->
This policy setting allows you to turn off taskbar thumbnails.
If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips.
- If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips.
If you disable or do not configure this policy setting, the taskbar thumbnails are displayed.
- If you disable or do not configure this policy setting, the taskbar thumbnails are displayed.
<!-- TaskbarNoThumbnail-Description-End -->
<!-- TaskbarNoThumbnail-Editable-Begin -->
@ -1348,7 +1347,7 @@ If you disable or do not configure this policy setting, the taskbar thumbnails a
<!-- TaskbarNoThumbnail-AdmxBacked-Begin -->
> [!TIP]
> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
**ADMX mapping**:

345
windows/client-management/mdm/policy-csp-admx-terminalserver.md
View File

@ -108,9 +108,9 @@ This policy setting lets you control the redirection of video capture devices to
By default, Remote Desktop Services allows redirection of video capture devices.
If you enable this policy setting, users cannot redirect their video capture devices to the remote computer.
- If you enable this policy setting, users cannot redirect their video capture devices to the remote computer.
If you disable or do not configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer.
- If you disable or do not configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer.
<!-- TS_CAMERA_REDIRECTION-Description-End -->
<!-- TS_CAMERA_REDIRECTION-Editable-Begin -->
@ -170,7 +170,7 @@ This policy setting allows you to specify the name of the certificate template t
A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections.
If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected.
- If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected.
If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected.
@ -234,9 +234,9 @@ If you disable or do not configure this policy, the certificate template name is
<!-- Description-Source-ADMX -->
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file).
If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect.
- If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect.
If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked.
- If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked.
> [!NOTE]
> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected.
@ -297,9 +297,9 @@ If you disable this policy setting, users cannot run .rdp files that are signed
<!-- Description-Source-ADMX -->
This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file).
If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect.
- If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect.
If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked.
- If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked.
> [!NOTE]
> You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected.
@ -360,9 +360,9 @@ If you disable this policy setting, users cannot run .rdp files that are signed
<!-- Description-Source-ADMX -->
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer.
If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect.
- If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect.
If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked.
- If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked.
<!-- TS_CLIENT_ALLOW_UNSIGNED_FILES_1-Description-End -->
<!-- TS_CLIENT_ALLOW_UNSIGNED_FILES_1-Editable-Begin -->
@ -420,9 +420,9 @@ If you disable this policy setting, users cannot run unsigned .rdp files and .rd
<!-- Description-Source-ADMX -->
This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer.
If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect.
- If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect.
If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked.
- If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked.
<!-- TS_CLIENT_ALLOW_UNSIGNED_FILES_2-Description-End -->
<!-- TS_CLIENT_ALLOW_UNSIGNED_FILES_2-Editable-Begin -->
@ -483,11 +483,11 @@ Users can specify where to play the remote computer's audio output by configurin
By default, audio and video playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional.
If you enable this policy setting, audio and video playback redirection is allowed.
- If you enable this policy setting, audio and video playback redirection is allowed.
If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file.
- If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file.
If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level.
- If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level.
<!-- TS_CLIENT_AUDIO-Description-End -->
<!-- TS_CLIENT_AUDIO-Editable-Begin -->
@ -548,11 +548,11 @@ Users can specify whether to record audio to the remote computer by configuring
By default, audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2.
If you enable this policy setting, audio recording redirection is allowed.
- If you enable this policy setting, audio recording redirection is allowed.
If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC.
- If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC.
If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level.
- If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level.
<!-- TS_CLIENT_AUDIO_CAPTURE-Description-End -->
<!-- TS_CLIENT_AUDIO_CAPTURE-Editable-Begin -->
@ -610,13 +610,13 @@ If you do not configure this policy setting, Audio recording redirection is not
<!-- Description-Source-ADMX -->
This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links.
If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection.
- If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection.
The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used.
Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic.
If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic.
- If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic.
<!-- TS_CLIENT_AUDIO_QUALITY-Description-End -->
<!-- TS_CLIENT_AUDIO_QUALITY-Editable-Begin -->
@ -675,11 +675,11 @@ This policy setting specifies whether to prevent the sharing of Clipboard conten
You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection.
If you enable this policy setting, users cannot redirect Clipboard data.
