Acrolinx enhancement effort

This commit is contained in:
Siddarth Mandalika 2022-03-14 17:42:05 +05:30
parent f8810a8858
commit ade0f87219
10 changed files with 352 additions and 352 deletions

@ -104,9 +104,9 @@ manager: dansimp
<!--Description-->
This policy prevents the user from showing account details (email address or user name) on the sign-in screen.
If you enable this policy setting, the user cannot choose to show account details on the sign-in screen.
If you enable this policy setting, the user can't choose to show account details on the sign-in screen.
If you disable or do not configure this policy setting, the user may choose to show account details on the sign-in screen.
If you disable or don't configure this policy setting, the user may choose to show account details on the sign-in screen.
<!--/Description-->
@ -152,7 +152,7 @@ This policy setting disables the acrylic blur effect on logon background image.
If you enable this policy, the logon background image shows without blur.
If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect.
If you disable or don't configure this policy, the logon background image adopts the acrylic blur effect.
<!--/Description-->
@ -294,11 +294,11 @@ ADMX Info:
<!--Description-->
This policy setting ignores customized run-once lists.
You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts.
You can create a customized list of other programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts.
If you enable this policy setting, the system ignores the run-once list.
If you disable or do not configure this policy setting, the system runs the programs in the run-once list.
If you disable or don't configure this policy setting, the system runs the programs in the run-once list.
This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
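Review bot: "other programs and documents" in the second paragraph of this hunk loses what "additional" was saying. The run-once list is a set of programs started on top of the standard startup list, so "other" leaves the reader asking "other than what?". Keep "additional programs and documents" here; the contraction edits in the same hunk are fine. The identical User Configuration description in the next hunk (@ -347) makes the same substitution and should track whatever is decided here.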
@ -347,11 +347,11 @@ ADMX Info:
<!--Description-->
This policy setting ignores customized run-once lists.
You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts.
You can create a customized list of other programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of programs and services that the system starts.
If you enable this policy setting, the system ignores the run-once list.
If you disable or do not configure this policy setting, the system runs the programs in the run-once list.
If you disable or don't configure this policy setting, the system runs the programs in the run-once list.
This policy setting appears in the Computer Configuration and User Configuration folders. If both policy settings are configured, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.
@ -400,9 +400,9 @@ ADMX Info:
<!--Description-->
This policy setting suppresses system status messages.
If you enable this setting, the system does not display a message reminding users to wait while their system starts or shuts down, or while users log on or off.
If you enable this setting, the system doesn't display a message reminding users to wait while their system starts or shuts down, or while users sign in or sign out.
If you disable or do not configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users log on or off.
If you disable or don't configure this policy setting, the system displays the message reminding users to wait while their system starts or shuts down, or while users sign in or sign out.
<!--/Description-->
@ -446,9 +446,9 @@ ADMX Info:
<!--Description-->
This policy setting prevents connected users from being enumerated on domain-joined computers.
If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers.
If you enable this policy setting, the Logon UI won't enumerate any connected users on domain-joined computers.
If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers.
If you disable or don't configure this policy setting, connected users will be enumerated on domain-joined computers.
<!--/Description-->
@ -496,9 +496,9 @@ If you enable this policy setting, the welcome screen is hidden from the user lo
Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box.
If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer.
If you disable or don't configure this policy, the welcome screen is displayed each time a user signs in to the computer.
This setting applies only to Windows. It does not affect the "Configure Your Server on a Windows Server" screen on Windows Server.
This setting applies only to Windows. It doesn't affect the "Configure Your Server on a Windows Server" screen on Windows Server.
> [!NOTE]
> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
@ -553,7 +553,7 @@ If you enable this policy setting, the welcome screen is hidden from the user lo
Users can still display the welcome screen by selecting it on the Start menu or by typing "Welcome" in the Run dialog box.
If you disable or do not configure this policy, the welcome screen is displayed each time a user logs on to the computer. This setting applies only to Windows. It does not affect the "Configure Your Server on a Windows Server" screen on Windows Server.
If you disable or don't configure this policy, the welcome screen is displayed each time a user signs in to the computer. This setting applies only to Windows. It doesn't affect the "Configure Your Server on a Windows Server" screen on Windows Server.
> [!NOTE]
> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the setting in Computer Configuration takes precedence over the setting in User Configuration.
@ -601,18 +601,18 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system.
This policy setting specifies other programs or documents that Windows starts automatically when a user signs in to the system.
If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied.
If you enable this policy setting, you can specify which programs can run at the time the user signs in to this computer that has this policy applied.
To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file.
If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon.
If you disable or don't configure this policy setting, the user will have to start the appropriate programs after signing in.
> [!NOTE]
> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting.
Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings.
Also, see the "Do not process the legacy run list" and the "don't process the run once list" settings.
<!--/Description-->
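Review bot: the last changed line of this hunk rewrites a quoted Group Policy setting title: "Do not process the run once list" becomes "don't process the run once list". Text inside the quotation marks is the display name of another policy exactly as it appears in the Group Policy editor and has to stay verbatim, otherwise the reader can't find the referenced setting; note that the sibling title "Do not process the legacy run list" on the same line was correctly left alone. Restore it to: Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings. The same regression is in the next hunk (@ -654). Separately, "other programs or documents" in the first line has the same ambiguity as in the run-once hunks above; "additional" is the intended meaning.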
@ -654,18 +654,18 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system.
This policy setting specifies other programs or documents that Windows starts automatically when a user signs in to the system.
If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has this policy applied.
If you enable this policy setting, you can specify which programs can run at the time the user signs in to this computer that has this policy applied.
To specify values for this policy setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file or document file. To specify another name, press ENTER, and type the name. Unless the file is located in the %Systemroot% directory, you must specify the fully qualified path to the file.
If you disable or do not configure this policy setting, the user will have to start the appropriate programs after logon.
If you disable or don't configure this policy setting, the user will have to start the appropriate programs after signing in.
> [!NOTE]
> This setting appears in the Computer Configuration and User Configuration folders. If both settings are configured, the system starts the programs specified in the Computer Configuration setting just before it starts the programs specified in the User Configuration setting.
Also, see the "Do not process the legacy run list" and the "Do not process the run once list" settings.
Also, see the "Do not process the legacy run list" and the "don't process the run once list" settings.
<!--/Description-->
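Review bot: same problem as the previous hunk on its last line: the quoted policy title must remain "Do not process the run once list". Policy display names are quoted references, not prose, and are exempt from the contraction style rule.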
@ -708,29 +708,29 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy processing is not synchronous; client computers typically do not wait for the network to be fully initialized at startup and logon. Existing users are logged on using cached credentials, which results in shorter logon times. Group Policy is applied in the background after the network becomes available.
This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user sign in). By default, on client computers, Group Policy processing isn't synchronous; client computers typically don't wait for the network to be fully initialized at startup and sign in. Existing users are signed in using cached credentials, which results in shorter sign-in times. Group Policy is applied in the background after the network becomes available.
Note that because this is a background refresh, extensions such as Software Installation and Folder Redirection take two logons to apply changes. To be able to operate safely, these extensions require that no users be logged on. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two logons to be detected.
Because this process (of applying Group Policy) is a background refresh, extensions such as Software Installation and Folder Redirection take two sign-ins to apply changes. To be able to operate safely, these extensions require that no users be signed in. Therefore, they must be processed in the foreground before users are actively using the computer. In addition, changes that are made to the user object, such as adding a roaming profile path, home directory, or user object logon script, may take up to two sign-ins to be detected.
If a user with a roaming profile, home directory, or user object logon script logs on to a computer, computers always wait for the network to be initialized before logging the user on. If a user has never logged on to this computer before, computers always wait for the network to be initialized.
If a user with a roaming profile, home directory, or user object logon script signs in to a computer, computers always wait for the network to be initialized before signing in the user. If a user has never signed in to this computer before, computers always wait for the network to be initialized.
If you enable this policy setting, computers wait for the network to be fully initialized before users are logged on. Group Policy is applied in the foreground, synchronously.
If you enable this policy setting, computers wait for the network to be fully initialized before users are signed in. Group Policy is applied in the foreground, synchronously.
On servers running Windows Server 2008 or later, this policy setting is ignored during Group Policy processing at computer startup and Group Policy processing will be synchronous (these servers wait for the network to be initialized during computer startup).
If the server is configured as follows, this policy setting takes effect during Group Policy processing at user logon:
If the server is configured as follows, this policy setting takes effect during Group Policy processing at user sign in:
- The server is configured as a terminal server (that is, the Terminal Server role service is installed and configured on the server); and
- The “Allow asynchronous user Group Policy processing when logging on through Terminal Services” policy setting is enabled. This policy setting is located under Computer Configuration\Policies\Administrative templates\System\Group Policy\\.
If this configuration is not implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user logon is synchronous (these servers wait for the network to be initialized during user logon).
If this configuration isn't implemented on the server, this policy setting is ignored. In this case, Group Policy processing at user sign in is synchronous (these servers wait for the network to be initialized during user sign in).
If you disable or do not configure this policy setting and users log on to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically does not wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background.
If you disable or don't configure this policy setting and users sign in to a client computer or a server running Windows Server 2008 or later and that is configured as described earlier, the computer typically doesn't wait for the network to be fully initialized. In this case, users are logged on with cached credentials. Group Policy is applied asynchronously in the background.
> [!NOTE]
>
> - If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one logon, enable this policy setting to ensure that Windows waits for the network to be available before applying policy.
> - If Folder Redirection policy will apply during the next logon, security policies will be applied asynchronously during the next update cycle, if network connectivity is available.
> - If you want to guarantee the application of Folder Redirection, Software Installation, or roaming user profile settings in just one sign in, enable this policy setting to ensure that Windows waits for the network to be available before applying policy.
> - If Folder Redirection policy will apply during the next sign in, security policies will be applied asynchronously during the next update cycle, if network connectivity is available.
<!--/Description-->
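Review bot: "sign in" is used as a noun without a hyphen in several changed lines of this hunk ("during computer startup and user sign in", "at user sign in", "in just one sign in", "during the next sign in") while the first paragraph correctly writes "sign-in times". The verb is "sign in"; the noun and adjective form is "sign-in", so hyphenate the noun uses. Two further points in the same hunk: "Because this process (of applying Group Policy) is a background refresh" is heavier than the original and reads better as "Because Group Policy is applied as a background refresh, extensions such as Software Installation and Folder Redirection take two sign-ins to apply changes."; and the last paragraph still says "users are logged on with cached credentials" after every neighbouring sentence was switched to "signed in". The quoted title "Allow asynchronous user Group Policy processing when logging on through Terminal Services" is correctly left verbatim.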
@ -774,9 +774,9 @@ ADMX Info:
<!--Description-->
This policy setting ignores Windows Logon Background.
This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the logon screen always attempts to load a custom background instead of the Windows-branded logon background.
This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the sign-in screen always attempts to load a custom background instead of the Windows-branded logon background.
If you disable or do not configure this policy setting, Windows uses the default Windows logon background or custom background.
If you disable or don't configure this policy setting, Windows uses the default Windows logon background or custom background.
<!--/Description-->
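Review bot: the changed sentence now mixes terms within one clause: "the sign-in screen always attempts to load a custom background instead of the Windows-branded logon background". The policy itself is titled "Windows Logon Background" and the other lines in this description keep "logon background", so either leave "logon screen" here or change the whole description consistently; don't rename the feature only in the middle of the sentence.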
@ -824,7 +824,7 @@ This policy setting is designed for advanced users who require this information.
If you enable this policy setting, the system displays status messages that reflect each step in the process of starting, shutting down, logging on, or logging off the system.
If you disable or do not configure this policy setting, only the default status messages are displayed to the user during these processes.
If you disable or don't configure this policy setting, only the default status messages are displayed to the user during these processes.
> [!NOTE]
> This policy setting is ignored if the "Remove Boot/Shutdown/Logon/Logoff status messages" policy setting is enabled.

@ -338,7 +338,7 @@ manager: dansimp
<!--Description-->
This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance.
If you enable or do not configure this setting, the antimalware service will load as a normal priority task.
If you enable or don't configure this setting, the antimalware service will load as a normal priority task.
If you disable this setting, the antimalware service will load as a low priority task.
@ -384,13 +384,13 @@ ADMX Info:
<!--Description-->
This policy setting turns off Microsoft Defender Antivirus.
If you enable this policy setting, Microsoft Defender Antivirus does not run, and will not scan computers for malware or other potentially unwanted software.
If you enable this policy setting, Microsoft Defender Antivirus doesn't run, and won't scan computers for malware or other potentially unwanted software.
If you disable this policy setting, Microsoft Defender Antivirus will run regardless of any other installed antivirus product.
If you do not configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software.
If you don't configure this policy setting, Windows will internally manage Microsoft Defender Antivirus. If you install another antivirus program, Windows automatically disables Microsoft Defender Antivirus. Otherwise, Microsoft Defender Antivirus will scan your computers for malware and other potentially unwanted software.
Enabling or disabling this policy may lead to unexpected or unsupported behavior. It is recommended that you leave this policy setting unconfigured.
Enabling or disabling this policy may lead to unexpected or unsupported behavior. It's recommended that you leave this policy setting unconfigured.
<!--/Description-->
@ -438,7 +438,7 @@ Disabled (Default):
Microsoft Defender Antivirus will exclude pre-defined list of paths from the scan to improve performance.
Enabled:
Microsoft Defender Antivirus will not exclude pre-defined list of paths from scans. This can impact machine performance in some scenarios.
Microsoft Defender Antivirus won't exclude pre-defined list of paths from scans. This non-exclusion can impact machine performance in some scenarios.
Not configured:
Same as Disabled.
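Review bot: "This non-exclusion can impact machine performance in some scenarios" is an awkward way to give "This" a subject. The natural subject is the scanning: "Scanning these paths can affect performance in some scenarios." While touching the line, also add the missing article in "won't exclude pre-defined list of paths" ("the pre-defined list of paths"), which is absent in both the old and new text.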
@ -483,17 +483,17 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check will not occur, which will lower the protection state of the device.
This feature ensures the device checks in real time with the Microsoft Active Protection Service (MAPS) before allowing certain content to be run or accessed. If this feature is disabled, the check won't occur, which will lower the protection state of the device.
Enabled The Block at First Sight setting is turned on.
Disabled The Block at First Sight setting is turned off.
This feature requires these Policy settings to be set as follows:
- MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature will not function.
- MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature will not function.
- Real-time Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature will not function.
- Real-time Protection -> Do not enable the “Turn off real-time protection” policy or the “Block at First Sight” feature will not function.
- MAPS -> The “Join Microsoft MAPS” must be enabled or the “Block at First Sight” feature won't function.
- MAPS -> The “Send file samples when further analysis is required” should be set to 1 (Send safe samples) or 3 (Send all samples). Setting to 0 (Always Prompt) will lower the protection state of the device. Setting to 2 (Never send) means the “Block at First Sight” feature won't function.
- Real-time Protection -> The “Scan all downloaded files and attachments” policy must be enabled or the “Block at First Sight” feature won't function.
- Real-time Protection -> don't enable the “Turn off real-time protection” policy or the “Block at First Sight” feature won't function.
<!--/Description-->
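Review bot: the last bullet of the prerequisite list now begins with a lowercase word: "Real-time Protection -> don't enable the “Turn off real-time protection” policy ...". The other three bullets start their clause with a capital ("The “Join Microsoft MAPS” ...", "The “Send file samples ...”"), so this should read "Real-time Protection -> Don't enable the “Turn off real-time protection” policy or the “Block at First Sight” feature won't function." The quoted policy titles in the bullets are correctly left verbatim.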
@ -537,7 +537,7 @@ ADMX Info:
<!--Description-->
This policy setting controls whether or not complex list settings configured by a local administrator are merged with Policy settings. This setting applies to lists such as threats and Exclusions.
If you enable or do not configure this setting, unique items defined in Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. In the case of conflicts, Policy Settings will override preference settings.
If you enable or don't configure this setting, unique items defined in Policy and in preference settings configured by the local administrator will be merged into the resulting effective policy. If conflicts occur, Policy Settings will override preference settings.
If you disable this setting, only items defined by Policy will be used in the resulting effective policy. Policy settings will override preference settings configured by the local administrator.
@ -585,9 +585,9 @@ This policy setting turns off real-time protection prompts for known malware det
Microsoft Defender Antivirus alerts you when malware or potentially unwanted software attempts to install itself or to run on your computer.
If you enable this policy setting, Microsoft Defender Antivirus will not prompt users to take actions on malware detections.
If you enable this policy setting, Microsoft Defender Antivirus won't prompt users to take actions on malware detections.
If you disable or do not configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections.
If you disable or don't configure this policy setting, Microsoft Defender Antivirus will prompt users to take actions on malware detections.
<!--/Description-->
@ -631,9 +631,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure whether Microsoft Defender Antivirus automatically takes action on all detected threats. The action to be taken on a particular threat is determined by the combination of the policy-defined action, user-defined action, and the signature-defined action.
If you enable this policy setting, Microsoft Defender Antivirus does not automatically take action on the detected threats, but prompts users to choose from the actions available for each threat.
If you enable this policy setting, Microsoft Defender Antivirus doesn't automatically take action on the detected threats, but prompts users to choose from the actions available for each threat.
If you disable or do not configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds.
If you disable or don't configure this policy setting, Microsoft Defender Antivirus automatically takes action on all detected threats after a nonconfigurable delay of approximately five seconds.
<!--/Description-->
@ -675,7 +675,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value is not used and it is recommended that this be set to 0.
This policy setting allows you to specify a list of file types that should be excluded from scheduled, custom, and real-time scanning. File types should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the file type extension (such as "obj" or "lib"). The value isn't used and it's recommended that this value is set to 0.
<!--/Description-->
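Review bot: "it's recommended that this value is set to 0" needs the subjunctive after "recommended that": "it's recommended that this value be set to 0", or plainer, "The value isn't used; set it to 0." The same construction is introduced in the next two hunks (@ -719 for path exclusions and @ -761 for process exclusions) and should be fixed the same way in all three.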
@ -719,7 +719,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to disable scheduled and real-time scanning for files under the paths specified or for the fully qualified resources specified. Paths should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a path or a fully qualified resource name.
As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value is not used and it is recommended that this be set to 0.
As an example, a path might be defined as: "c:\Windows" to exclude all files in this directory. A fully qualified resource name might be defined as: "C:\Windows\App.exe". The value isn't used and it's recommended that this value is set to 0.
<!--/Description-->
@ -761,7 +761,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself will not be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Note that only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value is not used and it is recommended that this be set to 0.
This policy setting allows you to disable scheduled and real-time scanning for any file opened by any of the specified processes. The process itself won't be excluded. To exclude the process, use the Path exclusion. Processes should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of the path to the process image. Only executables can be excluded. For example, a process might be defined as: "c:\windows\app.exe". The value isn't used and it's recommended that this value is set to 0.
<!--/Description-->
@ -818,7 +818,7 @@ No exclusions will be applied to the ASR rules.
Not configured:
Same as Disabled.
You can configure ASR rules in the Configure Attack Surface Reduction rules GP setting.
You can configure ASR rules in the "Configure Attack Surface Reduction rules" GP setting.
<!--/Description-->
@ -860,13 +860,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Set the state for each Attack Surface Reduction (ASR) rule.
Set the state for each ASR rule.
After enabling this setting, you can set each rule to the following in the Options section:
After enabling this setting, you can set each rule to the following values in the Options section:
- Block: the rule will be applied
- Audit Mode: if the rule would normally cause an event, then it will be recorded (although the rule will not actually be applied)
- Off: the rule will not be applied
- Block: The rule will be applied
- Audit Mode: If the rule would normally cause an event, then it will be recorded (although the rule won't actually be applied)
- Off: The rule won't be applied
Enabled:
Specify the state for each ASR rule under the Options section for this setting.
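Review bot: the first changed line drops the acronym expansion: "Set the state for each Attack Surface Reduction (ASR) rule" becomes "Set the state for each ASR rule". This is the first use of ASR inside this policy's own description (the previous hunk belongs to a different setting, the ASR exclusions one, and each description is read on its own in the editor), so keep the expansion on first use. The capitalization and "won't" changes in the Block/Audit Mode/Off bullets are fine.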
@ -933,24 +933,24 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
Add additional applications that should be considered "trusted" by controlled folder access.
Add other applications that should be considered "trusted" by controlled folder access.
These applications are allowed to modify or delete files in controlled folder access folders.
Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add additional applications.
Microsoft Defender Antivirus automatically determines which applications should be trusted. You can configure this setting to add other applications.
Enabled:
Specify additional allowed applications in the Options section..
Specify other allowed applications in the Options section.
Disabled:
No additional applications will be added to the trusted list.
No other applications will be added to the trusted list.
Not configured:
Same as Disabled.
You can enable controlled folder access in the Configure controlled folder access GP setting.
You can enable controlled folder access in the "Configure controlled folder access" GP setting.
Default system folders are automatically guarded, but you can add folders in the configure protected folders GP setting.
Default system folders are automatically guarded, but you can add folders in the "Configure protected folders" GP setting.
<!--/Description-->
@ -994,23 +994,23 @@ ADMX Info:
<!--Description-->
Specify additional folders that should be guarded by the Controlled folder access feature.
Files in these folders cannot be modified or deleted by untrusted applications.
Files in these folders can't be modified or deleted by untrusted applications.
Default system folders are automatically protected. You can configure this setting to add additional folders.
Default system folders are automatically protected. You can configure this setting to add more folders.
The list of default system folders that are protected is shown in Windows Security.
Enabled:
Specify additional folders that should be protected in the Options section.
Specify more folders that should be protected in the Options section.
Disabled:
No additional folders will be protected.
No other folders will be protected.
Not configured:
Same as Disabled.
You can enable controlled folder access in the Configure controlled folder access GP setting.
You can enable controlled folder access in the "Configure controlled folder access" GP setting.
Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add additional trusted applications in the Configure allowed applications GP setting.
Microsoft Defender Antivirus automatically determines which applications can be trusted. You can add more trusted applications in the "Configure allowed applications" GP setting.
<!--/Description-->
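Review bot: the replacement for "additional" is inconsistent within this hunk and with the previous one: the folder lines use "more" ("add more folders", "Specify more folders") while the Disabled line uses "other" ("No other folders will be protected"), and the last line says "You can add more trusted applications" where the previous hunk describes the same allowed-applications list with "Specify other allowed applications". Pick one term per list and apply it in both places; "other" works on the Disabled lines, since "No more folders will be protected" would read as "no longer".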
@ -1055,10 +1055,10 @@ ADMX Info:
Enable or disable file hash computation feature.
Enabled:
When this feature is enabled Microsoft Defender Antivirus will compute hash value for files it scans.
When this feature is enabled, Microsoft Defender Antivirus will compute hash value for files it scans.
Disabled:
File hash value is not computed
File hash value isn't computed
Not configured:
Same as Disabled.
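Review bot: two grammar problems in this hunk are left untouched by the rewrite. The Enabled line "Microsoft Defender Antivirus will compute hash value for files it scans" needs an article ("will compute a hash value for files it scans", or "hash values"), and the Disabled line "File hash value isn't computed" has no terminal period, unlike every other line in the block. The opening line also wants "the": "Enable or disable the file hash computation feature."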
@ -1103,9 +1103,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system is not vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance.
This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerability. If the system isn't vulnerable to the exploit detected by a definition, then that definition is "retired". If all security intelligence for a given protocol are retired, then that protocol is no longer parsed. Enabling this feature helps to improve performance. On a computer that is up-to-date with all the latest security updates, network protection will have no impact on network performance.
If you enable or do not configure this setting, definition retirement will be enabled.
If you enable or don't configure this setting, definition retirement will be enabled.
If you disable this setting, definition retirement will be disabled.
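Review bot: subject-verb agreement in the third sentence of the description is still wrong after the rewrite: "If all security intelligence for a given protocol are retired" should read "is retired", since "security intelligence" is singular. In the last sentence, "a computer that is up-to-date" is a predicate adjective and is conventionally written without hyphens ("up to date").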
@ -1149,7 +1149,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting defines additional definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value is not used and it is recommended that this be set to 0.
This policy setting defines more definition sets to enable for network traffic inspection. Definition set GUIDs should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name should be a string representation of a definition set GUID. As an example, the definition set GUID to enable test security intelligence is defined as: “{b54b6ac9-a737-498e-9120-6616ad3bf590}”. The value isn't used and it's recommended that this value is set to 0.
<!--/Description-->
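Review bot: the rewritten final sentence needs the subjunctive: "it's recommended that this value is set to 0" should be "it's recommended that this value be set to 0". While editing this line, "name value pair" should be hyphenated ("name-value pair"), and the curly quotes around the sample GUID (“{b54b6ac9-a737-498e-9120-6616ad3bf590}”) should be straight quotes so the value can be copied into the Options field without cleanup.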
@ -1193,7 +1193,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities.
If you enable or do not configure this setting, protocol recognition will be enabled.
If you enable or don't configure this setting, protocol recognition will be enabled.
If you disable this setting, protocol recognition will be disabled.
@ -1241,7 +1241,7 @@ This policy, if defined, will prevent antimalware from using the configured prox
If you enable this setting, the proxy server will be bypassed for the specified addresses.
If you disable or do not configure this setting, the proxy server will not be bypassed for the specified addresses.
If you disable or don't configure this setting, the proxy server won't be bypassed for the specified addresses.
<!--/Description-->
@ -1283,7 +1283,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there is no proxy auto-config specified, the client will fall back to the alternative options (in order):
This policy setting defines the URL of a proxy .pac file that should be used when the client attempts to connect the network for security intelligence updates and MAPS reporting. If the proxy auto-config fails or if there's no proxy auto-config specified, the client will fall back to the alternative options (in order):
1. Proxy server (if specified)
2. Proxy .pac URL (if specified)
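Review bot: "when the client attempts to connect the network" is missing "to" in both the old and the new line of this hunk. The parallel description of the named proxy setting further down in this file already reads "attempts to connect to the network", so this sentence should match: "when the client attempts to connect to the network for security intelligence updates and MAPS reporting".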
@ -1293,7 +1293,7 @@ This policy setting defines the URL of a proxy .pac file that should be used whe
If you enable this setting, the proxy setting will be set to use the specified proxy .pac according to the order specified above.
If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above.
If you disable or don't configure this setting, the proxy will skip over this fallback step according to the order specified above.
<!--/Description-->
@ -1335,7 +1335,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the client will fall back to the alternative options (in order):
This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for security intelligence updates and MAPS reporting. If the named proxy fails or if there's no proxy specified, the client will fall back to the alternative options (in order):
1. Proxy server (if specified)
2. Proxy .pac URL (if specified)
@ -1345,7 +1345,7 @@ This policy setting allows you to configure the named proxy that should be used
If you enable this setting, the proxy will be set to the specified URL according to the order specified above. The URL should be proceeded with either http:// or https://.
If you disable or do not configure this setting, the proxy will skip over this fallback step according to the order specified above.
If you disable or don't configure this setting, the proxy will skip over this fallback step according to the order specified above.
<!--/Description-->
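Review bot: the unchanged context line "The URL should be proceeded with either http:// or https://." uses the wrong word; it should read "The URL should be preceded by either http:// or https://." Since the hunk already touches this paragraph, it is worth fixing in the same pass.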
@ -1391,7 +1391,7 @@ This policy setting configures a local override for the configuration of the num
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -1437,7 +1437,7 @@ This policy setting defines the number of days items should be kept in the Quara
If you enable this setting, items will be removed from the Quarantine folder after the number of days specified.
If you disable or do not configure this setting, items will be kept in the quarantine folder indefinitely and will not be automatically removed.
If you disable or don't configure this setting, items will be kept in the quarantine folder indefinitely and won't be automatically removed.
<!--/Description-->
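Review bot: capitalization of the folder name is inconsistent across the two sentences of this hunk: "removed from the Quarantine folder" in the Enabled sentence versus "kept in the quarantine folder" in the Disabled sentence. Use one form in both.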
@ -1481,7 +1481,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled security intelligence update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machines sharing a host, to prevent multiple guest virtual machines from undertaking a disk-intensive operation at the same time.
If you enable or do not configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time.
If you enable or don't configure this setting, scheduled tasks will begin at a random time within an interval of 30 minutes before and after the specified start time.
If you disable this setting, scheduled tasks will begin at the specified start time.
@ -1527,7 +1527,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure behavior monitoring.
If you enable or do not configure this setting, behavior monitoring will be enabled.
If you enable or don't configure this setting, behavior monitoring will be enabled.
If you disable this setting, behavior monitoring will be disabled.
@ -1573,7 +1573,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure scanning for all downloaded files and attachments.
If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled.
If you enable or don't configure this setting, scanning for all downloaded files and attachments will be enabled.
If you disable this setting, scanning for all downloaded files and attachments will be disabled.
@ -1619,7 +1619,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure monitoring for file and program activity.
If you enable or do not configure this setting, monitoring for file and program activity will be enabled.
If you enable or don't configure this setting, monitoring for file and program activity will be enabled.
If you disable this setting, monitoring for file and program activity will be disabled.
@ -1665,7 +1665,7 @@ ADMX Info:
<!--Description-->
This policy setting controls whether raw volume write notifications are sent to behavior monitoring.
If you enable or do not configure this setting, raw write notifications will be enabled.
If you enable or don't configure this setting, raw write notifications will be enabled.
If you disable this setting, raw write notifications be disabled.
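Review bot: the Disabled sentence in the trailing context is missing its verb: "raw write notifications be disabled" should read "raw write notifications will be disabled", matching the Enabled sentence directly above it.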
@ -1709,11 +1709,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off.
This policy setting allows you to configure process scanning when real-time protection is turned on. This configuration helps to catch malware that could start when real-time protection is turned off.
If you enable or do not configure this setting, a process scan will be initiated when real-time protection is turned on.
If you enable or don't configure this setting, a process scan will be initiated when real-time protection is turned on.
If you disable this setting, a process scan will not be initiated when real-time protection is turned on.
If you disable this setting, a process scan won't be initiated when real-time protection is turned on.
<!--/Description-->
@ -1759,7 +1759,7 @@ This policy setting defines the maximum size (in kilobytes) of downloaded files
If you enable this setting, downloaded files and attachments smaller than the size specified will be scanned.
If you disable or do not configure this setting, a default size will be applied.
If you disable or don't configure this setting, a default size will be applied.
<!--/Description-->
@ -1805,7 +1805,7 @@ This policy setting configures a local override for the configuration of behavio
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -1851,7 +1851,7 @@ This policy setting configures a local override for the configuration of scannin
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -1897,7 +1897,7 @@ This policy setting configures a local override for the configuration of monitor
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -1943,7 +1943,7 @@ This policy setting configures a local override for the configuration to turn on
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -1989,7 +1989,7 @@ This policy setting configures a local override for the configuration of monitor
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -2035,7 +2035,7 @@ This policy setting configures a local override for the configuration of the tim
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -2093,7 +2093,7 @@ This setting can be configured with the following ordinal number values:
If you enable this setting, a scheduled full scan to complete remediation will run at the frequency specified.
If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default frequency.
If you disable or don't configure this setting, a scheduled full scan to complete remediation will run at a default frequency.
<!--/Description-->
@ -2139,7 +2139,7 @@ This policy setting allows you to specify the time of day at which to perform a
If you enable this setting, a scheduled full scan to complete remediation will run at the time of day specified.
If you disable or do not configure this setting, a scheduled full scan to complete remediation will run at a default time.
If you disable or don't configure this setting, a scheduled full scan to complete remediation will run at a default time.
<!--/Description-->
@ -2267,9 +2267,9 @@ ADMX Info:
<!--Description-->
Use this policy setting to specify if you want Microsoft Defender Antivirus enhanced notifications to display on clients.
If you disable or do not configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients.
If you disable or don't configure this setting, Microsoft Defender Antivirus enhanced notifications will display on clients.
If you enable this setting, Microsoft Defender Antivirus enhanced notifications will not display on clients.
If you enable this setting, Microsoft Defender Antivirus enhanced notifications won't display on clients.
<!--/Description-->
@ -2312,9 +2312,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure whether or not Watson events are sent.
If you enable or do not configure this setting, Watson events will be sent.
If you enable or don't configure this setting, Watson events will be sent.
If you disable this setting, Watson events will not be sent.
If you disable this setting, Watson events won't be sent.
<!--/Description-->
@ -2531,9 +2531,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to manage whether or not end users can pause a scan in progress.
If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan.
If you enable or don't configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan.
If you disable this setting, users will not be able to pause scans.
If you disable this setting, users won't be able to pause scans.
<!--/Description-->
@ -2579,7 +2579,7 @@ This policy setting allows you to configure the maximum directory depth level in
If you enable this setting, archive files will be scanned to the directory depth level specified.
If you disable or do not configure this setting, archive files will be scanned to the default directory depth level.
If you disable or don't configure this setting, archive files will be scanned to the default directory depth level.
<!--/Description-->
@ -2625,7 +2625,7 @@ This policy setting allows you to configure the maximum size of archive files su
If you enable this setting, archive files less than or equal to the size specified will be scanned.
If you disable or do not configure this setting, archive files will be scanned according to the default value.
If you disable or don't configure this setting, archive files will be scanned according to the default value.
<!--/Description-->
@ -2670,9 +2670,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files.
If you enable or do not configure this setting, archive files will be scanned.
If you enable or don't configure this setting, archive files will be scanned.
If you disable this setting, archive files will not be scanned.
If you disable this setting, archive files won't be scanned.
<!--/Description-->
@ -2718,7 +2718,7 @@ This policy setting allows you to configure e-mail scanning. When e-mail scannin
If you enable this setting, e-mail scanning will be enabled.
If you disable or do not configure this setting, e-mail scanning will be disabled.
If you disable or don't configure this setting, e-mail scanning will be disabled.
<!--/Description-->
@ -2760,9 +2760,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics.
This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It's recommended that you don't turn off heuristics.
If you enable or do not configure this setting, heuristics will be enabled.
If you enable or don't configure this setting, heuristics will be enabled.
If you disable this setting, heuristics will be disabled.
@ -2806,11 +2806,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled.
This policy setting allows you to configure scanning for packed executables. It's recommended that this type of scanning remains enabled.
If you enable or do not configure this setting, packed executables will be scanned.
If you enable or don't configure this setting, packed executables will be scanned.
If you disable this setting, packed executables will not be scanned.
If you disable this setting, packed executables won't be scanned.
<!--/Description-->
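Review bot: the rewrite of the first sentence introduces a grammar error: "It's recommended that this type of scanning remains enabled" should keep the subjunctive of the original, "remain enabled". The same pattern appears later in this file ("It's recommended that this setting remains disabled"), so both should be corrected together.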
@ -2856,7 +2856,7 @@ This policy setting allows you to manage whether or not to scan for malicious so
If you enable this setting, removable drives will be scanned during any type of scan.
If you disable or do not configure this setting, removable drives will not be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.
If you disable or don't configure this setting, removable drives won't be scanned during a full scan. Removable drives may still be scanned during quick scan and custom scan.
<!--/Description-->
@ -2898,11 +2898,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this is the recommended state for this functionality.
This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there's a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse point scanning is disabled by default and this setting is the recommended state for this functionality.
If you enable this setting, reparse point scanning will be enabled.
If you disable or do not configure this setting, reparse point scanning will be disabled.
If you disable or don't configure this setting, reparse point scanning will be disabled.
<!--/Description-->
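Review bot: "Reparse point scanning is disabled by default and this setting is the recommended state for this functionality" is awkward, since a setting is not a state; suggest "Reparse point scanning is disabled by default, which is the recommended state for this functionality." The preceding sentence also needs a comma before the result clause: "to a maximum depth, so at worst scanning could be slowed."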
@ -2948,7 +2948,7 @@ This policy setting allows you to create a system restore point on the computer
If you enable this setting, a system restore point will be created.
If you disable or do not configure this setting, a system restore point will not be created.
If you disable or don't configure this setting, a system restore point won't be created.
<!--/Description-->
@ -2993,7 +2993,7 @@ This policy setting allows you to configure scanning mapped network drives.
If you enable this setting, mapped network drives will be scanned.
If you disable or do not configure this setting, mapped network drives will not be scanned.
If you disable or don't configure this setting, mapped network drives won't be scanned.
<!--/Description-->
@ -3035,11 +3035,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting.
This policy setting allows you to configure scanning for network files. It's recommended that you don't enable this setting.
If you enable this setting, network files will be scanned.
If you disable or do not configure this setting, network files will not be scanned.
If you disable or don't configure this setting, network files won't be scanned.
<!--/Description-->
@ -3085,7 +3085,7 @@ This policy setting configures a local override for the configuration of maximum
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -3131,7 +3131,7 @@ This policy setting configures a local override for the configuration of the sca
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -3177,7 +3177,7 @@ This policy setting configures a local override for the configuration of schedul
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -3223,7 +3223,7 @@ This policy setting configures a local override for the configuration of schedul
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -3269,7 +3269,7 @@ This policy setting configures a local override for the configuration of schedul
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -3315,7 +3315,7 @@ This policy setting allows you to enable or disable low CPU priority for schedul
If you enable this setting, low CPU priority will be used during scheduled scans.
If you disable or do not configure this setting, not changes will be made to CPU priority for scheduled scans.
If you disable or don't configure this setting, not changes will be made to CPU priority for scheduled scans.
<!--/Description-->
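Review bot: the typo in the Disabled sentence survives the rewrite: "not changes will be made to CPU priority for scheduled scans" should read "no changes will be made to CPU priority for scheduled scans".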
@ -3361,7 +3361,7 @@ This policy setting allows you to define the number of consecutive scheduled sca
If you enable this setting, a catch-up scan will occur after the specified number consecutive missed scheduled scans.
If you disable or do not configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans.
If you disable or don't configure this setting, a catch-up scan will occur after the 2 consecutive missed scheduled scans.
<!--/Description-->
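Review bot: two grammar errors in this hunk are left in place. The Enabled sentence "after the specified number consecutive missed scheduled scans" is missing "of" ("after the specified number of consecutive missed scheduled scans"), and the Disabled sentence "after the 2 consecutive missed scheduled scans" has a stray "the" ("after 2 consecutive missed scheduled scans").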
@ -3403,11 +3403,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will not be automatically removed. By default, the value is set to 30 days.
This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and won't be automatically removed. By default, the value is set to 30 days.
If you enable this setting, items will be removed from the scan history folder after the number of days specified.
If you disable or do not configure this setting, items will be kept in the scan history folder for the default number of days.
If you disable or don't configure this setting, items will be kept in the scan history folder for the default number of days.
<!--/Description-->
@ -3449,11 +3449,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans will not occur. By default, this setting is set to 0.
This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval quick scans won't occur. By default, this setting is set to 0.
If you enable this setting, a quick scan will run at the interval specified.
If you disable or do not configure this setting, a quick scan will run at a default time.
If you disable or don't configure this setting, a quick scan will run at a default time.
<!--/Description-->
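Review bot: the Disabled sentence contradicts the description in the same hunk. The description states "If set to zero, interval quick scans won't occur. By default, this setting is set to 0", yet the last line says "If you disable or don't configure this setting, a quick scan will run at a default time." If the default really is 0, disabling or not configuring the setting means no interval quick scan runs, and the sentence should say so; otherwise the stated default is wrong. One of the two lines needs correcting.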
@ -3497,7 +3497,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use.
If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use.
If you enable or don't configure this setting, scheduled scans will only run when the computer is on but not in use.
If you disable this setting, scheduled scans will run at the scheduled time.
@ -3557,7 +3557,7 @@ This setting can be configured with the following ordinal number values:
If you enable this setting, a scheduled scan will run at the frequency specified.
If you disable or do not configure this setting, a scheduled scan will run at a default frequency.
If you disable or don't configure this setting, a scheduled scan will run at a default frequency.
<!--/Description-->
@ -3603,7 +3603,7 @@ This policy setting allows you to specify the time of day at which to perform a
If you enable this setting, a scheduled scan will run at the time of day specified.
If you disable or do not configure this setting, a scheduled scan will run at a default time.
If you disable or don't configure this setting, a scheduled scan will run at a default time.
<!--/Description-->
@ -3645,11 +3645,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It is recommended that this setting remain disabled.
This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware security intelligence is disabled. It's recommended that this setting remains disabled.
If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence is disabled.
If you enable this setting, the antimalware service will always remain running even if both antivirus and antispyware security intelligence are disabled.
If you disable or do not configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it is set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped.
If you disable or don't configure this setting, the antimalware service will be stopped when both antivirus and antispyware security intelligence is disabled. If the computer is restarted, the service will be started if it's set to Automatic startup. After the service has started, there will be a check to see if antivirus and antispyware security intelligence is enabled. If at least one is enabled, the service will remain running. If both are disabled, the service will be stopped.
<!--/Description-->
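Review bot: the agreement fix is applied to only one of the two parallel sentences in this hunk. The Enabled sentence is changed from "antivirus and antispyware security intelligence is disabled" to "are disabled", but the Disabled paragraph still reads "when both antivirus and antispyware security intelligence is disabled", and the description's first sentence also keeps "is disabled". Choose one form and use it throughout; with "both antivirus and antispyware" as the subject, "are" is the consistent choice. Separately, "It's recommended that this setting remains disabled" should be "remain disabled" (subjunctive), as in the original.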
@ -3691,13 +3691,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
This policy setting allows you to define the number of days that must pass before spyware security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
We do not recommend setting the value to less than 2 days to prevent machines from going out of date.
We don't recommend setting the value to less than 2 days to prevent machines from going out of date.
If you enable this setting, spyware security intelligence will be considered out of date after the number of days specified have passed without an update.
If you disable or do not configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update.
If you disable or don't configure this setting, spyware security intelligence will be considered out of date after the default number of days have passed without an update.
<!--/Description-->
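Review bot: The recommendation sentence is ambiguous as written: "We don't recommend setting the value to less than 2 days to prevent machines from going out of date" reads as if declining to set the value is what prevents machines from going out of date. The intent is that a value below 2 days would make security intelligence be reported as out of date too quickly; consider "Don't set the value to less than 2 days, because machines would be reported as out of date too soon." Also, in "after the number of days specified have passed", the subject is "the number", so "has passed" is the correct agreement (same phrase appears in the following virus security intelligence hunk).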
@ -3739,11 +3739,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several additional actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
This policy setting allows you to define the number of days that must pass before virus security intelligence is considered out of date. If security intelligence is determined to be out of date, this state may trigger several other actions, including falling back to an alternative update source or displaying a warning icon in the user interface. By default, this value is set to 14 days.
If you enable this setting, virus security intelligence will be considered out of date after the number of days specified have passed without an update.
If you disable or do not configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update.
If you disable or don't configure this setting, virus security intelligence will be considered out of date after the default number of days have passed without an update.
<!--/Description-->
@ -3787,9 +3787,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure UNC file share sources for downloading security intelligence updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the security intelligence update sources. For example: "{\\\unc1 | \\\unc2 }". The list is empty by default.
If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
If you enable this setting, the specified sources will be contacted for security intelligence updates. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted.
If you disable or do not configure this setting, the list will remain empty by default and no sources will be contacted.
If you disable or don't configure this setting, the list will remain empty by default and no sources will be contacted.
<!--/Description-->
@ -3831,11 +3831,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure the automatic scan which starts after a security intelligence update has occurred.
This policy setting allows you to configure the automatic scan that starts after a security intelligence update has occurred.
If you enable or do not configure this setting, a scan will start following a security intelligence update.
If you enable or don't configure this setting, a scan will start following a security intelligence update.
If you disable this setting, a scan will not start following a security intelligence update.
If you disable this setting, a scan won't start following a security intelligence update.
<!--/Description-->
@ -3879,7 +3879,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure security intelligence updates when the computer is running on battery power.
If you enable or do not configure this setting, security intelligence updates will occur as usual regardless of power state.
If you enable or don't configure this setting, security intelligence updates will occur as usual regardless of power state.
If you disable this setting, security intelligence updates will be turned off while the computer is running on battery power.
@ -3923,11 +3923,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure security intelligence updates on startup when there is no antimalware engine present.
This policy setting allows you to configure security intelligence updates on startup when there's no antimalware engine present.
If you enable or do not configure this setting, security intelligence updates will be initiated on startup when there is no antimalware engine present.
If you enable or don't configure this setting, security intelligence updates will be initiated on startup when there's no antimalware engine present.
If you disable this setting, security intelligence updates will not be initiated on startup when there is no antimalware engine present.
If you disable this setting, security intelligence updates won't be initiated on startup when there's no antimalware engine present.
<!--/Description-->
@ -3973,9 +3973,9 @@ This policy setting allows you to define the order in which different security i
For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC }
If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted.
If you enable this setting, security intelligence update sources will be contacted in the order specified. Once security intelligence updates have been successfully downloaded from one specified source, the remaining sources in the list won't be contacted.
If you disable or do not configure this setting, security intelligence update sources will be contacted in a default order.
If you disable or don't configure this setting, security intelligence update sources will be contacted in a default order.
<!--/Description-->
@ -4021,7 +4021,7 @@ This policy setting allows you to enable download of security intelligence updat
If you enable this setting, security intelligence updates will be downloaded from Microsoft Update.
If you disable or do not configure this setting, security intelligence updates will be downloaded from the configured download source.
If you disable or don't configure this setting, security intelligence updates will be downloaded from the configured download source.
<!--/Description-->
@ -4065,9 +4065,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to enable real-time security intelligence updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest security intelligence update has security intelligence for a threat involving that file, the service will receive all of the latest security intelligence for that threat immediately. You must have configured your computer to join Microsoft MAPS for this functionality to work.
If you enable or do not configure this setting, real-time security intelligence updates will be enabled.
If you enable or don't configure this setting, real-time security intelligence updates will be enabled.
If you disable this setting, real-time security intelligence updates will disabled.
If you disable this setting, real-time security intelligence updates will be disabled.
<!--/Description-->
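Review bot: The first description line still reads "If the service reports a file as an unknown", which should be "as unknown" (or "as an unknown file"). The fix of "will disabled" to "will be disabled" on the last changed line is correct; that same description line is worth touching while this hunk is open.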
@ -4125,7 +4125,7 @@ This setting can be configured with the following ordinal number values:
If you enable this setting, the check for security intelligence updates will occur at the frequency specified.
If you disable or do not configure this setting, the check for security intelligence updates will occur at a default frequency.
If you disable or don't configure this setting, the check for security intelligence updates will occur at a default frequency.
<!--/Description-->
@ -4171,7 +4171,7 @@ This policy setting allows you to specify the time of day at which to check for
If you enable this setting, the check for security intelligence updates will occur at the time of day specified.
If you disable or do not configure this setting, the check for security intelligence updates will occur at the default time.
If you disable or don't configure this setting, the check for security intelligence updates will occur at the default time.
<!--/Description-->
@ -4215,7 +4215,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to define the security intelligence location for VDI-configured computers.
If you disable or do not configure this setting, security intelligence will be referred from the default local source.
If you disable or don't configure this setting, security intelligence will be referred from the default local source.
<!--/Description-->
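Review bot: "security intelligence will be referred from the default local source" is awkward and does not say what happens; "referred from" is not a standard phrasing for where updates are fetched. Consider "security intelligence will be retrieved from the default local source" (or "obtained from"), which matches the "download source" wording used in the other security intelligence update hunks in this file.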
@ -4259,9 +4259,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure the antimalware service to receive notifications to disable individual security intelligence in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to disable security intelligence that are causing false positive reports. You must have configured your computer to join Microsoft MAPS for this functionality to work.
If you enable this setting or do not configure, the antimalware service will receive notifications to disable security intelligence.
If you enable this setting or don't configure, the antimalware service will receive notifications to disable security intelligence.
If you disable this setting, the antimalware service will not receive notifications to disable security intelligence.
If you disable this setting, the antimalware service won't receive notifications to disable security intelligence.
<!--/Description-->
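Review bot: The changed line "If you enable this setting or don't configure, the antimalware service will receive notifications" leaves "don't configure" without an object. Use the form already used throughout this file: "If you enable or don't configure this setting, ...". In the description sentence, "disable security intelligence that are causing false positive reports" also mismatches number; either "security intelligence that is causing" or "the security intelligence definitions that are causing".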
@ -4307,7 +4307,7 @@ This policy setting allows you to define the number of days after which a catch-
If you enable this setting, a catch-up security intelligence update will occur after the specified number of days.
If you disable or do not configure this setting, a catch-up security intelligence update will be required after the default number of days.
If you disable or don't configure this setting, a catch-up security intelligence update will be required after the default number of days.
<!--/Description-->
@ -4353,7 +4353,7 @@ This policy setting allows you to manage whether a check for new virus and spywa
If you enable this setting, a check for new security intelligence will occur after service startup.
If you disable this setting or do not configure this setting, a check for new security intelligence will not occur after service startup.
If you disable this setting or don't configure this setting, a check for new security intelligence won't occur after service startup.
<!--/Description-->
@ -4397,7 +4397,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft will not use this information to identify you or contact you.
You can choose to send basic or additional information about detected software. Additional information helps Microsoft create new security intelligence and help it to protect your computer. This information can include things like location of detected items on your computer if harmful software was removed. The information will be automatically collected and sent. In some instances, personal information might unintentionally be sent to Microsoft. However, Microsoft won't use this information to identify you or contact you.
Possible options are:
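Review bot: The second paragraph has a verb agreement problem that this pass did not fix: "Additional information helps Microsoft create new security intelligence and help it to protect your computer" should be "helps Microsoft create new security intelligence and helps it protect your computer". This hunk also keeps "additional information" while the same pass replaced "additional" with "more" or "extra" in the other Defender hunks; if the goal is consistent terminology, decide whether "additional" is allowed here.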
@ -4409,9 +4409,9 @@ Basic membership will send basic information to Microsoft about software that ha
Advanced membership, in addition to basic information, will send more information to Microsoft about malicious software, spyware, and potentially unwanted software, including the location of the software, file names, how the software operates, and how it has impacted your computer.
If you enable this setting, you will join Microsoft MAPS with the membership specified.
If you enable this setting, you'll join Microsoft MAPS with the membership specified.
If you disable or do not configure this setting, you will not join Microsoft MAPS.
If you disable or don't configure this setting, you won't join Microsoft MAPS.
In Windows 10, Basic membership is no longer available, so setting the value to 1 or 2 enrolls the device into Advanced membership.
@ -4459,7 +4459,7 @@ ADMX Info:
If you enable this setting, the local preference setting will take priority over Policy.
If you disable or do not configure this setting, Policy will take priority over the local preference setting.
If you disable or don't configure this setting, Policy will take priority over the local preference setting.
<!--/Description-->
@ -4502,7 +4502,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting customize which remediation action will be taken for each listed Threat ID when it is detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken.
This policy setting customizes which remediation action will be taken for each listed Threat ID when it's detected during a scan. Threats should be added under the Options for this setting. Each entry must be listed as a name value pair. The name defines a valid Threat ID, while the value contains the action ID for the remediation action that should be taken.
Valid remediation action values are:
@ -4550,11 +4550,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display.
This policy setting allows you to configure whether or not to display more text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to call the company help desk. The client interface will only display a maximum of 1024 characters. Longer strings will be truncated before display.
If you enable this setting, the additional text specified will be displayed.
If you enable this setting, the extra text specified will be displayed.
If you disable or do not configure this setting, there will be no additional text displayed.
If you disable or don't configure this setting, there will be no extra text displayed.
<!--/Description-->
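Review bot: This hunk replaces "additional text" with two different terms: the description line now says "display more text", while the enable and disable lines say "extra text". Use a single term in all three sentences (for example "additional text" or "extra text"). The description also contains a sentence fragment, "For example, the phone number to call the company help desk."; fold it into the preceding sentence: "The text displayed is a custom administrator-defined string, for example the phone number of the company help desk."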
@ -4598,9 +4598,9 @@ ADMX Info:
<!--Description-->
Use this policy setting to specify if you want Microsoft Defender Antivirus notifications to display on clients.
If you disable or do not configure this setting, Microsoft Defender Antivirus notifications will display on clients.
If you disable or don't configure this setting, Microsoft Defender Antivirus notifications will display on clients.
If you enable this setting, Microsoft Defender Antivirus notifications will not display on clients.
If you enable this setting, Microsoft Defender Antivirus notifications won't display on clients.
<!--/Description-->
@ -4644,7 +4644,7 @@ ADMX Info:
<!--Description-->
This policy setting allows user to suppress reboot notifications in UI only mode (for cases where UI can't be in lockdown mode).
If you enable this setting AM UI won't show reboot notifications.
If you enable this setting, AM UI won't show reboot notifications.
<!--/Description-->
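Review bot: The unchanged description line "This policy setting allows user to suppress reboot notifications" is missing an article or plural: "allows users to suppress" or "allows the user to suppress". The added comma in "If you enable this setting, AM UI won't show reboot notifications" is right, but "AM UI" is an unexpanded abbreviation here and in the next hunk; spell out "antimalware user interface (AM UI)" on first use so the sentence stands on its own.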
@ -4688,7 +4688,7 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure whether or not to display AM UI to the users.
If you enable this setting AM UI won't be available to users.
If you enable this setting, AM UI won't be available to users.
<!--/Description-->

View File

@ -76,17 +76,17 @@ This policy setting permits or prohibits use of this snap-in.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted.
- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those snap-ins explicitly permitted.
To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.
To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those snap-ins explicitly prohibited.
To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.
To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted.
When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
<!--/Description-->
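Review bot: Inserting "snap-ins" to avoid a bare "those" produces redundant wording: "users can't use any snap-in except those snap-ins explicitly permitted" and "users can use any snap-in except those snap-ins explicitly prohibited". Since "snap-in" is already the object of "any", "except those that are explicitly permitted" / "except those that are explicitly prohibited" reads better and keeps the meaning. The same replacement is repeated in the two following snap-in hunks and in the "Restrict users to the explicitly permitted list of snap-ins" hunk ("except those snap-ins that you explicitly permit"), so whichever form is chosen should be applied in all of them.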
@ -132,17 +132,17 @@ This policy setting permits or prohibits use of this snap-in.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted.
- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those snap-ins explicitly permitted.
To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.
To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those snap-ins explicitly prohibited.
To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.
To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted.
When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
<!--/Description-->
@ -188,17 +188,17 @@ This policy setting permits or prohibits use of this snap-in.
If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited.
If this setting is not configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
If this setting isn't configured, the setting of the "Restrict users to the explicitly permitted list of snap-ins" setting determines whether this snap-in is permitted or prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users cannot use any snap-in except those explicitly permitted.
- If "Restrict users to the explicitly permitted list of snap-ins" is enabled, users can't use any snap-in except those snap-ins explicitly permitted.
To explicitly permit use of this snap-in, enable this setting. If this setting is not configured (or disabled), this snap-in is prohibited.
To explicitly permit use of this snap-in, enable this setting. If this setting isn't configured (or disabled), this snap-in is prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those explicitly prohibited.
- If "Restrict users to the explicitly permitted list of snap-ins" is disabled or not configured, users can use any snap-in except those snap-ins explicitly prohibited.
To explicitly prohibit use of this snap-in, disable this setting. If this setting is not configured (or enabled), the snap-in is permitted.
To explicitly prohibit use of this snap-in, disable this setting. If this setting isn't configured (or enabled), the snap-in is permitted.
When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
<!--/Description-->
@ -244,11 +244,11 @@ This policy setting prevents users from entering author mode.
This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default.
As a result, users cannot create console files or add or remove snap-ins. Also, because they cannot open author-mode console files, they cannot use the tools that the files contain.
As a result, users can't create console files or add or remove snap-ins. Also, because they can't open author-mode console files, they can't use the tools that the files contain.
This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users cannot open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also cannot open a blank MMC console window from a command prompt.
This setting permits users to open MMC user-mode console files, such as those on the Administrative Tools menu in Windows 2000 Server family or Windows Server 2003 family. However, users can't open a blank MMC console window on the Start menu. (To open the MMC, click Start, click Run, and type mmc.) Users also can't open a blank MMC console window from a command prompt.
If you disable this setting or do not configure it, users can enter author mode and open author-mode console files.
If you disable this setting or don't configure it, users can enter author mode and open author-mode console files.
<!--/Description-->
@ -292,18 +292,18 @@ ADMX Info:
<!--Description-->
This policy setting lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins.
- If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins.
- If you enable this setting, all snap-ins are prohibited, except those snap-ins that you explicitly permit. Use this setting if you plan to prohibit use of most snap-ins.
To explicitly permit a snap-in, open the Restricted/Permitted snap-ins setting folder and enable the settings representing the snap-in you want to permit. If a snap-in setting in the folder is disabled or not configured, the snap-in is prohibited.
- If you disable this setting or do not configure it, all snap-ins are permitted, except those that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins.
- If you disable this setting or don't configure it, all snap-ins are permitted, except those snap-ins that you explicitly prohibit. Use this setting if you plan to permit use of most snap-ins.
To explicitly prohibit a snap-in, open the Restricted/Permitted snap-ins setting folder and then disable the settings representing the snap-ins you want to prohibit. If a snap-in setting in the folder is enabled or not configured, the snap-in is permitted.
When a snap-in is prohibited, it does not appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in does not appear.
When a snap-in is prohibited, it doesn't appear in the Add/Remove Snap-in window in MMC. Also, when a user opens a console file that includes a prohibited snap-in, the console file opens, but the prohibited snap-in doesn't appear.
> [!NOTE]
> If you enable this setting, and you do not enable any settings in the Restricted/Permitted snap-ins folder, users cannot use any MMC snap-ins.
> If you enable this setting, and you don't enable any settings in the Restricted/Permitted snap-ins folder, users can't use any MMC snap-ins.
<!--/Description-->

View File

@ -62,11 +62,11 @@ manager: dansimp
<!--Description-->
This policy setting controls whether users can provide Microsoft accounts for authentication for applications or services. If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication.
This applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires.
This functionality applies both to existing users of a device and new users who may be added. However, any application or service that has already authenticated a user won't be affected by enabling this setting until the authentication cache expires.
It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication.
It's recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication.
By default, this setting is Disabled. This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
By default, this setting is Disabled. This setting doesn't affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications.
<!--/Description-->
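Review bot: Two things in this hunk. First, replacing "This applies" with "This functionality applies" picks the wrong antecedent: what applies to existing and new users is the restriction on using Microsoft accounts for authentication, not a piece of functionality; "This restriction applies" (or "This setting applies") is clearer. Second, the line "If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication" is left uncontracted while every comparable sentence in this commit now uses "isn't configured"; for consistency with the rest of the pass, change it to "is disabled or isn't configured". The guidance to enable the setting before any user signs in, so no cached tokens exist, is the operative security point and should stay as written.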

View File

@ -65,9 +65,9 @@ manager: dansimp
<!--Description-->
This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts.
If you enable this policy setting, this will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel.
If you enable this policy setting, this scheduled time will override the default daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel.
If you disable or do not configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply.
If you disable or don't configure this policy setting, the daily scheduled time as specified in Security and Maintenance/Automatic Maintenance Control Panel will apply.
<!--/Description-->
@ -115,7 +115,7 @@ The maintenance random delay is the amount of time up to which Automatic Mainten
If you enable this policy setting, Automatic Maintenance will delay starting from its Activation Boundary, by up to this time.
If you do not configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance.
If you don't configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance.
If you disable this policy setting, no random delay will be applied to Automatic Maintenance.
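Review bot: The changed line "If you don't configure this policy setting, 4 hour random delay will be applied to Automatic Maintenance" is missing an article and a hyphen: "a 4-hour random delay will be applied".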

View File

@ -72,9 +72,9 @@ If you enable this policy setting, users can use MSDT to collect and send diagno
By default, the support provider is set to Microsoft Corporation.
If you disable this policy setting, MSDT cannot run in support mode, and no data can be collected or sent to the support provider.
If you disable this policy setting, MSDT can't run in support mode, and no data can be collected or sent to the support provider.
If you do not configure this policy setting, MSDT support mode is enabled by default.
If you don't configure this policy setting, MSDT support mode is enabled by default.
No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.
@ -122,23 +122,23 @@ This policy setting restricts the tool download policy for Microsoft Support Dia
Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals.
For some problems, MSDT may prompt the user to download additional tools for troubleshooting. These tools are required to completely troubleshoot the problem.
For some problems, MSDT may prompt the user to download more tools for troubleshooting. These tools are required to completely troubleshoot the problem.
If tool download is restricted, it may not be possible to find the root cause of the problem.
If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download additional tools to diagnose problems on remote computers only.
If you enable this policy setting for remote troubleshooting, MSDT prompts the user to download more tools to diagnose problems on remote computers only.
If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for additional tool downloading.
If you enable this policy setting for local and remote troubleshooting, MSDT always prompts for more tool downloading.
If you disable this policy setting, MSDT never downloads tools, and is unable to diagnose problems on remote computers.
If you do not configure this policy setting, MSDT prompts the user before downloading any additional tools. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.
If you don't configure this policy setting, MSDT prompts the user before downloading any extra tools. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.
This policy setting will take effect only when MSDT is enabled.
This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state.
When the service is stopped or disabled, diagnostic scenarios are not executed.
When the service is stopped or disabled, diagnostic scenarios aren't executed.
The DPS can be configured with the Services snap-in to the Microsoft Management Console.
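Review bot: the replacement for "additional" is inconsistent within this hunk: "download more tools" in the two enable sentences versus "downloading any extra tools" in the "don't configure" sentence. Pick one word for all three; "prompts the user before downloading any more tools" keeps the hunk consistent with the earlier sentences.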
@ -186,13 +186,13 @@ This policy setting determines the execution level for Microsoft Support Diagnos
Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you enable this policy setting, administrators can use MSDT to collect and send diagnostic data to a support professional to resolve a problem.
If you disable this policy setting, MSDT cannot gather diagnostic data. If you do not configure this policy setting, MSDT is turned on by default.
If you disable this policy setting, MSDT can't gather diagnostic data. If you don't configure this policy setting, MSDT is turned on by default.
This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured.
This policy setting takes effect only if the diagnostics-wide scenario execution policy isn't configured.
No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.
This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
This policy setting will only take effect when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios won't be executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
<!--/Description-->

View File

@ -132,11 +132,11 @@ This policy setting allows users to search for installation files during privile
If you enable this policy setting, the Browse button in the "Use feature from" dialog box is enabled. As a result, users can search for installation files even when the installation program is running with elevated system privileges.
Because the installation is running with elevated system privileges, users can browse through directories that their own permissions would not allow.
Because the installation is running with elevated system privileges, users can browse through directories that their own permissions wouldn't allow.
This policy setting does not affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting.
This policy setting doesn't affect installations that run in the user's security context. Also, see the "Remove browse dialog box for new source" policy setting.
If you disable or do not configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
If you disable or don't configure this policy setting, by default, only system administrators can browse during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
<!--/Description-->
@ -183,9 +183,9 @@ This policy setting allows users to install programs from removable media during
If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even when the installation program is running with elevated system privileges.
This policy setting does not affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context.
This policy setting doesn't affect installations that run in the user's security context. By default, users can install from removable media when the installation runs in their own security context.
If you disable or do not configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media.
If you disable or don't configure this policy setting, by default, users can install programs from removable media only when the installation runs in the user's security context. During privileged installations, such as those offered on the desktop or displayed in Add or Remove Programs, only system administrators can install from removable media.
Also, see the "Prevent removable media source for any install" policy setting.
@ -234,9 +234,9 @@ This policy setting allows users to patch elevated products.
If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that replace only those program files that have changed. Because patches can easily be vehicles for malicious programs, some installations prohibit their use.
If you disable or do not configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
If you disable or don't configure this policy setting, by default, only system administrators can apply patches during installations with elevated privileges, such as installations offered on the desktop or displayed in Add or Remove Programs.
This policy setting does not affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting.
This policy setting doesn't affect installations that run in the user's security context. By default, users can install patches to programs that run in their own security context. Also, see the "Prohibit patching" policy setting.
<!--/Description-->
@ -288,7 +288,7 @@ If you enable this policy setting, you can use the options in the Prohibit Use o
- The "Restart Manager Off for Legacy App Setup" option applies to packages that were created for Windows Installer versions lesser than 4.0. This option lets those packages display the legacy files in use UI while still using Restart Manager for detection.
If you disable or do not configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible.
If you disable or don't configure this policy setting, Windows Installer will use Restart Manager to detect files in use and mitigate a system restart, when possible.
<!--/Description-->
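Review bot: the unchanged context line "packages that were created for Windows Installer versions lesser than 4.0" should read "earlier than 4.0"; "lesser than" is not standard for a version comparison, and the line sits inside the hunk being edited, so it can be fixed in the same pass.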
@ -337,9 +337,9 @@ If you enable this policy setting, the Browse button beside the "Use feature fro
This policy setting applies even when the installation is running in the user's security context.
If you disable or do not configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.
If you disable or don't configure this policy setting, the Browse button is enabled when an installation is running in the user's security context. But only system administrators can browse when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.
This policy setting affects Windows Installer only. It does not prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files.
This policy setting affects Windows Installer only. It doesn't prevent users from selecting other browsers, such as File Explorer or Network Locations, to search for installation files.
Also, see the "Enable user to browse for source while elevated" policy setting.
@ -388,7 +388,7 @@ This policy setting controls the ability to turn off all patch optimizations.
If you enable this policy setting, all Patch Optimization options are turned off during the installation.
If you disable or do not configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing.
If you disable or don't configure this policy setting, it enables faster application of patches by removing execution of unnecessary actions. The flyweight patching mode is primarily designed for patches that just update a few files or registry values. The Installer will analyze the patch for specific changes to determine if optimization is possible. If so, the patch will be applied using a minimal set of processing.
<!--/Description-->
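Review bot: "If you disable or don't configure this policy setting, it enables faster application of patches" leaves "it" without a clear antecedent (the policy, or Windows Installer?). Suggest "If you disable or don't configure this policy setting, the Installer applies patches faster by skipping unnecessary actions", so the subject is explicit; the rest of the line already describes the flyweight patching mode.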
@ -439,7 +439,7 @@ If you enable this policy setting, you can use the options in the Disable loggin
- The "Logging via package settings off" option turns off the automatic logging behavior when specified via the MsiLogging policy. Log files can still be generated using the logging command line switch or the Logging policy.
If you disable or do not configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property.
If you disable or don't configure this policy setting, Windows Installer will automatically generate log files for those packages that include the MsiLogging property.
<!--/Description-->
@ -488,11 +488,11 @@ If you enable this policy setting, you can prevent users from installing softwar
- The "Never" option indicates Windows Installer is fully enabled. Users can install and upgrade software.
- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This is the default behavior of Windows Installer on Windows Server 2003 family when the policy is not configured.
- The "For non-managed applications only" option permits users to install only those programs that a system administrator assigns (offers on the desktop) or publishes (adds them to Add or Remove Programs). This option's induced behavior is the default behavior of Windows Installer on Windows Server 2003 family when the policy isn't configured.
- The "Always" option indicates that Windows Installer is disabled.
This policy setting affects Windows Installer only. It does not prevent users from using other methods to install and upgrade programs.
This policy setting affects Windows Installer only. It doesn't prevent users from using other methods to install and upgrade programs.
<!--/Description-->
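Review bot: "This option's induced behavior is the default behavior of Windows Installer on Windows Server 2003 family" is more awkward than the text it replaces. If the style rule is to avoid a sentence starting with a bare "This", "This option is the default behavior of Windows Installer on the Windows Server 2003 family when the policy isn't configured" is shorter and also adds the missing article.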
@ -537,11 +537,11 @@ ADMX Info:
<!--Description-->
This policy setting prevents users from installing any programs from removable media.
If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature cannot be found.
If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature can't be found.
This policy setting applies even when the installation is running in the user's security context.
If you disable or do not configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.
If you disable or don't configure this policy setting, users can install from removable media when the installation is running in their own security context, but only system administrators can use removable media when an installation is running with elevated system privileges, such as installations offered on the desktop or in Add or Remove Programs.
Also, see the "Enable user to use media source while elevated" and "Hide the 'Add a program from CD-ROM or floppy disk' option" policy settings.
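Review bot: the double conditional in "If you enable this policy setting, if a user tries to install a program from removable media" is carried over unchanged. Suggest "If you enable this policy setting and a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stating that the feature can't be found."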
@ -593,7 +593,7 @@ If you enable this policy setting, users are prevented from using Windows Instal
> [!NOTE]
> This policy setting applies only to installations that run in the user's security context.
If you disable or do not configure this policy setting, by default, users who are not system administrators cannot apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs.
If you disable or don't configure this policy setting, by default, users who aren't system administrators can't apply patches to installations that run with elevated system privileges, such as those offered on the desktop or in Add or Remove Programs.
Also, see the "Enable user to patch elevated products" policy setting.
@ -640,11 +640,11 @@ ADMX Info:
<!--Description-->
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential.
This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder.
This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered to be enabled, even if it's explicitly disabled in the other folder.
<!--/Description-->
@ -688,11 +688,11 @@ ADMX Info:
<!--Description-->
This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation.
If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer cannot restore the computer to its original state if the installation does not complete.
If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence of changes it makes during installation. It also prevents Windows Installer from retaining files it intends to delete later. As a result, Windows Installer can't restore the computer to its original state if the installation doesn't complete.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, do not use this policy setting unless it is essential.
This policy setting is designed to reduce the amount of temporary disk space required to install programs. Also, it prevents malicious users from interrupting an installation to gather data about the internal state of the computer or to search secure system files. However, because an incomplete installation can render the system or a program inoperable, don't use this policy setting unless it's essential.
This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it is considered be enabled, even if it is explicitly disabled in the other folder.
This policy setting appears in the Computer Configuration and User Configuration folders. If the policy setting is enabled in either folder, it's considered to be enabled, even if it's explicitly disabled in the other folder.
<!--/Description-->
@ -739,7 +739,7 @@ This policy setting controls the ability to turn off shared components.
If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table.
If you disable or do not configure this policy setting, by default, the shared component functionality is allowed.
If you disable or don't configure this policy setting, by default, the shared component functionality is allowed.
<!--/Description-->
@ -788,7 +788,7 @@ When you enable this policy setting, you can specify the types of events you wan
To disable logging, delete all of the letters from the box.
If you disable or do not configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap."
If you disable or don't configure this policy setting, Windows Installer logs the default event types, represented by the letters "iweap."
<!--/Description-->
@ -838,7 +838,7 @@ Non-administrator updates provide a mechanism for the author of an application t
If you enable this policy setting, only administrators or users with administrative privileges can apply updates to Windows Installer based applications.
If you disable or do not configure this policy setting, users without administrative privileges can install non-administrator updates.
If you disable or don't configure this policy setting, users without administrative privileges can install non-administrator updates.
<!--/Description-->
@ -884,11 +884,11 @@ ADMX Info:
<!--Description-->
This policy setting controls the ability for users or administrators to remove Windows Installer based updates.
This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed cannot be removed by users or administrators.
This policy setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once installed can't be removed by users or administrators.
If you enable this policy setting, updates cannot be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product.
If you enable this policy setting, updates can't be removed from the computer by a user or an administrator. The Windows Installer can still remove an update that is no longer applicable to the product.
If you disable or do not configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context."
If you disable or don't configure this policy setting, a user can remove an update from the computer only if the user has been granted privileges to remove the update. This grant of privileges can depend on whether the user is an administrator, whether "Disable Windows Installer" and "Always install with elevated privileges" policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context."
<!--/Description-->
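Review bot: the stray closing quotation mark at the end of "per-user unmanaged, or per-machine context."" is kept in the new line; drop it. "This grant of privileges can depend on whether the user is an administrator" is also awkward; "Whether the user has that privilege depends on whether the user is an administrator, whether ... policy settings are set, and whether the update was installed in a per-user managed, per-user unmanaged, or per-machine context." says the same thing directly.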
@ -932,11 +932,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files.
This policy setting prevents Windows Installer from creating a System Restore checkpoint each time an application is installed. System Restore enables users - when a problem occurs - to restore their computers to a previous state without losing personal data files.
If you enable this policy setting, the Windows Installer does not generate System Restore checkpoints when installing applications.
If you enable this policy setting, the Windows Installer doesn't generate System Restore checkpoints when installing applications.
If you disable or do not configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application.
If you disable or don't configure this policy setting, by default, the Windows Installer automatically creates a System Restore checkpoint each time an application is installed, so that users can restore their computer to the state it was in before installing the application.
<!--/Description-->
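Review bot: the spaced hyphens used as parenthetical dashes in "enables users - when a problem occurs - to restore their computers" are not the punctuation used anywhere else in these descriptions; use commas: "System Restore enables users, when a problem occurs, to restore their computers to a previous state without losing personal data files."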
@ -982,9 +982,9 @@ ADMX Info:
<!--Description-->
This policy setting allows you to configure user installs. To configure this policy setting, set it to enabled and use the drop-down list to select the behavior you want.
If you do not configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, this hides a per-computer installation of that same product.
If you don't configure this policy setting, or if the policy setting is enabled and "Allow User Installs" is selected, the installer allows and makes use of products that are installed per user, and products that are installed per computer. If the installer finds a per-user install of an application, the per-computer installation of that same product is hidden.
If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile.
If you enable this policy setting and "Hide User Installs" is selected, the installer ignores per-user applications. This behavior of the installer causes a per-computer installed application to be visible to users, even if those users have a per-user install of the product registered in their user profile.
<!--/Description-->
@ -1030,15 +1030,15 @@ ADMX Info:
<!--Description-->
This policy setting causes the Windows Installer to enforce strict rules for component upgrades.
If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following:
If you enable this policy setting, strict upgrade rules will be enforced by the Windows Installer, which may cause some upgrades to fail. Upgrades can fail if they attempt to do one of the following steps:
(1) Remove a component from a feature.
This can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component.
This removal can also occur if you change the GUID of a component. The component identified by the original GUID appears to be removed and the component as identified by the new GUID appears as a new component.
(2) Add a new feature to the top or middle of an existing feature tree.
The new feature must be added as a new leaf feature to an existing feature tree.
If you disable or do not configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades.
If you disable or don't configure this policy setting, the Windows Installer will use less restrictive rules for component upgrades.
<!--/Description-->
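Review bot: "Upgrades can fail if they attempt to do one of the following steps" mislabels the two numbered items, which are actions an upgrade performs (remove a component from a feature, add a feature to the top or middle of a feature tree), not steps of a procedure. "one of the following actions" or the original "one of the following:" fits the list.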
@ -1085,13 +1085,13 @@ This policy controls the percentage of disk space available to the Windows Insta
The Windows Installer uses the baseline file cache to save baseline files modified by binary delta difference updates. The cache is used to retrieve the baseline file for future updates. The cache eliminates user prompts for source media when new updates are applied.
If you enable this policy setting you can modify the maximum size of the Windows Installer baseline file cache.
If you enable this policy setting, you can modify the maximum size of the Windows Installer baseline file cache.
If you set the baseline cache size to 0, the Windows Installer will stop populating the baseline cache for new updates. The existing cached files will remain on disk and will be deleted when the product is removed.
If you set the baseline cache to 100, the Windows Installer will use available free space for the baseline file cache.
If you disable or do not configure this policy setting, the Windows Installer will uses a default value of 10 percent for the baseline file cache maximum size.
If you disable or don't configure this policy setting, the Windows Installer will use a default value of 10 percent for the baseline file cache maximum size.
<!--/Description-->
@ -1138,7 +1138,7 @@ This policy setting controls the ability to prevent embedded UI.
If you enable this policy setting, no packages on the system can run embedded UI.
If you disable or do not configure this policy setting, embedded UI is allowed to run.
If you disable or don't configure this policy setting, embedded UI is allowed to run.
<!--/Description-->
@ -1183,7 +1183,7 @@ ADMX Info:
<!--Description-->
This policy setting allows Web-based programs to install software on the computer without notifying the user.
If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation.
If you disable or don't configure this policy setting, by default, when a script hosted by an Internet browser tries to install a program on the system, the system warns users and allows them to select or refuse the installation.
If you enable this policy setting, the warning is suppressed and allows the installation to proceed.
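Review bot: the context line "the warning is suppressed and allows the installation to proceed" makes the warning the subject of "allows". Given that this setting lets Web-based programs install software without notifying the user, the enable sentence should be unambiguous: "If you enable this policy setting, the warning is suppressed and the installation proceeds."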
@ -1232,7 +1232,7 @@ ADMX Info:
<!--Description-->
This policy setting specifies the order in which Windows Installer searches for installation files.
If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL).
If you disable or don't configure this policy setting, by default, the Windows Installer searches the network first, then removable media (floppy drive, CD-ROM, or DVD), and finally, the Internet (URL).
If you enable this policy setting, you can change the search order by specifying the letters representing each file source in the order that you want Windows Installer to search:
@ -1289,7 +1289,7 @@ Transform files consist of instructions to modify or customize a program during
If you enable this policy setting, the transform file is saved in a secure location on the user's computer.
If you do not configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation.
If you don't configure this policy setting on Windows Server 2003, Windows Installer requires the transform file in order to repeat an installation in which the transform file was used, therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation.
This policy setting is designed for enterprises to prevent unauthorized or malicious editing of transform files.
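Review bot: the comma splice in "repeat an installation in which the transform file was used, therefore, the user must be using the same computer" survives the edit; split it: "... in which the transform file was used. Therefore, the user must be using the same computer or be connected to the original or identical media to reinstall, remove, or repair the installation."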

View File

@ -63,18 +63,18 @@ manager: dansimp
This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states:
- Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be turned on. Windows will prompt the user with a dialog-box when application reinstallation is required.
This is the default recovery behavior on Windows client.
This behavior is the default recovery behavior on Windows client.
- Silent: Detection, troubleshooting, and notification of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the application that should be re-installed. This behavior is recommended for headless operation and is the default recovery behavior on Windows server.
- Silent: Detection, troubleshooting, and notification of MSI application to reinstall will occur with no UI. Windows will log an event when corruption is determined and will suggest the application that should be reinstalled. This behavior is recommended for headless operation and is the default recovery behavior on Windows server.
- Troubleshooting Only: Detection and verification of file corruption will be performed without UI.
Recovery is not attempted.
Recovery isn't attempted.
- If you enable this policy setting, the recovery behavior for corrupted files is set to either the Prompt For Resolution (default on Windows client), Silent (default on Windows server), or Troubleshooting Only.
- If you disable this policy setting, the troubleshooting and recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted.
If you do not configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior. No system or service restarts are required for changes to this policy setting to take immediate effect after a Group Policy refresh.
If you don't configure this policy setting, the recovery behavior for corrupted files will be set to the default recovery behavior. No system or service restarts are required for changes to this policy setting to take immediate effect after a Group Policy refresh.
> [!NOTE]
> This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.
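Review bot: "This behavior is the default recovery behavior on Windows client" now says "behavior" twice; naming the option reads better: "Prompt for Resolution is the default recovery behavior on Windows clients." The same applies to the Silent bullet ("...and is the default recovery behavior on Windows servers"). Two smaller points in this hunk: "set to either the Prompt For Resolution (default on Windows client), Silent (default on Windows server), or Troubleshooting Only" uses "either" for three options (drop it, and match the casing "Prompt for Resolution" used in the bullet), and "dialog-box" in the first bullet should be "dialog box". The note line "system file recovery will not be attempted" also keeps the uncontracted form while the rest of the hunk was converted.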

View File

@ -92,8 +92,8 @@ Each string can be one of the following types:
> [!IMPORTANT]
> At least one of the entries must be a PING: resource.
> - A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:http://myserver.corp.contoso.com/ or HTTP:http://2002:836b:1::1/.
> - A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
> - A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:http://myserver.corp.contoso.com/ or HTTP:http://2002:836b:1::1/.
> - A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
You must configure this setting to have complete NCA functionality.
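Review bot: The IPv6 example "HTTP:http://2002:836b:1::1/" isn't a valid URL host as written: RFC 3986 requires an IPv6 literal in a URL to be bracketed, i.e. "http://[2002:836b:1::1]/". If NCA's resource parser really accepts the unbracketed form, the text should say so explicitly, because an administrator copying the example into a browser or a probe script will get a parse error; otherwise correct the example. The UNC example "FILE:\\2002:836b:1::1\myshare\test.txt" raises the same question, since Windows UNC paths normally need the ipv6-literal.net form for a raw IPv6 address. Please confirm which form NCA expects before merging the wording change.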
@ -229,7 +229,7 @@ ADMX Info:
<!--Description-->
This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation.
If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”.
If this setting isn't configured, the string that appears for DirectAccess connectivity is “Corporate Connection”.
<!--/Description-->
@ -273,16 +273,16 @@ ADMX Info:
<!--Description-->
This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon.
If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names.
If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. NCA doesn't remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names.
The ability to disconnect allows users to specify single-label, unqualified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet.
The ability to disconnect allows users to specify single-label, unqualified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection hasn't correctly determined that the DirectAccess client computer is connected to its own intranet.
To restore the DirectAccess rules to the NRPT and resume normal DirectAccess functionality, the user clicks Connect.
> [!NOTE]
> If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT.
If this setting is not configured, users do not have Connect or Disconnect options.
If this setting isn't configured, users don't have Connect or Disconnect options.
<!--/Description-->
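Review bot: Dropping "Note that" from "NCA doesn't remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names" buries a caveat administrators rely on: Disconnect only removes the NRPT rules, so the IPsec tunnels to the DirectAccess server stay up and intranet access by IPv6 address still works. This page already uses "> [!NOTE]" blocks (the next paragraph is one), so move this sentence into its own note rather than flattening it into the paragraph. A comma before "and users can still access" would also help the sentence.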
@ -326,7 +326,7 @@ ADMX Info:
<!--Description-->
This policy setting specifies whether NCA service runs in Passive Mode or not.
Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default.
Set this policy setting to Disabled to keep NCA probing actively all the time. If this setting isn't configured, NCA probing is in active mode by default.
<!--/Description-->
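Review bot: The description in this hunk never states the Enabled case. It says the setting "specifies whether NCA service runs in Passive Mode or not" and that Disabled keeps "NCA probing actively all the time", so the matching sentence for Enabled is missing (presumably "If you enable this policy setting, NCA probing runs in passive mode"; the author should confirm the exact behavior). Two wording points: "whether NCA service runs in Passive Mode or not" → "whether the NCA service runs in Passive Mode" (drop "or not"), and "keep NCA probing actively" → "keep NCA probing active".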
@ -369,9 +369,9 @@ ADMX Info:
<!--Description-->
This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon.
Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access.
Set this policy setting to Disabled to prevent user confusion when you're just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access.
If this setting is not configured, the entry for DirectAccess connectivity appears.
If this setting isn't configured, the entry for DirectAccess connectivity appears.
<!--/Description-->
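Review bot: "when you're just using DirectAccess to remotely manage DirectAccess client computers" reads as informal; "only" is the intended sense: "when you only use DirectAccess to remotely manage DirectAccess client computers from your intranet and don't provide seamless intranet access."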

View File

@ -162,19 +162,19 @@ manager: dansimp
<!--/Scope-->
<!--Description-->
This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site.
This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address doesn't map to any configured site.
Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client.
Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses that may then be used to compute a matching site for the client.
The allowable values for this setting result in the following behaviors:
- 0 - DCs will never perform address lookups.
- 1 - DCs will perform an exhaustive address lookup to discover additional client IP addresses.
- 2 - DCs will perform a fast, DNS-only address lookup to discover additional client IP addresses.
- 1 - DCs will perform an exhaustive address lookup to discover more client IP addresses.
- 2 - DCs will perform a fast, DNS-only address lookup to discover more client IP addresses.
To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
<!--/Description-->
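Review bot: "To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value" doesn't match the rest of this description, which is about the address lookups a DC performs when a client's IP address doesn't map to a site, not about SRV records; the phrase looks carried over from one of the SRV-record settings later in this file. Suggest "To specify this behavior, click Enabled, and then enter a value. The range of values is from 0 to 2." The value list would also read better with a colon instead of a second hyphen ("- 0: DCs will never perform address lookups.") so the number isn't visually part of the bullet.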
@ -220,11 +220,11 @@ This policy setting determines the type of IP address that is returned for a dom
By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior.
If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator.
If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This behavior is the default behavior of the DC Locator.
If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail.
If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator.
If you don't configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This behavior is the default behavior of the DC Locator.
<!--/Description-->
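Review bot: "This behavior is the default behavior of the DC Locator" (in both the enable and the not-configured sentences) repeats "behavior"; since the Acrolinx rule is to avoid a bare "This is", name the subject instead: "Returning IPv4 and IPv6 addresses is the default DC Locator behavior." In the same hunk, "DC Locator APIs will ONLY return IPv4 DC address if any" should lose the all-caps emphasis and gain an article and comma: "will only return an IPv4 DC address, if any".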
@ -268,13 +268,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled.
This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, isn't used if the AllowSingleLabelDnsDomain policy setting is enabled.
By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled.
If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the event that DNS resolution fails.
If you enable this policy setting, when the AllowSingleLabelDnsDomain policy isn't enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name isn't used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, if DNS resolution fails.
If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest.
If you disable this policy setting, when the AllowSingleLabelDnsDomain policy isn't enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers won't attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest.
<!--/Description-->
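Review bot: Subject–verb agreement in the first sentence is still wrong after this edit: "whether the computers to which this setting is applied attempts DNS name resolution ... and uses NetBIOS name resolution" has "computers" as its subject, so it should read "attempt ... and use". The equivalent sentence in the AllowSingleLabelDnsDomain hunk below already uses "attempt"; align this one with it.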
@ -318,15 +318,15 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows.
This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier aren't as secure as newer algorithms used in Windows 2000 or later, including this version of Windows.
By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller.
By default, Net Logon won't allow the older cryptography algorithms to be used and won't include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 won't be able to establish a connection to this domain controller.
If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk.
If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
If you disable this policy setting, Net Logon won't allow the negotiation and use of older cryptography algorithms.
If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
If you don't configure this policy setting, Net Logon won't allow the negotiation and use of older cryptography algorithms.
<!--/Description-->
@ -370,15 +370,15 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names.
This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain name.
By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name.
If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution.
If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined.
If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it isn't disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers won't the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined.
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration.
<!--/Description-->
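Review bot: The sentence "the computers won't the DNS name resolution in this case, unless..." is still broken after this edit: it starts in lowercase and has no verb. The parallel sentence in the AllowDnsSuffixSearch hunk above reads "The computers won't attempt DNS name resolution in this case, unless..."; use that wording here, and add the comma missing after "if it isn't disabled" so the alternatives ("use the AllowDnsSuffixSearch policy, if it isn't disabled, or perform NetBIOS name resolution otherwise") parse correctly.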
@ -422,13 +422,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.
This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC.
If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists.
If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own.
If you disable this policy setting, the DCs won't register site-specific DC Locator DNS SRV records for any other sites but their own.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
<!--/Description-->
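Review bot: "domain controllers (DC) will dynamically register" should introduce the plural abbreviation, "(DCs)", since the same hunk goes on to say "the DCs to which this setting is applied"; the singular "(DC)" is fine only where the term is singular, as in the TTL hunk further down.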
@ -474,12 +474,12 @@ ADMX Info:
<!--Description-->
This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism.
NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended.
NetBIOS-based discovery uses a WINS server and mailslot messages but doesn't use site information. Hence it doesn't ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery isn't recommended.
> [!NOTE]
> This policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known.
> This policy setting doesn't affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known.
If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior.
If you disable or don't configure this policy setting, the DC location algorithm doesn't use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This behavior is the default behavior.
If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
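Review bot: This hunk introduces a contradiction. The not-configured sentence was changed from "If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback" to "If you disable or don't configure ...", but the next, unchanged sentence says "If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism". Both can't hold for Disabled. Restore "If you enable or don't configure this policy setting, ..." so that Enabled and Not configured block the NetBIOS fallback and only Disabled permits it; that is also the safer reading given the description's own warning that NetBIOS-based discovery ignores site information and isn't recommended. "This behavior is the default behavior" in the same sentence can become "Not using the NetBIOS fallback is the default."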
@ -531,9 +531,9 @@ Contacting the PDC emulator is useful in case the clients password was recent
If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password.
If you disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator.
If you disable this policy setting, the DCs won't attempt to verify any passwords with the PDC emulator.
If you do not configure this policy setting, it is not applied to any DCs.
If you don't configure this policy setting, it isn't applied to any DCs.
<!--/Description-->
@ -588,7 +588,7 @@ This setting is relevant only to those callers of DsGetDcName that have specifie
If the value of this setting is less than the value specified in the NegativeCachePeriod subkey, the value in the NegativeCachePeriod subkey is used.
> [!WARNING]
> If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive.
> If the value for this setting is too large, a client won't attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC isn't available, the traffic caused by periodic DC discoveries may be excessive.
<!--/Description-->
@ -645,7 +645,7 @@ If the value for this setting is smaller than the value specified for the Initia
> [!WARNING]
> If the value for this setting is too large, a client may take very long periods to try to find a DC.
If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic.
If the value for this setting is too small and the DC isn't available, the frequent retries may produce excessive network traffic.
<!--/Description-->
@ -738,7 +738,7 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0).
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it's applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that isn't treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0).
<!--/Description-->
@ -790,7 +790,7 @@ If you enable this policy setting and specify a non-zero value, debug informatio
If you specify zero for this policy setting, the default behavior occurs as described above.
If you disable this policy setting or do not configure it, the default behavior occurs as described above.
If you disable this policy setting or don't configure it, the default behavior occurs as described above.
<!--/Description-->
@ -834,9 +834,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting determines which DC Locator DNS records are not registered by the Net Logon service.
This policy setting determines which DC Locator DNS records aren't registered by the Net Logon service.
If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied.
If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that won't be registered by the DCs to which this setting is applied.
Select the mnemonics from the following table:
@ -866,7 +866,7 @@ Select the mnemonics from the following table:
If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records.
If you do not configure this policy setting, DCs use their local configuration.
If you don't configure this policy setting, DCs use their local configuration.
<!--/Description-->
@ -912,14 +912,14 @@ ADMX Info:
<!--Description-->
This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update.
DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database.
DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records data hasn't changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database.
> [!WARNING]
> If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records.
To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes).
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
<!--/Description-->
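Review bot: "even if their records data hasn't changed" needs either the possessive or a singular noun: "even if their record data hasn't changed". The sentence that follows is hard to parse ("this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current"); suggest, with the same meaning, "If authoritative DNS servers are configured to scavenge stale records, this reregistration tells those servers that the records are current and should be preserved in the database."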
@ -973,7 +973,7 @@ If not configured, domain controllers will default to using their local configur
The default local configuration is enabled.
A reboot is not required for changes to this setting to take effect.
A reboot isn't required for changes to this setting to take effect.
<!--/Description-->
@ -1016,11 +1016,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC).
This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they're used to locate the domain controller (DC).
To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes).
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
<!--/Description-->
@ -1063,11 +1063,11 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies the additional time for the computer to wait for the domain controllers (DC) response when logging on to the network.
This policy setting specifies the extra time for the computer to wait for the domain controllers (DC) response when logging on to the network.
To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute).
To specify the expected dial-up delay at sign in, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute).
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration.
<!--/Description-->
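Review bot: "the expected dial-up delay at sign in" uses the verb form where a noun is needed; Microsoft style hyphenates the noun: "at sign-in". More importantly, only one of the two sentences in this hunk was changed: the first still says "when logging on to the network", and this setting concerns the computer's network logon to the DC rather than a user signing in, so pick one term for both sentences. Also, "the domain controllers (DC) response" needs the possessive: "the domain controller's (DC) response".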
@ -1113,13 +1113,13 @@ ADMX Info:
<!--Description-->
This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator.
The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries.
The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions, DC Locator will, by default, carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries.
If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity.
If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4,294,967,200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity.
If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval.
If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value.
If you don't configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value.
<!--/Description-->
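Review bot: number formatting is inconsistent within one sentence of the new line: the upper bound is written "4,294,967,200 seconds" with separators, but "4294967 seconds (~49 days)" a few words later has none. Pick one style for both. The limits themselves match the DC cache refresh setting further down in this diff (4294967200 as the maximum, anything above roughly 49 days treated as infinity), so no change to the values is needed.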
@ -1165,11 +1165,11 @@ ADMX Info:
<!--Description-->
This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it.
The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory.
The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they're used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory.
To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format.
If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration.
If you don't configure this policy setting, it isn't applied to any GCs, and GCs use their local configuration.
<!--/Description-->
@ -1218,11 +1218,11 @@ This policy setting allows you to control the processing of incoming mailslot me
> [!NOTE]
> To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message.
This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names.
This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name isn't required. This policy setting doesn't affect DC location based on DNS names.
If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location.
If you enable this policy setting, this DC doesn't process incoming mailslot messages that are used for NetBIOS domain name based DC location.
If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator.
If you disable or don't configure this policy setting, this DC processes incoming mailslot messages. This hevaior is the default behavior of DC Locator.
<!--/Description-->
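Review bot: typo in the last new line: "This hevaior is the default behavior of DC Locator" should be "This behavior is the default behavior of DC Locator", or better "Processing incoming mailslot messages is the default behavior of DC Locator", which also avoids repeating "behavior". The rest of the hunk is a straight contraction change and reads correctly, including the attack-surface sentence explaining that mailslot processing is only needed for NetBIOS-name-based DC location.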
@ -1272,7 +1272,7 @@ The Priority field in the SRV record sets the preference for target hosts (speci
To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
<!--/Description-->
@ -1316,13 +1316,13 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.
This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC.
The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record.
To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
<!--/Description-->
@ -1368,9 +1368,9 @@ ADMX Info:
<!--Description-->
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled.
By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.
By default, the maximum size of the log file is 20 MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached, the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.
If you disable or do not configure this policy setting, the default behavior occurs as indicated above.
If you disable or don't configure this policy setting, the default behavior occurs as indicated above.
<!--/Description-->
@ -1416,11 +1416,11 @@ ADMX Info:
<!--Description-->
This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.
The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they're used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
<!--/Description-->
@ -1464,12 +1464,12 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC.
This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) couldn't be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC.
The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0.
> [!WARNING]
> If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available.
> If the value for this setting is too large, a client won't attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available.
<!--/Description-->
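Review bot: the context line "The maximum value for this setting is 7 days (7*24*60*60)" gives the formula but not the resulting number of seconds, whereas the cache refresh hunk later in this diff writes out "(49*24*60*60=4233600)". For consistency, and so a reader does not have to multiply, state the value here as well: 7*24*60*60 = 604800.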
@ -1517,14 +1517,14 @@ This policy setting controls whether or not the Netlogon share created by the Ne
If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission.
If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission.
If you disable or don't configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission.
By default, the Netlogon share will grant shared read access to files on the share when exclusive access is requested.
> [!NOTE]
> The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased.
If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those applications approved by the administrator.
<!--/Description-->
@ -1568,9 +1568,9 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag.
This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that don't periodically attempt to locate DCs, and it's applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that haven't specified the DS_BACKGROUND_ONLY flag.
The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0).
The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that isn't treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0).
<!--/Description-->
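Review bot: the new line keeps a stray "the" from the old one: "it's applied before the returning the DC information to the caller program" should be "it's applied before returning the DC information to the caller program". The arithmetic in the following line checks out (49*24*60*60 = 4233600), and the maximum of 4294967200 matches the Force Rediscovery hunk above.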
@ -1616,7 +1616,7 @@ ADMX Info:
<!--Description-->
This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC).
When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version.
When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in more network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version.
The allowable values for this setting result in the following behaviors:
@ -1625,7 +1625,7 @@ The allowable values for this setting result in the following behaviors:
To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2.
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration.
<!--/Description-->
@ -1673,11 +1673,11 @@ This policy setting determines the interval at which Netlogon performs the follo
- Checks if a password on a secure channel needs to be modified, and modifies it if necessary.
- On the domain controllers (DC), discovers a DC that has not been discovered.
- On the domain controllers (DC), discovers a DC that hasn't been discovered.
- On the PDC, attempts to add the `<DomainName>`[1B] NetBIOS name if it hasnt already been successfully added.
None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain.
None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (for example, ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain.
To enable the setting, click Enabled, and then specify the interval in seconds.
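Review bot: the unchanged context line "attempts to add the `<DomainName>`[1B] NetBIOS name if it hasnt already been successfully added" is missing the apostrophe in "hasn't". Since this pass is normalizing contractions across the file, fix it in this hunk too rather than leaving one malformed contraction in the list.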
@ -1725,11 +1725,11 @@ ADMX Info:
<!--Description-->
This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.
The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
The DC Locator DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
<!--/Description-->
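Review bot: the context line "enter the sites names in a space-delimited format" lacks the possessive apostrophe that the GC Locator hunk earlier in this diff uses ("enter the sites' names"). Make the two consistent while this hunk is open; "enter the site names" as used in the application directory partition hunk would also work.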
@ -1777,9 +1777,9 @@ This policy setting specifies the Active Directory site to which computers belon
An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory.
To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs isn't specified, the computer automatically discovers its site from Active Directory.
If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration.
<!--/Description-->
@ -1834,7 +1834,7 @@ By default, the SYSVOL share will grant shared read access to files on the share
> [!NOTE]
> The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased.
If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those applications approved by the administrator.
<!--/Description-->
@ -1878,15 +1878,15 @@ ADMX Info:
<!--/Scope-->
<!--Description-->
This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively.
This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site isn't found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively.
The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost.
The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none is found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost.
If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer.
If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored.
If you disable this policy setting, Try Next Closest Site DC Location won't be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored.
If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used.
If you don't configure this policy setting, Try Next Closest Site DC Location won't be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used.
<!--/Description-->
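Review bot: the first new line carries over two word-order errors from the old one: "if a DC in same the site isn't found" should be "if a DC in the same site isn't found", and "failing over to the try next closest site" should be "failing over to try the next closest site". The "If none is found" change in the next line is fine, and the disable/not-configured lines correctly keep the DS_TRY_NEXTCLOSEST_SITE flag override distinct from the policy default.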
@ -1934,9 +1934,9 @@ This policy setting determines if dynamic registration of the domain controller
If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections.
If you disable this policy setting, DCs will not register DC Locator DNS resource records.
If you disable this policy setting, DCs won't register DC Locator DNS resource records.
If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
<!--/Description-->