New GPO settings for Windows 8

Naturally, with Windows Server 8 we see new GPO settings designed specifically for Windows 8. Unless I missed some (which is possible), here is the looooong list with their descriptions (in English, since even the French ADML files are in English for the new settings), sorted by ADMX file:

AppxPackageManager.admx

Class | Setting name | Setting explanation
Machine | Allow all trusted apps to install | This policy setting allows you to manage the installation of app packages that do not originate from the Windows Store. If you enable this policy setting, you can install any trusted app package. A trusted app package is one that is signed with a certificate chain that can be successfully validated by the local computer. This can include line-of-business app packages signed by the enterprise in addition to app packages that originate from the Windows Store. If you disable or do not configure this policy setting, you can only install trusted app packages that come from the Windows Store.
Machine | Allow deployment operations in special profiles | This policy setting allows you to manage the deployment operations of app packages when the user is logged in under special profiles. Deployment operation refers to adding, registering, staging, updating or removing an app package. Special profiles refer to profiles with the following types: mandatory, super-mandatory, temporary or system. Local and roaming profiles are not special profiles. When the user is logged in to a guest account, the profile type is temporary. If you enable this policy setting, the system allows deployment operations when the user is using a special profile. If you disable or do not configure this policy setting, the system blocks deployment operations when the user is using a special profile.
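Once "Allow all trusted apps to install" is enabled, anything signed by a chain the machine trusts can be sideloaded, so the useful check is to see what actually got installed outside the Store. The following PowerShell is an added example, not code from the original post: it reads the two Appx policy values and then lists every installed package whose signature did not come from the Store. The registry value names (AllowAllTrustedApps, AllowDeploymentInSpecialProfiles under HKLM\SOFTWARE\Policies\Microsoft\Windows\Appx) are those written by the released Windows 8 ADMX files and are an assumption with respect to the beta described here; Get-AppxPackage is the Appx module cmdlet shipped with Windows 8.

```powershell
# Added example (not from the original post): audit app-package sideloading.
# Assumption: the policy registry location/value names below are those of the
# released Windows 8 / Server 2012 ADMX files; the beta naming may differ.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'

function Get-SideloadPolicyState {
    $allowAll = (Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue).AllowAllTrustedApps
    $special  = (Get-ItemProperty -Path $policyKey -Name AllowDeploymentInSpecialProfiles -ErrorAction SilentlyContinue).AllowDeploymentInSpecialProfiles

    # Absent value = "not configured", which the setting text says behaves like "disabled".
    [pscustomobject]@{
        AllowAllTrustedApps              = if ($null -eq $allowAll) { 'Not configured (Store only)' } elseif ($allowAll -eq 1) { 'Enabled (sideloading allowed)' } else { 'Disabled (Store only)' }
        AllowDeploymentInSpecialProfiles = if ($null -eq $special)  { 'Not configured (blocked)' }    elseif ($special -eq 1)  { 'Enabled' } else { 'Disabled (blocked)' }
    }
}

function Get-NonStorePackages {
    # SignatureKind says who signed the package: Store, Developer, Enterprise, System or None.
    # Everything that is neither Store- nor System-signed was sideloaded.
    Get-AppxPackage -AllUsers |
        Where-Object { $_.SignatureKind.ToString() -notin @('Store', 'System') } |
        Select-Object Name, Publisher, @{ n = 'SignatureKind'; e = { $_.SignatureKind.ToString() } }, PackageFullName
}

Get-SideloadPolicyState | Format-List
Get-NonStorePackages | Sort-Object SignatureKind, Name | Format-Table -AutoSize
```

Run it in an elevated PowerShell 3.0 session (the -notin operator and -AllUsers need Windows 8 or later). A package with SignatureKind "Developer" is signed by a test or developer certificate the machine has been made to trust, which is the case to review first.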

AppXRuntime.admx

Class | Setting name | Setting explanation
Both | Block launching desktop programs associated with a file | This policy setting allows you to minimize the risk involved when an app launches the default program for a file. Because desktop programs run at a higher integrity level than apps, there is a risk that an app could compromise the system by launching a file in a desktop program. If you enable this policy setting, Windows prevents apps from launching files that would open in a desktop program. When you enable this policy setting, apps may only launch files that can be opened by another app. If you disable or do not configure this policy setting, apps could launch files that would open in a desktop program.
Both | Block launching desktop programs associated with a protocol | This policy setting allows you to minimize the risk involved when an app launches the default program for a protocol. Because desktop programs run at a higher integrity level than apps, there is a risk that a protocol launched by an app could compromise the system by launching a desktop program. If you enable this policy setting, Windows prevents apps from launching protocols that would be passed to a desktop program. When you enable this policy setting, apps may only launch protocols that can be passed to another app. If you disable or do not configure this policy setting, apps could launch protocols that would be passed to a desktop program. Note: Enabling this policy setting will not block apps from launching http, https, and mailto protocols that would be passed to a desktop program. The handlers for these protocols are accustomed to handling data from untrusted sources and are therefore hardened against protocol based vulnerabilities. The risk of allowing these protocols to be passed to a desktop program is minimal.

CredentialProviders.admx

Class | Setting name | Setting explanation
Machine | Turn off PIN logon and picture password logon | This policy setting allows you to control whether a user can sign in using a PIN or a picture password. If you enable this policy setting, a user can’t set up and use a PIN or a picture password. If you disable or don’t configure this policy setting, a user can set up and sign in with a PIN or a picture password.

CredUI.admx

Class | Setting name | Setting explanation
Machine | Do not display the password reveal button | This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password entry text box. If you disable or do not configure this policy setting, the password reveal button will be displayed after a user types a password in the password entry text box. By default, the password reveal button is displayed after a user types a password in the password entry text box. To display the password, click the password reveal button. The policy applies to all Windows components and applications that use the Windows system controls, including Metro style apps as well as Internet Explorer 10 and later.

dam.admx

Class | Setting name | Setting explanation
Machine | Enable Desktop Activity Moderator | This policy setting enables the Desktop Activity Moderator. If you enable this policy setting, Desktop Activity Moderator will suspend some processes during the Connected Standby state. Hardware capabilities are ignored. If you disable this policy setting, Desktop Activity Moderator will not suspend any processes. Hardware capabilities are ignored. If you do not configure this policy setting, Desktop Activity Moderator will suspend some processes only on AOAC-capable hardware during the Connected Standby state. Note: You will need to restart your computer for a change to this policy setting to take effect.

DnsClient.admx

Class | Setting name | Setting explanation
Machine | Turn off smart multi-homed name resolution | Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries.
Machine | Turn off smart protocol reordering | Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks. Note: This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
Machine | Allow NetBT queries for fully qualified domain names | Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as "www.example.com" in addition to single-label names. If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names such as "example" and not for multi-label and fully qualified domain names.
Machine | Prefer link local responses over DNS when received over a network with higher precedence | Specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the binding order. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, responses from link local protocols will be preferred over DNS responses if the local responses are from a network with a higher binding order. If you disable this policy setting, or if you do not configure this policy setting, then DNS responses from networks lower in the binding order will be preferred over responses from link local protocols received from networks higher in the binding order. Note: This policy setting is applicable only if the turn off smart multi-homed name resolution policy setting is disabled or not configured.
Machine | Turn off IDN encoding | Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
Machine | IDN mapping | Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form.

DWM.admx

Class | Setting name | Setting explanation
User | Use solid color for Start background | This policy setting controls the Start background visuals. If you enable this policy setting, the Start background will use a solid color. If you disable or do not configure this policy setting, the Start background will use the default visuals. Note: If this policy setting is enabled, users can continue to select a color in Start Personalization. However, setting the accent will have no effect.

EAIME.admx

Class | Setting name | Setting explanation
User | Turn on misconversion logging for misconversion report | This policy setting allows you to turn on logging of misconversion for the misconversion report. If you enable this policy setting, misconversion logging is turned on. If you disable or do not configure this policy setting, misconversion logging is turned off. This policy setting applies to Japanese Microsoft IME and Simplified Chinese Microsoft Pinyin.
User | Turn off saving auto-tuning data to file | This policy setting allows you to turn off saving the auto-tuning result to file. If you enable this policy setting, the auto-tuning data is not saved to file. If you disable or do not configure this policy setting, auto-tuning data is saved to file by default. This policy setting applies to Japanese Microsoft IME only.
User | Turn off history-based predictive input | This policy setting allows you to turn off history-based predictive input. If you enable this policy setting, history-based predictive input is turned off. If you disable or do not configure this policy setting, history-based predictive input is on by default. This policy setting applies to Japanese Microsoft IME only. Note: Changes to this setting will not take effect until the user logs off.
User | Turn off Open Extended Dictionary | This policy setting allows you to turn off Open Extended Dictionary. If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. For Japanese Microsoft IME, an Open Extended Dictionary that is added before enabling this policy setting is not used for conversion. For Simplified Chinese Microsoft Pinyin, an Open Extended Dictionary that is added before enabling this policy setting is still used for conversion. If you disable or do not configure this policy setting, Open Extended Dictionary can be added and used by default. This policy setting is applied to Japanese Microsoft IME and Simplified Chinese Microsoft Pinyin.
User | Turn off Internet search integration | This policy setting allows you to turn off Internet search integration. If you enable this policy setting, you cannot add a new search integration configuration file. A search integration configuration file that was installed before enabling this policy setting is not used. If you disable or do not configure this policy setting, the search integration function can be used by default. This policy setting applies to Japanese Microsoft IME, Simplified Chinese Microsoft Pinyin, and Traditional Chinese New Phonetic.
User | Turn off custom dictionary | This policy setting allows you to turn off the ability to use a custom dictionary. If you enable this policy setting, you cannot add, edit, or delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabling this policy setting is not used for conversion. If you disable or do not configure this policy setting, the custom dictionary can be used by default. For Japanese Microsoft IME, [Clear auto-tuning information] works, even if this policy setting is enabled, and it clears self-tuned words from the custom dictionary. This policy setting is applied to Japanese Microsoft IME and Simplified Chinese Microsoft Pinyin.
User | Restrict character code range of conversion | This policy setting allows you to restrict the character code range of conversion by setting a character filter. If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion by the IME. You can specify multiple ranges by setting a value combined with a bitwise OR of the following values: 0x0001 (JIS208 area), 0x0002 (NEC special char code), 0x0004 (NEC selected IBM extended code), 0x0008 (IBM extended code), 0x0010 (Half width katakana code), 0x0100 (EUDC (GAIJI)), 0x0200 (S-JIS unmapped area), 0x0400 (Unicode char), 0x0800 (surrogate char), 0x1000 (IVS char), 0xFFFF (no definition). If you disable or do not configure this policy setting, no range of characters is filtered by default. This policy setting applies to Japanese Microsoft IME only. Note: Changes to this setting will not take effect until the user logs off.
User | Do not include Non-Publishing Standard Glyph in the candidate list | This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. If you enable this policy setting, Non-Publishing Standard Glyph is not included in the candidate list when Publishing Standard Glyph for the word exists. If you disable or do not configure this policy setting, both Publishing Standard Glyph and Non-Publishing Standard Glyph are included in the candidate list. This policy setting applies to Japanese Microsoft IME only. Note: Changes to this setting will not take effect until the user logs off.

EarlyLaunchAM.admx

Class | Setting name | Setting explanation
Machine | Boot-Start Driver Initialization Policy | This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: – Good: The driver has been signed and has not been tampered with. – Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. – Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. – Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If you disable or do not configure this policy setting both Unknown and Good boot-start drivers are initialized. If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
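The setting text makes two points worth verifying on a machine: which classifications the policy lets through, and whether an Early Launch Antimalware driver is actually present (without one the policy is inert). The following PowerShell is an added example, not code from the original post. It assumes the registry location and value encoding of the released Windows 8 ADMX (DriverLoadPolicy under HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch, with 1 = Good only, 3 = Good and Unknown, 7 = Good, Unknown and Bad-but-critical, 8 = All), and that ELAM drivers register their service with Group = "Early-Launch"; both are assumptions relative to the beta the post describes.

```powershell
# Added example (not from the original post): decode the ELAM boot-start driver policy
# and confirm an Early Launch Antimalware driver is registered.
# Assumption: registry location and value meanings are those of the released Windows 8 ADMX.
$elamPolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'

# Value -> set of classifications that are allowed to initialize.
$driverLoadPolicyMeaning = @{
    1 = 'Good only'
    3 = 'Good and Unknown'
    7 = 'Good, Unknown and Bad-but-required-for-boot'
    8 = 'All drivers, including known Bad'
}

function Get-ElamDriverLoadPolicy {
    $value = (Get-ItemProperty -Path $elamPolicyKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy
    if ($null -eq $value) {
        # Not configured: the setting text says Good and Unknown drivers are initialized.
        $meaning = 'Not configured (Good and Unknown initialized by default)'
    } elseif ($driverLoadPolicyMeaning.ContainsKey([int]$value)) {
        $meaning = $driverLoadPolicyMeaning[[int]$value]
    } else {
        $meaning = "Unrecognized value $value"
    }
    [pscustomobject]@{
        DriverLoadPolicy = $value
        Meaning          = $meaning
        AllowsKnownBad   = ([int]$value -eq 8)
    }
}

function Get-ElamDrivers {
    # ELAM drivers are services placed in the "Early-Launch" load-order group.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' | Where-Object {
        (Get-ItemProperty -Path $_.PSPath -Name Group -ErrorAction SilentlyContinue).Group -eq 'Early-Launch'
    } | Select-Object @{ n = 'Service'; e = { $_.PSChildName } },
                      @{ n = 'ImagePath'; e = { (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath } },
                      @{ n = 'Start'; e = { (Get-ItemProperty -Path $_.PSPath -Name Start -ErrorAction SilentlyContinue).Start } }
}

$policy  = Get-ElamDriverLoadPolicy
$drivers = @(Get-ElamDrivers)

$policy | Format-List
if ($drivers.Count -eq 0) {
    Write-Warning 'No Early-Launch driver registered: the Boot-Start Driver Initialization Policy has no effect and all boot-start drivers load.'
} elseif ($drivers | Where-Object { $_.Start -eq 4 }) {
    Write-Warning 'An Early-Launch driver is registered but disabled (Start = 4): the policy has no effect.'
} else {
    $drivers | Format-Table -AutoSize
}
```

The two warnings mirror the last sentence of the setting text: a strict DriverLoadPolicy is meaningless when the ELAM driver is missing or disabled, so a compliance check has to look at both.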

EdgeUI.admx

Class | Setting name | Setting explanation
User | Turn off Backstack | If you enable this setting, apps will not be tracked in the Backstack. The Backstack settings in the Modern settings page will be disabled as well. If you disable or do not configure this policy setting, apps will be tracked in the Backstack as configured.
User | Turn off tracking of app usage | This policy setting prevents Windows from keeping track of the apps that are used and searched most frequently. If you enable this policy setting, apps will be sorted alphabetically in search results, in the Search and Share panes, and in the drop-down app list in the Picker. If you disable or don’t configure this policy setting, Windows will keep track of the apps that are used and searched most frequently. Most frequently used apps will appear at the top.

ExternalBoot.admx

Class | Setting name | Setting explanation
Machine | Windows To Go Default Startup Options | This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item. If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options Control Panel item. If you disable this setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration. If you do not configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item.
Machine | Allow hibernate (S4) when starting from a Windows To Go workspace | Specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. If you disable or don’t configure this setting, Windows, when started from a Windows To Go workspace, can’t hibernate the PC.
Machine | Allow standby sleep states (S1-S3) when starting from a Windows To Go workspace | Specifies whether the PC can use standby sleep states (S1-S3) when started from a Windows To Go workspace. If you enable this setting, Windows, when started from a Windows To Go workspace, can use standby states to make the PC sleep. If you disable or don’t configure this setting, Windows, when started from a Windows To Go workspace, can’t use standby states to make the PC sleep.

FileHistory.admx

Class | Setting name | Setting explanation
Machine | Turn off File History | This policy setting allows you to turn off File History. If you enable this policy setting, File History cannot be activated to create regular, automatic backups. If you disable or do not configure this policy setting, File History can be activated to create regular, automatic backups.

FolderRedirection.admx

Class | Setting name | Setting explanation
User | Do not automatically make specific redirected folders available offline | This policy setting allows you to control whether redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you enable this policy setting, the folder GUIDs for the specific folders that should not be made available offline must be specified. The folder name to folder GUID mapping is as follows: AppData(Roaming): {3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}; Desktop: {B4BFCC3A-DB2C-424C-B029-7FE99A87C641}; Start Menu: {625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}; Documents: {FDD39AD0-238F-46AF-ADB4-6C85480369C7}; Pictures: {33E28130-4E1E-4676-835A-98395C3BC3BB}; Music: {4BD8D571-6D19-48D3-BE97-422220080E43}; Videos: {18989B1D-99B5-455B-841C-AB7C74E4DDFC}; Favorites: {1777F761-68AD-4D8A-87BD-30B759FA33DD}; Contacts: {56784854-C6CB-462b-8169-88E350ACB882}; Downloads: {374DE290-123F-4565-9164-39C4925E467B}; Links: {BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}; Searches: {7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}; Saved Games: {4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}. For the folders affected by this setting, users must manually select the files they wish to make available offline. If you disable or do not configure this policy setting, redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline. Note: This policy setting does not prevent files from being automatically cached if the network share is configured for "Automatic Caching", nor does it affect the availability of the "Always available offline" menu option in the user interface. Note: The configuration of any valid folder GUIDs in this policy will override the configured value of "Do not automatically make all redirected folders available offline".
User | Enable optimized move of contents in Offline Files cache on Folder Redirection server path change | This policy setting controls whether the contents of redirected folders are copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deletes the content from the old network location.
Both | Redirect folders on primary computers only | This policy setting controls whether folders are redirected on a user’s primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user’s primary computers, an administrator must use management software or a script to add primary computer attributes to the user’s account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 8 Beta version of the Active Directory schema to function. If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user’s primary computer only. If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. Note: If you enable this policy setting in Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence.

GroupPolicy.admx

Class | Setting name | Setting explanation
Machine | Turn off Group Policy Client Service AOAC optimization | This policy setting prevents the Group Policy Client Service from stopping when idle.
Machine | Specify workplace connectivity wait time for policy processing | This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity.

ICM.admx

Class | Setting name | Setting explanation
User | Turn off access to the Store | This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. If you enable this policy setting, the "Look for an app in the Store" item in the Open With dialog is removed. If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.

kdc.admx

Class | Setting name | Setting explanation
Machine | Support Dynamic Access Control and Kerberos armoring | This policy setting allows you to configure a domain controller to support Dynamic Access Control (DAC) and Kerberos armoring using Kerberos authentication. If you enable this policy setting, client computers in the domain that are DAC and Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain. However, whether this feature is effective depends on deploying enough DAC and Kerberos armor-aware domain controllers to handle the authentication requests. An insufficient number of domain controllers that support this policy results in authentication failures whenever DAC or Kerberos armoring is required. If you configure "Supported", the domain controller supports claims, compound identity and Kerberos armoring. The domain controller advertises to client computers that the domain is capable of Dynamic Access Control and Kerberos armoring. For the following options, when the domain functional level is set to Windows Server 2008 R2 or earlier then domain controllers behave as if the "Supported" option is selected until the domain functional level is set to Windows Server 8. When the domain functional level is set to Windows Server 8 then: If you set the "Always provide claims" option, then domain controllers will also always return claims for accounts and support the RFC behavior for advertising the flexible authentication secure tunneling (FAST). If you set the "Fail unarmored authentication requests" option, then domain controllers will also reject unarmored Kerberos messages. Warning: When "Fail unarmored authentication requests" is set, then client computers which do not support Kerberos armoring will fail to authenticate. Impact on domain controller performance when this policy setting is enabled: Secure domain capability discovery is required, resulting in additional message exchanges. Dynamic Access Control increases the size and complexity of the data in the message, which results in more processing time and greater Kerberos service ticket size. Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which results in increased processing time. If you disable or do not configure this policy setting, or enable this setting and configure the "Not supported" option, the domain controller does not support claims, compound identity or armoring.
Machine | Warning for large Kerberos tickets | This policy setting allows you to monitor tickets issued during Kerberos authentication whose size is close to or greater than a configured threshold value. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit above which warnings will be reported. If set too high, then warnings related to authentication failures might be missed. If set too low, then you might see too many ticket warnings in the log to be useful for analysis. If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.

Kerberos.admx

Class | Setting name | Setting explanation
Machine | Specify KDC proxy servers for Kerberos clients | This policy setting allows you to specify KDC proxy servers for DNS suffix names. If you enable this policy setting, you can view and change the list of proxy servers configured for DNS suffix names as defined by Group Policy. To view the list of mappings, enable the policy setting and then click the Show button. To add a mapping, enable the policy setting, note the syntax, and then click Show. In the Show Contents dialog box in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To remove a mapping from the list, click the mapping entry to be removed, and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy servers settings defined by Group Policy.
Machine | Disable revocation checking for the SSL certificate of KDC proxy servers | This policy setting allows you to disable revocation check for the SSL certificate of the KDC proxy server being connected to. If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. When revocation check is ignored, the server represented by the certificate is not guaranteed valid. If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails.
Machine | Fail authentication requests when Kerberos armoring is not available | This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. Warning: When a domain does not support Kerberos armoring by enabling "Support Dynamic Access Control and Kerberos armoring", then all authentication for all its users will fail from computers with this policy setting enabled. If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible as supported by the target domain.
Machine | Support authorization with client device information | This policy setting allows you to set support for Kerberos to provide client device authorization data also known as compound identity when the client provides it to the domain controller. Support for providing client device information to be used for access control will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy "Domain Controller support for Dynamic Access Control and Kerberos armoring" on all the domain controllers to support this policy. If you enable this policy setting, client device authorization information will be determined by the domain controller during Kerberos authentication, as configured by the following options: Never: Client device authorization data is never provided for this computer account. Automatic: Client device authorization data is provided to this computer account when one or more applications are configured for Dynamic Access Control. Always: Client device authorization data is always provided to this computer account. If you disable this policy setting, Never will be used. If you do not configure this policy setting, Automatic will be used.
Machine Set maximum Kerberos SSPI context token buffer size This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. The size of the context token buffer determines the maximum size of SSPI context tokens an application expects and allocates. Depending upon authentication request processing and group memberships, the buffer might be smaller than the actual size of the SSPI context token. If you enable this policy setting, the Kerberos client or server uses the configured value, or the locally allowed maximum value, whichever is smaller. If you disable or do not configure this policy setting, the Kerberos client or server use the locally configured value or the default value. Default: 48,000 bytes on all supported versions; 12,000 bytes on all other versions.
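The « Disable revocation checking for the SSL certificate of KDC proxy servers » setting above is a troubleshooting switch, and the text is clear about why: once revocation is ignored, a revoked or unverifiable certificate gets a Kerberos client to talk to whatever is behind it. Before reaching for that setting, a practitioner would want to see what the chain actually fails on. The following PowerShell is an added example, not from the original post: it opens a TLS session to a KDC proxy host (kdcproxy.example.com is a placeholder name), captures the server certificate, and rebuilds its chain with online revocation checking using the .NET X509Chain API, so the failing status (unreachable CRL, revoked leaf, untrusted root) is visible instead of silenced.

```powershell
# Added example (not from the original post): show what revocation checking
# fails on for a KDC proxy certificate before anyone disables the check.
# The host name is a placeholder; replace it with your proxy.

param(
    [string]$KdcProxyHost = 'kdcproxy.example.com',   # hypothetical name
    [int]$Port = 443
)

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept anything at handshake time: we only want the leaf certificate
        # so that we can validate it ourselves below.
        $ssl = [System.Net.Security.SslStream]::new(
            $client.GetStream(), $false,
            { param($sender, $cert, $chain, $errors) $true })
        $ssl.AuthenticateAsClient($HostName)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-CertificateRevocation {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    # Online revocation for the entire chain: the strict end of what the
    # Kerberos client enforces when the policy above is not enabled.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $valid = $chain.Build($Certificate)
    [pscustomobject]@{
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        NotAfter    = $Certificate.NotAfter
        ChainValid  = $valid
        # RevocationStatusUnknown / OfflineRevocation: CRL or OCSP responder not
        # reachable from this client. Revoked: the certificate really is revoked.
        ChainStatus = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())"
        })
    }
}

$cert = Get-ServerCertificate -HostName $KdcProxyHost -Port $Port
Test-CertificateRevocation -Certificate $cert | Format-List
```

If ChainStatus reports RevocationStatusUnknown or OfflineRevocation, the fix is network reachability to the CRL distribution point or OCSP responder from the client network, not the policy. If it reports Revoked, the proxy needs a new certificate; disabling the check in that state is exactly the situation the setting's own text warns about.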

LanmanServer.admx

Class Setting name Setting explanation
Machine Hash Version support for BranchCache This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes. Policy configuration Select one of the following: – Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported. – Enabled. With this selection, the policy setting is applied and the hash version(s) that are specified in « Hash version supported » are generated and retrieved. – Disabled. With this selection, both V1 and V2 hash generation and retrieval are supported. In circumstances where this setting is enabled, you can also select and configure the following option: Hash version supported: – To support V1 content information only, configure « Hash version supported » with the value of 1. – To support V2 content information only, configure « Hash version supported » with the value of 2. – To support both V1 and V2 content information, configure « Hash version supported » with the value of 3.

LocationProviderAdm.admx

Class Setting name Setting explanation
Machine Turn off Windows Location Provider This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature.

Logon.admx

Class Setting name Setting explanation
Machine Do not enumerate connected users on domain-joined computers This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers.
Machine Enumerate local users on domain-joined computers This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, the Logon UI will not enumerate local users on domain-joined computers.
Machine Turn off app notifications on the lock screen This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy setting, users can choose which apps display notifications on the lock screen.

NCSI.admx

Class Setting name Setting explanation
Machine Specify passive polling This policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior.

Netlogon.admx

Class Setting name Setting explanation
Machine Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based discovery fails and the NetBIOS domain name is known, the algorithm then uses NetBIOS-based discovery as a fallback mechanism. NetBIOS-based discovery uses a WINS server and mailslot messages but does not use site information. Hence it does not ensure that clients will discover the closest DC. It also allows a hub-site client to discover a branch-site DC even if the branch-site DC only registers site-specific DNS records (as recommended). For these reasons, NetBIOS-based discovery is not recommended. Note that this policy setting does not affect NetBIOS-based discovery for DC location if only the NetBIOS domain name is known. If you enable or do not configure this policy setting, the DC location algorithm does not use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails. This is the default behavior. If you disable this policy setting, the DC location algorithm can use NetBIOS-based discovery as a fallback mechanism when DNS-based discovery fails.

NetworkIsolation.admx

Class Setting name Setting explanation
Machine Internet proxy servers for Metro style apps A semicolon-separated list of Internet proxy server IP addresses. These addresses are categorized as Internet by Windows Network Isolation and are accessible to Metro style apps that have the Internet Client or Internet Client/Server capabilities. If you enable this policy setting, apps on proxied networks can access the Internet without relying on the Private Network capability. However, in most situations Windows Network Isolation will be able to correctly discover proxies. By default, any proxies configured with this setting are merged with proxies that are auto-discovered. To make this policy configuration the sole list of allowed proxies, enable the « Proxy definitions are authoritative » setting. If you disable or do not configure this policy setting, apps will use the Internet proxies auto-discovered by Windows Network Isolation. Example: [3efe:3022::1000];18.0.0.1;18.0.0.2
Machine Intranet proxy servers for Metro style apps A semicolon-separated list of intranet proxy server IP addresses. These addresses are categorized as private by Windows Network Isolation and are accessible to Metro style apps that have the Home/Work Networking capability. If you enable this policy setting, it allows an administrator to configure a set of proxies that provide access to intranet resources. If you disable or do not configure this policy setting, Windows Network Isolation attempts to discover proxies and configures them as Internet nodes. This setting should NOT be used to configure Internet proxies. Example: [3efe:3022::1000]; 18.0.0.1; 18.0.0.2
Machine Private network ranges for Metro style apps A comma-separated list of IP address ranges that are in your corporate network. If you enable this policy setting, it ensures that Metro style apps with the Home/Work Networking capability have appropriate access to your corporate network. These addresses are accessible to Metro style apps only if the app has declared the Home/Work Networking capability. Windows Network Isolation attempts to automatically discover private network hosts. By default, the addresses configured with this policy setting are merged with the hosts that are declared as private through automatic discovery. To ensure that these addresses are the only addresses ever classified as private, enable the « Subnet definitions are authoritative » policy setting. If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your private network hosts. Example: 3efe:1092::/96,18.1.1.1/10
Machine Proxy definitions are authoritative Turns off Windows Network Isolation’s automatic proxy discovery in the domain corporate environment. If you enable this policy setting, it turns off Windows Network Isolation’s automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritative. This applies to both Internet and intranet proxies. If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your proxy server addresses.
Machine Subnet definitions are authoritative Turns off Windows Network Isolation’s automatic discovery of private network hosts in the domain corporate environment. If you enable this policy setting, it turns off Windows Network Isolation’s automatic discovery of private network hosts in the domain corporate environment. Only network hosts within the address ranges configured via Group Policy will be classified as private. If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your private network hosts in the domain corporate environment.

OfflineFiles.admx

Class Setting name Setting explanation
Machine Remove « Work offline » command This policy setting removes the « Work offline » command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the « Work offline » command is not displayed in Windows Explorer. If you disable or do not configure this policy setting, the « Work offline » command is displayed in Windows Explorer.
Machine Enable file synchronization on costed networks This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. If you enable this setting, synchronization can occur in the background when the user’s network is roaming, near, or over the plan’s data limit. This may result in extra charges on cell phone or broadband plans. If this setting is disabled or not configured, synchronization will not run in the background on network folders when the user’s network is roaming, near, or over the plan’s data limit. The network folder must also be in « slow-link » mode, as specified by the « Configure slow-link mode » policy to avoid network usage.

pca.admx

Class Setting name Setting explanation
Machine Detect compatibility issues for applications and drivers This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website. If you disable this policy setting, the PCA does not detect compatibility issues for applications and drivers. If you do not configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. Note: This policy setting has no effect if the « Turn off Program Compatibility Assistant » policy setting is enabled. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console.

PeerToPeerCaching.admx

Class Setting name Setting explanation
Machine Enable Automatic Hosted Cache Discovery by Service Connection Point This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client’s current Active Directory site. If you enable this policy setting, client computers to which the policy setting is applied search for hosted cache servers using Active Directory, and will prefer both these servers and hosted cache mode rather than manual BranchCache configuration or BranchCache configuration by other group policies. If you enable this policy setting in addition to the « Turn on BranchCache » policy setting, BranchCache clients attempt to discover hosted cache servers in the local branch office. If client computers detect hosted cache servers, hosted cache mode is turned on. If they do not detect hosted cache servers, hosted cache mode is not turned on, and the client uses any other configuration that is specified manually or by Group Policy. When this policy setting is applied, the client computer performs or does not perform automatic hosted cache server discovery under the following circumstances: If no other BranchCache mode-based policy settings are applied, the client computer performs automatic hosted cache server discovery. If one or more hosted cache servers are found, the client computer self-configures for hosted cache mode. If the policy setting « Set BranchCache Distributed Cache Mode » is applied in addition to this policy, the client computer performs automatic hosted cache server discovery. If one or more hosted cache servers are found, the client computer self-configures for hosted cache mode only. If the policy setting « Set BranchCache Hosted Cache Mode » is applied, the client computer does not perform automatic hosted cache discovery. This is also true in cases where the policy setting « Configure Hosted Cache Servers » is applied. This policy setting can only be applied to client computers that are running Windows 8 or later. This policy has no effect on computers that are running Windows 7 or Windows Vista. If you disable or do not configure this setting, a client will not attempt to discover hosted cache servers by service connection point. Policy configuration Select one of the following: – Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting, and client computers do not perform hosted cache server discovery. – Enabled. With this selection, the policy setting is applied to client computers, which perform automatic hosted cache server discovery and which are configured as hosted cache mode clients. – Disabled. With this selection, this policy is not applied to client computers.
Machine Configure Client BranchCache Version Support This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficiency might be reduced because client computers that are using different versions of BranchCache might store cache data in incompatible formats. If you enable this policy setting, all clients use the version of BranchCache that you specify in « Select from the following versions. » If you do not configure this setting, all clients will use the version of BranchCache that matches their operating system. Policy configuration Select one of the following: – Not Configured. With this selection, this policy setting is not applied to client computers, and the clients run the version of BranchCache that is included with their operating system. – Enabled. With this selection, this policy setting is applied to client computers based on the value of the option setting « Select from the following versions » that you specify. – Disabled. With this selection, this policy setting is not applied to client computers, and the clients run the version of BranchCache that is included with their operating system. In circumstances where this setting is enabled, you can also select and configure the following option: Select from the following versions – Windows Vista with BITS 4.0 installed, Windows 7, or Windows Server 2008 R2. If you select this version, later versions of Windows run the version of BranchCache that is included in these operating systems rather than later versions of BranchCache. – Windows 8. If you select this version, Windows 8 will run the version of BranchCache that is included in the operating system.
Machine Configure Hosted Cache Servers This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retrieve content from one or more hosted cache servers that are installed in the same office location. You can use this setting to automatically configure client computers that are configured for hosted cache mode with the computer names of the hosted cache servers in the branch office. If you enable this policy setting and specify valid computer names of hosted cache servers, hosted cache mode is enabled for all client computers to which the policy setting is applied. For this policy setting to take effect, you must also enable the « Turn on BranchCache » policy setting. This policy setting can only be applied to client computers that are running Windows 8 or later. This policy has no effect on computers that are running Windows 7 or Windows Vista. Client computers to which this policy setting is applied, in addition to the « Set BranchCache Hosted Cache mode » policy setting, use the hosted cache servers that are specified in this policy setting and do not use the hosted cache server that is configured in the policy setting « Set BranchCache Hosted Cache Mode. » If you do not configure this policy setting, or if you disable this policy setting, client computers that are configured with hosted cache mode still function correctly. Policy configuration Select one of the following: – Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting. – Enabled. With this selection, the policy setting is applied to client computers, which are configured as hosted cache mode clients that use the hosted cache servers that you specify in « Hosted cache servers. » – Disabled. With this selection, this policy is not applied to client computers. In circumstances where this setting is enabled, you can also select and configure the following option: – Hosted cache servers. To add hosted cache server computer names to this policy setting, click Enabled, and then click Show. The Show Contents dialog box opens. Click Value, and then type the computer names of the hosted cache servers.
Machine Set age for segments in the data cache This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. If you enable this policy setting, you can configure the age for segments in the data cache. If you disable or do not configure this policy setting, the age is set to 28 days. Policy configuration Select one of the following: – Not Configured. With this selection, BranchCache client computer cache age settings are not applied to client computers by this policy. In the circumstance where client computers are domain members but you do not want to configure a BranchCache client computer cache age setting on all client computers, you can specify Not Configured for this domain Group Policy setting, and then configure local computer policy to enable BranchCache client computer cache age settings on individual client computers. Because the domain Group Policy setting is not configured, it will not over-write the client computer cache age setting that you use on individual client computers. – Enabled. With this selection, the BranchCache client computer cache age setting is enabled for all client computers where the policy is applied. For example, if this policy setting is enabled in domain Group Policy, the BranchCache client computer cache age that you specify in the policy is turned on for all domain member client computers to which the policy is applied. – Disabled. With this selection, BranchCache client computers use the default client computer cache age setting of 28 days on the client computer. In circumstances where this setting is enabled, you can also select and configure the following option: – Specify the age in days for which segments in the data cache are valid.

ProximityCommon.admx

Class Setting name Setting explanation
Machine Turn off the Windows Proximity Service This policy allows you to disable Windows support for proximity experiences. If you enable this policy setting, Windows components will not respond to proximity events and applications cannot use Windows APIs to communicate over proximity devices. If you disable or do not configure this policy setting, the Windows Proximity Service will be enabled and applications can use Windows APIs to communicate over proximity devices.

SettingSync.admx

Class Setting name Setting explanation
Machine Do not synchronize user settings Prevent user settings roaming for this computer. If you enable this policy setting, user settings will not be synchronized with other computers. If you disable or do not configure this policy setting, user settings will be synchronized with other computers.
Machine Do not synchronize user application settings Prevent user application settings roaming for this computer. If you enable this policy setting, user application settings will not be synchronized with other computers. If you disable or do not configure this policy setting, user application settings will be synchronized with other computers.
Machine Do not synchronize user credentials Prevent user credentials roaming for this computer. If you enable this policy setting, user credentials will not be synchronized with other computers. If you disable or do not configure this policy setting, user credentials will be synchronized with other computers.
Machine Do not synchronize user personalization settings Prevent user personalization settings roaming for this computer. If you enable this policy setting, user personalization settings will not be synchronized with other computers. If you disable or do not configure this policy setting, user personalization settings will be synchronized with other computers.
Machine Do not synchronize user Windows settings Prevent user Windows settings roaming for this computer. If you enable this policy setting, user Windows settings will not be synchronized with other computers. If you disable or do not configure this policy setting, user Windows settings will be synchronized with other computers.
Machine Do not synchronize user desktop themes Prevent user desktop themes roaming for this computer. If you enable this policy setting, user desktop themes will not be synchronized with other computers. If you disable or do not configure this policy setting, user desktop themes will be synchronized with other computers.
Machine Do not synchronize user web browser settings Prevent user web browser settings roaming for this computer. If you enable this policy setting, user web browser settings will not be synchronized with other computers. If you disable or do not configure this policy setting, user web browser settings will be synchronized with other computers.
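Two groups of settings in this list are the ones a hardening review checks first: the Logon.admx entries that decide whether the logon screen enumerates connected and local accounts (a free account list for anyone at the console), and the SettingSync.admx entries above, in particular « Do not synchronize user credentials », which decides whether stored credentials roam to other computers through the user's account. Both are usually checked on the endpoint rather than in the GPO editor, because what matters is the effective registry state. The following PowerShell is an added example, not from the original post: it reads the registry values the released Logon.admx and SettingSync.admx write and reports whether each policy is in its least exposed state. The value names and locations are taken from those released ADMX files and are an assumption for the beta files this post was compiled from; the expected "hardened" values (1 for the logon flags, 2 for the SettingSync flags) are likewise taken from the released files.

```powershell
# Added example (not from the original post): audit the effective state of the
# logon-screen enumeration and settings-roaming policies on this machine.
# Registry value names are those used by the released Logon.admx and
# SettingSync.admx (assumption: the beta files listed in the post may differ).

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }     # value absent: policy not configured
    return [int]$item.$Name
}

function Test-LogonAndSyncHardening {
    $logon = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sync  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SettingSync'

    # Hardened  : the value that leaves the least exposed state.
    # DefaultOk : whether "not configured" already gives that state
    #             (true only for local-user enumeration, which is off by default).
    $checks = @(
        @{ Policy = 'Do not enumerate connected users on domain-joined computers'; Path = $logon; Name = 'DontEnumerateConnectedUsers';       Hardened = 1; DefaultOk = $false },
        @{ Policy = 'Enumerate local users on domain-joined computers';           Path = $logon; Name = 'EnumerateLocalUsers';               Hardened = 0; DefaultOk = $true  },
        @{ Policy = 'Turn off app notifications on the lock screen';              Path = $logon; Name = 'DisableLockScreenAppNotifications'; Hardened = 1; DefaultOk = $false },
        @{ Policy = 'Do not synchronize user settings';                            Path = $sync;  Name = 'DisableSettingSync';                Hardened = 2; DefaultOk = $false },
        @{ Policy = 'Do not synchronize user credentials';                         Path = $sync;  Name = 'DisableCredentialsSettingSync';     Hardened = 2; DefaultOk = $false }
    )

    foreach ($c in $checks) {
        $actual = Get-PolicyDword -Path $c.Path -Name $c.Name
        if ($null -eq $actual) {
            $state = 'not configured'
            $ok    = $c.DefaultOk
        } else {
            $state = $actual
            $ok    = ($actual -eq $c.Hardened)
        }
        [pscustomobject]@{ Policy = $c.Policy; Value = $state; Hardened = $ok }
    }
}

Test-LogonAndSyncHardening | Format-Table -AutoSize
```

Run it after a gpupdate on a domain-joined test machine; a row showing "not configured" with Hardened false is a policy that exists in the ADMX but has not been set anywhere in the GPO chain, which on a machine that also has a Microsoft account signed in means credentials are roaming.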

StartMenu.admx

Class Setting name Setting explanation
User Clear history of tile notifications on exit If you enable this setting, the system deletes tile notifications when the user logs off. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will be cleared when the user logs off. If you disable or do not configure this setting, the system retains notifications, and when a user logs on, the tiles appear just as they did when the user logged off, including the history of previous notifications for each tile. This setting does not prevent new notifications from appearing. See the « Turn off Application Notifications » setting to prevent new notifications.
User Prevent users from uninstalling applications from Start If you enable this setting, users cannot uninstall apps from Start. If you disable this setting or do not configure it, users can access the uninstall command from Start.
User Do not show the Start Menu when the user logs in This group policy only applies to the Windows Server 8 Beta with the Desktop Experience Pack installed. If you enable this setting, the user will see the desktop after logging in to a new session, instead of seeing the Start menu. The Start Menu will continue to function as normal, except that it will not show automatically after login. If you disable this setting or do not configure it, the Start Menu will appear after the user logs in to a new session.
User Show « Run as different user » command on Start This policy setting shows or hides the « Run as different user » command on the Start application bar. If you enable this setting, users can access the « Run as different user » command from Start for applications which support this functionality. If you disable this setting or do not configure it, users cannot access the « Run as different user » command from Start for any applications. Note: This setting does not prevent users from using other methods, such as the shift right-click menu on application’s jumplists in the taskbar to issue the « Run as different user » command.

Taskbar.admx

Class Setting name Setting explanation
User Do not allow taskbars on more than one display This policy setting allows you to prevent taskbars from being displayed on more than one monitor. If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the taskbar properties dialog. If you disable or do not configure this policy setting, users can show taskbars on more than one display.

TPM.admx

Class Setting name Setting explanation
Machine Configure the level of TPM owner authorization information available to the operating system This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password. You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none. If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose. Choose the operating system managed TPM authentication setting of « Full » to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM’s anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features which depend on the TPM’s anti-hammering logic can be used. Choose the operating system managed TPM authentication setting of « Delegated » to store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic. External or remote storage of the full TPM owner authorization value, for example by backing up the value to Active Directory Domain Services (AD DS), is recommended when using this setting. Choose the operating system managed TPM authentication setting of « None » for compatibility with previous operating systems and applications or for use with scenarios that require TPM owner authorization not be stored locally. Using this setting might cause issues with some TPM-based applications. If this policy setting is disabled or not configured and the « Turn on TPM backup to Active Directory Domain Services » policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured and the « Turn on TPM backup to Active Directory Domain Services » group policy setting is enabled, then only the administrative delegation and the user delegation blobs are stored in the local registry. Note: If the operating system managed TPM authentication setting is changed from « Full » to « Delegated » the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.
Machine | Standard User Lockout Duration | This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equals a threshold, a standard user is prevented from sending commands requiring authorization to the TPM. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it limits the rate at which standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than this duration are ignored. For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. The Standard User Lockout Threshold Individual value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored, allowing standard users to use the TPM normally again immediately. If this value is not configured, a default value of 480 minutes (8 hours) is used.
Machine | Standard User Individual Lockout Threshold | This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration equals this value, the standard user is prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it limits the rate at which standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. This value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. The Standard User Lockout Total Threshold value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored, allowing standard users to use the TPM normally again immediately. If this value is not configured, a default value of 4 is used. A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure.
Machine | Standard User Total Lockout Threshold | This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization. This setting helps administrators prevent the TPM hardware from entering a lockout mode because it limits the rate at which standard users can send commands requiring authorization to the TPM. An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization. The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM. This value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM. The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode. An administrator with the TPM owner password may fully reset the TPM's hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored, allowing standard users to use the TPM normally again immediately. If this value is not configured, a default value of 9 is used. A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure.
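The three Standard User lockout settings above describe a single sliding-window throttle that the OS applies before a command ever reaches the TPM. The Python below is an added illustration written for this page, not Microsoft's implementation; it models the rules as the descriptions state them (failures older than the duration are ignored, a user is blocked once either threshold is reached, a threshold of zero blocks standard users outright, and an administrator reset discards every prior failure), with timestamps simplified to whole minutes.

```python
"""Model of the standard-user TPM authorization-failure throttle described by
the Standard User Lockout Duration / Individual Threshold / Total Threshold
policies.  Added illustration for this page; not Microsoft's code."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, Dict, Optional


@dataclass
class TpmLockoutPolicy:
    # Defaults stated in the policy descriptions: 480 minutes, 4 per user, 9 in total.
    duration_minutes: int = 480
    individual_threshold: int = 4
    total_threshold: int = 9


class StandardUserTpmThrottle:
    """Decides whether a standard user may send an authorization-requiring
    TPM command, so that the hardware anti-hammering lockout is never reached."""

    def __init__(self, policy: Optional[TpmLockoutPolicy] = None) -> None:
        self.policy = policy or TpmLockoutPolicy()
        # user name -> timestamps (in minutes) of that user's authorization failures
        self._failures: Dict[str, Deque[int]] = {}

    def _prune(self, now: int) -> None:
        """Drop failures older than the lockout duration; they are ignored."""
        window = self.policy.duration_minutes
        for queue in self._failures.values():
            while queue and now - queue[0] >= window:
                queue.popleft()

    def _total_failures(self) -> int:
        return sum(len(q) for q in self._failures.values())

    def may_send(self, user: str, now: int) -> bool:
        """True if `user` may send a command requiring authorization at minute `now`."""
        # A threshold of zero means standard users may not send such commands at all.
        if self.policy.individual_threshold == 0 or self.policy.total_threshold == 0:
            return False
        self._prune(now)
        # Individual threshold: this user's own failures within the window.
        if len(self._failures.get(user, ())) >= self.policy.individual_threshold:
            return False
        # Total threshold: failures of all standard users within the window.
        if self._total_failures() >= self.policy.total_threshold:
            return False
        return True

    def record_failure(self, user: str, now: int) -> None:
        """The TPM answered with an authorization-failure error for this user."""
        self._failures.setdefault(user, deque()).append(now)

    def admin_reset(self) -> None:
        """An administrator reset the lockout logic (tpm.msc): all prior
        standard-user failures are ignored from now on."""
        self._failures.clear()


if __name__ == "__main__":
    # Constructed scenario: alice guesses wrong four times in the first four minutes.
    throttle = StandardUserTpmThrottle()
    for minute in range(4):
        throttle.record_failure("alice", minute)
    print("alice allowed at minute 4:", throttle.may_send("alice", 4))   # False
    print("alice allowed at minute 483:", throttle.may_send("alice", 483))  # True
```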

UserProfiles.admx

Class | Setting name | Setting description
Machine | User management of sharing user name, account picture, and domain information with metro-styled apps | This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options: « Always on » – users will not be able to change this setting and the user's name and account picture will be shared with metro-style apps. In addition metro-style apps that have the enterprise authentication capability will also be able to retrieve the user's UPN, SIP/URI, and DNS. « Always off » – users will not be able to change this setting and the user's name and account picture will not be shared with metro-style apps. In addition metro-style apps that have the enterprise authentication capability will not be able to retrieve the user's UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources. If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off.
Machine | Download roaming profiles on primary computers only | This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 8 Beta version of the Active Directory schema to function. If you enable this policy setting and the user has a roaming profile, the roaming profile is downloaded on the user's primary computer only. If you disable or do not configure this policy setting and the user has a roaming profile, the roaming profile is downloaded on every computer that the user logs on to.

VolumeEncryption.admx

Class | Setting name | Setting description
Machine | Choose drive encryption method and cipher strength | This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to computers running Windows 8 Consumer Preview and later. If you enable this policy setting you will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives. If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the « Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7) » policy setting, if it is set. If neither policy is set, BitLocker will use the default encryption method of AES 128-bit or the encryption method specified by the setup script.
Machine | Configure use of passwords for operating system drives | This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective the Group Policy setting « Password must meet complexity requirements » located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must also be enabled. Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive. If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select « Require complexity ». When set to « Require complexity » a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity of the password. When set to « Allow complexity » a connection to a domain controller will be attempted to validate that the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to « Do not allow complexity », no password complexity validation will be done. Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the « Minimum password length » box. If you disable or do not configure this policy setting, the default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur. Note: Passwords cannot be used if FIPS-compliance is enabled. The « System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing » policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
Machine | Reset platform validation data after BitLocker recovery | This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocker recovery. If you enable this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery. If you disable this policy setting, platform validation data will not be refreshed when Windows is started following BitLocker recovery. If you do not configure this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery.
Machine | Disallow standard users from changing the PIN or password | This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, standard users will not be allowed to change BitLocker PINs or passwords. If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs and passwords.
Machine | Enforce drive encryption type on operating system drives | This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
Machine | Allow network unlock at startup | This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started. If you enable this policy, clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors. To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to unlock the computer. You can use the group policy setting « Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate » on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create Network Key Protectors to automatically unlock with Network Unlock. If you disable or do not configure this policy setting, BitLocker clients will not be able to create and use Network Key Protectors. Note: For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.
Machine | Configure TPM platform validation profile for BIOS-based firmware configurations | This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This group policy only applies to computers with BIOS configurations or to computers with UEFI firmware with a Compatibility Service Module (CSM) enabled. Computers using a native UEFI firmware configuration store different values into the Platform Configuration Registers (PCRs). Use the « Configure TPM platform validation profile for native UEFI firmware configurations » group policy setting to configure the TPM PCR profile for computers using native UEFI firmware. If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
Machine | Configure TPM platform validation profile for native UEFI firmware configurations | This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. Important: This group policy only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Service Module (CSM) enabled store different values into the Platform Configuration Registers (PCRs). Use the « Configure TPM platform validation profile for BIOS-based firmware configurations » group policy setting to configure the TPM PCR profile for computers with BIOS configurations or computers with UEFI firmware with a CSM enabled. If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11). Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker's sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs. Specifically, setting this policy with PCR 7 omitted will override the « Allow Secured Boot for integrity validation » group policy, preventing BitLocker from using Secured Boot for platform or Boot Configuration Data (BCD) integrity validation.
Machine | Configure use of hardware-based encryption for operating system drives | This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available BitLocker software-based encryption will be used instead. Note: The « Choose drive encryption method and cipher strength » policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The « Restrict encryption algorithms and cipher suites allowed for hardware-based encryption » option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: AES 128 in CBC mode, OID 2.16.840.1.101.3.4.1.2; AES 256 in CBC mode, OID 2.16.840.1.101.3.4.1.42.
Machine | Enable use of BitLocker authentication requiring preboot keyboard input on slates | This policy setting allows users to enable authentication options that require user input from the pre-boot environment even if the platform indicates lack of pre-boot input capability. The Windows on-screen touch keyboard (such as used by slates) is not available in the pre-boot environment where BitLocker requires additional information such as a PIN or Password. It is recommended that administrators enable this policy only for devices that are verified to have an alternative means of pre-boot input (such as by attaching a USB keyboard). Note that if this option is not enabled, options in the « Require additional authentication at startup » policy may not be available on such devices. These options include: Configure TPM startup PIN (Required/Allowed); Configure TPM startup key and PIN (Required/Allowed); Configure use of passwords for operating system drives.
Machine | Allow Secured Boot for integrity validation | This policy setting allows you to configure whether Secured Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secured Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed by authorized software publishers. Secured Boot also provides more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks. If you enable or do not configure this policy setting, BitLocker will use Secured Boot for platform integrity if the platform is capable of Secured Boot-based integrity validation. If you disable this policy setting, BitLocker will use legacy platform integrity validation, even on systems capable of Secured Boot-based integrity validation. When this policy is enabled and the hardware is capable of using Secured Boot for BitLocker scenarios, the « Use enhanced Boot Configuration Data validation profile » group policy setting is ignored and Secured Boot verifies BCD settings according to the Secured Boot policy setting, which is configured separately from BitLocker. Note: If the group policy setting « Configure TPM platform validation profile for native UEFI firmware configurations » is enabled and has PCR 7 omitted, BitLocker will be prevented from using Secured Boot for platform or Boot Configuration Data (BCD) integrity validation.
Machine | Enforce drive encryption type on fixed data drives | This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
Machine | Configure use of hardware-based encryption for fixed data drives | This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available BitLocker software-based encryption will be used instead. Note: The « Choose drive encryption method and cipher strength » policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The « Restrict encryption algorithms and cipher suites allowed for hardware-based encryption » option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example: AES 128 in CBC mode, OID 2.16.840.1.101.3.4.1.2; AES 256 in CBC mode, OID 2.16.840.1.101.3.4.1.42.
Machine | Enforce drive encryption type on removable data drives | This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on. If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard. If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
Machine Configure use of hardware-based encryption for removable data drives This policy setting allows you to manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive. If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption. If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted. If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption will be used instead.
Note: The "Choose drive encryption method and cipher strength" policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The "Restrict encryption algorithms and cipher suites allowed for hardware-based encryption" option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption. Encryption algorithms are specified by object identifiers (OID). For example:
- AES 128 in CBC mode, OID 2.16.840.1.101.3.4.1.2
- AES 256 in CBC mode, OID 2.16.840.1.101.3.4.1.42

WCM.admx

Class  Setting name  Setting explanation
Machine Prohibit connection to non-domain networks when connected to domain authenticated network This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances:
Automatic connection attempts:
- When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked.
- When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked.
Manual connection attempts:
- When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed.
- When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.
If this policy setting is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks.
Machine Minimize the number of simultaneous connections to the Internet or a Windows Domain This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. If this policy setting is enabled, when the computer has at least one active connection to the Internet, a new automatic connection attempt to the Internet is blocked. When the computer has at least one active connection to a Windows domain, a new automatic connection to the same Windows domain is also blocked. Additional manual connection attempts by users to the Internet or to a Windows domain are not blocked by this policy setting. In circumstances where there are multiple simultaneous connections to either the Internet or to a Windows domain, Windows disconnects the less preferred connection when the amount of network traffic over the less preferred connection drops below a certain threshold. For example, when a computer is connected to Internet using a WiFi connection and the user plugs in to an Ethernet network, network traffic is routed through the faster Ethernet connection, and the WiFi traffic diminishes. Windows detects this circumstance and responds by disconnecting the WiFi connection. If this policy setting is not configured or is disabled, multiple simultaneous connections to the Internet or to a Windows domain are allowed.
Machine Prohibit connection to roaming Mobile Broadband networks This policy setting prevents clients from connecting to Mobile Broadband networks when the client is registered on a roaming provider network. If this policy setting is enabled, all automatic and manual connection attempts to roaming provider networks are blocked until the client registers with the home provider network. If this policy setting is not configured or is disabled, clients are allowed to connect to roaming provider Mobile Broadband networks.
Machine Disable power management in connected standby mode This policy setting specifies that power management is disabled when the machine enters connected standby mode. If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode. If this policy setting is not configured or is disabled, power management is enabled when the machine enters connected standby mode.

WindowsExplorer.admx

Class  Setting name  Setting explanation
User Location where all default Library definition files for users/machines reside. This policy setting allows you to specify a location where all default Library definition files for users/machines reside. If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined. If you disable or do not configure this policy setting, no changes are made to the location of the default Library definition files.
User Configure Windows SmartScreen This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy setting, Windows SmartScreen behavior may be controlled by setting one of the following options:
- Require approval from an administrator before running downloaded unknown software
- Give user a warning before running downloaded unknown software
- Turn off SmartScreen
If you disable or do not configure this policy setting, Windows SmartScreen behavior is managed by administrators on the PC by using Windows SmartScreen Settings in Action Center.
Options: Require approval from an administrator before running downloaded unknown software; Give user a warning before running downloaded unknown software; Turn off SmartScreen.
User Show lock in the user tile menu Shows or hides lock from the user tile menu. If you enable this policy setting, the lock option will be shown in the User Tile menu. If you disable this policy setting, the lock option will never be shown in the User Tile menu. If you do not configure this policy setting, users will be able to choose whether they want lock to show through the Power Options Control Panel.
User Show sleep in the power options menu Shows or hides sleep from the power options menu. If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine’s hardware). If you disable this policy setting, the sleep option will never be shown in the Power Options menu. If you do not configure this policy setting, users will be able to choose whether they want sleep to show through the Power Options Control Panel.
User Show hibernate in the power options menu Shows or hides hibernate from the power options menu. If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine’s hardware). If you disable this policy setting, the hibernate option will never be shown in the Power Options menu. If you do not configure this policy setting, users will be able to choose whether they want hibernate to show through the Power Options Control Panel.
User Do not show the ‘new application installed’ notification This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:). If this group policy is enabled, no notifications will be shown. If the group policy is not configured or disabled, notifications will be shown to the end user if a new application has been installed that can handle the file type or protocol association that was invoked.
User Start Windows Explorer with ribbon minimized This policy setting allows you to specify whether the ribbon appears minimized or in full when new Windows Explorer windows are opened. If you enable this policy setting, you can set how the ribbon appears the first time users open Windows Explorer and whenever they open new windows. If you disable or do not configure this policy setting, users can choose how the ribbon appears when they open new windows.
User Set a default associations configuration file This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol default application associations. This file can be created using the DISM tool. For example:
Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt
For more information, refer to the DISM documentation on TechNet. If this group policy is enabled and the client machine is domain-joined, the file will be processed and default associations will be applied at logon time. If the group policy is not configured, disabled, or the client machine is not domain-joined, no default associations will be applied at logon time. If the policy is enabled, disabled, or not configured, users will still be able to override default file type and protocol associations.
User Allow the use of remote paths in file shortcut icons This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. Note: Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks.

WindowsUpdate.admx

Class  Setting name  Setting explanation
User Let the service shut down when it is idle Controls how many minutes the Windows Update service will wait before shutting down when there are no scans, downloads, or installs in progress. Allowing the service to shut down will free memory to be used by other programs and services. If set to 0, the service will remain running at all times. If you disable or do not configure this policy setting, the service will shut down after 10 minutes of inactivity.

WinInit.admx

Class  Setting name  Setting explanation
Machine Require use of hybrid boot This policy setting controls the use of hybrid boot. If you enable this policy setting, the system requires hibernate to be enabled. If you disable or do not configure this policy setting, the local setting is used.

wlansvc.admx

Class  Setting name  Setting explanation
Machine Set Cost This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN connections on the local machine:
- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis.
If this policy setting is disabled or is not configured, the cost of Wireless LAN connections is Unrestricted by default.

WPN.admx

Class  Setting name  Setting explanation
User Turn off all notifications This policy setting turns off notifications. If you enable this policy setting, applications and system features will not be able to raise toast notifications, update their tile, or receive notifications through the Windows Notification Service (WNS). If you disable or do not configure this policy setting, notifications are enabled and can be turned off by the administrator or user. Note that this policy does not affect taskbar notification balloons. No reboots or service restarts are required for this policy setting to take effect.
User Turn off toast notifications This policy setting turns off toast notifications. If you enable this policy setting, applications and system features will not be able to raise toast notifications. Note that this policy does not affect taskbar notification balloons. If you disable or do not configure this policy setting, toast notifications are enabled and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect.
User Turn off toast notifications on the lock screen This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast notifications on the lock screen are enabled and can be turned off by the administrator or user. No reboots or service restarts are required for this policy setting to take effect.

wwansvc.admx

Class  Setting name  Setting explanation
Machine Set 3G Cost This policy setting configures the cost of 3G connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:
- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis.
If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.
Machine Set 4G Cost This policy setting configures the cost of 4G connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on the local machine:
- Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
- Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
- Variable: This connection is costed on a per byte basis.
If this policy setting is disabled or is not configured, the cost of 4G connections is Fixed by default.