- If you enable this policy setting, users cannot redirect Clipboard data.
If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection.
- If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection.
If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level.
- If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level.
<!-- TS_CLIENT_CLIPBOARD-Description-End -->
<!-- TS_CLIENT_CLIPBOARD-Editable-Begin -->
@ -739,11 +739,11 @@ This policy setting specifies whether to prevent the redirection of data to clie
You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection.
If you enable this policy setting, users cannot redirect server data to the local COM port.
- If you enable this policy setting, users cannot redirect server data to the local COM port.
If you disable this policy setting, Remote Desktop Services always allows COM port redirection.
- If you disable this policy setting, Remote Desktop Services always allows COM port redirection.
If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level.
- If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level.
<!-- TS_CLIENT_COM-Description-End -->
<!-- TS_CLIENT_COM-Editable-Begin -->
@ -803,11 +803,11 @@ This policy setting allows you to specify whether the client default printer is
By default, Remote Desktop Services automatically designates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to override this behavior.
If you enable this policy setting, the default printer is the printer specified on the remote computer.
- If you enable this policy setting, the default printer is the printer specified on the remote computer.
If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection.
- If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection.
If you do not configure this policy setting, the default printer is not specified at the Group Policy level.
- If you do not configure this policy setting, the default printer is not specified at the Group Policy level.
<!-- TS_CLIENT_DEFAULT_M-Description-End -->
<!-- TS_CLIENT_DEFAULT_M-Editable-Begin -->
@ -983,11 +983,11 @@ This policy setting specifies whether to prevent the redirection of data to clie
You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection.
If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port.
- If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port.
If you disable this policy setting, LPT port redirection is always allowed.
- If you disable this policy setting, LPT port redirection is always allowed.
If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level.
- If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level.
<!-- TS_CLIENT_LPT-Description-End -->
<!-- TS_CLIENT_LPT-Editable-Begin -->
@ -1047,9 +1047,10 @@ This policy setting lets you control the redirection of supported Plug and Play
By default, Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices.
If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer.
- If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer.
If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions.
- If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer.
- If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions.
> [!NOTE]
> You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings.
@ -1112,11 +1113,11 @@ This policy setting allows you to specify whether to prevent the mapping of clie
You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping.
If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions.
- If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions.
If you disable this policy setting, users can redirect print jobs with client printer mapping.
- If you disable this policy setting, users can redirect print jobs with client printer mapping.
If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level.
- If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level.
<!-- TS_CLIENT_PRINTER-Description-End -->
<!-- TS_CLIENT_PRINTER-Editable-Begin -->
@ -1174,9 +1175,9 @@ If you do not configure this policy setting, client printer mapping is not speci
<!-- Description-Source-ADMX -->
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers.
If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field.
- If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field.
If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher.
- If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher.
**Note**:
@ -1241,9 +1242,9 @@ If the list contains a string that is not a certificate thumbprint, it is ignore
<!-- Description-Source-ADMX -->
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers.
If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field.
- If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field.
If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher.
- If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher.
**Note**:
@ -1308,9 +1309,9 @@ If the list contains a string that is not a certificate thumbprint, it is ignore
<!-- Description-Source-ADMX -->
This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol.
If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol.
- If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol.
If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols.
- If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols.
<!-- TS_CLIENT_TURN_OFF_UDP-Description-End -->
<!-- TS_CLIENT_TURN_OFF_UDP-Editable-Begin -->
@ -1370,9 +1371,9 @@ This policy setting allows you to specify the maximum color resolution (color de
You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load.
If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used.
- If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used.
If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level.
- If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level.
**Note**:
@ -1444,9 +1445,9 @@ This policy setting allows you to limit the size of the entire roaming user prof
> [!NOTE]
> If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles.
If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified.
- If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified.
If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive.
- If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive.
> [!NOTE]
> This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled.
@ -1571,11 +1572,11 @@ If the status is set to Not Configured, the default behavior applies.
<!-- Description-Source-ADMX -->
This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions.
If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter.
- If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter.
If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter.
- If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter.
If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default.
- If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default.
NOTE: The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affected by this policy setting.
