Acrolinx enhancement effort

Siddarth Mandalika 2022-03-07 18:21:24 +05:30
parent 9e11bd7031
commit 4cd8dd50a3
15 changed files with 230 additions and 230 deletions

@ -132,7 +132,7 @@ manager: dansimp
<!--Description-->
Disables the Display Control Panel.
If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action.
If you enable this setting, the Display Control Panel doesn't run. When users try to start Display, a message appears explaining that a setting prevents the action.
Also, see the "Prohibit access to the Control Panel" (User Configuration\Administrative Templates\Control Panel) and "Remove programs on Settings menu" (User Configuration\Administrative Templates\Start Menu & Taskbar) settings.
@ -222,9 +222,9 @@ ADMX Info:
<!--Description-->
This setting forces the theme color scheme to be the default color scheme.
If you enable this setting, a user cannot change the color scheme of the current desktop theme.
If you enable this setting, a user can't change the color scheme of the current desktop theme.
If you disable or do not configure this setting, a user may change the color scheme of the current desktop theme.
If you disable or don't configure this setting, a user may change the color scheme of the current desktop theme.
For Windows 7 and later, use the "Prevent changing color and appearance" setting.
@ -269,12 +269,12 @@ ADMX Info:
<!--Description-->
This setting disables the theme gallery in the Personalization Control Panel.
If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off).
If you enable this setting, users can't change or save a theme. Elements of a theme such as the desktop background, color, sounds, and screen saver can still be changed (unless policies are set to turn them off).
If you disable or do not configure this setting, there is no effect.
If you disable or don't configure this setting, there's no effect.
> [!NOTE]
> If you enable this setting but do not specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default.
> If you enable this setting but don't specify a theme using the "load a specific theme" setting, the theme defaults to whatever the user previously set or the system default.
<!--/Description-->
@ -362,9 +362,9 @@ ADMX Info:
<!--Description-->
Enables desktop screen savers.
If you disable this setting, screen savers do not run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users cannot change the screen saver options.
If you disable this setting, screen savers don't run. Also, this setting disables the Screen Saver section of the Screen Saver dialog in the Personalization or Display Control Panel. As a result, users can't change the screen saver options.
If you do not configure it, this setting has no effect on the system.
If you don't configure it, this setting has no effect on the system.
If you enable it, a screen saver runs, provided the following two conditions hold: First, a valid screen saver on the client is specified through the "Screen Saver executable name" setting or through Control Panel on the client computer. Second, the screen saver timeout is set to a nonzero value through the setting or Control Panel.
@ -409,13 +409,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This setting allows you to force a specific default lock screen and logon image by entering the path (location) of the image file. The same image will be used for both the lock and logon screens.
This setting allows you to force a specific default lock screen and sign-in image by entering the path (location) of the image file. The same image will be used for both the lock and sign-in screens.
This setting lets you specify the default lock screen and logon image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image).
This setting lets you specify the default lock screen and sign-in image shown when no user is signed in, and also sets the specified image as the default for all users (it replaces the inbox default image).
To use this setting, type the fully qualified path and name of the file that stores the default lock screen and logon image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`.
To use this setting, type the fully qualified path and name of the file that stores the default lock screen and sign-in image. You can type a local path, such as C:\Windows\Web\Screen\img104.jpg or a UNC path, such as `\\Server\Share\Corp.jpg`.
This can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and logon image to be shown.
This setting can be used in conjunction with the "Prevent changing lock screen and logon image" setting to always force the specified lock screen and sign-in image to be shown.
Note: This setting only applies to Enterprise, Education, and Server SKUs.
@ -463,7 +463,7 @@ Prevents users from changing the size of the font in the windows and buttons dis
If this setting is enabled, the "Font size" drop-down list on the Appearance tab in Display Properties is disabled.
If you disable or do not configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab.
If you disable or don't configure this setting, a user may change the font size using the "Font size" drop-down list on the Appearance tab.
<!--/Description-->
@ -504,11 +504,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents users from changing the background image shown when the machine is locked or when on the logon screen.
Prevents users from changing the background image shown when the machine is locked or when on the sign-in screen.
By default, users can change the background image shown when the machine is locked or displaying the logon screen.
By default, users can change the background image shown when the machine is locked or displaying the sign-in screen.
If you enable this setting, the user will not be able to change their lock screen and logon image, and they will instead see the default image.
If you enable this setting, the user won't be able to change their lock screen and sign-in image, and they'll instead see the default image.
<!--/Description-->
@ -553,7 +553,7 @@ Prevents users from changing the look of their start menu background, such as it
By default, users can change the look of their start menu background, such as its color or accent.
If you enable this setting, the user will be assigned the default start menu background and colors and will not be allowed to change them.
If you enable this setting, the user will be assigned the default start menu background and colors and won't be allowed to change them.
If the "Force a specific background and accent color" policy is also set on a supported version of Windows, then those colors take precedence over this policy.
@ -598,13 +598,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available.
Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature isn't available.
This setting prevents users from using Control Panel to change the window border and taskbar color (on Windows 8), glass color (on Windows Vista and Windows 7), system colors, or color scheme of the desktop and windows.
If this setting is disabled or not configured, the Color (or Window Color) page or Color Scheme dialog is available in the Personalization or Display Control Panel.
For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the in Display in Control Panel.
For systems prior to Windows Vista, this setting hides the Appearance and Themes tabs in the Display in Control Panel.
<!--/Description-->
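Review bot: The corrected last sentence of this description still reads awkwardly: "hides the Appearance and Themes tabs in the Display in Control Panel" removes the doubled "in the in" but leaves "the Display in Control Panel", while the first paragraph of the same hunk calls it "the Display Control Panel". Suggest "hides the Appearance and Themes tabs in the Display Control Panel" so both sentences name the applet the same way.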
@ -745,9 +745,9 @@ ADMX Info:
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. This policy setting controls whether the lock screen appears for users.
If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
If you enable this policy setting, users that aren't required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC.
If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse.
If you disable or don't configure this policy setting, users that aren't required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse.
<!--/Description-->
@ -835,7 +835,7 @@ ADMX Info:
<!--Description-->
Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel.
This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running.
This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It doesn't prevent a screen saver from running.
<!--/Description-->
@ -925,7 +925,7 @@ Forces Windows to use the specified colors for the background and accent. The co
By default, users can change the background and accent colors.
If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users cannot change those colors. This setting will not be applied if the specified colors do not meet a contrast ratio of 2:1 with white text.
If this setting is enabled, the background and accent colors of Windows will be set to the specified colors and users can't change those colors. This setting won't be applied if the specified colors don't meet a contrast ratio of 2:1 with white text.
<!--/Description-->
@ -968,11 +968,11 @@ ADMX Info:
<!--Description-->
Determines whether screen savers used on the computer are password protected.
If you enable this setting, all screen savers are password protected. If you disable this setting, password protection cannot be set on any screen saver.
If you enable this setting, all screen savers are password protected. If you disable this setting, password protection can't be set on any screen saver.
This setting also disables the "Password protected" checkbox on the Screen Saver dialog in the Personalization or Display Control Panel, preventing users from changing the password protection setting.
If you do not configure this setting, users can choose whether or not to set password protection on each screen saver.
If you don't configure this setting, users can choose whether or not to set password protection on each screen saver.
To ensure that a computer will be password protected, enable the "Enable Screen Saver" setting and specify a timeout via the "Screen Saver timeout" setting.
@ -1020,7 +1020,7 @@ ADMX Info:
<!--Description-->
Specifies how much user idle time must elapse before the screen saver is launched.
When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver will not be started.
When configured, this idle time can be set from a minimum of 1 second to a maximum of 86,400 seconds, or 24 hours. If set to zero, the screen saver won't be started.
This setting has no effect under any of the following circumstances:
@ -1030,7 +1030,7 @@ This setting has no effect under any of the following circumstances:
- The "Enable Screen Saver" setting is disabled.
- Neither the "Screen saver executable name" setting nor the Screen Saver dialog of the client computer's Personalization or Display Control Panel specifies a valid existing screen saver program on the client.
- The "Screen saver executable name" setting and the Screen Saver dialog of the client computer's Personalization or Display Control Panel don't specify a valid existing screen saver program on the client.
When not configured, whatever wait time is set on the client through the Screen Saver dialog in the Personalization or Display Control Panel is used. The default is 15 minutes.
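Review bot: The reworded last bullet changes the logic of the condition. "Neither the ... setting nor the Screen Saver dialog ... specifies a valid existing screen saver program" means both sources fail, but "The ... setting and the Screen Saver dialog ... don't specify" can also be read as "they don't both specify", which would make the timeout ineffective even when one of them names a valid screen saver. The original sentence contains no "do not" to contract, so keep the "Neither ... nor ... specifies" wording.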
@ -1077,14 +1077,14 @@ Specifies the screen saver for the user's desktop.
If you enable this setting, the system displays the specified screen saver on the user's desktop. Also, this setting disables the drop-down list of screen savers in the Screen Saver dialog in the Personalization or Display Control Panel, which prevents users from changing the screen saver.
If you disable this setting or do not configure it, users can select any screen saver.
If you disable this setting or don't configure it, users can select any screen saver.
If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file is not in the %Systemroot%\System32 directory, type the fully qualified path to the file.
If you enable this setting, type the name of the file that contains the screen saver, including the .scr file name extension. If the screen saver file isn't in the %Systemroot%\System32 directory, type the fully qualified path to the file.
If the specified screen saver is not installed on a computer to which this setting applies, the setting is ignored.
If the specified screen saver isn't installed on a computer to which this setting applies, the setting is ignored.
> [!NOTE]
> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers do not run.
> This setting can be superseded by the "Enable Screen Saver" setting. If the "Enable Screen Saver" setting is disabled, this setting is ignored, and screen savers don't run.
<!--/Description-->
@ -1127,9 +1127,9 @@ ADMX Info:
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. Specifies which theme file is applied to the computer the first time a user logs on.
If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first logon.
If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy doesn't prevent the user from changing the theme or any of the theme elements such as the desktop background, color, sounds, or screen saver after the first sign in.
If you disable or do not configure this setting, the default theme will be applied at the first logon.
If you disable or don't configure this setting, the default theme will be applied at the first sign in.
<!--/Description-->
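Review bot: The logon to sign-in replacement is only half applied in this description. The lines still say "the first time a user logs on" and "when a new user logs on for the first time", while the same paragraph now ends with "after the first sign in". As a noun the term should also be hyphenated, matching "sign-in image" in the lock screen hunk; suggest "the first time a user signs in" and "at the first sign-in".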
@ -1172,18 +1172,18 @@ ADMX Info:
<!--Description-->
This setting allows you to force a specific visual style file by entering the path (location) of the visual style file.
This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles).
This file can be a local computer visual style (aero.msstyles) one, or a file located on a remote server using a UNC path (\\Server\Share\aero.msstyles).
If you enable this setting, the visual style file that you specify will be used. Also, a user may not apply a different visual style when changing themes.
If you disable or do not configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available).
If you disable or don't configure this setting, the users can select the visual style that they want to use by changing themes (if the Personalization Control Panel is available).
> [!NOTE]
> If this setting is enabled and the file is not available at user logon, the default visual style is loaded.
> If this setting is enabled and the file isn't available at user logon, the default visual style is loaded.
>
> When running Windows XP, you can select the Luna visual style by typing %windir%\resources\Themes\Luna\Luna.msstyles.
>
> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you cannot apply the Windows Classic visual style.
> To select the Windows Classic visual style, leave the box blank beside "Path to Visual Style:" and enable this setting. When running Windows 8 or Windows RT, you can't apply the Windows Classic visual style.
<!--/Description-->
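Review bot: The rewritten second sentence has a stray "one": "This file can be a local computer visual style (aero.msstyles) one, or a file located on a remote server" doesn't parse. Suggest "This file can be a local visual style file (aero.msstyles) or a file located on a remote server using a UNC path". The UNC example on that line is also outside backticks, so the leading "\\" can render as a single backslash in Markdown; the lock screen hunk wraps its UNC path in backticks and this line should do the same.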
@ -1228,7 +1228,7 @@ Forces the Start screen to use one of the available backgrounds, 1 through 20, a
If this setting is set to zero or not configured, then Start uses the default background, and users can change it.
If this setting is set to a nonzero value, then Start uses the specified background, and users cannot change it. If the specified background is not supported, the default background is used.
If this setting is set to a nonzero value, then Start uses the specified background, and users can't change it. If the specified background isn't supported, the default background is used.
<!--/Description-->

@ -95,9 +95,9 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved via NTLM.
If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows).
If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those credentials that you use when first signing in to Windows).
If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any machine.
If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any machine.
> [!NOTE]
> The "Allow delegating default credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -152,11 +152,11 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved by using a trusted X509 certificate or Kerberos.
If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those that you use when first logging on to Windows).
If you enable this policy setting, you can specify the servers to which the user's default credentials can be delegated (default credentials are those credentials that you use when first logging on to Windows).
The policy becomes effective the next time the user signs on to a computer running Windows.
If you disable or do not configure (by default) this policy setting, delegation of default credentials is not permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB.
If you disable or don't configure (by default) this policy setting, delegation of default credentials isn't permitted to any computer. Applications depending upon this delegation behavior might fail authentication. For more information, see KB.
FWlink for KB:
https://go.microsoft.com/fwlink/?LinkId=301508
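Review bot: The added line in this hunk still says "when first logging on to Windows", while the identical sentence in the preceding hunk was changed to "when first signing in to Windows"; the "Deny delegating default credentials" hunk further down has the same leftover. Apply the replacement to all three descriptions so the definition of default credentials reads the same everywhere. The unchanged "For more information, see KB." followed by "FWlink for KB:" and a bare URL is also worth folding into one sentence with a named link while this paragraph is being touched.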
@ -215,14 +215,14 @@ Some versions of the CredSSP protocol are vulnerable to an encryption oracle att
If you enable this policy setting, CredSSP version support will be selected based on the following options:
- Force Updated Clients: Client applications which use CredSSP will not be able to fall back to the insecure versions and services using CredSSP will not accept unpatched clients.
- Force Updated Clients: Client applications that use CredSSP won't be able to fall back to the insecure versions and services using CredSSP won't accept unpatched clients.
> [!NOTE]
> This setting should not be deployed until all remote hosts support the newest version.
- Mitigated: Client applications which use CredSSP will not be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.
- Mitigated: Client applications that use CredSSP won't be able to fall back to the insecure version but services using CredSSP will accept unpatched clients. See the link below for important information about the risk posed by remaining unpatched clients.
- Vulnerable: Client applications which use CredSSP will expose the remote servers to attacks by supporting fall back to the insecure versions and services using CredSSP will accept unpatched clients.
- Vulnerable: Client applications that use CredSSP will expose the remote servers to attacks by supporting a fallback to the insecure versions and services using CredSSP will accept unpatched clients.
For more information about the vulnerability and servicing requirements for protection, see https://go.microsoft.com/fwlink/?linkid=866660
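Review bot: All three option bullets remain ambiguous after the edit because nothing separates the client clause from the service clause: "won't be able to fall back to the insecure versions and services using CredSSP won't accept unpatched clients" can be read as falling back to "insecure versions and services". For a setting that decides whether unpatched CredSSP peers are accepted, each bullet should state the two behaviors as separate sentences, or at least put a comma before "and services" (and before "but services" in Mitigated). The bullets also alternate between "insecure versions" and "insecure version", and the NOTE keeps "should not" while the rest of the hunk is contracted.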
@ -269,11 +269,11 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.
If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those credentials that you're prompted for when executing the application).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
If you disable this policy setting, delegation of fresh credentials isn't permitted to any machine.
> [!NOTE]
> The "Allow delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard is permitted when specifying the SPN.
@ -327,11 +327,11 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved via NTLM.
If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those that you are prompted for when executing the application).
If you enable this policy setting, you can specify the servers to which the user's fresh credentials can be delegated (fresh credentials are those credentials that you're prompted for when executing the application).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of fresh credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you disable this policy setting, delegation of fresh credentials is not permitted to any machine.
If you disable this policy setting, delegation of fresh credentials isn't permitted to any machine.
> [!NOTE]
> The "Allow delegating fresh credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -385,11 +385,11 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved via a trusted X509 certificate or Kerberos.
If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*).
If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
If you disable this policy setting, delegation of saved credentials isn't permitted to any machine.
> [!NOTE]
> The "Allow delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -443,11 +443,11 @@ This policy setting applies to applications using the Cred SSP component (for ex
This policy setting applies when server authentication was achieved via NTLM.
If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you enable this policy setting, you can specify the servers to which the user's saved credentials can be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager).
If you do not configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine is not a member of any domain. If the client is domain-joined, by default the delegation of saved credentials is not permitted to any machine.
If you don't configure (by default) this policy setting, after proper mutual authentication, delegation of saved credentials is permitted to Remote Desktop Session Host running on any machine (TERMSRV/*) if the client machine isn't a member of any domain. If the client is domain-joined, by default, the delegation of saved credentials isn't permitted to any machine.
If you disable this policy setting, delegation of saved credentials is not permitted to any machine.
If you disable this policy setting, delegation of saved credentials isn't permitted to any machine.
> [!NOTE]
> The "Allow delegating saved credentials with NTLM-only server authentication" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can be delegated. The use of a single wildcard character is permitted when specifying the SPN.
@ -499,12 +499,12 @@ ADMX Info:
<!--Description-->
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
If you enable this policy setting, you can specify the servers to which the user's default credentials cannot be delegated (default credentials are those that you use when first logging on to Windows).
If you enable this policy setting, you can specify the servers to which the user's default credentials can't be delegated (default credentials are those credentials that you use when first logging on to Windows).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server.
> [!NOTE]
> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
> The "Deny delegating default credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN.
>
> For Example:
>
@ -555,12 +555,12 @@ ADMX Info:
<!--Description-->
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
If you enable this policy setting, you can specify the servers to which the user's fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application).
If you enable this policy setting, you can specify the servers to which the user's fresh credentials can't be delegated (fresh credentials are those credentials that you're prompted for when executing the application).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server.
> [!NOTE]
> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
> The "Deny delegating fresh credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN.
>
> For Example:
>
@ -611,12 +611,12 @@ ADMX Info:
<!--Description-->
This policy setting applies to applications using the Cred SSP component (for example: Remote Desktop Connection).
If you enable this policy setting, you can specify the servers to which the user's saved credentials cannot be delegated (saved credentials are those that you elect to save/remember using the Windows credential manager).
If you enable this policy setting, you can specify the servers to which the user's saved credentials can't be delegated (saved credentials are those credentials that you elect to save/remember using the Windows credential manager).
If you disable or do not configure (by default) this policy setting, this policy setting does not specify any server.
If you disable or don't configure (by default) this policy setting, this policy setting doesn't specify any server.
> [!NOTE]
> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN.
> The "Deny delegating saved credentials" policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials can't be delegated. The use of a single wildcard character is permitted when specifying the SPN.
>
> For Example:
>
@ -665,7 +665,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
When running in Restricted Admin or Remote Credential Guard mode, participating apps do not expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials are not delegated. Remote Credential Guard does not limit access to resources because it redirects all requests back to the client device.
When the participating applications are running in Restricted Admin or Remote Credential Guard mode, participating applications don't expose signed in or supplied credentials to a remote host. Restricted Admin limits access to resources located on other servers or networks from the remote host because credentials aren't delegated. Remote Credential Guard doesn't limit access to resources because it redirects all requests back to the client device.
Participating apps:
Remote Desktop Client
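Review bot: The rewritten opening sentence now names its subject twice ("When the participating applications are running in ... mode, participating applications don't expose ..."), which reads worse than the line it replaces. Suggest "When running in Restricted Admin or Remote Credential Guard mode, participating apps don't expose signed-in or supplied credentials to a remote host." That wording also matches the "Participating apps:" label on the next line and hyphenates "signed-in".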
@ -676,12 +676,12 @@ If you enable this policy setting, the following options are supported:
- Require Remote Credential Guard: Participating applications must use Remote Credential Guard to connect to remote hosts.
- Require Restricted Admin: Participating applications must use Restricted Admin to connect to remote hosts.
If you disable or do not configure this policy setting, Restricted Admin and Remote Credential Guard mode are not enforced and participating apps can delegate credentials to remote devices.
If you disable or don't configure this policy setting, Restricted Admin and Remote Credential Guard mode aren't enforced and participating apps can delegate credentials to remote devices.
> [!NOTE]
> To disable most credential delegation, it may be sufficient to deny delegation in Credential Security Support Provider (CredSSP) by modifying Administrative template settings (located at Computer Configuration\Administrative Templates\System\Credentials Delegation).
>
> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions do not support Remote Credential Guard.
> On Windows 8.1 and Windows Server 2012 R2, enabling this policy will enforce Restricted Administration mode, regardless of the mode chosen. These versions don't support Remote Credential Guard.
<!--/Description-->

View File

@ -69,9 +69,9 @@ This policy setting requires the user to enter Microsoft Windows credentials usi
> [!NOTE]
> This policy affects nonlogon authentication tasks only. As a security best practice, this policy should be enabled.
If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism.
If you enable this policy setting, users will be required to enter Windows credentials on the Secure Desktop through the trusted path mechanism.
If you disable or do not configure this policy setting, users will enter Windows credentials within the users desktop session, potentially allowing malicious code access to the users Windows credentials.
If you disable or don't configure this policy setting, users will enter Windows credentials within the users desktop session, potentially allowing malicious code access to the users Windows credentials.
<!--/Description-->
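Review bot: The last changed line still reads "within the users desktop session" and "access to the users Windows credentials"; both need the possessive "user's". Since this line is being touched anyway, fix it here. It's the sentence that explains the risk of leaving the policy off, so it should read cleanly.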
@ -112,7 +112,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Available in the latest Windows 10 Insider Preview Build. If you turn this policy setting on, local users wont be able to set up and use security questions to reset their passwords.
Available in the latest Windows 10 Insider Preview Build. If you turn on this policy setting, local users wont be able to set up and use security questions to reset their passwords.
<!--/Description-->
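Review bot: The new line keeps "local users wont be able", which is missing its apostrophe. In a pass that standardizes contractions, this should become "won't". Worth checking whether the source had a typographic apostrophe that was lost, since the same pattern ("users desktop session") shows up in the previous hunk of this file.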

View File

@ -72,7 +72,7 @@ manager: dansimp
<!--Description-->
This policy setting prevents users from changing their Windows password on demand.
If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del.
If you enable this policy setting, the **Change Password** button on the Windows Security dialog box won't appear when you press Ctrl+Alt+Del.
However, users are still able to change their password when prompted by the system. The system prompts users for a new password when an administrator requires a new password or their password is expiring.
@ -119,11 +119,11 @@ ADMX Info:
<!--Description-->
This policy setting prevents users from locking the system.
While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it.
While locked, the desktop is hidden and the system can't be used. Only the user who locked the system or the system administrator can unlock it.
If you enable this policy setting, users cannot lock the computer from the keyboard using Ctrl+Alt+Del.
If you enable this policy setting, users can't lock the computer from the keyboard using Ctrl+Alt+Del.
If you disable or do not configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del.
If you disable or don't configure this policy setting, users will be able to lock the computer from the keyboard using Ctrl+Alt+Del.
> [!TIP]
> To lock a computer without configuring a setting, press Ctrl+Alt+Delete, and then click Lock this computer.
@ -170,9 +170,9 @@ This policy setting prevents users from starting Task Manager.
Task Manager (**taskmgr.exe**) lets users start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run.
If you enable this policy setting, users will not be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action.
If you enable this policy setting, users won't be able to access Task Manager. If users try to start Task Manager, a message appears explaining that a policy prevents the action.
If you disable or do not configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run.
If you disable or don't configure this policy setting, users can access Task Manager to start and stop programs, monitor the performance of their computers, view and monitor all programs running on their computers, including system services, find the executable names of programs, and change the priority of the process in which programs run.
<!--/Description-->
@ -215,11 +215,11 @@ ADMX Info:
<!--Description-->
This policy setting disables or removes all menu items and buttons that log the user off the system.
If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the computer, or clicking Log off from the Start menu.
If you enable this policy setting, users won't see the Log off menu item when they press Ctrl+Alt+Del. This scenario will prevent them from logging off unless they restart or shut down the computer, or clicking Log off from the Start menu.
Also, see the 'Remove Logoff on the Start Menu' policy setting.
If you disable or do not configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del.
If you disable or don't configure this policy setting, users can see and select the Log off menu item when they press Ctrl+Alt+Del.
<!--/Description-->
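Review bot: In the line that now begins "This scenario will prevent them from logging off", the list is still not parallel ("unless they restart or shut down the computer, or clicking Log off from the Start menu"), and "This scenario" is a vaguer antecedent than the original "This". Suggest "This setting prevents them from logging off unless they restart or shut down the computer, or click Log off from the Start menu."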

View File

@ -63,9 +63,9 @@ manager: dansimp
<!--Description-->
This policy setting defines the identifier used to uniquely associate this devices telemetry data as belonging to a given organization.
If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
If your organization is participating in a program that requires this device to be identified as belonging to your organization, then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program.
If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its telemetry data with your organization.
If you disable or don't configure this policy setting, then Microsoft won't be able to use this identifier to associate this machine and its telemetry data with your organization.
<!--/Description-->

View File

@ -66,10 +66,10 @@ manager: dansimp
<!--Description-->
This policy setting allows you to specify that local computer administrators can supplement the "Define Activation Security Check exemptions" list.
- If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list.
- If you enable this policy setting, and DCOM doesn't find an explicit entry for a DCOM server application ID (appid) in the "Define Activation Security Check exemptions" policy (if enabled). Then DCOM will look for an entry in the locally configured list.
- If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list.
If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy is not configured.
- If you disable this policy setting, DCOM won't look in the locally configured DCOM activation security check exemption list.
If you don't configure this policy setting, DCOM will only look in the locally configured exemption list if the "Define Activation Security Check exemptions" policy isn't configured.
> [!NOTE]
> This policy setting applies to all sites in Trusted zones.
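Review bot: The first bullet is still split into a fragment and a follow-on sentence ("... policy (if enabled). Then DCOM will look for an entry in the locally configured list."). Join them: "If you enable this policy setting and DCOM doesn't find an explicit entry ... policy (if enabled), DCOM will look for an entry in the locally configured list." Also, the "If you don't configure this policy setting" line is the third case of the same list but has no "- " marker like the two bullets above it.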
@ -113,25 +113,25 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to view and change a list of DCOM server application IDs (app ids), which are exempted from the DCOM Activation security check.
This policy setting allows you to view and change a list of DCOM server application IDs (app IDs), which are exempted from the DCOM Activation security check.
DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators.
DCOM ignores the second list when this policy setting is configured, unless the "Allow local activation security check exemptions" policy is enabled.
DCOM server application IDs added to this policy must be listed in curly brace format.
For example, `{b5dcb061-cefb-42e0-a1be-e6a6438133fe}`.
If you enter a non-existent or improperly formatted application ID DCOM will add it to the list without checking for errors.
If you enter a non-existent or improperly formatted application, ID DCOM will add it to the list without checking for errors.
- If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings.
If you add an application ID to this list and set its value to one, DCOM will not enforce the Activation security check for that DCOM server.
If you add an application ID to this list and set its value to zero DCOM will always enforce the Activation security check for that DCOM server regardless of local
If you add an application ID to this list and set its value to one, DCOM won't enforce the Activation security check for that DCOM server.
If you add an application ID to this list and set its value to 0, DCOM will always enforce the Activation security check for that DCOM server regardless of local
settings.
- If you disable this policy setting, the application ID exemption list defined by Group Policy is deleted, and the one defined by local computer administrators is used.
If you do not configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process.
This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead.
If you don't configure this policy setting, the application ID exemption list defined by local computer administrators is used. Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process.
This access check is done against the DCOM server's custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server's custom launch permission contains explicit DENY entries, then the object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead.
The proper action in this situation is to reconfigure the DCOM server's custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid.
DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups.
DCOM servers added to this exemption list are only exempted if their custom launch permissions don't contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups.
> [!NOTE]
> Exemptions for DCOM Server Application IDs added to this list will apply to both 32-bit and 64-bit versions of the server if present.
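Review bot: The added comma in "improperly formatted application, ID DCOM will add it to the list" is in the wrong place and changes the meaning; it should read "improperly formatted application ID, DCOM will add it to the list without checking for errors." This sentence is the only warning that a mistyped appid is accepted silently, so it needs to parse correctly. Separately, the two value lines now disagree in style ("set its value to one" versus "set its value to 0"); use numerals for both (1 and 0), since these are the literal values that decide whether the Activation security check is enforced.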

View File

@ -145,13 +145,13 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results.
Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying more filters to search results.
If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but users can hide it.
If you disable this setting or do not configure it, the filter bar does not appear, but users can display it by selecting "Filter" on the "View" menu.
If you disable this setting or don't configure it, the filter bar doesn't appear, but users can display it by selecting "Filter" on the "View" menu.
To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar does not appear above the resulting display, on the View menu, click Filter.
To see the filter bar, open Network Locations, click Entire Network, and then click Directory. Right-click the name of a Windows domain, and click Find. Type the name of an object in the directory, such as "Administrator." If the filter bar doesn't appear above the resulting display, on the View menu, click Filter.
<!--/Description-->
@ -197,9 +197,9 @@ Hides the Active Directory folder in Network Locations.
The Active Directory folder displays Active Directory objects in a browse window.
If you enable this setting, the Active Directory folder does not appear in the Network Locations folder.
If you enable this setting, the Active Directory folder doesn't appear in the Network Locations folder.
If you disable this setting or do not configure it, the Active Directory folder appears in the Network Locations folder.
If you disable this setting or don't configure it, the Active Directory folder appears in the Network Locations folder.
This setting is designed to let users search Active Directory but not tempt them to casually browse Active Directory.
@ -243,11 +243,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory.
Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those displays in Local Users and Groups, Active Directory Users and Computers, and dialog boxes used to set permissions for user or group objects in Active Directory.
If you enable this setting, you can use the "Number of objects returned" box to limit returns from an Active Directory search.
If you disable this setting or do not configure it, the system displays up to 10,000 objects. This consumes approximately 2 MB of memory or disk space.
If you disable this setting or don't configure it, the system displays up to 10,000 objects. This screen-display consumes approximately 2 MB of memory or disk space.
This setting is designed to protect the network and the domain controller from the effect of expansive searches.
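Review bot: "This screen-display consumes approximately 2 MB of memory or disk space" introduces a term that appears nowhere else in the text and obscures what consumes the memory. The original "This" referred to displaying up to 10,000 objects. Suggest "Displaying this many objects consumes approximately 2 MB of memory or disk space."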
@ -295,7 +295,7 @@ Enables Active Desktop and prevents users from disabling it.
This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.
If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it.
> [!NOTE]
> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both of these policies are ignored.
@ -343,7 +343,7 @@ Disables Active Desktop and prevents users from enabling it.
This setting prevents users from trying to enable or disable Active Desktop while a policy controls it.
If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can enable it.
If you disable this setting or don't configure it, Active Desktop is disabled by default, but users can enable it.
> [!NOTE]
> If both the "Enable Active Desktop" setting and the "Disable Active Desktop" setting are enabled, the "Disable Active Desktop" setting is ignored. If the "Turn on Classic Shell" setting (in User Configuration\Administrative Templates\Windows Components\Windows Explorer) is enabled, Active Desktop is disabled, and both these policies are ignored.
@ -390,7 +390,7 @@ ADMX Info:
<!--Description-->
Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration.
This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users cannot enable or disable Active Desktop. If Active Desktop is already enabled, users cannot add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components.
This setting is a comprehensive one that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Control Panel. As a result, users can't enable or disable Active Desktop. If Active Desktop is already enabled, users can't add, remove, or edit Web content or disable, lock, or synchronize Active Desktop components.
<!--/Description-->
@ -433,9 +433,9 @@ ADMX Info:
<!--Description-->
Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations.
Removing icons and shortcuts does not prevent the user from using another method to start the programs or opening the items they represent.
Removing icons and shortcuts doesn't prevent the user from using another method to start the programs or opening the items they represent.
Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. This will help prevent users from saving data to the Desktop.
Also, see "Items displayed in Places Bar" in User Configuration\Administrative Templates\Windows Components\Common Open File Dialog to remove the Desktop icon from the Places Bar. The removal of the Desktop icon will help prevent users from saving data to the Desktop.
<!--/Description-->
@ -479,12 +479,12 @@ ADMX Info:
<!--Description-->
Prevents users from using the Desktop Cleanup Wizard.
If you enable this setting, the Desktop Cleanup wizard does not automatically run on a users workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard.
If you enable this setting, the Desktop Cleanup wizard doesn't automatically run on a user's workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard.
If you disable this setting or do not configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs.
If you disable this setting or don't configure it, the default behavior of the Desktop Clean Wizard running every 60 days occurs.
> [!NOTE]
> When this setting is not enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button.
> When this setting isn't enabled, users can run the Desktop Cleanup Wizard, or have it run automatically every 60 days from Display, by clicking the Desktop tab and then clicking the Customize Desktop button.
<!--/Description-->
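Review bot: The feature name is spelled three ways within this hunk: "Desktop Cleanup Wizard", "Desktop Cleanup wizard" (first changed line) and "Desktop Clean Wizard" (second changed line). Both changed lines are being edited already, so normalize them to "Desktop Cleanup Wizard" to match the setting description and the note below.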
@ -528,7 +528,7 @@ ADMX Info:
<!--Description-->
Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar.
This setting does not prevent the user from starting Internet Explorer by using other methods.
This setting doesn't prevent the user from starting Internet Explorer by using other methods.
<!--/Description-->
@ -576,10 +576,10 @@ If you enable this setting, Computer is hidden on the desktop, the new Start men
If you disable this setting, Computer is displayed as usual, appearing as normal on the desktop, Start menu, folder tree pane, and Web views, unless restricted by another setting.
If you do not configure this setting, the default is to display Computer as usual.
If you don't configure this setting, the default is to display Computer as usual.
> [!NOTE]
> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents does not hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled.
> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Computer icon. Hiding Computer and its contents doesn't hide the contents of the child folders of Computer. For example, if the users navigate into one of their hard drives, they see all of their folders and files there, even if this setting is enabled.
<!--/Description-->
@ -625,9 +625,9 @@ Removes most occurrences of the My Documents icon.
This setting removes the My Documents icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box.
This setting does not prevent the user from using other methods to gain access to the contents of the My Documents folder.
This setting doesn't prevent the user from using other methods to gain access to the contents of the My Documents folder.
This setting does not remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting.
This setting doesn't remove the My Documents icon from the Start menu. To do so, use the "Remove My Documents icon from Start Menu" setting.
> [!NOTE]
> To make changes to this setting effective, you must log off from and log back on to Windows 2000 Professional.
@ -673,7 +673,7 @@ ADMX Info:
<!--Description-->
Removes the Network Locations icon from the desktop.
This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network.
This setting only affects the desktop icon. It doesn't prevent users from connecting to the network or browsing for shared computers on the network.
> [!NOTE]
> In operating systems earlier than Microsoft Windows Vista, this policy applies to the My Network Places icon.
@ -720,9 +720,9 @@ ADMX Info:
<!--Description-->
This setting hides Properties on the context menu for Computer.
If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected.
If you enable this setting, the Properties option won't be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Enter does nothing when Computer is selected.
If you disable or do not configure this setting, the Properties option is displayed as usual.
If you disable or don't configure this setting, the Properties option is displayed as usual.
<!--/Description-->
@ -766,13 +766,13 @@ ADMX Info:
<!--Description-->
This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon.
If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following:
If you enable this policy setting, the Properties menu command won't be displayed when the user does any of the following tasks:
- Right-clicks the My Documents icon.
- Clicks the My Documents icon, and then opens the File menu.
- Clicks the My Documents icon, and then presses ALT+ENTER.
If you disable or do not configure this policy setting, the Properties menu command is displayed.
If you disable or don't configure this policy setting, the Properties menu command is displayed.
<!--/Description-->
@ -814,11 +814,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Remote shared folders are not added to Network Locations whenever you open a document in the shared folder.
Remote shared folders aren't added to Network Locations whenever you open a document in the shared folder.
If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations.
If you disable this setting or don't configure it, when you open a document in a remote shared folder, the system adds a connection to the shared folder to Network Locations.
If you enable this setting, shared folders are not added to Network Locations automatically when you open a document in the shared folder.
If you enable this setting, shared folders aren't added to Network Locations automatically when you open a document in the shared folder.
<!--/Description-->
@ -864,7 +864,7 @@ Removes most occurrences of the Recycle Bin icon.
This setting removes the Recycle Bin icon from the desktop, from File Explorer, from programs that use the File Explorer windows, and from the standard Open dialog box.
This setting does not prevent the user from using other methods to gain access to the contents of the Recycle Bin folder.
This setting doesn't prevent the user from using other methods to gain access to the contents of the Recycle Bin folder.
> [!NOTE]
> To make changes to this setting effective, you must log off and then log back on.
@ -910,9 +910,9 @@ ADMX Info:
<!--Description-->
Removes the Properties option from the Recycle Bin context menu.
If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected.
If you enable this setting, the Properties option won't be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does nothing when Recycle Bin is selected.
If you disable or do not configure this setting, the Properties option is displayed as usual.
If you disable or don't configure this setting, the Properties option is displayed as usual.
<!--/Description-->
@ -956,7 +956,7 @@ ADMX Info:
<!--Description-->
Prevents users from saving certain changes to the desktop.
If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts placed on the desktop are always saved.
If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, aren't saved when users sign out. However, shortcuts placed on the desktop are always saved.
<!--/Description-->
@ -1000,9 +1000,9 @@ ADMX Info:
<!--Description-->
Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse.
If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and forth with the mouse.
If you enable this policy, application windows won't be minimized or restored when the active window is shaken back and forth with the mouse.
If you disable or do not configure this policy, this window minimizing and restoring gesture will apply.
If you disable or don't configure this policy, this window minimizing and restoring gesture will apply.
<!--/Description-->
@ -1047,14 +1047,14 @@ Specifies the desktop background ("wallpaper") displayed on all users' desktops.
This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (*.jpg) file.
To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file is not available when the user logs on, no wallpaper is displayed. Users cannot specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users cannot change this specification.
To use this setting, type the fully qualified path and name of the file that stores the wallpaper image. You can type a local path, such as C:\Windows\web\wallpaper\home.jpg or a UNC path, such as \\\Server\Share\Corp.jpg. If the specified file isn't available when the user logs on, no wallpaper is displayed. Users can't specify alternative wallpaper. You can also use this setting to specify that the wallpaper image be centered, tiled, or stretched. Users can't change this specification.
If you disable this setting or do not configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
If you disable this setting or don't configure it, no wallpaper is displayed. However, users can select the wallpaper of their choice.
Also, see the "Allow only bitmapped wallpaper" in the same location, and the "Prevent changing wallpaper" setting in User Configuration\Administrative Templates\Control Panel.
> [!NOTE]
> This setting does not apply to remote desktop server sessions.
> This setting doesn't apply to remote desktop server sessions.
<!--/Description-->
@ -1097,7 +1097,7 @@ ADMX Info:
<!--Description-->
Prevents users from adding Web content to their Active Desktop.
This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove existing Web content from their Active Desktop, or prevent users from removing existing Web content.
This setting removes the "New" button from Web tab in Display in Control Panel. As a result, users can't add Web pages or pictures from the Internet or an intranet to the desktop. This setting doesn't remove existing Web content from their Active Desktop, or prevent users from removing existing Web content.
Also, see the "Disable all items" setting.
@ -1142,12 +1142,12 @@ ADMX Info:
<!--Description-->
Prevents users from removing Web content from their Active Desktop.
In Active Desktop, you can add items to the desktop but close them so they are not displayed.
In Active Desktop, you can add items to the desktop but close them so they aren't displayed.
If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel.
If you enable this setting, items added to the desktop can't be closed; they always appear on the desktop. This setting removes the check boxes from items on the Web tab in Display in Control Panel.
> [!NOTE]
> This setting does not prevent users from deleting items from their Active Desktop.
> This setting doesn't prevent users from deleting items from their Active Desktop.
<!--/Description-->
@ -1193,7 +1193,7 @@ Prevents users from deleting Web content from their Active Desktop.
This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop.
This setting does not prevent users from adding Web content to their Active Desktop.
This setting doesn't prevent users from adding Web content to their Active Desktop.
Also, see the "Prohibit closing items" and "Disable all items" settings.
@ -1239,7 +1239,7 @@ ADMX Info:
<!--Description-->
Prevents users from changing the properties of Web content items on their Active Desktop.
This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users cannot change the properties of an item, such as its synchronization schedule, password, or display characteristics.
This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a result, users can't change the properties of an item, such as its synchronization schedule, password, or display characteristics.
<!--/Description-->
@ -1283,10 +1283,10 @@ ADMX Info:
<!--Description-->
Removes Active Desktop content and prevents users from adding Active Desktop content.
This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop.
This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users can't add Web pages or pictures from the Internet or an intranet to the desktop.
> [!NOTE]
> This setting does not disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper.
> This setting doesn't disable Active Desktop. Users can still use image formats, such as JPEG and GIF, for their desktop wallpaper.
<!--/Description-->
@ -1335,10 +1335,10 @@ You can use the "Add" box in this setting to add particular Web-based items or s
You can also use this setting to delete particular Web-based items from users' desktops. Users can add the item again (if settings allow), but the item is deleted each time the setting is refreshed.
> [!NOTE]
> Removing an item from the "Add" list for this setting is not the same as deleting it. Items that are removed from the "Add" list are not removed from the desktop. They are simply not added again.
> Removing an item from the "Add" list for this setting isn't the same as deleting it. Items that are removed from the "Add" list aren't removed from the desktop. They are simply not added again.
> [!NOTE]
> For this setting to take affect, you must log off and log on to the system.
> For this setting to take effect, you must log off and log on to the system.
<!--/Description-->
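Review bot: The second note in this hunk fixes "take affect" but keeps "you must log off and log on to the system", while the "Prevents users from saving certain changes to the desktop" hunk in this same commit replaces "log off" with "sign out". Pick one term for the whole file; if "sign out" is the house style, this line should read "you must sign out and sign in again". The first note is also only half converted: "isn't" and "aren't" are contracted, but "They are simply not added again" is left as is.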
@ -1382,7 +1382,7 @@ ADMX Info:
<!--Description-->
Prevents users from manipulating desktop toolbars.
If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars.
If you enable this setting, users can't add or remove toolbars from the desktop. Also, users can't drag toolbars onto or off from the docked toolbars.
> [!NOTE]
> If users have added or removed toolbars, this setting prevents them from restoring the default configuration.
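Review bot: The rewritten sentence "users can't drag toolbars onto or off from the docked toolbars" is harder to read than the line it replaces, and the added "the" now implies a specific set of docked toolbars. Joining "on to" into "onto" is fine; for the rest, "users can't drag toolbars onto or off docked toolbars" keeps the original meaning.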
@ -1432,9 +1432,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars.
Prevents users from adjusting the length of desktop toolbars. Also, users can't reposition items or toolbars on docked toolbars.
This setting does not prevent users from adding or removing toolbars on the desktop.
This setting doesn't prevent users from adding or removing toolbars on the desktop.
> [!NOTE]
> If users have adjusted their toolbars, this setting prevents them from restoring the default configuration.
@ -1481,7 +1481,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does not load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper".
Permits only bitmap images for wallpaper. This setting limits the desktop background ("wallpaper") to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper doesn't load. Files that are autoconverted to a .bmp format, such as JPEG, GIF, and PNG, can be set as Wallpaper by right-clicking the image and selecting "Set as Wallpaper".
Also, see the "Desktop Wallpaper" and the "Prevent changing wallpaper" (in User Configuration\Administrative Templates\Control Panel\Display) settings.

View File

@ -65,12 +65,12 @@ This policy setting lets you deploy a Code Integrity Policy to a machine to cont
If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy.
To enable this policy the machine must be rebooted.
To enable this policy, the machine must be rebooted.
The file path must be either a UNC path (for example, `\\ServerName\ShareName\SIPolicy.p7b`),
or a locally valid path (for example, `C:\FolderName\SIPolicy.p7b)`.
The local machine account (LOCAL SYSTEM) must have access permission to the policy file.
If using a signed and protected policy then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either:
If using a signed and protected policy, then disabling this policy setting doesn't remove the feature from the computer. Instead, you must either:
1. First update the policy to a non-protected policy and then disable the setting.
2. Disable the setting and then remove the policy from each computer, with a physically present user.
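Review bot: The unchanged context line with the local path example has its closing backtick after the parenthesis, so the ")" is rendered as part of the path (`C:\FolderName\SIPolicy.p7b)`). Since this paragraph is being touched anyway, move the backtick before the ")" so that readers who copy the example get a valid policy file path. The two comma fixes in this hunk look fine.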

View File

@ -86,7 +86,7 @@ This policy setting allows you to determine whether members of the Administrator
If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
If you disable or don't configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
<!--/Description-->
@ -132,7 +132,7 @@ This policy setting allows you to display a custom message to users in a notific
If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation.
If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation.
If you disable or don't configure this policy setting, Windows displays a default message when a policy setting prevents device installation.
<!--/Description-->
@ -178,7 +178,7 @@ This policy setting allows you to display a custom message title in a notificati
If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of a notification when a policy setting prevents device installation.
If you disable or do not configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation.
If you disable or don't configure this policy setting, Windows displays a default title in a notification when a policy setting prevents device installation.
<!--/Description-->
@ -224,7 +224,7 @@ This policy setting allows you to configure the number of seconds Windows waits
If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation.
If you disable or do not configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation.
If you disable or don't configure this policy setting, Windows waits 240 seconds for a device installation task to complete before terminating the installation.
<!--/Description-->
@ -268,11 +268,11 @@ ADMX Info:
<!--Description-->
This policy setting establishes the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies.
If you enable this policy setting, set the amount of seconds you want the system to wait until a reboot.
If you enable this policy setting, set the number of seconds you want the system to wait until a reboot.
If you disable or do not configure this policy setting, the system does not force a reboot.
If you disable or don't configure this policy setting, the system doesn't force a reboot.
Note: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted.
Note: If no reboot is forced, the device installation restriction right won't take effect until the system is restarted.
<!--/Description-->
@ -314,11 +314,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it's connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.
If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices can't have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.
If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings.
If you disable or don't configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings.
<!--/Description-->
@ -361,9 +361,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity.
If you enable this policy setting, Windows does not create a system restore point when one would normally be created.
If you enable this policy setting, Windows doesn't create a system restore point when one would normally be created.
If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would.
If you disable or don't configure this policy setting, Windows creates a system restore point as it normally would.
<!--/Description-->
@ -409,7 +409,7 @@ This policy setting specifies a list of device setup class GUIDs describing devi
If you enable this policy setting, members of the Users group may install new drivers for the specified device setup classes. The drivers must be signed according to Windows Driver Signing Policy, or be signed by publishers already in the TrustedPublisher store.
If you disable or do not configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system.
If you disable or don't configure this policy setting, only members of the Administrators group are allowed to install new device drivers on the system.
<!--/Description-->

View File

@ -66,9 +66,9 @@ manager: dansimp
<!--Description-->
This policy setting allows you to turn off "Found New Hardware" balloons during device installation.
If you enable this policy setting, "Found New Hardware" balloons do not appear while a device is being installed.
If you enable this policy setting, "Found New Hardware" balloons don't appear while a device is being installed.
If you disable or do not configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons.
If you disable or don't configure this policy setting, "Found New Hardware" balloons appear while a device is being installed, unless the driver for the device suppresses the balloons.
<!--/Description-->
@ -114,9 +114,9 @@ This policy setting allows you to specify the order in which Windows searches so
If you enable this policy setting, you can select whether Windows searches for drivers on Windows Update unconditionally, only if necessary, or not at all.
Note that searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows will not continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver is not locally available on the system.
Searching always implies that Windows will attempt to search Windows Update exactly one time. With this setting, Windows won't continually search for updates. This setting is used to ensure that the best software will be found for the device, even if the network is temporarily available. If the setting for searching only if needed is specified, then Windows will search for a driver only if a driver isn't locally available on the system.
If you disable or do not configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers.
If you disable or don't configure this policy setting, members of the Administrators group can determine the priority order in which Windows searches source locations for device drivers.
<!--/Description-->
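Review bot: Dropping "Note that" leaves "Searching always implies that Windows will attempt to search Windows Update exactly one time", which now reads as "searching, in every case, implies" rather than as a description of the option that always searches Windows Update. Name the option explicitly so the sentence can't be misread, for example "If you select the option to always search, Windows attempts to search Windows Update exactly one time." The same changed line still says "even if the network is temporarily available"; confirm whether "unavailable" was intended before carrying it forward.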

View File

@ -68,9 +68,9 @@ This policy setting specifies whether Digital Locker can run.
Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.
If you enable this setting, Digital Locker will not run.
If you enable this setting, Digital Locker won't run.
If you disable or do not configure this setting, Digital Locker can be run.
If you disable or don't configure this setting, Digital Locker can be run.
<!--/Description-->
@ -116,9 +116,9 @@ This policy setting specifies whether Digital Locker can run.
Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Locker.
If you enable this setting, Digital Locker will not run.
If you enable this setting, Digital Locker won't run.
If you disable or do not configure this setting, Digital Locker can be run.
If you disable or don't configure this setting, Digital Locker can be run.
<!--/Description-->

View File

@ -67,14 +67,14 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
This policy setting turns off the boot and resume optimizations for the hybrid hard disks in the system.
This policy setting turns off the boot and resumes optimizations for the hybrid hard disks in the system.
If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume.
If you enable this policy setting, the system doesn't use the non-volatile (NV) cache to optimize boot and resume.
If you disable this policy setting, the system uses the NV cache to achieve faster boot and resume.
The system determines the data that will be stored in the NV cache to optimize boot and resume.
The required data is stored in the NV cache during shutdown and hibernate, respectively. This might cause a slight increase in the time taken for shutdown and hibernate. If you do not configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations.
The required data is stored in the NV cache during shutdown and hibernate, respectively. This storage in such a location might cause a slight increase in the time taken for shutdown and hibernate. If you don't configure this policy setting, the default behavior is observed and the NV cache is used for boot and resume optimizations.
This policy setting is applicable only if the NV cache feature is on.
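Review bot: The first changed line turns "the boot and resume optimizations" into "the boot and resumes optimizations", which changes the meaning: "resume" is a modifier of "optimizations" (as in "optimize boot and resume" two lines later), not a verb. Revert that line to the original wording. In the same hunk, "This storage in such a location might cause a slight increase" is more awkward than the sentence it replaces; "Storing this data might cause a slight increase in the time taken for shutdown and hibernate" says the same thing with a clear subject.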
@ -119,11 +119,11 @@ This policy setting turns off all support for the non-volatile (NV) cache on all
To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used to optimize boot and resume by reading data from the cache while the disks are spinning up. The NV cache can also be used to reduce the power consumption of the system by keeping the disks spun down while satisfying reads and writes from the cache.
If you enable this policy setting, the system will not manage the NV cache and will not enable NV cache power saving mode.
If you enable this policy setting, the system won't manage the NV cache and won't enable NV cache power saving mode.
If you disable this policy setting, the system will manage the NV cache on the disks if the other policy settings for the NV cache are appropriately configured.
This policy setting will take effect on next boot. If you do not configure this policy setting, the default behavior is to turn on support for the NV cache.
This policy setting will take effect on next boot. If you don't configure this policy setting, the default behavior is to turn on support for the NV cache.
@ -170,9 +170,9 @@ This policy setting turns off the solid state mode for the hybrid hard disks.
If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache.
If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power.
If you disable this policy setting, the system will store frequently written data into the non-volatile (NV) cache. This storage allows the system to exclusively run out of the NV cache and power down the disk for longer periods to save power.
This can cause increased wear of the NV cache. If you do not configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on.
This usage can cause increased wear of the NV cache. If you don't configure this policy setting, the default behavior of the system is observed and frequently written files will be stored in the NV cache. Note: This policy setting is applicable only if the NV cache feature is on.
<!--/Description-->
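Review bot: In the last changed line, "This usage can cause increased wear of the NV cache" has no clear antecedent, because the preceding sentence is about storing frequently written data, not about a "usage". State the cause directly, for example "Storing frequently written data in the NV cache can cause increased wear of the cache." The inline "Note:" at the end of that line could also become a `> [!NOTE]` callout to match the other notes in this commit.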

View File

@ -79,7 +79,7 @@ manager: dansimp
<!--Description-->
This policy setting extends the disk quota policies in this folder to NTFS file system volumes on the removable media.
If you disable or do not configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only.
If you disable or don't configure this policy setting, the disk quota policies established in this folder apply to fixed-media NTFS volumes only.
When this policy setting is applied, the computer will apply the disk quota to both fixed and removable media.
@ -124,13 +124,13 @@ ADMX Info:
<!--Description-->
This policy setting turns on and turns off disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting.
If you enable this policy setting, disk quota management is turned on, and users cannot turn it off.
If you enable this policy setting, disk quota management is turned on, and users can't turn it off.
If you disable the policy setting, disk quota management is turned off, and users cannot turn it on. When this policy setting is not configured then the disk quota management is turned off by default, and the administrators can turn it on.
If you disable the policy setting, disk quota management is turned off, and users can't turn it on. When this policy setting isn't configured then the disk quota management is turned off by default, and the administrators can turn it on.
To prevent users from changing the setting while a setting is in effect, the system disables the "Enable quota management" option on the Quota tab of NTFS volumes.
This policy setting turns on disk quota management but does not establish or enforce a particular disk quota limit.
This policy setting turns on disk quota management but doesn't establish or enforce a particular disk quota limit.
To specify a disk quota limit, use the "Default quota limit and warning level" policy setting. Otherwise, the system uses the physical space on the volume as the quota limit.
@ -180,9 +180,9 @@ This policy setting determines whether disk quota limits are enforced and preven
If you enable this policy setting, disk quota limits are enforced.
If you disable this policy setting, disk quota limits are not enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators cannot make changes while the setting is in effect.
If you disable this policy setting, disk quota limits aren't enforced. When you enable or disable this policy setting, the system disables the "Deny disk space to users exceed quota limit" option on the Quota tab. Therefore, the administrators can't make changes while the setting is in effect.
If you do not configure this policy setting, the disk quota limit is not enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available.
If you don't configure this policy setting, the disk quota limit isn't enforced by default, but administrators can change the setting. Enforcement is optional. When users reach an enforced disk quota limit, the system responds as though the physical space on the volume were exhausted. When users reach an unenforced limit, their status in the Quota Entries window changes. However, the users can continue to write to the volume as long as physical space is available.
This policy setting overrides user settings that enable or disable quota enforcement on their volumes.
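Review bot: The changed line quotes the Quota tab option as "Deny disk space to users exceed quota limit", which reads as if a word ending was lost ("exceeding"). The text is carried over unchanged from the old line, but because the line is being edited, check it against the actual label on the Quota tab and correct it here so administrators can find the option by name.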
@ -232,9 +232,9 @@ This policy setting determines whether the system records an event in the local
If you enable this policy setting, the system records an event when the user reaches their limit.
If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators cannot change the setting while a setting is in effect. If you do not configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting.
If you disable this policy setting, no event is recorded. Also, when you enable or disable this policy setting, the system disables the "Log event when a user exceeds their quota limit" option on the Quota tab, so administrators can't change the setting while a setting is in effect. If you don't configure this policy setting, no events are recorded, but administrators can use the Quota tab option to change the setting.
This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their limit, because their status in the Quota Entries window changes.
This policy setting is independent of the enforcement policy settings for disk quotas. As a result, you can direct the system to log an event, regardless of whether or not you choose to enforce the disk quota limit. Also, this policy setting doesn't affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they've reached their limit, because their status in the Quota Entries window changes.
To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.
@ -282,9 +282,9 @@ This policy setting determines whether the system records an event in the Applic
If you enable this policy setting, the system records an event.
If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators cannot change logging while a policy setting is in effect.
If you disable this policy setting, no event is recorded. When you enable or disable this policy setting, the system disables the corresponding "Log event when a user exceeds their warning level" option on the Quota tab so that administrators can't change logging while a policy setting is in effect.
If you do not configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting does not affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they have reached their warning level because their status in the Quota Entries window changes.
If you don't configure this policy setting, no event is recorded, but administrators can use the Quota tab option to change the logging setting. This policy setting doesn't affect the Quota Entries window on the Quota tab. Even without the logged event, users can detect that they've reached their warning level because their status in the Quota Entries window changes.
To find the logging option, in My Computer, right-click the name of an NTFS file system volume, click Properties, and then click the Quota tab.
@ -332,11 +332,11 @@ This policy setting specifies the default disk quota limit and warning level for
This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also specifies the warning level, the point at which the user's status in the Quota Entries window changes to indicate that the user is approaching the disk quota limit.
This setting overrides new users settings for the disk quota limit and warning level on their volumes, and it disables the corresponding options in the "Select the default quota limit for new users of this volume" section on the Quota tab.
This policy setting applies to all new users as soon as they write to the volume. It does not affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).
This policy setting applies to all new users as soon as they write to the volume. It doesn't affect disk quota limits for current users, or affect customized limits and warning levels set for particular users (on the Quota tab in Volume Properties).
If you disable or do not configure this policy setting, the disk space available to users is not limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it is reasonable for the range of volumes in the group.
If you disable or don't configure this policy setting, the disk space available to users isn't limited. The disk quota management feature uses the physical space on each volume as its quota limit and warning level. When you select a limit, remember that the same limit applies to all users on all volumes, regardless of actual volume size. Be sure to set the limit and warning level so that it's reasonable for the range of volumes in the group.
This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas are not enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume.
This policy setting is effective only when disk quota management is enabled on the volume. Also, if disk quotas aren't enforced, users can exceed the quota limit you set. When users reach the quota limit, their status in the Quota Entries window changes, but users can continue to write to the volume.
<!--/Description-->
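Review bot: In the rewritten sentence "Be sure to set the limit and warning level so that it's reasonable for the range of volumes in the group," the contraction keeps a singular pronoun for a plural subject (the limit and the warning level). Suggest "so that they're reasonable". The unchanged context line in this hunk also reads "new users settings" and needs an apostrophe ("new users' settings") while this description is being touched.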

View File

@ -64,7 +64,7 @@ manager: dansimp
This policy specifies that Distributed Link Tracking clients in this domain may use the Distributed Link Tracking (DLT) server, which runs on domain controllers.
The DLT client enables programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer.
The DLT client can more reliably track links when allowed to use the DLT server.
This policy should not be set unless the DLT server is running on all domain controllers in the domain.
This policy shouldn't be set unless the DLT server is running on all domain controllers in the domain.
> [!NOTE]
> This policy setting applies to all sites in Trusted zones.
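
Review bot: The context note "This policy setting applies to all sites in Trusted zones" does not match the setting described above it, which covers Distributed Link Tracking clients using the DLT server on domain controllers and mentions no zones. It reads like a leftover from another policy description; confirm and drop or replace it in the same pass as the "shouldn't" change.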

View File

@ -127,7 +127,7 @@ This policy setting specifies that NetBIOS over TCP/IP (NetBT) queries are issue
If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names, such as "www.example.com" in addition to single-label names.
If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names.
If you disable this policy setting, or if you don't configure this policy setting, NetBT queries will only be issued for single-label names, such as "example" and not for multi-label and fully qualified domain names.
<!--/Description-->
@ -180,7 +180,7 @@ If you enable this policy setting, suffixes are allowed to be appended to an unq
If you disable this policy setting, no suffixes are appended to unqualified multi-label name queries if the original name query fails.
If you do not configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
If you don't configure this policy setting, computers will use their local DNS client settings to determine the query behavior for unqualified multi-label names.
<!--/Description-->
@ -225,7 +225,7 @@ This policy setting specifies a connection-specific DNS suffix. This policy sett
If you enable this policy setting, the DNS suffix that you enter will be applied to all network connections used by computers that receive this policy setting.
If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied connection specific DNS suffix, if configured.
<!--/Description-->
@ -273,22 +273,22 @@ With devolution, a DNS client creates queries by appending a single-label, unqua
The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
Devolution is not enabled if a global suffix search list is configured using Group Policy.
Devolution isn't enabled if a global suffix search list is configured using Group Policy.
If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
- The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
- Each connection-specific DNS suffix, assigned either through DHCP or specified in the DNS suffix for this connection box on the DNS tab in the Advanced TCP/IP Settings dialog box for each connection.
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using this policy setting. The default devolution level is two.
If you enable this policy setting and DNS devolution is also enabled, DNS clients use the DNS devolution level that you specify.
If you disable this policy setting or do not configure it, DNS clients use the default devolution level of two provided that DNS devolution is enabled.
If you disable this policy setting or don't configure it, DNS clients use the default devolution level of two if DNS devolution is enabled.
<!--/Description-->
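Review bot: The devolution example on the changed line still states the step "the query example.microsoft.com is submitted" twice in a row, so the walk-through from example.ooo.aaa.microsoft.com down to devolution level two reads as if one more query were sent than the names shown. Only "cannot" became "can't" here; suggest removing the repeated sentence while the line is open. The contraction pass is also uneven on this line: "if it is under specified devolution level" stays uncontracted and is missing "the".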
@ -333,9 +333,9 @@ ADMX Info:
<!--Description-->
This policy setting specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured.
If this policy setting is enabled, IDNs are not converted to Punycode.
If this policy setting is enabled, IDNs aren't converted to Punycode.
If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
If this policy setting is disabled, or if this policy setting isn't configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
<!--/Description-->
@ -381,7 +381,7 @@ This policy setting specifies whether the DNS client should convert internationa
If this policy setting is enabled, IDNs are converted to the Nameprep form.
If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form.
If this policy setting is disabled, or if this policy setting isn't configured, IDNs aren't converted to the Nameprep form.
<!--/Description-->
@ -429,7 +429,7 @@ To use this policy setting, click Enabled, and then enter a space-delimited list
If you enable this policy setting, the list of DNS servers is applied to all network connections used by computers that receive this policy setting.
If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied list of DNS servers, if configured.
<!--/Description-->
@ -475,7 +475,7 @@ This policy setting specifies that responses from link local name resolution pro
If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order.
If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.
If you disable this policy setting, or if you don't configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order.
> [!NOTE]
> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
@ -531,7 +531,7 @@ If you enable this policy setting, it supersedes the primary DNS suffix configur
You can use this policy setting to prevent users, including local administrators, from changing the primary DNS suffix.
If you disable this policy setting, or if you do not configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it is joined.
If you disable this policy setting, or if you don't configure this policy setting, each computer uses its local primary DNS suffix, which is usually the DNS name of Active Directory domain to which it's joined.
<!--/Description-->
@ -576,13 +576,13 @@ This policy setting specifies if a computer performing dynamic DNS registration
By default, a DNS client performing dynamic DNS registration registers A and PTR resource records with a concatenation of its computer name and the primary DNS suffix. For example, a computer name of mycomputer and a primary DNS suffix of microsoft.com will be registered as: mycomputer.microsoft.com.
If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This applies to all network connections used by computers that receive this policy setting.
If you enable this policy setting, a computer will register A and PTR resource records with its connection-specific DNS suffix, in addition to the primary DNS suffix. This suffix-update applies to all network connections used by computers that receive this policy setting.
For example, with a computer name of mycomputer, a primary DNS suffix of microsoft.com, and a connection specific DNS suffix of VPNconnection, a computer will register A and PTR resource records for mycomputer.VPNconnection and mycomputer.microsoft.com when this policy setting is enabled.
Important: This policy setting is ignored on a DNS client computer if dynamic DNS registration is disabled.
If you disable this policy setting, or if you do not configure this policy setting, a DNS client computer will not register any A and PTR resource records using a connection-specific DNS suffix.
If you disable this policy setting, or if you don't configure this policy setting, a DNS client computer won't register any A and PTR resource records using a connection-specific DNS suffix.
<!--/Description-->
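Review bot: "This suffix-update applies to all network connections" replaces a vague "This" with a term that appears nowhere else in the description, and what applies to every connection is the registration behavior from the previous sentence, not an update to a suffix. Suggest "This registration behavior applies to all network connections used by computers that receive this policy setting." Separately, the context line "Important: This policy setting is ignored…" is plain text, while other descriptions in this file use "> [!NOTE]" style callouts; consider converting it for consistency.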
@ -631,11 +631,11 @@ If you enable this policy setting, registration of PTR records will be determine
To use this policy setting, click Enabled, and then select one of the following options from the drop-down list:
- Do not register: Computers will not attempt to register PTR resource records
- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records was not successful.
- don't register: Computers won't attempt to register PTR resource records
- Register: Computers will attempt to register PTR resource records even if registration of the corresponding A records wasn't successful.
- Register only if A record registration succeeds: Computers will attempt to register PTR resource records only if registration of the corresponding A records was successful.
If you disable this policy setting, or if you do not configure this policy setting, computers will use locally configured settings.
If you disable this policy setting, or if you don't configure this policy setting, computers will use locally configured settings.
<!--/Description-->
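Review bot: The first list item changed from "Do not register:" to "don't register:", which lowercases the item and rewrites what the preceding sentence presents as an option in the drop-down list. The label before the colon should stay as the removed line had it ("Do not register"), with the contraction applied only to the explanation after the colon ("Computers won't attempt to register PTR resource records"). The other two items, "Register" and "Register only if A record registration succeeds", kept their labels intact.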
@ -678,7 +678,7 @@ ADMX Info:
<!--Description-->
This policy setting specifies if DNS dynamic update is enabled. Computers configured for DNS dynamic update automatically register and update their DNS resource records with a DNS server.
If you enable this policy setting, or you do not configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled.
If you enable this policy setting, or you don't configure this policy setting, computers will attempt to use dynamic DNS registration on all network connections that have connection-specific dynamic DNS registration enabled. For a dynamic DNS registration to be enabled on a network connection, the connection-specific configuration must allow dynamic DNS registration, and this policy setting must not be disabled.
If you disable this policy setting, computers may not use dynamic DNS registration for any of their network connections, regardless of the configuration for individual network connections.
@ -724,13 +724,13 @@ ADMX Info:
<!--Description-->
This policy setting specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses.
This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and does not allow a DNS client to overwrite records that are registered by other computers.
This policy setting is designed for computers that register address (A) resource records in DNS zones that don't use Secure Dynamic Updates. Secure Dynamic Update preserves ownership of resource records and doesn't allow a DNS client to overwrite records that are registered by other computers.
During dynamic update of resource records in a zone that does not use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
During dynamic update of resource records in a zone that doesn't use Secure Dynamic Updates, an A resource record might exist that associates the client's host name with an IP address different than the one currently in use by the client. By default, the DNS client attempts to replace the existing A resource record with an A resource record that has the client's current IP address.
If you enable this policy setting or if you do not configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.
If you enable this policy setting or if you don't configure this policy setting, DNS clients maintain their default behavior and will attempt to replace conflicting A resource records during dynamic update.
If you disable this policy setting, existing A resource records that contain conflicting IP addresses will not be replaced during a dynamic update, and an error will be recorded in Event Viewer.
If you disable this policy setting, existing A resource records that contain conflicting IP addresses won't be replaced during a dynamic update, and an error will be recorded in Event Viewer.
<!--/Description-->
@ -774,7 +774,7 @@ ADMX Info:
<!--Description-->
This policy setting specifies the interval used by DNS clients to refresh registration of A and PTR resource. This policy setting only applies to computers performing dynamic DNS updates.
Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record has not changed. This reregistration is required to indicate to DNS servers that records are current and should not be automatically removed (scavenged) when a DNS server is configured to delete stale records.
Computers configured to perform dynamic DNS registration of A and PTR resource records periodically reregister their records with DNS servers, even if the record hasn't changed. This reregistration is required to indicate to DNS servers that records are current and shouldn't be automatically removed (scavenged) when a DNS server is configured to delete stale records.
> [!WARNING]
> If record scavenging is enabled on the zone, the value of this policy setting should never be longer than the value of the DNS zone refresh interval. Configuring the registration refresh interval to be longer than the refresh interval of the DNS zone might result in the undesired deletion of A and PTR resource records.
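
Review bot: The first context line of this hunk ends "refresh registration of A and PTR resource." and is missing the word "records" that the next paragraph uses ("A and PTR resource records"). Worth fixing in this pass, since the paragraph directly below it is already being edited.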
@ -783,7 +783,7 @@ To specify the registration refresh interval, click Enabled and then enter a val
If you enable this policy setting, registration refresh interval that you specify will be applied to all network connections used by computers that receive this policy setting.
If you disable this policy setting, or if you do not configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
If you disable this policy setting, or if you don't configure this policy setting, computers will use the local or DHCP supplied setting. By default, client computers configured with a static IP address attempt to update their DNS resource records once every 24 hours and DHCP clients will attempt to update their DNS resource records when a DHCP lease is granted or renewed.
<!--/Description-->
@ -831,7 +831,7 @@ To specify the TTL, click Enabled and then enter a value in seconds (for example
If you enable this policy setting, the TTL value that you specify will be applied to DNS resource records registered for all network connections used by computers that receive this policy setting.
If you disable this policy setting, or if you do not configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
If you disable this policy setting, or if you don't configure this policy setting, computers will use the TTL settings specified in DNS. By default, the TTL is 1200 seconds (20 minutes).
<!--/Description-->
@ -875,7 +875,7 @@ ADMX Info:
<!--Description-->
This policy setting specifies the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name.
An unqualified single-label name contains no dots. The name "example" is a single-label name. This is different from a fully qualified domain name such as "example.microsoft.com."
An unqualified single-label name contains no dots. The name "example" is a single-label name. This name is different from a fully qualified domain name such as "example.microsoft.com."
Client computers that receive this policy setting will attach one or more suffixes to DNS queries for a single-label name. For example, a DNS query for the single-label name "example" will be modified to "example.microsoft.com" before sending the query to a DNS server if this policy setting is enabled with a suffix of "microsoft.com."
@ -883,7 +883,7 @@ To use this policy setting, click Enabled, and then enter a string value represe
If you enable this policy setting, one DNS suffix is attached at a time for each query. If a query is unsuccessful, a new DNS suffix is added in place of the failed suffix, and this new query is submitted. The values are used in the order they appear in the string, starting with the leftmost value and proceeding to the right until a query is successful or all suffixes are tried.
If you disable this policy setting, or if you do not configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.
If you disable this policy setting, or if you don't configure this policy setting, the primary DNS suffix and network connection-specific DNS suffixes are appended to the unqualified queries.
<!--/Description-->
@ -926,11 +926,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept.
This policy setting specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. If multiple positive responses are received, the network binding order is used to determine which response to accept.
If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
If you enable this policy setting, the DNS client won't perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail.
If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
If you disable this policy setting, or if you don't configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
<!--/Description-->
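Review bot: The opening sentence says the setting "specifies that a multi-homed DNS client should optimize name resolution across networks," but the next changed line says that enabling it means "the DNS client won't perform any optimizations," and the notes elsewhere in this file call it the "turn off smart multi-homed name resolution" setting. The summary reads as the opposite of the enabled behavior; suggest rewording the first sentence to say the setting turns the optimization off, then describing the parallel DNS, LLMNR and NetBT queries as the default behavior.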
@ -976,7 +976,7 @@ This policy setting specifies that the DNS client should prefer responses from l
If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks.
If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
If you disable this policy setting, or if you don't configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
> [!NOTE]
> This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
@ -1030,7 +1030,7 @@ To use this policy setting, click Enabled and then select one of the following v
If you enable this policy setting, computers that attempt to send dynamic DNS updates will use the security level that you specify in this policy setting.
If you disable this policy setting, or if you do not configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
If you disable this policy setting, or if you don't configure this policy setting, computers will use local settings. By default, DNS clients attempt to use unsecured dynamic update first. If an unsecured update is refused, clients try to use secure update.
<!--/Description-->
@ -1078,7 +1078,7 @@ By default, a DNS client that is configured to perform dynamic DNS update will u
If you enable this policy setting, computers send dynamic updates to any zone that is authoritative for the resource records that the computer needs to update, except the root zone.
If you disable this policy setting, or if you do not configure this policy setting, computers do not send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
If you disable this policy setting, or if you don't configure this policy setting, computers don't send dynamic updates to the root zone or top-level domain zones that are authoritative for the resource records that the computer needs to update.
<!--/Description-->
@ -1126,9 +1126,9 @@ With devolution, a DNS client creates queries by appending a single-label, unqua
The DNS client appends DNS suffixes to the single-label, unqualified domain name based on the state of the Append primary and connection specific DNS suffixes radio button and Append parent suffixes of the primary DNS suffix check box on the DNS tab in Advanced TCP/IP Settings for the Internet Protocol (TCP/IP) Properties dialog box.
Devolution is not enabled if a global suffix search list is configured using Group Policy.
Devolution isn't enabled if a global suffix search list is configured using Group Policy.
If a global suffix search list is not configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
If a global suffix search list isn't configured, and the Append primary and connection specific DNS suffixes radio button is selected, the DNS client appends the following names to a single-label name when it sends DNS queries:
The primary DNS suffix, as specified on the Computer Name tab of the System control panel.
@ -1136,13 +1136,13 @@ Each connection-specific DNS suffix, assigned either through DHCP or specified i
For example, when a user submits a query for a single-label name such as "example," the DNS client attaches a suffix such as "microsoft.com" resulting in the query "example.microsoft.com," before sending the query to a DNS server.
If a DNS suffix search list is not specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
If a DNS suffix search list isn't specified, the DNS client attaches the primary DNS suffix to a single-label name. If this query fails, the connection-specific DNS suffix is attached for a new query. If none of these queries are resolved, the client devolves the primary DNS suffix of the computer (drops the leftmost label of the primary DNS suffix), attaches this devolved primary DNS suffix to the single-label name, and submits this new query to a DNS server.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix cannot be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
For example, if the primary DNS suffix ooo.aaa.microsoft.com is attached to the non-dot-terminated single-label name "example," and the DNS query for example.ooo.aaa.microsoft.com fails, the DNS client devolves the primary DNS suffix (drops the leftmost label) till the specified devolution level, and submits a query for example.aaa.microsoft.com. If this query fails, the primary DNS suffix is devolved further if it is under specified devolution level and the query example.microsoft.com is submitted. If this query fails, devolution continues if it is under specified devolution level and the query example.microsoft.com is submitted, corresponding to a devolution level of two. The primary DNS suffix can't be devolved beyond a devolution level of two. The devolution level can be configured using the primary DNS suffix devolution level policy setting. The default devolution level is two.
If you enable this policy setting, or if you do not configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
If you enable this policy setting, or if you don't configure this policy setting, DNS clients attempt to resolve single-label names using concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
If you disable this policy setting, DNS clients do not attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
If you disable this policy setting, DNS clients don't attempt to resolve names that are concatenations of the single-label name to be resolved and the devolved primary DNS suffix.
<!--/Description-->
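Review bot: The rewritten example paragraph still submits the query example.microsoft.com twice: once after example.aaa.microsoft.com fails, and again in the sentence "If this query fails, devolution continues ...", so the last devolution step repeats the previous one instead of describing a new query. Since this line is being touched anyway, drop or merge the duplicated sentence so that example.microsoft.com appears once, as the query corresponding to a devolution level of two. The same line also keeps "till the specified devolution level" and "if it is under specified devolution level" (missing "the", and not contracted like the rest of this pass); "until the specified devolution level" and "if it's under the specified devolution level" would read consistently with the other changes.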
@ -1186,11 +1186,11 @@ ADMX Info:
<!--Description-->
This policy setting specifies that link local multicast name resolution (LLMNR) is disabled on client computers.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible.
LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR doesn't require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution isn't possible.
If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer.
If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
If you disable this policy setting, or you don't configure this policy setting, LLMNR will be enabled on all available network adapters.
<!--/Description-->
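Review bot: In the replacement for the "If you disable this policy setting" line, only "do not" becomes "don't"; the future tense "LLMNR will be enabled" stays, as does "will be disabled" in the unchanged "If you enable this policy setting" line above it. Because enabling this policy turns LLMNR off, the two sentences are easy to misread, and present tense ("LLMNR is disabled on all available network adapters" and "LLMNR is enabled on all available network adapters") would state the inverted sense more directly. The first line of the description also leaves "link local multicast name resolution" lowercase and unhyphenated; "Link-Local Multicast Name Resolution (LLMNR)" could be fixed in the same pass.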