6to4 Relay Name

chocolatehookSecurity

Nov 30, 2013 (3 years and 6 months ago)


6to4 Relay Name



This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is
used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name
setting has no effect if 6to4 connectivity is not available on the host.


If you enable this policy setting, you can specify a relay name for a 6to4 host.


If you disable or do not configure this policy setting, the local host setting is used, and you
cannot specify a relay name for a 6to4 host.




=== Detailed values: ===

text: Id: RouterNameBox; ValueName: 6to4_RouterName




6to4 Relay Name Resolution Interval



This policy setting allows you to specify the interval at which the relay name is resolved. The
6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available
on the host.


If you enable this policy setting, you can specify the value for the duration at which the relay
name is resolved periodically.


If you disable or do not configure this policy setting, the local host setting is used.




=== Detailed values: ===

decimal: Id: RouterNameResolutionIntervalBox; ValueName: 6to4_RouterNameResolutionInterval




6to4 State



This policy setting allows you to configure 6to4, an address assignment and router-to-router
automatic tunneling technology that is used to provide unicast IPv6 connectivity between
IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix:
2002:WWXX:YYZZ::/48 in which the letters are a hexadecimal representation of the global
IPv4 address (w.x.y.z) assigned to a site.


If you disable or do not configure this policy setting, the local host setting is used.


If you enable this policy setting, you will be able to configure 6to4 with one of the following
settings:


Policy Default State: 6to4 is enabled if the host has only link-local IPv6 connectivity and a
public IPv4 address. If no global IPv6 address is present and no global IPv4 address is
present, the host will not have a 6to4 interface. If no global IPv6 address is present and a
global IPv4 address is present, the host will have a 6to4 interface.


Policy Enabled State: If a global IPv4 address is present, the host will have a 6to4 interface. If
no global IPv4 address is present, the host will not have a 6to4 interface.


Policy Disabled State: 6to4 is turned off and connectivity with 6to4 will not be available.




=== Detailed values: ===

enum: Id: StateSelect; ValueName: 6to4_State

item: value


item: value


item: value





Add Search Internet link to Start Menu




If you enable this policy, a "Search the Internet" link is shown when the user performs a
search in the start menu search box. This button launches the default browser with the search
terms.


If you disable this policy, there will not be a "Search the Internet" link when the user performs
a search in the start menu search box.


If you do not configure this policy (default), there will not be a "Search the Internet" link on
the start menu.



Allow access to BitLocker-protected fixed data drives from earlier versions of Windows



This policy setting configures whether or not fixed data drives formatted with the FAT file
system can be unlocked and viewed on computers running Windows Server 2008, Windows
Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack 2 (SP2)
operating systems.


If this policy setting is enabled or not configured, fixed data drives formatted with the FAT
file system can be unlocked on computers running Windows Server 2008, Windows Vista,
Windows XP with SP3, or Windows XP with SP2, and their content can be viewed. These
operating systems have read-only access to BitLocker-protected drives.


When this policy setting is enabled, select the "Do not install BitLocker To Go Reader on
FAT formatted fixed drives" check box to help prevent users from running BitLocker To Go
Reader from their fixed drives. If BitLocker To Go Reader (bitlockertogo.exe) is present on a
drive that does not have an identification field specified, or if the drive has the same
identification field as specified in the "Provide unique identifiers for your organization"
policy setting, the user will be prompted to update BitLocker and BitLocker To Go Reader
will be deleted from the drive. In this situation, for the fixed drive to be unlocked on
computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or
Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this
check box is not selected, BitLocker To Go Reader will be installed on the fixed drive to
enable users to unlock the drive on computers running Windows Server 2008, Windows
Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go
Reader installed.


If this policy setting is disabled, fixed data drives formatted with the FAT file system that are
BitLocker-protected cannot be unlocked on computers running Windows Server 2008,
Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe will not
be installed.


Note: This policy setting does not apply to drives that are formatted with the NTFS file
system.




=== Detailed values: ===

boolean: Id: FDVNoBitLockerToGoReader_Name; ValueName: FDVNoBitLockerToGoReader

trueValue: decimal: 1


falseValue: decimal: 0





Allow access to BitLocker-protected removable data drives from earlier versions of Windows



This policy setting configures whether or not removable data drives formatted with the FAT
file system can be unlocked and viewed on computers running Windows Server 2008,
Windows Vista, Windows XP with Service Pack 3 (SP3), or Windows XP with Service Pack
2 (SP2) operating systems.


If this policy setting is enabled or not configured, removable data drives formatted with the
FAT file system can be unlocked on computers running Windows Server 2008, Windows
Vista, Windows XP with SP3, or Windows XP with SP2, and their content can be viewed.
These operating systems have read-only access to BitLocker-protected drives.


When this policy setting is enabled, select the "Do not install BitLocker To Go Reader on
FAT formatted removable drives" check box to help prevent users from running BitLocker To
Go Reader from their removable drives. If BitLocker To Go Reader (bitlockertogo.exe) is
present on a drive that does not have an identification field specified, or if the drive has the
same identification field as specified in the "Provide unique identifiers for your organization"
policy setting, the user will be prompted to update BitLocker and BitLocker To Go Reader
will be deleted from the drive. In this situation, for the removable drive to be unlocked on
computers running Windows Server 2008, Windows Vista, Windows XP with SP3, or
Windows XP with SP2, BitLocker To Go Reader must be installed on the computer. If this
check box is not selected, BitLocker To Go Reader will be installed on the removable drive to
enable users to unlock the drive on computers running Windows Server 2008, Windows
Vista, Windows XP with SP3, or Windows XP with SP2 that do not have BitLocker To Go
Reader installed.


If this policy setting is disabled, removable data drives formatted with the FAT file system
that are BitLocker-protected cannot be unlocked on computers running Windows Server
2008, Windows Vista, Windows XP with SP3, or Windows XP with SP2. Bitlockertogo.exe
will not be installed.


Note: This policy setting does not apply to drives that are formatted with the NTFS file
system.




=== Detailed values: ===

boolean: Id: RDVNoBitLockerToGoReader_Name; ValueName: RDVNoBitLockerToGoReader

trueValue: decimal: 1


falseValue: decimal: 0





Allow Applications to Prevent Automatic Sleep (On Battery)



Allow applications and services to prevent automatic sleep.


If you enable this policy setting, any application, service or device driver may prevent
Windows from automatically transitioning to sleep after a period of user inactivity.


If you disable this policy setting, applications, services or drivers may not prevent Windows
from automatically transitioning to sleep. Only user input will be used to determine if
Windows should automatically sleep.



Allow Applications to Prevent Automatic Sleep (Plugged In)



Allow applications and services to prevent automatic sleep.


If you enable this policy setting, any application, service or device driver may prevent
Windows from automatically transitioning to sleep after a period of user inactivity.


If you disable this policy setting, applications, services or drivers may not prevent Windows
from automatically transitioning to sleep. Only user input will be used to determine if
Windows should automatically sleep.



Allow Automatic Sleep with Open Network Files (On Battery)



Allow Automatic Sleep with Open Network Files.


If you enable this policy setting, the computer will automatically sleep when network files are
open.


If you disable this policy setting, the computer will not automatically sleep when network
files are open.



Allow Automatic Sleep with Open Network Files (Plugged In)



Allow Automatic Sleep with Open Network Files.


If you enable this policy setting, the computer will automatically sleep when network files are
open.


If you disable this policy setting, the computer will not automatically sleep when network
files are open.



Allow desktop composition for remote desktop sessions



This policy setting allows you to specify whether desktop composition is allowed for remote
desktop sessions. This policy setting does not apply to RemoteApp sessions.


