From db54ebf279106a70c0e655270956f82c5583a225 Mon Sep 17 00:00:00 2001
From: Liz Long <104389055+lizgt2000@users.noreply.github.com>
Date: Fri, 6 Jan 2023 08:45:01 -0500
Subject: [PATCH] nca ncsi netlogon
---
.../mdm/policy-csp-admx-nca.md | 712 ++--
.../mdm/policy-csp-admx-ncsi.md | 589 ++--
.../mdm/policy-csp-admx-netlogon.md | 3001 +++++++++--------
3 files changed, 2347 insertions(+), 1955 deletions(-)
diff --git a/windows/client-management/mdm/policy-csp-admx-nca.md b/windows/client-management/mdm/policy-csp-admx-nca.md
index a2a46c2c76..95602c2c77 100644
--- a/windows/client-management/mdm/policy-csp-admx-nca.md
+++ b/windows/client-management/mdm/policy-csp-admx-nca.md
@@ -1,446 +1,528 @@
---
-title: Policy CSP - ADMX_nca
-description: Policy CSP - ADMX_nca
+title: ADMX_nca Policy CSP
+description: Learn more about the ADMX_nca Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
+ms.date: 01/06/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/14/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - ADMX_nca
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## ADMX_nca policies
+
+## CorporateResources
-
- -
- ADMX_nca/CorporateResources
-
- -
- ADMX_nca/CustomCommands
-
- -
- ADMX_nca/DTEs
-
- -
- ADMX_nca/FriendlyName
-
- -
- ADMX_nca/LocalNamesOn
-
- -
- ADMX_nca/PassiveMode
-
- -
- ADMX_nca/ShowUI
-
- -
- ADMX_nca/SupportEmail
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_nca/CorporateResources
+```
+
-
-
-
-**ADMX_nca/CorporateResources**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource.
+
+
+Specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource.
Each string can be one of the following types:
- A DNS name or IPv6 address that NCA pings. The syntax is “PING:” followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:2002:836b:1::1.
-> [!NOTE]
-> We recommend that you use FQDNs instead of IPv6 addresses wherever possible.
+Note
-> [!IMPORTANT]
-> At least one of the entries must be a PING: resource.
-> - A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page don't matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:http://myserver.corp.contoso.com/ or HTTP:http://2002:836b:1::1/.
-> - A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file don't matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
+We recommend that you use FQDNs instead of IPv6 addresses wherever possible.
+
+Important
+
+At least one of the entries must be a PING: resource.
+
+- A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP: or HTTP:https://2002:836b:1::1/.
+
+- A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
You must configure this setting to have complete NCA functionality.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Corporate Resources*
-- GP name: *CorporateResources*
-- GP path: *Network\DirectAccess Client Experience Settings*
-- GP ADMX file name: *nca.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_nca/CustomCommands**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | CorporateResources |
+| Friendly Name | Corporate Resources |
+| Location | Computer Configuration |
+| Path | Network > DirectAccess Client Experience Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant |
+| ADMX File Name | nca.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## CustomCommands
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_nca/CustomCommands
+```
+
-
-
-This policy setting specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands.
+
+
+Specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Custom Commands*
-- GP name: *CustomCommands*
-- GP path: *Network\DirectAccess Client Experience Settings*
-- GP ADMX file name: *nca.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_nca/DTEs**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | CustomCommands |
+| Friendly Name | Custom Commands |
+| Location | Computer Configuration |
+| Path | Network > DirectAccess Client Experience Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\CustomCommands |
+| ADMX File Name | nca.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## DTEs
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_nca/DTEs
+```
+
-
-
-This policy setting specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints.
+
+
+Specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints.
By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel.
Each entry consists of the text PING: followed by the IPv6 address of an IPsec tunnel endpoint. Example: PING:2002:836b:1::836b:1.
You must configure this setting to have complete NCA functionality.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *IPsec Tunnel Endpoints*
-- GP name: *DTEs*
-- GP path: *Network\DirectAccess Client Experience Settings*
-- GP ADMX file name: *nca.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_nca/FriendlyName**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | DTEs |
+| Friendly Name | IPsec Tunnel Endpoints |
+| Location | Computer Configuration |
+| Path | Network > DirectAccess Client Experience Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant\DTEs |
+| ADMX File Name | nca.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## FriendlyName
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_nca/FriendlyName
+```
+
-
-
-This policy setting specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation.
+
+
+Specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation.
-If this setting isn't configured, the string that appears for DirectAccess connectivity is “Corporate Connection”.
+If this setting is not configured, the string that appears for DirectAccess connectivity is “Corporate Connection”.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Friendly Name*
-- GP name: *FriendlyName*
-- GP path: *Network\DirectAccess Client Experience Settings*
-- GP ADMX file name: *nca.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_nca/LocalNamesOn**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | FriendlyName |
+| Friendly Name | Friendly Name |
+| Location | Computer Configuration |
+| Path | Network > DirectAccess Client Experience Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant |
+| ADMX File Name | nca.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## LocalNamesOn
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_nca/LocalNamesOn
+```
+
-
-
-This policy setting specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon.
+
+
+Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon.
-If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. NCA doesn't remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names.
+If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers.
-The ability to disconnect allows users to specify single-label, unqualified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection hasn't correctly determined that the DirectAccess client computer is connected to its own intranet.
+**Note** that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names.
+
+The ability to disconnect allows users to specify single-label, unqualified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet.
To restore the DirectAccess rules to the NRPT and resume normal DirectAccess functionality, the user clicks Connect.
-> [!NOTE]
-> If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT.
+Note
+If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT.
-If this setting isn't configured, users don't have Connect or Disconnect options.
+If this setting is not configured, users do not have Connect or Disconnect options.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Prefer Local Names Allowed*
-- GP name: *LocalNamesOn*
-- GP path: *Network\DirectAccess Client Experience Settings*
-- GP ADMX file name: *nca.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_nca/PassiveMode**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | LocalNamesOn |
+| Friendly Name | Prefer Local Names Allowed |
+| Location | Computer Configuration |
+| Path | Network > DirectAccess Client Experience Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant |
+| Registry Value Name | NamePreferenceAllowed |
+| ADMX File Name | nca.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## PassiveMode
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_nca/PassiveMode
+```
+
-
-
-This policy setting specifies whether NCA service runs in Passive Mode or not.
+
+
+Specifies whether NCA service runs in Passive Mode or not.
-Set this policy setting to Disabled to keep NCA probing actively all the time. If this setting isn't configured, NCA probing is in active mode by default.
-
+Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default.
+
+
+
+
-
-ADMX Info:
-- GP Friendly name: *DirectAccess Passive Mode*
-- GP name: *PassiveMode*
-- GP path: *Network\DirectAccess Client Experience Settings*
-- GP ADMX file name: *nca.admx*
+
+**Description framework properties**:
-
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**ADMX_nca/ShowUI**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | PassiveMode |
+| Friendly Name | DirectAccess Passive Mode |
+| Location | Computer Configuration |
+| Path | Network > DirectAccess Client Experience Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant |
+| Registry Value Name | PassiveMode |
+| ADMX File Name | nca.admx |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
+
+## ShowUI
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
-This policy setting specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon.
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_nca/ShowUI
+```
+
-Set this policy setting to Disabled to prevent user confusion when you're just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access.
+
+
+Specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon.
-If this setting isn't configured, the entry for DirectAccess connectivity appears.
+Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access.
-
+If this setting is not configured, the entry for DirectAccess connectivity appears.
+
+
+
+
-
-ADMX Info:
-- GP Friendly name: *User Interface*
-- GP name: *ShowUI*
-- GP path: *Network\DirectAccess Client Experience Settings*
-- GP ADMX file name: *nca.admx*
+
+**Description framework properties**:
-
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**ADMX_nca/SupportEmail**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | ShowUI |
+| Friendly Name | User Interface |
+| Location | Computer Configuration |
+| Path | Network > DirectAccess Client Experience Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant |
+| Registry Value Name | ShowUI |
+| ADMX File Name | nca.admx |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
+
+## SupportEmail
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
-This policy setting specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator.
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_nca/SupportEmail
+```
+
+
+
+
+Specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator.
When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .html file. The user can review the message and add additional information before sending the message.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Support Email Address*
-- GP name: *SupportEmail*
-- GP path: *Network\DirectAccess Client Experience Settings*
-- GP ADMX file name: *nca.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-## Related topics
+| Name | Value |
+|:--|:--|
+| Name | SupportEmail |
+| Friendly Name | Support Email Address |
+| Location | Computer Configuration |
+| Path | Network > DirectAccess Client Experience Settings |
+| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\NetworkConnectivityAssistant |
+| ADMX File Name | nca.admx |
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
\ No newline at end of file
+
+
+
+
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
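Review bot: The rewritten HTTP bullet in the CorporateResources description has lost its first example. The added line reads "Examples: HTTP: or HTTP:https://2002:836b:1::1/", where the removed line had "HTTP:http://myserver.corp.contoso.com/ or HTTP:http://2002:836b:1::1/". The first example is now empty and the second changed scheme from http to https with no explanation. Please restore both examples as they were, or state in the commit message why the scheme changed. In the same description, and again under LocalNamesOn, the "> [!NOTE]" and "> [!IMPORTANT]" callouts have become bare "Note" and "Important" lines, so the requirement that at least one entry must be a PING: resource no longer stands out from the surrounding list; keep the callout syntax. Also, the front-matter title is now "ADMX_nca Policy CSP" while the unchanged H1 still reads "Policy CSP - ADMX_nca"; make the two agree.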
diff --git a/windows/client-management/mdm/policy-csp-admx-ncsi.md b/windows/client-management/mdm/policy-csp-admx-ncsi.md
index 852728fcd1..89b5cd6963 100644
--- a/windows/client-management/mdm/policy-csp-admx-ncsi.md
+++ b/windows/client-management/mdm/policy-csp-admx-ncsi.md
@@ -1,364 +1,423 @@
---
-title: Policy CSP - ADMX_NCSI
-description: Learn about Policy CSP - ADMX_NCSI.
+title: ADMX_NCSI Policy CSP
+description: Learn more about the ADMX_NCSI Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
+ms.date: 01/06/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/14/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - ADMX_NCSI
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## ADMX_NCSI policies
+
+## NCSI_CorpDnsProbeContent
-
- -
- ADMX_NCSI/NCSI_CorpDnsProbeContent
-
- -
- ADMX_NCSI/NCSI_CorpDnsProbeHost
-
- -
- ADMX_NCSI/NCSI_CorpSitePrefixes
-
- -
- ADMX_NCSI/NCSI_CorpWebProbeUrl
-
- -
- ADMX_NCSI/NCSI_DomainLocationDeterminationUrl
-
- -
- ADMX_NCSI/NCSI_GlobalDns
-
- -
- ADMX_NCSI/NCSI_PassivePolling
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpDnsProbeContent
+```
+
-
-
-
-**ADMX_NCSI/NCSI_CorpDnsProbeContent**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Specify corporate DNS probe host address*
-- GP name: *NCSI_CorpDnsProbeContent*
-- GP path: *Network\Network Connectivity Status Indicator*
-- GP ADMX file name: *NCSI.admx*
+
+**Description framework properties**:
-
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**ADMX_NCSI/NCSI_CorpDnsProbeHost**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | NCSI_CorpDnsProbeContent |
+| Friendly Name | Specify corporate DNS probe host address |
+| Location | Computer Configuration |
+| Path | Network > Network Connectivity Status Indicator |
+| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity |
+| ADMX File Name | NCSI.admx |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
+
+## NCSI_CorpDnsProbeHost
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpDnsProbeHost
+```
+
+
+
+
This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify corporate DNS probe host name*
-- GP name: *NCSI_CorpDnsProbeHost*
-- GP path: *Network\Network Connectivity Status Indicator*
-- GP ADMX file name: *NCSI.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_NCSI/NCSI_CorpSitePrefixes**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | NCSI_CorpDnsProbeHost |
+| Friendly Name | Specify corporate DNS probe host name |
+| Location | Computer Configuration |
+| Path | Network > Network Connectivity Status Indicator |
+| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity |
+| ADMX File Name | NCSI.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## NCSI_CorpSitePrefixes
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpSitePrefixes
+```
+
-
-
-This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of the prefixes indicates corporate connectivity.
+
+
+This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify corporate site prefix list*
-- GP name: *NCSI_CorpSitePrefixes*
-- GP path: *Network\Network Connectivity Status Indicator*
-- GP ADMX file name: *NCSI.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_NCSI/NCSI_CorpWebProbeUrl**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | NCSI_CorpSitePrefixes |
+| Friendly Name | Specify corporate site prefix list |
+| Location | Computer Configuration |
+| Path | Network > Network Connectivity Status Indicator |
+| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity |
+| ADMX File Name | NCSI.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## NCSI_CorpWebProbeUrl
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_CorpWebProbeUrl
+```
+
-
-
+
+
This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify corporate Website probe URL*
-- GP name: *NCSI_CorpWebProbeUrl*
-- GP path: *Network\Network Connectivity Status Indicator*
-- GP ADMX file name: *NCSI.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
+**ADMX mapping**:
-
-**ADMX_NCSI/NCSI_DomainLocationDeterminationUrl**
+| Name | Value |
+|:--|:--|
+| Name | NCSI_CorpWebProbeUrl |
+| Friendly Name | Specify corporate Website probe URL |
+| Location | Computer Configuration |
+| Path | Network > Network Connectivity Status Indicator |
+| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity |
+| ADMX File Name | NCSI.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## NCSI_DomainLocationDeterminationUrl
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_DomainLocationDeterminationUrl
+```
+
-
+
+
+This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network.
+
-
-
-This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (that is, whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates that the client location is inside corporate network; otherwise it is outside the network.
+
+
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Specify domain location determination URL*
-- GP name: *NCSI_DomainLocationDeterminationUrl*
-- GP path: *Network\Network Connectivity Status Indicator*
-- GP ADMX file name: *NCSI.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
-
+**ADMX mapping**:
-
-**ADMX_NCSI/NCSI_GlobalDns**
+| Name | Value |
+|:--|:--|
+| Name | NCSI_DomainLocationDeterminationUrl |
+| Friendly Name | Specify domain location determination URL |
+| Location | Computer Configuration |
+| Path | Network > Network Connectivity Status Indicator |
+| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator\CorporateConnectivity |
+| ADMX File Name | NCSI.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## NCSI_GlobalDns
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_GlobalDns
+```
+
-
+
+
+This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it is currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
+
-
-
-This policy setting enables you to specify DNS binding behavior. NCSI by default will restrict DNS lookups to the interface it's currently probing on. If you enable this setting, NCSI will allow the DNS lookups to happen on any interface.
+
+
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Specify global DNS*
-- GP name: *NCSI_GlobalDns*
-- GP path: *Network\Network Connectivity Status Indicator*
-- GP ADMX file name: *NCSI.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
-
+**ADMX mapping**:
-
-**ADMX_NCSI/NCSI_PassivePolling**
+| Name | Value |
+|:--|:--|
+| Name | NCSI_GlobalDns |
+| Friendly Name | Specify global DNS |
+| Location | Computer Configuration |
+| Path | Network > Network Connectivity Status Indicator |
+| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator |
+| ADMX File Name | NCSI.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## NCSI_PassivePolling
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_NCSI/NCSI_PassivePolling
+```
+
-
+
+
+This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior.
+
-
-
-This Policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior.
+
+
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Specify passive polling*
-- GP name: *NCSI_PassivePolling*
-- GP path: *Network\Network Connectivity Status Indicator*
-- GP ADMX file name: *NCSI.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
-
+**ADMX mapping**:
+| Name | Value |
+|:--|:--|
+| Name | NCSI_PassivePolling |
+| Friendly Name | Specify passive polling |
+| Location | Computer Configuration |
+| Path | Network > Network Connectivity Status Indicator |
+| Registry Key Name | Software\Policies\Microsoft\Windows\NetworkConnectivityStatusIndicator |
+| ADMX File Name | NCSI.admx |
+
-
+
+
+
-## Related topics
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
\ No newline at end of file
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
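Review bot: The added NCSI_GlobalDns and NCSI_PassivePolling sections tell the reader to "enable this setting" or "Use the options to control the passive polling behavior", but the new tables give only `Format | chr (string)`, the access types and the registry key. Neither section lists the allowed options, the ADMX element names or an example payload, so an administrator cannot build the SyncML value from this page alone. Please add the allowed values or an example for these two settings. The new Scope/Editions/Applicable OS table also drops the per-OS distinction that the removed `|Windows SE|No|Yes|` row carried: Windows SE now shows a single check mark next to Windows 10 releases. Build 10.0.19042 is labelled "version 2009" where the release name is 20H2. Finally, "Related articles" no longer links to `policies-in-policy-csp-admx-backed.md`; if that index is still published, keep the link alongside the new one.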
diff --git a/windows/client-management/mdm/policy-csp-admx-netlogon.md b/windows/client-management/mdm/policy-csp-admx-netlogon.md
index 22d8f1fe5a..80c36f00cc 100644
--- a/windows/client-management/mdm/policy-csp-admx-netlogon.md
+++ b/windows/client-management/mdm/policy-csp-admx-netlogon.md
@@ -1,800 +1,802 @@
---
-title: Policy CSP - ADMX_Netlogon
-description: Learn about Policy CSP - ADMX_Netlogon.
+title: ADMX_Netlogon Policy CSP
+description: Learn more about the ADMX_Netlogon Area in Policy CSP
+author: vinaypamnani-msft
+manager: aaroncz
ms.author: vinpa
+ms.date: 01/05/2023
ms.localizationpriority: medium
-ms.topic: article
ms.prod: windows-client
ms.technology: itpro-manage
-author: vinaypamnani-msft
-ms.date: 09/15/2020
-ms.reviewer:
-manager: aaroncz
+ms.topic: reference
---
+
+
+
# Policy CSP - ADMX_Netlogon
->[!TIP]
-> These are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](../understanding-admx-backed-policies.md).
+> [!TIP]
+> Some of these are ADMX-backed policies and require a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
>
-> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](../understanding-admx-backed-policies.md#enabling-a-policy).
+> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
>
-> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
+> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
-
+
+
+
-
-## ADMX_Netlogon policies
+
+## Netlogon_AddressLookupOnPingBehavior
-
- -
- ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior
-
- -
- ADMX_Netlogon/Netlogon_AddressTypeReturned
-
- -
- ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch
-
- -
- ADMX_Netlogon/Netlogon_AllowNT4Crypto
-
- -
- ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain
-
- -
- ADMX_Netlogon/Netlogon_AutoSiteCoverage
-
- -
- ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery
-
- -
- ADMX_Netlogon/Netlogon_AvoidPdcOnWan
-
- -
- ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod
-
- -
- ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod
-
- -
- ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime
-
- -
- ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod
-
- -
- ADMX_Netlogon/Netlogon_DebugFlag
-
- -
- ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords
-
- -
- ADMX_Netlogon/Netlogon_DnsRefreshInterval
-
- -
- ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames
-
- -
- ADMX_Netlogon/Netlogon_DnsTtl
-
- -
- ADMX_Netlogon/Netlogon_ExpectedDialupDelay
-
- -
- ADMX_Netlogon/Netlogon_ForceRediscoveryInterval
-
- -
- ADMX_Netlogon/Netlogon_GcSiteCoverage
-
- -
- ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages
-
- -
- ADMX_Netlogon/Netlogon_LdapSrvPriority
-
- -
- ADMX_Netlogon/Netlogon_LdapSrvWeight
-
- -
- ADMX_Netlogon/Netlogon_MaximumLogFileSize
-
- -
- ADMX_Netlogon/Netlogon_NdncSiteCoverage
-
- -
- ADMX_Netlogon/Netlogon_NegativeCachePeriod
-
- -
- ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode
-
- -
- ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod
-
- -
- ADMX_Netlogon/Netlogon_PingUrgencyMode
-
- -
- ADMX_Netlogon/Netlogon_ScavengeInterval
-
- -
- ADMX_Netlogon/Netlogon_SiteCoverage
-
- -
- ADMX_Netlogon/Netlogon_SiteName
-
- -
- ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode
-
- -
- ADMX_Netlogon/Netlogon_TryNextClosestSite
-
- -
- ADMX_Netlogon/Netlogon_UseDynamicDns
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior
+```
+
-
+
+
+This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site.
-
-**ADMX_Netlogon/Netlogon_AddressLookupOnPingBehavior**
-
-
-
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address doesn't map to any configured site.
-
-Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses that may then be used to compute a matching site for the client.
+Domain controllers use the client IP address during a DC locator ping request to compute which Active Directory site the client belongs to. If no site mapping can be computed, the DC may do an address lookup on the client network name to discover other IP addresses which may then be used to compute a matching site for the client.
The allowable values for this setting result in the following behaviors:
-- 0 - DCs will never perform address lookups.
-- 1 - DCs will perform an exhaustive address lookup to discover more client IP addresses.
-- 2 - DCs will perform a fast, DNS-only address lookup to discover more client IP addresses.
+0 - DCs will never perform address lookups.
+1 - DCs will perform an exhaustive address lookup to discover additional client IP addresses.
+2 - DCs will perform a fast, DNS-only address lookup to discover additional client IP addresses.
To specify this behavior in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 2.
-If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
+If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify address lookup behavior for DC locator ping*
-- GP name: *Netlogon_AddressLookupOnPingBehavior*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Netlogon/Netlogon_AddressTypeReturned**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_AddressLookupOnPingBehavior |
+| Friendly Name | Specify address lookup behavior for DC locator ping |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## Netlogon_AddressTypeReturned
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AddressTypeReturned
+```
+
-
-
-This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios.
+
+
+This policy setting detremines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with the support of IPv6, the DC Locator APIs can return IPv6 DC address. The returned IPv6 DC address may not be correctly handled by some of the existing applications. So this policy is provided to support such scenarios.
By default, DC Locator APIs can return IPv4/IPv6 DC address. But if some applications are broken due to the returned IPv6 DC address, this policy can be used to disable the default behavior and enforce to return only IPv4 DC address. Once applications are fixed, this policy can be used to enable the default behavior.
-If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This behavior is the default behavior of the DC Locator.
+If you enable this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator.
If you disable this policy setting, DC Locator APIs will ONLY return IPv4 DC address if any. So if the domain controller supports both IPv4 and IPv6 addresses, DC Locator APIs will return IPv4 address. But if the domain controller supports only IPv6 address, then DC Locator APIs will fail.
-If you don't configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This behavior is the default behavior of the DC Locator.
+If you do not configure this policy setting, DC Locator APIs can return IPv4/IPv6 DC address. This is the default behavior of the DC Locator.
+
-
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Return domain controller address type*
-- GP name: *Netlogon_AddressTypeReturned*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+
+**Description framework properties**:
-
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_AddressTypeReturned |
+| Friendly Name | Return domain controller address type |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | AddressTypeReturned |
+| ADMX File Name | Netlogon.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## Netlogon_AllowDnsSuffixSearch
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AllowDnsSuffixSearch
+```
+
-
-
-This policy setting specifies whether the computers to which this setting is applied attempts DNS name resolution of single-label domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, isn't used if the `AllowSingleLabelDnsDomain` policy setting is enabled.
+
+
+This policy setting specifies whether the computers to which this setting is applied attemps DNS name resolution of single-lablel domain names, by appending different registered DNS suffixes, and uses NetBIOS name resolution only if DNS name resolution fails. This policy, including the specified default behavior, is not used if the AllowSingleLabelDnsDomain policy setting is enabled.
-By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the `AllowSingleLabelDnsDomain` policy setting is enabled.
+By default, when no setting is specified for this policy, the behavior is the same as explicitly enabling this policy, unless the AllowSingleLabelDnsDomain policy setting is enabled.
-If you enable this policy setting, when the `AllowSingleLabelDnsDomain` policy isn't enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name isn't used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, if DNS resolution fails.
+If you enable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will locate a domain controller hosting an Active Directory domain specified with a single-label name, by appending different registered DNS suffixes to perform DNS name resolution. The single-label name is not used without appending DNS suffixes unless the computer is joined to a domain that has a single-label DNS name in the Active Directory forest. NetBIOS name resolution is performed on the single-label name only, in the event that DNS resolution fails.
-If you disable this policy setting, when the `AllowSingleLabelDnsDomain` policy isn't enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers won't attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest.
+If you disable this policy setting, when the AllowSingleLabelDnsDomain policy is not enabled, computers to which this policy is applied, will only use NetBIOS name resolution to attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name. The computers will not attempt DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name to which this computer is joined, in the Active Directory forest.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled.*
-- GP name: *Netlogon_AllowDnsSuffixSearch*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_AllowNT4Crypto**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_AllowDnsSuffixSearch |
+| Friendly Name | Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled. |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | AllowDnsSuffixSearch |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_AllowNT4Crypto
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AllowNT4Crypto
+```
+
-
+
+
+This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms used in Windows 2000 or later, including this version of Windows.
-
-
-This policy setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier aren't as secure as newer algorithms used in Windows 2000 or later, including this version of Windows.
-
-By default, Net Logon won't allow the older cryptography algorithms to be used and won't include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 won't be able to establish a connection to this domain controller.
+By default, Net Logon will not allow the older cryptography algorithms to be used and will not include them in the negotiation of cryptography algorithms. Therefore, computers running Windows NT 4.0 will not be able to establish a connection to this domain controller.
If you enable this policy setting, Net Logon will allow the negotiation and use of older cryptography algorithms compatible with Windows NT 4.0. However, using the older algorithms represents a potential security risk.
-If you disable this policy setting, Net Logon won't allow the negotiation and use of older cryptography algorithms.
+If you disable this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
-If you don't configure this policy setting, Net Logon won't allow the negotiation and use of older cryptography algorithms.
+If you do not configure this policy setting, Net Logon will not allow the negotiation and use of older cryptography algorithms.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Allow cryptography algorithms compatible with Windows NT 4.0*
-- GP name: *Netlogon_AllowNT4Crypto*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_AllowNT4Crypto |
+| Friendly Name | Allow cryptography algorithms compatible with Windows NT 4.0 |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | AllowNT4Crypto |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_AllowSingleLabelDnsDomain
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AllowSingleLabelDnsDomain
+```
+
-
+
+
+This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain names.
-
-
-This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of a single-label domain name.
-
-By default, the behavior specified in the `AllowDnsSuffixSearch` is used. If the `AllowDnsSuffixSearch` policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name.
+By default, the behavior specified in the AllowDnsSuffixSearch is used. If the AllowDnsSuffixSearch policy is disabled, then NetBIOS name resolution is used exclusively, to locate a domain controller hosting an Active Directory domain specified with a single-label name.
If you enable this policy setting, computers to which this policy is applied will attempt to locate a domain controller hosting an Active Directory domain specified with a single-label name using DNS name resolution.
-If you disable this policy setting, computers to which this setting is applied will use the `AllowDnsSuffixSearch` policy, if it isn't disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. The computers won't use the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined.
+If you disable this policy setting, computers to which this setting is applied will use the AllowDnsSuffixSearch policy, if it is not disabled or perform NetBIOS name resolution otherwise, to attempt to locate a domain controller that hosts an Active Directory domain specified with a single-label name. the computers will not the DNS name resolution in this case, unless the computer is searching for a domain with a single label DNS name that exists in the Active Directory forest to which this computer is joined.
-If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration.
+If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC*
-- GP name: *Netlogon_AllowSingleLabelDnsDomain*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_AutoSiteCoverage**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_AllowSingleLabelDnsDomain |
+| Friendly Name | Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | AllowSingleLabelDnsDomain |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_AutoSiteCoverage
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AutoSiteCoverage
+```
+
-
-
-
-
-This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC.
+
+
+This policy setting determines whether domain controllers (DC) will dynamically register DC Locator site-specific SRV records for the closest sites where no DC for the same domain exists (or no Global Catalog for the same forest exists). These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.
If you enable this policy setting, the DCs to which this setting is applied dynamically register DC Locator site-specific DNS SRV records for the closest sites where no DC for the same domain, or no Global Catalog for the same forest, exists.
-If you disable this policy setting, the DCs won't register site-specific DC Locator DNS SRV records for any other sites but their own.
+If you disable this policy setting, the DCs will not register site-specific DC Locator DNS SRV records for any other sites but their own.
-If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
+If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Use automated site coverage by the DC Locator DNS SRV Records*
-- GP name: *Netlogon_AutoSiteCoverage*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_AutoSiteCoverage |
+| Friendly Name | Use automated site coverage by the DC Locator DNS SRV Records |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | AutoSiteCoverage |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_AvoidFallbackNetbiosDiscovery
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AvoidFallbackNetbiosDiscovery
+```
+
-
-
-
-
+
+
This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism.
-NetBIOS-based discovery uses a WINS server and mailslot messages but doesn't use site information. Hence it doesn't ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery isn't recommended.
+NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended.
-> [!NOTE]
-> This policy setting doesn't affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known.
+Note that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known.
-If you disable or don't configure this policy setting, the DC location algorithm doesn't use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This behavior is the default behavior.
+If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior.
If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS based discovery fails.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails*
-- GP name: *Netlogon_AvoidFallbackNetbiosDiscovery*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_AvoidPdcOnWan**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_AvoidFallbackNetbiosDiscovery |
+| Friendly Name | Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | AvoidFallbackNetbiosDiscovery |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_AvoidPdcOnWan
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_AvoidPdcOnWan
+```
+
-
-
-
-
+
+
This policy setting defines whether a domain controller (DC) should attempt to verify the password provided by a client with the PDC emulator if the DC failed to validate the password.
Contacting the PDC emulator is useful in case the client’s password was recently changed and did not propagate to the DC yet. Users may want to disable this feature if the PDC emulator is located over a slow WAN connection.
If you enable this policy setting, the DCs to which this policy setting applies will attempt to verify a password with the PDC emulator if the DC fails to validate the password.
-If you disable this policy setting, the DCs won't attempt to verify any passwords with the PDC emulator.
+If you disable this policy setting, the DCs will not attempt to verify any passwords with the PDC emulator.
-If you don't configure this policy setting, it isn't applied to any DCs.
+If you do not configure this policy setting, it is not applied to any DCs.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Contact PDC on logon failure*
-- GP name: *Netlogon_AvoidPdcOnWan*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_AvoidPdcOnWan |
+| Friendly Name | Contact PDC on logon failure |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | AvoidPdcOnWan |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_BackgroundRetryInitialPeriod
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundRetryInitialPeriod
+```
+
-
-
-
-
+
+
This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC.
-The default value for this setting is 10 minutes (10*60).
-
-The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.
+The default value for this setting is 10 minutes (10*60). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.
This setting is relevant only to those callers of DsGetDcName that have specified the DS_BACKGROUND_ONLY flag.
If the value of this setting is less than the value specified in the NegativeCachePeriod subkey, the value in the NegativeCachePeriod subkey is used.
-> [!WARNING]
-> If the value for this setting is too large, a client won't attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC isn't available, the traffic caused by periodic DC discoveries may be excessive.
+Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value set in this setting is very small and the DC is not available, the traffic caused by periodic DC discoveries may be excessive.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Use initial DC discovery retry setting for background callers*
-- GP name: *Netlogon_BackgroundRetryInitialPeriod*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_BackgroundRetryInitialPeriod |
+| Friendly Name | Use initial DC discovery retry setting for background callers |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_BackgroundRetryMaximumPeriod
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundRetryMaximumPeriod
+```
+
-
-
-
-
-This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC.
+
+
+This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC.
For example, the retry intervals may be set at 10 minutes, then 20 minutes and then 40 minutes, but when the interval reaches the value set in this setting, that value becomes the retry interval for all subsequent retries until the value set in Final DC Discovery Retry Setting is reached.
-The default value for this setting is 60 minutes (60*60).
-
-The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.
+The default value for this setting is 60 minutes (60*60). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.
If the value for this setting is smaller than the value specified for the Initial DC Discovery Retry Setting, the Initial DC Discovery Retry Setting is used.
-> [!WARNING]
-> If the value for this setting is too large, a client may take very long periods to try to find a DC.
+Warning: If the value for this setting is too large, a client may take very long periods to try to find a DC.
-If the value for this setting is too small and the DC isn't available, the frequent retries may produce excessive network traffic.
+If the value for this setting is too small and the DC is not available, the frequent retries may produce excessive network traffic.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Use maximum DC discovery retry interval setting for background callers*
-- GP name: *Netlogon_BackgroundRetryMaximumPeriod*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_BackgroundRetryMaximumPeriod |
+| Friendly Name | Use maximum DC discovery retry interval setting for background callers |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_BackgroundRetryQuitTime
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundRetryQuitTime
+```
+
-
-
-
-
+
+
This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retires may be set to occur according to the Use maximum DC discovery retry interval policy setting, but when the value set in this policy setting is reached, no more retries occur. If a value for this policy setting is smaller than the value in the Use maximum DC discovery retry interval policy setting, the value for Use maximum DC discovery retry interval policy setting is used.
The default value for this setting is to not quit retrying (0). The maximum value for this setting is 49 days (0x49*24*60*60=4233600). The minimum value for this setting is 0.
-> [!WARNING]
-> If the value for this setting is too small, a client will stop trying to find a DC too soon.
+Warning: If the value for this setting is too small, a client will stop trying to find a DC too soon.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Use final DC discovery retry setting for background callers*
-- GP name: *Netlogon_BackgroundRetryQuitTime*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_BackgroundRetryQuitTime |
+| Friendly Name | Use final DC discovery retry setting for background callers |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_BackgroundSuccessfulRefreshPeriod
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_BackgroundSuccessfulRefreshPeriod
+```
+
-
+
+
+This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0).
+
-
-
-This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it's applied before returning the DC information to the caller program. The default value for this setting is infinite (4294967200). The maximum value for this setting is (4294967200), while the maximum that isn't treated as infinity is 49 days (49*24*60*60=4233600). Any larger value is treated as infinity. The minimum value for this setting is to always refresh (0).
+
+
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Use positive periodic DC cache refresh for background callers*
-- GP name: *Netlogon_BackgroundSuccessfulRefreshPeriod*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
-
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_BackgroundSuccessfulRefreshPeriod |
+| Friendly Name | Use positive periodic DC cache refresh for background callers |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
-**ADMX_Netlogon/Netlogon_DebugFlag**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## Netlogon_DebugFlag
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DebugFlag
+```
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting specifies the level of debug output for the Net Logon service.
The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged.
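Review bot: The added Netlogon_AllowSingleLabelDnsDomain description reintroduces wording errors that the removed lines had already corrected: "DNS name resolution of a single-label domain names" should read "a single-label domain name", and "the computers will not the DNS name resolution in this case" has lost its verb and its capital letter (the removed line read "The computers won't use the DNS name resolution in this case"). Please carry the corrected wording into the regenerated text. Two smaller points in the same hunk. The Netlogon_BackgroundRetryInitialPeriod, Netlogon_BackgroundRetryMaximumPeriod and Netlogon_BackgroundRetryQuitTime descriptions still say "49 days (0x49*24*60*60=4233600)"; 0x49 is 73 in decimal, and only the decimal 49 used in the Netlogon_BackgroundSuccessfulRefreshPeriod text multiplies out to 4233600, so the "0x" prefix should be dropped. The `[!NOTE]` and `[!WARNING]` callouts are also flattened into inline "Note that" and "Warning:" sentences, which makes the operational warnings about retry intervals easier to overlook; consider keeping them as callouts.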
@@ -803,182 +805,210 @@ If you enable this policy setting and specify a non-zero value, debug informatio
If you specify zero for this policy setting, the default behavior occurs as described above.
-If you disable this policy setting or don't configure it, the default behavior occurs as described above.
+If you disable this policy setting or do not configure it, the default behavior occurs as described above.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify log file debug output level*
-- GP name: *Netlogon_DebugFlag*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_DebugFlag |
+| Friendly Name | Specify log file debug output level |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_DnsAvoidRegisterRecords
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsAvoidRegisterRecords
+```
+
-
+
+
+This policy setting determines which DC Locator DNS records are not registered by the Net Logon service.
-
-
-This policy setting determines which DC Locator DNS records aren't registered by the Net Logon service.
+If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that will not be registered by the DCs to which this setting is applied.
-If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DNS records that won't be registered by the DCs to which this setting is applied.
+Select the mnemonics from the following list:
-Select the mnemonics from the following table:
+Mnemonic Type DNS Record
-|Mnemonic|Type|DNS Record|
-|--------|---------|-----------|
-|LdapIpAddress|A|``|
-|Ldap|SRV|_ldap._tcp.``|
-|LdapAtSite|SRV|_ldap._tcp.``._sites.``|
-|Pdc|SRV|_ldap._tcp.pdc._msdcs.``|
-|Gc|SRV|_ldap._tcp.gc._msdcs.``|
-|GcAtSite|SRV|_ldap._tcp.``._sites.gc._msdcs.``|
-|DcByGuid|SRV|_ldap._tcp.``.domains._msdcs.``|
-|GcIpAddress|A|gc._msdcs.``|
-|DsaCname|CNAME|``._msdcs.``|
-|Kdc|SRV|_kerberos._tcp.dc._msdcs.``|
-|KdcAtSite|SRV|_kerberos._tcp.``._sites.dc._msdcs.|
-|KdcAtSite|SRV|_kerberos._tcp.``._sites.dc._msdcs.``|
-|Dc|SRV|_ldap._tcp.dc._msdcs.``|
-|DcAtSite|SRV|_ldap._tcp.``._sites.dc._msdcs.``|
-|Rfc1510Kdc|SRV|_kerberos._tcp.``|
-|Rfc1510KdcAtSite|SRV|_kerberos._tcp.``._sites.``|
-|GenericGc|SRV|_gc._tcp.``|
-|GenericGcAtSite|SRV|_gc._tcp.``._sites.``|
-|Rfc1510UdpKdc|SRV|_kerberos._udp.``|
-|Rfc1510Kpwd|SRV|_kpasswd._tcp.``|
-|Rfc1510UdpKpwd|SRV|_kpasswd._udp.``|
+LdapIpAddress A ``
+Ldap SRV _ldap._tcp.``
+LdapAtSite SRV _ldap._tcp.``._sites.``
+Pdc SRV _ldap._tcp.pdc._msdcs.``
+Gc SRV _ldap._tcp.gc._msdcs.``
+GcAtSite SRV _ldap._tcp.``._sites.gc._msdcs.``
+DcByGuid SRV _ldap._tcp.``.domains._msdcs.``
+GcIpAddress A gc._msdcs.``
+DsaCname CNAME ``._msdcs.``
+Kdc SRV _kerberos._tcp.dc._msdcs.``
+KdcAtSite SRV _kerberos._tcp.``._sites.dc._msdcs.``
+Dc SRV _ldap._tcp.dc._msdcs.``
+DcAtSite SRV _ldap._tcp.``._sites.dc._msdcs.``
+Rfc1510Kdc SRV _kerberos._tcp.``
+Rfc1510KdcAtSite SRV _kerberos._tcp.``._sites.``
+GenericGc SRV _gc._tcp.``
+GenericGcAtSite SRV _gc._tcp.``._sites.``
+Rfc1510UdpKdc SRV _kerberos._udp.``
+Rfc1510Kpwd SRV _kpasswd._tcp.``
+Rfc1510UdpKpwd SRV _kpasswd._udp.``
If you disable this policy setting, DCs configured to perform dynamic registration of DC Locator DNS records register all DC Locator DNS resource records.
-If you don't configure this policy setting, DCs use their local configuration.
+If you do not configure this policy setting, DCs use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify DC Locator DNS records not registered by the DCs*
-- GP name: *Netlogon_DnsAvoidRegisterRecords*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_DnsRefreshInterval**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_DnsAvoidRegisterRecords |
+| Friendly Name | Specify DC Locator DNS records not registered by the DCs |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_DnsRefreshInterval
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsRefreshInterval
+```
+
-
-
-
-
+
+
This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm to locate the DC. This setting may be applied only to DCs using dynamic update.
-DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data hasn't changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database.
+DCs configured to perform dynamic registration of the DC Locator DNS resource records periodically reregister their records with DNS servers, even if their records’ data has not changed. If authoritative DNS servers are configured to perform scavenging of the stale records, this reregistration is required to instruct the DNS servers configured to automatically remove (scavenge) stale records that these records are current and should be preserved in the database.
-> [!WARNING]
-> If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records.
+Warning: If the DNS resource records are registered in zones with scavenging enabled, the value of this setting should never be longer than the Refresh Interval configured for these zones. Setting the Refresh Interval of the DC Locator DNS records to longer than the Refresh Interval of the DNS zones may result in the undesired deletion of DNS resource records.
To specify the Refresh Interval of the DC records, click Enabled, and then enter a value larger than 1800. This value specifies the Refresh Interval of the DC records in seconds (for example, the value 3600 is 60 minutes).
-If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
+If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify Refresh Interval of the DC Locator DNS records*
-- GP name: *Netlogon_DnsRefreshInterval*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_DnsRefreshInterval |
+| Friendly Name | Specify Refresh Interval of the DC Locator DNS records |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_DnsSrvRecordUseLowerCaseHostNames
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsSrvRecordUseLowerCaseHostNames
+```
+
-
-
-
-
+
+
This policy setting configures whether the domain controllers to which this setting is applied will lowercase their DNS host name when registering SRV records.
If enabled, domain controllers will lowercase their DNS host name when registering domain controller SRV records. A best-effort attempt will be made to delete any previously registered SRV records that contain mixed-case DNS host names. For more information and potential manual cleanup procedures, see the link below.
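Review bot: In the Netlogon_DnsAvoidRegisterRecords description, the mnemonic list changes from a Markdown table to bare lines (`Mnemonic Type DNS Record` and the entries after it). With no blank lines or pipes between them, Markdown will render these as one run-on paragraph and the Mnemonic, Type and DNS Record columns become indistinguishable. Keep the `|Mnemonic|Type|DNS Record|` table form; dropping the duplicate, truncated KdcAtSite row is fine. The same hunk also replaces the `> [!WARNING]` callout in Netlogon_DnsRefreshInterval with a plain "Warning:" sentence. That text warns that a Refresh Interval longer than the zone's can lead to undesired deletion of DNS resource records, so the callout should stay. Finally, the three ADMX mapping tables added in this hunk (Netlogon_DebugFlag, Netlogon_DnsAvoidRegisterRecords, Netlogon_DnsRefreshInterval) list a Registry Key Name but no Registry Value Name.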
@@ -989,873 +1019,1047 @@ If not configured, domain controllers will default to using their local configur
The default local configuration is enabled.
-A reboot isn't required for changes to this setting to take effect.
-
+A reboot is not required for changes to this setting to take effect.
+More information is available at
+
-
-ADMX Info:
-- GP Friendly name: *Use lowercase DNS host names when registering domain controller SRV records*
-- GP name: *Netlogon_DnsSrvRecordUseLowerCaseHostNames*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+
+
+
-
-
-
+
+**Description framework properties**:
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-**ADMX_Netlogon/Netlogon_DnsTtl**
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_DnsSrvRecordUseLowerCaseHostNames |
+| Friendly Name | Use lowercase DNS host names when registering domain controller SRV records |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | DnsSrvRecordUseLowerCaseHostNames |
+| ADMX File Name | Netlogon.admx |
+
-
-
+
+
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
-> [!div class = "checklist"]
-> * Device
+
+## Netlogon_DnsTtl
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-
-This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they're used to locate the domain controller (DC).
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_DnsTtl
+```
+
+
+
+
+This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC).
To specify the TTL for DC Locator DNS records, click Enabled, and then enter a value in seconds (for example, the value "900" is 15 minutes).
-If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
-
+If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
+
+
+
+
-
-ADMX Info:
-- GP Friendly name: *Set TTL in the DC Locator DNS Records*
-- GP name: *Netlogon_DnsTtl*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+
+**Description framework properties**:
-
-
-
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-**ADMX_Netlogon/Netlogon_ExpectedDialupDelay**
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_DnsTtl |
+| Friendly Name | Set TTL in the DC Locator DNS Records |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+
+
-
-
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+## Netlogon_ExpectedDialupDelay
-> [!div class = "checklist"]
-> * Device
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_ExpectedDialupDelay
+```
+
-
-
-This policy setting specifies the extra time for the computer to wait for the domain controller’s (DC) response when logging on to the network.
+
+
+This policy setting specifies the additional time for the computer to wait for the domain controller’s (DC) response when logging on to the network.
-To specify the expected dial-up delay at sign-in, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute).
+To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds (for example, the value "60" is 1 minute).
-If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration.
+If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify expected dial-up delay on logon*
-- GP name: *Netlogon_ExpectedDialupDelay*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_ForceRediscoveryInterval**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_ExpectedDialupDelay |
+| Friendly Name | Specify expected dial-up delay on logon |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_ForceRediscoveryInterval
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_ForceRediscoveryInterval
+```
+
-
-
-
-
+
+
This policy setting determines the interval for when a Force Rediscovery is carried out by DC Locator.
-The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions, DC Locator will, by default, carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries.
+The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the cached domain controller meets the requirements and is running, DC Locator will continue to return it. If a new domain controller is introduced, existing clients will only discover it when a Force Rediscovery is carried out by DC Locator. To adapt to changes in network conditions DC Locator will by default carry out a Force Rediscovery according to a specific time interval and maintain efficient load-balancing of clients across all available domain controllers in all domains or forests. The default time interval for Force Rediscovery by DC Locator is 12 hours. Force Rediscovery can also be triggered if a call to DC Locator uses the DS_FORCE_REDISCOVERY flag. Rediscovery resets the timer on the cached domain controller entries.
-If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4,294,967,200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity.
+If you enable this policy setting, DC Locator on the machine will carry out Force Rediscovery periodically according to the configured time interval. The minimum time interval is 3600 seconds (1 hour) to avoid excessive network traffic from rediscovery. The maximum allowed time interval is 4294967200 seconds, while any value greater than 4294967 seconds (~49 days) will be treated as infinity.
If you disable this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval.
-If you don't configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value.
+If you do not configure this policy setting, Force Rediscovery will be used by default for the machine at every 12 hour interval, unless the local machine setting in the registry is a different value.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Force Rediscovery Interval*
-- GP name: *Netlogon_ForceRediscoveryInterval*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_GcSiteCoverage**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_ForceRediscoveryInterval |
+| Friendly Name | Force Rediscovery Interval |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_GcSiteCoverage
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_GcSiteCoverage
+```
+
-
+
+
+This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it.
-
-
-This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. The records are registered in addition to the site-specific SRV records registered for the site where the GC resides, and records registered by a GC configured to register GC Locator DNS SRV records for those sites without a GC that are closest to it.
-
-The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they're used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory.
+The GC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the GC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. A GC is a domain controller that contains a partial replica of every domain in Active Directory.
To specify the sites covered by the GC Locator DNS SRV records, click Enabled, and enter the sites' names in a space-delimited format.
-If you don't configure this policy setting, it isn't applied to any GCs, and GCs use their local configuration.
+If you do not configure this policy setting, it is not applied to any GCs, and GCs use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify sites covered by the GC Locator DNS SRV Records*
-- GP name: *Netlogon_GcSiteCoverage*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_GcSiteCoverage |
+| Friendly Name | Specify sites covered by the GC Locator DNS SRV Records |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_IgnoreIncomingMailslotMessages
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_IgnoreIncomingMailslotMessages
+```
+
-
-
-
-
+
+
This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC).
-> [!NOTE]
-> To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message.
+Note: To locate a remote DC based on its NetBIOS (single-label) domain name, DC Locator first gets the list of DCs from a WINS server that is configured in its local client settings. DC Locator then sends a mailslot message to each remote DC to get more information. DC location succeeds only if a remote DC responds to the mailslot message.
-This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name isn't required. This policy setting doesn't affect DC location based on DNS names.
+This policy setting is recommended to reduce the attack surface on a DC, and can be used in an environment without WINS, in an IPv6-only environment, and whenever DC location based on a NetBIOS domain name is not required. This policy setting does not affect DC location based on DNS names.
-If you enable this policy setting, this DC doesn't process incoming mailslot messages that are used for NetBIOS domain name based DC location.
+If you enable this policy setting, this DC does not process incoming mailslot messages that are used for NetBIOS domain name based DC location.
-If you disable or don't configure this policy setting, this DC processes incoming mailslot messages. This hevaior is the default behavior of DC Locator.
+If you disable or do not configure this policy setting, this DC processes incoming mailslot messages. This is the default behavior of DC Locator.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names*
-- GP name: *Netlogon_IgnoreIncomingMailslotMessages*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_LdapSrvPriority**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_IgnoreIncomingMailslotMessages |
+| Friendly Name | Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | IgnoreIncomingMailslotMessages |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_LdapSrvPriority
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_LdapSrvPriority
+```
+
-
-
-
-
+
+
This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC.
The Priority field in the SRV record sets the preference for target hosts (specified in the SRV record’s Target field). DNS clients that query for SRV resource records attempt to contact the first reachable host with the lowest priority number listed.
To specify the Priority in the DC Locator DNS SRV resource records, click Enabled, and then enter a value. The range of values is from 0 to 65535.
-If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
+If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Set Priority in the DC Locator DNS SRV records*
-- GP name: *Netlogon_LdapSrvPriority*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_LdapSrvWeight**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_LdapSrvPriority |
+| Friendly Name | Set Priority in the DC Locator DNS SRV records |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_LdapSrvWeight
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_LdapSrvWeight
+```
+
-
-
-
-
-This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC.
+
+
+This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC.
The Weight field in the SRV record can be used in addition to the Priority value to provide a load-balancing mechanism where multiple servers are specified in the SRV records Target field and are all set to the same priority. The probability with which the DNS client randomly selects the target host to be contacted is proportional to the Weight field value in the SRV record.
To specify the Weight in the DC Locator DNS SRV records, click Enabled, and then enter a value. The range of values is from 0 to 65535.
-If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
+If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Set Weight in the DC Locator DNS SRV records*
-- GP name: *Netlogon_LdapSrvWeight*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_MaximumLogFileSize**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_LdapSrvWeight |
+| Friendly Name | Set Weight in the DC Locator DNS SRV records |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_MaximumLogFileSize
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_MaximumLogFileSize
+```
+
-
-
-
-
+
+
This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled.
-By default, the maximum size of the log file is 20 MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached, the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.
+By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is set to the specified size. Once this size is reached the log file is saved to netlogon.bak and netlogon.log is truncated. A reasonable value based on available storage should be specified.
-If you disable or don't configure this policy setting, the default behavior occurs as indicated above.
+If you disable or do not configure this policy setting, the default behavior occurs as indicated above.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify maximum log file size*
-- GP name: *Netlogon_MaximumLogFileSize*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_NdncSiteCoverage**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_MaximumLogFileSize |
+| Friendly Name | Specify maximum log file size |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_NdncSiteCoverage
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NdncSiteCoverage
+```
+
-
-
-
-
+
+
This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.
-The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they're used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
+The application directory partition DC Locator DNS records and the site-specific SRV records are dynamically registered by the Net Logon service, and they are used to locate the application directory partition-specific DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
To specify the sites covered by the DC Locator application directory partition-specific DNS SRV records, click Enabled, and then enter the site names in a space-delimited format.
-If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
+If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify sites covered by the application directory partition DC Locator DNS SRV records*
-- GP name: *Netlogon_NdncSiteCoverage*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_NegativeCachePeriod**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_NdncSiteCoverage |
+| Friendly Name | Specify sites covered by the application directory partition DC Locator DNS SRV records |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_NegativeCachePeriod
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NegativeCachePeriod
+```
+
-
+
+
+This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC.
-
-
-This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) couldn't be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immediately fails, without attempting to find the DC.
+The default value for this setting is 45 seconds. The maximum value for this setting is 7 days (7*24*60*60). The minimum value for this setting is 0.
-The default value for this setting is 45 seconds. The maximum value for this setting is seven days (7*24*60*60). The minimum value for this setting is 0.
+Warning: If the value for this setting is too large, a client will not attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available.
+
-> [!WARNING]
-> If the value for this setting is too large, a client won't attempt to find any DCs that were initially unavailable. If the value for this setting is too small, clients will attempt to find DCs even when none are available.
+
+
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Specify negative DC Discovery cache setting*
-- GP name: *Netlogon_NegativeCachePeriod*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
-
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_NegativeCachePeriod |
+| Friendly Name | Specify negative DC Discovery cache setting |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
-**ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## Netlogon_NetlogonShareCompatibilityMode
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NetlogonShareCompatibilityMode
+```
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.
If you enable this policy setting, the Netlogon share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission.
-If you disable or don't configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission.
+If you disable or do not configure this policy setting, the Netlogon share will grant shared read access to files on the share when exclusive access is requested and the caller has only read permission.
By default, the Netlogon share will grant shared read access to files on the share when exclusive access is requested.
-> [!NOTE]
-> The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased.
+Note: The Netlogon share is a share created by the Net Logon service for use by client machines in the domain. The default behavior of the Netlogon share ensures that no application with only read permission to files on the Netlogon share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the Netlogon share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the Netlogon share on the domain will be decreased.
-If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those applications approved by the administrator.
+If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Set Netlogon share compatibility*
-- GP name: *Netlogon_NetlogonShareCompatibilityMode*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_NetlogonShareCompatibilityMode |
+| Friendly Name | Set Netlogon share compatibility |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | AllowExclusiveScriptsShareAccess |
+| ADMX File Name | Netlogon.admx |
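Review bot: The `> [!NOTE]` callout in the Netlogon_NetlogonShareCompatibilityMode description is flattened into a body paragraph that starts with "Note:", so the passage explaining the risk of enabling this setting no longer renders as an alert. That passage is the only place that says an application with only read permission can lock files on the Netlogon share and deny Group Policy clients from reading them. The `> [!WARNING]` block in Netlogon_NegativeCachePeriod gets the same treatment and becomes an inline "Warning:" sentence. Suggest keeping both as callouts (`> [!NOTE]` / `> [!WARNING]` with the text on `>`-prefixed lines), or confirming that the generated description is meant to drop them. Two smaller wording points in the added lines: Netlogon_NonBackgroundSuccessfulRefreshPeriod still reads "before the returning the DC information" (drop the first "the"), and Netlogon_MaximumLogFileSize changes "20 MB" to "20MB" and loses the comma after "Once this size is reached".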
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_NonBackgroundSuccessfulRefreshPeriod
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_NonBackgroundSuccessfulRefreshPeriod
+```
+
-
+
+
+This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that have not specified the DS_BACKGROUND_ONLY flag.
-
-
-This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that don't periodically attempt to locate DCs, and it's applied before the returning the DC information to the caller program. This policy setting is relevant to only those callers of DsGetDcName that haven't specified the DS_BACKGROUND_ONLY flag.
+The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that is not treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0).
+
-The default value for this setting is 30 minutes (1800). The maximum value for this setting is (4294967200), while the maximum that isn't treated as infinity is 49 days (49*24*60*60=4233600). Any larger value will be treated as infinity. The minimum value for this setting is to always refresh (0).
+
+
+
-
+
+**Description framework properties**:
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-ADMX Info:
-- GP Friendly name: *Specify positive periodic DC Cache refresh for non-background callers*
-- GP name: *Netlogon_NonBackgroundSuccessfulRefreshPeriod*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
-
-
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_NonBackgroundSuccessfulRefreshPeriod |
+| Friendly Name | Specify positive periodic DC Cache refresh for non-background callers |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
-**ADMX_Netlogon/Netlogon_PingUrgencyMode**
+
+
+
-
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
+## Netlogon_PingUrgencyMode
-
-
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_PingUrgencyMode
+```
+
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
+
+
This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC).
-When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in more network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version.
+When an environment has a large number of DCs running both old and new operating systems, the default DC locator discovery behavior may be insufficient to find DCs running a newer operating system. This policy setting can be enabled to configure DC locator to be more aggressive about trying to locate a DC in such an environment, by pinging DCs at a higher frequency. Enabling this setting may result in additional network traffic and increased load on DCs. You should disable this setting once all DCs are running the same OS version.
The allowable values for this setting result in the following behaviors:
-- 1 - Computers will ping DCs at the normal frequency.
-- 2 - Computers will ping DCs at the higher frequency.
+1 - Computers will ping DCs at the normal frequency.
+2 - Computers will ping DCs at the higher frequency.
To specify this behavior, click Enabled and then enter a value. The range of values is from 1 to 2.
-If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration.
+If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Use urgent mode when pinging domain controllers*
-- GP name: *Netlogon_PingUrgencyMode*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_ScavengeInterval**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_PingUrgencyMode |
+| Friendly Name | Use urgent mode when pinging domain controllers |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_ScavengeInterval
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_ScavengeInterval
+```
+
-
-
-
-
+
+
This policy setting determines the interval at which Netlogon performs the following scavenging operations:
- Checks if a password on a secure channel needs to be modified, and modifies it if necessary.
-- On the domain controllers (DC), discovers a DC that hasn't been discovered.
+- On the domain controllers (DC), discovers a DC that has not been discovered.
- On the PDC, attempts to add the ``[1B] NetBIOS name if it hasn’t already been successfully added.
-None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (for example, ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain.
+None of these operations are critical. 15 minutes is optimal in all but extreme cases. For instance, if a DC is separated from a trusted domain by an expensive (e.g., ISDN) line, this parameter might be adjusted upward to avoid frequent automatic discovery of DCs in a trusted domain.
To enable the setting, click Enabled, and then specify the interval in seconds.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Set scavenge interval*
-- GP name: *Netlogon_ScavengeInterval*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_SiteCoverage**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_ScavengeInterval |
+| Friendly Name | Set scavenge interval |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_SiteCoverage
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_SiteCoverage
+```
+
-
-
-
-
+
+
This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site where the DC resides, and records registered by a DC configured to register DC Locator DNS SRV records for those sites without a DC that are closest to it.
-The DC Locator DNS records are dynamically registered by the Net Logon service, and they're used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
+The DC Locator DNS records are dynamically registered by the Net Logon service, and they are used to locate the DC. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
To specify the sites covered by the DC Locator DNS SRV records, click Enabled, and then enter the sites names in a space-delimited format.
-If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
+If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify sites covered by the DC Locator DNS SRV records*
-- GP name: *Netlogon_SiteCoverage*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_SiteName**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_SiteCoverage |
+| Friendly Name | Specify sites covered by the DC Locator DNS SRV records |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_SiteName
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_SiteName
+```
+
-
-
-
-
+
+
This policy setting specifies the Active Directory site to which computers belong.
An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication.
-To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs isn't specified, the computer automatically discovers its site from Active Directory.
+To specify the site name for this setting, click Enabled, and then enter the site name. When the site to which a computer belongs is not specified, the computer automatically discovers its site from Active Directory.
-If you don't configure this policy setting, it isn't applied to any computers, and computers use their local configuration.
+If you do not configure this policy setting, it is not applied to any computers, and computers use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify site name*
-- GP name: *Netlogon_SiteName*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_SiteName |
+| Friendly Name | Specify site name |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_SysvolShareCompatibilityMode
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_SysvolShareCompatibilityMode
+```
+
-
-
-
-
+
+
This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications.
When this setting is enabled, the SYSVOL share will honor file sharing semantics that grant requests for exclusive read access to files on the share even when the caller has only read permission.
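Review bot: In the Netlogon_SiteCoverage and Netlogon_SiteName sections, the new ADMX mapping tables give only the Registry Key Name (Software\Policies\Microsoft\Netlogon\Parameters) and no Registry Value Name, while the descriptions still use Group Policy editor wording ("click Enabled, and then enter the sites names", "click Enabled, and then enter the site name"). With Format listed only as chr (string), someone configuring or auditing these policies over MDM cannot tell from this section which value holds the site list or how to supply it. Please add the value or data element these policies write, or point to an example payload. Two smaller items: "sites names" in the unchanged SiteCoverage text should read "site names", and the new Editions cell no longer carries the old table's "Business" row or the Windows SE "No" for Windows 10, so please confirm that loss is intended.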
@@ -1864,132 +2068,179 @@ When this setting is disabled or not configured, the SYSVOL share will grant sha
By default, the SYSVOL share will grant shared read access to files on the share when exclusive access is requested.
-> [!NOTE]
-> The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased.
+Note: The SYSVOL share is a share created by the Net Logon service for use by Group Policy clients in the domain. The default behavior of the SYSVOL share ensures that no application with only read permission to files on the sysvol share can lock the files by requesting exclusive read access, which might prevent Group Policy settings from being updated on clients in the domain. When this setting is enabled, an application that relies on the ability to lock files on the SYSVOL share with only read permission will be able to deny Group Policy clients from reading the files, and in general the availability of the SYSVOL share on the domain will be decreased.
-If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those applications approved by the administrator.
+If you enable this policy setting, domain administrators should ensure that the only applications using the exclusive read capability in the domain are those approved by the administrator.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Set SYSVOL share compatibility*
-- GP name: *Netlogon_SysvolShareCompatibilityMode*
-- GP path: *System\Net Logon*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_TryNextClosestSite**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_SysvolShareCompatibilityMode |
+| Friendly Name | Set SYSVOL share compatibility |
+| Location | Computer Configuration |
+| Path | System > Net Logon |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | AllowExclusiveSysvolShareAccess |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_TryNextClosestSite
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_TryNextClosestSite
+```
+
-
+
+
+This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site is not found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively.
-
-
-This policy setting enables DC Locator to attempt to locate a DC in the nearest site based on the site link cost if a DC in same the site isn't found. In scenarios with multiple sites, failing over to the try next closest site during DC Location streamlines network traffic more effectively.
-
-The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none is found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost.
+The DC Locator service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be several site-hops away, could be returned by DC Locator. Site proximity between two sites is determined by the total site-link cost between them. A site is closer if it has a lower site link cost than another site with a higher site link cost.
If you enable this policy setting, Try Next Closest Site DC Location will be turned on for the computer.
-If you disable this policy setting, Try Next Closest Site DC Location won't be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored.
+If you disable this policy setting, Try Next Closest Site DC Location will not be used by default for the computer. However, if a DC Locator call is made using the DS_TRY_NEXTCLOSEST_SITE flag explicitly, the Try Next Closest Site behavior is honored.
-If you don't configure this policy setting, Try Next Closest Site DC Location won't be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used.
+If you do not configure this policy setting, Try Next Closest Site DC Location will not be used by default for the machine. If the DS_TRY_NEXTCLOSEST_SITE flag is used explicitly, the Next Closest Site behavior will be used.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Try Next Closest Site*
-- GP name: *Netlogon_TryNextClosestSite*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
-
+**ADMX mapping**:
-
-**ADMX_Netlogon/Netlogon_UseDynamicDns**
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_TryNextClosestSite |
+| Friendly Name | Try Next Closest Site |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | TryNextClosestSite |
+| ADMX File Name | Netlogon.admx |
+
-
+
+
+
-|Edition|Windows 10|Windows 11|
-|--- |--- |--- |
-|Home|No|No|
-|Pro|Yes|Yes|
-|Windows SE|No|Yes|
-|Business|Yes|Yes|
-|Enterprise|Yes|Yes|
-|Education|Yes|Yes|
+
-
-
+
+## Netlogon_UseDynamicDns
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
+
+| Scope | Editions | Applicable OS |
+|:--|:--|:--|
+| :heavy_check_mark: Device
:x: User | :x: Home
:heavy_check_mark: Pro
:heavy_check_mark: Enterprise
:heavy_check_mark: Education
:heavy_check_mark: Windows SE | :heavy_check_mark: Windows 10, version 2004 [10.0.19041.1202] and later
:heavy_check_mark: Windows 10, version 2009 [10.0.19042.1202] and later
:heavy_check_mark: Windows 10, version 21H1 [10.0.19043.1202] and later
:heavy_check_mark: Windows 11, version 21H2 [10.0.22000] and later |
+
-> [!div class = "checklist"]
-> * Device
+
+```Device
+./Device/Vendor/MSFT/Policy/Config/ADMX_Netlogon/Netlogon_UseDynamicDns
+```
+
-
-
-
-
+
+
This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to locate the DC.
If you enable this policy setting, DCs to which this setting is applied dynamically register DC Locator DNS resource records through dynamic DNS update-enabled network connections.
-If you disable this policy setting, DCs won't register DC Locator DNS resource records.
+If you disable this policy setting, DCs will not register DC Locator DNS resource records.
-If you don't configure this policy setting, it isn't applied to any DCs, and DCs use their local configuration.
+If you do not configure this policy setting, it is not applied to any DCs, and DCs use their local configuration.
+
-
+
+
+
+
+**Description framework properties**:
-
-ADMX Info:
-- GP Friendly name: *Specify dynamic registration of the DC Locator DNS Records*
-- GP name: *Netlogon_UseDynamicDns*
-- GP path: *System\Net Logon\DC Locator DNS Records*
-- GP ADMX file name: *Netlogon.admx*
+| Property name | Property value |
+|:--|:--|
+| Format | chr (string) |
+| Access Type | Add, Delete, Get, Replace |
+
-
-
-
+
+> [!TIP]
+> This is an ADMX-backed policy and requires SyncML format for configuration. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
+**ADMX mapping**:
-
+| Name | Value |
+|:--|:--|
+| Name | Netlogon_UseDynamicDns |
+| Friendly Name | Specify dynamic registration of the DC Locator DNS Records |
+| Location | Computer Configuration |
+| Path | System > Net Logon > DC Locator DNS Records |
+| Registry Key Name | Software\Policies\Microsoft\Netlogon\Parameters |
+| Registry Value Name | UseDynamicDns |
+| ADMX File Name | Netlogon.admx |
+
-## Related topics
+
+
+
-[ADMX-backed policies in Policy CSP](./policies-in-policy-csp-admx-backed.md)
+
+
+
+
+
+
+
+
+## Related articles
+
+[Policy configuration service provider](policy-configuration-service-provider.md)
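Review bot: In the Netlogon_SysvolShareCompatibilityMode description, the "> [!NOTE]" callout is replaced by an inline "Note:" paragraph, which buries the caveat an administrator most needs before enabling this setting: an application with only read permission can then lock SYSVOL files and keep Group Policy clients from reading them. Please keep the callout markup so it still renders as a note. In the added Netlogon_TryNextClosestSite paragraph, "if a DC in same the site is not found" carries the old word-order typo forward (it should read "in the same site"), and "failing over to the try next closest site" would read better as "failing over to the next closest site".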