mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Acrolinx topology
parent
04e5d29e61
commit
d55df1c825
@ -189,18 +189,18 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests.
|
||||
|
||||
This policy setting affects all user accounts that interactively log on to a computer in a different forest when a trust across forests or a two-way forest trust exists.
|
||||
This policy setting affects all user accounts that interactively sign in to a computer in a different forest when a trust across forests or a two-way forest trust exists.
|
||||
|
||||
If you do not configure this policy setting:
|
||||
If you don't configure this policy setting:
|
||||
|
||||
- No user-based policy settings are applied from the user's forest.
|
||||
- Users do not receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted.
|
||||
- Users don't receive their roaming profiles; they receive a local profile on the computer from the local forest. A warning message appears to the user, and an event log message (1529) is posted.
|
||||
- Loopback Group Policy processing is applied, using the Group Policy Objects (GPOs) that are scoped to the computer.
|
||||
- An event log message (1109) is posted, stating that loopback was invoked in Replace mode.
|
||||
|
||||
If you enable this policy setting, the behavior is exactly the same as in Windows 2000: user policy is applied, and a roaming user profile is allowed from the trusted forest.
|
||||
|
||||
If you disable this policy setting, the behavior is the same as if it is not configured.
|
||||
If you disable this policy setting, the behavior is the same as if it isn't configured.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
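Review bot: The added line switches to "interactively sign in to a computer", but the opening sentence of the same description still reads "interactive logons across forests", so the section now mixes both terms. Consider updating that first sentence in the same change, for example "for interactive sign-ins across forests", so the description uses one term throughout.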
@ -248,11 +248,11 @@ This policy setting affects all policy settings that use the software installati
|
||||
|
||||
This policy setting overrides customized settings that the program implementing the software installation policy set when it was installed.
|
||||
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system.
|
||||
|
||||
The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy setting implementations specify that they are updated only when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policies in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy setting implementations specify that they're updated only when changed. However, you might want to update unchanged policy settings, such as reapplying a desired policy in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -296,17 +296,17 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines when disk quota policies are updated.
|
||||
|
||||
This policy setting affects all policies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk Quotas.
|
||||
This policy setting affects all policies that use the disk quota component of Group Policy, such as those policies in Computer Configuration\Administrative Templates\System\Disk Quotas.
|
||||
|
||||
This policy setting overrides customized settings that the program implementing the disk quota policy set when it was installed.
|
||||
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system.
|
||||
|
||||
The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
|
||||
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
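Review bot: In the added "Do not apply during periodic background processing" paragraph, "until the next user sign in or system restart" uses "sign in" as a noun, which should be hyphenated: "until the next user sign-in or system restart". The same replacement sentence appears in the later hunks of this commit and needs the same fix.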
@ -354,13 +354,13 @@ This policy setting affects all policies that use the encryption component of Gr
|
||||
|
||||
It overrides customized settings that the program implementing the encryption policy set when it was installed.
|
||||
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system.
|
||||
|
||||
The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
|
||||
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -404,15 +404,15 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines when folder redirection policies are updated.
|
||||
|
||||
This policy setting affects all policies that use the folder redirection component of Group Policy, such as those in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer.
|
||||
This policy setting affects all policies that use the folder redirection component of Group Policy, such as those policies in WindowsSettings\Folder Redirection. You can only set folder redirection policy for Group Policy objects, stored in Active Directory, not for Group Policy objects on the local computer.
|
||||
|
||||
This policy setting overrides customized settings that the program implementing the folder redirection policy setting set when it was installed.
|
||||
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system.
|
||||
|
||||
The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
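Review bot: The added line still gives the path as "WindowsSettings\Folder Redirection" with no space, while the Internet Explorer Maintenance, security and wired network descriptions in this commit write "Windows Settings\...". Since the line is being touched anyway, change it to "Windows Settings\Folder Redirection"; the scripts and wireless network hunks carry the same unspaced form.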
@ -456,17 +456,17 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines when Internet Explorer Maintenance policies are updated.
|
||||
|
||||
This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Internet Explorer Maintenance.
|
||||
This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those policies in Windows Settings\Internet Explorer Maintenance.
|
||||
|
||||
This policy setting overrides customized settings that the program implementing the Internet Explorer Maintenance policy set when it was installed.
|
||||
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system.
|
||||
|
||||
The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
|
||||
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -514,13 +514,13 @@ This policy setting affects all policies that use the IP security component of G
|
||||
|
||||
This policy setting overrides customized settings that the program implementing the IP security policy set when it was installed.
|
||||
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system.
|
||||
|
||||
The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
|
||||
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -566,11 +566,11 @@ This policy setting determines when registry policies are updated.
|
||||
|
||||
This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed.
|
||||
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system.
|
||||
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -614,15 +614,15 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines when policies that assign shared scripts are updated.
|
||||
|
||||
This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed.
|
||||
This policy setting affects all policies that use the scripts component of Group Policy, such as those policies in WindowsSettings\Scripts. It overrides customized settings that the program implementing the scripts policy set when it was installed.
|
||||
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this setting, it has no effect on the system.
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this setting, it has no effect on the system.
|
||||
|
||||
The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
|
||||
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -666,15 +666,15 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines when security policies are updated.
|
||||
|
||||
This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings.
|
||||
This policy setting affects all policies that use the security component of Group Policy, such as those policies in Windows Settings\Security Settings.
|
||||
|
||||
This policy setting overrides customized settings that the program implementing the security policy set when it was installed.
|
||||
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system.
|
||||
If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or don't configure this policy setting, it has no effect on the system.
|
||||
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they be updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
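Review bot: The added "Process even if the Group Policy objects have not changed" paragraph keeps "specify that they be updated only when changed", whereas the other descriptions changed in this commit read "specify that they're updated only when changed". Align this sentence with the rest so the security description does not stand out as the one odd variant.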
@ -718,19 +718,19 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines when policies that assign wired network settings are updated.
|
||||
|
||||
This policy setting affects all policies that use the wired network component of Group Policy, such as those in Windows Settings\Wired Network Policies.
|
||||
This policy setting affects all policies that use the wired network component of Group Policy, such as those policies in Windows Settings\Wired Network Policies.
|
||||
|
||||
It overrides customized settings that the program implementing the wired network set when it was installed.
|
||||
|
||||
If you enable this policy, you can use the check boxes provided to change the options.
|
||||
|
||||
If you disable this setting or do not configure it, it has no effect on the system.
|
||||
If you disable this setting or don't configure it, it has no effect on the system.
|
||||
|
||||
The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
|
||||
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -774,19 +774,19 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines when policies that assign wireless network settings are updated.
|
||||
|
||||
This policy setting affects all policies that use the wireless network component of Group Policy, such as those in WindowsSettings\Wireless Network Policies.
|
||||
This policy setting affects all policies that use the wireless network component of Group Policy, such as those policies in WindowsSettings\Wireless Network Policies.
|
||||
|
||||
It overrides customized settings that the program implementing the wireless network set when it was installed.
|
||||
|
||||
If you enable this policy, you can use the check boxes provided to change the options.
|
||||
|
||||
If you disable this setting or do not configure it, it has no effect on the system.
|
||||
If you disable this setting or don't configure it, it has no effect on the system.
|
||||
|
||||
The "Allow processing across a slow network connection" option updates the policies even when the update is being transmitted across a slow network connection, such as a telephone line. Updates across slow connections can cause significant delays.
|
||||
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart.
|
||||
The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes won't take effect until the next user sign in or system restart.
|
||||
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
|
||||
The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies haven't changed. Many policy implementations specify that they're updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired setting in case a user has changed it.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -828,11 +828,11 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times.
|
||||
This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer isn't blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times.
|
||||
|
||||
If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time.
|
||||
|
||||
If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity.
|
||||
If you disable or don't configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
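Review bot: The added last paragraph keeps "Windows operating systems greater than Windows 7"; versions are "later than", not "greater than". Suggest "Group Policy uses the default wait time of 60 seconds on computers running Windows versions later than Windows 7", which also drops the unneeded future tense in "will use".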
@ -878,12 +878,12 @@ This policy setting controls the ability of users to view their Resultant Set of
|
||||
|
||||
By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data.
|
||||
|
||||
If you enable this policy setting, interactive users cannot generate RSoP data.
|
||||
If you enable this policy setting, interactive users can't generate RSoP data.
|
||||
|
||||
If you disable or do not configure this policy setting, interactive users can generate RSoP.
|
||||
If you disable or don't configure this policy setting, interactive users can generate RSoP.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data.
|
||||
> This policy setting doesn't affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data.
|
||||
>
|
||||
> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc.
|
||||
>
|
||||
@ -933,12 +933,12 @@ This policy setting controls the ability of users to view their Resultant Set of
|
||||
|
||||
By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data.
|
||||
|
||||
If you enable this policy setting, interactive users cannot generate RSoP data.
|
||||
If you enable this policy setting, interactive users can't generate RSoP data.
|
||||
|
||||
If you disable or do not configure this policy setting, interactive users can generate RSoP
|
||||
If you disable or don't configure this policy setting, interactive users can generate RSoP
|
||||
|
||||
> [!NOTE]
|
||||
> This policy setting does not affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data.
|
||||
> This policy setting doesn't affect administrators. If you enable or disable this policy setting, by default administrators can view RSoP data.
|
||||
>
|
||||
> To view RSoP data on a client computer, use the RSoP snap-in for the Microsoft Management Console. You can launch the RSoP snap-in from the command line by typing RSOP.msc.
|
||||
>
|
||||
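Review bot: The rewritten "If you disable or don't configure this policy setting, interactive users can generate RSoP" line still ends without a period, and it drops the word "data" that the enable sentence just above it uses ("can't generate RSoP data"). Since the line is being touched anyway, finish it as "can generate RSoP data." so the two sentences match. The unchanged context line "interactively logged on users" also keeps the "log on" wording that this commit replaces with "sign in" elsewhere.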
@ -1028,11 +1028,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor.
|
||||
|
||||
Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC.
|
||||
Administrators might want to use this option if they're concerned about the amount of space used on the system volume of a DC.
|
||||
|
||||
By default, when you start the Group Policy Object Editor, a timestamp comparison is performed on the source files in the local %SYSTEMROOT%\inf directory and the source files stored in the GPO.
|
||||
|
||||
If the local files are newer, they are copied into the GPO.
|
||||
If the local files are newer, they're copied into the GPO.
|
||||
|
||||
Changing the status of this setting to Enabled will keep any source files from copying to the GPO.
|
||||
|
||||
@ -1085,9 +1085,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting prevents Group Policy from being updated while the computer is in use. This policy setting applies to Group Policy for computers, users, and domain controllers.
|
||||
|
||||
If you enable this policy setting, the system waits until the current user logs off the system before updating the computer and user settings.
|
||||
If you enable this policy setting, the system waits until the current user signs out the system before updating the computer and user settings.
|
||||
|
||||
If you disable or do not configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings.
|
||||
If you disable or don't configure this policy setting, updates can be applied while users are working. The frequency of updates is determined by the "Set Group Policy refresh interval for computers" and "Set Group Policy refresh interval for users" policy settings.
|
||||
|
||||
> [!NOTE]
|
||||
> If you make changes to this policy setting, you must restart your computer for it to take effect.
|
||||
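Review bot: The replacement "waits until the current user signs out the system" is missing a preposition, so it reads as if the user signs the system out. Suggest "signs out of the system", or simply "signs out", before "before updating the computer and user settings".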
@ -1136,12 +1136,12 @@ This policy setting prevents Local Group Policy Objects (Local GPOs) from being
|
||||
|
||||
By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local computer. You can disable the processing and application of all Local GPOs to ensure that only domain-based GPOs are applied.
|
||||
|
||||
If you enable this policy setting, the system does not process and apply any Local GPOs.
|
||||
If you enable this policy setting, the system doesn't process and apply any Local GPOs.
|
||||
|
||||
If you disable or do not configure this policy setting, Local GPOs continue to be applied.
|
||||
If you disable or don't configure this policy setting, Local GPOs continue to be applied.
|
||||
|
||||
> [!NOTE]
|
||||
> For computers joined to a domain, it is strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup.
|
||||
> For computers joined to a domain, it's strongly recommended that you only configure this policy setting in domain-based GPOs. This policy setting will be ignored on computers that are joined to a workgroup.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1185,9 +1185,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting allows you to control a user's ability to invoke a computer policy refresh.
|
||||
|
||||
If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs.
|
||||
If you enable this policy setting, users aren't able to invoke a refresh of computer policy. Computer policy will still be applied at startup or when an official policy refresh occurs.
|
||||
|
||||
If you disable or do not configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user.
|
||||
If you disable or don't configure this policy setting, the default behavior applies. By default, computer policy is applied when the computer starts up. It also applies at a specified refresh interval or when manually invoked by the user.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy setting applies only to non-administrators. Administrators can still invoke a refresh of computer policy at any time, no matter how this policy setting is configured.
|
||||
@ -1241,9 +1241,9 @@ This policy setting determines whether the Windows device is allowed to particip
|
||||
|
||||
If you enable this policy setting, the Windows device is discoverable by other Windows devices that belong to the same user, and can participate in cross-device experiences.
|
||||
|
||||
If you disable this policy setting, the Windows device is not discoverable by other devices, and cannot participate in cross-device experiences.
|
||||
If you disable this policy setting, the Windows device isn't discoverable by other devices, and can't participate in cross-device experiences.
|
||||
|
||||
If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
|
||||
If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1287,13 +1287,13 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting allows you to configure Group Policy caching behavior.
|
||||
|
||||
If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)
|
||||
If you enable or don't configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and the settings contained within them. When Group Policy runs in synchronous foreground mode, it refers to this cache, which enables it to run faster. When the cache is read, Group Policy attempts to contact a logon domain controller to determine the link speed. When Group Policy runs in background mode or asynchronous foreground mode, it continues to download the latest version of the policy information, and it uses a bandwidth estimate to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)
|
||||
|
||||
The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds.
|
||||
|
||||
The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds.
|
||||
The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there's no network connectivity. This waiting period stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or sign in. The default is 5000 milliseconds.
|
||||
|
||||
If you disable this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)
|
||||
If you disable this policy setting, the Group Policy client won't cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
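Review bot: In the timeout paragraph, changing "This stops the current Group Policy processing" to "This waiting period stops the current Group Policy processing" changes the meaning. Per the preceding sentence, processing stops when Group Policy determines that there's no network connectivity (that is, when the timeout expires), not because of the wait itself. Something like "When this timeout expires, the current Group Policy processing stops" would resolve the vague pronoun without shifting the cause.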
@ -1341,9 +1341,9 @@ If you enable this policy setting, Group Policy caches policy information after
|
||||
|
||||
The slow link value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before reporting the link speed as slow. The default is 500 milliseconds.
|
||||
|
||||
The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there is no network connectivity. This stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or logon. The default is 5000 milliseconds.
|
||||
The timeout value that is defined in this policy setting determines how long Group Policy will wait for a response from the domain controller before determining that there's no network connectivity. This waiting period stops the current Group Policy processing. Group Policy will run in the background the next time a connection to a domain controller is established. Setting this value too high might result in longer waits for the user at boot or sign in. The default is 5000 milliseconds.
|
||||
|
||||
If you disable or do not configure this policy setting, the Group Policy client will not cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)
|
||||
If you disable or don't configure this policy setting, the Group Policy client won't cache applicable GPOs or settings that are contained within the GPOs. When Group Policy runs synchronously, it downloads the latest version of the policy from the network and uses bandwidth estimates to determine slow link thresholds. (See the “Configure Group Policy Slow Link Detection” policy setting to configure asynchronous foreground behavior.)
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
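Review bot: In the timeout sentence, "longer waits for the user at boot or sign in" pairs a noun ("boot") with the verb form "sign in". The noun form is "sign-in", so "at boot or sign-in" reads correctly. The "This waiting period stops the current Group Policy processing" wording in the same paragraph also attributes the stop to the wait rather than to the timeout being reached.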
@ -1385,13 +1385,13 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that requires linking between Phone and PC.
|
||||
This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue reading, emailing and other tasks that require linking between Phone and PC.
|
||||
|
||||
If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in Continue on PC experiences.
|
||||
|
||||
If you disable this policy setting, the Windows device is not allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and cannot participate in Continue on PC experiences.
|
||||
If you disable this policy setting, the Windows device isn't allowed to be linked to Phones, will remove itself from the device list of any linked Phones, and can't participate in Continue on PC experiences.
|
||||
|
||||
If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
|
||||
If you don't configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1435,11 +1435,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting prevents administrators from viewing or using Group Policy preferences.
|
||||
|
||||
A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which are not fully supported, use registry entries in other subkeys.
|
||||
A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in the Software\Policies or Software\Microsoft\Windows\CurrentVersion\Policies registry subkeys. Preferences, which aren't fully supported, use registry entries in other subkeys.
|
||||
|
||||
If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators cannot turn it off. As a result, Group Policy Object Editor displays only true settings; preferences do not appear.
|
||||
If you enable this policy setting, the "Show Policies Only" command is turned on, and administrators can't turn it off. As a result, Group Policy Object Editor displays only true settings; preferences don't appear.
|
||||
|
||||
If you disable or do not configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command.
|
||||
If you disable or don't configure this policy setting, the "Show Policies Only" command is turned on by default, but administrators can view preferences by turning off the "Show Policies Only" command.
|
||||
|
||||
> [!NOTE]
|
||||
> To find the "Show Policies Only" command, in Group Policy Object Editor, click the Administrative Templates folder (either one), right-click the same folder, and then point to "View."
|
||||
@ -1488,7 +1488,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory.
|
||||
|
||||
This feature can be configured to be in 3 modes: On, Off, and Audit. By default, it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.
|
||||
This feature can be configured to be in three modes: On, Off, and Audit. By default, it's Off and no fonts are blocked. If you aren't ready to deploy this feature into your organization, you can run it in Audit mode to see if blocking untrusted fonts causes any usability or compatibility issues.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1532,7 +1532,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines which domain controller the Group Policy Object Editor snap-in uses.
|
||||
|
||||
If you enable this setting, you can which domain controller is used according to these options:
|
||||
If you enable this setting, you can know which domain controller is used according to these options:
|
||||
|
||||
"Use the Primary Domain Controller" indicates that the Group Policy Object Editor snap-in reads and writes changes to the domain controller designated as the PDC Operations Master for the domain.
|
||||
|
||||
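Review bot: The added verb in "If you enable this setting, you can know which domain controller is used according to these options" does not fit what the options do. The quoted options ("Use the Primary Domain Controller", and so on) tell the snap-in which domain controller to read from and write to, so enabling the setting lets the admin choose it, not merely learn it. Suggest "you can choose which domain controller is used from these options:".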
@ -1540,7 +1540,7 @@ If you enable this setting, you can which domain controller is used according to
|
||||
|
||||
"Use any available domain controller" indicates that the Group Policy Object Editor snap-in can read and write changes to any available domain controller.
|
||||
|
||||
If you disable this setting or do not configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain.
|
||||
If you disable this setting or don't configure it, the Group Policy Object Editor snap-in uses the domain controller designated as the PDC Operations Master for the domain.
|
||||
|
||||
> [!NOTE]
|
||||
> To change the PDC Operations Master for a domain, in Active Directory Users and Computers, right-click a domain, and then click "Operations Masters."
|
||||
@ -1589,18 +1589,18 @@ This policy setting defines a slow connection for purposes of applying and updat
|
||||
|
||||
If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow.
|
||||
|
||||
The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links.
|
||||
The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder let you override the programs' specified responses to slow links.
|
||||
|
||||
If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast.
|
||||
|
||||
If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second.
|
||||
If you disable this setting or don't configure it, the system uses the default value of 500 kilobits per second.
|
||||
|
||||
This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.
|
||||
|
||||
Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile.
|
||||
|
||||
> [!NOTE]
|
||||
> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used.
|
||||
> If the profile server has IP connectivity, the connection speed setting is used. If the profile server doesn't have IP connectivity, the SMB timing is used.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1646,18 +1646,18 @@ This policy setting defines a slow connection for purposes of applying and updat
|
||||
|
||||
If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specified by this setting, the system considers the connection to be slow.
|
||||
|
||||
The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder lets you override the programs' specified responses to slow links.
|
||||
The system's response to a slow policy connection varies among policies. The program implementing the policy can specify the response to a slow link. Also, the policy processing settings in this folder let you override the programs' specified responses to slow links.
|
||||
|
||||
If you enable this setting, you can, in the "Connection speed" box, type a decimal number between 0 and 4,294,967,200, indicating a transfer rate in kilobits per second. Any connection slower than this rate is considered to be slow. If you type 0, all connections are considered to be fast.
|
||||
|
||||
If you disable this setting or do not configure it, the system uses the default value of 500 kilobits per second.
|
||||
If you disable this setting or don't configure it, the system uses the default value of 500 kilobits per second.
|
||||
|
||||
This setting appears in the Computer Configuration and User Configuration folders. The setting in Computer Configuration defines a slow link for policies in the Computer Configuration folder. The setting in User Configuration defines a slow link for settings in the User Configuration folder.
|
||||
|
||||
Also, see the "Do not detect slow network connections" and related policies in Computer Configuration\Administrative Templates\System\User Profile.
|
||||
|
||||
> [!NOTE]
|
||||
> If the profile server has IP connectivity, the connection speed setting is used. If the profile server does not have IP connectivity, the SMB timing is used.
|
||||
> If the profile server has IP connectivity, the connection speed setting is used. If the profile server doesn't have IP connectivity, the SMB timing is used.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1705,7 +1705,7 @@ In addition to background updates, Group Policy for the computer is always updat
|
||||
|
||||
By default, computer Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.
|
||||
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals aren't appropriate for most installations.
|
||||
|
||||
If you disable this setting, Group Policy is updated every 90 minutes (the default). To specify that Group Policy should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" policy.
|
||||
|
||||
@ -1713,7 +1713,7 @@ The Set Group Policy refresh interval for computers policy also lets you specify
|
||||
|
||||
This setting establishes the update rate for computer Group Policy. To set an update rate for user policies, use the "Set Group Policy refresh interval for users" setting (located in User Configuration\Administrative Templates\System\Group Policy).
|
||||
|
||||
This setting is only used when the "Turn off background refresh of Group Policy" setting is not enabled.
|
||||
This setting is only used when the "Turn off background refresh of Group Policy" setting isn't enabled.
|
||||
|
||||
> [!NOTE]
|
||||
> Consider notifying users that their policy is updated periodically so that they recognize the signs of a policy update. When Group Policy is updated, the Windows desktop is refreshed; it flickers briefly and closes open menus. Also, restrictions imposed by Group Policies, such as those that limit the programs users can run, might interfere with tasks in progress.
|
||||
@ -1758,13 +1758,13 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts.
|
||||
This policy setting specifies how often Group Policy is updated on domain controllers while they're running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts.
|
||||
|
||||
By default, Group Policy on the domain controllers is updated every five minutes.
|
||||
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the domain controller tries to update Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals aren't appropriate for most installations.
|
||||
|
||||
If you disable or do not configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting.
|
||||
If you disable or don't configure this setting, the domain controller updates Group Policy every 5 minutes (the default). To specify that Group Policies for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting.
|
||||
|
||||
This setting also lets you specify how much the actual update interval varies. To prevent domain controllers with the same update interval from requesting updates simultaneously, the system varies the update interval for each controller by a random number of minutes. The number you type in the random time box sets the upper limit for the range of variance. For example, if you type 30 minutes, the system selects a variance of 0 to 30 minutes. Typing a large number establishes a broad range and makes it less likely that update requests overlap. However, updates might be delayed significantly.
|
||||
|
||||
@ -1813,11 +1813,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder.
|
||||
|
||||
In addition to background updates, Group Policy for users is always updated when users log on.
|
||||
In addition to background updates, Group Policy for users is always updated when users sign in.
|
||||
|
||||
By default, user Group Policy is updated in the background every 90 minutes, with a random offset of 0 to 30 minutes.
|
||||
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals are not appropriate for most installations.
|
||||
If you enable this setting, you can specify an update rate from 0 to 64,800 minutes (45 days). If you select 0 minutes, the computer tries to update user Group Policy every 7 seconds. However, because updates might interfere with users' work and increase network traffic, very short update intervals aren't appropriate for most installations.
|
||||
|
||||
If you disable this setting, user Group Policy is updated every 90 minutes (the default). To specify that Group Policy for users should never be updated while the computer is in use, select the "Turn off background refresh of Group Policy" setting.
|
||||
|
||||
@ -1874,15 +1874,15 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
Enter “0” to disable Logon Script Delay.
|
||||
|
||||
This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts.
|
||||
This policy setting allows you to configure how long the Group Policy client waits after a sign in before running scripts.
|
||||
|
||||
By default, the Group Policy client waits five minutes before running logon scripts. This helps create a responsive desktop environment by preventing disk contention.
|
||||
By default, the Group Policy client waits 5 minutes before running logon scripts. This 5-minute wait helps create a responsive desktop environment by preventing disk contention.
|
||||
|
||||
If you enable this policy setting, Group Policy will wait for the specified amount of time before running logon scripts.
|
||||
|
||||
If you disable this policy setting, Group Policy will run scripts immediately after logon.
|
||||
If you disable this policy setting, Group Policy will run scripts immediately after a sign in.
|
||||
|
||||
If you do not configure this policy setting, Group Policy will wait five minutes before running logon scripts.
|
||||
If you don't configure this policy setting, Group Policy will wait five minutes before running logon scripts.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
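Review bot: The default delay is now written two ways within this one description: "waits 5 minutes" and "This 5-minute wait" in the default paragraph, but "will wait five minutes" in the not-configured paragraph. Pick one form. Also, "waits after a sign in before running scripts" and "immediately after a sign in" use the verb form as a noun; "after sign-in" is the noun form, and the description still says "logon scripts" and "Logon Script Delay" alongside it, which is fine if those are the UI names but worth confirming.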
@ -1976,7 +1976,7 @@ This policy setting allows you to create new Group Policy object links in the di
|
||||
|
||||
If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the new object links by using a policy compliant Group Policy management tool such as Active Directory Users and Computers or Active Directory Sites and Services, you can enable the object links for use on the system.
|
||||
|
||||
If you disable this setting or do not configure it, new Group Policy object links are created in the enabled state. If you do not want them to be effective until they are configured and tested, you must disable the object link.
|
||||
If you disable this setting or don't configure it, new Group Policy object links are created in the enabled state. If you don't want them to be effective until they're configured and tested, you must disable the object link.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -2020,9 +2020,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting lets you always use local ADM files for the Group Policy snap-in.
|
||||
|
||||
By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO.
|
||||
By default, when you edit a Group Policy Object (GPO) using the Group Policy Object Editor snap-in, the ADM files are loaded from that GPO into the Group Policy Object Editor snap-in. This edit-option allows you to use the same version of the ADM files that were used to create the GPO while editing this GPO.
|
||||
|
||||
This leads to the following behavior:
|
||||
This edit-option leads to the following behavior:
|
||||
|
||||
- If you originally created the GPO with, for example, an English system, the GPO contains English ADM files.
|
||||
|
||||
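Review bot: "This edit-option" in both rewritten sentences names something the text never defines; the antecedent is the default behavior of loading ADM files from the GPO, not an option. Suggest "This default allows you to use the same version of the ADM files…" and "This default leads to the following behavior:" so the reader isn't left looking for a setting called "edit-option".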
@ -2032,14 +2032,14 @@ You can change this behavior by using this setting.
|
||||
|
||||
If you enable this setting, the Group Policy Object Editor snap-in always uses local ADM files in your %windir%\inf directory when editing GPOs.
|
||||
|
||||
This leads to the following behavior:
|
||||
This pattern leads to the following behavior:
|
||||
|
||||
- If you had originally created the GPO with an English system, and then you edit the GPO with a Japanese system, the Group Policy Object Editor snap-in uses the local Japanese ADM files, and you see the text in Japanese under Administrative Templates.
|
||||
|
||||
If you disable or do not configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO.
|
||||
If you disable or don't configure this setting, the Group Policy Object Editor snap-in always loads all ADM files from the actual GPO.
|
||||
|
||||
> [!NOTE]
|
||||
> If the ADMs that you require are not all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing.
|
||||
> If the ADMs that you require aren't all available locally in your %windir%\inf directory, you might not be able to see all the settings that have been configured in the GPO that you are editing.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
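Review bot: "This pattern leads to the following behavior:" has no clear antecedent, and it differs from the "This edit-option leads to…" wording used for the same construction in the previous hunk. The sentence refers to the enabled setting, so "Enabling this setting leads to the following behavior:" would be clearer and consistent. In the rewritten note, "aren't" is contracted but "the GPO that you are editing" on the same line is not; change it to "you're editing" or leave both uncontracted.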
@ -2082,7 +2082,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This security feature provides a means to override individual process MitigationOptions settings. This can be used to enforce a number of security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are:
|
||||
This security feature provides a means to override individual process MitigationOptions settings. This security feature can be used to enforce many security policies specific to applications. The application name is specified as the Value name, including extension. The Value is specified as a bit field with a series of flags in particular positions. Bits can be set to either 0 (setting is forced off), 1 (setting is forced on), or ? (setting retains its existing value prior to GPO evaluation). The recognized bit locations are:
|
||||
|
||||
PROCESS_CREATION_MITIGATION_POLICY_DEP_ENABLE (0x00000001)
|
||||
Enables data execution prevention (DEP) for the child process
|
||||
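Review bot: the rewritten description now opens two consecutive sentences with "This security feature", which reads as a mechanical substitution for "This". Suggest "It can be used to enforce…" for the second sentence. Also confirm that replacing "a number of" with "many" is intended, since it slightly changes the claim about how many policies the bit field covers.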
@ -2094,7 +2094,7 @@ PROCESS_CREATION_MITIGATION_POLICY_SEHOP_ENABLE (0x00000004)
|
||||
Enables structured exception handler overwrite protection (SEHOP) for the child process. SEHOP blocks exploits that use the structured exception handler (SEH) overwrite technique.
|
||||
|
||||
PROCESS_CREATION_MITIGATION_POLICY_FORCE_RELOCATE_IMAGES_ALWAYS_ON (0x00000100)
|
||||
The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that are not dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that do not have a base relocation section will not be loaded.
|
||||
The force Address Space Layout Randomization (ASLR) policy forcibly rebases images that aren't dynamic base compatible by acting as though an image base collision happened at load time. If relocations are required, images that don't have a base relocation section won't be loaded.
|
||||
|
||||
PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_ON (0x00010000)
|
||||
PROCESS_CREATION_MITIGATION_POLICY_BOTTOM_UP_ASLR_ALWAYS_OFF (0x00020000)
|
||||
@ -2151,7 +2151,7 @@ RSoP logs information on Group Policy settings that have been applied to the cli
|
||||
|
||||
If you enable this setting, RSoP logging is turned off.
|
||||
|
||||
If you disable or do not configure this setting, RSoP logging is turned on. By default, RSoP logging is always on.
|
||||
If you disable or don't configure this setting, RSoP logging is turned on. By default, RSoP logging is always on.
|
||||
|
||||
> [!NOTE]
|
||||
> To view the RSoP information logged on a client computer, you can use the RSoP snap-in in the Microsoft Management Console (MMC).
|
||||
@ -2245,9 +2245,9 @@ When Group Policy detects the bandwidth speed of a Direct Access connection, the
|
||||
> [!NOTE]
|
||||
> When Group Policy detects a slow network connection, Group Policy will only process those client side extensions configured for processing across a slow link (slow network connection).
|
||||
|
||||
If you enable this policy, when Group Policy cannot determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions.
|
||||
If you enable this policy, when Group Policy can't determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client side extensions.
|
||||
|
||||
If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link.
|
||||
If you disable this setting or don't configure it, Group Policy will evaluate the network connection as a slow link and process only those client side extensions configured to process over a slow link.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
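Review bot: both rewritten sentences still use "client side extensions" without a hyphen, and "Direct Access" as two words, while only the contractions were touched. Since these lines are being edited anyway, use "client-side extensions" and the product name "DirectAccess" so the wording is consistent with the rest of the Group Policy documentation.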
@ -2289,13 +2289,11 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user logon) when a slow network connection is detected.
|
||||
This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized during computer startup and user sign in) when a slow network connection is detected.
|
||||
|
||||
If you enable this policy setting, when a slow network connection is detected, Group Policy processing will always run in an asynchronous manner.
|
||||
Client computers will not wait for the network to be fully initialized at startup and logon. Existing users will be logged on using cached credentials,
|
||||
which will result in shorter logon times. Group Policy will be applied in the background after the network becomes available.
|
||||
Note that because this is a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection
|
||||
and Drive Maps preference extension will not be applied.
|
||||
Client computers won't wait for the network to be fully initialized at startup and sign in. Existing users will be signed in using cached credentials, which will result in shorter sign-in times. Group Policy will be applied in the background after the network becomes available.
|
||||
Because this policy setting enables a background refresh, extensions requiring synchronous processing such as Software Installation, Folder Redirection and Drive Maps preference extension won't be applied.
|
||||
|
||||
> [!NOTE]
|
||||
> There are two conditions that will cause Group Policy to be processed synchronously even if this policy setting is enabled:
|
||||
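Review bot: "user sign in" and "at startup and sign in" use the verb form as a noun, while the same paragraph correctly writes "sign-in times". Use "user sign-in" and "at startup and sign-in" in the noun positions. The merged sentence also needs a comma after "Folder Redirection" in "Software Installation, Folder Redirection and Drive Maps preference extension" to keep the list of extensions unambiguous.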
@ -2303,7 +2301,7 @@ and Drive Maps preference extension will not be applied.
|
||||
> - 1 - At the first computer startup after the client computer has joined the domain.
|
||||
> - 2 - If the policy setting "Always wait for the network at computer startup and logon" is enabled.
|
||||
|
||||
If you disable or do not configure this policy setting, detecting a slow network connection will not affect whether Group Policy processing will be synchronous or asynchronous.
|
||||
If you disable or don't configure this policy setting, detecting a slow network connection won't affect whether Group Policy processing will be synchronous or asynchronous.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -2345,11 +2343,11 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times.
|
||||
This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default wait time is reached. If the startup policy processing is asynchronous, the computer isn't blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times.
|
||||
|
||||
If you enable this policy setting, Group Policy will use this administratively configured maximum wait time and override any default or system-computed wait time.
|
||||
|
||||
If you disable or do not configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system.
|
||||
If you disable or don't configure this policy setting, Group Policy will use the default wait time of 30 seconds on computers running Windows Vista operating system.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -2391,9 +2389,9 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.
|
||||
This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who signs in to a computer affected by this setting. It's intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.
|
||||
|
||||
By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user logs on to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies.
|
||||
By default, the user's Group Policy Objects determine which user settings apply. If this setting is enabled, then, when a user signs in to this computer, the computer's Group Policy Objects determine which set of Group Policy Objects applies.
|
||||
|
||||
If you enable this setting, you can select one of the following modes from the Mode box:
|
||||
|
||||
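Review bot: the first rewritten sentence says "Group Policy objects" while the second says "Group Policy Objects"; pick one capitalization for both since the lines are being edited together. The first sentence also contracts "It's" but leaves "the computer that is being used" uncontracted, which is inconsistent with the stated style of the change.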
@ -2401,7 +2399,7 @@ If you enable this setting, you can select one of the following modes from the M
|
||||
|
||||
"Merge" indicates that the user settings defined in the computer's Group Policy Objects and the user settings normally applied to the user are combined. If the settings conflict, the user settings in the computer's Group Policy Objects take precedence over the user's normal settings.
|
||||
|
||||
If you disable this setting or do not configure it, the user's Group Policy Objects determines which user settings apply.
|
||||
If you disable this setting or don't configure it, the user's Group Policy Objects determines which user settings apply.
|
||||
|
||||
> [!NOTE]
|
||||
> This setting is effective only when both the computer account and the user account are in at least Windows 2000 domains.
|
||||
|
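Review bot: the rewritten line keeps a subject-verb agreement error, "the user's Group Policy Objects determines which user settings apply". The subject is plural, so this should read "determine", matching the earlier sentence "the user's Group Policy Objects determine which user settings apply".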
@ -73,9 +73,9 @@ This policy setting allows you to exclude HTML Help Executable from being monito
|
||||
|
||||
Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely.
|
||||
|
||||
If you enable this policy setting, DEP for HTML Help Executable is turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable.
|
||||
If you enable this policy setting, DEP for HTML Help Executable is turned off. This turn off will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable.
|
||||
|
||||
If you disable or do not configure this policy setting, DEP is turned on for HTML Help Executable. This provides an additional security benefit, but HTML Help stops if DEP detects system memory abnormalities.
|
||||
If you disable or don't configure this policy setting, DEP is turned on for HTML Help Executable. This turn on provides one more security benefit, but HTML Help stops if DEP detects system memory abnormalities.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
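Review bot: "This turn off will allow…" and "This turn on provides one more security benefit" are not idiomatic, and "one more" changes the sense of the original "an additional security benefit". Suggest "Turning off DEP allows certain legacy ActiveX controls to function…" and "Leaving DEP on provides an additional security benefit, but…", which keeps the security trade-off of disabling DEP for HTML Help Executable clear to the administrator.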
@ -117,25 +117,25 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is strongly recommended that only folders requiring administrative privileges be added to this policy setting.
|
||||
This policy setting allows you to restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It's recommended that only folders requiring administrative privileges be added to this policy setting.
|
||||
|
||||
If you enable this policy setting, the commands function only for .chm files in the specified folders and their subfolders.
|
||||
|
||||
To restrict the commands to one or more folders, enable the policy setting and enter the desired folders in the text box on the Settings tab of the Policy Properties dialog box. Use a semicolon to separate folders. For example, to restrict the commands to only .chm files in the %windir%\help folder and D:\somefolder, add the following string to the edit box: "%windir%\help;D:\somefolder".
|
||||
|
||||
> [!NOTE]
|
||||
> An environment variable may be used, (for example, %windir%), as long as it is defined on the system. For example, %programfiles% is not defined on some early versions of Windows.
|
||||
> An environment variable may be used, (for example, %windir%), as long as it's defined on the system. For example, %programfiles% is not defined on some early versions of Windows.
|
||||
|
||||
The "Shortcut" command is used to add a link to a Help topic, and runs executables that are external to the Help file. The "WinHelp" command is used to add a link to a Help topic, and runs a WinHLP32.exe Help (.hlp) file.
|
||||
|
||||
To disallow the "Shortcut" and "WinHelp" commands on the entire local system, enable the policy setting and leave the text box on the Settings tab of the Policy Properties dialog box blank.
|
||||
|
||||
If you disable or do not configure this policy setting, these commands are fully functional for all Help files.
|
||||
If you disable or don't configure this policy setting, these commands are fully functional for all Help files.
|
||||
|
||||
> [!NOTE]
|
||||
> Only folders on the local computer can be specified in this policy setting. You cannot use this policy setting to enable the "Shortcut" and "WinHelp" commands for .chm files that are stored on mapped drives or accessed using UNC paths.
|
||||
|
||||
For additional options, see the "Restrict these programs from being launched from Help" policy.
|
||||
For more options, see the "Restrict these programs from being launched from Help" policy.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
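Review bot: changing "It is strongly recommended" to "It's recommended" weakens the security guidance that only folders requiring administrative privileges be added to this policy setting. The "Shortcut" command runs executables external to the Help file, so the original emphasis looks deliberate; suggest keeping "strongly". Separately, the rewritten note contracts "it's defined" but leaves "%programfiles% is not defined" on the same line, and "You cannot use this policy setting" is untouched further down.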
@ -179,9 +179,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting allows you to restrict programs from being run from online Help.
|
||||
|
||||
If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas.
|
||||
If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names of the programs you want to restrict, separated by commas.
|
||||
|
||||
If you disable or do not configure this policy setting, users can run all applications from online Help.
|
||||
If you disable or don't configure this policy setting, users can run all applications from online Help.
|
||||
|
||||
> [!NOTE]
|
||||
> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings.
|
||||
@ -230,9 +230,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting allows you to restrict programs from being run from online Help.
|
||||
|
||||
If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names names of the programs you want to restrict, separated by commas.
|
||||
If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter the file names of the programs you want to restrict, separated by commas.
|
||||
|
||||
If you disable or do not configure this policy setting, users can run all applications from online Help.
|
||||
If you disable or don't configure this policy setting, users can run all applications from online Help.
|
||||
|
||||
> [!NOTE]
|
||||
> You can also restrict users from running applications by using the Software Restriction Policy settings available in Computer Configuration\Security Settings.
|
||||
|
@ -135,13 +135,13 @@ manager: dansimp
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft will not collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It is simple and user-friendly.
|
||||
This policy setting turns off the Windows Customer Experience Improvement Program. The Windows Customer Experience Improvement Program collects information about your hardware configuration and how you use our software and services to identify trends and usage patterns. Microsoft won't collect your name, address, or any other personally identifiable information. There are no surveys to complete, no salesperson will call, and you can continue working without interruption. It's simple and user-friendly.
|
||||
|
||||
If you enable this policy setting, all users are opted out of the Windows Customer Experience Improvement Program.
|
||||
|
||||
If you disable this policy setting, all users are opted into the Windows Customer Experience Improvement Program.
|
||||
|
||||
If you do not configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users.
|
||||
If you don't configure this policy setting, the administrator can use the Problem Reports and Solutions component in Control Panel to enable Windows Customer Experience Improvement Program for all users.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -187,9 +187,9 @@ This policy setting specifies whether to automatically update root certificates
|
||||
|
||||
Typically, a certificate is used when you use a secure website or when you send and receive secure email. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities.
|
||||
|
||||
If you enable this policy setting, when you are presented with a certificate issued by an untrusted root authority, your computer will not contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities.
|
||||
If you enable this policy setting, when you're presented with a certificate issued by an untrusted root authority, your computer won't contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities.
|
||||
|
||||
If you disable or do not configure this policy setting, your computer will contact the Windows Update website.
|
||||
If you disable or don't configure this policy setting, your computer will contact the Windows Update website.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -233,14 +233,14 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether to allow printing over HTTP from this client.
|
||||
|
||||
Printing over HTTP allows a client to print to printers on the intranet as well as the Internet.
|
||||
Printing over HTTP allows a client to print to printers on the intranet and the Internet.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy setting affects the client side of Internet printing only. It does not prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
|
||||
> This policy setting affects the client side of Internet printing only. It doesn't prevent this computer from acting as an Internet Printing server and making its shared printers available via HTTP.
|
||||
|
||||
If you enable this policy setting, it prevents this client from printing to Internet printers over HTTP.
|
||||
|
||||
If you disable or do not configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.
|
||||
If you disable or don't configure this policy setting, users can choose to print to Internet printers over HTTP. Also, see the "Web-based printing" policy setting in Computer Configuration/Administrative Templates/Printers.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -287,13 +287,13 @@ This policy setting specifies whether to allow this client to download print dri
|
||||
To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy setting does not prevent the client from printing to printers on the Intranet or the Internet over HTTP.
|
||||
> This policy setting doesn't prevent the client from printing to printers on the Intranet or the Internet over HTTP.
|
||||
|
||||
It only prohibits downloading drivers that are not already installed locally.
|
||||
It only prohibits downloading drivers that aren't already installed locally.
|
||||
|
||||
If you enable this policy setting, print drivers cannot be downloaded over HTTP.
|
||||
If you enable this policy setting, print drivers can't be downloaded over HTTP.
|
||||
|
||||
If you disable or do not configure this policy setting, users can download print drivers over HTTP.
|
||||
If you disable or don't configure this policy setting, users can download print drivers over HTTP.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -337,13 +337,13 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether Windows searches Windows Update for device drivers when no local drivers for a device are present.
|
||||
|
||||
If you enable this policy setting, Windows Update is not searched when a new device is installed.
|
||||
If you enable this policy setting, Windows Update isn't searched when a new device is installed.
|
||||
|
||||
If you disable this policy setting, Windows Update is always searched for drivers when no local drivers are present.
|
||||
|
||||
If you do not configure this policy setting, searching Windows Update is optional when installing a device.
|
||||
If you don't configure this policy setting, searching Windows Update is optional when installing a device.
|
||||
|
||||
Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver is not found locally.
|
||||
Also see "Turn off Windows Update device driver search prompt" in "Administrative Templates/System," which governs whether an administrator is prompted before searching Windows Update for device drivers if a driver isn't found locally.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy setting is replaced by "Specify Driver Source Search Order" in "Administrative Templates/System/Device Installation" on newer versions of Windows.
|
||||
@ -392,9 +392,9 @@ This policy setting specifies whether "Events.asp" hyperlinks are available for
|
||||
|
||||
The Event Viewer normally makes all HTTP(S) URLs into hyperlinks that activate the Internet browser when clicked. In addition, "More Information" is placed at the end of the description text if the event is created by a Microsoft component. This text contains a link (URL) that, if clicked, sends information about the event to Microsoft, and allows users to learn more about why that event occurred.
|
||||
|
||||
If you enable this policy setting, event description hyperlinks are not activated and the text "More Information" is not displayed at the end of the description.
|
||||
If you enable this policy setting, event description hyperlinks aren't activated and the text "More Information" isn't displayed at the end of the description.
|
||||
|
||||
If you disable or do not configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft.
|
||||
If you disable or don't configure this policy setting, the user can click the hyperlink, which prompts the user and then sends information about the event over the Internet to Microsoft.
|
||||
|
||||
Also, see "Events.asp URL", "Events.asp program", and "Events.asp Program Command Line Parameters" settings in "Administrative Templates/Windows Components/Event Viewer".
|
||||
|
||||
@ -444,9 +444,9 @@ This content is dynamically updated when users who are connected to the Internet
|
||||
|
||||
If you enable this policy setting, the Help and Support Center no longer retrieves nor displays "Did you know?" content.
|
||||
|
||||
If you disable or do not configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content.
|
||||
If you disable or don't configure this policy setting, the Help and Support Center retrieves and displays "Did you know?" content.
|
||||
|
||||
You might want to enable this policy setting for users who do not have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection.
|
||||
You might want to enable this policy setting for users who don't have Internet access, because the content in the "Did you know?" section will remain static indefinitely without an Internet connection.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -494,7 +494,7 @@ The Knowledge Base is an online source of technical support information and self
|
||||
|
||||
If you enable this policy setting, it removes the Knowledge Base section from the Help and Support Center "Set search options" page, and only Help content on the local computer is searched.
|
||||
|
||||
If you disable or do not configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and has not disabled the Knowledge Base search from the Search Options page.
|
||||
If you disable or don't configure this policy setting, the Knowledge Base is searched if the user has a connection to the Internet and hasn't disabled the Knowledge Base search from the Search Options page.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -538,11 +538,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources.
|
||||
|
||||
If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet.
|
||||
If you enable this setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can't access the Internet.
|
||||
|
||||
If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet.
|
||||
If you disable this policy setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet.
|
||||
|
||||
If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured.
|
||||
If you don't configure this policy setting, all of the policy settings in the "Internet Communication settings" section are set to not configured.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -586,11 +586,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources.
|
||||
|
||||
If you enable this setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features cannot access the Internet.
|
||||
If you enable this setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can't access the Internet.
|
||||
|
||||
If you disable this policy setting, all of the the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet.
|
||||
If you disable this policy setting, all of the policy settings listed in the "Internet Communication settings" section are set such that their respective features can access the Internet.
|
||||
|
||||
If you do not configure this policy setting, all of the the policy settings in the "Internet Communication settings" section are set to not configured.
|
||||
If you don't configure this policy setting, all of the policy settings in the "Internet Communication settings" section are set to not configured.
|
||||
<!--/Description-->
|
||||
|
||||
|
||||
@ -633,9 +633,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs).
|
||||
|
||||
If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This prevents users from retrieving the list of ISPs, which resides on Microsoft servers.
|
||||
If you enable this policy setting, the "Choose a list of Internet Service Providers" path in the Internet Connection Wizard causes the wizard to exit. This exit prevents users from retrieving the list of ISPs, which resides on Microsoft servers.
|
||||
|
||||
If you disable or do not configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area.
|
||||
If you disable or don't configure this policy setting, users can connect to Microsoft to download a list of ISPs for their area.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -679,11 +679,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration.
|
||||
|
||||
If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register their copy of Windows online.
|
||||
If you enable this policy setting, it blocks users from connecting to Microsoft.com for online registration and users can't register their copy of Windows online.
|
||||
|
||||
If you disable or do not configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration.
|
||||
If you disable or don't configure this policy setting, users can connect to Microsoft.com to complete the online Windows Registration.
|
||||
|
||||
Note that registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but does not involve submitting any personal information (except the country/region you live in).
|
||||
Registration is optional and involves submitting some personal information to Microsoft. However, Windows Product Activation is required but doesn't involve submitting any personal information (except the country/region you live in).
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -729,9 +729,9 @@ This policy setting controls whether or not errors are reported to Microsoft.
|
||||
|
||||
Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product.
|
||||
|
||||
If you enable this policy setting, users are not given the option to report errors.
|
||||
If you enable this policy setting, users aren't given the option to report errors.
|
||||
|
||||
If you disable or do not configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share.
|
||||
If you disable or don't configure this policy setting, the errors may be reported to Microsoft via the Internet or to a corporate file share.
|
||||
|
||||
This policy setting overrides any user setting made from the Control Panel for error reporting.
|
||||
|
||||
@ -779,9 +779,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting allows you to remove access to Windows Update.
|
||||
|
||||
If you enable this policy setting, all Windows Update features are removed. This includes blocking access to the Windows Update website at https://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you will neither be notified about nor will you receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website.
|
||||
If you enable this policy setting, all Windows Update features are removed. This list of features includes blocking access to the Windows Update website at https://windowsupdate.microsoft.com, from the Windows Update hyperlink on the Start menu, and also on the Tools menu in Internet Explorer. Windows automatic updating is also disabled; you won't get notified or receive critical updates from Windows Update. This policy setting also prevents Device Manager from automatically installing driver updates from the Windows Update website.
|
||||
|
||||
If you disable or do not configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update.
|
||||
If you disable or don't configure this policy setting, users can access the Windows Update website and enable automatic updating to receive notifications and critical updates from Windows Update.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy applies only when this PC is configured to connect to an intranet update service using the "Specify intranet Microsoft update service location" policy.
|
||||
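Review bot: In the rewritten "If you enable this policy setting" paragraph, "This list of features includes blocking access to the Windows Update website" changes the meaning, because blocking access is an effect of the policy and not one of the Windows Update features being removed. Keep the original "This includes blocking access ..." or use "This removal includes blocking access ...". Since enabling the setting also stops critical updates, the sentence describing what is disabled needs to stay unambiguous.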
@ -828,11 +828,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches.
|
||||
|
||||
When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and additional content files used to format and display results.
|
||||
When users search the local computer or the Internet, Search Companion occasionally connects to Microsoft to download an updated privacy policy and more content files used to format and display results.
|
||||
|
||||
If you enable this policy setting, Search Companion does not download content updates during searches.
|
||||
If you enable this policy setting, Search Companion doesn't download content updates during searches.
|
||||
|
||||
If you disable or do not configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search.
|
||||
If you disable or don't configure this policy setting, Search Companion downloads content updates unless the user is using Classic Search.
|
||||
|
||||
> [!NOTE]
|
||||
> Internet searches still send the search text and information about the search to Microsoft and the chosen search provider. Choosing Classic Search turns off the Search Companion feature completely.
|
||||
@ -879,11 +879,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association.
|
||||
|
||||
When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application.
|
||||
When a user opens a file that has an extension that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application.
|
||||
|
||||
If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed.
|
||||
|
||||
If you disable or do not configure this policy setting, the user is allowed to use the Web service.
|
||||
If you disable or don't configure this policy setting, the user is allowed to use the Web service.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -927,11 +927,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association.
|
||||
|
||||
When a user opens a file that has an extension that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application.
|
||||
When a user opens a file that has an extension that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Web service to find an application.
|
||||
|
||||
If you enable this policy setting, the link and the dialog for using the Web service to open an unhandled file association are removed.
|
||||
|
||||
If you disable or do not configure this policy setting, the user is allowed to use the Web service.
|
||||
If you disable or don't configure this policy setting, the user is allowed to use the Web service.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -975,11 +975,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association.
|
||||
|
||||
When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application.
|
||||
When a user opens a file type or protocol that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application.
|
||||
|
||||
If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed.
|
||||
|
||||
If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.
|
||||
If you disable or don't configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1023,11 +1023,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association.
|
||||
|
||||
When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application.
|
||||
When a user opens a file type or protocol that isn't associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application.
|
||||
|
||||
If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed.
|
||||
|
||||
If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.
|
||||
If you disable or don't configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1071,11 +1071,11 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry.
|
||||
|
||||
If you enable this policy setting, Windows does not download providers, and only the service providers that are cached in the local registry are displayed.
|
||||
If you enable this policy setting, Windows doesn't download providers, and only the service providers that are cached in the local registry are displayed.
|
||||
|
||||
If you disable or do not configure this policy setting, a list of providers are downloaded when the user uses the web publishing or online ordering wizards.
|
||||
If you disable or don't configure this policy setting, a list of providers is downloaded when the user uses the web publishing or online ordering wizards.
|
||||
|
||||
See the documentation for the web publishing and online ordering wizards for more information, including details on specifying service providers in the registry.
|
||||
For more information, including details on specifying service providers in the registry, see the documentation for the web publishing and online ordering wizards.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1121,7 +1121,7 @@ This policy setting specifies whether the "Order Prints Online" task is availabl
|
||||
|
||||
The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.
|
||||
|
||||
If you disable or do not configure this policy setting, the task is displayed.
|
||||
If you disable or don't configure this policy setting, the task is displayed.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1169,7 +1169,7 @@ The Order Prints Online Wizard is used to download a list of providers and allow
|
||||
|
||||
If you enable this policy setting, the task "Order Prints Online" is removed from Picture Tasks in File Explorer folders.
|
||||
|
||||
If you disable or do not configure this policy setting, the task is displayed.
|
||||
If you disable or don't configure this policy setting, the task is displayed.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1215,7 +1215,7 @@ This policy setting specifies whether the tasks "Publish this file to the Web,"
|
||||
|
||||
The Web Publishing Wizard is used to download a list of providers and allow users to publish content to the web.
|
||||
|
||||
If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or do not configure this policy setting, the tasks are shown.
|
||||
If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders. If you disable or don't configure this policy setting, the tasks are shown.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1263,7 +1263,7 @@ The Web Publishing Wizard is used to download a list of providers and allow user
|
||||
|
||||
If you enable this policy setting, these tasks are removed from the File and Folder tasks in Windows folders.
|
||||
|
||||
If you disable or do not configure this policy setting, the tasks are shown.
|
||||
If you disable or don't configure this policy setting, the tasks are shown.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1305,15 +1305,15 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used.
|
||||
This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service are used.
|
||||
|
||||
With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used.
|
||||
|
||||
This information is used to improve the product in future releases.
|
||||
|
||||
If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown.
|
||||
If you enable this policy setting, Windows Messenger doesn't collect usage information, and the user settings to enable the collection of usage information aren't shown.
|
||||
|
||||
If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown. If you do not configure this policy setting, users have the choice to opt in and allow information to be collected.
|
||||
If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting isn't shown. If you don't configure this policy setting, users have the choice to opt in and allow information to be collected.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -1355,17 +1355,17 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used.
|
||||
This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service are used.
|
||||
|
||||
With the Customer Experience Improvement program, users can allow Microsoft to collect anonymous information about how the product is used.
|
||||
|
||||
This information is used to improve the product in future releases.
|
||||
|
||||
If you enable this policy setting, Windows Messenger does not collect usage information, and the user settings to enable the collection of usage information are not shown.
|
||||
If you enable this policy setting, Windows Messenger doesn't collect usage information, and the user settings to enable the collection of usage information aren't shown.
|
||||
|
||||
If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting is not shown.
|
||||
If you disable this policy setting, Windows Messenger collects anonymous usage information, and the setting isn't shown.
|
||||
|
||||
If you do not configure this policy setting, users have the choice to opt in and allow information to be collected.
|
||||
If you don't configure this policy setting, users have the choice to opt in and allow information to be collected.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
@ -62,11 +62,11 @@ manager: dansimp
|
||||
<!--Description-->
|
||||
This policy setting prevents installation of Internet Information Services (IIS) on this computer.
|
||||
|
||||
- If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting.
|
||||
- If you enable this policy setting, Internet Information Services (IIS) can't be installed, and you'll not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS can't be installed because of this Group Policy setting.
|
||||
|
||||
Enabling this setting will not have any effect on IIS if IIS is already installed on the computer.
|
||||
Enabling this setting won't have any effect on IIS if IIS is already installed on the computer.
|
||||
|
||||
- If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run."
|
||||
- If you disable or don't configure this policy setting, IIS can be installed, and all the programs and applications that require IIS to run."
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
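Review bot: The rewritten last bullet, "IIS can be installed, and all the programs and applications that require IIS to run.", no longer parses: replacing "as well as" with "and" leaves the second clause without a verb, and the stray closing quotation mark at the end of the line is still there. Suggest "IIS can be installed, along with all the programs and applications that require IIS to run." and dropping the trailing quote. In the first bullet, "you'll not be able to install" reads better as "you won't be able to install".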
@ -154,7 +154,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
If enabled then do not allow the initiator CHAP secret to be changed.
|
||||
If enabled then don't allow the initiator CHAP secret to be changed.
|
||||
|
||||
If disabled then the initiator CHAP secret may be changed.
|
||||
|
||||
|
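Review bot: The changed line "If enabled then don't allow the initiator CHAP secret to be changed." only gains a contraction and still reads as an instruction to the administrator instead of a description of what the setting does. Suggest matching the form used in the other descriptions in this commit: "If you enable this policy setting, the initiator CHAP secret can't be changed." and, for the following line, "If you disable this policy setting, the initiator CHAP secret can be changed."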
@ -79,18 +79,18 @@ This policy setting allows you to configure a domain controller to support claim
|
||||
|
||||
If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain.
|
||||
|
||||
If you disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring.
|
||||
If you disable or don't configure this policy setting, the domain controller doesn't support claims, compound authentication or armoring.
|
||||
|
||||
If you configure the "Not supported" option, the domain controller does not support claims, compound authentication or armoring which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems.
|
||||
If you configure the "Not supported" option, the domain controller doesn't support claims, compound authentication or armoring, which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems.
|
||||
|
||||
> [!NOTE]
|
||||
> For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not use these features.
|
||||
> For the following options of this KDC policy to be effective, the Kerberos Group Policy "Kerberos client support for claims, compound authentication and Kerberos armoring" must be enabled on supported systems. If the Kerberos policy setting isn't enabled, Kerberos authentication messages won't use these features.
|
||||
|
||||
If you configure "Supported", the domain controller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring.
|
||||
|
||||
**Domain functional level requirements**
|
||||
|
||||
For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected.
|
||||
For the options "Always provide claims" and "Fail unarmored authentication requests", when the domain functional level is set to Windows Server 2008 R2 or earlier, then domain controllers behave as if the "Supported" option is selected.
|
||||
|
||||
When the domain functional level is set to Windows Server 2012 then the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and:
|
||||
|
||||
@ -98,15 +98,15 @@ When the domain functional level is set to Windows Server 2012 then the domain c
|
||||
- If you set the "Fail unarmored authentication requests" option, rejects unarmored Kerberos messages.
|
||||
|
||||
> [!WARNING]
|
||||
> When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate to the domain controller.
|
||||
> When "Fail unarmored authentication requests" is set, then client computers which don't support Kerberos armoring will fail to authenticate to the domain controller.
|
||||
|
||||
To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. Insufficient number of domain controllers that support this policy result in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the "Supported" option is enabled).
|
||||
|
||||
Impact on domain controller performance when this policy setting is enabled:
|
||||
|
||||
- Secure Kerberos domain capability discovery is required resulting in additional message exchanges.
|
||||
- Claims and compound authentication for Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size.
|
||||
- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time, but does not change the service ticket size.
|
||||
- Secure Kerberos domain capability discovery is required, resulting in more message exchanges.
|
||||
- Claims and compound authentication for Dynamic Access Control increase the size and complexity of the data in the message, which results in more processing time and greater Kerberos service ticket size.
|
||||
- Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which results in increased processing time, but doesn't change the service ticket size.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
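Review bot: The rewritten WARNING line keeps "client computers which don't support Kerberos armoring", while the PKInit hunk in this same commit changes the equivalent restrictive clause to "Kerberos clients that don't support"; use "that" here too for consistency. The unchanged sentence just below, "Insufficient number of domain controllers that support this policy result in authentication failures", also has a subject and verb that don't agree and could be fixed in the same pass ("An insufficient number of domain controllers ... results in").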
@ -150,9 +150,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs).
|
||||
|
||||
If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain.
|
||||
If you enable this policy setting, the KDC will search the forests in this list if it's unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain.
|
||||
|
||||
If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used.
|
||||
If you disable or don't configure this policy setting, the KDC won't search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name isn't found, NTLM authentication might be used.
|
||||
|
||||
To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain.
|
||||
|
||||
@ -196,7 +196,7 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain is not at Windows Server 2016 DFL or higher this policy will not be applied.
|
||||
Support for PKInit Freshness Extension requires Windows Server 2016 domain functional level (DFL). If the domain controller’s domain isn't at Windows Server 2016 DFL or higher, this policy won't be applied.
|
||||
|
||||
This policy setting allows you to configure a domain controller (DC) to support the PKInit Freshness Extension.
|
||||
|
||||
@ -204,7 +204,7 @@ If you enable this policy setting, the following options are supported:
|
||||
|
||||
Supported: PKInit Freshness Extension is supported on request. Kerberos clients successfully authenticating with the PKInit Freshness Extension will get the fresh public key identity SID.
|
||||
|
||||
Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients which do not support the PKInit Freshness Extension will always fail when using public key credentials.
|
||||
Required: PKInit Freshness Extension is required for successful authentication. Kerberos clients that don't support the PKInit Freshness Extension will always fail when using public key credentials.
|
||||
|
||||
If you disable or not configure this policy setting, then the DC will never offer the PKInit Freshness Extension and accept valid authentication requests without checking for freshness. Users will never receive the fresh public key identity SID.
|
||||
|
||||
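Review bot: The last line of this hunk, "If you disable or not configure this policy setting", is left untouched even though it is missing "do"; the rest of the commit normalizes this phrase to "If you disable or don't configure this policy setting". That sentence states that the DC will accept valid authentication requests without checking for freshness, so it is worth making it read cleanly. "will never offer the PKInit Freshness Extension and accept valid authentication requests" would also be clearer as "and will accept".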
@ -255,7 +255,7 @@ This policy setting allows you to configure a domain controller to request compo
|
||||
|
||||
If you enable this policy setting, domain controllers will request compound authentication. The returned service ticket will contain compound authentication only when the account is explicitly configured. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain.
|
||||
|
||||
If you disable or do not configure this policy setting, domain controllers will return service tickets that contain compound authentication any time the client sends a compound authentication request regardless of the account configuration.
|
||||
If you disable or don't configure this policy setting, domain controllers will return service tickets that contain compound authentication anytime the client sends a compound authentication request regardless of the account configuration.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -299,9 +299,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log.
|
||||
|
||||
If you enable this policy setting, you can set the threshold limit for Kerberos ticket which trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy.
|
||||
If you enable this policy setting, you can set the threshold limit for Kerberos ticket, which triggers the warning events. If set too high, then authentication failures might be occurring even though warning events aren't being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy "Set maximum Kerberos SSPI context token buffer size" or the smallest MaxTokenSize used in your environment if you aren't configuring using Group Policy.
|
||||
|
||||
If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.
|
||||
If you disable or don't configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
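Review bot: In the rewritten "If you enable this policy setting" sentence, "the threshold limit for Kerberos ticket, which triggers the warning events" turns a restrictive clause into a non-restrictive one and changes what the sentence says; the original meant the tickets that trigger the warning. Suggest "you can set the threshold limit for Kerberos tickets that trigger the warning events". The singular "Kerberos ticket" without an article was already wrong in the old line and is carried over.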
@ -347,12 +347,12 @@ This policy setting controls whether the domain controller provides information
|
||||
|
||||
If you enable this policy setting, the domain controller provides the information message about previous logons.
|
||||
|
||||
For Windows Logon to leverage this feature, the "Display information about previous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled.
|
||||
For Windows Logon to use this feature, the "Display information about previous logons during user logon" policy setting located in the Windows Logon Options node under Windows Components also needs to be enabled.
|
||||
|
||||
If you disable or do not configure this policy setting, the domain controller does not provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled.
|
||||
If you disable or don't configure this policy setting, the domain controller doesn't provide information about previous logons unless the "Display information about previous logons during user logon" policy setting is enabled.
|
||||
|
||||
> [!NOTE]
|
||||
> Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting does not affect anything.
|
||||
> Information about previous logons is provided only if the domain functional level is Windows Server 2008. In domains with a domain functional level of Windows Server 2003, Windows 2000 native, or Windows 2000 mixed, domain controllers cannot provide information about previous logons, and enabling this policy setting doesn't affect anything.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
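Review bot: The [!NOTE] sentence is only half converted: "does not affect anything" became "doesn't affect anything", but "domain controllers cannot provide information about previous logons" in the same sentence was left unchanged. Change it to "can't provide" so the note follows the contraction style applied to the rest of this hunk.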
@ -88,7 +88,7 @@ This policy setting controls whether a device always sends a compound authentica
|
||||
|
||||
If you enable this policy setting and the resource domain requests compound authentication, devices that support compound authentication always send a compound authentication request.
|
||||
|
||||
If you disable or do not configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication.
|
||||
If you disable or don't configure this policy setting and the resource domain requests compound authentication, devices will send a non-compounded authentication request first then a compound authentication request when the service requests compound authentication.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
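Review bot: The rewritten disable/not-configured sentence still reads "send a non-compounded authentication request first then a compound authentication request", which is hard to parse. Add a comma before "then" and pick one term ("non-compound" to match "compound authentication request") while this line is being touched.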
@ -130,18 +130,18 @@ ADMX Info:
|
||||
|
||||
<!--/Scope-->
|
||||
<!--Description-->
|
||||
Support for device authentication using certificate will require connectivity to a DC in the device account domain which supports certificate authentication for computer accounts.
|
||||
Support for device authentication using certificate will require connectivity to a DC in the device account domain that supports certificate authentication for computer accounts.
|
||||
|
||||
This policy setting allows you to set support for Kerberos to attempt authentication using the certificate for the device to the domain.
|
||||
|
||||
If you enable this policy setting, the device's credentials will be selected based on the following options:
|
||||
|
||||
- Automatic: Device will attempt to authenticate using its certificate. If the DC does not support computer account authentication using certificates then authentication with password will be attempted.
|
||||
- Force: Device will always authenticate using its certificate. If a DC cannot be found which support computer account authentication using certificates then authentication will fail.
|
||||
- Automatic: Device will attempt to authenticate using its certificate. If the DC doesn't support computer account authentication using certificates, then authentication with password will be attempted.
|
||||
- Force: Device will always authenticate using its certificate. If a DC can't be found which support computer account authentication using certificates, then authentication will fail.
|
||||
|
||||
If you disable this policy setting, certificates will never be used.
|
||||
|
||||
If you do not configure this policy setting, Automatic will be used.
|
||||
If you don't configure this policy setting, Automatic will be used.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
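Review bot: The new Force bullet keeps a grammar error: "If a DC can't be found which support computer account authentication using certificates". The first line of this same hunk already changes "which supports" to "that supports", so the bullet should read "If a DC that supports computer account authentication using certificates can't be found, then authentication will fail." The Automatic bullet is fine as changed.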
@ -189,7 +189,7 @@ If you enable this policy setting, you can view and change the list of DNS host
|
||||
|
||||
If you disable this policy setting, the host name-to-Kerberos realm mappings list defined by Group Policy is deleted.
|
||||
|
||||
If you do not configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist.
|
||||
If you don't configure this policy setting, the system uses the host name-to-Kerberos realm mappings that are defined in the local registry, if they exist.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -234,9 +234,10 @@ ADMX Info:
|
||||
This policy setting allows you to disable revocation check for the SSL certificate of the targeted KDC proxy server.
|
||||
|
||||
If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections.
|
||||
Warning: When revocation check is ignored, the server represented by the certificate is not guaranteed valid.
|
||||
> [!WARNING]
|
||||
> When revocation check is ignored, the server represented by the certificate isn't guaranteed valid.
|
||||
|
||||
If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails.
|
||||
If you disable or don't configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server isn't established if the revocation check fails.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
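Review bot: The new [!WARNING] callout carries only the consequence ("the server represented by the certificate isn't guaranteed valid"), while the operational guidance, "This policy setting should only be used in troubleshooting KDC proxy connections", stays in the paragraph above it where it is easy to miss. Consider moving that sentence into the callout so the restriction and the risk are read together, and change "isn't guaranteed valid" to "isn't guaranteed to be valid".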
@ -280,9 +281,9 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting configures the Kerberos client's mapping to KDC proxy servers for domains based on their DNS suffix names.
|
||||
|
||||
If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
|
||||
If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller can't be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters.
|
||||
|
||||
If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy.
|
||||
If you disable or don't configure this policy setting, the Kerberos client doesn't have KDC proxy servers settings defined by Group Policy.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
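Review bot: The changed closing sentence still says "the Kerberos client doesn't have KDC proxy servers settings defined by Group Policy"; "servers settings" should be "server settings". The long enable paragraph also packs five separate actions (map, view, remove, edit, syntax) into one block; since the line is already modified here, splitting it into a short list would make the procedure easier to follow.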
@ -330,7 +331,7 @@ If you enable this policy setting, you can view and change the list of interoper
|
||||
|
||||
If you disable this policy setting, the interoperable Kerberos V5 realm settings defined by Group Policy are deleted.
|
||||
|
||||
If you do not configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist.
|
||||
If you don't configure this policy setting, the system uses the interoperable Kerberos V5 realm settings that are defined in the local registry, if they exist.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -374,7 +375,7 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting controls configuring the device's Active Directory account for compound authentication.
|
||||
|
||||
Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy.
|
||||
Support for providing compound authentication that is used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Support Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy.
|
||||
|
||||
If you enable this policy setting, the device's Active Directory account will be configured for compound authentication by the following options:
|
||||
|
||||
@ -384,7 +385,7 @@ If you enable this policy setting, the device's Active Directory account will be
|
||||
|
||||
If you disable this policy setting, Never will be used.
|
||||
|
||||
If you do not configure this policy setting, Automatic will be used.
|
||||
If you don't configure this policy setting, Automatic will be used.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -430,7 +431,7 @@ This policy setting allows you to configure this server so that Kerberos can dec
|
||||
|
||||
If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate.
|
||||
|
||||
If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN.
|
||||
If you disable or don't configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
@ -73,7 +73,7 @@ This policy setting determines the cipher suites used by the SMB server.
|
||||
|
||||
If you enable this policy setting, cipher suites are prioritized in the order specified.
|
||||
|
||||
If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used.
|
||||
If you enable this policy setting and don't specify at least one supported cipher suite, or if you disable or don't configure this policy setting, the default cipher suite order is used.
|
||||
|
||||
SMB 3.11 cipher suites:
|
||||
|
||||
@ -139,9 +139,9 @@ This policy setting specifies whether a hash generation service generates hashes
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following:
|
||||
Select one of the following options:
|
||||
|
||||
- Not Configured. With this selection, hash publication settings are not applied to file servers. In the circumstance where file servers are domain members but you do not want to enable BranchCache on all file servers, you can specify Not Configured for this domain Group Policy setting, and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy setting is not configured, it will not over-write the enabled setting that you use on individual servers where you want to enable BranchCache.
|
||||
- Not Configured. With this selection, hash publication settings aren't applied to file servers. In the circumstance where file servers are domain members but you don't want to enable BranchCache on all file servers, you can specify Not Configured for this domain Group Policy setting, and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy setting isn't configured, it will not over-write the enabled setting that you use on individual servers where you want to enable BranchCache.
|
||||
- Enabled. With this selection, hash publication is turned on for all file servers where Group Policy is applied. For example, if Hash Publication for BranchCache is enabled in domain Group Policy, hash publication is turned on for all domain member file servers to which the policy is applied. The file servers are then able to create content information for all content that is stored in BranchCache-enabled file shares.
|
||||
- Disabled. With this selection, hash publication is turned off for all file servers where Group Policy is applied.
|
||||
|
||||
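Review bot: In the Not Configured bullet the contractions were applied to "aren't", "don't" and "isn't", but the last sentence still reads "it will not over-write the enabled setting". Change it to "it won't overwrite" so the bullet is consistent and the hyphenated "over-write" is corrected in the same pass.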
@ -149,7 +149,7 @@ In circumstances where this policy setting is enabled, you can also select the f
|
||||
|
||||
- Allow hash publication for all shared folders. With this option, BranchCache generates content information for all content in all shares on the file server.
|
||||
- Allow hash publication only for shared folders on which BranchCache is enabled. With this option, content information is generated only for shared folders on which BranchCache is enabled. If you use this setting, you must enable BranchCache for individual shares in Share and Storage Management on the file server.
|
||||
- Disallow hash publication on all shared folders. With this option, BranchCache does not generate content information for any shares on the computer and does not send content information to client computers that request content.
|
||||
- Disallow hash publication on all shared folders. With this option, BranchCache doesn't generate content information for any shares on the computer and doesn't send content information to client computers that request content.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -197,13 +197,13 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled.
|
||||
|
||||
If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes.
|
||||
If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it's the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes.
|
||||
|
||||
Policy configuration
|
||||
|
||||
Select one of the following:
|
||||
Select one of the following options:
|
||||
|
||||
- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported.
|
||||
- Not Configured. With this selection, BranchCache settings aren't applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported.
|
||||
- Enabled. With this selection, the policy setting is applied and the hash version(s) that are specified in "Hash version supported" are generated and retrieved.
|
||||
- Disabled. With this selection, both V1 and V2 hash generation and retrieval are supported.
|
||||
|
||||
@ -259,7 +259,7 @@ This policy setting determines how the SMB server selects a cipher suite when ne
|
||||
|
||||
If you enable this policy setting, the SMB server will select the cipher suite it most prefers from the list of client-supported cipher suites, ignoring the client's preferences.
|
||||
|
||||
If you disable or do not configure this policy setting, the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher suites.
|
||||
If you disable or don't configure this policy setting, the SMB server will select the cipher suite the client most prefers from the list of server-supported cipher suites.
|
||||
|
||||
> [!NOTE]
|
||||
> When configuring this security setting, changes will not take effect until you restart Windows.
|
||||
|
@ -70,7 +70,7 @@ This policy setting determines the cipher suites used by the SMB client.
|
||||
|
||||
If you enable this policy setting, cipher suites are prioritized in the order specified.
|
||||
|
||||
If you enable this policy setting and do not specify at least one supported cipher suite, or if you disable or do not configure this policy setting, the default cipher suite order is used.
|
||||
If you enable this policy setting and don't specify at least one supported cipher suite, or if you disable or don't configure this policy setting, the default cipher suite order is used.
|
||||
|
||||
SMB 3.11 cipher suites:
|
||||
|
||||
@ -135,12 +135,12 @@ ADMX Info:
|
||||
<!--Description-->
|
||||
This policy setting determines the behavior of SMB handle caching for clients connecting to an SMB share where the Continuous Availability (CA) flag is enabled.
|
||||
|
||||
If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files.
|
||||
If you enable this policy setting, the SMB client will allow cached handles to files on CA shares. This provision may lead to better performance when repeatedly accessing a large number of unstructured data files on CA shares running in Microsoft Azure Files.
|
||||
|
||||
If you disable or do not configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares.
|
||||
If you disable or don't configure this policy setting, Windows will prevent use of cached handles to files opened through CA shares.
|
||||
|
||||
> [!NOTE]
|
||||
> This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft does not recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage.
|
||||
> This policy has no effect when connecting Scale-out File Server shares provided by a Windows Server. Microsoft doesn't recommend enabling this policy for clients that routinely connect to files hosted on a Windows Failover Cluster with the File Server for General Use role, as it can lead to adverse failover times and increased memory and CPU usage.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
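Review bot: "This provision may lead to better performance" replaces a vague "This" with a word that doesn't name anything in the preceding sentence; "Caching handles may lead to better performance" or "This setting may lead to" states the subject directly. In the [!NOTE] line changed below it, "when connecting Scale-out File Server shares" is also missing "to" and can be fixed in the same edit.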
@ -186,10 +186,10 @@ This policy setting determines the behavior of Offline Files on clients connecti
|
||||
|
||||
If you enable this policy setting, the "Always Available offline" option will appear in the File Explorer menu on a Windows computer when connecting to a CA-enabled share. Pinning of files on CA-enabled shares using client-side caching will also be possible.
|
||||
|
||||
If you disable or do not configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares.
|
||||
If you disable or don't configure this policy setting, Windows will prevent use of Offline Files with CA-enabled shares.
|
||||
|
||||
> [!NOTE]
|
||||
> Microsoft does not recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states.
|
||||
> Microsoft doesn't recommend enabling this group policy. Use of CA with Offline Files will lead to very long transition times between the online and offline states.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|
@ -67,9 +67,9 @@ This policy setting changes the operational behavior of the Mapper I/O network p
|
||||
|
||||
LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth estimation and network health analysis.
|
||||
|
||||
If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead.
|
||||
If you enable this policy setting, more options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow LLTDIO to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead.
|
||||
|
||||
If you disable or do not configure this policy setting, the default behavior of LLTDIO will apply.
|
||||
If you disable or don't configure this policy setting, the default behavior of LLTDIO will apply.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
@ -115,9 +115,9 @@ This policy setting changes the operational behavior of the Responder network pr
|
||||
|
||||
The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a computer to participate in Quality-of-Service activities such as bandwidth estimation and network health analysis.
|
||||
|
||||
If you enable this policy setting, additional options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead.
|
||||
If you enable this policy setting, more options are available to fine-tune your selection. You may choose the "Allow operation while in domain" option to allow the Responder to operate on a network interface that's connected to a managed network. On the other hand, if a network interface is connected to an unmanaged network, you may choose the "Allow operation while in public network" and "Prohibit operation while in private network" options instead.
|
||||
|
||||
If you disable or do not configure this policy setting, the default behavior for the Responder will apply.
|
||||
If you disable or don't configure this policy setting, the default behavior for the Responder will apply.
|
||||
|
||||
<!--/Description-->
|
||||
|
||||
|