Desktop composition provides the user interface elements of Windows Aero, such as
translucent windows, for remote desktop sessions. Because Windows Aero requires additional
system and bandwidth resources, allowing desktop composition for remote desktop sessions
can reduce connection performance, particularly over slow links, and increase the load on the
remote computer.


If you enable this policy setting, desktop composition will be allowed for remote desktop
sessions. On the client computer, you can configure desktop composition on the Experience
tab in Remote Desktop Connection (RDC) or by using the "allow desktop composition"
setting in a Remote Desktop Protocol (.rdp) file. In addition, the client computer must have
the necessary hardware to support Windows Aero features.


Note: Additional configuration might be necessary on the remote computer to make Windows
Aero features available for remote desktop sessions. For example, the Desktop Experience
feature must be installed on the remote computer, and the maximum color depth on the
remote computer must be set to 32 bits per pixel. Also, the Themes service must be started on
the remote computer.


If you disable or do not configure this policy setting, desktop composition is not allowed for
remote desktop sessions, even if desktop composition is enabled in RDC or in the .rdp file.




Allow domain users to log on using biometrics



This policy setting determines whether domain users can log on or elevate User Account
Control (UAC) permissions using biometrics.


By default, domain users cannot use biometrics to log on. If you enable this policy setting,
domain users can log on to a Windows-based computer using biometrics. Depending on the
biometrics you use, enabling this policy setting can reduce the security of users who use
biometrics to log on.


If you disable or do not configure this policy setting, domain users will not be able to log on
to a Windows-based computer using biometrics.


Note: Users who log on using biometrics should create a password-recovery disk; this will
prevent data loss in the event that someone forgets their logon credentials.




Allow ECC certificates to be used for logon and authentication



This policy setting allows you to control whether elliptic curve cryptography (ECC)
certificates on a smart card can be used to log on to a domain.


If you enable this policy setting, ECC certificates on a smart card can be used to log on to a
domain.


If you disable or do not configure this policy setting, ECC certificates on a smart card cannot
be used to log on to a domain.


Note: This policy setting only affects a user's ability to log on to a domain. ECC certificates
on a smart card that are used for other applications, such as document signing, are not affected
by this policy setting.

Note: If you use an ECDSA key to log on, you must also have an associated ECDH key to
permit logons when you are not connected to the network.



Allow enhanced PINs for startup



This policy setting allows you to configure whether or not enhanced startup PINs are used
with BitLocker.


Enhanced startup PINs permit the use of characters including uppercase and lowercase letters,
symbols, numbers, and spaces. This policy setting is applied when you turn on BitLocker.


If you enable this policy setting, all new BitLocker startup PINs set will be enhanced PINs.


Note: Not all computers may support enhanced PINs in the pre-boot environment. It is
strongly recommended that users perform a system check during BitLocker setup.


If you disable or do not configure this policy setting, enhanced PINs will not be used.





Allow Enhanced Storage certificate provisioning



This policy setting configures whether or not users can provision certificates on Enhanced
Storage certificate silo devices.


If you enable this policy setting, users can provision certificates on Enhanced Storage
certificate silo devices.


If you disable or do not configure this policy setting, users cannot provision certificates on
Enhanced Storage certificate silo devices.



Allow only USB root hub connected Enhanced Storage devices



This policy setting configures whether or not only USB root hub connected Enhanced Storage
devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes
the risk of an unauthorized USB device reading data on an Enhanced Storage device.


If you enable this policy setting, only USB root hub connected Enhanced Storage devices are
allowed.


If you disable or do not configure this policy setting, USB Enhanced Storage devices
connected to both USB root hubs and non-root hubs will be allowed.



Allow OpenSearch queries in Windows Explorer




This policy setting allows you to manage whether OpenSearch queries in this zone can be
performed using Search Connectors in Windows Explorer. Search Connectors allow rich
searching of remote sources from within Windows Explorer. Search results will be returned in
Windows Explorer and can be acted upon like local files.


If you enable this policy setting, users can perform OpenSearch queries in this zone using
Search Connectors.


If you disable this policy setting, users are prevented from performing OpenSearch queries in
this zone using Search Connectors.


If you do not configure this policy setting, users can perform OpenSearch queries in this zone
using Search Connectors.




Allow OpenSearch queries in Windows Explorer




This policy setting allows you to manage whether OpenSearch queries in this zone can be
performed using Search Connectors in Windows Explorer. Search Connectors allow rich
searching of remote sources from within Windows Explorer. Search results will be returned in
Windows Explorer and can be acted upon like local files.


If you enable this policy setting, users can perform OpenSearch queries in this zone using
Search Connectors.


If you disable this policy setting, users are prevented from performing OpenSearch queries in
this zone using Search Connectors.


If you do not configure this policy setting, users can perform OpenSearch queries in this zone
using Search Connectors.




Allow OpenSearch queries in Windows Explorer




This policy setting allows you to manage whether OpenSearch queries in this zone can be
performed using Search Connectors in Windows Explorer. Search Connectors allow rich
searching of remote sources from within Windows Explorer. Search results will be returned in
Windows Explorer and can be acted upon like local files.


If you enable this policy setting, users can perform OpenSearch queries in this zone using
Search Connectors.


If you disable this policy setting, users are prevented from performing OpenSearch queries in
this zone using Search Connectors.


If you do not configure this policy setting, users can perform OpenSearch queries in this zone
using Search Connectors.




Allow OpenSearch queries in Windows Explorer




This policy setting allows you to manage whether OpenSearch queries in this zone can be
performed using Search Connectors in Windows Explorer. Search Connectors allow rich
searching of remote sources from within Windows Explorer. Search results will be returned in
Windows Explorer and can be acted upon like local files.


If you enable this policy setting, users can perform OpenSearch queries in this zone using
Search Connectors.


If you disable this policy setting, users are prevented from performing OpenSearch queries in
this zone using Search Connectors.


If you do not configure this policy setting, users can perform OpenSearch queries in this zone
using Search Connectors.




Allow OpenSearch queries in Windows Explorer




This policy setting allows you to manage whether OpenSearch queries in this zone can be
performed using Search Connectors in Windows Explorer. Search Connectors allow rich
searching of remote sources from within Windows Explorer. Search results will be returned in
Windows Explorer and can be acted upon like local files.


If you enable this policy setting, users can perform OpenSearch queries in this zone using
Search Connectors.


If you disable this policy setting, users are prevented from performing OpenSearch queries in
this zone using Search Connectors.


If you do not configure this policy setting, users cannot perform OpenSearch queries in this
zone using Search Connectors.




Allow OpenSearch queries in Windows Explorer




This policy setting allows you to manage whether OpenSearch queries in this zone can be
performed using Search Connectors in Windows Explorer. Search Connectors allow rich
searching of remote sources from within Windows Explorer. Search results will be returned in
Windows Explorer and can be acted upon like local files.


If you enable this policy setting, users can perform OpenSearch queries in this zone using
Search Connectors.


If you disable this policy setting, users are prevented from performing OpenSearch queries in
this zone using Search Connectors.


If you do not configure this policy setting, users can perform OpenSearch queries in this zone
using Search Connectors.




Allow OpenSearch queries in Windows Explorer




This policy setting allows you to manage whether OpenSearch queries in this zone can be
performed using Search Connectors in Windows Explorer. Search Connectors allow rich
searching of remote sources from within Windows Explorer. Search results will be returned in
Windows Explorer and can be acted upon like local files.


If you enable this policy setting, users can perform OpenSearch queries in this zone using
Search Connectors.