<!-- TS_DX_USE_FULL_HWGPU-Description-End -->
@ -1635,9 +1636,9 @@ NOTE: The policy setting enables load-balancing of graphics processing units (GP
<!-- Description-Source-ADMX -->
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers.
If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session.
- If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session.
If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session.
- If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session.
> [!NOTE]
> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored.
@ -1698,9 +1699,9 @@ If you disable this policy setting, the RD Session Host server tries to find a s
<!-- Description-Source-ADMX -->
This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers.
If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session.
- If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session.
If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session.
- If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session.
> [!NOTE]
> If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored.
@ -1765,11 +1766,11 @@ When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user
When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme.
If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1.
- If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1.
If you disable this policy setting, RemoteFX will be disabled.
- If you disable this policy setting, RemoteFX will be disabled.
If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled.
- If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled.
<!-- TS_EnableVirtualGraphics-Description-End -->
<!-- TS_EnableVirtualGraphics-Editable-Begin -->
@ -1829,7 +1830,7 @@ This policy setting allows you to specify the RD Session Host server fallback pr
By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session.
If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are:
- If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are:
"Do nothing if one is not found" - If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior.
@ -1839,9 +1840,9 @@ If you enable this policy setting, the fallback printer driver is enabled, and t
"Show both PCL and PS if one is not found" - If no suitable driver can be found, show both PS and PCL-based fallback printer drivers.
If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver.
- If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver.
If you do not configure this policy setting, the fallback printer driver behavior is off by default.
- If you do not configure this policy setting, the fallback printer driver behavior is off by default.
> [!NOTE]
> If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled.
@ -1904,9 +1905,9 @@ This policy setting determines whether an administrator attempting to connect re
This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost.
If you enable this policy setting, logging off the connected administrator is not allowed.
- If you enable this policy setting, logging off the connected administrator is not allowed.
If you disable or do not configure this policy setting, logging off the connected administrator is allowed.
- If you disable or do not configure this policy setting, logging off the connected administrator is allowed.
> [!NOTE]
> The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line.
@ -1969,7 +1970,7 @@ Specifies the authentication method that clients must use when attempting to con
To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default.
If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication.
- If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication.
<!-- TS_GATEWAY_POLICY_AUTH_METHOD-Description-End -->
<!-- TS_GATEWAY_POLICY_AUTH_METHOD-Editable-Begin -->
@ -2024,7 +2025,7 @@ If you disable or do not configure this policy setting, the authentication metho
<!-- TS_GATEWAY_POLICY_ENABLE-Description-Begin -->
<!-- Description-Source-ADMX -->
If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting.
- If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting.
You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client.
@ -2033,7 +2034,7 @@ You can enforce this policy setting or you can allow users to overwrite this set
To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default.
If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.
- If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server.
<!-- TS_GATEWAY_POLICY_ENABLE-Description-End -->
<!-- TS_GATEWAY_POLICY_ENABLE-Editable-Begin -->
@ -2156,13 +2157,14 @@ This policy setting allows you to specify whether the RD Session Host server sho
If the policy setting is enabled, the RD Session Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting.
If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker.
- If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker.
If the policy setting is not configured, the policy setting is not specified at the Group Policy level.
**Note**:
1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings.
1.
- If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings.
2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard.
<!-- TS_JOIN_SESSION_DIRECTORY-Description-End -->
@ -2224,9 +2226,9 @@ This policy setting allows you to enter a keep-alive interval to ensure that the
After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active.
If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999.
- If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999.
If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state.
- If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state.
<!-- TS_KEEP_ALIVE-Description-End -->
<!-- TS_KEEP_ALIVE-Editable-Begin -->
@ -2286,11 +2288,11 @@ This policy setting allows you to specify the RD Session Host servers to which a
You can use this policy setting to control which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default, a license server issues an RDS CAL to any RD Session Host server that requests one.
If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server.
- If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server.
By default, the RDS Endpoint Servers group is empty.
If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting.
- If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting.
> [!NOTE]
> You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain.
@ -2351,13 +2353,13 @@ If you disable or do not configure this policy setting, the Remote Desktop licen
<!-- Description-Source-ADMX -->
This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers.
If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order:
- If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order:
1. Remote Desktop license servers that are published in Active Directory Domain Services.
2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server.
