From 3927b0e3319c6977b0a1b7af782494993ae22533 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Fri, 6 Jan 2023 18:15:07 -0500 Subject: [PATCH] More changes per feedback --- .../mdm/policy-csp-admx-globalization.md | 1089 ++++++------ .../mdm/policy-csp-admx-netlogon.md | 276 +-- .../mdm/policy-csp-admx-scripts.md | 780 +++++---- .../mdm/policy-csp-admx-startmenu.md | 1479 +++++++++-------- .../mdm/policy-csp-admx-taskbar.md | 265 ++- .../mdm/policy-csp-admx-terminalserver.md | 345 ++-- 6 files changed, 2137 insertions(+), 2097 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-admx-globalization.md b/windows/client-management/mdm/policy-csp-admx-globalization.md index c3bbfb3d75..bc42d298f5 100644 --- a/windows/client-management/mdm/policy-csp-admx-globalization.md +++ b/windows/client-management/mdm/policy-csp-admx-globalization.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Globalization Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 12/21/2022 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Globalization > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
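Review bot: In the rewritten tip of this hunk (@@ -17,9 +17,7), <Format>chr</Format> is still written as bare angle-bracket markup inside the callout. A Markdown renderer can pass it through as an HTML element and show only "chr", which loses the one detail an admin has to copy exactly. Suggest putting it in inline code (backticks) on the added line. Minor wording on the same line: "policies which require" reads better as "policies that require".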
@@ -46,11 +44,11 @@ ms.topic: reference This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. -Note this does not affect the availability of user input methods on the lock screen or with the UAC prompt. +**Note** this does not affect the availability of user input methods on the lock screen or with the UAC prompt. -If the policy is Enabled, then the user will get input methods enabled for the system account on the sign-in page. +- If the policy is enabled, then the user will get input methods enabled for the system account on the sign-in page. -If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. +- If the policy is disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page. @@ -68,7 +66,7 @@ If the policy is Disabled or Not Configured, then the user will be able to use i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -89,466 +87,6 @@ If the policy is Disabled or Not Configured, then the user will be able to use i - -## CustomLocalesNoSelect_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/CustomLocalesNoSelect_2 -``` - - - - -This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. - -This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. - -The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. - -If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. - -If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. - -If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. - -To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | CustomLocalesNoSelect | -| Friendly Name | Disallow selection of Custom Locales | -| Location | Computer Configuration | -| Path | System > Locale Services | -| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | -| Registry Value Name | CustomLocalesNoSelect | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## ImplicitDataCollectionOff_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/ImplicitDataCollectionOff_2 -``` - - - - -This policy setting turns off the automatic learning component of handwriting recognition personalization. - -Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. - -Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. - -Note: Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. - -If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. - -If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. - -If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. - -This policy setting is related to the "Turn off handwriting personalization" policy setting. - -Note: The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. 
When these limits are reached and new data is collected, old data is deleted to make room for more recent data. - -Note: Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | ImplicitDataCollectionOff | -| Friendly Name | Turn off automatic learning | -| Location | Computer Configuration | -| Path | Control Panel > Regional and Language Options > Handwriting personalization | -| Registry Key Name | SOFTWARE\Policies\Microsoft\InputPersonalization | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## LocaleSystemRestrict - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleSystemRestrict -``` - - - - -This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. - -The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). - -If you enable this policy setting, administrators can select a system locale only from the specified system locale list. - -If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LocaleSystemRestrict | -| Friendly Name | Restrict system locales | -| Location | Computer Configuration | -| Path | System > Locale Services | -| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | -| Registry Value Name | RestrictSystemLocales | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## LocaleUserRestrict_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleUserRestrict_2 -``` - - - - -This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. - -To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. - -The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). - -If you enable this policy setting, only locales in the specified locale list can be selected by users. - -If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. - -If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LocaleUserRestrict | -| Friendly Name | Restrict user locales | -| Location | Computer Configuration | -| Path | System > Locale Services | -| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | -| Registry Value Name | RestrictUserLocales | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## LockMachineUILanguage - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LockMachineUILanguage -``` - - - - -This policy setting restricts the Windows UI language for all users. - -This is a policy setting for computers with more than one UI language installed. - -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages. - -If you disable or do not configure this policy setting, the user can specify which UI language is used. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | LockMachineUILanguage | -| Friendly Name | Restricts the UI language Windows uses for all logged users | -| Location | Computer Configuration | -| Path | Control Panel > Regional and Language Options | -| Registry Key Name | Software\Policies\Microsoft\MUI\Settings | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## PreventGeoIdChange_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventGeoIdChange_2 -``` - - - - -This policy setting prevents users from changing their user geographical location (GeoID). - -If you enable this policy setting, users cannot change their GeoID. - -If you disable or do not configure this policy setting, users may select any GeoID. - -If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. - -To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventGeoIdChange | -| Friendly Name | Disallow changing of geographic location | -| Location | Computer Configuration | -| Path | System > Locale Services | -| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | -| Registry Value Name | PreventGeoIdChange | -| ADMX File Name | Globalization.admx | - - - - - - - - - -## PreventUserOverrides_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventUserOverrides_2 -``` - - - - -This policy setting prevents the user from customizing their locale by changing their user overrides. - -Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. - -When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user cannot customize their user locale with user overrides. - -If this policy setting is disabled or not configured, then the user can customize their user locale overrides. - -If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. - -To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | PreventUserOverrides | -| Friendly Name | Disallow user override of locale settings | -| Location | Computer Configuration | -| Path | System > Locale Services | -| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | -| Registry Value Name | PreventUserOverrides | -| ADMX File Name | Globalization.admx | - - - - - - - - ## CustomLocalesNoSelect_1 
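Review bot: The @@ -46,11 +44,11 hunk marks its note as inline bold text ("**Note** this does not affect the availability of user input methods on the lock screen or with the UAC prompt."), while the later hunks in this same file convert every "Note:" paragraph to a "> [!NOTE]" callout. Suggest using the callout here too so the sign-in screen caveat is rendered the same way as the others. In the same hunk the state names are mixed: "enabled" and "disabled" are lowercased but "Not Configured" keeps its capitals in "If the policy is disabled or Not Configured"; pick one form.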
@@ -572,11 +110,12 @@ This does not affect the selection of replacement locales. To prevent the select The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. -If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. +- If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. -If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. +- If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. -If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. +- If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. +- If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. 
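Review bot: The precedence paragraph is split into bullets unevenly in this hunk (@@ -572,11 +110,12). The "enabled at the machine level" case gets its own bullet, but "If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings." is left on the end of the "disabled at the machine level" bullet. These are three distinct states that decide whether the per-user setting is honoured at all, so each should be its own bullet. The three machine-level bullets also run straight on from the enable/disable bullets, which describe a different thing; a blank line or a short lead-in sentence before them would keep the two lists apart. The same text is repeated in the CustomLocalesNoSelect_2 section added later in this file and needs the same fix.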
@@ -596,13 +135,13 @@ To set this policy setting on a per-user basis, make sure that you do not config > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | CustomLocalesNoSelect | +| Name | CustomLocalesNoSelect_1 | | Friendly Name | Disallow selection of Custom Locales | | Location | User Configuration | | Path | System > Locale Services | @@ -617,6 +156,75 @@ To set this policy setting on a per-user basis, make sure that you do not config + +## CustomLocalesNoSelect_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/CustomLocalesNoSelect_2 +``` + + + + +This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. + +This does not affect the selection of replacement locales. To prevent the selection of replacement locales, adjust the permissions of the %windir%\Globalization directory to prevent the installation of locales by unauthorized users. + +The policy setting "Restrict user locales" can also be enabled to disallow selection of a custom locale, even if this policy setting is not configured. + +- If you enable this policy setting, the user cannot select a custom locale as their user locale, but they can still select a replacement locale if one is installed. + +- If you disable or do not configure this policy setting, the user can select a custom locale as their user locale. + +- If this policy setting is enabled at the machine level, it cannot be disabled by a per-user policy setting. +- If this policy setting is disabled at the machine level, the per-user policy setting will be ignored. If this policy setting is not configured at the machine level, restrictions will be based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-machine policy setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | CustomLocalesNoSelect_2 | +| Friendly Name | Disallow selection of Custom Locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | CustomLocalesNoSelect | +| ADMX File Name | Globalization.admx | + + + + + + + + ## HideAdminOptions @@ -638,11 +246,12 @@ This policy setting removes the Administrative options from the Region settings This policy setting is used only to simplify the Regional Options control panel. -If you enable this policy setting, the user cannot see the Administrative options. +- If you enable this policy setting, the user cannot see the Administrative options. -If you disable or do not configure this policy setting, the user can see the Administrative options. +- If you disable or do not configure this policy setting, the user can see the Administrative options. -Note: Even if a user can see the Administrative options, other policies may prevent them from modifying the values. +> [!NOTE] +> Even if a user can see the Administrative options, other policies may prevent them from modifying the values. @@ -660,7 +269,7 @@ Note: Even if a user can see the Administrative options, other policies may prev > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
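Review bot: In the re-added CustomLocalesNoSelect_2 section (@@ -617,6 +156,75), the ADMX mapping "Name" row now reads CustomLocalesNoSelect_2, where the copy removed earlier in this patch had CustomLocalesNoSelect; the _1 section gets the matching change. "Registry Value Name" stays CustomLocalesNoSelect in both. The commit message ("More changes per feedback") does not say why the Name value changed, and because the section is moved rather than edited in place the change is easy to miss in the diff. Please confirm the suffixed value is the policy name as it appears in Globalization.admx, and mention the rename in the commit message.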
@@ -702,11 +311,12 @@ This policy setting removes the option to change the user's geographical locatio This policy setting is used only to simplify the Regional Options control panel. -If you enable this policy setting, the user does not see the option to change the GeoID. This does not prevent the user or an application from changing the GeoID programmatically. +- If you enable this policy setting, the user does not see the option to change the GeoID. This does not prevent the user or an application from changing the GeoID programmatically. -If you disable or do not configure this policy setting, the user sees the option for changing the user location (GeoID). +- If you disable or do not configure this policy setting, the user sees the option for changing the user location (GeoID). -Note: Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. +> [!NOTE] +> Even if a user can see the GeoID option, the "Disallow changing of geographical location" option can prevent them from actually changing their current geographical location. @@ -724,7 +334,7 @@ Note: Even if a user can see the GeoID option, the "Disallow changing of geograp > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
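Review bot: The new callout in the @@ -702,11 +311,12 hunk names the enforcing policy as "Disallow changing of geographical location", but the ADMX mapping table for PreventGeoIdChange_2 elsewhere in this patch gives the Friendly Name as "Disallow changing of geographic location". Since this line is being rewritten anyway, use the exact Friendly Name so a reader can find the policy by search. This matters here because the enable bullet states that hiding the option "does not prevent the user or an application from changing the GeoID programmatically", so the callout is the only pointer to the setting that actually blocks the change.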
@@ -766,11 +376,12 @@ This policy setting removes the option to change the user's menus and dialogs (U This policy setting is used only to simplify the Regional Options control panel. -If you enable this policy setting, the user does not see the option for changing the UI language. This does not prevent the user or an application from changing the UI language programmatically. +- If you enable this policy setting, the user does not see the option for changing the UI language. This does not prevent the user or an application from changing the UI language programmatically. -If you disable or do not configure this policy setting, the user sees the option for changing the UI language. +- If you disable or do not configure this policy setting, the user sees the option for changing the UI language. -Note: Even if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language. +> [!NOTE] +> Even if a user can see the option to change the UI language, other policy settings can prevent them from changing their UI language. @@ -788,7 +399,7 @@ Note: Even if a user can see the option to change the UI language, other policy > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -830,9 +441,9 @@ This policy setting removes the regional formats interface from the Region setti This policy setting is used only to simplify the Regional and Language Options control panel. -If you enable this policy setting, the user does not see the regional formats options. This does not prevent the user or an application from changing their user locale or user overrides programmatically. +- If you enable this policy setting, the user does not see the regional formats options. This does not prevent the user or an application from changing their user locale or user overrides programmatically. -If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. +- If you disable or do not configure this policy setting, the user sees the regional formats options for changing and customizing the user locale. @@ -850,7 +461,7 @@ If you disable or do not configure this policy setting, the user sees the region > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -894,19 +505,22 @@ Automatic learning enables the collection and storage of text and ink written by Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. -Note: Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. +> [!NOTE] +> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. -If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. +- If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. -If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. +- If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. -If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. 
+- If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. This policy setting is related to the "Turn off handwriting personalization" policy setting. -Note: The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. +> [!NOTE] +> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. When these limits are reached and new data is collected, old data is deleted to make room for more recent data. -Note: Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. +> [!NOTE] +> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. @@ -924,13 +538,13 @@ Note: Handwriting personalization works only for Microsoft handwriting recognize > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | ImplicitDataCollectionOff | +| Name | ImplicitDataCollectionOff_1 | | Friendly Name | Turn off automatic learning | | Location | User Configuration | | Path | Control Panel > Regional and Language Options > Handwriting personalization | @@ -944,6 +558,144 @@ Note: Handwriting personalization works only for Microsoft handwriting recognize + +## ImplicitDataCollectionOff_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/ImplicitDataCollectionOff_2 +``` + + + + +This policy setting turns off the automatic learning component of handwriting recognition personalization. + +Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabulary and handwriting style of the user. + +Text that is collected includes all outgoing messages in Windows Mail, and MAPI enabled email clients, as well as URLs from the Internet Explorer browser history. The information that is stored includes word frequency and new words not already known to the handwriting recognition engines (for example, proper names and acronyms). Deleting email content or the browser history does not delete the stored personalization data. Ink entered through Input Panel is collected and stored. + +> [!NOTE] +> Automatic learning of both text and ink might not be available for all languages, even when handwriting personalization is available. See Tablet PC Help for more information. + +- If you enable this policy setting, automatic learning stops and any stored data is deleted. Users cannot configure this setting in Control Panel. + +- If you disable this policy setting, automatic learning is turned on. Users cannot configure this policy setting in Control Panel. Collected data is only used for handwriting recognition, if handwriting personalization is turned on. + +- If you do not configure this policy, users can choose to enable or disable automatic learning either from the Handwriting tab in the Tablet Settings in Control Panel or from the opt-in dialog. + +This policy setting is related to the "Turn off handwriting personalization" policy setting. + +> [!NOTE] +> The amount of stored ink is limited to 50 MB and the amount of text information to approximately 5 MB. 
When these limits are reached and new data is collected, old data is deleted to make room for more recent data. + +> [!NOTE] +> Handwriting personalization works only for Microsoft handwriting recognizers, and not with third-party recognizers. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | ImplicitDataCollectionOff_2 | +| Friendly Name | Turn off automatic learning | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options > Handwriting personalization | +| Registry Key Name | SOFTWARE\Policies\Microsoft\InputPersonalization | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## LocaleSystemRestrict + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleSystemRestrict +``` + + + + +This policy setting restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy setting does not change the existing system locale; however, the next time that an administrator attempts to change the computer's system locale, they will be restricted to the specified list. + +The locale list is specified using language names, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-US;en-CA" would restrict the system locale to English (United States) and English (Canada). + +- If you enable this policy setting, administrators can select a system locale only from the specified system locale list. + +- If you disable or do not configure this policy setting, administrators can select any system locale shipped with the operating system. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LocaleSystemRestrict | +| Friendly Name | Restrict system locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | RestrictSystemLocales | +| ADMX File Name | Globalization.admx | + + + + + + + + ## LocaleUserRestrict_1 
@@ -967,11 +719,12 @@ To set this policy setting on a per-user basis, make sure that you do not config The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). -If you enable this policy setting, only locales in the specified locale list can be selected by users. +- If you enable this policy setting, only locales in the specified locale list can be selected by users. -If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. +- If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. -If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. +- If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. +- If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. 
@@ -989,13 +742,13 @@ If this policy setting is enabled at the computer level, it cannot be disabled b > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | LocaleUserRestrict | +| Name | LocaleUserRestrict_1 | | Friendly Name | Restrict user locales | | Location | User Configuration | | Path | System > Locale Services | @@ -1010,6 +763,134 @@ If this policy setting is enabled at the computer level, it cannot be disabled b + +## LocaleUserRestrict_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LocaleUserRestrict_2 +``` + + + + +This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change their user locale, their choices will be restricted to locales in this list. + +To set this policy setting on a per-user basis, make sure that you do not configure the per-computer policy setting. + +The locale list is specified using language tags, separated by a semicolon (;). For example, en-US is English (United States). Specifying "en-CA;fr-CA" would restrict the user locale to English (Canada) and French (Canada). + +- If you enable this policy setting, only locales in the specified locale list can be selected by users. + +- If you disable or do not configure this policy setting, users can select any locale installed on the computer, unless restricted by the "Disallow selection of Custom Locales" policy setting. + +- If this policy setting is enabled at the computer level, it cannot be disabled by a per-user policy. +- If this policy setting is disabled at the computer level, the per-user policy is ignored. If this policy setting is not configured at the computer level, restrictions are based on per-user policies. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LocaleUserRestrict_2 | +| Friendly Name | Restrict user locales | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | RestrictUserLocales | +| ADMX File Name | Globalization.admx | + + + + + + + + + +## LockMachineUILanguage + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/LockMachineUILanguage +``` + + + + +This policy setting restricts the Windows UI language for all users. + +This is a policy setting for computers with more than one UI language installed. + +- If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language will follow the language specified by the administrator as the system UI languages. The UI language selected by the user will be ignored if it is different than any of the system UI languages. + +- If you disable or do not configure this policy setting, the user can specify which UI language is used. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | LockMachineUILanguage | +| Friendly Name | Restricts the UI language Windows uses for all logged users | +| Location | Computer Configuration | +| Path | Control Panel > Regional and Language Options | +| Registry Key Name | Software\Policies\Microsoft\MUI\Settings | +| ADMX File Name | Globalization.admx | + + + + + + + + ## LockUserUILanguage 
@@ -1031,9 +912,9 @@ This policy setting restricts the Windows UI language for specific users. This policy setting applies to computers with more than one UI language installed. -If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user. +- If you enable this policy setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to a specified language for the selected user. If the specified language is not installed on the target computer or you disable this policy setting, the language selection defaults to the language selected by the user. -If you disable or do not configure this policy setting, there is no restriction on which language users should use. +- If you disable or do not configure this policy setting, there is no restriction on which language users should use. To enable this policy setting in Windows Server 2003, Windows XP, or Windows 2000, to use the "Restrict selection of Windows menus and dialogs language" policy setting. @@ -1053,7 +934,7 @@ To enable this policy setting in Windows Server 2003, Windows XP, or Windows 200 > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1092,11 +973,13 @@ To enable this policy setting in Windows Server 2003, Windows XP, or Windows 200 This policy setting prevents users from changing their user geographical location (GeoID). -If you enable this policy setting, users cannot change their GeoID. +- If you enable this policy setting, users cannot change their GeoID. -If you disable or do not configure this policy setting, users may select any GeoID. +- If you disable or do not configure this policy setting, users may select any GeoID. -If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. If you disable this policy setting at the computer level, the per-user policy is ignored. If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. +- If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. +- If you disable this policy setting at the computer level, the per-user policy is ignored. +- If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. @@ -1116,13 +999,13 @@ To set this policy setting on a per-user basis, make sure that the per-computer > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PreventGeoIdChange | +| Name | PreventGeoIdChange_1 | | Friendly Name | Disallow changing of geographic location | | Location | User Configuration | | Path | System > Locale Services | 
@@ -1137,6 +1020,72 @@ To set this policy setting on a per-user basis, make sure that the per-computer + +## PreventGeoIdChange_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventGeoIdChange_2 +``` + + + + +This policy setting prevents users from changing their user geographical location (GeoID). + +- If you enable this policy setting, users cannot change their GeoID. + +- If you disable or do not configure this policy setting, users may select any GeoID. + +- If you enable this policy setting at the computer level, it cannot be disabled by a per-user policy setting. +- If you disable this policy setting at the computer level, the per-user policy is ignored. +- If you do not configure this policy setting at the computer level, restrictions are based on per-user policy settings. + +To set this policy setting on a per-user basis, make sure that the per-computer policy setting is not configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventGeoIdChange_2 | +| Friendly Name | Disallow changing of geographic location | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventGeoIdChange | +| ADMX File Name | Globalization.admx | + + + + + + + + ## PreventUserOverrides_1 
@@ -1160,9 +1109,11 @@ Any existing overrides in place when this policy is enabled will be frozen. To r When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user cannot customize their user locale with user overrides. -If this policy setting is disabled or not configured, then the user can customize their user locale overrides. +- If this policy setting is disabled or not configured, then the user can customize their user locale overrides. -If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. +- If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. +- If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. +- If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. 
@@ -1182,13 +1133,13 @@ To set this policy on a per-user basis, make sure that the per-computer policy i > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PreventUserOverrides | +| Name | PreventUserOverrides_1 | | Friendly Name | Disallow user override of locale settings | | Location | User Configuration | | Path | System > Locale Services | @@ -1203,6 +1154,74 @@ To set this policy on a per-user basis, make sure that the per-computer policy i + +## PreventUserOverrides_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Globalization/PreventUserOverrides_2 +``` + + + + +This policy setting prevents the user from customizing their locale by changing their user overrides. + +Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and then apply this policy. + +When this policy setting is enabled, users can still choose alternate locales installed on the system unless prevented by other policies, however, they will be unable to customize those choices. The user cannot customize their user locale with user overrides. + +- If this policy setting is disabled or not configured, then the user can customize their user locale overrides. + +- If this policy is set to Enabled at the computer level, then it cannot be disabled by a per-User policy. +- If this policy is set to Disabled at the computer level, then the per-User policy will be ignored. +- If this policy is set to Not Configured at the computer level, then restrictions will be based on per-User policies. + +To set this policy on a per-user basis, make sure that the per-computer policy is set to Not Configured. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | PreventUserOverrides_2 | +| Friendly Name | Disallow user override of locale settings | +| Location | Computer Configuration | +| Path | System > Locale Services | +| Registry Key Name | Software\Policies\Microsoft\Control Panel\International | +| Registry Value Name | PreventUserOverrides | +| ADMX File Name | Globalization.admx | + + + + + + + + ## RestrictUILangSelect @@ -1222,11 +1241,11 @@ To set this policy on a per-user basis, make sure that the per-computer policy i This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defaults to English. -If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. +- If you enable this policy setting, the dialog box controls in the Regional and Language Options control panel are not accessible to the logged on user. This prevents users from specifying a language different than the one used. To enable this policy setting in Windows Vista, use the "Restricts the UI languages Windows should use for the selected user" policy setting. -If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. +- If you disable or do not configure this policy setting, the logged-on user can access the dialog box controls in the Regional and Language Options control panel to select any available UI language. 
@@ -1244,7 +1263,7 @@ If you disable or do not configure this policy setting, the logged-on user can a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1285,11 +1304,11 @@ This policy turns off the autocorrect misspelled words option. This does not, ho The autocorrect misspelled words option controls whether or not errors in typed text will be automatically corrected. -If the policy is Enabled, then the option will be locked to not autocorrect misspelled words. +- If the policy is enabled, then the option will be locked to not autocorrect misspelled words. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -Note that the availability and function of this setting is dependent on supported languages being enabled. +**Note** that the availability and function of this setting is dependent on supported languages being enabled. @@ -1307,7 +1326,7 @@ Note that the availability and function of this setting is dependent on supporte > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1349,11 +1368,11 @@ This policy turns off the highlight misspelled words option. This does not, howe The highlight misspelled words option controls whether or next spelling errors in typed text will be highlighted. -If the policy is Enabled, then the option will be locked to not highlight misspelled words. +- If the policy is enabled, then the option will be locked to not highlight misspelled words. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -Note that the availability and function of this setting is dependent on supported languages being enabled. +**Note** that the availability and function of this setting is dependent on supported languages being enabled. @@ -1371,7 +1390,7 @@ Note that the availability and function of this setting is dependent on supporte > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1413,11 +1432,11 @@ This policy turns off the insert a space after selecting a text prediction optio The insert a space after selecting a text prediction option controls whether or not a space will be inserted after the user selects a text prediction candidate when using the on-screen keyboard. -If the policy is Enabled, then the option will be locked to not insert a space after selecting a text prediction. +- If the policy is enabled, then the option will be locked to not insert a space after selecting a text prediction. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -Note that the availability and function of this setting is dependent on supported languages being enabled. +**Note** that the availability and function of this setting is dependent on supported languages being enabled. @@ -1435,7 +1454,7 @@ Note that the availability and function of this setting is dependent on supporte > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1477,11 +1496,11 @@ This policy turns off the offer text predictions as I type option. This does not The offer text predictions as I type option controls whether or not text prediction suggestions will be presented to the user on the on-screen keyboard. -If the policy is Enabled, then the option will be locked to not offer text predictions. +- If the policy is enabled, then the option will be locked to not offer text predictions. -If the policy is Disabled or Not Configured, then the user will be free to change the setting according to their preference. +- If the policy is disabled or Not Configured, then the user will be free to change the setting according to their preference. -Note that the availability and function of this setting is dependent on supported languages being enabled. +**Note** that the availability and function of this setting is dependent on supported languages being enabled. @@ -1499,7 +1518,7 @@ Note that the availability and function of this setting is dependent on supporte > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1541,11 +1560,11 @@ This policy setting determines how programs interpret two-digit years. This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentation or manufacturer of the program. -If you enable this policy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19. +- If you enable this policy setting, the system specifies the largest two-digit year interpreted as being preceded by 20. All numbers less than or equal to the specified value are interpreted as being preceded by 20. All numbers greater than the specified value are interpreted as being preceded by 19. For example, the default value, 2029, specifies that all two-digit years less than or equal to 29 (00 to 29) are interpreted as being preceded by 20, that is 2000 to 2029. Conversely, all two-digit years greater than 29 (30 to 99) are interpreted as being preceded by 19, that is, 1930 to 1999. -If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. +- If you disable or do not configure this policy setting, Windows does not interpret two-digit year formats using this scheme for the program. 
@@ -1563,7 +1582,7 @@ If you disable or do not configure this policy setting, Windows does not interpr > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md index 80c36f00cc..9b6d315322 100644 --- a/windows/client-management/mdm/policy-csp-admx-netlogon.md +++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Netlogon Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Netlogon > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -56,7 +54,7 @@ The allowable values for this setting result in the following behaviors: To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -74,7 +72,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -115,11 +113,11 @@ This policy setting detremines the type of IP address that is returned for a dom By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior. -If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. +- If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. -If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail. +- If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail. -If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. +- If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator. 
@@ -137,7 +135,7 @@ If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -179,9 +177,9 @@ This policy setting specifies whether the computers to which this setting is app By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled. -If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the event that DNS resolution fails. +- If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the event that DNS resolution fails. -If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. 
+- If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest. @@ -199,7 +197,7 @@ If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -241,11 +239,11 @@ This policy setting controls whether the Net Logon service will allow the use of By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller. -If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk. +- If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk. -If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. +- If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. -If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. +- If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms. @@ -263,7 +261,7 @@ If you do not configure this policy setting, Net Logon will not allow the negoti > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -305,11 +303,11 @@ This policy setting specifies whether the computers to which this setting is app By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name. -If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution. +- If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution. -If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined. +- If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined. -If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. 
+- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. @@ -327,7 +325,7 @@ If you do not configure this policy setting, it is not applied to any computers, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -367,11 +365,11 @@ If you do not configure this policy setting, it is not applied to any computers, This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. -If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. +- If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists. -If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own. +- If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -389,7 +387,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -431,11 +429,11 @@ This policy setting allows you to control the domain controller (DC) location al NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. -Note that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. +**Note** that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. -If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior. +- If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior. -If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. +- If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails. @@ -453,7 +451,7 @@ If you disable this policy setting, the DC location algorithm can use NetBIOS-ba > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -493,13 +491,13 @@ If you disable this policy setting, the DC location algorithm can use NetBIOS-ba This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password. -Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. +Contacting the PDC emulator is useful in case the client's password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection. -If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password. +- If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password. -If you disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator. +- If you disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator. -If you do not configure this policy setting, it is not applied to any DCs. +- If you do not configure this policy setting, it is not applied to any DCs. @@ -517,7 +515,7 @@ If you do not configure this policy setting, it is not applied to any DCs. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -563,7 +561,8 @@ This setting is relevant only to those callers of DsGetDcName that have specifie If the value of this setting is less than the value specified in the NegativeCachePeriod subkey, the value in the NegativeCachePeriod subkey is used. -Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. +> [!WARNING] +> If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive. @@ -581,7 +580,7 @@ Warning: If the value for this setting is too large, a client will not attempt t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -626,7 +625,8 @@ The default value for this setting is 60 minutes (60*60). The maximum value for If the value for this setting is smaller than the value specified for the Initial DC Discovery Retry Setting, the Initial DC Discovery Retry Setting is used. -Warning: If the value for this setting is too large, a client may take very long periods to try to find a DC. +> [!WARNING] +> If the value for this setting is too large, a client may take very long periods to try to find a DC. If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic. 
@@ -646,7 +646,7 @@ If the value for this setting is too small and the DC is not available, the freq > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -687,7 +687,8 @@ This policy setting determines when retries are no longer allowed for applicatio The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0. -Warning: If the value for this setting is too small, a client will stop trying to find a DC too soon. +> [!WARNING] +> If the value for this setting is too small, a client will stop trying to find a DC too soon. @@ -705,7 +706,7 @@ Warning: If the value for this setting is too small, a client will stop trying t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -760,7 +761,7 @@ This policy setting determines when a successful DC cache entry is refreshed. Th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -801,11 +802,11 @@ This policy setting specifies the level of debug output for the Net Logon servic The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. -If you enable this policy setting and specify a non-zero value, debug information will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting. +- If you enable this policy setting and specify a non-zero value, debug information will be logged to the file. Higher values result in more verbose logging; the value of 536936447 is commonly used as an optimal setting. If you specify zero for this policy setting, the default behavior occurs as described above. -If you disable this policy setting or do not configure it, the default behavior occurs as described above. +- If you disable this policy setting or do not configure it, the default behavior occurs as described above. 
@@ -823,7 +824,7 @@ If you disable this policy setting or do not configure it, the default behavior > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -859,43 +860,42 @@ If you disable this policy setting or do not configure it, the default behavior - -This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. - -If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied. - -Select the mnemonics from the following list: - -Mnemonic Type DNS Record - -LdapIpAddress A `` -Ldap SRV _ldap._tcp.`` -LdapAtSite SRV _ldap._tcp.``._sites.`` -Pdc SRV _ldap._tcp.pdc._msdcs.`` -Gc SRV _ldap._tcp.gc._msdcs.`` -GcAtSite SRV _ldap._tcp.``._sites.gc._msdcs.`` -DcByGuid SRV _ldap._tcp.``.domains._msdcs.`` -GcIpAddress A gc._msdcs.`` -DsaCname CNAME ``._msdcs.`` -Kdc SRV _kerberos._tcp.dc._msdcs.`` -KdcAtSite SRV _kerberos._tcp.``._sites.dc._msdcs.`` -Dc SRV _ldap._tcp.dc._msdcs.`` -DcAtSite SRV _ldap._tcp.``._sites.dc._msdcs.`` -Rfc1510Kdc SRV _kerberos._tcp.`` -Rfc1510KdcAtSite SRV _kerberos._tcp.``._sites.`` -GenericGc SRV _gc._tcp.`` -GenericGcAtSite SRV _gc._tcp.``._sites.`` -Rfc1510UdpKdc SRV _kerberos._udp.`` -Rfc1510Kpwd SRV _kpasswd._tcp.`` -Rfc1510UdpKpwd SRV _kpasswd._udp.`` - -If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records. - -If you do not configure this policy setting, DCs use their local configuration. + +This policy setting determines which DC Locator DNS records aren't registered by the Net Logon service. + +- If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that won't be registered by the DCs to which this setting is applied. 
Select the mnemonics from the following table: + + | Mnemonic | Type | DNS Record | + |------------------|-------|----------------------------------------------------------------| + | LdapIpAddress | A | `` | + | Ldap | SRV | _ldap._tcp.`` | + | LdapAtSite | SRV | _ldap._tcp.``._sites.`` | + | Pdc | SRV | _ldap._tcp.pdc._msdcs.`` | + | Gc | SRV | _ldap._tcp.gc._msdcs.`` | + | GcAtSite | SRV | _ldap._tcp.``._sites.gc._msdcs.`` | + | DcByGuid | SRV | _ldap._tcp.``.domains._msdcs.`` | + | GcIpAddress | A | gc._msdcs.`` | + | DsaCname | CNAME | ``._msdcs.`` | + | Kdc | SRV | _kerberos._tcp.dc._msdcs.`` | + | KdcAtSite | SRV | _kerberos._tcp.``._sites.dc._msdcs. | + | KdcAtSite | SRV | _kerberos._tcp.``._sites.dc._msdcs.`` | + | Dc | SRV | _ldap._tcp.dc._msdcs.`` | + | DcAtSite | SRV | _ldap._tcp.``._sites.dc._msdcs.`` | + | Rfc1510Kdc | SRV | _kerberos._tcp.`` | + | Rfc1510KdcAtSite | SRV | _kerberos._tcp.``._sites.`` | + | GenericGc | SRV | _gc._tcp.`` | + | GenericGcAtSite | SRV | _gc._tcp.``._sites.`` | + | Rfc1510UdpKdc | SRV | _kerberos._udp.`` | + | Rfc1510Kpwd | SRV | _kpasswd._tcp.`` | + | Rfc1510UdpKpwd | SRV | _kpasswd._udp.`` | + +- If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records. + +- If you don't configure this policy setting, DCs use their local configuration. @@ -909,7 +909,7 @@ If you do not configure this policy setting, DCs use their local configuration. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -948,13 +948,14 @@ If you do not configure this policy setting, DCs use their local configuration. This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update. -DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. +DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records' data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database. -Warning: If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records. +> [!WARNING] +> If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. 
Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records. To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes). -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -972,7 +973,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1039,7 +1040,7 @@ More information is available at > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1081,7 +1082,7 @@ This policy setting specifies the value for the Time-To-Live (TTL) field in SRV To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes). -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -1099,7 +1100,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1136,11 +1137,11 @@ If you do not configure this policy setting, it is not applied to any DCs, and D -This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network. +This policy setting specifies the additional time for the computer to wait for the domain controller's (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute). -If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. 
@@ -1158,7 +1159,7 @@ If you do not configure this policy setting, it is not applied to any computers, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1199,11 +1200,11 @@ This policy setting determines the interval for when a Force Rediscovery is carr The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries. -If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity. +- If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity. 
-If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval. +- If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval. -If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. +- If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value. @@ -1221,7 +1222,7 @@ If you do not configure this policy setting, Force Rediscovery will be used by d > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1264,7 +1265,7 @@ The GC Locator DNS records and the site-specific SRV records are dynamically reg To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format. -If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration. 
@@ -1282,7 +1283,7 @@ If you do not configure this policy setting, it is not applied to any GCs, and G > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1321,13 +1322,14 @@ If you do not configure this policy setting, it is not applied to any GCs, and G This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). -Note: To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. +> [!NOTE] +> To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message. This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names. -If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location. +- If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location. -If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator. +- If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator. 
@@ -1345,7 +1347,7 @@ If you disable or do not configure this policy setting, this DC processes incomi > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1385,11 +1387,11 @@ If you disable or do not configure this policy setting, this DC processes incomi This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. -The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. +The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record's Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed. To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. 
@@ -1407,7 +1409,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1450,7 +1452,7 @@ The Weight field in the SRV record can be used in addition to the Priority value To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -1468,7 +1470,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1507,9 +1509,10 @@ If you do not configure this policy setting, it is not applied to any DCs, and D This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. -By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. +By default, the maximum size of the log file is 20MB. +- If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified. -If you disable or do not configure this policy setting, the default behavior occurs as indicated above. +- If you disable or do not configure this policy setting, the default behavior occurs as indicated above. @@ -1527,7 +1530,7 @@ If you disable or do not configure this policy setting, the default behavior occ > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1570,7 +1573,7 @@ The application directory partition DC Locator DNS records and the site-specific To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. @@ -1588,7 +1591,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1629,7 +1632,8 @@ This policy setting specifies the amount of time (in seconds) the DC locator rem The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0. -Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. +> [!WARNING] +> If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available. 
@@ -1647,7 +1651,7 @@ Warning: If the value for this setting is too large, a client will not attempt t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1686,15 +1690,16 @@ Warning: If the value for this setting is too large, a client will not attempt t This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. -If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. +- If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission. -If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. +- If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission. By default, the Netlogon share will grant shared read access to files on the share when exclusive access is requested. -Note: The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased. 
+> [!NOTE] +> The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased. -If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. +- If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. @@ -1712,7 +1717,7 @@ If you enable this policy setting, domain administrators should ensure that the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1770,7 +1775,7 @@ The default value for this setting is 30 minutes (1800). The maximum value for t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1818,7 +1823,7 @@ The allowable values for this setting result in the following behaviors: To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2. -If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. @@ -1836,7 +1841,7 @@ If you do not configure this policy setting, it is not applied to any computers, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1879,7 +1884,7 @@ This policy setting determines the interval at which Netlogon performs the follo - On the domain controllers (DC), discovers a DC that has not been discovered. -- On the PDC, attempts to add the ``[1B] NetBIOS name if it hasn’t already been successfully added. +- On the PDC, attempts to add the ``[1B] NetBIOS name if it hasn't already been successfully added. None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain. @@ -1901,7 +1906,7 @@ To enable the setting, click Enabled, and then specify the interval in seconds. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1944,7 +1949,7 @@ The DC Locator DNS records are dynamically registered by the Net Logon service, To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. 
@@ -1962,7 +1967,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2005,7 +2010,7 @@ An Active Directory site is one or more well-connected TCP/IP subnets that allow To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory. -If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. +- If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration. @@ -2023,7 +2028,7 @@ If you do not configure this policy setting, it is not applied to any computers, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2068,9 +2073,10 @@ When this setting is disabled or not configured, the SYSVOL share will grant sha By default, the SYSVOL share will grant shared read access to files on the share when exclusive access is requested. -Note: The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased. +> [!NOTE] +> The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased. -If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. +- If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator. 
@@ -2088,7 +2094,7 @@ If you enable this policy setting, domain administrators should ensure that the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2130,11 +2136,11 @@ This policy setting enables DC Locator to attempt to locate a DC in the nearest The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost. -If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer. +- If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer. -If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored. +- If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored. -If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. +- If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used. 
@@ -2152,7 +2158,7 @@ If you do not configure this policy setting, Try Next Closest Site DC Location w > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2192,11 +2198,11 @@ If you do not configure this policy setting, Try Next Closest Site DC Location w This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC. -If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. +- If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections. -If you disable this policy setting, DCs will not register DC Locator DNS resource records. +- If you disable this policy setting, DCs will not register DC Locator DNS resource records. -If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. +- If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration. 
@@ -2214,7 +2220,7 @@ If you do not configure this policy setting, it is not applied to any DCs, and D > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-scripts.md b/windows/client-management/mdm/policy-csp-admx-scripts.md index cea112d18a..63f4bdafb9 100644 --- a/windows/client-management/mdm/policy-csp-admx-scripts.md +++ b/windows/client-management/mdm/policy-csp-admx-scripts.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Scripts Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/05/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Scripts > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
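Review bot: The unchanged last paragraph of this tip still points readers at "a variety of online encoders" for XML-encoding the payload. Since the tip is being rewritten in this hunk, consider leading with the CDATA option or a local encoder instead, because pasting a policy payload into a third-party site discloses its contents.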
@@ -46,9 +44,9 @@ ms.topic: reference This policy setting allows user logon scripts to run when the logon cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. -If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. +- If you enable this policy setting, user logon scripts run if NetBIOS or WINS is disabled during cross-forest logons without the DNS suffixes being configured. -If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured. +- If you disable or do not configure this policy setting, user account cross-forest, interactive logging cannot run logon scripts if NetBIOS or WINS is disabled, and the DNS suffixes are not configured. @@ -66,7 +64,7 @@ If you disable or do not configure this policy setting, user account cross-fores > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
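Review bot: In the `@@ -46,9 +44,9 @@` hunk, the second added bullet keeps the phrase "user account cross-forest, interactive logging cannot run logon scripts", which is hard to parse, and the context sentence above it reads "when the logon cross-forest" with a word missing. As both bullets are being touched anyway, reword the second one along the lines of "logon scripts do not run for interactive cross-forest logons if NetBIOS or WINS is disabled and the DNS suffixes are not configured", and fix the context sentence in the same pass.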
@@ -108,13 +106,13 @@ This policy setting determines how long the system waits for scripts applied by This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If the scripts have not finished running when the specified time expires, the system stops script processing and records an error event. -If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0. +- If you enable this setting, then, in the Seconds box, you can type a number from 1 to 32,000 for the number of seconds you want the system to wait for the set of scripts to finish. To direct the system to wait until the scripts have finished, no matter how long they take, type 0. -This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the ""Run logon scripts synchronously"" setting to direct the system to wait for the logon scripts to complete before loading the desktop. +This interval is particularly important when other system tasks must wait while the scripts complete. By default, each startup script must complete before the next one runs. Also, you can use the "Run logon scripts synchronously" setting to direct the system to wait for the logon scripts to complete before loading the desktop. An excessively long interval can delay the system and inconvenience users. However, if the interval is too short, prerequisite tasks might not be done, and the system can appear to be ready prematurely. -If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default. 
+- If you disable or do not configure this setting the system lets the combined set of scripts run for up to 600 seconds (10 minutes). This is the default. @@ -132,7 +130,7 @@ If you disable or do not configure this setting the system lets the combined set > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
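Review bot: In the `@@ -108,13 +106,13 @@` hunk, the "If you enable" and "If you disable or do not configure" bullets are separated by two plain paragraphs ("This interval is particularly important ..." and "An excessively long interval ..."), so they render as two one-item lists rather than the enable/disable pair used elsewhere in this patch. Move the two explanatory paragraphs below the second bullet, or indent them under the first, so the two cases read as one list.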
@@ -168,39 +166,35 @@ If you disable or do not configure this setting the system lets the combined set - -This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. - -If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. - -For example, assume the following scenario: - -There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. - -GPO B and GPO C include the following computer startup scripts: - -GPO B: B.cmd, B.ps1 -GPO C: C.cmd, C.ps1 - -Assume also that there are two computers, DesktopIT and DesktopSales. -For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT: - -Within GPO B: B.ps1, B.cmd -Within GPO C: C.ps1, C.cmd - -For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for DesktopSales: - -Within GPO B: B.cmd, B.ps1 -Within GPO C: C.cmd, C.ps1 - -Note: This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: - -Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup -Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown + +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. 
If you enable this policy setting, within each applicable Group Policy Object (GPO), Windows PowerShell scripts are run before non-Windows PowerShell scripts during computer startup and shutdown. + +For example, assume the following scenario: + +There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the following computer startup scripts: + +- GPO B: B.cmd, B.ps1 +- GPO C: C.cmd, C.ps1 + +Assume also that there are two computers, DesktopIT and DesktopSales. For DesktopIT, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for DesktopIT: + +- Within GPO B: B.ps1, B.cmd +- Within GPO C: C.ps1, C.cmd + +For DesktopSales, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for DesktopSales: + +- Within GPO B: B.cmd, B.ps1 +- Within GPO C: C.cmd, C.ps1 + +> [!NOTE] +> This policy setting determines the order in which computer startup and shutdown scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: +> +> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Startup +> - Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shutdown @@ -214,7 +208,7 @@ Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shut > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
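Review bot: In the `@@ -168,39 +166,35 @@` hunk, the "If you enable this policy setting ..." sentence stays a plain paragraph while every other policy in this patch gets a `- If you enable ...` bullet, and there is no matching line for the disabled or not-configured case. Either add the bullet together with a "- If you disable or do not configure ..." line that restates the default order (non-PowerShell scripts first), or leave a short comment explaining why this entry is the exception.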
@@ -235,347 +229,6 @@ Computer Configuration\Policies\Windows Settings\Scripts (Startup/Shutdown)\Shut - -## Run_Logon_Script_Sync_2 - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_2 -``` - - - - -This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. - -If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. - -If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. - -This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run_Logon_Script_Sync | -| Friendly Name | Run logon scripts synchronously | -| Location | Computer Configuration | -| Path | System > Scripts | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | RunLogonScriptSync | -| ADMX File Name | Scripts.admx | - - - - - - - - - -## Run_Shutdown_Script_Visible - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Shutdown_Script_Visible -``` - - - - -This policy setting displays the instructions in shutdown scripts as they run. - -Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. - -If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window. - -If you disable or do not configure this policy setting, the instructions are suppressed. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run_Shutdown_Script_Visible | -| Friendly Name | Display instructions in shutdown scripts as they run | -| Location | Computer Configuration | -| Path | System > Scripts | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | HideShutdownScripts | -| ADMX File Name | Scripts.admx | - - - - - - - - - -## Run_Startup_Script_Sync - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Sync -``` - - - - -This policy setting lets the system run startup scripts simultaneously. - -Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. - -If you enable this policy setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously. - -If you disable or do not configure this policy setting, a startup cannot run until the previous script is complete. - -Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the ""Run startup scripts visible"" policy setting is enabled or not. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run_Startup_Script_Sync | -| Friendly Name | Run startup scripts asynchronously | -| Location | Computer Configuration | -| Path | System > Scripts | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | RunStartupScriptSync | -| ADMX File Name | Scripts.admx | - - - - - - - - - -## Run_Startup_Script_Visible - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Visible -``` - - - - -This policy setting displays the instructions in startup scripts as they run. - -Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. - -If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users. - -If you disable or do not configure this policy setting, the instructions are suppressed. - -Note: Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run_Startup_Script_Visible | -| Friendly Name | Display instructions in startup scripts as they run | -| Location | Computer Configuration | -| Path | System > Scripts | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | HideStartupScripts | -| ADMX File Name | Scripts.admx | - - - - - - - - - -## Run_User_PS_Scripts_First - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First -``` - - - - -This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. - -If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. - -For example, assume the following scenario: - -There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. - -GPO B and GPO C include the following user logon scripts: - -GPO B: B.cmd, B.ps1 -GPO C: C.cmd, C.ps1 - -Assume also that there are two users, Qin Hong and Tamara Johnston. -For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin: - -Within GPO B: B.ps1, B.cmd -Within GPO C: C.ps1, C.cmd - -For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara: - -Within GPO B: B.cmd, B.ps1 -Within GPO C: C.cmd, C.ps1 - -Note: This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: - -User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon -User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff - -This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the setting set in User Configuration. 
- - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | Run_User_PS_Scripts_First | -| Friendly Name | Run Windows PowerShell scripts first at user logon, logoff | -| Location | Computer and User Configuration | -| Path | System > Scripts | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | -| Registry Value Name | RunUserPSScriptsFirst | -| ADMX File Name | Scripts.admx | - - - - - - - - ## Run_Legacy_Logon_Script_Hidden @@ -597,9 +250,9 @@ This policy setting hides the instructions in logon scripts written for Windows Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windows NT 4.0 and earlier in a command window as they run, although it does not display logon scripts written for Windows 2000. -If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier. +- If you enable this setting, Windows 2000 does not display logon scripts written for Windows NT 4.0 and earlier. -If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier. +- If you disable or do not configure this policy setting, Windows 2000 displays login scripts written for Windows NT 4.0 and earlier. Also, see the "Run Logon Scripts Visible" setting. 
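Review bot: In the `@@ -597,9 +250,9 @@` hunk, the two added bullets are inconsistent with each other: the first says "this setting" and "logon scripts", the second says "this policy setting" and "login scripts". Since both lines are rewritten here, use "this policy setting" and "logon scripts" in both.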
@@ -619,7 +272,7 @@ Also, see the "Run Logon Scripts Visible" setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -661,9 +314,9 @@ This policy setting displays the instructions in logoff scripts as they run. Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. -If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. +- If you enable this policy setting, the system displays each instruction in the logoff script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. -If you disable or do not configure this policy setting, the instructions are suppressed. +- If you disable or do not configure this policy setting, the instructions are suppressed. @@ -681,7 +334,7 @@ If you disable or do not configure this policy setting, the instructions are sup > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -721,9 +374,9 @@ If you disable or do not configure this policy setting, the instructions are sup This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. -If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. +- If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. -If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. +- If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. @@ -743,13 +396,13 @@ This policy setting appears in the Computer Configuration and User Configuration > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | Run_Logon_Script_Sync | +| Name | Run_Logon_Script_Sync_1 | | Friendly Name | Run logon scripts synchronously | | Location | User Configuration | | Path | System > Scripts | 
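Review bot: The last changed row of the `@@ -743,13 +396,13 @@` hunk changes the ADMX mapping Name from Run_Logon_Script_Sync to Run_Logon_Script_Sync_1, which is a value change inside an otherwise formatting-only hunk. Please confirm the new value is the policy name exactly as it appears in Scripts.admx, since readers use this table to locate the policy in the ADMX file, and mention the change in the commit message.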
@@ -764,6 +417,68 @@ This policy setting appears in the Computer Configuration and User Configuration + +## Run_Logon_Script_Sync_2 + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Logon_Script_Sync_2 +``` + + + + +This policy setting directs the system to wait for logon scripts to finish running before it starts the File Explorer interface program and creates the desktop. + +- If you enable this policy setting, File Explorer does not start until the logon scripts have finished running. This policy setting ensures that logon script processing is complete before the user starts working, but it can delay the appearance of the desktop. + +- If you disable or do not configure this policy setting, the logon scripts and File Explorer are not synchronized and can run simultaneously. + +This policy setting appears in the Computer Configuration and User Configuration folders. The policy setting set in Computer Configuration takes precedence over the policy setting set in User Configuration. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Logon_Script_Sync_2 | +| Friendly Name | Run logon scripts synchronously | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunLogonScriptSync | +| ADMX File Name | Scripts.admx | + + + + + + + + ## Run_Logon_Script_Visible 
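Review bot: The Run_Logon_Script_Sync_2 section added in the `@@ -764,6 +417,68 @@` hunk is not a verbatim move of the copy removed in the `@@ -235,347 +229,6 @@` hunk: besides the bullets and the new tip text, the ADMX mapping Name changes from Run_Logon_Script_Sync to Run_Logon_Script_Sync_2. Reordering and editing in the same commit hides value changes like this among several hundred moved lines, so consider a pure reorder commit followed by the edits, which lets the move be verified as a no-op.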
@@ -785,9 +500,9 @@ This policy setting displays the instructions in logon scripts as they run. Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. -If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. +- If you enable this policy setting, the system displays each instruction in the logon script as it runs. The instructions appear in a command window. This policy setting is designed for advanced users. -If you disable or do not configure this policy setting, the instructions are suppressed. +- If you disable or do not configure this policy setting, the instructions are suppressed. @@ -805,7 +520,7 @@ If you disable or do not configure this policy setting, the instructions are sup > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -826,6 +541,281 @@ If you disable or do not configure this policy setting, the instructions are sup + +## Run_Shutdown_Script_Visible + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Shutdown_Script_Visible +``` + + + + +This policy setting displays the instructions in shutdown scripts as they run. + +Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructions in the shutdown script. + +- If you enable this policy setting, the system displays each instruction in the shutdown script as it runs. The instructions appear in a command window. + +- If you disable or do not configure this policy setting, the instructions are suppressed. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Shutdown_Script_Visible | +| Friendly Name | Display instructions in shutdown scripts as they run | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideShutdownScripts | +| ADMX File Name | Scripts.admx | + + + + + + + + + +## Run_Startup_Script_Sync + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Sync +``` + + + + +This policy setting lets the system run startup scripts simultaneously. + +Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. + +- If you enable this policy setting, the system does not coordinate the running of startup scripts. As a result, startup scripts can run simultaneously. + +- If you disable or do not configure this policy setting, a startup cannot run until the previous script is complete. + +> [!NOTE] +> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether the "Run startup scripts visible" policy setting is enabled or not. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Startup_Script_Sync | +| Friendly Name | Run startup scripts asynchronously | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunStartupScriptSync | +| ADMX File Name | Scripts.admx | + + + + + + + + + +## Run_Startup_Script_Visible + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_Startup_Script_Visible +``` + + + + +This policy setting displays the instructions in startup scripts as they run. + +Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup script. + +- If you enable this policy setting, the system displays each instruction in the startup script as it runs. Instructions appear in a command window. This policy setting is designed for advanced users. + +- If you disable or do not configure this policy setting, the instructions are suppressed. + +> [!NOTE] +> Starting with Windows Vista operating system, scripts that are configured to run asynchronously are no longer visible on startup, whether this policy setting is enabled or not. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_Startup_Script_Visible | +| Friendly Name | Display instructions in startup scripts as they run | +| Location | Computer Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | HideStartupScripts | +| ADMX File Name | Scripts.admx | + + + + + + + + + +## Run_User_PS_Scripts_First + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Scripts/Run_User_PS_Scripts_First +``` + + + + + + + + +This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enable this policy setting, within each applicable Group Policy Object (GPO), PowerShell scripts are run before non-PowerShell scripts during user logon and logoff. + +For example, assume the following scenario: + +There are three GPOs (GPO A, GPO B, and GPO C). This policy setting is enabled in GPO A. GPO B and GPO C include the following user logon scripts: + +- GPO B: B.cmd, B.ps1 +- GPO C: C.cmd, C.ps1 + +Assume also that there are two users, Qin Hong and Tamara Johnston. For Qin, GPOs A, B, and C are applied. Therefore, the scripts for GPOs B and C run in the following order for Qin: + +- Within GPO B: B.ps1, B.cmd +- Within GPO C: C.ps1, C.cmd + +For Tamara, GPOs B and C are applied, but not GPO A. Therefore, the scripts for GPOs B and C run in the following order for Tamara: + +- Within GPO B: B.cmd, B.ps1 +- Within GPO C: C.cmd, C.ps1 + +> [!NOTE] +> This policy setting determines the order in which user logon and logoff scripts are run within all applicable GPOs. 
You can override this policy setting for specific script types within a specific GPO by configuring the following policy settings for the GPO: +> +> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logon +> - User Configuration\Policies\Windows Settings\Scripts (Logon/Logoff)\Logoff + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | Run_User_PS_Scripts_First | +| Friendly Name | Run Windows PowerShell scripts first at user logon, logoff | +| Location | Computer and User Configuration | +| Path | System > Scripts | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\System | +| Registry Value Name | RunUserPSScriptsFirst | +| ADMX File Name | Scripts.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-startmenu.md b/windows/client-management/mdm/policy-csp-admx-startmenu.md index dfce165594..0d3f1d6f32 100644 --- a/windows/client-management/mdm/policy-csp-admx-startmenu.md +++ b/windows/client-management/mdm/policy-csp-admx-startmenu.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_StartMenu Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
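Review bot: In the added Run_Startup_Script_Sync section of policy-csp-admx-scripts.md, the disable bullet reads "a startup cannot run until the previous script is complete"; the word "script" is missing, so it should read "a startup script cannot run until the previous script is complete". The same section pairs the name Run_Startup_Script_Sync and the registry value RunStartupScriptSync with the friendly name "Run startup scripts asynchronously", and the enable bullet says scripts then run simultaneously. A sentence stating outright that enabled means asynchronous would keep readers from inferring the opposite from the policy name.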
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_StartMenu > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). @@ -27,535 +25,6 @@ ms.topic: reference - -## HidePowerOptions - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/HidePowerOptions -``` - - - - -This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. - -If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen. - -If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | HidePowerOptions | -| Friendly Name | Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | -| Location | Computer Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | HidePowerOptions | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoChangeStartMenu - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu -``` - - - - -This policy setting allows you to prevent users from changing their Start screen layout. - -If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. - -If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoChangeStartMenu | -| Friendly Name | Prevent users from customizing their Start Screen | -| Location | User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoChangeStartMenu | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoMoreProgramsList - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList -``` - - - - -If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. - -Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. - -Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. - -Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. Select this option for compatibility with earlier versions of Windows. - -If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoMoreProgramsList | -| Friendly Name | Remove All Programs list from the Start menu | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoRun - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun -``` - - - - -Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. - -If you enable this setting, the following changes occur: - -(1) The Run command is removed from the Start menu. - -(2) The New Task (Run) command is removed from Task Manager. - -(3) The user will be blocked from entering the following into the Internet Explorer Address Bar: - ---- A UNC path: \\``\\`` - ----Accessing local drives: e.g., C: - ---- Accessing local folders: e.g., \temp> - -Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. - -If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar. - - - -Note:This setting affects the specified interface only. It does not prevent users from using other methods to run programs. - -Note: It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). 
- -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoRun | -| Friendly Name | Remove Run menu from Start Menu | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoRun | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoSetTaskbar - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar -``` - - - - -This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. - -If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. - -If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. - -If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoSetTaskbar | -| Friendly Name | Prevent changes to Taskbar and Start Menu Settings | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoSetTaskbar | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoTrayContextMenu - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu -``` - - - - -This policy setting allows you to remove access to the context menus for the taskbar. - -If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. - -If you disable or do not configure this policy setting, the context menus for the taskbar are available. - -This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoTrayContextMenu | -| Friendly Name | Remove access to the context menus for the taskbar | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | -| Registry Value Name | NoTrayContextMenu | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## NoUninstallFromStart - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart -``` - - - - -If you enable this setting, users cannot uninstall apps from Start. - -If you disable this setting or do not configure it, users can access the uninstall command from Start - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | NoUninstallFromStart | -| Friendly Name | Prevent users from uninstalling applications from Start | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | NoUninstallFromStart | -| ADMX File Name | StartMenu.admx | - - - - - - - - - -## StartPinAppsWhenInstalled - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled -``` - - - - -This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | StartPinAppsWhenInstalled | -| Friendly Name | Pin Apps to Start when installed | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | StartPinAppsWhenInstalled | -| ADMX File Name | StartMenu.admx | - - - - - - - - ## AddSearchInternetLinkInStartMenu 
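Review bot: The eight policy sections deleted from the top of policy-csp-admx-startmenu.md in the -27,535 hunk (HidePowerOptions, NoChangeStartMenu, NoMoreProgramsList, NoRun, NoSetTaskbar, NoTrayContextMenu, NoUninstallFromStart, StartPinAppsWhenInstalled) need to reappear further down the file, and this hunk shows only the removal; please confirm none of them is dropped. If NoRun is re-added verbatim, its removed text carries broken markup worth fixing in the same pass: the UNC path example is rendered as "\\``\\``", the local folder example ends in a stray ">" ("\temp>"), and "Note:This setting" lacks a space and is not a [!NOTE] block like the one this patch introduces in a later hunk.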
@@ -573,11 +42,11 @@ This policy setting allows pinning apps to Start by default, when they are inclu -If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. +- If you enable this policy, a "Search the Internet" link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. -If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. +- If you disable this policy, there will not be a "Search the Internet" link when the user performs a search in the start menu search box. -If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu. +- If you do not configure this policy (default), there will not be a "Search the Internet" link on the start menu. @@ -595,7 +64,7 @@ If you do not configure this policy (default), there will not be a "Search the I > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -635,11 +104,12 @@ If you do not configure this policy (default), there will not be a "Search the I Clear history of recently opened documents on exit. -If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. +- If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the user logs on. In addition, recently and frequently used items in the Jump Lists off of programs in the Start Menu and Taskbar will be cleared when the user logs off. -If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. +- If you disable or do not configure this setting, the system retains document shortcuts, and when a user logs on, the Recent Items menu and the Jump Lists appear just as it did when the user logged off. -Note: The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder. +> [!NOTE] +> The system saves document shortcuts in the user profile in the System-drive\Users\User-name\Recent folder. Also, see the "Remove Recent Items menu from Start Menu" and "Do not keep history of recently opened documents" policies in this folder. The system only uses this setting when neither of these related settings are selected. 
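Review bot: The two bullets rewritten in the -635 hunk still carry grammar slips that could be fixed while the lines are being touched: "Jump Lists off of programs" reads better as "Jump Lists of programs", and "the Recent Items menu and the Jump Lists appear just as it did" needs "as they did" for the plural subject. The path in the new [!NOTE] block, System-drive\Users\User-name\Recent, would also be clearer in code formatting with the placeholder parts marked as placeholders.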
@@ -665,7 +135,7 @@ This policy also does not clear items that the user may have pinned to the Jump > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -703,9 +173,9 @@ This policy also does not clear items that the user may have pinned to the Jump -If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. +- If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. -If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. +- If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user. @@ -723,7 +193,7 @@ If you disable or do not configure this policy, the start menu recent programs l > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -761,9 +231,9 @@ If you disable or do not configure this policy, the start menu recent programs l -If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. +- If you enable this setting, the system deletes tile notifications when the user logs on. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs on. -If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. +- If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. This setting does not prevent new notifications from appearing. See the "Turn off Application Notifications" setting to prevent new notifications. @@ -783,7 +253,7 @@ This setting does not prevent new notifications from appearing. See the "Turn of > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -823,9 +293,9 @@ This setting does not prevent new notifications from appearing. See the "Turn of This policy setting allows desktop apps to be listed first in the Apps view in Start. -If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. +- If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to be available and the user could choose to change their default sorting options. -If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. +- If you disable or don't configure this policy setting, the desktop apps won't be listed first when the apps are sorted by category, and the user can configure this setting. @@ -843,7 +313,7 @@ If you disable or don't configure this policy setting, the desktop apps won't be > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -885,9 +355,9 @@ This policy setting prevents the user from searching apps, files, settings (and This policy setting is only applied when the Apps view is set as the default view for Start. -If you enable this policy setting, searching from the Apps view will only search the list of installed apps. +- If you enable this policy setting, searching from the Apps view will only search the list of installed apps. -If you disable or don’t configure this policy setting, the user can configure this setting. +- If you disable or don't configure this policy setting, the user can configure this setting. @@ -905,7 +375,7 @@ If you disable or don’t configure this policy setting, the user can configure > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -947,13 +417,14 @@ This policy only applies to the classic version of the start menu and does not a Adds the "Log Off ``" item to the Start menu and prevents users from removing it. -If you enable this setting, the Log Off `` item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off `` item from the Start Menu. +- If you enable this setting, the Log Off `` item appears in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot remove the Log Off `` item from the Start Menu. -If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item. +- If you disable this setting or do not configure it, users can use the Display Logoff item to add and remove the Log Off item. This setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del. -Note: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. +> [!NOTE] +> To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab, and then, in the Start Menu Settings box, click Display Logoff. Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\Logon/Logoff. 
@@ -973,7 +444,7 @@ Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\ > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1013,11 +484,11 @@ Also, see "Remove Logoff" in User Configuration\Administrative Templates\System\ This policy setting allows users to go to the desktop instead of the Start screen when they sign in. -If you enable this policy setting, users will always go to the desktop when they sign in. +- If you enable this policy setting, users will always go to the desktop when they sign in. -If you disable this policy setting, users will always go to the Start screen when they sign in. +- If you disable this policy setting, users will always go to the Start screen when they sign in. -If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. +- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it. @@ -1035,7 +506,7 @@ If you don’t configure this policy setting, the default setting for the user > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1079,9 +550,10 @@ This setting makes it easier for users to distinguish between programs that are Partially installed programs include those that a system administrator assigns using Windows Installer and those that users have configured for full installation upon first use. -If you disable this setting or do not configure it, all Start menu shortcuts appear as black text. +- If you disable this setting or do not configure it, all Start menu shortcuts appear as black text. -Note: Enabling this setting can make the Start menu slow to open. +> [!NOTE] +> Enabling this setting can make the Start menu slow to open. @@ -1099,7 +571,7 @@ Note: Enabling this setting can make the Start menu slow to open. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1120,6 +592,66 @@ Note: Enabling this setting can make the Start menu slow to open. + +## HidePowerOptions + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/HidePowerOptions +``` + + + + +This policy setting prevents users from performing the following commands from the Windows security screen, the logon screen, and the Start menu: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. + +- If you enable this policy setting, the shutdown, restart, sleep, and hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE, and from the logon screen. + +- If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security and logon screens is also available. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | HidePowerOptions | +| Friendly Name | Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands | +| Location | Computer Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | HidePowerOptions | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## Intellimenus 
@@ -1141,11 +673,13 @@ Disables personalized menus. Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu. -If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect. +- If you enable this setting, the system does not personalize menus. All menu items appear and remain in standard order. Also, this setting removes the "Use Personalized Menus" option so users do not try to change the setting while a setting is in effect. -Note: Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting. +> [!NOTE] +> Personalized menus require user tracking. If you enable the "Turn off user tracking" setting, the system disables user tracking and personalized menus and ignores this setting. -Tip: To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. +> [!TIP] +> To Turn off personalized menus without specifying a setting, click Start, click Settings, click Taskbar and Start Menu, and then, on the General tab, clear the "Use Personalized Menus" option. 
@@ -1163,7 +697,7 @@ Tip: To Turn off personalized menus without specifying a setting, click Start, c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1205,11 +739,12 @@ This setting affects the taskbar, which is used to switch between running applic The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any side of the screen. When it is locked, it cannot be moved or resized. -If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties. +- If you enable this setting, it prevents the user from moving or resizing the taskbar. While the taskbar is locked, auto-hide and other taskbar options are still available in Taskbar properties. -If you disable this setting or do not configure it, the user can configure the taskbar position. +- If you disable this setting or do not configure it, the user can configure the taskbar position. -Note: Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. +> [!NOTE] +> Enabling this setting also locks the QuickLaunch bar and any other toolbars that the user has on their taskbar. The toolbar's position is locked, and the user cannot show and hide various toolbars using the taskbar context menu. 
@@ -1227,7 +762,7 @@ Note: Enabling this setting also locks the QuickLaunch bar and any other toolbar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1287,7 +822,7 @@ Enabling this setting adds a check box to the Run dialog box, giving users the o > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1329,9 +864,9 @@ This setting affects the notification area, also called the "system tray." The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items are always expanded or always collapsed. By default, notifications are collapsed. The notification cleanup << icon can be referred to as the "notification chevron." -If you enable this setting, the system notification area expands to show all of the notifications that use this area. +- If you enable this setting, the system notification area expands to show all of the notifications that use this area. -If you disable this setting, the system notification area will always collapse notifications. +- If you disable this setting, the system notification area will always collapse notifications. If you do not configure it, the user can choose if they want notifications collapsed. 
@@ -1351,7 +886,7 @@ If you do not configure it, the user can choose if they want notifications colla > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1393,9 +928,9 @@ Hides pop-up text on the Start menu and in the notification area. When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object. -If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. +- If you enable this setting, some of this pop-up text is not displayed. The pop-up text affected by this setting includes "Click here to begin" on the Start button, "Where have all my programs gone" on the Start menu, and "Where have my icons gone" in the notification area. -If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. +- If you disable this setting or do not configure it, all pop-up text is displayed on the Start menu and in the notification area. 
@@ -1413,7 +948,7 @@ If you disable this setting or do not configure it, all pop-up text is displayed > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1434,6 +969,70 @@ If you disable this setting or do not configure it, all pop-up text is displayed + +## NoChangeStartMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoChangeStartMenu +``` + + + + +This policy setting allows you to prevent users from changing their Start screen layout. + +- If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the customize mode and rearranging tiles within Start and Apps. + +- If you disable or do not configure this setting, you will allow a user to select an app, resize a tile, pin/unpin a tile or a secondary tile, enter the customize mode and rearrange tiles within Start and Apps. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoChangeStartMenu | +| Friendly Name | Prevent users from customizing their Start Screen | +| Location | User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoChangeStartMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoClose 
@@ -1453,11 +1052,12 @@ If you disable this setting or do not configure it, all pop-up text is displayed This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from running Windows-based programs that perform these functions. -If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. +- If you enable this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are removed from the Start menu. The Power button is also removed from the Windows Security screen, which appears when you press CTRL+ALT+DELETE. -If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available. +- If you disable or do not configure this policy setting, the Power button and the Shut Down, Restart, Sleep, and Hibernate commands are available on the Start menu. The Power button on the Windows Security screen is also available. -Note: Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. +> [!NOTE] +> Third-party programs certified as compatible with Microsoft Windows Vista, Windows XP SP2, Windows XP SP1, Windows XP, or Windows 2000 Professional are required to support this policy setting. 
@@ -1475,7 +1075,7 @@ Note: Third-party programs certified as compatible with Microsoft Windows Vista, > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1515,9 +1115,11 @@ Note: Third-party programs certified as compatible with Microsoft Windows Vista, Removes items in the All Users profile from the Programs menu on the Start menu. -By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile appear in the Programs menu. +By default, the Programs menu contains items from the All Users profile and items from the user's profile. +- If you enable this setting, only items in the user's profile appear in the Programs menu. -Tip: To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. +> [!TIP] +> To see the Program menu items in the All Users profile, on the system drive, go to ProgramData\Microsoft\Windows\Start Menu\Programs. @@ -1535,7 +1137,7 @@ Tip: To see the Program menu items in the All Users profile, on the system drive > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1575,15 +1177,18 @@ Tip: To see the Program menu items in the All Users profile, on the system drive Prevents users from adding the Favorites menu to the Start menu or classic Start menu. -If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. +- If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. -If you disable or do not configure this setting, the Display Favorite item is available. +- If you disable or do not configure this setting, the Display Favorite item is available. -Note:The Favorities menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. +> [!NOTE] +> The Favorites menu does not appear on the Start menu by default. To display the Favorites menu, right-click Start, click Properties, and then click Customize. If you are using Start menu, click the Advanced tab, and then, under Start menu items, click the Favorites menu. If you are using the classic Start menu, click Display Favorites under Advanced Start menu options. -Note:The items that appear in the Favorites menu when you install Windows are preconfigured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group. +> [!NOTE] +> The items that appear in the Favorites menu when you install Windows are pre-configured by the system to appeal to most users. However, users can add and remove items from this menu, and system administrators can create a customized Favorites menu for a user group. -Note:This setting only affects the Start menu. 
The Favorites item still appears in File Explorer and in Internet Explorer. +> [!NOTE] +> This setting only affects the Start menu. The Favorites item still appears in File Explorer and in Internet Explorer. @@ -1601,7 +1206,7 @@ Note:This setting only affects the Start menu. The Favorites item still appears > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1643,15 +1248,16 @@ This policy setting allows you to remove the Search link from the Start menu, an **Note** that this does not remove the search box from the new style Start menu. -If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. +- If you enable this policy setting, the Search item is removed from the Start menu and from the context menu that appears when you right-click the Start menu. Also, the system does not respond when users press the Application key (the key with the Windows logo)+ F. -Note: Enabling this policy setting also prevents the user from using the F3 key. +> [!NOTE] +> Enabling this policy setting also prevents the user from using the F3 key. In File Explorer, the Search item still appears on the Standard buttons toolbar, but the system does not respond when the user presses Ctrl+F. Also, Search does not appear in the context menu when you right-click an icon representing a drive or a folder. This policy setting affects the specified user interface elements only. It does not affect Internet Explorer and does not prevent the user from using other methods to search. -If you disable or do not configure this policy setting, the Search link is available from the Start menu. +- If you disable or do not configure this policy setting, the Search link is available from the Start menu. 
@@ -1669,7 +1275,7 @@ If you disable or do not configure this policy setting, the Search link is avail > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1707,9 +1313,9 @@ If you disable or do not configure this policy setting, the Search link is avail -If you enable this policy the start menu will not show a link to the Games folder. +- If you enable this policy the start menu will not show a link to the Games folder. -If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. +- If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel. @@ -1727,7 +1333,7 @@ If you disable or do not configure this policy, the start menu will show a link > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1767,9 +1373,9 @@ If you disable or do not configure this policy, the start menu will show a link This policy setting allows you to remove the Help command from the Start menu. -If you enable this policy setting, the Help command is removed from the Start menu. +- If you enable this policy setting, the Help command is removed from the Start menu. -If you disable or do not configure this policy setting, the Help command is available from the Start menu. +- If you disable or do not configure this policy setting, the Help command is available from the Start menu. This policy setting only affects the Start menu. It does not remove the Help menu from File Explorer and does not prevent users from running Help. @@ -1789,7 +1395,7 @@ This policy setting only affects the Start menu. It does not remove the Help men > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1829,9 +1435,9 @@ This policy setting only affects the Start menu. It does not remove the Help men This policy setting allows you to turn off user tracking. -If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu. +- If you enable this policy setting, the system does not track the programs that the user runs, and does not display frequently used programs in the Start Menu. -If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. +- If you disable or do not configure this policy setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. Also, see these related policy settings: "Remove frequent programs liist from the Start Menu" and "Turn off personalized menus". @@ -1853,7 +1459,7 @@ This policy setting does not prevent users from pinning programs to the Start Me > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1874,6 +1480,73 @@ This policy setting does not prevent users from pinning programs to the Start Me + +## NoMoreProgramsList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoMoreProgramsList +``` + + + + +- If you enable this setting, the Start Menu will either collapse or remove the all apps list from the Start menu. + +Selecting "Collapse" will not display the app list next to the pinned tiles in Start. An "All apps" button will be displayed on Start to open the all apps list. This is equivalent to setting the "Show app list in Start" in Settings to Off. + +Selecting "Collapse and disable setting" will do the same as the collapse option and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. + +Selecting "Remove and disable setting" will remove the all apps list from Start and disable the "Show app list in Start menu" in Settings, so users cannot turn it to On. Select this option for compatibility with earlier versions of Windows. + +- If you disable or do not configure this setting, the all apps list will be visible by default, and the user can change "Show app list in Start" in Settings. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoMoreProgramsList | +| Friendly Name | Remove All Programs list from the Start menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoNetAndDialupConnect 
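Review bot: In the new NoMoreProgramsList section, the description names three choices ("Collapse", "Collapse and disable setting", "Remove and disable setting") but nothing says how a choice is expressed in the SyncML payload, and the ADMX mapping table stops at Registry Key Name with no Registry Value Name row, unlike the NoRun and NoSetTaskbar tables added later in this patch. Please add the element or value an administrator has to send for each choice, or state that the row is omitted on purpose. The three "Selecting ..." paragraphs also sit unindented between the two bullets, so they split the list. Indenting them under the "If you enable" item keeps them attached to it.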
@@ -1893,13 +1566,13 @@ This policy setting does not prevent users from pinning programs to the Start Me This policy setting allows you to remove Network Connections from the Start Menu. -If you enable this policy setting, users are prevented from running Network Connections. +- If you enable this policy setting, users are prevented from running Network Connections. Enabling this policy setting prevents the Network Connections folder from opening. This policy setting also removes Network Connections from Settings on the Start menu. Network Connections still appears in Control Panel and in File Explorer, but if users try to start it, a message appears explaining that a setting prevents the action. -If you disable or do not configure this policy setting, Network Connections is available from the Start Menu. +- If you disable or do not configure this policy setting, Network Connections is available from the Start Menu. Also, see the "Disable programs on Settings menu" and "Disable Control Panel" policy settings and the policy settings in the Network Connections folder (Computer Configuration and User Configuration\Administrative Templates\Network\Network Connections). @@ -1919,7 +1592,7 @@ Also, see the "Disable programs on Settings menu" and "Disable Control Panel" po > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
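Review bot: In the hunk at -1893 (the Network Connections description), the paragraph starting "Enabling this policy setting prevents the Network Connections folder from opening" and the one after it still describe the enabled state, but they are left unindented after the new "- If you enable" bullet, so they end the list and the "- If you disable or do not configure" bullet starts a second one. Indent both paragraphs under the first bullet, or leave this description as plain paragraphs.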
@@ -1957,11 +1630,11 @@ Also, see the "Disable programs on Settings menu" and "Disable Control Panel" po -If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. +- If you enable this setting, the "Pinned Programs" list is removed from the Start menu. Users cannot pin programs to the Start menu. In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dialog. -If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. +- If you disable this setting or do not configure it, the "Pinned Programs" list remains on the Start menu. Users can pin and unpin programs in the Start Menu. @@ -1979,7 +1652,7 @@ If you disable this setting or do not configure it, the "Pinned Programs" list r > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2021,7 +1694,7 @@ Removes the Recent Items menu from the Start menu. Removes the Documents menu fr The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen their documents. -If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on. +- If you enable this setting, the system saves document shortcuts but does not display the Recent Items menu in the Start Menu, and users cannot turn the menu on. If you later disable the setting, so that the Recent Items menu appears in the Start Menu, the document shortcuts saved before the setting was enabled and while it was in effect appear in the Recent Items menu. @@ -2029,7 +1702,8 @@ When the setting is disabled, the Recent Items menu appears in the Start Menu, a If the setting is not configured, users can turn the Recent Items menu on and off. -Note: This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. +> [!NOTE] +> This setting does not prevent Windows programs from displaying shortcuts to recently opened documents. See the "Do not keep history of recently opened documents" setting. This setting also does not hide document shortcuts displayed in the Open dialog box. See the "Hide the dropdown list of recent files" setting. @@ -2049,7 +1723,7 @@ This setting also does not hide document shortcuts displayed in the Open dialog > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
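Review bot: In the hunk at -2029, the new [!NOTE] callout holds only the first caveat. The next sentence, "This setting also does not hide document shortcuts displayed in the Open dialog box", continues the same note but is left outside it as a context line. Pull that sentence and its "Hide the dropdown list of recent files" reference into the callout so both limits of the setting are read together.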
@@ -2089,11 +1763,12 @@ This setting also does not hide document shortcuts displayed in the Open dialog This policy setting prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. -If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found. +- If you enable this policy setting, the system does not conduct the final drive search. It just displays a message explaining that the file is not found. -If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. +- If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. -Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. +> [!NOTE] +> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the tracking-based method when resolving shell shortcuts" policy settings. 
@@ -2113,7 +1788,7 @@ Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2153,11 +1828,12 @@ Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use This policy setting prevents the system from using NTFS tracking features to resolve a shortcut. -If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. +- If you enable this policy setting, the system does not try to locate the file by using its file ID. It skips this step and begins a comprehensive search of the drive specified in the target path. -If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. +- If you disable or do not configure this policy setting, by default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file is located on an NTFS partition, the system then uses the target's file ID to find a path. If the resulting path is not correct, it conducts a comprehensive search of the target drive in an attempt to find the file. -Note: This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. +> [!NOTE] +> This policy setting only applies to target files on NTFS partitions. FAT partitions do not have this ID tracking and search capability. Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use the search-based method when resolving shell shortcuts" policy settings. 
@@ -2177,7 +1853,7 @@ Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2198,6 +1874,90 @@ Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use + +## NoRun + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoRun +``` + + + + +Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. + +- If you enable this setting, the following changes occur: + +(1) The Run command is removed from the Start menu. + +(2) The New Task (Run) command is removed from Task Manager. + +(3) The user will be blocked from entering the following into the Internet Explorer Address Bar: + +--- A UNC path: \\``\\`` + +---Accessing local drives: e.g., C: + +--- Accessing local folders: e.g., \temp> + +Also, users with extended keyboards will no longer be able to display the Run dialog box by pressing the Application key (the key with the Windows logo) + R. + +- If you disable or do not configure this setting, users will be able to access the Run command in the Start menu and in Task Manager and use the Internet Explorer Address Bar. + +> [!NOTE] +> This setting affects the specified interface only. It does not prevent users from using other methods to run programs. + +> [!NOTE] +> It is a requirement for third-party applications with Windows 2000 or later certification to adhere to this setting. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). 
+ +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoRun | +| Friendly Name | Remove Run menu from Start Menu | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoRun | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoSearchCommInStartMenu @@ -2215,9 +1975,9 @@ Also, see the "Do not track Shell shortcuts during roaming" and the "Do not use -If you enable this policy the start menu search box will not search for communications. +- If you enable this policy the start menu search box will not search for communications. -If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. +- If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel. @@ -2235,7 +1995,7 @@ If you disable or do not configure this policy, the start menu will search for c > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
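Review bot: In the NoRun section added by the hunk at -2198, the numbered changes "(1)" to "(3)" and the "---" sub-items under (3) are plain paragraphs with inconsistent spacing ("--- A UNC path" against "---Accessing local drives"), and the local folder example "\temp>" ends in a stray ">". Write these as a nested Markdown list under the "If you enable" bullet and put the path examples in inline code so the backslashes survive rendering. The two consecutive [!NOTE] callouts can also be merged into one block.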
@@ -2273,9 +2033,9 @@ If you disable or do not configure this policy, the start menu will search for c -If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. +- If you enable this policy, the "See all results" link will not be shown when the user performs a search in the start menu search box. -If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. +- If you disable or do not configure this policy, the "See all results" link will be shown when the user performs a search in the start menu search box. @@ -2293,7 +2053,7 @@ If you disable or do not configure this policy, the "See all results" link will > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2331,9 +2091,9 @@ If you disable or do not configure this policy, the "See all results" link will -If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. +- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. -If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. +- If you disable or do not configure this policy, a "See more results" link will be shown when the user performs a search in the start menu search box. If a 3rd party protocol handler is installed, a "Search Everywhere" link will be shown instead of the "See more results" link. @@ -2351,7 +2111,7 @@ If you disable or do not configure this policy, a "See more results" link will b > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2389,9 +2149,10 @@ If you disable or do not configure this policy, a "See more results" link will b -If you enable this policy setting the Start menu search box will not search for files. +- If you enable this policy setting the Start menu search box will not search for files. -If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. +- If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. +- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown when the user performs a search in the start menu search box. @@ -2409,7 +2170,7 @@ If you disable or do not configure this policy setting, the Start menu will sear > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
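Review bot: In the hunk at -2389, the added third bullet "- If you enable this policy, a "See more results" / "Search Everywhere" link will not be shown ..." repeats the enabled text of the policy in the hunk at -2331 and does not describe file search. The old line had it appended to the disable paragraph, and promoting it to its own bullet gives this policy two "If you enable" items with different effects. Drop the sentence here, or confirm against the ADMX source that this policy also hides the link and merge it into the first bullet.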
@@ -2447,9 +2208,9 @@ If you disable or do not configure this policy setting, the Start menu will sear -If you enable this policy the start menu search box will not search for internet history or favorites. +- If you enable this policy the start menu search box will not search for internet history or favorites. -If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. +- If you disable or do not configure this policy, the start menu will search for for internet history or favorites, unless the user chooses not to in the start menu control panel. @@ -2467,7 +2228,7 @@ If you disable or do not configure this policy, the start menu will search for f > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2505,9 +2266,9 @@ If you disable or do not configure this policy, the start menu will search for f -If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. +- If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. -If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. +- If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unless the user chooses not to do so directly in Control Panel. 
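Review bot: In the hunk at -2447, the rewritten disable bullet keeps the doubled word in "will search for for internet history or favorites". Since the line is being touched anyway, change it to "will search for internet history or favorites".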
@@ -2525,7 +2286,7 @@ If you disable or do not configure this policy setting, the Start menu search bo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2565,11 +2326,11 @@ If you disable or do not configure this policy setting, the Start menu search bo This policy setting allows you to remove programs on Settings menu. -If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. +- If you enable this policy setting, the Control Panel, Printers, and Network and Connection folders are removed from Settings on the Start menu, and from Computer and File Explorer. It also prevents the programs represented by these folders (such as Control.exe) from running. However, users can still start Control Panel items by using other methods, such as right-clicking the desktop to start Display or right-clicking Computer to start System. -If you disable or do not configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer. +- If you disable or do not configure this policy setting, the Control Panel, Printers, and Network and Connection folders from Settings are available on the Start menu, and from Computer and File Explorer. Also, see the "Disable Control Panel," "Disable Display in Control Panel," and "Remove Network Connections from Start Menu" policy settings. 
@@ -2589,7 +2350,7 @@ Also, see the "Disable Control Panel," "Disable Display in Control Panel," and " > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2610,6 +2371,72 @@ Also, see the "Disable Control Panel," "Disable Display in Control Panel," and " + +## NoSetTaskbar + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoSetTaskbar +``` + + + + +This policy setting allows you to prevent changes to Taskbar and Start Menu Settings. + +- If you enable this policy setting, The user will be prevented from opening the Taskbar Properties dialog box. + +If the user right-clicks the taskbar and then clicks Properties, a message appears explaining that a setting prevents the action. + +- If you disable or do not configure this policy setting, the Taskbar and Start Menu items are available from Settings on the Start menu. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoSetTaskbar | +| Friendly Name | Prevent changes to Taskbar and Start Menu Settings | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoSetTaskbar | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoSMConfigurePrograms 
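Review bot: In the new NoSetTaskbar section, the enable bullet reads "If you enable this policy setting, The user will be prevented", with a capital "The" mid-sentence, and the follow-on paragraph "If the user right-clicks the taskbar and then clicks Properties, a message appears ..." is unindented, so it falls outside the bullet it explains. Lowercase "the" and indent that paragraph under the enable item.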
@@ -2629,13 +2456,14 @@ Also, see the "Disable Control Panel," "Disable Display in Control Panel," and " This policy setting allows you to remove the Default Programs link from the Start menu. -If you enable this policy setting, the Default Programs link is removed from the Start menu. +- If you enable this policy setting, the Default Programs link is removed from the Start menu. Clicking the Default Programs link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. -If you disable or do not configure this policy setting, the Default Programs link is available from the Start menu. +- If you disable or do not configure this policy setting, the Default Programs link is available from the Start menu. -Note: This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. +> [!NOTE] +> This policy setting does not prevent the Set Default Programs for This Computer option from appearing in the Default Programs control panel. @@ -2653,7 +2481,7 @@ Note: This policy setting does not prevent the Set Default Programs for This Com > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2693,11 +2521,12 @@ Note: This policy setting does not prevent the Set Default Programs for This Com This policy setting allows you to remove the Documents icon from the Start menu and its submenus. -If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. +- If you enable this policy setting, the Documents icon is removed from the Start menu and its submenus. Enabling this policy setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. -Note: To make changes to this policy setting effective, you must log off and then log on. +> [!NOTE] +> To make changes to this policy setting effective, you must log off and then log on. -If you disable or do not configure this policy setting, he Documents icon is available from the Start menu. +- If you disable or do not configure this policy setting, he Documents icon is available from the Start menu. Also, see the "Remove Documents icon on the desktop" policy setting. @@ -2717,7 +2546,7 @@ Also, see the "Remove Documents icon on the desktop" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
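Review bot: In the hunk at -2693, the rewritten disable bullet still says "he Documents icon is available from the Start menu", which should read "the Documents icon". The [!NOTE] about logging off and on is also placed between the enable and disable bullets, which splits the list. Moving it after the second bullet keeps the two states together.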
@@ -2757,9 +2586,9 @@ Also, see the "Remove Documents icon on the desktop" policy setting. This policy setting allows you to remove the Music icon from Start Menu. -If you enable this policy setting, the Music icon is no longer available from Start Menu. +- If you enable this policy setting, the Music icon is no longer available from Start Menu. -If you disable or do not configure this policy setting, the Music icon is available from Start Menu. +- If you disable or do not configure this policy setting, the Music icon is available from Start Menu. @@ -2777,7 +2606,7 @@ If you disable or do not configure this policy setting, the Music icon is availa > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2817,9 +2646,9 @@ If you disable or do not configure this policy setting, the Music icon is availa This policy setting allows you to remove the Network icon from Start Menu. -If you enable this policy setting, the Network icon is no longer available from Start Menu. +- If you enable this policy setting, the Network icon is no longer available from Start Menu. -If you disable or do not configure this policy setting, the Network icon is available from Start Menu. +- If you disable or do not configure this policy setting, the Network icon is available from Start Menu. 
@@ -2837,7 +2666,7 @@ If you disable or do not configure this policy setting, the Network icon is avai > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2877,9 +2706,9 @@ If you disable or do not configure this policy setting, the Network icon is avai This policy setting allows you to remove the Pictures icon from Start Menu. -If you enable this policy setting, the Pictures icon is no longer available from Start Menu. +- If you enable this policy setting, the Pictures icon is no longer available from Start Menu. -If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu. +- If you disable or do not configure this policy setting, the Pictures icon is available from Start Menu. @@ -2897,7 +2726,7 @@ If you disable or do not configure this policy setting, the Pictures icon is ava > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -2937,9 +2766,9 @@ If you disable or do not configure this policy setting, the Pictures icon is ava This policy setting allows you to remove the Downloads link from the Start Menu. -If you enable this policy setting, the Start Menu does not show a link to the Downloads folder. +- If you enable this policy setting, the Start Menu does not show a link to the Downloads folder. -If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu. +- If you disable or do not configure this policy setting, the Downloads link is available from the Start Menu. @@ -2957,7 +2786,7 @@ If you disable or do not configure this policy setting, the Downloads link is av > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -2995,9 +2824,9 @@ If you disable or do not configure this policy setting, the Downloads link is av -If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. +- If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. -If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. +- If you disable or do not configure this policy, users can use the Start Menu options to add or remove the homegroup link from the Start Menu. 
@@ -3015,7 +2844,7 @@ If you disable or do not configure this policy, users can use the Start Menu opt > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3055,9 +2884,9 @@ If you disable or do not configure this policy, users can use the Start Menu opt This policy setting allows you to remove the Recorded TV link from the Start Menu. -If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library. +- If you enable this policy setting, the Start Menu does not show a link to the Recorded TV library. -If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu. +- If you disable or do not configure this policy setting, the Recorded TV link is available from the Start Menu. @@ -3075,7 +2904,7 @@ If you disable or do not configure this policy setting, the Recorded TV link is > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3117,11 +2946,11 @@ Hides all folders on the user-specific (top) section of the Start menu. Other it This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. However, the original, user-specific version of the folder still appears on the top section of the Start menu. Because the appearance of two folders with the same name might confuse users, you can use this setting to hide user-specific folders. -Note that this setting hides all user-specific folders, not just those associated with redirected folders. +**Note** that this setting hides all user-specific folders, not just those associated with redirected folders. -If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu. +- If you enable this setting, no folders appear on the top section of the Start menu. If users add folders to the Start Menu directory in their user profiles, the folders appear in the directory but not on the Start menu. -If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. +- If you disable this setting or do not configured it, Windows 2000 Professional and Windows XP Professional display folders on both sections of the Start menu. @@ -3139,7 +2968,7 @@ If you disable this setting or do not configured it, Windows 2000 Professional a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
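Review bot: In the @@ -3117,11 +2946,11 @@ hunk, the rewritten line "**Note** that this setting hides all user-specific folders, ..." bolds one word mid-sentence instead of using the `> [!NOTE]` callout that this patch applies to other notes (for example in the NoTrayItemsDisplay description). Suggest converting it to a callout for consistency. The last bullet in the same hunk still reads "do not configured it"; since the line is being touched anyway, correct it to "do not configure it".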
@@ -3179,9 +3008,9 @@ If you disable this setting or do not configured it, Windows 2000 Professional a This policy setting allows you to remove the Videos link from the Start Menu. -If you enable this policy setting, the Start Menu does not show a link to the Videos library. +- If you enable this policy setting, the Start Menu does not show a link to the Videos library. -If you disable or do not configure this policy setting, the Videos link is available from the Start Menu. +- If you disable or do not configure this policy setting, the Videos link is available from the Start Menu. @@ -3199,7 +3028,7 @@ If you disable or do not configure this policy setting, the Videos link is avail > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3241,11 +3070,11 @@ This setting affects the presentation of the Start menu. The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are placed on the desktop: Documents, Pictures, Music, Computer, and Network. The new Start menu starts them directly. -If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. +- If you enable this setting, the Start menu displays the classic Start menu in the Windows 2000 style and displays the standard desktop icons. -If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. +- If you disable this setting, the Start menu only displays in the new style, meaning the desktop icons are now on the Start page. -If you do not configure this setting, the default is the new style, and the user can change the view. +- If you do not configure this setting, the default is the new style, and the user can change the view. @@ -3263,7 +3092,7 @@ If you do not configure this setting, the default is the new style, and the user > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3303,9 +3132,9 @@ If you do not configure this setting, the default is the new style, and the user Prevents the clock in the system notification area from being displayed. -If you enable this setting, the clock will not be displayed in the system notification area. +- If you enable this setting, the clock will not be displayed in the system notification area. -If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. +- If you disable or do not configure this setting, the default behavior of the clock appearing in the notification area will occur. @@ -3323,7 +3152,7 @@ If you disable or do not configure this setting, the default behavior of the clo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3365,7 +3194,7 @@ This setting affects the taskbar buttons used to switch between running programs Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full. -If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. +- If you enable this setting, it prevents the taskbar from grouping items that share the same program name. By default, this setting is always enabled. If you disable or do not configure it, items on the taskbar that share the same program are grouped together. The users have the option to disable grouping if they choose. 
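Review bot: In the @@ -3365,7 +3194,7 @@ hunk only the "If you enable this setting, it prevents the taskbar from grouping items ..." paragraph becomes a bullet, while the following "If you disable or do not configure it, items on the taskbar ..." paragraph stays as plain context, so the list has a single item and the two states render differently. Bullet the second paragraph as well, as the other descriptions converted in this patch do.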
@@ -3385,7 +3214,7 @@ If you disable or do not configure it, items on the taskbar that share the same > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3427,9 +3256,9 @@ This setting affects the taskbar. The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom toolbars created by the user or by an application. -If this setting is enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock. +- If this setting is enabled, the taskbar does not display any custom toolbars, and the user cannot add any custom toolbars to the taskbar. Moreover, the "Toolbars" menu command and submenu are removed from the context menu. The taskbar displays only the Start button, taskbar buttons, the notification area, and the system clock. -If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. +- If this setting is disabled or is not configured, the taskbar displays all toolbars. Users can add or remove custom toolbars, and the "Toolbars" command appears in the context menu. 
@@ -3447,7 +3276,7 @@ If this setting is disabled or is not configured, the taskbar displays all toolb > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3468,6 +3297,72 @@ If this setting is disabled or is not configured, the taskbar displays all toolb + +## NoTrayContextMenu + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoTrayContextMenu +``` + + + + +This policy setting allows you to remove access to the context menus for the taskbar. + +- If you enable this policy setting, the menus that appear when you right-click the taskbar and items on the taskbar are hidden, such as the Start button, the clock, and the taskbar buttons. + +- If you disable or do not configure this policy setting, the context menus for the taskbar are available. + +This policy setting does not prevent users from using other methods to issue the commands that appear on these menus. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoTrayContextMenu | +| Friendly Name | Remove access to the context menus for the taskbar | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | +| Registry Value Name | NoTrayContextMenu | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoTrayItemsDisplay 
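Review bot: In the new NoTrayContextMenu description, the closing sentence "This policy setting does not prevent users from using other methods to issue the commands that appear on these menus." is left as plain text, although it is the caveat an administrator most needs to notice: the setting hides the menus and does not block the commands. The equivalent caveat for the "Run as different user" setting is turned into a `> [!NOTE]` callout later in this patch; suggest the same treatment here so the setting is not read as an access control.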
@@ -3489,11 +3384,12 @@ This setting affects the notification area (previously called the "system tray") Description: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. -If this setting is enabled, the user’s entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. +- If this setting is enabled, the user's entire notification area, including the notification icons, is hidden. The taskbar displays only the Start button, taskbar buttons, custom toolbars (if any), and the system clock. -If this setting is disabled or is not configured, the notification area is shown in the user's taskbar. +- If this setting is disabled or is not configured, the notification area is shown in the user's taskbar. -Note: Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. +> [!NOTE] +> Enabling this setting overrides the "Turn off notification area cleanup" setting, because if the notification area is hidden, there is no need to clean up the icons. @@ -3511,7 +3407,7 @@ Note: Enabling this setting overrides the "Turn off notification area cleanup" s > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3532,6 +3428,68 @@ Note: Enabling this setting overrides the "Turn off notification area cleanup" s + +## NoUninstallFromStart + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/NoUninstallFromStart +``` + + + + +- If you enable this setting, users cannot uninstall apps from Start. + +- If you disable this setting or do not configure it, users can access the uninstall command from Start + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | NoUninstallFromStart | +| Friendly Name | Prevent users from uninstalling applications from Start | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | NoUninstallFromStart | +| ADMX File Name | StartMenu.admx | + + + + + + + + ## NoUserFolderOnStartMenu @@ -3549,9 +3507,9 @@ Note: Enabling this setting overrides the "Turn off notification area cleanup" s -If you enable this policy the start menu will not show a link to the user's storage folder. +- If you enable this policy the start menu will not show a link to the user's storage folder. -If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. +- If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel. 
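Review bot: In the new NoUninstallFromStart section (the @@ -3532,6 +3428,68 @@ hunk), the description opens directly with the two bullets and has no lead sentence saying what the setting controls, unlike the NoTrayContextMenu section added in the same patch. The second bullet, "users can access the uninstall command from Start", is also missing its final period. Suggest adding a one-line summary before the bullets and the period.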
@@ -3569,7 +3527,7 @@ If you disable or do not configure this policy, the start menu will display a li > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3609,11 +3567,11 @@ If you disable or do not configure this policy, the start menu will display a li This policy setting allows you to remove the user name label from the Start Menu in Windows XP and Windows Server 2003. -If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003. +- If you enable this policy setting, the user name label is removed from the Start Menu in Windows XP and Windows Server 2003. To remove the user name folder on Windows Vista, set the "Remove user folder link from Start Menu" policy setting. -If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003. +- If you disable or do not configure this policy setting, the user name label appears on the Start Menu in Windows XP and Windows Server 2003. @@ -3631,7 +3589,7 @@ If you disable or do not configure this policy setting, the user name label appe > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3671,13 +3629,13 @@ If you disable or do not configure this policy setting, the user name label appe This policy setting allows you to remove links and access to Windows Update. -If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. +- If you enable this policy setting, users are prevented from connecting to the Windows Update Web site. Enabling this policy setting blocks user access to the Windows Update Web site at . Also, the policy setting removes the Windows Update hyperlink from the Start menu and from the Tools menu in Internet Explorer. -Windows Update, the online extension of Windows, offers software updates to keep a user’s system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. +Windows Update, the online extension of Windows, offers software updates to keep a user's system up-to-date. The Windows Update Product Catalog determines any system files, security fixes, and Microsoft updates that users need and shows the newest versions available for download. -If you disable or do not configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer. +- If you disable or do not configure this policy setting, the Windows Update hyperlink is available from the Start menu and from the Tools menu in Internet Explorer. Also, see the "Hide the "Add programs from Microsoft" option" policy setting. 
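Review bot: In this hunk the two new bullets are separated by two unindented paragraphs ("Enabling this policy setting blocks user access ..." and "Windows Update, the online extension of Windows, ..."), so Markdown will render two one-item lists with body text between them. Indent the "Enabling this policy setting blocks ..." paragraph under the enable bullet and move the general description of Windows Update above the list. The context line also ends in "Web site at ." with nothing after "at", which is worth checking while this block is being edited.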
@@ -3697,7 +3655,7 @@ Also, see the "Hide the "Add programs from Microsoft" option" policy setting. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3737,11 +3695,11 @@ Also, see the "Hide the "Add programs from Microsoft" option" policy setting. Set the default action of the power button on the Start menu. -If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. +- If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. If you set the button to either Sleep or Hibernate, and that state is not supported on a computer, then the button will fall back to Shut Down. -If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. +- If you disable or do not configure this setting, the Start Menu power button will be set to Shut Down by default, and the user can change this setting to another action. 
@@ -3759,13 +3717,13 @@ If you disable or do not configure this setting, the Start Menu power button wil > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | PowerButtonAction_DisplayName | +| Name | PowerButtonAction | | Friendly Name | Change Start Menu power button | | Location | User Configuration | | Path | Start Menu and Taskbar | @@ -3798,11 +3756,11 @@ If you disable or do not configure this setting, the Start Menu power button wil This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. -If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. +- If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. -If you disable this policy setting, the QuickLaunch bar will be hidden and cannot be turned on. +- If you disable this policy setting, the QuickLaunch bar will be hidden and cannot be turned on. -If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. +- If you do not configure this policy setting, then users will be able to turn the QuickLaunch bar on and off. 
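Review bot: The @@ -3759,13 +3717,13 @@ hunk changes the ADMX mapping Name from PowerButtonAction_DisplayName to PowerButtonAction alongside the tip-link edit, which is a content change rather than a formatting one. Confirm that the new value matches the policy name in the ADMX file this mapping table describes, and mention the correction in the commit message, which currently says only "More changes per feedback".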
@@ -3820,7 +3778,7 @@ If you do not configure this policy setting, then users will be able to turn the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -3858,9 +3816,9 @@ If you do not configure this policy setting, then users will be able to turn the -If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. +- If you enable this setting, the "Undock PC" button is removed from the simple Start Menu, and your PC cannot be undocked. -If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. +- If you disable this setting or do not configure it, the "Undock PC" button remains on the simple Start menu, and your PC can be undocked. @@ -3878,7 +3836,7 @@ If you disable this setting or do not configure it, the "Undock PC" button remai > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3918,9 +3876,9 @@ If you disable this setting or do not configure it, the "Undock PC" button remai This policy setting allows the Apps view to be opened by default when the user goes to Start. -If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. +- If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the Apps view and the Start screen. -If you disable or don’t configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. +- If you disable or don't configure this policy setting, the Start screen will appear by default whenever the user goes to Start, and the user will be able to switch between the Apps view and the Start screen. Also, the user will be able to configure this setting. @@ -3938,7 +3896,7 @@ If you disable or don’t configure this policy setting, the Start screen will a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -3978,11 +3936,12 @@ If you disable or don’t configure this policy setting, the Start screen will a This policy setting shows or hides the "Run as different user" command on the Start application bar. -If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality. +- If you enable this setting, users can access the "Run as different user" command from Start for applications which support this functionality. -If you disable this setting or do not configure it, users cannot access the "Run as different user" command from Start for any applications. +- If you disable this setting or do not configure it, users cannot access the "Run as different user" command from Start for any applications. -Note: This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. +> [!NOTE] +> This setting does not prevent users from using other methods, such as the shift right-click menu on application's jumplists in the taskbar to issue the "Run as different user" command. @@ -4000,7 +3959,7 @@ Note: This setting does not prevent users from using other methods, such as the > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -4038,7 +3997,8 @@ Note: This setting does not prevent users from using other methods, such as the -If you enable this setting, the Run command is added to the Start menu. If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. +- If you enable this setting, the Run command is added to the Start menu. +- If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect. @@ -4056,7 +4016,7 @@ If you enable this setting, the Run command is added to the Start menu. If you d > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
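Review bot: In the @@ -4038,7 +3997,8 @@ hunk, the sentence "If the Remove Run link from Start Menu policy is set, the Add the Run command to the Start menu policy has no effect." ends up inside the "disable or do not configure" bullet, although it describes an interaction between two policies rather than the disabled state. Move it to its own paragraph after the list. The two bullets here also lack the blank line between items that the other converted descriptions use.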
@@ -4096,9 +4056,9 @@ If you enable this setting, the Run command is added to the Start menu. If you d This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. -If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key. +- If you enable this policy setting, the Start screen will appear on the display the user is using when they press the Windows logo key. -If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting. +- If you disable or don't configure this policy setting, the Start screen will always appear on the main display when the user presses the Windows logo key. Users will still be able to open Start on other displays by pressing the Start button on that display. Also, the user will be able to configure this setting. @@ -4116,7 +4076,7 @@ If you disable or don't configure this policy setting, the Start screen will alw > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -4156,13 +4116,14 @@ If you disable or don't configure this policy setting, the Start screen will alw This policy setting allows you to removes the "Log Off ``" item from the Start menu and prevents users from restoring it. -If you enable this policy setting, the Log Off `` item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off `` item to the Start Menu. +- If you enable this policy setting, the Log Off `` item does not appear in the Start menu. This policy setting also removes the Display Logoff item from Start Menu Options. As a result, users cannot restore the Log Off `` item to the Start Menu. -If you disable or do not configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. +- If you disable or do not configure this policy setting, users can use the Display Logoff item to add and remove the Log Off item. This policy setting affects the Start menu only. It does not affect the Log Off item on the Windows Security dialog box that appears when you press Ctrl+Alt+Del, and it does not prevent users from using other methods to log off. -Tip: To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. +> [!TIP] +> To add or remove the Log Off item on a computer, click Start, click Settings, click Taskbar and Start Menu, click the Start Menu Options tab and, in the Start Menu Settings box, click Display Logoff. See also: "Remove Logoff" policy setting in User Configuration\Administrative Templates\System\Logon/Logoff. 
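Review bot: The opening context line of this hunk still reads "This policy setting allows you to removes the "Log Off" item", and the paragraph is being edited anyway, so suggest fixing it to "allows you to remove" in the same change. Please also check the empty pair of backticks after "Log Off" in that line and in the first bullet; as rendered here they carry no text, which looks like a placeholder that was dropped.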
@@ -4182,7 +4143,7 @@ See also: "Remove Logoff" policy setting in User Configuration\Administrative Te > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -4203,6 +4164,66 @@ See also: "Remove Logoff" policy setting in User Configuration\Administrative Te + +## StartPinAppsWhenInstalled + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_StartMenu/StartPinAppsWhenInstalled +``` + + + + +This policy setting allows pinning apps to Start by default, when they are included by AppID on the list. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | StartPinAppsWhenInstalled | +| Friendly Name | Pin Apps to Start when installed | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | StartPinAppsWhenInstalled | +| ADMX File Name | StartMenu.admx | + + + + + + + + diff --git a/windows/client-management/mdm/policy-csp-admx-taskbar.md b/windows/client-management/mdm/policy-csp-admx-taskbar.md index 37964f5ea5..ddb5e01490 100644 --- a/windows/client-management/mdm/policy-csp-admx-taskbar.md +++ b/windows/client-management/mdm/policy-csp-admx-taskbar.md @@ -4,7 +4,7 @@ description: Learn more about the ADMX_Taskbar Area in Policy CSP author: vinaypamnani-msft manager: aaroncz ms.author: vinpa -ms.date: 01/04/2023 +ms.date: 01/06/2023 ms.localizationpriority: medium ms.prod: windows-client ms.technology: itpro-manage 
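Review bot: The StartPinAppsWhenInstalled section added at the end of policy-csp-admx-startmenu.md (hunk @@ -4203,6 +4164,66) has a one-sentence description, "This policy setting allows pinning apps to Start by default, when they are included by AppID on the list.", which does not say what enabling, disabling or not configuring the policy does, which list is meant, or how the AppIDs are supplied. The neighbouring policies in this patch all carry enable and disable bullets. Suggest adding them here, or a pointer to where the list format is documented, since Format is chr (string) and an admin has nothing else to build the value from.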
@@ -17,9 +17,7 @@ ms.topic: reference # Policy CSP - ADMX_Taskbar > [!TIP] -> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> This CSP contains ADMX-backed policies which require a special SyncML format to enable or disable. You must specify the data type in the SyncML as <Format>chr</Format>. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). > > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
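Review bot: The context line kept at the end of this TIP still tells readers "there are a variety of online encoders that you can use" to XML-encode the SyncML payload. Since the callout is being rewritten, suggest rewording that line to lead with CDATA or local encoding, so device policy payloads are not pasted into third-party sites. Separately, the merged first line drops the "Enabling a policy" link from the CSP-level TIP; that is fine as long as every per-policy TIP now carries it, which the later hunks appear to do.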
@@ -52,9 +50,9 @@ This policy setting removes Notifications and Action Center from the notificatio The notification area is located at the far right end of the taskbar and includes icons for current notifications and the system clock. -If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they won’t be able to review any notifications they miss. +- If this setting is enabled, Notifications and Action Center is not displayed in the notification area. The user will be able to read notifications when they appear, but they won't be able to review any notifications they miss. -If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar. +- If you disable or do not configure this policy setting, Notification and Security and Maintenance will be displayed on the taskbar. A reboot is required for this policy setting to take effect. @@ -74,7 +72,7 @@ A reboot is required for this policy setting to take effect. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -95,70 +93,6 @@ A reboot is required for this policy setting to take effect. - -## TaskbarNoPinnedList - - -| Scope | Editions | Applicable OS | -|:--|:--|:--| -| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | - - - -```User -./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList -``` - -```Device -./Device/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList -``` - - - - -This policy setting allows you to remove pinned programs from the taskbar. - -If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. - -If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. - - - - - - - -**Description framework properties**: - -| Property name | Property value | -|:--|:--| -| Format | chr (string) | -| Access Type | Add, Delete, Get, Replace | - - - -> [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). - -**ADMX mapping**: - -| Name | Value | -|:--|:--| -| Name | TaskbarNoPinnedList | -| Friendly Name | Remove pinned programs from the Taskbar | -| Location | Computer and User Configuration | -| Path | Start Menu and Taskbar | -| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | -| Registry Value Name | TaskbarNoPinnedList | -| ADMX File Name | Taskbar.admx | - - - - - - - - ## EnableLegacyBalloonNotifications 
@@ -178,11 +112,11 @@ If you disable or do not configure this policy setting, users can pin programs s This policy disables the functionality that converts balloons to toast notifications. -If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. +- If you enable this policy setting, system and application notifications will render as balloons instead of toast notifications. Enable this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications. -If you disable or don’t configure this policy setting, all notifications will appear as toast notifications. +- If you disable or don't configure this policy setting, all notifications will appear as toast notifications. A reboot is required for this policy setting to take effect. @@ -202,7 +136,7 @@ A reboot is required for this policy setting to take effect. > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
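Review bot: In the EnableLegacyBalloonNotifications description (hunk @@ -178,11 +112,11), the unchanged line "Enable this policy setting if a specific app or system component that uses balloon notifications has compatibility issues with toast notifications." is left at top level between the two new bullets, so it splits the list and no longer reads as guidance for the enable case. Suggest indenting it under the first bullet or folding it into that bullet's text.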
@@ -242,9 +176,9 @@ A reboot is required for this policy setting to take effect. This policy setting allows you to remove Security and Maintenance from the system control area. -If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. +- If you enable this policy setting, the Security and Maintenance icon is not displayed in the system notification area. -If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. +- If you disable or do not configure this policy setting, the Security and Maintenance icon is displayed in the system notification area. @@ -262,7 +196,7 @@ If you disable or do not configure this policy setting, the Security and Mainten > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -302,9 +236,9 @@ If you disable or do not configure this policy setting, the Security and Mainten This policy setting allows you to remove the networking icon from the system control area. -If you enable this policy setting, the networking icon is not displayed in the system notification area. +- If you enable this policy setting, the networking icon is not displayed in the system notification area. -If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area. +- If you disable or do not configure this policy setting, the networking icon is displayed in the system notification area. 
@@ -322,7 +256,7 @@ If you disable or do not configure this policy setting, the networking icon is d > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -362,9 +296,9 @@ If you disable or do not configure this policy setting, the networking icon is d This policy setting allows you to remove the battery meter from the system control area. -If you enable this policy setting, the battery meter is not displayed in the system notification area. +- If you enable this policy setting, the battery meter is not displayed in the system notification area. -If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area. +- If you disable or do not configure this policy setting, the battery meter is displayed in the system notification area. @@ -382,13 +316,13 @@ If you disable or do not configure this policy setting, the battery meter is dis > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: | Name | Value | |:--|:--| -| Name | HideSCABattery | +| Name | HideSCAPower | | Friendly Name | Remove the battery meter | | Location | User Configuration | | Path | Start Menu and Taskbar | 
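Review bot: The ADMX mapping Name row in the last hunk here changes from HideSCABattery to HideSCAPower, which is a value change, not a formatting one, and the hunk shows no matching change to any other row while the Friendly Name stays "Remove the battery meter". Please confirm the new name against the ADMX file and the policy's heading and OMA-URI, and mention the correction in the commit message, since "More changes per feedback" gives no reason for it.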
@@ -422,9 +356,9 @@ If you disable or do not configure this policy setting, the battery meter is dis This policy setting allows you to remove the volume control icon from the system control area. -If you enable this policy setting, the volume control icon is not displayed in the system notification area. +- If you enable this policy setting, the volume control icon is not displayed in the system notification area. -If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area. +- If you disable or do not configure this policy setting, the volume control icon is displayed in the system notification area. @@ -442,7 +376,7 @@ If you disable or do not configure this policy setting, the volume control icon > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -482,7 +416,7 @@ If you disable or do not configure this policy setting, the volume control icon This policy setting allows you to turn off feature advertisement balloon notifications. -If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. +- If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. If you disable do not configure this policy setting, feature advertisement balloons are shown. 
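Review bot: In the last hunk here (@@ -482,7 +416,7), only the enable sentence becomes a bullet. The context line after it, "If you disable do not configure this policy setting, feature advertisement balloons are shown.", stays a plain paragraph and is still missing "or". Suggest converting it to a bullet like the other policies in this file and correcting it to "If you disable or do not configure this policy setting".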
@@ -502,7 +436,7 @@ If you disable do not configure this policy setting, feature advertisement ballo > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -542,9 +476,9 @@ If you disable do not configure this policy setting, feature advertisement ballo This policy setting allows you to control pinning the Store app to the Taskbar. -If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login. +- If you enable this policy setting, users cannot pin the Store app to the Taskbar. If the Store app is already pinned to the Taskbar, it will be removed from the Taskbar on next login. -If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar. +- If you disable or do not configure this policy setting, users can pin the Store app to the Taskbar. @@ -562,7 +496,7 @@ If you disable or do not configure this policy setting, users can pin the Store > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -602,9 +536,9 @@ If you disable or do not configure this policy setting, users can pin the Store This policy setting allows you to control pinning items in Jump Lists. -If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. +- If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items pinned to their Jump Lists. Existing items already pinned to their Jump Lists will continue to show. -If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu. +- If you disable or do not configure this policy setting, users can pin files, folders, websites, and other items to a program's Jump List so that the items is always present in this menu. @@ -622,7 +556,7 @@ If you disable or do not configure this policy setting, users can pin files, fol > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -662,9 +596,9 @@ If you disable or do not configure this policy setting, users can pin files, fol This policy setting allows you to control pinning programs to the Taskbar. -If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. +- If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue to show in the Taskbar. However, users cannot unpin these programs already pinned to the Taskbar, and they cannot pin new programs to the Taskbar. -If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. +- If you disable or do not configure this policy setting, users can change the programs currently pinned to the Taskbar. @@ -682,7 +616,7 @@ If you disable or do not configure this policy setting, users can change the pro > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -724,11 +658,12 @@ This policy setting allows you to control displaying or tracking items in Jump L The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other relevant items for that program. This helps users more easily reopen their most important documents and other tasks. -If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. +- If you enable this policy setting, the Start Menu and Taskbar only track the files that the user opens locally on this computer. Files that the user opens over the network from remote computers are not tracked or shown in the Jump Lists. Use this setting to reduce network traffic, particularly over slow network connections. -If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. +- If you disable or do not configure this policy setting, all files that the user opens appear in the menus, including files located remotely on another computer. -Note: This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the ""Do not allow pinning items in Jump Lists"" policy setting. +> [!NOTE] +> This setting does not prevent Windows from displaying remote files that the user has explicitly pinned to the Jump Lists. See the "Do not allow pinning items in Jump Lists" policy setting. 
@@ -746,7 +681,7 @@ Note: This setting does not prevent Windows from displaying remote files that th > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -786,9 +721,9 @@ Note: This setting does not prevent Windows from displaying remote files that th This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. -If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. +- If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still configure icons to be shown or hidden in the Notification Control Panel. -If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. +- If you disable or do not configure this policy setting, newly added notification icons are temporarily promoted to the Taskbar. @@ -806,7 +741,7 @@ If you disable or do not configure this policy setting, newly added notification > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -846,11 +781,11 @@ If you disable or do not configure this policy setting, newly added notification This policy setting allows users to see Windows Store apps on the taskbar. -If you enable this policy setting, users will see Windows Store apps on the taskbar. +- If you enable this policy setting, users will see Windows Store apps on the taskbar. -If you disable this policy setting, users won’t see Windows Store apps on the taskbar. +- If you disable this policy setting, users won't see Windows Store apps on the taskbar. -If you don’t configure this policy setting, the default setting for the user’s device will be used, and the user can choose to change it. +- If you don't configure this policy setting, the default setting for the user's device will be used, and the user can choose to change it. @@ -868,7 +803,7 @@ If you don’t configure this policy setting, the default setting for the user > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -908,9 +843,9 @@ If you don’t configure this policy setting, the default setting for the user This policy setting allows you to lock all taskbar settings. -If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. +- If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. -If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting. +- If you disable or do not configure this policy setting, the user will be able to set any taskbar setting that is not prevented by another policy setting. @@ -928,7 +863,7 @@ If you disable or do not configure this policy setting, the user will be able to > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -968,9 +903,9 @@ If you disable or do not configure this policy setting, the user will be able to This policy setting allows you to prevent users from adding or removing toolbars. -If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. +- If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. -If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar. +- If you disable or do not configure this policy setting, the users and applications are able to add toolbars to the taskbar. @@ -988,7 +923,7 @@ If you disable or do not configure this policy setting, the users and applicatio > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1028,9 +963,9 @@ If you disable or do not configure this policy setting, the users and applicatio This policy setting allows you to prevent users from rearranging toolbars. -If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. +- If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. -If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar. +- If you disable or do not configure this policy setting, users are able to rearrange the toolbars on the taskbar. 
@@ -1048,7 +983,7 @@ If you disable or do not configure this policy setting, users are able to rearra > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1088,9 +1023,9 @@ If you disable or do not configure this policy setting, users are able to rearra This policy setting allows you to prevent taskbars from being displayed on more than one monitor. -If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. +- If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. -If you disable or do not configure this policy setting, users can show taskbars on more than one display. +- If you disable or do not configure this policy setting, users can show taskbars on more than one display. @@ -1108,7 +1043,7 @@ If you disable or do not configure this policy setting, users can show taskbars > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: 
@@ -1148,9 +1083,9 @@ If you disable or do not configure this policy setting, users can show taskbars This policy setting allows you to turn off all notification balloons. -If you enable this policy setting, no notification balloons are shown to the user. +- If you enable this policy setting, no notification balloons are shown to the user. -If you disable or do not configure this policy setting, notification balloons are shown to the user. +- If you disable or do not configure this policy setting, notification balloons are shown to the user. @@ -1168,7 +1103,7 @@ If you disable or do not configure this policy setting, notification balloons ar > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1189,6 +1124,70 @@ If you disable or do not configure this policy setting, notification balloons ar + +## TaskbarNoPinnedList + + +| Scope | Editions | Applicable OS | +|:--|:--|:--| +| :heavy_check_mark: Device
:heavy_check_mark: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later | + + + +```User +./User/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList +``` + +```Device +./Device/Vendor/MSFT/Policy/Config/ADMX_Taskbar/TaskbarNoPinnedList +``` + + + + +This policy setting allows you to remove pinned programs from the taskbar. + +- If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. + +- If you disable or do not configure this policy setting, users can pin programs so that the program shortcuts stay on the Taskbar. + + + + + + + +**Description framework properties**: + +| Property name | Property value | +|:--|:--| +| Format | chr (string) | +| Access Type | Add, Delete, Get, Replace | + + + +> [!TIP] +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). + +**ADMX mapping**: + +| Name | Value | +|:--|:--| +| Name | TaskbarNoPinnedList | +| Friendly Name | Remove pinned programs from the Taskbar | +| Location | Computer and User Configuration | +| Path | Start Menu and Taskbar | +| Registry Key Name | Software\Policies\Microsoft\Windows\Explorer | +| Registry Value Name | TaskbarNoPinnedList | +| ADMX File Name | Taskbar.admx | + + + + + + + + ## TaskbarNoRedock 
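Review bot: the description added for TaskbarNoPinnedList mixes "taskbar" (first sentence) and "Taskbar" (both bullets), while the neighbouring policies in this file use lowercase "taskbar" throughout their descriptions. Lowercase the two bullets and leave the "Friendly Name" row as it is, since that row should match the ADMX string. The second bullet could also be tightened: "users can pin programs so that the program shortcuts stay on the Taskbar" says the same thing twice.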
@@ -1208,9 +1207,9 @@ If you disable or do not configure this policy setting, notification balloons ar This policy setting allows you to prevent users from moving taskbar to another screen dock location. -If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). +- If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). -If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. +- If you disable or do not configure this policy setting, users are able to drag their taskbar to another area of the monitor unless prevented by another policy setting. @@ -1228,7 +1227,7 @@ If you disable or do not configure this policy setting, users are able to drag t > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1268,9 +1267,9 @@ If you disable or do not configure this policy setting, users are able to drag t This policy setting allows you to prevent users from resizing the taskbar. -If you enable this policy setting, users are not be able to resize their taskbar. +- If you enable this policy setting, users are not be able to resize their taskbar. -If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting. +- If you disable or do not configure this policy setting, users are able to resize their taskbar unless prevented by another setting. 
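Review bot: the added "If you enable" bullet for the resize policy (hunk @@ -1268,9 +1267,9 @@) carries over the typo "users are not be able to resize their taskbar" from the removed line. Since the line is being rewritten anyway, change it to "users are not able to resize their taskbar".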
@@ -1288,7 +1287,7 @@ If you disable or do not configure this policy setting, users are able to resize > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: @@ -1328,9 +1327,9 @@ If you disable or do not configure this policy setting, users are able to resize This policy setting allows you to turn off taskbar thumbnails. -If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. +- If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. -If you disable or do not configure this policy setting, the taskbar thumbnails are displayed. +- If you disable or do not configure this policy setting, the taskbar thumbnails are displayed. @@ -1348,7 +1347,7 @@ If you disable or do not configure this policy setting, the taskbar thumbnails a > [!TIP] -> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> This is an ADMX-backed policy and requires SyncML format for configuration. For an example of SyncML format, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). **ADMX mapping**: diff --git a/windows/client-management/mdm/policy-csp-admx-terminalserver.md b/windows/client-management/mdm/policy-csp-admx-terminalserver.md index 47389ccf0a..f0b95d516f 100644 --- a/windows/client-management/mdm/policy-csp-admx-terminalserver.md +++ b/windows/client-management/mdm/policy-csp-admx-terminalserver.md 
@@ -108,9 +108,9 @@ This policy setting lets you control the redirection of video capture devices to By default, Remote Desktop Services allows redirection of video capture devices. -If you enable this policy setting, users cannot redirect their video capture devices to the remote computer. +- If you enable this policy setting, users cannot redirect their video capture devices to the remote computer. -If you disable or do not configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. +- If you disable or do not configure this policy setting, users can redirect their video capture devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the video capture devices to redirect to the remote computer. 
@@ -170,7 +170,7 @@ This policy setting allows you to specify the name of the certificate template t A certificate is needed to authenticate an RD Session Host server when TLS 1.0, 1.1 or 1.2 is used to secure communication between a client and an RD Session Host server during RDP connections. -If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. +- If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. 
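Review bot: only the "If you enable" paragraph becomes a list item here, which leaves a one-item list. The following paragraph ("If no certificate can be found ...") still describes the enabled case but stays at top level, and the "If you disable or do not configure this policy" line, visible as context in the next hunk header, stays unbulleted. Either indent the follow-up paragraph under the bullet and bullet the disable line as well, or leave this policy's description as plain paragraphs.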
@@ -234,9 +234,9 @@ If you disable or do not configure this policy, the certificate template name is This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). -If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. +- If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. +- If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. 
> [!NOTE] > You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. 
@@ -297,9 +297,9 @@ If you disable this policy setting, users cannot run .rdp files that are signed This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority recognized by the client, such as the issuers in the client's Third-Party Root Certification Authorities certificate store. This policy setting also controls whether the user can start an RDP session by using default .rdp settings (for example, when a user directly opens the Remote Desktop Connection [RDC] client without specifying an .rdp file). -If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. +- If you enable or do not configure this policy setting, users can run .rdp files that are signed with a valid certificate. Users can also start an RDP session with default .rdp settings by directly opening the RDC client. When a user starts an RDP session, the user is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. +- If you disable this policy setting, users cannot run .rdp files that are signed with a valid certificate. Additionally, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, the user receives a message that the publisher has been blocked. 
> [!NOTE] > You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, all users on the computer are affected. @@ -360,9 +360,9 @@ If you disable this policy setting, users cannot run .rdp files that are signed This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. -If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. +- If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. +- If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. 
@@ -420,9 +420,9 @@ If you disable this policy setting, users cannot run unsigned .rdp files and .rd This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. -If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. +- If you enable or do not configure this policy setting, users can run unsigned .rdp files and .rdp files from unknown publishers on the client computer. Before a user starts an RDP session, the user receives a warning message and is asked to confirm whether they want to connect. -If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. +- If you disable this policy setting, users cannot run unsigned .rdp files and .rdp files from unknown publishers on the client computer. If the user tries to start an RDP session, the user receives a message that the publisher has been blocked. 
@@ -483,11 +483,11 @@ Users can specify where to play the remote computer's audio output by configurin By default, audio and video playback redirection is not allowed when connecting to a computer running Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Audio and video playback redirection is allowed by default when connecting to a computer running Windows 8, Windows Server 2012, Windows 7, Windows Vista, or Windows XP Professional. -If you enable this policy setting, audio and video playback redirection is allowed. +- If you enable this policy setting, audio and video playback redirection is allowed. -If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. +- If you disable this policy setting, audio and video playback redirection is not allowed, even if audio playback redirection is specified in RDC, or video playback is specified in the .rdp file. -If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level. +- If you do not configure this policy setting audio and video playback redirection is not specified at the Group Policy level. 
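Review bot: the third added bullet reads "If you do not configure this policy setting audio and video playback redirection is not specified"; it needs a comma after "setting", as the matching "do not configure" bullets for the other redirection policies in this file have.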
@@ -548,11 +548,11 @@ Users can specify whether to record audio to the remote computer by configuring By default, audio recording redirection is not allowed when connecting to a computer running Windows Server 2008 R2. Audio recording redirection is allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2. -If you enable this policy setting, audio recording redirection is allowed. +- If you enable this policy setting, audio recording redirection is allowed. -If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. +- If you disable this policy setting, audio recording redirection is not allowed, even if audio recording redirection is specified in RDC. -If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level. +- If you do not configure this policy setting, Audio recording redirection is not specified at the Group Policy level. 
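Review bot: the context paragraph directly above the new bullets names Windows Server 2008 R2 on both sides of the default: redirection "is not allowed when connecting to a computer running Windows Server 2008 R2" and is "allowed by default when connecting to a computer running at least Windows 7, or Windows Server 2008 R2". Please confirm which default applies and fix the sentence in this pass, because it decides what an administrator should expect from a server where audio recording redirection is left unconfigured. In the third added bullet, "Audio" should also be lowercase after the comma.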
@@ -610,13 +610,13 @@ If you do not configure this policy setting, Audio recording redirection is not This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. -If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. +- If you enable this policy setting, you must select one of the following: High, Medium, or Dynamic. If you select High, the audio will be sent without any compression and with minimum latency. This requires a large amount of bandwidth. If you select Medium, the audio will be sent with some compression and with minimum latency as determined by the codec that is being used. If you select Dynamic, the audio will be sent with a level of compression that is determined by the bandwidth of the remote connection. The audio playback quality that you specify on the remote computer by using this policy setting is the maximum quality that can be used for a Remote Desktop Services session, regardless of the audio playback quality configured on the client computer. For example, if the audio playback quality configured on the client computer is higher than the audio playback quality configured on the remote computer, the lower level of audio playback quality will be used. Audio playback quality can be configured on the client computer by using the audioqualitymode setting in a Remote Desktop Protocol (.rdp) file. By default, audio playback quality is set to Dynamic. 
-If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic. +- If you disable or do not configure this policy setting, audio playback quality will be set to Dynamic. @@ -675,11 +675,11 @@ This policy setting specifies whether to prevent the sharing of Clipboard conten You can use this setting to prevent users from redirecting Clipboard data to and from the remote computer and the local computer. By default, Remote Desktop Services allows Clipboard redirection. -If you enable this policy setting, users cannot redirect Clipboard data. +- If you enable this policy setting, users cannot redirect Clipboard data. -If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. +- If you disable this policy setting, Remote Desktop Services always allows Clipboard redirection. -If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. +- If you do not configure this policy setting, Clipboard redirection is not specified at the Group Policy level. 
@@ -739,11 +739,11 @@ This policy setting specifies whether to prevent the redirection of data to clie You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they are logged on to a Remote Desktop Services session. By default, Remote Desktop Services allows this COM port redirection. -If you enable this policy setting, users cannot redirect server data to the local COM port. +- If you enable this policy setting, users cannot redirect server data to the local COM port. -If you disable this policy setting, Remote Desktop Services always allows COM port redirection. +- If you disable this policy setting, Remote Desktop Services always allows COM port redirection. -If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. +- If you do not configure this policy setting, COM port redirection is not specified at the Group Policy level. 
@@ -803,11 +803,11 @@ This policy setting allows you to specify whether the client default printer is By default, Remote Desktop Services automatically designates the client default printer as the default printer in a session on an RD Session Host server. You can use this policy setting to override this behavior. -If you enable this policy setting, the default printer is the printer specified on the remote computer. +- If you enable this policy setting, the default printer is the printer specified on the remote computer. -If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. +- If you disable this policy setting, the RD Session Host server automatically maps the client default printer and sets it as the default printer upon connection. -If you do not configure this policy setting, the default printer is not specified at the Group Policy level. +- If you do not configure this policy setting, the default printer is not specified at the Group Policy level. 
@@ -983,11 +983,11 @@ This policy setting specifies whether to prevent the redirection of data to clie You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Remote Desktop Services allows LPT port redirection. -If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. +- If you enable this policy setting, users in a Remote Desktop Services session cannot redirect server data to the local LPT port. -If you disable this policy setting, LPT port redirection is always allowed. +- If you disable this policy setting, LPT port redirection is always allowed. -If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level. +- If you do not configure this policy setting, LPT port redirection is not specified at the Group Policy level. 
@@ -1047,9 +1047,10 @@ This policy setting lets you control the redirection of supported Plug and Play By default, Remote Desktop Services does not allow redirection of supported Plug and Play and RemoteFX USB devices. -If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. +- If you disable this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. -If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. +- If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. +- If you do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer only if it is running Windows Server 2012 R2 and earlier versions. > [!NOTE] > You can disable redirection of specific types of supported Plug and Play devices by using Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions policy settings. 
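Review bot: in the last added bullet, "only if it is running Windows Server 2012 R2 and earlier versions" has no clear referent for "it" now that the sentence stands as its own list item; name the computer the condition applies to. The bullets are also ordered disable, enable, not configured, unlike the other policies in this patch, and the last two lack the blank line used between bullets elsewhere. Since the context line states that redirection is not allowed by default, listing "enable" (redirection blocked) first would make the relationship to the default easier to read.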
@@ -1112,11 +1113,11 @@ This policy setting allows you to specify whether to prevent the mapping of clie You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. By default, Remote Desktop Services allows this client printer mapping. -If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. +- If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Remote Desktop Services sessions. -If you disable this policy setting, users can redirect print jobs with client printer mapping. +- If you disable this policy setting, users can redirect print jobs with client printer mapping. -If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. +- If you do not configure this policy setting, client printer mapping is not specified at the Group Policy level. 
@@ -1174,9 +1175,9 @@ If you do not configure this policy setting, client printer mapping is not speci This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. +- If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. -If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. +- If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. **Note**: 
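Review bot: the trailing context of this hunk still uses a bold "**Note**:" label, while other policies in the same file use the "> [!NOTE]" alert syntax. Converting it in this pass would keep the file consistent, and the same applies to the second copy of this policy. The note matters for this setting in particular, because the next hunk header shows it covers how list entries that are not thumbprints are handled ("it is ignored"), and an administrator maintaining a trusted-publisher list should not miss that.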
@@ -1241,9 +1242,9 @@ If the list contains a string that is not a certificate thumbprint, it is ignore This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. -If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. +- If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field. -If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. +- If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher. **Note**: @@ -1308,9 +1309,9 @@ If the list contains a string that is not a certificate thumbprint, it is ignore This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. -If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. +- If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. -If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. +- If you disable or do not configure this policy setting, Remote Desktop Protocol traffic will attempt to use both TCP and UDP protocols. 
@@ -1370,9 +1371,9 @@ This policy setting allows you to specify the maximum color resolution (color de You can use this policy setting to set a limit on the color depth of any connection that uses RDP. Limiting the color depth can improve connection performance, particularly over slow links, and reduce server load. -If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. +- If you enable this policy setting, the color depth that you specify is the maximum color depth allowed for a user's RDP connection. The actual color depth for the connection is determined by the color support available on the client computer. If you select Client Compatible, the highest color depth supported by the client will be used. -If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the color depth for connections is not specified at the Group Policy level. **Note**: 
@@ -1444,9 +1445,9 @@ This policy setting allows you to limit the size of the entire roaming user prof > [!NOTE] > If you want to limit the size of an individual user profile, use the "Limit profile size" policy setting located in User Configuration\Policies\Administrative Templates\System\User Profiles. -If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. +- If you enable this policy setting, you must specify a monitoring interval (in minutes) and a maximum size (in gigabytes) for the entire roaming user profile cache. The monitoring interval determines how often the size of the entire roaming user profile cache is checked. When the size of the entire roaming user profile cache exceeds the maximum size that you have specified, the oldest (least recently used) roaming user profiles will be deleted until the size of the entire roaming user profile cache is less than the maximum size specified. -If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. +- If you disable or do not configure this policy setting, no restriction is placed on the size of the entire roaming user profile cache on the local drive. > [!NOTE] > This policy setting is ignored if the "Prevent Roaming Profile changes from propagating to the server" policy setting located in Computer Configuration\Policies\Administrative Templates\System\User Profiles is enabled. 
@@ -1571,11 +1572,11 @@ If the status is set to Not Configured, the default behavior applies. This policy setting enables system administrators to change the graphics rendering for all Remote Desktop Services sessions. -If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. +- If you enable this policy setting, all Remote Desktop Services sessions use the hardware graphics renderer instead of the Microsoft Basic Render Driver as the default adapter. -If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. +- If you disable this policy setting, all Remote Desktop Services sessions use the Microsoft Basic Render Driver as the default adapter. -If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. +- If you do not configure this policy setting, Remote Desktop Services sessions on the RD Session Host server use the Microsoft Basic Render Driver as the default adapter. In all other cases, Remote Desktop Services sessions use the hardware graphics renderer by default. NOTE: The policy setting enables load-balancing of graphics processing units (GPU) on a computer with more than one GPU installed. The GPU configuration of the local session is not affected by this policy setting. 
@@ -1635,9 +1636,9 @@ NOTE: The policy setting enables load-balancing of graphics processing units (GP This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. -If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. +- If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. +- If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. 
If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. > [!NOTE] > If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. 
@@ -1698,9 +1699,9 @@ If you disable this policy setting, the RD Session Host server tries to find a s This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. -If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. +- If you enable or do not configure this policy setting, the RD Session Host server first tries to use the Remote Desktop Easy Print printer driver to install all client printers. If for any reason the Remote Desktop Easy Print printer driver cannot be used, a printer driver on the RD Session Host server that matches the client printer is used. If the RD Session Host server does not have a printer driver that matches the client printer, the client printer is not available for the Remote Desktop session. -If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. +- If you disable this policy setting, the RD Session Host server tries to find a suitable printer driver to install the client printer. 
If the RD Session Host server does not have a printer driver that matches the client printer, the server tries to use the Remote Desktop Easy Print driver to install the client printer. If for any reason the Remote Desktop Easy Print printer driver cannot be used, the client printer is not available for the Remote Desktop Services session. > [!NOTE] > If the "Do not allow client printer redirection" policy setting is enabled, the "Use Remote Desktop Easy Print printer driver first" policy setting is ignored. @@ -1765,11 +1766,11 @@ When deployed on an RD Virtualization Host server, RemoteFX delivers a rich user When deployed on an RD Session Host server, RemoteFX delivers a rich user experience by using a hardware-accelerated compression scheme. -If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. +- If you enable this policy setting, RemoteFX will be used to deliver a rich user experience over LAN connections and RDP 7.1. -If you disable this policy setting, RemoteFX will be disabled. +- If you disable this policy setting, RemoteFX will be disabled. -If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. +- If you do not configure this policy setting, the default behavior will be used. By default, RemoteFX for RD Virtualization Host is enabled and RemoteFX for RD Session Host is disabled. 
@@ -1829,7 +1830,7 @@ This policy setting allows you to specify the RD Session Host server fallback pr By default, the RD Session Host server fallback printer driver is disabled. If the RD Session Host server does not have a printer driver that matches the client's printer, no printer will be available for the Remote Desktop Services session. -If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: +- If you enable this policy setting, the fallback printer driver is enabled, and the default behavior is for the RD Session Host server to find a suitable printer driver. If one is not found, the client's printer is not available. You can choose to change this default behavior. The available options are: "Do nothing if one is not found" - If there is a printer driver mismatch, the server will attempt to find a suitable driver. If one is not found, the client's printer is not available. This is the default behavior. 
@@ -1839,9 +1840,9 @@ If you enable this policy setting, the fallback printer driver is enabled, and t "Show both PCL and PS if one is not found" - If no suitable driver can be found, show both PS and PCL-based fallback printer drivers. -If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. +- If you disable this policy setting, the RD Session Host server fallback driver is disabled and the RD Session Host server will not attempt to use the fallback printer driver. -If you do not configure this policy setting, the fallback printer driver behavior is off by default. +- If you do not configure this policy setting, the fallback printer driver behavior is off by default. > [!NOTE] > If the "Do not allow client printer redirection" setting is enabled, this policy setting is ignored and the fallback printer driver is disabled. @@ -1904,9 +1905,9 @@ This policy setting determines whether an administrator attempting to connect re This policy is useful when the currently connected administrator does not want to be logged off by another administrator. If the connected administrator is logged off, any data not previously saved is lost. -If you enable this policy setting, logging off the connected administrator is not allowed. +- If you enable this policy setting, logging off the connected administrator is not allowed. -If you disable or do not configure this policy setting, logging off the connected administrator is allowed. +- If you disable or do not configure this policy setting, logging off the connected administrator is allowed. > [!NOTE] > The console session is also known as Session 0. Console access can be obtained by using the /console switch from Remote Desktop Connection in the computer field name or from the command line. 
@@ -1969,7 +1970,7 @@ Specifies the authentication method that clients must use when attempting to con To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users can specify an alternate authentication method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify an alternate authentication method, the authentication method that you specify in this policy setting is used by default. -If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. +- If you disable or do not configure this policy setting, the authentication method that is specified by the user is used, if one is specified. If an authentication method is not specified, the Negotiate protocol that is enabled on the client or a smart card can be used for authentication. 
@@ -2024,7 +2025,7 @@ If you disable or do not configure this policy setting, the authentication metho -If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. +- If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway server. In this case, the clients will attempt to connect to the RD Gateway server that is specified in the "Set RD Gateway server address" policy setting. You can enforce this policy setting or you can allow users to overwrite this setting. By default, when you enable this policy setting, it is enforced. When this policy setting is enforced, users cannot override this setting, even if they select the "Use these RD Gateway server settings" option on the client. 
@@ -2033,7 +2034,7 @@ You can enforce this policy setting or you can allow users to overwrite this set To allow users to overwrite this policy setting, select the "Allow users to change this setting" check box. When you do this, users on the client can choose not to connect through the RD Gateway server by selecting the "Do not use an RD Gateway server" option. Users can specify a connection method by configuring settings on the client, using an RDP file, or using an HTML script. If users do not specify a connection method, the connection method that you specify in this policy setting is used by default. -If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. +- If you disable or do not configure this policy setting, clients will not use the RD Gateway server address that is specified in the "Set RD Gateway server address" policy setting. If an RD Gateway server is specified by the user, a client connection attempt will be made through that RD Gateway server. 
@@ -2156,13 +2157,14 @@ This policy setting allows you to specify whether the RD Session Host server sho If the policy setting is enabled, the RD Session Host server joins the farm that is specified in the RD Connection Broker farm name policy setting. The farm exists on the RD Connection Broker server that is specified in the Configure RD Connection Broker server name policy setting. -If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. +- If you disable this policy setting, the server does not join a farm in RD Connection Broker, and user session tracking is not performed. If the policy setting is disabled, you cannot use either the Remote Desktop Session Host Configuration tool or the Remote Desktop Services WMI Provider to join the server to RD Connection Broker. If the policy setting is not configured, the policy setting is not specified at the Group Policy level. **Note**: -1. If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. +1. +- If you enable this policy setting, you must also enable the Configure RD Connection Broker farm name and Configure RD Connection Broker server name policy settings. 2. For Windows Server 2008, this policy setting is supported on at least Windows Server 2008 Standard. 
@@ -2224,9 +2226,9 @@ This policy setting allows you to enter a keep-alive interval to ensure that the After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. -If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. +- If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999,999. -If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state. +- If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state. 
@@ -2286,11 +2288,11 @@ This policy setting allows you to specify the RD Session Host servers to which a You can use this policy setting to control which RD Session Host servers are issued RDS CALs by the Remote Desktop license server. By default, a license server issues an RDS CAL to any RD Session Host server that requests one. -If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. +- If you enable this policy setting and this policy setting is applied to a Remote Desktop license server, the license server will only respond to RDS CAL requests from RD Session Host servers whose computer accounts are a member of the RDS Endpoint Servers group on the license server. By default, the RDS Endpoint Servers group is empty. -If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. +- If you disable or do not configure this policy setting, the Remote Desktop license server issues an RDS CAL to any RD Session Host server that requests one. The RDS Endpoint Servers group is not deleted or changed in any way by disabling or not configuring this policy setting. > [!NOTE] > You should only enable this policy setting when the license server is a member of a domain. You can only add computer accounts for RD Session Host servers to the RDS Endpoint Servers group when the license server is a member of a domain. 
@@ -2351,13 +2353,13 @@ If you disable or do not configure this policy setting, the Remote Desktop licen This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers. -If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: +- If you enable this policy setting, an RD Session Host server first attempts to locate the specified license servers. If the specified license servers cannot be located, the RD Session Host server will attempt automatic license server discovery. In the automatic license server discovery process, an RD Session Host server in a Windows Server-based domain attempts to contact a license server in the following order: 1. Remote Desktop license servers that are published in Active Directory Domain Services. 2. Remote Desktop license servers that are installed on domain controllers in the same domain as the RD Session Host server. -If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level. +- If you disable or do not configure this policy setting, the RD Session Host server does not specify a license server at the Group Policy level. 
@@ -2416,9 +2418,9 @@ This policy setting determines whether notifications are displayed on an RD Sess By default, notifications are displayed on an RD Session Host server after you log on as a local administrator, if there are problems with RD Licensing that affect the RD Session Host server. If applicable, a notification will also be displayed that notes the number of days until the licensing grace period for the RD Session Host server will expire. -If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. +- If you enable this policy setting, these notifications will not be displayed on the RD Session Host server. -If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator. +- If you disable or do not configure this policy setting, these notifications will be displayed on the RD Session Host server after you log on as a local administrator. @@ -2481,9 +2483,9 @@ Per User licensing mode requires that each user account connecting to this RD Se Per Device licensing mode requires that each device connecting to this RD Session Host server have an RDS Per Device CAL issued from an RD Licensing server. -If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. +- If you enable this policy setting, the Remote Desktop licensing mode that you specify is honored by the Remote Desktop license server and RD Session Host. -If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the licensing mode is not specified at the Group Policy level. 
@@ -2606,9 +2608,9 @@ If the status is set to Disabled or Not Configured, limits to the number of conn This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection performance, particularly over slow links, and reduce server load. -If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. +- If you enable this policy setting, you must specify a resolution width and height. The resolution specified will be the maximum resolution that can be used by each monitor used to display a Remote Desktop Services session. -If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. +- If you disable or do not configure this policy setting, the maximum resolution that can be used by each monitor to display a Remote Desktop Services session will be determined by the values specified on the Display Settings tab in the Remote Desktop Session Host Configuration tool. 
@@ -2665,9 +2667,9 @@ If you disable or do not configure this policy setting, the maximum resolution t This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection performance, particularly over slow links, and reduce server load. -If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. +- If you enable this policy setting, you can specify the number of monitors that can be used to display a Remote Desktop Services session. You can specify a number from 1 to 16. -If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the number of monitors that can be used to display a Remote Desktop Services session is not specified at the Group Policy level. 
@@ -2726,9 +2728,9 @@ This policy setting allows you to remove the "Disconnect" option from the Shut D You can use this policy setting to prevent users from using this familiar method to disconnect their client from an RD Session Host server. -If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. +- If you enable this policy setting, "Disconnect" does not appear as an option in the drop-down list in the Shut Down Windows dialog box. -If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. +- If you disable or do not configure this policy setting, "Disconnect" is not removed from the list in the Shut Down Windows dialog box. > [!NOTE] > This policy setting affects only the Shut Down Windows dialog box. It does not prevent users from using other methods to disconnect from a Remote Desktop Services session. This policy setting also does not prevent disconnected sessions at the server. You can control how long a disconnected session remains active on the server by configuring the "Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\RD Session Host\Session Time Limits\Set time limit for disconnected sessions" policy setting. 
@@ -2856,9 +2858,9 @@ By default, if the most appropriate RDS CAL is not available for a connection, a * A client connecting to a Windows Server 2003 terminal server * A client connecting to a Windows 2000 terminal server -If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired. +- If you enable this policy setting, the license server will only issue a temporary RDS CAL to the client if an appropriate RDS CAL for the RD Session Host server is not available. If the client has already been issued a temporary RDS CAL and the temporary RDS CAL has expired, the client will not be able to connect to the RD Session Host server unless the RD Licensing grace period for the RD Session Host server has not expired. -If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier. +- If you disable or do not configure this policy setting, the license server will exhibit the default behavior noted earlier. 
@@ -2916,12 +2918,12 @@ If you disable or do not configure this policy setting, the license server will This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. -If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. +- If you enable this policy setting, a user will be prompted on the client computer instead of on the RD Session Host server to provide credentials for a remote connection to an RD Session Host server. If saved credentials for the user are available on the client computer, the user will not be prompted to provide credentials. > [!NOTE] > If you enable this policy setting in releases of Windows Server 2008 R2 with SP1 or Windows Server 2008 R2, and a user is prompted on both the client computer and on the RD Session Host server to provide credentials, clear the Always prompt for password check box on the Log on Settings tab in Remote Desktop Session Host Configuration. -If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. 
+- If you disable or do not configure this policy setting, the version of the operating system on the RD Session Host server will determine when a user is prompted to provide credentials for a remote connection to an RD Session Host server. For Windows Server 2003 and Windows 2000 Server a user will be prompted on the terminal server to provide credentials for a remote connection. For Windows Server 2008 and Windows Server 2008 R2, a user will be prompted on the client computer to provide credentials for a remote connection. @@ -2981,9 +2983,9 @@ This policy setting specifies the default connection URL for RemoteApp and Deskt The default connection URL must be configured in the form of . -If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. +- If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user's default logon credentials are used when setting up the default connection URL. -If you disable or do not configure this policy setting, the user has no default connection URL. +- If you disable or do not configure this policy setting, the user has no default connection URL. > [!NOTE] > RemoteApp programs that are installed through RemoteApp and Desktop Connections from an untrusted server can compromise the security of a user's account. 
@@ -3045,9 +3047,9 @@ This policy setting allows you to specify whether the app registration is comple By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the background. However, some apps may not work until app registration is complete. -If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. +- If you enable this policy setting, user sign-in is blocked for up to 6 minutes to complete the app registration. You can use this policy setting when customizing the Start screen on Remote Desktop Session Host servers. -If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. +- If you disable or do not configure this policy setting, the Start screen is shown and apps are registered in the background. @@ -3103,7 +3105,7 @@ If you disable or do not configure this policy setting, the Start screen is show -If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: +- If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. 
@@ -3113,7 +3115,7 @@ If you enable this policy setting, administrators can interact with a user's Rem 5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. -If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. +- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. @@ -3168,7 +3170,7 @@ If you disable this policy setting, administrators can interact with a user's Re -If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: +- If you enable this policy setting, administrators can interact with a user's Remote Desktop Services session based on the option selected. Select the desired level of control and permission from the options list: 1. No remote control allowed: Disallows an administrator to use remote control or view a remote user session. 2. Full Control with user's permission: Allows the administrator to interact with the session, with the user's consent. @@ -3178,7 +3180,7 @@ If you enable this policy setting, administrators can interact with a user's Rem 5. View Session without user's permission: Allows the administrator to watch the session of a remote user without the user's consent. -If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. +- If you disable this policy setting, administrators can interact with a user's Remote Desktop Services session, with the user's consent. 
@@ -3239,7 +3241,8 @@ Depending on the requirements of your users, you can reduce network bandwidth us If you have a higher than average bandwidth network, you can maximize the utilization of bandwidth by selecting the highest setting for screen capture rate and the highest setting for image quality. -By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). +By default, Remote Desktop Connection sessions that use RemoteFX are optimized for a balanced experience over LAN conditions. +- If you disable or do not configure this policy setting, Remote Desktop Connection sessions that use RemoteFX will be the same as if the medium screen capture rate and the medium image compression settings were selected (the default behavior). @@ -3298,9 +3301,9 @@ This policy setting allows you to specify the name of a farm to join in RD Conne If you specify a new farm name, a new farm is created in RD Connection Broker. If you specify an existing farm name, the server joins that farm in RD Connection Broker. -If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. +- If you enable this policy setting, you must specify the name of a farm in RD Connection Broker. -If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the farm name is not specified at the Group Policy level. **Note**: 
@@ -3363,11 +3366,11 @@ If you disable or do not configure this policy setting, the farm name is not spe This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to use RD Connection Broker and not to the RD Connection Broker server. -If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. +- If you enable this policy setting, a Remote Desktop Services client queries the RD Connection Broker server and is redirected to their existing session by using the IP address of the RD Session Host server where their session exists. To use this redirection method, client computers must be able to connect directly by IP address to RD Session Host servers in the farm. -If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. +- If you disable this policy setting, the IP address of the RD Session Host server is not sent to the client. Instead, the IP address is embedded in a token. 
When a client reconnects to the load balancer, the routing token is used to redirect the client to their existing session on the correct RD Session Host server in the farm. Only disable this setting when your network load-balancing solution supports the use of RD Connection Broker routing tokens and you do not want clients to directly connect by IP address to RD Session Host servers in the load-balanced farm. -If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. +- If you do not configure this policy setting, the Use IP address redirection policy setting is not enforced at the group Group policy Policy level and the default will be used. This setting is enabled by default. **Note**: 
@@ -3429,9 +3432,9 @@ If you do not configure this policy setting, the Use IP address redirection poli This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Remote Desktop Connection Broker service. All RD Session Host servers in a load-balanced farm should use the same RD Connection Broker server. -If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. +- If you enable this policy setting, you must specify the RD Connection Broker server by using its fully qualified domain name (FQDN). In Windows Server 2012, for a high availability setup with multiple RD Connection Broker servers, you must provide a semi-colon separated list of the FQDNs of all the RD Connection Broker servers. -If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the policy setting is not specified at the Group Policy level. **Note**: 
@@ -3496,7 +3499,7 @@ If you disable or do not configure this policy setting, the policy setting is no This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. -If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available: +- If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available: * Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated. Native RDP encryption (as opposed to SSL encryption) is not recommended. @@ -3504,7 +3507,7 @@ If you enable this policy setting, all communications between clients and RD Ses * SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails. This is the recommended setting for this policy. -If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. +- If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level. 
@@ -3569,7 +3572,7 @@ If you disable Continuous Network Detect, Remote Desktop Protocol will not try t If you disable Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at the connect time; instead it will assume that all traffic to this server originates from a low-speed connection, and it will not try to adapt the user experience to varying network quality. -If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. +- If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt the user experience to varying network quality. @@ -3626,7 +3629,7 @@ If you disable or do not configure this policy setting, Remote Desktop Protocol This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. -If you enable this policy setting, you must specify if you would like RDP to use UDP. +- If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: "Use both UDP and TCP", "Use only TCP" or "Use either UDP or TCP (default)" @@ -3634,7 +3637,7 @@ If you select "Use either UDP or TCP" and the UDP connection is successful, most If the UDP connection is not successful or if you select "Use only TCP," all of the RDP traffic will use TCP. -If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. +- If you disable or do not configure this policy setting, RDP will choose the optimal protocols for delivering the best user experience. 
@@ -3691,9 +3694,9 @@ If you disable or do not configure this policy setting, RDP will choose the opti This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote desktop sessions. -If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. +- If you enable or do not configure this policy setting, RemoteApp programs published from this RD Session Host server will use these advanced graphics. -If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. +- If you disable this policy setting, RemoteApp programs published from this RD Session Host server will not use these advanced graphics. You may want to choose this option if you discover that applications published as RemoteApp programs do not support these advanced graphics. @@ -3751,7 +3754,7 @@ If you disable this policy setting, RemoteApp programs published from this RD Se This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. -If you enable this policy setting, you must specify one of the following settings: +- If you enable this policy setting, you must specify one of the following settings: Always connect, even if authentication fails: The client connects to the RD Session Host server even if the client cannot authenticate the RD Session Host server. 
@@ -3759,7 +3762,7 @@ Warn me if authentication fails: The client attempts to authenticate the RD Sess Do not connect if authentication fails: The client establishes a connection to the RD Session Host server only if the RD Session Host server can be authenticated. -If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. +- If you disable or do not configure this policy setting, the authentication setting that is specified in Remote Desktop Connection or in the .rdp file determines whether the client establishes a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. 
@@ -3930,11 +3933,11 @@ This policy setting allows you to specify which Remote Desktop Protocol (RDP) co By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. -If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. +- If you enable this policy setting, you can specify which RDP compression algorithm to use. If you select the algorithm that is optimized to use less memory, this option is less memory-intensive, but uses more network bandwidth. If you select the algorithm that is optimized to use less network bandwidth, this option uses less network bandwidth, but is more memory-intensive. Additionally, a third option is available that balances memory usage and network bandwidth. In Windows 8 only the compression algorithm that balances memory usage and bandwidth is used. You can also choose not to use an RDP compression algorithm. Choosing not to use an RDP compression algorithm will use more network bandwidth and is only recommended if you are using a hardware device that is designed to optimize network traffic. Even if you choose not to use an RDP compression algorithm, some graphics data will still be compressed. -If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. +- If you disable or do not configure this policy setting, the default RDP compression algorithm will be used. 
@@ -3990,11 +3993,11 @@ If you disable or do not configure this policy setting, the default RDP compress This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality that is delivered. -If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. -If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. This mode provides better graphics quality than low quality and uses less bandwidth than high quality. -If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. -If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. -If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. +- If you enable this policy setting and set quality to Low, RemoteFX Adaptive Graphics uses an encoding mechanism that results in low quality images. This mode consumes the lowest amount of network bandwidth of the quality modes. +- If you enable this policy setting and set quality to Medium, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. 
This mode provides better graphics quality than low quality and uses less bandwidth than high quality. +- If you enable this policy setting and set quality to High, RemoteFX Adaptive Graphics uses an encoding mechanism that results in high quality images and consumes moderate network bandwidth. +- If you enable this policy setting and set quality to Lossless, RemoteFX Adaptive Graphics uses lossless encoding. In this mode, the color integrity of the graphics data is not impacted. However, this setting results in a significant increase in network bandwidth consumption. We recommend that you set this for very specific cases only. +- If you disable or do not configure this policy setting, RemoteFX Adaptive Graphics uses an encoding mechanism that results in medium quality images. 
@@ -4049,7 +4052,9 @@ If you disable or do not configure this policy setting, RemoteFX Adaptive Graphi -This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. +This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed for Windows Server 2008 R2 SP1. These clients only support the Windows Server 2008 R2 SP1 RemoteFX Codec. +- If you enable this policy setting, users' sessions on this server will only use the Windows Server 2008 R2 SP1 RemoteFX Codec for encoding. This mode is compatible with thin client devices that only support the Windows Server 2008 R2 SP1 RemoteFX Codec. +- If you disable or do not configure this policy setting, non-Windows thin clients that only support the Windows Server 2008 R2 SP1 RemoteFX Codec will not be able to connect to this server. This policy setting applies only to clients that are using Remote Desktop Protocol (RDP) 7.1, and does not affect clients that are using other RDP versions. 
@@ -4107,14 +4112,14 @@ This policy setting allows you to configure graphics encoding to use the RemoteF This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available nework bandwidth. -If you enable this policy setting, the RemoteFX experience could be set to one of the following options: +- If you enable this policy setting, the RemoteFX experience could be set to one of the following options: 1. Let the system choose the experience for the network condition 2. Optimize for server scalability 3. Optimize for minimum bandwidth usage -If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." +- If you disable or do not configure this policy setting, the RemoteFX experience will change dynamically based on the network condition." @@ -4173,9 +4178,9 @@ This policy setting allows you to specify the visual experience that remote user By default, Remote Desktop Services sessions are optimized for rich multimedia, such as applications that use Silverlight or Windows Presentation Foundation. -If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. +- If you enable this policy setting, you must select the visual experience for which you want to optimize Remote Desktop Services sessions. You can select either Rich multimedia or Text. -If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. +- If you disable or do not configure this policy setting, Remote Desktop Services sessions are optimized for rich multimedia. 
@@ -4232,9 +4237,9 @@ If you disable or do not configure this policy setting, Remote Desktop Services This policy setting lets you enable WDDM graphics display driver for Remote Desktop Connections. -If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. +- If you enable or do not configure this policy setting, Remote Desktop Connections will use WDDM graphics display driver. -If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. +- If you disable this policy setting, Remote Desktop Connections will NOT use WDDM graphics display driver. In this case, the Remote Desktop Connections will use XDDM graphics display driver. For this change to take effect, you must restart Windows. 
@@ -4298,11 +4303,11 @@ You can use this setting to direct Remote Desktop Services to end a session (tha Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. -If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. +- If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. -If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. +- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. -If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. +- If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. > [!NOTE] > This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. 
@@ -4367,11 +4372,11 @@ You can use this setting to direct Remote Desktop Services to end a session (tha Time limits are set locally by the server administrator or by using Group Policy. See the policy settings Set time limit for active Remote Desktop Services sessions and Set time limit for active but idle Remote Desktop Services sessions policy settings. -If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. +- If you enable this policy setting, Remote Desktop Services ends any session that reaches its time-out limit. -If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. +- If you disable this policy setting, Remote Desktop Services always disconnects a timed-out session, even if specified otherwise by the server administrator. -If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. +- If you do not configure this policy setting, Remote Desktop Services disconnects a timed-out session, unless specified otherwise in local settings. > [!NOTE] > This policy setting only applies to time-out limits that are explicitly set by the administrator. This policy setting does not apply to time-out events that occur due to connectivity or network conditions. This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting takes precedence. 
@@ -4436,9 +4441,9 @@ You can use this policy setting to specify the maximum amount of time that a dis When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. -If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. +- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. > [!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. 
@@ -4502,9 +4507,9 @@ You can use this policy setting to specify the maximum amount of time that a dis When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. By default, these disconnected sessions are maintained for an unlimited time on the server. -If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. +- If you enable this policy setting, disconnected sessions are deleted from the server after the specified amount of time. To enforce the default behavior that disconnected sessions are maintained for an unlimited time, select Never. If you have a console session, disconnected session time limits do not apply. -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. Be y default, Remote Desktop Services disconnected sessions are maintained for an unlimited amount of time. > [!NOTE] > This policy setting appears in both Computer Configuration and User Configuration. If both policy settings are configured, the Computer Configuration policy setting takes precedence. 
@@ -4564,9 +4569,9 @@ If you disable or do not configure this policy setting, this policy setting is n This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. -If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. -If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. +- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. 
@@ -4628,9 +4633,9 @@ If you want Remote Desktop Services to end instead of disconnect a session when This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. -If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Idle session limit list. Remote Desktop Services will automatically disconnect active but idle sessions after the specified amount of time. The user receives a warning two minutes before the session disconnects, which allows the user to press a key or move the mouse to keep the session active. If you have a console session, idle session time limits do not apply. -If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. +- If you disable or do not configure this policy setting, the time limit is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active but idle for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. 
@@ -4692,9 +4697,9 @@ If you want Remote Desktop Services to end instead of disconnect a session when This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. -If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. 
@@ -4756,9 +4761,9 @@ If you want Remote Desktop Services to end instead of disconnect a session when This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. -If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. +- If you enable this policy setting, you must select the desired time limit in the Active session limit list. Remote Desktop Services will automatically disconnect active sessions after the specified amount of time. The user receives a warning two minutes before the Remote Desktop Services session disconnects, which allows the user to save open files and close programs. If you have a console session, active session time limits do not apply. -If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. +- If you disable or do not configure this policy setting, this policy setting is not specified at the Group Policy level. By default, Remote Desktop Services allows sessions to remain active for an unlimited amount of time. If you want Remote Desktop Services to end instead of disconnect a session when the time limit is reached, you can configure the policy setting Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits\End session when time limits are reached. 
@@ -4820,11 +4825,11 @@ If you want Remote Desktop Services to end instead of disconnect a session when This policy setting allows you to restrict users to a single Remote Desktop Services session. -If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. +- If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. -If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. +- If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. -If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. +- If you do not configure this policy setting, this policy setting is not specified at the Group Policy level. 
@@ -4882,9 +4887,9 @@ If you do not configure this policy setting, this policy setting is not specifie This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. -If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. +- If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. -If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. +- If you disable or do not configure this policy setting, smart card device redirection is allowed. By default, Remote Desktop Services automatically redirects smart card devices on connection. > [!NOTE] > The client computer must be running at least Microsoft Windows 2000 Server or at least Microsoft Windows XP Professional and the target server must be joined to a domain. 
@@ -5084,11 +5089,11 @@ This policy setting specifies whether Remote Desktop Services retains a user's p You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remote Desktop Services deletes a user's temporary folders when the user logs off. -If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session. +- If you enable this policy setting, a user's per-session temporary folders are retained when the user logs off from a session. -If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise. +- If you disable this policy setting, temporary folders are deleted when a user logs off, even if the server administrator specifies otherwise. -If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. +- If you do not configure this policy setting, Remote Desktop Services deletes the temporary folders from the remote computer at logoff, unless specified otherwise by the server administrator. > [!NOTE] > This setting only takes effect if per-session temporary folders are in use on the server. If you enable the Do not use temporary folders per session policy setting, this policy setting has no effect. 
@@ -5151,11 +5156,11 @@ This policy setting allows you to prevent Remote Desktop Services from creating You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remote Desktop Services creates a separate temporary folder for each active session that a user maintains on a remote computer. These temporary folders are created on the remote computer in a Temp folder under the user's profile folder and are named with the sessionid. -If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. +- If you enable this policy setting, per-session temporary folders are not created. Instead, a user's temporary files for all sessions on the remote computer are stored in a common Temp folder under the user's profile folder on the remote computer. -If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. +- If you disable this policy setting, per-session temporary folders are always created, even if the server administrator specifies otherwise. -If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. +- If you do not configure this policy setting, per-session temporary folders are created unless the server administrator specifies otherwise. 
@@ -5213,9 +5218,9 @@ If you do not configure this policy setting, per-session temporary folders are c This policy setting determines whether the client computer redirects its time zone settings to the Remote Desktop Services session. -If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). +- If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The server base time is then used to calculate the current session time (current session time = server base time + client time zone). -If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. +- If you disable or do not configure this policy setting, the client computer does not redirect its time zone information and the session time zone is the same as the server time zone. > [!NOTE] > Time zone redirection is possible only when connecting to at least a Microsoft Windows Server 2003 terminal server with a client using RDP 5.1 and later. 
@@ -5278,9 +5283,9 @@ This policy setting specifies whether to disable the administrator rights to cus You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. -If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. +- If you enable this policy setting the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. -If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. +- If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. > [!NOTE] > The preferred method of managing user access is by adding a user to the Remote Desktop Users group. 
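Review bot: The added line "- If you enable this policy setting the default security descriptors for existing groups ..." is missing the comma after "setting", unlike every other "If you enable this policy setting," bullet in this patch. The line is being rewritten anyway, so add the comma here, so that the enabled state (all security descriptors read-only) reads the same way as the rest of the file.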
@@ -5341,9 +5346,9 @@ If you disable or do not configure this policy setting, server administrators ha This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initial program is already specified in the default user profile, Remote Desktop Connection, Remote Desktop Services client, or through Group Policy. -If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. +- If you enable this policy setting, the desktop is always displayed when a client connects to a remote computer. This policy setting overrides any initial program policy settings. -If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. +- If you disable or do not configure this policy setting, an initial program can be specified that runs on the remote computer after the client connects to the remote computer. If an initial program is not specified, the desktop is always displayed on the remote computer after the client connects to the remote computer. > [!NOTE] > If this policy setting is enabled, then the "Start a program on connection" policy setting is ignored. 
@@ -5410,7 +5415,7 @@ Remote Desktop sessions don't currently support UI Automation redirection. If you enable or don't configure this policy setting, any UI Automation clients on your local computer can interact with remote apps. For example, you can use your local computer's Narrator and Magnifier clients to interact with UI on a web page you opened in a remote session. -If you disable this policy setting, UI Automation clients running on your local computer can't interact with remote apps. +- If you disable this policy setting, UI Automation clients running on your local computer can't interact with remote apps. @@ -5468,9 +5473,9 @@ If you disable this policy setting, UI Automation clients running on your local This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. -If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. +- If you enable this policy setting, you can choose to give the ability to redirect other supported RemoteFX USB devices over RDP to all users or only to users who are in the Administrators group on the computer. -If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. +- If you disable or do not configure this policy setting, other supported RemoteFX USB devices are not available for RDP redirection by using any user account. For this change to take effect, you must restart Windows. 
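Review bot: In the UI Automation hunk (-5410), only "If you disable this policy setting, ..." gains a bullet, while the context line directly above it, "If you enable or don't configure this policy setting, ...", stays a plain paragraph. That leaves a one-item list and no longer shows the two sentences as paired states. Bullet both or neither. The same hunk also keeps "don't" and "can't" where the other policies in this file use "do not", so pick one form if the wording is being normalized in this pass.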
@@ -5529,13 +5534,13 @@ For this change to take effect, you must restart Windows. This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. -If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. +- If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase Network Level Authentication supported. -If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. +- If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. -If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. +- If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. > [!IMPORTANT] > Disabling this policy setting provides less security because user authentication will occur later in the remote connection process. 
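Review bot: The unchanged paragraph "To determine whether a client computer supports Network Level Authentication, ..." now sits unindented between the "If you enable" and "If you disable" bullets, so Markdown ends the list there and the three states render as two separate lists. Indent that paragraph under the enable bullet or move it below the last bullet, so that the disabled state stays visibly part of the same set of options as the enabled one. That matters here because the [!IMPORTANT] block says disabling is the less secure choice.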
@@ -5662,9 +5667,9 @@ If the status is set to Disabled or Not Configured, the user's home directory is This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server. -If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. +- If you enable this policy setting, Remote Desktop Services uses the path specified in the "Set path for Remote Desktop Services Roaming User Profile" policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile. -If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. +- If you disable or do not configure this policy setting, mandatory user profiles are not used by users connecting remotely to the RD Session Host server. **Note**: 
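Review bot: The trailing context of this hunk still uses a bare "**Note**:" label, while other hunks in this file (for example the smart card and temporary folder policies) use the "> [!NOTE]" alert syntax. Since the surrounding lines are being reformatted in this change, convert this note to the alert form as well so it renders consistently.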
@@ -5728,11 +5733,11 @@ This policy setting allows you to specify the network path that Remote Desktop S By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this policy setting to specify a network share where user profiles can be centrally stored, allowing a user to access the same profile for sessions on all RD Session Host servers that are configured to use the network share for user profiles. -If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. +- If you enable this policy setting, Remote Desktop Services uses the specified path as the root directory for all user profiles. The profiles are contained in subfolders named for the account name of each user. To configure this policy setting, type the path to the network share in the form of \\Computername\Sharename. Do not specify a placeholder for the user account name, because Remote Desktop Services automatically adds this when the user logs on and the profile is created. If the specified network share does not exist, Remote Desktop Services displays an error message on the RD Session Host server and will store the user profiles locally on the RD Session Host server. -If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. +- If you disable or do not configure this policy setting, user profiles are stored locally on the RD Session Host server. You can configure a user's profile path on the Remote Desktop Services Profile tab on the user's account Properties dialog box. **Note**:
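Review bot: The context paragraph "To configure this policy setting, type the path to the network share ..." is left unindented between the new "If you enable" and "If you disable or do not configure" bullets, which splits them into two lists when rendered. Indent it under the enable bullet or move it after the list. While there, check how \\Computername\Sharename renders: outside code formatting Markdown treats the doubled backslash as an escape, so the UNC prefix may show as a single backslash. Wrapping the path in backticks avoids that.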