If you disable this policy setting, users are prevented from performing OpenSearch queries in
this zone using Search Connectors.


If you do not configure this policy setting, users can perform OpenSearch queries in this zone
using Search Connectors.




Allow OpenSearch queries in Windows Explorer




This policy setting allows you to manage whether OpenSearch queries in this zone can be
performed using Search Connectors in Windows Explorer. Search Connectors allow rich
searching of remote sources from within Windows Explorer. Search results will be returned in
Windows Explorer and can be acted upon like local files.


If you enable this policy setting, users can perform OpenSearch queries in this zone using
Search Connectors.


If you disable this policy setting, users are prevented from performing OpenSearch queries in
this zone using Search Connectors.


If you do not configure this policy setting, users can perform OpenSearch queries in this zone
using Search Connectors.




Allow OpenSearch queries in Windows Explorer




This policy setting allows you to manage whether OpenSearch queries in this zone can be
performed using Search Connectors in Windows Explorer. Search Connectors allow rich
searching of remote sources from within Windows Explorer. Search results will be returned in
Windows Explorer and can be acted upon like local files.


If you enable this policy setting, users can perform OpenSearch queries in this zone using
Search Connectors.


If you disable this policy setting, users are prevented from performing OpenSearch queries in
this zone using Search Connectors.


If you do not configure this policy setting, users can perform OpenSearch queries in this zone
using Search Connectors.




Allow OpenSearch queries in Windows Explorer




This policy setting allows you to manage whether OpenSearch queries in this zone can be
performed using Search Connectors in Windows Explorer. Search Connectors allow rich
searching of remote sources from within Windows Explorer. Search results will be returned in
Windows Explorer and can be acted upon like local files.


If you enable this policy setting, users can perform OpenSearch queries in this zone using
Search Connectors.


If you disable this policy setting, users are prevented from performing OpenSearch queries in
this zone using Search Connectors.


If you do not configure this policy setting, users cannot perform OpenSearch queries in this
zone using Search Connectors.




Allow previewing and custom thumbnails of OpenSearch query results in Windows Explorer




This policy setting allows you to manage whether a user may preview an item from this zone
or display custom thumbnails in the preview pane in Windows Explorer. While this policy
setting usually applies to items returned by OpenSearch queries using Search Connectors
(which allow rich searching of remote sources from within the Windows Explorer), it might
affect other items as well that are marked from this zone. For example, some
application-specific items such as MAPI (Messaging Application Programming Interface) items
that are returned as search results in Windows Explorer will be affected. MAPI items reside in
the Internet zone, so disabling this policy for the Internet zone will prevent the previewing
of these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the
thumbnail that is checked, not the zone of item. Typically these are the same but a source is
able to define a specific location of a thumbnail that is different than the location of the item.


If you enable this policy setting, users can preview items and get custom thumbnails from
OpenSearch query results in this zone using Windows Explorer.


If you disable this policy setting, users will be prevented from previewing items and get
custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


If you do not configure this policy setting, users can preview items and get custom thumbnails
from OpenSearch query results in this zone using Windows Explorer.


Changes to this setting may not be applied until the user logs off from Windows.




Allow previewing and custom thumbnails of OpenSearch query results in Windows Explorer




This policy setting allows you to manage whether a user may preview an item from this zone
or display custom thumbnails in the preview pane in Windows Explorer. While this policy
setting usually applies to items returned by OpenSearch queries using Search Connectors
(which allow rich searching of remote sources from within the Windows Explorer), it might
affect other items as well that are marked from this zone. For example, some
application-specific items such as MAPI (Messaging Application Programming Interface) items
that are returned as search results in Windows Explorer will be affected. MAPI items reside in
the Internet zone, so disabling this policy for the Internet zone will prevent the previewing
of these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the
thumbnail that is checked, not the zone of item. Typically these are the same but a source is
able to define a specific location of a thumbnail that is different than the location of the item.


If you enable this policy setting, users can preview items and get custom thumbnails from
OpenSearch query results in this zone using Windows Explorer.


If you disable this policy setting, users will be prevented from previewing items and get
custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


If you do not configure this policy setting, users can preview items and get custom thumbnails
from OpenSearch query results in this zone using Windows Explorer.


Changes to this setting may not be applied until the user logs off from Windows.




Allow previewing and custom thumbnails of OpenSearch query results in Windows Explorer




This policy setting allows you to manage whether a user may preview an item from this zone
or display custom thumbnails in the preview pane in Windows Explorer. While this policy
setting usually applies to items returned by OpenSearch queries using Search Connectors
(which allow rich searching of remote sources from within the Windows Explorer), it might
affect other items as well that are marked from this zone. For example, some
application-specific items such as MAPI (Messaging Application Programming Interface) items
that are returned as search results in Windows Explorer will be affected. MAPI items reside in
the Internet zone, so disabling this policy for the Internet zone will prevent the previewing
of these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the
thumbnail that is checked, not the zone of item. Typically these are the same but a source is
able to define a specific location of a thumbnail that is different than the location of the item.


If you enable this policy setting, users can preview items and get custom thumbnails from
OpenSearch query results in this zone using Windows Explorer.


If you disable this policy setting, users will be prevented from previewing items and get
custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


If you do not configure this policy setting, users can preview items and get custom thumbnails
from OpenSearch query results in this zone using Windows Explorer.


Changes to this setting may not be applied until the user logs off from Windows.




Allow previewing and custom thumbnails of OpenSearch query results in Windows Explorer




This policy setting allows you to manage whether a user may preview an item from this zone
or display custom thumbnails in the preview pane in Windows Explorer. While this policy
setting usually applies to items returned by OpenSearch queries using Search Connectors
(which allow rich searching of remote sources from within the Windows Explorer), it might
affect other items as well that are marked from this zone. For example, some
application-specific items such as MAPI (Messaging Application Programming Interface) items
that are returned as search results in Windows Explorer will be affected. MAPI items reside in
the Internet zone, so disabling this policy for the Internet zone will prevent the previewing
of these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the
thumbnail that is checked, not the zone of item. Typically these are the same but a source is
able to define a specific location of a thumbnail that is different than the location of the item.


If you enable this policy setting, users can preview items and get custom thumbnails from
OpenSearch query results in this zone using Windows Explorer.


If you disable this policy setting, users will be prevented from previewing items and get
custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


If you do not configure this policy setting, users can preview items and get custom thumbnails
from OpenSearch query results in this zone using Windows Explorer.


Changes to this setting may not be applied until the user logs off from Windows.




Allow previewing and custom thumbnails of OpenSearch query results in Windows Explorer




This policy setting allows you to manage whether a user may preview an item from this zone
or display custom thumbnails in the preview pane in Windows Explorer. While this policy
setting usually applies to items returned by OpenSearch queries using Search Connectors
(which allow rich searching of remote sources from within the Windows Explorer), it might
affect other items as well that are marked from this zone. For example, some
application-specific items such as MAPI (Messaging Application Programming Interface) items
that are returned as search results in Windows Explorer will be affected. MAPI items reside in
the Internet zone, so disabling this policy for the Internet zone will prevent the previewing
of these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the
thumbnail that is checked, not the zone of item. Typically these are the same but a source is
able to define a specific location of a thumbnail that is different than the location of the item.


If you enable this policy setting, users can preview items and get custom thumbnails from
OpenSearch query results in this zone using Windows Explorer.


If you disable this policy setting, users will be prevented from previewing items and get
custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


If you do not configure this policy setting, users cannot preview items or get custom
thumbnails from OpenSearch query results in this zone using Windows Explorer.