If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level.
- If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level.
<!-- TS_LICENSE_SERVERS-Description-End -->
<!-- TS_LICENSE_SERVERS-Editable-Begin -->
@ -2416,9 +2418,9 @@ This policy setting determines whether notifications are displayed on an RD Sess
By default, notifications are displayed on an RD Session Host server after you log on as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire.
If you enable this policy setting, these notifications will not be displayed on the RD Session Host server.
- If you enable this policy setting, these notifications will not be displayed on the RD Session Host server.
If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator.
- If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator.
<!-- TS_LICENSE_TOOLTIP-Description-End -->
<!-- TS_LICENSE_TOOLTIP-Editable-Begin -->
@ -2481,9 +2483,9 @@ Per User licensing mode requires that each user account connecting to this RD Se
Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from an RD Licensing server.
If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host.
- If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host.
If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level.
- If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level.
<!-- TS_LICENSING_MODE-Description-End -->
<!-- TS_LICENSING_MODE-Editable-Begin -->
@ -2606,9 +2608,9 @@ If the status is set to Disabled or Not Configured, limits to the number of conn
<!-- Description-Source-ADMX -->
This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection performance, particularly over slow links, and reduce server load.
If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session.
- If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session.
If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool.
- If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool.
<!-- TS_MAXDISPLAYRES-Description-End -->
<!-- TS_MAXDISPLAYRES-Editable-Begin -->
@ -2665,9 +2667,9 @@ If you disable or do not configure this policy setting, the maximum resolution t
<!-- Description-Source-ADMX -->
This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection performance, particularly over slow links, and reduce server load.
If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16.
- If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16.
If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level.
- If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level.
<!-- TS_MAXMONITOR-Description-End -->
<!-- TS_MAXMONITOR-Editable-Begin -->
@ -2726,9 +2728,9 @@ This policy setting allows you to remove the "Disconnect" option from the Shut D
You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server.
If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box.
- If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box.
If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box.
- If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box.
> [!NOTE]
> This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting.
@ -2856,9 +2858,9 @@ By default, if the most appropriate RDS CAL is not available for a connection, a
* A client connecting to a Windows Server 2003 terminal server
* A client connecting to a Windows 2000 terminal server
If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired.
- If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired.
If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier.
- If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier.
<!-- TS_PreventLicenseUpgrade-Description-End -->
<!-- TS_PreventLicenseUpgrade-Editable-Begin -->
@ -2916,12 +2918,12 @@ If you disable or do not configure this policy setting, the license server will
<!-- Description-Source-ADMX -->
This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server.
If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials.
- If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials.
> [!NOTE]
> If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration.
If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection.
- If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection.
<!-- TS_PROMT_CREDS_CLIENT_COMP-Description-End -->
<!-- TS_PROMT_CREDS_CLIENT_COMP-Editable-Begin -->
@ -2981,9 +2983,9 @@ This policy setting specifies the default connection URL for RemoteApp and Deskt
The default connection URL must be configured in the form of <https://contoso.com/rdweb/Feed/webfeed.aspx>.
If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL.
- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL.
If you disable or do not configure this policy setting, the user has no default connection URL.
- If you disable or do not configure this policy setting, the user has no default connection URL.
> [!NOTE]
> RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account.
@ -3045,9 +3047,9 @@ This policy setting allows you to specify whether the app registration is comple
By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete.
If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers.
- If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers.
If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background.
- If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background.
<!-- TS_RDSAppX_WaitForRegistration-Description-End -->
<!-- TS_RDSAppX_WaitForRegistration-Editable-Begin -->
@ -3103,7 +3105,7 @@ If you disable or do not configure this policy setting, the Start screen is show
<!-- TS_RemoteControl_1-Description-Begin -->
<!-- Description-Source-ADMX -->
If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list:
- If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list:
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.
2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
@ -3113,7 +3115,7 @@ If you enable this policy setting, administrators can interact with a user's Rem
5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
<!-- TS_RemoteControl_1-Description-End -->
<!-- TS_RemoteControl_1-Editable-Begin -->
@ -3168,7 +3170,7 @@ If you disable this policy setting, administrators can interact with a user's Re
<!-- TS_RemoteControl_2-Description-Begin -->
<!-- Description-Source-ADMX -->
If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list:
- If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list:
1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session.