Changes to this setting may not be applied until the user logs off from Windows.




Allow previewing and custom thumbnails of OpenSearch query results in Windows Explorer




This policy setting allows you to manage whether a user may preview an item from this zone
or display custom thumbnails in the preview pane in Windows Explorer. While this policy
setting usually applies to items returned by OpenSearch queries using Search Connectors
(which allow rich searching of remote sources from within the Windows Explorer), it might
affect other items as well that are marked from this zone. For example, some
application-specific items such as MAPI (Messaging Application Programming Interface) items
that are returned as search results in Windows Explorer will be affected. MAPI items reside in
the Internet zone, so disabling this policy for the Internet zone will prevent the previewing
of these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the
thumbnail that is checked, not the zone of item. Typically these are the same but a source is
able to define a specific location of a thumbnail that is different than the location of the item.


If you enable this policy setting, users can preview items and get custom thumbnails from
OpenSearch query results in this zone using Windows Explorer.


If you disable this policy setting, users will be prevented from previewing items and get
custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


If you do not configure this policy setting, users can preview items and get custom thumbnails
from OpenSearch query results in this zone using Windows Explorer.


Changes to this setting may not be applied until the user logs off from Windows.




Allow previewing and custom thumbnails of OpenSearch
query results in Windows Explorer




This policy setting allows you to manage whether a user may preview an item from this zone
or display custom thumbnails in the preview pane in Windows Explorer. While this policy
setting usually applies to items returned by OpenSearch queries using Search Connectors
(which allow rich searching of remote sources from within the Windows Explorer), it might
affect other items as well that are marked from this zone. For example, some
application-specific items such as MAPI (Messaging Application Programming Interface) items that are
returned as search results in Windows Explorer will be affected. MAPI items reside in the
Internet zone, so disabling this policy for the Internet zone will prevent the previewing of
these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the
thumbnail that is checked, not the zone of the item. Typically these are the same but a source is
able to define a specific location of a thumbnail that is different than the location of the item.


If you enable this policy setting, users can preview items and get custom thumbnails from
OpenSearch query results in this zone using Windows Explorer.


If you disable this policy setting, users will be prevented from previewing items and getting
custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


If you do not configure this policy setting, users can preview items and get custom thumbnails
from OpenSearch query results in this zone using Windows Explorer.


Changes to this setting may not be applied until the user logs off from Windows.




Allow previewing and custom thumbnails of OpenSearch
query results in Windows Explorer




This policy setting allows you to manage whether a user may preview an item from this zone
or display custom thumbnails in the preview pane in Windows Explorer. While this policy
setting usually applies to items returned by OpenSearch queries using Search Connectors
(which allow rich searching of remote sources from within the Windows Explorer), it might
affect other items as well that are marked from this zone. For example, some
application-specific items such as MAPI (Messaging Application Programming Interface) items that are
returned as search results in Windows Explorer will be affected. MAPI items reside in the
Internet zone, so disabling this policy for the Internet zone will prevent the previewing of
these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the
thumbnail that is checked, not the zone of the item. Typically these are the same but a source is
able to define a specific location of a thumbnail that is different than the location of the item.


If you enable this policy setting, users can preview items and get custom thumbnails from
OpenSearch query results in this zone using Windows Explorer.


If you disable this policy setting, users will be prevented from previewing items and getting
custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


If you do not configure this policy setting, users can preview items and get custom thumbnails
from OpenSearch query results in this zone using Windows Explorer.


Changes to this setting may not be applied until the user logs off from Windows.




Allow previewing and custom thumbnails of OpenSearch
query results in Windows Explorer




This policy setting allows you to manage whether a user may preview an item from this zone
or display custom thumbnails in the preview pane in Windows Explorer. While this policy
setting usually applies to items returned by OpenSearch queries using Search Connectors
(which allow rich searching of remote sources from within the Windows Explorer), it might
affect other items as well that are marked from this zone. For example, some
application-specific items such as MAPI (Messaging Application Programming Interface) items that are
returned as search results in Windows Explorer will be affected. MAPI items reside in the
Internet zone, so disabling this policy for the Internet zone will prevent the previewing of
these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the
thumbnail that is checked, not the zone of the item. Typically these are the same but a source is
able to define a specific location of a thumbnail that is different than the location of the item.


If you enable this policy setting, users can preview items and get custom thumbnails from
OpenSearch query results in this zone using Windows Explorer.


If you disable this policy setting, users will be prevented from previewing items and getting
custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


If you do not configure this policy setting, users can preview items and get custom thumbnails
from OpenSearch query results in this zone using Windows Explorer.


Changes to this setting may not be applied until the user logs off from Windows.




Allow previewing and custom thumbnails of OpenSearch
query results in Windows Explorer




This policy setting allows you to manage whether a user may preview an item from this zone
or display custom thumbnails in the preview pane in Windows Explorer. While this policy
setting usually applies to items returned by OpenSearch queries using Search Connectors
(which allow rich searching of remote sources from within the Windows Explorer), it might
affect other items as well that are marked from this zone. For example, some
application-specific items such as MAPI (Messaging Application Programming Interface) items that are
returned as search results in Windows Explorer will be affected. MAPI items reside in the
Internet zone, so disabling this policy for the Internet zone will prevent the previewing of
these items in Windows Explorer. For the case of custom thumbnails, it is the zone of the
thumbnail that is checked, not the zone of the item. Typically these are the same but a source is
able to define a specific location of a thumbnail that is different than the location of the item.


If you enable this policy setting, users can preview items and get custom thumbnails from
OpenSearch query results in this zone using Windows Explorer.


If you disable this policy setting, users will be prevented from previewing items and getting
custom thumbnails from OpenSearch query results in this zone using Windows Explorer.


If you do not configure this policy setting, users cannot preview items or get custom
thumbnails from OpenSearch query results in this zone using Windows Explorer.


Changes to this setting may not be applied until the user logs off from Windows.




Allow restore of system to default state



Requirements: At least Windows 7

Description: This policy setting controls whether users can access the options in Recovery (in
Control Panel) to restore the computer to the original state or from a user-created system
image.


If you enable or do not configure this policy setting, the items "Use a system image you
created earlier to recover your computer" and "Reinstall Windows" (or "Return your computer
to factory condition") appear on the "Advanced recovery methods" page of Recovery (in
Control Panel) and will allow the user to restore the computer to the original state or from a
user-created system image. This is the default setting.


If you disable this policy setting, the items "Use a system image you created earlier to recover
your computer" and "Reinstall Windows" (or "Return your computer to factory condition") in
Recovery (in Control Panel) will be unavailable. However, with this policy setting disabled,
users can still restore the computer to the original state or from a user-created system image
by restarting the computer and accessing the System Recovery Options menu, if it is
available.



Allow the use of biometrics



If you enable (or do not configure) this policy setting, the Windows Biometric Service will be
available, and users will be able to run applications that use biometrics on Windows. If you
want to enable the ability to log on with biometrics, you must also configure the "Allow users
to log on using biometrics" policy setting.


If you disable this policy setting, the Windows Biometric Service will not be available, and
users will be unable to use any biometric features in Windows.


Note: Users who log on using biometrics should create a password-recovery disk; this will
prevent data loss in the event that someone forgets their logon credentials.




Allow users to log on using biometrics



This policy setting determines whether users can log on or elevate User Account Control
(UAC) permissions using biometrics. By default, local users will be able to log on to the local
computer, but the "Allow domain users to log on using biometrics" policy setting will need to
be enabled for domain users to log on to the domain.


If you enable or do not configure this policy setting, all users can log on to a local
Windows-based computer and will be able to elevate permissions with UAC using biometrics.


If you disable this policy setting, biometrics cannot be used by any users to log on to a local
Windows-based computer.


Note: Users who log on using biometrics should create a password-recovery disk; this will
prevent data loss in the event that someone forgets their logon credentials.




Always use custom logon background



Ignores Windows Logon Background.


This policy setting may be used to make Windows give preference to a custom logon
background.


If you enable this policy setting, the logon screen will always attempt to load a custom
background instead of the Windows-branded logon background.


If you disable or do not configure this policy setting, Windows will use the default Windows
logon background or custom background.



Background upload of a roaming user profile's registry
file while user is logged on



Sets the schedule for background uploading of a roaming user profile's registry file
(ntuser.dat). This setting will only upload the user profile's registry file (other user data will
not be uploaded) and will only upload it if the user is logged on. Only the registry file of a
roaming user profile will be uploaded -- regular profiles will not be affected. This policy does
not stop the roaming user profile's registry file from being uploaded at user logoff.


If this setting is disabled or not configured, the registry file for a roaming user profile will not
be uploaded in the background while the user is logged on.


To use this setting, first choose which scheduling method to use.


If "Run at set interval" is chosen, then an interval must be set, with a value of 1-720 hours.
Once set, the profile's registry file will be uploaded at the specified interval after the user
logs on. For example, with a value of 6 hours, if a user logs on at 6:00am and is still logged in
at 12:00pm, their registry file will be uploaded at that time. Further, if they are still logged in
at 6pm, it will upload then, as well, and again every 6 hours until logoff. The next time the
user logs on, the timer will start again, so the registry file will upload 6 hours later (in our
example).


If "Run at specified time of day" is chosen, then a time of day must be specified. Once set, the
registry hive will be uploaded at that same time every
day, assuming the user is logged on at
that time.


For both scheduling options, there is a random one hour delay attached per-trigger to avoid
overloading the server with simultaneous uploads. For example, if the settings dictate that the
user's registry file is to be uploaded at 6pm, it will actually upload at a random time
between 6pm and 7pm.


Note: If "Run at set interval" is selected, the "Time of day" option is disregarded. Likewise, if
"Run at set time of day" is chosen, the "Interval (hours)" option is disregarded.

=== Presentation information ===

Scheduling method:

The following settings are only required and applicable if "Run at set interval" is selected.

Interval (hours):

The following settings are only required and applicable if "Run at specified time of day" is selected.

Time of day:



=== Detailed values: ===

enum: Id: UploadHiveMethod; ValueName: UploadHiveMethod

item: decimal: 1 => Run at set interval


item: decimal: 2 => Run at specified time of day


decimal: Id: UploadHiveInterval; ValueName: UploadHiveInterval

enum: Id: UploadHiveTime; ValueName: UploadHiveTime

item: decimal: 0 => 00:00


item: decimal: 1 => 01:00


item: decimal: 2 => 02:00


item: decimal: 3 => 03:00


item: decimal: 4 => 04:00


item: decimal: 5 => 05:00


item: decimal: 6 => 06:00


item: decimal: 7 => 07:00


item: decimal: 8 => 08:00


item: decimal: 9 => 09:00


item: decimal: 10 => 10:00


item: decimal: 11 => 11:00


item: decimal: 12 => 12:00


item: decimal: 13 => 13:00


item: decimal: 14 => 14:00


item: decimal: 15 => 15:00


item: decimal: 16 => 16:00


item: decimal: 17 => 17:00


item: decimal: 18 => 18:00


item: decimal: 19 => 19:00


item: decimal: 20 => 20:00


item: decimal: 21 => 21:00


item: decimal: 22 => 22:00


item: decimal: 23 => 23:00





CD and DVD: Deny execute access



This policy setting denies execute access to the CD and DVD removable
storage class.


If you enable this policy setting, execute access will be denied to this removable storage class.


If you disable or do not configure this policy setting, execute access will be allowed to this
removable storage class.



Change Start Menu power button



Set the default action of the power button on the Start menu.


If you enable this setting, the
Start Menu will set the power button to the chosen action, and
not let the user change this action.


If you set the button to either Sleep or Hibernate, and that state is not supported on a
computer, then the button will fall back to Shut Down.


If you disable or do not configure this setting, the Start Menu power button will be set to Shut
Down by default, and the user can change this setting to another action.


=== Detailed values: ===

enum: Id: PowerButtonActionDropdown; ValueName: PowerButtonAction

item: decimal: 2 => Shut Down


item: decimal: 16 => Sleep


item: decimal: 1 => Log off


item: decimal: 512 => Lock


item: decimal: 4 => Restart


item: decimal: 256 => Switch User


item: decimal: 64 => Hibernate





Choose how BitLocker-protected fixed drives can be recovered



This policy setting allows you to control how BitLocker-protected fixed data drives are
recovered in the absence of the required credentials. This policy setting is applied when you
turn on BitLocker.


The "Allow data recovery agent" check box is used to specify whether a data recovery agent
can be used with BitLocker-protected fixed data drives. Before a data recovery agent can be
used it must be added from the Public Key Policies item in either the Group Policy
Management Console or the Local Group Policy Editor. Consult the BitLocker Drive
Encryption Deployment Guide on Microsoft TechNet for more information about adding data
recovery agents.


In "Configure user storage of BitLocker recovery information" select whether users are
allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit
recovery key.


Select "Omit recovery options from the BitLocker setup wizard" to prevent users from
specifying recovery options when they enable BitLocker on a drive. This means that you will
not be able to specify which recovery option to use when you enable BitLocker; instead,
BitLocker recovery options for the drive are determined by the policy setting.


In "Save BitLocker recovery information to Active Directory Domain Services" choose which
BitLocker recovery information to store in AD DS for fixed data drives. If you select "Backup
recovery password and key package", both the BitLocker recovery password and key package
are stored in AD DS. Storing the key package supports recovering data from a drive that has
been physically corrupted. If you select "Backup recovery password only," only the recovery
password is stored in AD DS.


Select the "Do not enable BitLocker until recovery information is stored in AD DS for fixed
data drives" check box if you want to prevent users from enabling BitLocker unless the
computer is connected to the domain and the backup of BitLocker recovery information to
AD DS succeeds.


Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed
data drives" check box is selected, a recovery password is automatically generated.


If you enable this policy setting, you can control the methods available to users to recover
data from BitLocker-protected fixed data drives.


If this policy setting is not configured or disabled, the default recovery options are supported
for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified
by the user including the recovery password and recovery key, and recovery information is
not backed up to AD DS.