2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent.
@ -3178,7 +3180,7 @@ If you enable this policy setting, administrators can interact with a user's Rem
5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent.
If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent.
<!-- TS_RemoteControl_2-Description-End -->
<!-- TS_RemoteControl_2-Editable-Begin -->
@ -3239,7 +3241,8 @@ Depending on the requirements of your users, you can reduce network bandwidth us
If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality.
By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior).
By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions.
- If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior).
<!-- TS_RemoteDesktopVirtualGraphics-Description-End -->
<!-- TS_RemoteDesktopVirtualGraphics-Editable-Begin -->
@ -3298,9 +3301,9 @@ This policy setting allows you to specify the name of a farm to join in RD Conne
If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker.
If you enable this policy setting, you must specify the name of a farm in RD Connection Broker.
- If you enable this policy setting, you must specify the name of a farm in RD Connection Broker.
If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level.
- If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level.
**Note**:
@ -3363,11 +3366,11 @@ If you disable or do not configure this policy setting, the farm name is not spe
<!-- Description-Source-ADMX -->
This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server.
If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm.
- If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm.
If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm.
- If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm.
If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default.
- If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default.
**Note**:
@ -3429,9 +3432,9 @@ If you do not configure this policy setting, the Use IP address redirection poli
<!-- Description-Source-ADMX -->
This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server.
If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers.
- If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers.
If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level.
- If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level.
**Note**:
@ -3496,7 +3499,7 @@ If you disable or do not configure this policy setting, the policy setting is no
<!-- Description-Source-ADMX -->
This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections.
If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available:
- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available:
* Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended.
@ -3504,7 +3507,7 @@ If you enable this policy setting, all communications between clients and RD Ses
* SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy.
If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level.
- If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level.
<!-- TS_SECURITY_LAYER_POLICY-Description-End -->
<!-- TS_SECURITY_LAYER_POLICY-Editable-Begin -->
@ -3569,7 +3572,7 @@ If you disable Continuous Network Detect, Remote Desktop Protocol will not try t
If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality.
If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality.
- If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality.
<!-- TS_SELECT_NETWORK_DETECT-Description-End -->
<!-- TS_SELECT_NETWORK_DETECT-Editable-Begin -->
@ -3626,7 +3629,7 @@ If you disable or do not configure this policy setting, Remote Desktop Protocol
<!-- Description-Source-ADMX -->
This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server.
If you enable this policy setting, you must specify if you would like RDP to use UDP.
- If you enable this policy setting, you must specify if you would like RDP to use UDP.
You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)"
@ -3634,7 +3637,7 @@ If you select "Use either UDP or TCP" and the UDP connection is successful, most
If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP.
If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience.
- If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience.
<!-- TS_SELECT_TRANSPORT-Description-End -->
<!-- TS_SELECT_TRANSPORT-Editable-Begin -->
@ -3691,9 +3694,9 @@ If you disable or do not configure this policy setting, RDP will choose the opti
<!-- Description-Source-ADMX -->
This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions.
If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics.
- If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics.
If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics.
- If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics.
<!-- TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP-Description-End -->
<!-- TS_SERVER_ADVANCED_REMOTEFX_REMOTEAPP-Editable-Begin -->
@ -3751,7 +3754,7 @@ If you disable this policy setting, RemoteApp programs published from this RD Se
<!-- Description-Source-ADMX -->
This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server.
If you enable this policy setting, you must specify one of the following settings:
- If you enable this policy setting, you must specify one of the following settings:
Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server.
@ -3759,7 +3762,7 @@ Warn me if authentication fails: The client attempts to authenticate the RD Sess
Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated.
If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server.
- If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server.
<!-- TS_SERVER_AUTH-Description-End -->
<!-- TS_SERVER_AUTH-Editable-Begin -->
@ -3930,11 +3933,11 @@ This policy setting allows you to specify which Remote Desktop Protocol (RDP) co
By default, servers use an RDP compression algorithm that is based on the server's hardware configuration.
If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used.
- If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used.
You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed.
If you disable or do not configure this policy setting, the default RDP compression algorithm will be used.