=== Presentation information ===

Allow data recovery agent

Configure user storage of BitLocker recovery information:



Omit recovery options from the BitLocker setup wizard

Save BitLocker recovery information to AD DS for fixed data drives

Configure storage of BitLocker recovery information to AD DS:

Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives



=== Detailed values: ===

enum: Id: FDVRecoveryPasswordUsageDropDown_Name; ValueName: FDVRecoveryPassword

item: decimal: 2 => Allow 48-digit recovery password

item: decimal: 1 => Require 48-digit recovery password

item: decimal: 0 => Do not allow 48-digit recovery password

enum: Id: FDVRecoveryKeyUsageDropDown_Name; ValueName: FDVRecoveryKey

item: decimal: 2 => Allow 256-bit recovery key

item: decimal: 1 => Require 256-bit recovery key

item: decimal: 0 => Do not allow 256-bit recovery key

boolean: Id: FDVAllowDRA_Name; ValueName: FDVManageDRA

trueValue: decimal: 1

falseValue: decimal: 0

boolean: Id: FDVHideRecoveryPage_Name; ValueName: FDVHideRecoveryPage

trueValue: decimal: 1

falseValue: decimal: 0

boolean: Id: FDVActiveDirectoryBackup_Name; ValueName: FDVActiveDirectoryBackup

trueValue: decimal: 1

falseValue: decimal: 0

boolean: Id: FDVRequireActiveDirectoryBackup_Name; ValueName: FDVRequireActiveDirectoryBackup

trueValue: decimal: 1

falseValue: decimal: 0

enum: Id: FDVActiveDirectoryBackupDropDown_Name; ValueName: FDVActiveDirectoryInfoToStore

item: decimal: 1 => Backup recovery passwords and key packages

item: decimal: 2 => Backup recovery passwords only





Choose how BitLocker-protected operating system drives
can be recovered



This policy setting allows you to control how BitLocker-protected operating system drives are
recovered in the absence of the required startup key information. This policy setting is applied
when you turn on BitLocker.


The "Allow certificate-based data recovery agent" check box is used to specify whether a data
recovery agent can be used with BitLocker-protected operating system drives. Before a data
recovery agent can be used it must be added from the Public Key Policies item in either the
Group Policy Management Console or the Local Group Policy Editor. Consult the BitLocker
Drive Encryption Deployment Guide on Microsoft TechNet for more information about
adding data recovery agents.


In "Configure user storage of BitLocker recovery information" select whether users are
allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit
recovery key.


Select "Omit recovery options from the BitLocker setup wizard" to prevent users from
specifying recovery options when they enable BitLocker on a drive. This means that you will
not be able to specify which recovery option to use when you enable BitLocker; instead,
BitLocker recovery options for the drive are determined by the policy setting.


In "Save BitLocker recovery information to Active Directory Domain Services", choose
which BitLocker recovery information to store in AD DS for operating system drives. If you
select "Backup recovery password and key package", both the BitLocker recovery password
and key package are stored in AD DS. Storing the key package supports recovering data from
a drive that has been physically corrupted. If you select "Backup recovery password only,"
only the recovery password is stored in AD DS.


Select the "Do not enable BitLocker until recovery information is stored in AD DS for
operating system drives" check box if you want to prevent users from enabling BitLocker
unless the computer is connected to the domain and the backup of BitLocker recovery
information to AD DS succeeds.


Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for
operating system drives" check box is selected, a recovery password is automatically
generated.


If you enable this policy setting, you can control the methods available to users to recover
data from BitLocker-protected operating system drives.


If this policy setting is disabled or not configured, the default recovery options are supported
for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified
by the user including the recovery password and recovery key, and recovery information is
not backed up to AD DS.



=== Presentation information ===

Allow data recovery agent

Configure user storage of BitLocker recovery information:



Omit recovery options from the BitLocker setup wizard

Save BitLocker recovery information to AD DS for operating system drives

Configure storage of BitLocker recovery information to AD DS:

Do not enable BitLocker until recovery information is stored to AD DS for operating system
drives



=== Detailed values: ===

boolean: Id: OSAllowDRA_Name; ValueName: OSManageDRA

trueValue: decimal: 1

falseValue: decimal: 0

enum: Id: OSRecoveryPasswordUsageDropDown_Name; ValueName: OSRecoveryPassword

item: decimal: 2 => Allow 48-digit recovery password

item: decimal: 1 => Require 48-digit recovery password

item: decimal: 0 => Do not allow 48-digit recovery password

enum: Id: OSRecoveryKeyUsageDropDown_Name; ValueName: OSRecoveryKey

item: decimal: 2 => Allow 256-bit recovery key

item: decimal: 1 => Require 256-bit recovery key

item: decimal: 0 => Do not allow 256-bit recovery key

boolean: Id: OSHideRecoveryPage_Name; ValueName: OSHideRecoveryPage

trueValue: decimal: 1

falseValue: decimal: 0

boolean: Id: OSActiveDirectoryBackup_Name; ValueName: OSActiveDirectoryBackup

trueValue: decimal: 1

falseValue: decimal: 0

boolean: Id: OSRequireActiveDirectoryBackup_Name; ValueName: OSRequireActiveDirectoryBackup

trueValue: decimal: 1

falseValue: decimal: 0

enum: Id: OSActiveDirectoryBackupDropDown_Name; ValueName: OSActiveDirectoryInfoToStore

item: decimal: 1 => Store recovery passwords and key packages

item: decimal: 2 => Store recovery passwords only





Choose how BitLocker-protected removable drives can be recovered



This policy setting allows you to control how BitLocker-protected removable data drives are
recovered in the absence of the required credentials. This policy setting is applied when you
turn on BitLocker.


The "Allow data recovery agent" check box is used to specify whether a data recovery agent
can be used with BitLocker-protected removable data drives. Before a data recovery agent can
be used it must be added from the Public Key Policies item in either the Group Policy
Management Console or the Local Group Policy Editor. Consult the BitLocker Drive
Encryption Deployment Guide on Microsoft TechNet for more information about adding data
recovery agents.


In "Configure user storage of BitLocker recovery information" select whether users are
allowed, required, or not allowed to generate a 48-digit recovery password or a 256-bit
recovery key.


Select "Omit recovery options from the BitLocker setup wizard" to prevent users from
specifying recovery options when they enable BitLocker on a drive. This means that you will
not be able to specify which recovery option to use when you enable BitLocker; instead,
BitLocker recovery options for the drive are determined by the policy setting.


In "Save BitLocker recovery information to Active Directory Domain Services" choose which
BitLocker recovery information to store in AD DS for removable data drives. If you select
"Backup recovery password and key package", both the BitLocker recovery password and key
package are stored in AD DS. If you select "Backup recovery password only" only the
recovery password is stored in AD DS.


Select the "Do not enable BitLocker until recovery information is stored in AD DS for
removable data drives" check
box if you want to prevent users from enabling BitLocker
unless the computer is connected to the domain and the backup of BitLocker recovery
information to AD DS succeeds.


Note: If the "Do not enable BitLocker until recovery information is stored in AD DS for fixed
data drives" check box is selected, a recovery password is automatically generated.


If you enable this policy setting, you can control the methods available to users to recover
data from BitLocker-protected removable data drives.


If this policy setting is not configured or disabled, the default recovery options are supported
for BitLocker recovery. By default a DRA is allowed, the recovery options can be specified
by the user including the recovery password and recovery key, and recovery information is
not backed up to AD DS.


=== Presentation information ===

Allow data recovery agent

Configure user storage of BitLocker recovery information:



Omit recovery options from the BitLocker setup wizard

Save BitLocker recovery information to AD DS for removable data drives

Configure storage of BitLocker recovery information to AD DS:

Do not enable BitLocker until recovery information is stored to AD DS for removable data
drives



=== Detailed values: ===

enum: Id: RDVRecoveryPasswordUsageDropDown_Name; ValueName: RDVRecoveryPassword

item: decimal: 2 => Allow 48-digit recovery password

item: decimal: 1 => Require 48-digit recovery password

item: decimal: 0 => Do not allow 48-digit recovery password

enum: Id: RDVRecoveryKeyUsageDropDown_Name; ValueName: RDVRecoveryKey

item: decimal: 2 => Allow 256-bit recovery key

item: decimal: 1 => Require 256-bit recovery key

item: decimal: 0 => Do not allow 256-bit recovery key

boolean: Id: RDVAllowDRA_Name; ValueName: RDVManageDRA

trueValue: decimal: 1

falseValue: decimal: 0

boolean: Id: RDVHideRecoveryPage_Name; ValueName: RDVHideRecoveryPage

trueValue: decimal: 1

falseValue: decimal: 0

boolean: Id: RDVActiveDirectoryBackup_Name; ValueName: RDVActiveDirectoryBackup

trueValue: decimal: 1

falseValue: decimal: 0

boolean: Id: RDVRequireActiveDirectoryBackup_Name; ValueName: RDVRequireActiveDirectoryBackup

trueValue: decimal: 1

falseValue: decimal: 0

enum: Id: RDVActiveDirectoryBackupDropDown_Name; ValueName: RDVActiveDirectoryInfoToStore

item: decimal: 1 => Backup recovery passwords and key packages

item: decimal: 2 => Backup recovery passwords only





Configure Background Sync



This is a machine-specific setting which applies to any user who logs onto the specified
machine while this policy is in effect.


This policy is in effect when a network folder is determined, as specified by the
“Configure slow-link mode” policy, to be in “slow-link” mode.


For network folders in "slow-link" mode, a sync will be initiated in the background on a
regular basis, according to these settings, to synchronize the files in those shares/folders
between the client and server.


By default, network folders in the "slow-link" mode will be synchronized with the server
every 360 minutes with the start of the sync varying between 0 and 60 additional minutes.


You can override the default sync interval and variance by setting 'Sync Interval' and
'Sync Variance' values. You can also set a period of time where background sync is
disabled by setting 'Blockout Start Time' and 'Blockout Duration'. To ensure that all
the network folders on the machine are synchronized with the server on a regular basis, you
may also set the 'Maximum Allowed Time Without A Sync'.


You may also configure Background Sync for network shares that are in user selected "Work
Offline" mode. This mode is in effect when a user selects the "Work Offline" button for a
specific share. When selected, all configured settings will apply to shares in user selected
"Work Offline" mode as well.


If you disable this setting or do not configure it, the default behavior for Background Sync
will apply.

=== Presentation information ===

Configure background sync:


Sync Interval (minutes)

Sync Variance (minutes)

Maximum Allowed Time Without A Sync (minutes)

Blockout Start Time (HHMM)

HHMM is a value where HH must be between 0 and 24, and MM must be between 0 and 59.

Blockout Duration (minutes)

Enable Background Sync for shares in user selected "Work Offline" mode



=== Detailed values: ===

decimal: Id: Lbl_BackgroundSyncDefaultSyncTime; ValueName: BackgroundSyncPeriodMin

decimal: Id: Lbl_BackgroundSyncVariance; ValueName: BackgroundSyncMaxStartMin

decimal: Id: Lbl_BackgroundSyncIgnoreBlockOutTime; ValueName: BackgroundSyncIgnoreBlockOutAfterMin

decimal: Id: Lbl_BackgroundSyncBlockOutPeriodStartTime; ValueName: BackgroundSyncBlockOutStartTime

decimal: Id: Lbl_BackgroundSyncBlockOutPeriodDuration; ValueName: BackgroundSyncBlockOutDurationMin

boolean: Id: Lbl_BackgroundSyncInForcedOffline; ValueName: BackgroundSyncEnabledForForcedOffline

trueValue: decimal: 1


falseValue: decimal: 0





Configure BranchCache for network files



This policy setting changes the default round trip network latency value above which network
files are cached by client computers in the branch. BranchCache for network files enables
computers in a branch office to cache data from Intranet servers on which BranchCache is
enabled, and then securely share the files with other computers in the branch. One of the
content types that can be cached in a branch office is network files using the Server Message
Block (SMB) protocol.


By default, network files are cached in the branch office when the round trip network latency
of the wide area network (WAN) link is above 80 ms. To always cache network files
downloaded to computers in the branch office, set the network latency value to 0. To disable
branch caching for network files, set the latency value to a very high value.


If you enable this policy
setting, you can configure the round trip network latency above
which network files should be cached by client computers in the branch office.


If you disable or do not configure this policy setting, the client computer will cache network
files if the round trip network latency of the wide area network (WAN) link is above 80 ms.



=== Detailed values: ===

decimal: Id: WBC_SMBLatency_DecimalTextBox; ValueName: PeerCachingLatencyThreshold




Configure list of Enhanced Storage devices usable on your
computer



This policy setting allows you to configure a list of Enhanced Storage devices by
manufacturer and product ID that are usable on your computer.


This policy setting only applies to Enhanced Storage devices that support a Certificate
Authentication Silo.


If you enable this policy setting, only Enhanced Storage devices that contain a manufacturer
and product ID specified in this policy are usable on your computer.


If you disable or do not configure this policy setting, all Enhanced Storage devices are usable
on your computer.

=== Presentation information ===

Usable Enhanced Storage Devices:

The device identifier should be entered in the form "Vendor ID-Product ID" where "Vendor
ID" is the Institute of Electrical and Electronics Engineers, Inc. (IEEE) issued
organizationally unique identifier (OUI) of the manufacturer and "Product ID" is a string
assigned by the manufacturer.

For more information on how to obtain the manufacturer and product ID from the device
search for "Enhanced Storage Access" on Microsoft TechNet.



=== Detailed values: ===

list: Id: ApprovedEnStorDevices_List



Go to GPS

Configure list of IEEE 1667 silos usable on your computer



This policy setting allows you to create a list of IEEE 1667 silos, compliant with the
Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are
usable on your computer.


If you enable this policy setting, only IEEE 1667 silos that match a silo type identifier
specified in this policy are usable on your computer.


If you disable or do not configure this policy setting, all IEEE 1667 silos on Enhanced Storage
devices are usable on your computer.

=== Presentation information ===

Usable IEEE 1667 Silo Type Identifiers:

Each silo type identifier must be a separate entry.

For more information on how to set a silo type identifier for this policy search for "Enhanced
Storage Access" on Microsoft TechNet.



=== Detailed values: ===

list: Id: ApprovedSilos_List



Go to GPS

Configure minimum PIN length for startup



This policy setting allows you to configure a minimum length for a Trusted Platform Module
(TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup
PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.


If you enable this policy setting, you can require a minimum number of digits to be used when
setting the startup PIN.


If you disable or do not configure this policy setting, users can configure a startup PIN of any
length between 4 and 20 digits.




=== Detailed values: ===

decimal: Id: MinPINLength; ValueName: MinimumPIN



Go to GPS

Configure Reliability WMI Providers



This policy controls the Windows Management Instrumentation (WMI) providers
Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords.


If this setting is disabled, the Reliability Monitor will not display system reliability
information nor will WMI capable applications have access to reliability information.


Go to GPS

Configure Scenario Execution Level



If you enable this policy setting, the Diagnostic Policy Service (DPS) will detect,
troubleshoot and attempt to resolve automatically any heap corruption problems.


If you disable this policy setting, Windows will not be able to detect, troubleshoot and attempt
to resolve automatically any heap corruption problems that are handled by the DPS.


If you do not configure this policy setting, the DPS will enable Fault Tolerant Heap for
resolution by default.


This policy setting takes effect only if the diagnostics-wide scenario execution policy is not
configured.


No system restart or service restart is required for this policy to take effect: changes take
effect immediately.


This policy setting will only take effect when the Diagnostic Policy Service is in the running
state. When the service is stopped or disabled, diagnostic scenarios will not be executed. The
DPS can be configured with the Services snap-in to the Microsoft Management Console.


Go to GPS

Configure Scheduled Maintenance Behavior



Determines whether scheduled diagnostics will run to proactively detect and resolve system
problems.