- If you disable or do not configure this policy setting, the default RDP compression algorithm will be used.
<!-- TS_SERVER_COMPRESSOR-Description-End -->
<!-- TS_SERVER_COMPRESSOR-Editable-Begin -->
@ -3990,11 +3993,11 @@ If you disable or do not configure this policy setting, the default RDP compress
<!-- TS_SERVER_IMAGE_QUALITY-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered.
If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes.
If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality.
If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth.
If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only.
If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images.
- If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes.
- If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality.
- If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth.
- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only.
- If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images.
<!-- TS_SERVER_IMAGE_QUALITY-Description-End -->
<!-- TS_SERVER_IMAGE_QUALITY-Editable-Begin -->
@ -4049,7 +4052,9 @@ If you disable or do not configure this policy setting, RemoteFX Adaptive Graphi
<!-- TS_SERVER_LEGACY_RFX-Description-Begin -->
<!-- Description-Source-ADMX -->
This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions.
This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec.
- If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec.
- If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions.
<!-- TS_SERVER_LEGACY_RFX-Description-End -->
<!-- TS_SERVER_LEGACY_RFX-Editable-Begin -->
@ -4107,14 +4112,14 @@ This policy setting allows you to configure graphics encoding to use the RemoteF
<!-- Description-Source-ADMX -->
This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth.
If you enable this policy setting, the RemoteFX experience could be set to one of the following options:
- If you enable this policy setting, the RemoteFX experience could be set to one of the following options:
1. Let the system choose the experience for the network condition
2. Optimize for server scalability
3. Optimize for minimum bandwidth usage
If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition."
- If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition."
<!-- TS_SERVER_PROFILE-Description-End -->
<!-- TS_SERVER_PROFILE-Editable-Begin -->
@ -4173,9 +4178,9 @@ This policy setting allows you to specify the visual experience that remote user
By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation.
If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text.
- If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text.
If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia.
- If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia.
<!-- TS_SERVER_VISEXP-Description-End -->
<!-- TS_SERVER_VISEXP-Editable-Begin -->
@ -4232,9 +4237,9 @@ If you disable or do not configure this policy setting, Remote Desktop Services
<!-- Description-Source-ADMX -->
This policy setting lets you enable WDDM graphics display driver for Remote Desktop Connections.
If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver.
- If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver.
If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver.
- If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver.
For this change to take effect, you must restart Windows.
<!-- TS_SERVER_WDDM_GRAPHICS_DRIVER-Description-End -->
@ -4298,11 +4303,11 @@ You can use this setting to direct Remote Desktop Services to end a session (tha
Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings.
If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit.
- If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit.
If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator.
- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator.
If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings.
- If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings.
> [!NOTE]
> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence.
@ -4367,11 +4372,11 @@ You can use this setting to direct Remote Desktop Services to end a session (tha
Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings.
If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit.
- If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit.
If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator.
- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator.
If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings.
- If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings.
> [!NOTE]
> This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence.
@ -4436,9 +4441,9 @@ You can use this policy setting to specify the maximum amount of time that a dis
When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server.
If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply.
- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply.
If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time.
- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time.
> [!NOTE]
> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence.
@ -4502,9 +4507,9 @@ You can use this policy setting to specify the maximum amount of time that a dis
When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server.
If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply.
- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply.
If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time.
- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time.
> [!NOTE]
> This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence.
@ -4564,9 +4569,9 @@ If you disable or do not configure this policy setting, this policy setting is n
<!-- Description-Source-ADMX -->
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected.
If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply.
- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply.
If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time.
- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time.
If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached.
@ -4628,9 +4633,9 @@ If you want Remote Desktop Services to end instead of disconnect a session when
<!-- Description-Source-ADMX -->
This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected.
If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply.
- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply.
If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time.
- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time.
If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached.
@ -4692,9 +4697,9 @@ If you want Remote Desktop Services to end instead of disconnect a session when
<!-- Description-Source-ADMX -->
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected.
If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply.
- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply.
If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time.
- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time.
If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached.
@ -4756,9 +4761,9 @@ If you want Remote Desktop Services to end instead of disconnect a session when
<!-- Description-Source-ADMX -->
This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected.