If you enable this policy setting, you must choose an execution level. If you choose detection
and troubleshooting only, Windows will periodically detect and troubleshoot problems. The
user will be notified of the problem for interactive resolution.


If you choose detection, troubleshooting and resolution, Windows will resolve some of these
problems silently without requiring user input.


If you disable this policy setting, Windows will not be able to detect, troubleshoot or resolve
problems on a scheduled basis.


If you do not configure this policy setting, local troubleshooting preferences will take
precedence, as configured in the control panel. If no local troubleshooting preference is
configured, scheduled diagnostics are enabled for detection, troubleshooting and resolution by
default.


No reboots or service restarts are required for this policy to take effect: changes take effect
immediately.


This policy setting will only take effect when the Task Scheduler service is in the running
state. When the service is stopped or disabled, scheduled diagnostics will not be executed.
The Task Scheduler service can be configured with the Services snap-in to the Microsoft
Management Console.

=== Presentation information ===

Execution Level



=== Detailed values: ===

enum: Id: ScheduledDiagnosticsExecutionPolicyLevel; ValueName: EnabledExecutionLevel

item: decimal: 1 => Troubleshooting Only


item: decimal: 2 => Regular




Go to GPS

Configure Security Policy for Scripted Diagnostics



Determines whether scripted diagnostics will execute diagnostic packages that are signed by
untrusted publishers.


If you enable this policy setting, the scripted diagnostics execution engine will validate the
signer of any diagnostic package and only run those signed by trusted publishers.


If you disable this policy setting, the scripted diagnostics execution engine will run all
digitally signed packages.


Go to GPS

Configure use of passwords for fixed data drives



This policy setting specifies whether a password is required to unlock BitLocker-protected
fixed data drives. If you choose to permit the use of a password, you can require that a
password be used, enforce complexity requirements on the password, and configure a
minimum length for the password. For the complexity requirement setting to be effective, the
Group Policy setting "Password must meet complexity requirements" located in
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
must also be enabled.


Note: These settings are enforced when turning on BitLocker, not when unlocking a volume.
BitLocker will allow unlocking a drive with any of the protectors available on the drive.


If you enable this policy setting, users can configure a password that meets the requirements
you define. To require the use of a password, select "Require password for fixed data drive".
To enforce complexity requirements on the password, select "Require complexity".


When set to "Require complexity", a connection to a domain controller is necessary when
BitLocker is enabled to validate the complexity of the password. When set to "Allow
complexity", a connection to a domain controller will be attempted to validate that the
complexity adheres to the rules set by the policy, but if no domain controllers are found the
password will still be accepted regardless of actual password complexity and the drive will be
encrypted using that password as a protector. When set to "Do not allow complexity", no
password complexity validation will be done.


Passwords must be at least 8 characters. To configure a greater minimum length for the
password, enter the desired number of characters in the "Minimum password length" box.


If you disable this policy setting, the user is not allowed to use a password.


If you do not configure this policy setting, passwords will be supported with the default
settings, which do not include password complexity requirements and require only 8
characters.


Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography:
Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
specifies whether FIPS-compliance is enabled.



=== Presentation information ===

Require password for fixed data drive

Configure password complexity for fixed data drives:

Minimum password length for fixed data drive:

Note: You must enable the "Password must meet complexity requirements" policy setting for
the password complexity setting to take effect.



=== Detailed values: ===

boolean: Id: FDVRequirePassphrase; ValueName: FDVEnforcePassphrase

trueValue: decimal: 1


falseValue: decimal: 0


enum: Id: FDVPassphraseComplexity; ValueName: FDVPassphraseComplexity

item: decimal: 2 => Allow password complexity


item: decimal: 0 => Do not allow password complexity


item: decimal: 1 => Require password complexity


decimal: Id: FDVMinPassphraseLength; ValueName: FDVPassphraseLength



Go to GPS

Configure use of passwords for removable data drives



This policy setting specifies whether a password is required to unlock BitLocker-protected
removable data drives. If you choose to allow use of a password, you can require a password
to be used, enforce complexity requirements, and configure a minimum length. For the
complexity requirement setting to be effective, the Group Policy setting "Password must meet
complexity requirements" located in
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\
must also be enabled.


Note: These settings are enforced when turning on BitLocker, not when unlocking a volume.
BitLocker will allow unlocking a drive with any of the protectors available on the drive.


If you enable this policy setting, users can configure a password that meets the requirements
that you define. To require the use of a password, select "Require password for removable
data drive". To enforce complexity requirements on the password, select "Require
complexity".


When set to "Require complexity", a connection to a domain controller is necessary when
BitLocker is enabled to validate the complexity of the password. When set to "Allow
complexity", a connection to a domain controller will be attempted to validate that the
complexity adheres to the rules set by the policy, but if no domain controllers are found the
password will still be accepted regardless of actual password complexity and the drive will be
encrypted using that password as a protector. When set to "Do not allow complexity", no
password complexity validation will be done.


Passwords must be at least 8 characters. To configure a greater minimum length for the
password, enter the desired number of characters in the "Minimum password length" box.


If you disable this policy setting, the user is not allowed to use a password.


If you do not configure this policy setting, passwords will be supported with the default
settings, which do not include password complexity requirements and require only 8
characters.


Note: Passwords cannot be used if FIPS-compliance is enabled. The "System cryptography:
Use FIPS-compliant algorithms for encryption, hashing, and signing" policy setting in
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
specifies whether FIPS-compliance is enabled.



=== Presentation information ===

Require password for removable data drive

Configure password complexity for removable data drives:

Minimum password length for removable data drive:

Note: You must enable the "Password must meet complexity requirements" policy setting for
the password complexity setting to take effect.



=== Detailed values: ===

boolean: Id: RDVRequirePassphrase; ValueName: RDVEnforcePassphrase

trueValue: decimal: 1


falseValue: decimal: 0


enum: Id: RDVPassphraseComplexity; ValueName: RDVPassphraseComplexity

item: decimal: 2 => Allow password complexity


item: decimal: 0 => Do not allow password complexity


item: decimal: 1 => Require password complexity


decimal: Id: RDVMinPassphraseLength; ValueName: RDVPassphraseLength



Go to GPS

Configure use of smart cards on fixed data drives



This policy setting allows you to specify whether smart cards can be used to authenticate user
access to the BitLocker-protected fixed data drives on a computer.


If you enable this policy setting, smart cards can be used to authenticate user access to the
drive. You can require smart card authentication by selecting the "Require use of smart
cards on fixed data drives" check box.


Note: These settings are enforced when turning on BitLocker, not when unlocking a drive.
BitLocker will allow unlocking a drive with any of the protectors available on the drive.


If you disable this policy setting, users are not allowed to use smart cards to authenticate their
access to BitLocker-protected fixed data drives.


If you do not configure this policy setting, smart cards can be used to authenticate user access
to a BitLocker-protected drive.




=== Detailed values: ===

boolean: Id: FDVRequireSmartCard_Name; ValueName: FDVEnforceUserCert

trueValue: decimal: 1


falseValue: decimal: 0




Go to GPS

Configure use of smart cards on removable data drives



This policy setting allows you to specify whether smart cards can be used to authenticate user
access to BitLocker-protected removable data drives on a computer.


If you enable this policy setting, smart cards can be used to authenticate user access to the
drive. You can require smart card authentication by selecting the "Require use of smart
cards on removable data drives" check box.


Note: These settings are enforced when turning on BitLocker, not when unlocking a drive.
BitLocker will allow unlocking a drive with any of the protectors available on the drive.


If you disable this policy setting, users are not allowed to use smart cards to authenticate their