If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply.
- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply.
If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time.
- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time.
If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached.
@ -4820,11 +4825,11 @@ If you want Remote Desktop Services to end instead of disconnect a session when
<!-- Description-Source-ADMX -->
This policy setting allows you to restrict users to a single Remote Desktop Services session.
If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon.
- If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon.
If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services.
- If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services.
If you do not configure this policy setting, this policy setting is not specified at the Group Policy level.
- If you do not configure this policy setting, this policy setting is not specified at the Group Policy level.
<!-- TS_SINGLE_SESSION-Description-End -->
<!-- TS_SINGLE_SESSION-Editable-Begin -->
@ -4882,9 +4887,9 @@ If you do not configure this policy setting, this policy setting is not specifie
<!-- Description-Source-ADMX -->
This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session.
If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session.
- If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session.
If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection.
- If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection.
> [!NOTE]
> The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain.
@ -5084,11 +5089,11 @@ This policy setting specifies whether Remote Desktop Services retains a user's p
You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user logs off.
If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session.
- If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session.
If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise.
- If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise.
If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator.
- If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator.
> [!NOTE]
> This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect.
@ -5151,11 +5156,11 @@ This policy setting allows you to prevent Remote Desktop Services from creating
You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the sessionid.
If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer.
- If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer.
If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise.
- If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise.
If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise.
- If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise.
<!-- TS_TEMP_PER_SESSION-Description-End -->
<!-- TS_TEMP_PER_SESSION-Editable-Begin -->
@ -5213,9 +5218,9 @@ If you do not configure this policy setting, per-session temporary folders are c
<!-- Description-Source-ADMX -->
This policy setting determines whether the client computer redirects its time zone settings to the Remote Desktop Services session.
If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone).
- If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone).
If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone.
- If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone.
> [!NOTE]
> Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later.
@ -5278,9 +5283,9 @@ This policy setting specifies whether to disable the administrator rights to cus
You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes.
If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only.
- If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only.
If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider.
- If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider.
> [!NOTE]
> The preferred method of managing user access is by adding a user to the Remote Desktop Users group.
@ -5341,9 +5346,9 @@ If you disable or do not configure this policy setting, server administrators ha
<!-- Description-Source-ADMX -->
This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connection, Remote Desktop Services client, or through Group Policy.
If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings.
- If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings.
If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer.
- If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer.
> [!NOTE]
> If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored.
@ -5410,7 +5415,7 @@ Remote Desktop sessions don't currently support UI Automation redirection.
If you enable or don't configure this policy setting, any UI Automation clients on your local computer can interact with remote apps. For example, you can use your local computer's Narrator and Magnifier clients to interact with UI on a web page you opened in a remote session.
If you disable this policy setting, UI Automation clients running on your local computer can't interact with remote apps.
- If you disable this policy setting, UI Automation clients running on your local computer can't interact with remote apps.
<!-- TS_UIA-Description-End -->
<!-- TS_UIA-Editable-Begin -->
@ -5468,9 +5473,9 @@ If you disable this policy setting, UI Automation clients running on your local
<!-- Description-Source-ADMX -->
This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer.
If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer.
- If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer.
If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account.
- If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account.
For this change to take effect, you must restart Windows.
<!-- TS_USB_REDIRECTION_DISABLE-Description-End -->
@ -5529,13 +5534,13 @@ For this change to take effect, you must restart Windows.
<!-- Description-Source-ADMX -->
This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process.
If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server.
- If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server.
To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported.
If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server.
- If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server.
If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default.
- If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default.
> [!IMPORTANT]
> Disabling this policy setting provides less security because user authentication will occur later in the remote connection process.
@ -5662,9 +5667,9 @@ If the status is set to Disabled or Not Configured, the user's home directory is
<!-- Description-Source-ADMX -->
This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server.
If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile.
- If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile.
If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server.
- If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server.
**Note**:
@ -5728,11 +5733,11 @@ This policy setting allows you to specify the network path that Remote Desktop S
By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles.
If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user.
- If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user.
To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Services automatically adds this when the user logs on and the profile is created. If the specified network share does not exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server.
If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box.
- If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box.
**Note**: