

CCE-33166-0
Prevent memory overwrite on restart This policy setting controls computer restart performance at the risk of exposing BitLocker secrets. This policy setting is applied when you turn on BitLocker. BitLocker secrets include key material used to encrypt data. This policy setting applies only when BitL ...

CCE-34569-4
Do not allow pinning items in Jump Lists This policy setting allows you to control pinning items in Jump Lists. If you enable this policy setting, users cannot pin files, folders, websites, or other items to their Jump Lists in the Start Menu and Taskbar. Users also cannot unpin existing items p ...

CCE-34885-4
Prevent Video Smoothing Prevents video smoothing from occurring. This policy prevents video smoothing, which can improve video playback on computers with limited resources, from occurring. In addition, the Use Video Smoothing check box in the Video Acceleration Settings dialog box in the Player is ...

CCE-33625-5
Folder Redirection This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, t ...

CCE-35576-8
Set BranchCache Distributed Cache mode This policy setting specifies whether the client computer should use the Distributed Cache mode. This BranchCache mode enables a client computer to retrieve content that has been downloaded and cached by other client computers in the branch office. To access c ...

CCE-33878-0
Configure time out for detections in recently remediated state This policy setting configures the time in minutes before a detection in the 'completed' state moves to the 'cleared' state.

CCE-35323-5
Prevent customization of indexed locations in Control Panel If enabled, Search and Indexing Options in Control Panel does not allow opening the Modify Locations dialog. Otherwise it can be opened. Disabled by default.

CCE-34053-9
Turn off location scripting This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts for the location feature will not run. If you disable or do not configure this policy setting, all location scripts will run.

CCE-34512-4
Do not allow the computer to act as a BITS Peercaching client This setting specifies whether the computer will act as a BITS peercaching client. By default, when BITS peercaching is enabled, the computer acts as both a peercaching server (offering files to its peers) and a peercaching client (downl ...

CCE-33362-5
Turn off Multicast Bootstrap This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in the link local cloud. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. One ...

CCE-34689-0
WPD Devices: Deny write access This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not ...

CCE-35007-4
System cryptography: Force strong key protection for user keys stored on the computer This policy setting determines whether users' private keys (such as their S-MIME keys) require a password to be used. If you configure this policy setting so that users must provide a password, distinct from their ...

CCE-33821-0
Always send compound authentication first This policy setting controls whether a device always sends a compound authentication request when the resource domain requests compound identity. Note: For a domain controller to request compound authentication, the policies 'KDC support for claims, comp ...

CCE-33998-6
Detect application installers that need to be run as administrator This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose failures with application installers that are not detected to run as administrator. If you enable this policy setting, the PCA is confi ...

CCE-35652-7
Inclusion list for high risk file types This policy setting allows you to configure the list of high-risk file types. If the file attachment is in the list of high-risk file types and is from the restricted zone, Windows blocks the user from accessing the file. If the file is from the Internet zone ...

CCE-33745-1
Turn off heap termination on corruption Disabling heap termination on corruption can allow certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still terminate unexpectedly later.

CCE-35706-1
Deny write access to fixed drives not protected by BitLocker This policy setting determines whether BitLocker protection is required for fixed data drives to be writable on a computer. This policy setting is applied when you turn on BitLocker. If you enable this policy setting, all fixed data dr ...

CCE-33495-3
Do not search Internet If you enable this policy the start menu search box will not search for internet history or favorites. If you disable or do not configure this policy, the start menu will search for internet history or favorites, unless the user chooses not to in the start menu control ...

CCE-34765-8
License server security group This policy setting allows you to specify the RD Session Host servers to which a Remote Desktop license server will offer Remote Desktop Services client access licenses (RDS CALs). You can use this policy setting to control which RD Session Host servers are issued RDS ...

CCE-33941-6
Automatically send memory dumps for OS-generated error reports This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other tha ...

CCE-35456-3
Do not display the Welcome Center at user logon This policy setting prevents the display of the Welcome Center at user logon. If you enable this policy setting, the Welcome Center is not displayed at user logon. The user can access the Welcome Center using the Control Panel or Start menu. If ...

CCE-33612-3
Hide Settings tab Removes the Settings tab from Display in Control Panel. This setting prevents users from using Control Panel to add, configure, or change the display settings on the computer.

CCE-35127-0
ADSI Edit This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap-i ...

CCE-35589-1
Turn off Help Ratings This policy setting specifies whether users can provide ratings for Help content. If you enable this policy setting, ratings controls are not added to Help content. If you disable or do not configure this policy setting, ratings controls are added to Help topics. User ...

CCE-33122-3
Set PNRP cloud to resolve only This policy setting limits a node to resolving, but not publishing, names in a specific Peer Name Resolution Protocol (PNRP) cloud. This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example, a client computer can detect other ...

CCE-33669-3
Use final DC discovery retry setting for background callers This policy setting determines when retries are no longer allowed for applications that perform periodic searches for domain controllers (DC) are unable to find a DC. For example, retries may be set to occur according to the Use maximum DC ...

CCE-35114-8
Specify sites covered by the application directory partition DC Locator DNS SRV records This policy setting specifies the sites for which the domain controllers (DC) that host the application directory partition should register the site-specific, application directory partition-specific DC Locator ...

CCE-34778-1
Disallow Digest authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Digest authentication. If you enable this policy setting, the WinRM client will not use Digest authentication. If you disable or do not configure this policy s ...

CCE-34107-3
Remove Downloads link from Start Menu If you enable this policy the start menu will not show a link to the Downloads folder.

CCE-33375-7
Add the Run command to the Start Menu If you enable this setting, the Run command is added to the Start menu. If you disable or do not configure this setting, the Run command is not visible on the Start menu by default, but it can be added from the Taskbar and Start menu properties. If the Remove ...

CCE-34841-7
AppleTalk Routing This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, th ...

CCE-35785-5
Turn off hardware buttons Turns off Tablet PC hardware buttons. If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. If you disable this policy, user and OEM defined button actions will occur when the button ...

CCE-34160-2
Allow cryptography algorithms compatible with Windows NT 4.0 This setting controls whether the Net Logon service will allow the use of older cryptography algorithms that are used in Windows NT 4.0. The cryptography algorithms used in Windows NT 4.0 and earlier are not as secure as newer algorithms ...

CCE-33732-9
Configure scripts policy processing This policy setting determines when policies that assign shared scripts are updated. This policy setting affects all policies that use the scripts component of Group Policy, such as those in WindowsSettings\Scripts. It overrides customized settings that the pr ...

CCE-34974-6
ActiveX Control Permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the 'Restrict users to the explicitly permitted list of snap-ins' setting de ...

CCE-34329-3
Configure Corporate Windows Error Reporting This setting determines the corporate server to which Windows Error Reporting will send reports (instead of sending reports to Microsoft). Server port indicates the port to use on the target server. Connect using SSL determines whether Windows will send r ...

CCE-33002-7
Registration Refresh Interval Specifies the Registration Refresh Interval of A and PTR resource records for computers to which this setting is applied. This setting may be applied to computers using dynamic update only. Computers running Windows 2000 Professional and Windows XP Professional, and c ...

CCE-34186-7
Event logging level Determines which events the Offline Files feature records in the event log. Offline Files records events in the Application log in Event Viewer when it detects errors. By default, Offline Files records an event only when the offline files storage cache is corrupted. However, ...

CCE-35234-4
Set RD Gateway authentication method Specifies the authentication method that clients must use when attempting to connect to an RD Session Host server through an RD Gateway server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enab ...

CCE-33865-7
Turn on behavior monitoring This policy setting allows you to configure behavior monitoring. If you enable or do not configure this setting, behavior monitoring will be enabled. If you disable this setting, behavior monitoring will be disabled.

CCE-34382-2
Display Shutdown Event Tracker The Shutdown Event Tracker can be displayed when you shut down a workstation or server. This is an extra set of questions that is displayed when you invoke a shutdown to collect information related to why you are shutting down the computer. If you enable this settin ...

CCE-35563-6
Run these programs at user logon Specifies additional programs or documents that Windows starts automatically when a user logs on to the system. To specify values for this setting, click Show. In the Show Contents dialog box in the Value column, type the name of the executable program (.exe) file ...

CCE-34097-6
Turn Off user-installed desktop gadgets This policy setting allows you to turn off desktop gadgets that have been installed by the user. If you enable this setting, Windows will not run any user-installed gadgets. If you disable or do not configure this setting, Windows will run user-installe ...

CCE-35443-1
Disable detection of slow network connections This policy setting disables the detection of slow network connections. Slow link detection measures the speed of the connection between a user's computer and the remote server that stores the roaming user profile. When the system detects a slow lin ...

CCE-34449-9
Prohibit Task Deletion Prevents users from deleting tasks from the Scheduled Tasks folder. This setting removes the Delete command from the Edit menu in the Scheduled Tasks folder and from the menu that appears when you right-click a task. Also, the system does not respond when users try to cut ...

CCE-35247-6
Prevent Music File Media Information Retrieval This policy setting allows you to prevent media information for music files from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information for music files such as Win ...

CCE-33852-5
Configure local setting override for turn on behavior monitoring This policy setting configures a local override for the configuration of behavior monitoring. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Poli ...

CCE-34658-5
Prevent receiving Video Prevents users from receiving video. Users will still be able to send video provided they have the hardware.

CCE-35310-2
Send data when on connected to a restricted/costed network This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost ...

CCE-33656-0
Specify workplace connectivity wait time for policy processing This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connecti ...

CCE-33388-0
Allow Automatic Sleep with Open Network Files (Plugged In) Allow Automatic Sleep with Open Network Files. If you enable this policy setting, the computer will automatically sleep when network files are open. If you disable this policy setting, the computer will not automatically sleep whe ...

CCE-34854-0
Network control service type Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies ...

CCE-33255-1
Turn off Windows Customer Experience Improvement Program The Windows Customer Experience Improvement Program will collect information about your hardware configuration and how you use our software and services to identify trends and usage patterns. We will not collect your name, address, or any oth ...

CCE-35719-4
Permit use of Start Menu preference extension This policy setting allows you to permit or prohibit use of the Start Menu preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setting ...

CCE-35425-8
Turn off Event Viewer 'Events.asp' links Specifies whether 'Events.asp' hyperlinks are available for events within the Event Viewer application. The Event Viewer normally makes all HTTP(S) URLs into hot links that activate the Internet browser when clicked. In addition, 'More Information' is place ...

CCE-34734-4
Prevent changing color scheme This setting forces the theme color scheme to be the default color scheme. If you enable this setting, a user cannot change the color scheme of the current desktop theme. If you disable or do not configure this setting, a user may change the color scheme of the c ...

CCE-33919-2
Define the order of sources for downloading definition updates This policy setting allows you to define the order in which different definition update sources should be contacted. The value of this setting should be entered as a pipe-separated string enumerating the definition update sources in ord ...

CCE-35678-2
Customize consent settings This policy setting determines the consent behavior of Windows Error Reporting for specific event types. If you enable this policy setting, you can add specific event types to a list by clicking Show, and typing event types in the Value Name column of the Show Contents ...

CCE-33331-0
Do not use the search-based method when resolving shell shortcuts Prevents the system from conducting a comprehensive search of the target drive to resolve a shortcut. By default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcu ...

CCE-33268-4
Turn on Security Center (Domain PCs only) This policy setting specifies whether Security Center is turned on or off for computers that are joined to an Active Directory domain. When Security Center is turned on, it monitors essential security settings and notifies the user when the computer might b ...

CCE-35282-3
Limit profile size This policy setting sets the maximum size of each user profile and determines the system's response when a user profile reaches the maximum size. This policy setting affects both local and roaming profiles. If you disable this policy setting or do not configure it, the system ...

CCE-34275-8
Remove Documents icon from Start Menu Removes the Documents icon from the Start menu and its submenus. This setting only removes the icon. It does not prevent the user from using other methods to gain access to the contents of the Documents folder. Note: To make changes to this setting effect ...

CCE-35741-8
Do not allow window animations This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this policy setting, window animations are turned off. If you disable or do not configure this policy setting ...

CCE-34471-3
Routing and Remote Access This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy set ...

CCE-35109-8
Do not sync desktop personalization Prevent the 'desktop personalization' group from syncing to and from this PC. This turns off and disables the 'desktop personalization' group on the 'sync your settings' page in PC settings. If you enable this policy setting, the 'desktop personalization' gro ...

CCE-34155-2
Remove Recorded TV link from Start Menu If you enable this policy the start menu will not show a link to the Recorded TV library.

CCE-34930-8
Do not turn off system power after a Windows system shutdown has occurred. This setting allows you to configure whether power is automatically turned off when Windows shutdown completes. This setting does not affect Windows shutdown behavior when shutdown is manually selected using the Start menu ...

CCE-35162-7
Removable Storage This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, th ...

CCE-35798-8
Force a specific Start background This setting allows you to configure the Start screen to use one of the available backgrounds, 1 through 20, and prevents the user from changing it. If this setting is set to zero or not configured, then Start uses the default background, and users can change it ...

CCE-34418-4
Do not allow pinning programs to the Taskbar This policy setting allows you to control pinning programs to the Taskbar. If you enable this policy setting, users cannot change the programs currently pinned to the Taskbar. If any programs are already pinned to the Taskbar, these programs continue ...

CCE-33643-8
NAP Client Configuration This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy sett ...

CCE-34395-4
Configure Security Policy for Scripted Diagnostics Determines whether scripted diagnostics will execute diagnostic packages that are signed by untrusted publishers. If you enable this policy setting, the scripted diagnostics execution engine will validate the signer of any diagnostic package and o ...

CCE-32952-4
Choose drive encryption method and cipher strength This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encryp ...

CCE-33148-8
Always use automatic language detection when indexing content and properties This policy setting determines when Windows uses automatic language detection results, and when it relies on indexing history. If you enable this policy setting, Windows will always use automatic language detection to inde ...

CCE-34405-1
Controlled load service type Specifies an alternate link layer (Layer-2) priority value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you ...

CCE-35558-6
Restrict system locales This policy restricts the permitted system locales to the specified list. If the list is empty, it locks the system locale to its current value. This policy does not change the existing system locale; however, the next time that an admin attempts to change the machine's syst ...

CCE-35305-2
Display highly detailed status messages This policy setting directs the system to display highly detailed status messages. This policy setting is designed for advanced users who require this information. If you enable this policy setting, the system displays status messages that reflect each ...

CCE-33896-2
Allow Windows Runtime apps to revoke enterprise data Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is prot ...

CCE-33211-4
Turn off PNRP cloud creation This policy setting enables or disables PNRP cloud creation. PNRP is a distributed name resolution protocol allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then resolve the name, retrieve th ...

CCE-34538-9
Download missing COM components Directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot perform all of their ...

CCE-34810-2
Do not preserve zone information in file attachments This policy setting allows you to manage whether Windows marks file attachments from Internet Explorer or Microsoft Outlook Express with information about their zone of origin (such as restricted, Internet, intranet, or local). This policy setti ...

CCE-33344-3
Remove user folder link from Start Menu If you enable this policy the start menu will not show a link to the user's storage folder. If you disable or do not configure this policy, the start menu will display a link, unless the user chooses to remove it in the start menu control panel.

CCE-33510-9
Configure log access This policy setting specifies to use the security descriptor for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. If you disable or do not conf ...

CCE-33224-7
Turn off the ability to back up data files This setting lets you disable the data file backup functionality. If this setting is enabled, users cannot back up data files. If this setting is disabled or not configured, users can back up data files.

CCE-33477-1
Turn off the ability to create a system image This setting lets you disable the creation of system images. If this setting is enabled, users cannot create system images. If this setting is disabled or not configured, users can create system images.

CCE-34231-1
Deny Delegating Default Credentials This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). If you enable this policy setting you can specify the servers to which the user's default credentials can NOT be delegated (default credentials are those tha ...

CCE-33763-4
Request credentials for network installations Prompts users for alternate logon credentials during network-based installations. This setting displays the 'Install Program As Other User' dialog box even when a program is being installed from files on a network computer across a local area network ...

CCE-35073-6
Do not allow Windows Messenger to be run This policy setting allows you to prevent Windows Messenger from running. If you enable this policy setting, Windows Messenger does not run. If you disable or do not configure this policy setting, Windows Messenger can be used. Note: If you enable t ...

CCE-32978-9
Prohibit User from manually redirecting Profile Folders Prevents users from changing the path to their profile folders. By default, a user can change the location of their individual profile folders like Documents, Music etc. by typing a new path in the Locations tab of the folder's Properties d ...

CCE-33567-9
Do not automatically make specific redirected folders available offline This policy setting allows you to control whether redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you ...

CCE-33906-9
Turn on e-mail scanning This policy setting allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments. Several e-mail formats are currently suppo ...

CCE-34066-1
Turn off Windows Mobility Center This policy setting turns off Windows Mobility Center. If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. If you disab ...

CCE-34484-6
Share and Storage Management This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy s ...

CCE-34943-1
Prevent Control Prevents users from allowing others in a conference to control what they have shared. This enforces a read-only mode; the other participants cannot change the data in the shared application.

CCE-34288-1
Send additional data when on battery power This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data unti ...

CCE-33630-5
Active Directory Sites and Services This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this ...

CCE-34747-6
Century interpretation for Year 2000 This policy setting determines how programs interpret two-digit years. This policy setting affects only the programs that use this Windows feature to interpret two-digit years. If a program does not interpret two-digit years correctly, consult the documentati ...

CCE-35336-7
Set the schedule for background upload of a roaming user profile's registry file while user is logged on This policy setting sets the schedule for background uploading of a roaming user profile's registry file (ntuser.dat). This policy setting controls only the uploading of a roaming user profile's ...

CCE-35349-0
Microsoft Support Diagnostic Tool: Restrict tool download Restricts the tool download policy for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. For some problems, MSDT may prompt the user to download addit ...

CCE-34351-7
Always render print jobs on the server When printing through a print server, determines whether the print spooler on the client will process print jobs itself, or pass them on to the server to do the work. This policy setting only affects printing to a Windows print server. If you enable this pol ...

CCE-35193-2
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates Specifies whether the Windows Update will use the Windows Power Management features to automatically wake up the system from hibernation, if there are updates scheduled for installation. Windo ...

CCE-33357-5
SSL Cipher Suite Order Determines the cipher suites used by the Secure Socket Layer (SSL). If this setting is enabled, SSL cipher suites will be prioritized in the order specified. If this setting is disabled or not configured, the factory default cipher suite order will be used. SSL2, SSL3, TLS ...

CCE-34142-0
Turn on certificate propagation from smart card This policy setting allows you to manage the certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then certificate propagation will occur when you insert your smart card. If you dis ...

CCE-34823-5
Prevent access to feed list This policy setting prevents the user from using Internet Explorer as a feed reader. This policy setting has no impact on the Windows RSS Platform. If you enable this policy setting, the user cannot access the feed list in the Favorites Center. If you disable or do ...

CCE-33104-1
Use enhanced Boot Configuration Data validation profile This policy setting allows you to choose specific Boot Configuration Data (BCD) settings to verify during platform validation. If you enable this policy setting, you will be able to add additional settings, remove the default settings, or b ...

CCE-33883-0
Create a system restore point This policy setting allows you to create a system restore point on the computer on a daily basis prior to cleaning. If you enable this setting, a system restore point will be created. If you disable or do not configure this setting, a system restore point will n ...

CCE-34079-4
Update Security Level Specifies whether the computers to which this setting is applied use secure dynamic update or standard dynamic update for registration of DNS records. To enable this setting, click Enable, and then choose one of the following values. Unsecure followed by secure - if this opt ...

CCE-34956-3
Create new Group Policy Object links disabled by default This policy setting allows you to create new Group Policy object links in the disabled state. If you enable this setting, you can create all new Group Policy object links in the disabled state by default. After you configure and test the n ...

CCE-33750-1
Remove CD Burning features This policy setting allows you to remove CD Burning features. File Explorer allows you to create and modify re-writable CDs if you have a CD writer connected to your PC. If you enable this policy setting, all features in the File Explorer that allow you to use your CD ...

CCE-35216-1
Prevent Media Sharing Prevents media sharing from Windows Media Player. This policy prevents any user on this computer from sharing digital media content from Windows Media Player with other computers and devices that are on the same network. When this policy is disabled or not configured, anyone ...

CCE-33081-1
Configure TPM platform validation profile for BIOS-based firmware configurations This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a co ...

CCE-32965-6
Do not display the password reveal button This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password en ...

CCE-35545-3
Remove Logoff This policy setting disables or removes all menu items and buttons that log the user off the system. If you enable this policy setting, users will not see the Log off menu item when they press Ctrl+Alt+Del. This will prevent them from logging off unless they restart or shutdown the ...

CCE-33433-4
Do not throttle additional data This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not t ...

CCE-34049-7
Turn off access to the performance center core section This policy setting removes access to the performance center control panel page. If you enable this policy setting, some settings within the performance control panel page are not displayed. The administrative tools will not be affected. ...

CCE-34508-2
Do not allow smart card device redirection This policy setting allows you to control the redirection of smart card devices in a Remote Desktop Services session. If you enable this policy setting, Remote Desktop Services users cannot use a smart card to log on to a Remote Desktop Services session. ...

CCE-34561-1
Check published state Directs the system to periodically verify that the printers published by this computer still appear in Active Directory. This setting also specifies how often the system repeats the verification. By default, the system only verifies published printers at startup. This settin ...

CCE-35131-2
User Interface Specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon. Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and ...

CCE-32995-3
Permit use of Printers preference extension This policy setting allows you to permit or prohibit use of the Printers preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setting, yo ...

CCE-33870-7
Allow users to pause scan This policy setting allows you to manage whether or not end users can pause a scan in progress. If you enable or do not configure this setting, a new context menu will be added to the task tray icon to allow the user to pause a scan. If you disable this setting, user ...

CCE-33674-3
Force the reading of all certificates from the smart card This policy setting allows you to manage the reading of all certificates from the smart card for logon. During logon Windows will by default only read the default certificate from the smart card unless it supports retrieval of all certifica ...

CCE-34957-1
Enforce Removal of Remote Desktop Wallpaper Specifies whether desktop wallpaper is displayed to remote clients connecting via Remote Desktop Services. You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. By default, Windows XP Professional displays ...

CCE-35580-0
Set percentage of disk space used for client computer cache This policy setting changes the default percentage of total disk space to dedicate to caching retrieved content with BranchCache. This content is made available to other requesting client computers if they are authorized by the server to a ...

CCE-35251-8
Limit the maximum network bandwidth for BITS background transfers This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers. (This policy setting does not affect foreground transfers.) You can specify a limit to u ...

CCE-35710-3
Hide Add New Programs page Removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. If you disable this setting ...

CCE-35068-6
Do not allow passwords to be saved Controls whether a user can save passwords using Remote Desktop Connection. If you enable this setting the credential saving checkbox in Remote Desktop Connection will be disabled and users will no longer be able to save passwords. When a user opens an RDP file ...

CCE-34681-7
Prevent Back-ESC mapping Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this behavior. If you enable this policy, a button assigned to Back will not map to ESC. If you disable this policy, Back->ESC mapping will occur. If y ...

CCE-34485-3
Turn off Windows presentation settings This policy setting turns off Windows presentation settings. If you enable this policy setting, Windows presentation settings cannot be invoked. If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings i ...

CCE-33937-4
Show Start on the display the user is using when they press the Windows logo key This policy setting allows the Start screen to appear on the display the user is using when they press the Windows logo key. This setting only applies to users who are using multiple displays. If you enable this pol ...

CCE-35407-6
Specify intranet Microsoft update service location This policy setting allows you to specify an intranet server to host updates from the Microsoft Update Web site. You can then use this update service location to automatically update computers on your network. The Automatic Updates client will sear ...

CCE-35264-1
Do not display the Getting Started welcome screen at logon This policy setting hides the welcome screen that is displayed on Windows 2000 Professional each time the user logs on. If you enable this policy setting, the welcome screen is hidden from the user logging on to a computer where this pol ...

CCE-34694-0
Automatic Maintenance Random Delay This policy setting allows you to configure Automatic Maintenance activation random delay. The maintenance random delay is the amount of time up to which Automatic Maintenance will delay starting from its Activation Boundary. This setting is useful f ...

CCE-35460-5
Do not process the legacy run list This policy setting ignores the customized run list. You can create a customized list of additional programs and documents that the system starts automatically when it runs on Windows Vista, Windows XP Professional, and Windows 2000 Professional. These programs ...

CCE-33990-3
Deny Delegating Saved Credentials This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). If you enable this policy setting you can specify the servers to which the user's saved credentials can NOT be delegated (saved credentials are those that you ...

CCE-33794-9
Set and Lock Skin This policy setting allows you to set and lock Windows Media Player in skin mode, using a specified skin. If you enable this policy setting, the Player displays only in skin mode using the skin specified in the Skin box on the Setting tab. You must use the complete file name ...

CCE-34900-1
Interactive logon: Machine inactivity limit Windows notices inactivity of a logon session, and if the amount of inactive time exceeds the inactivity limit, then the screen saver will run, locking the session.

CCE-33313-8
Prevent access to the command prompt This policy setting prevents users from running the interactive command prompt, Cmd.exe. This policy setting also determines whether batch files (.cmd and .bat) can run on the computer. If you enable this policy setting and the user tries to open a command w ...

CCE-35767-3
Turn off Active Help Specifies whether active content links in trusted assistance content are rendered. By default, the Help viewer renders trusted assistance content with active elements such as ShellExecute links and Guided Help links. If you enable this policy, such links are not rendered. The ...

CCE-33446-6
Ability to rename LAN connections or remote access connections available to all users Determines whether users can rename LAN or all user remote access connections. If you enable this setting, the Rename option is enabled for all users. Users can rename connections by clicking the icon represent ...

CCE-34704-7
Turn off tile notifications This policy setting turns off tile notifications. If you enable this policy setting, applications and system features will not be able to update their tiles and tile badges in the Start screen. If you disable or do not configure this policy sett ...

CCE-32982-1
Remove Properties from the Computer icon context menu This setting hides Properties on the context menu for Computer. If you enable this setting, the Properties option will not be present when the user right-clicks My Computer or clicks Computer and then goes to the File menu. Likewise, Alt-Ent ...

CCE-33598-4
Dynamic Update Determines if dynamic update is enabled. Computers configured for dynamic update automatically register and update their DNS resource records with a DNS server. If you enable this setting, the computers to which this setting is applied may use dynamic DNS registration on each of th ...

CCE-34289-9
Prohibit deletion of remote access connections Determines whether users can delete remote access connections. If you enable this setting (and enable the 'Enable Network Connections settings for Administrators' setting), users (including administrators) cannot delete any remote access connections ...

CCE-35188-2
FrontPage Server Extensions This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy s ...

CCE-34837-5
Turn off app notifications on the lock screen This policy setting allows you to prevent app notifications from appearing on the lock screen. If you enable this policy setting, no app notifications are displayed on the lock screen. If you disable or do not configure this policy setting, users ...

CCE-33117-3
Require strict target SPN match on remote procedure calls When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 will attempt to use Kerberos by generating an SPN. This policy setting allo ...

CCE-35491-0
Audit account logon events This policy setting determines whether to audit each instance of a user who logs on to or off from another computer that validates the account. Authentication of a domain user account on a domain controller generates an account logon event that is logged in the domain con ...

CCE-34770-8
Limit the maximum network bandwidth used for Peercaching This setting limits the network bandwidth that BITS uses for peercache transfers (this setting does not affect transfers from the origin server). To prevent any negative impact to a computer caused by serving other peers, by default BITS will ...

CCE-33183-5
Set BranchCache Hosted Cache mode This policy setting specifies whether the client computer should use the Hosted Cache mode, and if so, what the address of the BranchCache server is. The Hosted Cache mode enables a client computer to retrieve content from a BranchCache server that acts as the cent ...

CCE-35634-5
Turn off Windows Update device driver search prompt Specifies whether the administrator will be prompted about going to Windows Update to search for device drivers using the Internet. Note: This setting only has effect if 'Turn off Windows Update device driver searching' in 'Administrative Templ ...

CCE-33661-0
Enable Windows NTP Client Specifies whether the Windows NTP Client is enabled. Enabling the Windows NTP Client allows your computer to synchronize its computer clock with other NTP servers. You may want to disable this service if you decide to use a third-party time provider.

CCE-34258-4
Best effort service type Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to pac ...

CCE-34036-4
Set IP-HTTPS State This policy setting allows you to configure IP-HTTPS, a tunneling technology that uses the HTTPS protocol to provide IP connectivity to a remote network. If you disable or do not configure this policy setting, the local host settings are used. If you enable this policy sett ...

CCE-35295-5
Support compound authentication This policy setting controls configuring the device's Active Directory account for compound authentication. Support for providing compound authentication which is used for access control will require enough domain controllers in the resource account domains to sup ...

CCE-33326-0
Remove Favorites menu from Start Menu Prevents users from adding the Favorites menu to the Start menu or classic Start menu. If you enable this setting, the Display Favorites item does not appear in the Advanced Start menu options box. If you disable or do not configure this setting, the Disp ...

CCE-33804-6
Do not sync other Windows settings Prevent the 'Other Windows settings' group from syncing to and from this PC. This turns off and disables the 'Other Windows settings' group on the 'sync your settings' page in PC settings. If you enable this policy setting, the 'Other Windows settings' group w ...

CCE-34454-9
Hide 'Windows Marketplace' This setting prevents users from accessing the 'Get new programs from Windows Marketplace' task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. Windows Marketplace allows users to purchase and/or download various ...

CCE-33459-9
Use solid color for Start background This policy setting controls the Start background visuals. If you enable this policy setting, the Start background will use a solid color. If you disable or do not configure this policy setting, the Start background will use the default visuals. Note: I ...

CCE-35723-6
Require secure RPC communication Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication. You can use this setting to strengthen the security of RPC communication with clients by allowing only authenticated and enc ...

CCE-33050-6
Check for missing Windows Updates This configuration item is a PowerShell-based script that checks to see if all required updates are installed. It is designed to be exported within DCM Management Packs. To function it requires that the PowerShell execution policy be set to RemoteSigned. Y ...

CCE-34441-6
Initial reminder balloon lifetime Determines how long the first reminder balloon for a network status change is displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event ...

CCE-34574-4
Tape Drives: Deny read access This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this remo ...

CCE-35042-1
Hide the Video page Hides the Video page of the Tools Options dialog. Users will not then be able to change video settings.

CCE-33781-6
MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) This entry appears as MSS: (AutoShareWks) Enable Administrative Shares (recommended except for highly secure environments) in the SCE. By default, when Windows networking is active on a server, Wind ...

CCE-34112-3
Prevent Input Panel tab from appearing Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. If you enable ...

CCE-35318-5
Do not allow web search Enabling this policy removes the option of searching the Web from Windows Desktop Search. When this policy is disabled or not configured, the Web option is available and users can search the Web via their default browser search engine.

CCE-35371-4
System settings: Use Certificate Rules on Windows Executables for Software Restriction Policies This policy setting determines whether digital certificates are processed when software restriction policies are enabled and a user or process attempts to run software with an .exe file name extension. I ...

CCE-33392-2
Allow Cross-Forest User Policy and Roaming User Profiles Allows user-based policy processing, roaming user profiles, and user object logon scripts for interactive logons across forests. This setting affects all user accounts that interactively log on to a computer in a different forest when a trus ...

CCE-33911-9
Allow definition updates when running on battery power This policy setting allows you to configure definition updates when the computer is running on battery power. If you enable or do not configure this setting, definition updates will occur as usual regardless of power state. If you disable ...

CCE-33339-3
Remove user's folders from the Start Menu Hides all folders on the user-specific (top) section of the Start menu. Other items appear, but folders are hidden. This setting is designed for use with redirected folders. Redirected folders appear on the main (bottom) section of the Start menu. Howeve ...

CCE-34926-6
Do not allow sessions without one way CHAP If enabled then only those sessions that are configured for one-way CHAP may be established. If disabled then sessions that are configured for one-way CHAP or sessions not configured for one-way CHAP may be established. Note that if the 'Do not allow sessi ...

CCE-35486-0
Apply UAC restrictions to local accounts on network logons This setting controls whether local accounts can be used for remote administration via network logon (e.g., NET USE, connecting to C$, etc.). Local accounts are at high risk for credential theft when the same account and password is configu ...

CCE-33076-1
Control use of BitLocker on removable drives This policy setting controls the use of BitLocker on removable data drives. This policy setting is applied when you turn on BitLocker. When this policy setting is enabled you can select property settings that control how users can configure BitLocker. ...

CCE-34467-1
Run logon scripts synchronously This policy setting directs the system to wait for logon scripts to finish running before it starts the Windows Explorer interface program and creates the desktop. If you enable this policy setting, Windows Explorer does not start until the logon scripts have fini ...

CCE-35812-7
Enable LSA Protection Use this setting to configure additional protection for the Local Security Authority (LSA) process to prevent code injection that could compromise credentials. On x86-based or x64-based devices that use Secure Boot and UEFI, a UEFI variable is set in the UEFI firmware when ...

CCE-35682-4
Specify a default color This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color will be used in glass window frames, if the user has not specified a color. If you disable or ...

CCE-33848-3
Configure local setting override for monitoring for incoming and outgoing file activity This policy setting configures a local override for the configuration of monitoring for incoming and outgoing file activity. This setting can only be set by Group Policy. If you enable this setting, the local ...

CCE-33572-9
Critical Battery Notification Level Specifies the percentage of battery capacity remaining that triggers the critical battery notification action. If you enable this policy, you must enter a numeric value (percentage) to set the battery level that triggers the critical notification. To set the ac ...

CCE-34783-1
Prevent press and hold Prevents press and hold actions on hardware buttons, so that only one action is available per button. If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: 'Some settings are controlled by G ...

CCE-33196-7
Specify the Display Dim Brightness (On Battery) Specify the brightness of the display when Windows automatically reduces brightness of the display. If you enable this policy setting, you must provide a value, in percentage, indicating the display brightness when Windows automatically reduces ...

CCE-35353-2
Public Key Policies This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, ...

CCE-35509-9
Audit Policy: Logon-Logoff: Network Policy Server This subcategory reports events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Auditing this setting will result in a medium or high volum ...

CCE-34334-3
Configure list of IEEE 1667 silos usable on your computer This policy setting allows you to create a list of IEEE 1667 silos, compliant with the Institute of Electrical and Electronics Engineers, Inc. (IEEE) 1667 specification, that are usable on your computer. If you enable this policy setting, o ...

CCE-34587-6
Enable NTFS pagefile encryption Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted.

CCE-33835-0
Define proxy server for connecting to the network This policy setting allows you to configure the named proxy that should be used when the client attempts to connect to the network for definition updates and MAPS reporting. If the named proxy fails or if there is no proxy specified, the following s ...

CCE-35100-7
Set scavenge interval This policy setting determines the interval at which Netlogon performs the following scavenging operations: - Checks if a password on a secure channel needs to be modified, and modifies it if necessary. - On the domain controllers (DC), discovers a DC that has not been d ...

CCE-33968-9
Turn off AutoComplete integration with Input Panel Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard ...

CCE-34806-0
Guaranteed service type Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packe ...

CCE-33639-6
Internet Authentication Service (IAS) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable thi ...

CCE-35233-6
Set IP Stateless Autoconfiguration Limits State This policy setting allows you to configure IP Stateless Autoconfiguration Limits. If you enable or do not configure this policy setting, IP Stateless Autoconfiguration Limits will be enabled and system will limit the number of autoconfigured addre ...

CCE-34663-5
Allow persisting automatic acceptance of Calls Make the automatic acceptance of incoming calls persistent.

CCE-33272-6
Shared Folders Ext This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, t ...

CCE-35562-8
Run logon scripts synchronously Directs the system to wait for the logon scripts to finish running before it starts the Windows Explorer interface program and creates the desktop. If you enable this setting, Windows Explorer does not start until the logon scripts have finished running. This settin ...

CCE-33955-6
Turn off storage and display of search history This policy setting prevents search queries from being stored in the registry. If you enable this policy setting, search suggestions based on previous searches won't appear in the search pane. Search suggestions provided by apps or by Windows based on ...

CCE-35593-3
Set the Seed Server This setting sets the seed server for the link local cloud to a specified node in the enterprise. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. The protocol, in some cases, requires a seed server from wh ...

CCE-33285-8
Use the specified Remote Desktop license servers This policy setting allows you to specify the order in which an RD Session Host server attempts to locate Remote Desktop license servers. If you enable this policy setting, an RD Session Host server first attempts to locate the license servers that y ...

CCE-34676-7
Configure RD Connection Broker farm name This policy setting allows you to specify the name of a farm to join in RD Connection Broker. RD Connection Broker uses the farm name to determine which RD Session Host servers are in the same RD Session Host server farm. Therefore, you must use the same far ...

CCE-34423-4
Remove pinned programs from the Taskbar This policy setting allows you to remove pinned programs from the taskbar. If you enable this policy setting, pinned programs are prevented from being shown on the Taskbar. Users cannot pin programs to the Taskbar. If you disable or do not configure thi ...

CCE-33506-7
Allow time zone redirection This policy setting determines whether the client computer redirects its time zone settings to the Remote Desktop Services session. If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the server. The s ...

CCE-35705-3
Configure use of smart cards on removable data drives This policy setting specifies whether a password is required to unlock BitLocker-protected removable data drives. If you choose to allow use of a password, you can require a password to be used, enforce complexity requirements, and configure a m ...

CCE-35340-9
Stop indexing in the event of limited hard drive space Enabling this policy prevents indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. Select between 0 and 2147483647 MB. Enable this policy if computers in your enviro ...

CCE-35397-9
Turn off shell protocol protected mode This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this p ...

CCE-34280-8
Allow domain users to log on using biometrics This policy setting determines whether domain users can log on or elevate User Account Control (UAC) permissions using biometrics. By default, domain users cannot use biometrics to log on. If you enable this policy setting, domain users can log on to a ...

CCE-33152-0
Turn Off Hybrid Sleep (On Battery) Disables Hybrid Sleep. If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). If you do not configure this policy setting, users can see and change this setting.

CCE-34138-8
Turn off password security in Input Panel Adjusts password security settings in Tablet PC Input Panel. These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped ...

CCE-34556-1
Disable text prediction Prevents the Tablet PC Input Panel from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter t ...

CCE-33759-2
Remove Search button from File Explorer This policy setting allows you to remove the Search button from the File Explorer toolbar. If you enable this policy setting, the Search button is removed from the Standard Buttons toolbar that appears in File Explorer and other programs that use the File ...

CCE-35024-9
Prevent backing up to local disks This setting lets you prevent users from selecting a local disk (internal or external) for storing backups. If you enable this policy setting, users are prevented from selecting a local disk as a backup location. If you disable or do not configure t ...

CCE-34543-9
Enable Persistent Time Stamp The Persistent System Timestamp allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. If you enable this setting, the Persistent System Timestamp will be refreshed according ...

CCE-33165-2
Configure use of passwords for fixed data drives This policy setting specifies whether a password is required to unlock BitLocker-protected fixed data drives. If you choose to permit the use of a password, you can require that a password be used, enforce complexity requirements on the password, and ...

CCE-34752-6
Extend Point and Print connection to search Windows Update This policy setting allows you to manage where client computers search for Point and Print drivers. If you enable this policy setting, the client computer will continue to search for compatible Point and Print drivers from Windows Update ...

CCE-35011-6
Enable connection through RD Gateway If you enable this policy setting, when Remote Desktop Connection cannot connect directly to a remote computer (an RD Session Host server or a computer with Remote Desktop enabled), the clients will attempt to connect to the remote computer through an RD Gateway ...

CCE-35220-3
Interactive logon: Display user information when the session is locked This policy setting determines whether the account name of the last user to log on to the client computers in your organization can display in each computer's respective Windows logon screen. If you enable this policy setting, i ...

CCE-35616-2
Set up a work schedule to limit the maximum network bandwidth used for BITS background transfers This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the work and non-work days and hours. The work schedule is defin ...

CCE-33879-8
Configure time out for detections requiring additional action This policy setting configures the time in minutes before a detection in the 'additional action' state moves to the 'cleared' state.

CCE-33626-3
Scripts (Startup/Shutdown) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy se ...

CCE-35277-3
Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers This policy setting allows you to deny or audit outgoing NTLM traffic from this Windows 7 or this Windows Server 2008 R2 computer to any Windows remote server. This policy is supported on at least Windows 7 or Windows Server 2 ...

CCE-33089-4
Set default download behavior for BITS jobs on costed networks This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit ...

CCE-35473-8
Default Action and Mitigation Settings This setting allows you to configure the default action after detection and advanced ROP mitigation settings. If you enable this setting, you can configure the default action to be taken once an exploit has been detected. If you disable or do not configu ...

CCE-34347-5
Allow logon scripts when NetBIOS or WINS is disabled This policy setting allows user logon scripts to run when the logon is cross-forest, DNS suffixes are not configured, and NetBIOS or WINS is disabled. This policy setting affects all user accounts interactively logging on to the computer. If you ena ...

CCE-33822-8
Do not display network selection UI This policy setting allows you to control whether anyone can interact with available networks UI on the logon screen. If you enable this policy setting, the PC's network connectivity state cannot be changed without signing into Windows. If you disable or do ...

CCE-34071-1
Turn On Desktop Background Slideshow (Plugged In) Specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. If you disable this policy setting, the desktop background slideshow is disabled. if you do not c ...

CCE-33361-7
Default excluded paths Enabling this policy allows you to specify a list of paths to exclude from indexing by default. The user may override these paths and include them in indexing. On a per-user basis, this policy setting will work only if a protocol handler referencing a SID-based user scope, su ...

CCE-34018-2
Disk Diagnostic: Configure execution level Determines the execution level for S.M.A.R.T.-based disk diagnostics. Self-Monitoring And Reporting Technology (S.M.A.R.T.) is a standard mechanism for storage devices to report faults to Windows. A disk that reports a S.M.A.R.T. fault may need to be rep ...

CCE-35139-5
Global Configuration Settings These settings control the Windows Time service (W32time) for domain controllers. Several of these values are scalar, which means that they only have meaning in relation to one another and are not defined by specific unit measurements. For settings regarding time sync ...

CCE-33953-1
Turn off creation of System Restore Checkpoints System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, the Windows Installer automatically creates a System Restore checkpoint each time an application is ...

CCE-35202-1
List of applications to be excluded This setting determines the behavior of the error reporting exclusion list. Windows will not send reports for any process added to this list. Click 'Show' to display the exclusion list. In the Show Contents dialog box in the Value column, type a process name t ...

CCE-35651-9
Default risk level for file attachments This policy setting allows you to manage the default risk level for file types. To fully customize the risk level for file attachments, you may also need to configure the trust logic for file attachments. High Risk: If the attachment is in the list of high ...

CCE-33350-0
Short name creation options These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. If you enable short names on all volumes then s ...

CCE-35192-4
Disallow user override of locale settings This policy setting prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the def ...

CCE-33504-2
Allow non-administrators to install drivers for these device setup classes Specifies a list of device setup class GUIDs describing device drivers that non-administrator members of the built-in Users group may install on the system. If you enable this setting, members of the Users group may install ...

CCE-34448-1
Prohibit New Task Creation Prevents users from creating new tasks. This setting removes the Add Scheduled Task item that starts the New Task Wizard. Also, the system does not respond when users try to move, paste, or drag programs or documents into the Scheduled Tasks folder. Note: This setti ...

CCE-34764-1
Join RD Connection Broker This policy setting allows you to specify whether the RD Session Host server should join a farm in RD Connection Broker. RD Connection Broker tracks user sessions and allows a user to reconnect to their existing session in a load-balanced RD Session Host server farm. To pa ...

CCE-33757-6
Do not move deleted files to the Recycle Bin When a file or folder is deleted in File Explorer, a copy of the file or folder is placed in the Recycle Bin. Using this setting, you can change this behavior. If you enable this setting, files and folders that are deleted using File Explorer will not ...

CCE-33483-9
Browse the network to find printers Allows users to use the Add Printer Wizard to search the network for shared printers. If you enable this setting or do not configure it, when users choose to add a network printer by selecting the 'A network printer, or a printer attached to another computer' ...

CCE-35771-5
Turn off automatic termination of applications that block or cancel shutdown This policy setting specifies whether Windows will allow console applications and GUI applications without visible top-level windows to block or cancel shutdown. By default, such applications are automatically terminated i ...

CCE-35455-5
Hide previous versions list for local files This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-disk restore points or from backup media. If you enable this policy setting, users cannot list or restore pre ...

CCE-35259-1
Lock Enhanced Storage when the computer is locked This policy will enable the Enhanced Storage device to be locked when the computer is locked. This policy is supported in Windows Enterprise and Business SKUs only. If you enable this policy setting, the Enhanced Storage device will remain locked ...

CCE-35718-6
Permit use of Local Users and Groups preference extension This policy setting allows you to permit or prohibit use of the Local Users and Groups preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you en ...

CCE-35588-3
Set rules for remote control of Remote Desktop Services user sessions This policy setting allows you to specify the level of remote control permitted in a Remote Desktop Services session. You can use this policy setting to select one of two levels of remote control: View Session or Full Control. V ...

CCE-34777-3
Prevent users from adding files to the root of their Users Files folder. This policy setting allows administrators to prevent users from adding new items such as files or folders to the root of their Users Files folder in File Explorer. If you enable this policy setting, users will no longer be ...

CCE-35468-8
Configure disk quota policy processing This policy setting determines when disk quota policies are updated. This policy setting affects all policies that use the disk quota component of Group Policy, such as those in Computer Configuration\Administrative Templates\System\Disk Quotas. This pol ...

CCE-34568-6
Do not allow Snipping Tool to run Prevents the snipping tool from running. If you enable this policy setting, the Snipping Tool will not run. If you disable this policy setting, the Snipping Tool will run. If you do not configure this policy setting, the Snipping Tool will run.

CCE-33624-8
Administrative Templates (Computers) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this ...

CCE-34840-9
Link to Web Address Permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the 'Restrict users to the explicitly permitted list of snap-ins' settin ...

CCE-32979-7
Hide Internet Explorer icon on desktop Removes the Internet Explorer icon from the desktop and from the Quick Launch bar on the taskbar. This setting does not prevent the user from starting Internet Explorer by using other methods.

CCE-33877-2
Configure time out for detections in non-critical failed state This policy setting configures the time in minutes before a detection in the 'non-critically failed' state moves to the 'cleared' state.

CCE-33167-8
Configure use of hardware-based encryption for operating system drives This policy setting allows you to manage BitLocker's use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption ...

CCE-34511-6
Do not allow the BITS client to use Windows Branch Cache This setting affects whether the BITS client is allowed to use Windows Branch Cache. If the Windows Branch Cache component is installed and enabled on a computer, then BITS jobs on that computer can use Windows Branch Cache by default. ...

CCE-34973-8
Hash Version support for BranchCache This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCa ...

CCE-33820-2
Configure Logon Script Delay Enter '0' to disable Logon Script Delay. This policy setting allows you to configure how long the Group Policy client waits after logon before running scripts. By default, the Group Policy client waits five minutes before running lo ...

CCE-35335-9
Prevent restoring remote previous versions This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. If you enable this policy setting, the Restore button is disabled when the user selects a p ...

CCE-33997-8
Detect application failures caused by deprecated COM objects This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose DLL load or COM object creation failures in programs. If you enable this policy setting, the PCA detects programs trying to create legacy COM ...

CCE-35807-7
Turn off Automatic Download and Install of updates Enables or disables the automatic download and installation of app updates. If you enable this setting, the automatic download and installation of app updates is turned off. If you disable this setting, the automatic download and installation ...

CCE-35695-6
Start a program on connection Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Services sessions provide access to th ...

CCE-35442-3
Prevent indexing Microsoft Office Outlook Enable this policy to prevent indexing of any Microsoft Outlook items. The default is to automatically index Outlook items. If this policy is enabled then the user's Outlook items will not be added to the index and the user will not see them in search resul ...

CCE-34404-4
Controlled load service type Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies ...

CCE-34394-7
Configure Scenario Execution Level This policy setting determines whether Diagnostic Policy Service (DPS) will diagnose memory leak problems. If you disable this policy setting, the DPS will not be able to diagnose memory leak problems. If you do not configure this policy setting, the DPS will ena ...

CCE-35246-8
Prevent CD and DVD Media Information Retrieval This policy setting allows you to prevent media information for CDs and DVDs from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically obtaining media information from the Internet for CDs ...

CCE-33496-1
Force classic Start Menu This setting affects the presentation of the Start menu. The classic Start menu in Windows 2000 Professional allows users to begin common tasks, while the new Start menu consolidates common items onto one menu. When the classic Start menu is used, the following icons are ...

CCE-34657-7
Prevent changing DirectSound Audio setting Prevents user from changing the DirectSound audio setting. DirectSound provides much better audio quality, but older audio hardware may not support it.

CCE-35126-2
Group Policy Management This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setti ...

CCE-33940-8
Allow Microsoft accounts to be optional This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that ...

CCE-34261-8
Turn off Windows presentation settings This policy setting turns off Windows presentation settings. If you enable this policy setting, Windows presentation settings cannot be invoked. If you disable this policy setting, Windows presentation settings can be invoked. The presentation settings icon ...

CCE-33611-5
Disable the Display Control Panel Disables the Display Control Panel. If you enable this setting, the Display Control Panel does not run. When users try to start Display, a message appears explaining that a setting prevents the action. Also, see the 'Prohibit access to the Control Panel' (Use ...

CCE-33110-8
Enable filter in Find dialog box Displays the filter bar above the results of an Active Directory search. The filter bar consists of buttons for applying additional filters to search results. If you enable this setting, the filter bar appears when the Active Directory Find dialog box opens, but ...

CCE-35575-0
Do not allow Windows to activate Enhanced Storage devices This policy setting configures whether or not Windows will activate an Enhanced Storage device. If you enable this policy setting, Windows will not activate unactivated Enhanced Storage devices. If you disable or do not configure this ...

CCE-34733-6
Set the intranet support Web page Sets the URL NetMeeting will display when the user chooses the Help Online Support command.

CCE-33123-1
Set the Time interval in minutes for logging accounting data This setting directs the Accounting feature to log data on the accounting server at the specified time interval. If you enable this setting, Windows System Resource Manager (WSRM) will set the accounting time interval to the value specif ...

CCE-33668-5
Execute print drivers in isolated processes This policy setting determines whether the print spooler will execute print drivers in an isolated or separate process. When print drivers are loaded in an isolated process (or isolated processes), a print driver failure will not cause the print spooler s ...

CCE-33376-5
Remove Logoff on the Start Menu Removes the 'Log Off <username>' item from the Start menu and prevents users from restoring it. If you enable this setting, the Log Off <username> item does not appear in the Start menu. This setting also removes the Display Logoff item from Start Menu Options. As ...

CCE-35322-7
Prevent adding user-specified locations to the All Locations menu This policy setting allows you to enable or disable the Add/Remove location options on the All Locations menu as well as any defined locations that were made by a user. When this policy is not configured, the default behavior is to ...

CCE-35113-0
Set Weight in the DC Locator DNS SRV records This policy setting specifies the Weight field in the SRV resource records registered by the domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service, and they are used to locate the ...

CCE-34328-5
Configure Background Sync This is a machine-specific setting which applies to any user who logs onto the specified machine while this policy is in effect. This policy is in effect when a network folder is determined, as specified by the 'Configure slow-link mode' policy, to be in 'slow-link' mode. ...

CCE-35379-7
Configure how often a DFS client discovers domain controllers This policy setting allows you to configure how often a Distributed File System (DFS) client attempts to discover domain controllers on a network. By default, a DFS client attempts to discover domain controllers every 15 minutes. If y ...

CCE-34185-9
Non-default server disconnect actions Determines how computers respond when they are disconnected from particular offline file servers. This setting overrides the default response, a user-specified response, and the response specified in the 'Action on server disconnect' setting. To use this set ...

CCE-34381-4
Disallow selection of Custom Locales This policy prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that shipped with the operating system. Note that this does not affect the selection of replacement locales. To prevent th ...

CCE-35098-3
Configure IP security policy processing This policy setting determines when IP security policies are updated. This policy setting affects all policies that use the IP security component of Group Policy, such as policies in Computer Configuration\Windows Settings\Security Settings\IP Security Pol ...

CCE-32953-2
Use urgent mode when pinging domain controllers This policy setting configures whether the computers to which this setting is applied are more aggressive when trying to locate a domain controller (DC). When an environment has a large number of DCs running both old and new operating systems, the ...

CCE-35557-8
Restrict Remote Desktop Services users to a single Remote Desktop Services session This policy setting allows you to restrict users to a single remote Remote Desktop Services session. If you enable this policy setting, users who log on remotely using Remote Desktop Services will be restricted to a ...

CCE-33851-7
Configure local setting override for the time of day to run a scheduled full scan to complete remediation This policy setting configures a local override for the configuration of the time to run a scheduled full scan to complete remediation. This setting can only be set by Group Policy. If you e ...

CCE-35304-5
Specify DC Locator DNS records not registered by the DCs This policy setting determines which DC Locator DNS records are not registered by the Net Logon service. If you enable this policy setting, select Enabled and specify a list of space-delimited mnemonics (instructions) for the DC Locator DN ...

CCE-33655-2
Restrict user locales This policy setting restricts users on a computer to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy setting does not change existing user locale settings; however, the next time a user attempts to change ...

CCE-34034-9
Remove 'Work offline' command This policy setting removes the 'Work offline' command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the 'Work offline' command is not displayed in Windows Explorer. ...

CCE-34274-1
Remove See More Results / Search Everywhere link If you enable this policy, a 'See more results' / 'Search Everywhere' link will not be shown when the user performs a search in the start menu search box. If you disable or do not configure this policy, a 'See more results' link will be shown when ...

CCE-33918-4
Define the number of days before virus definitions are considered out of date This policy setting allows you to define the number of days that must pass before virus definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additional ac ...

CCE-34167-7
Disallow standby sleep states (S1-S3) when starting from a Windows to Go workspace Specifies whether the PC can use standby sleep states (S1-S3) when starting from a Windows To Go workspace. If you enable this setting, Windows, when started from a Windows To Go workspace, can't use standby state ...

CCE-35633-7
Code signing for device drivers Determines how the system responds when a user tries to install device driver files that are not digitally signed. This setting establishes the least secure response permitted on the systems of users in the group. Users can use System in Control Panel to select a ...

CCE-33332-8
Remove Run menu from Start Menu Allows you to remove the Run command from the Start menu, Internet Explorer, and Task Manager. If you enable this setting, the following changes occur: (1) The Run command is removed from the Start menu. (2) The New Task (Run) command is removed from Task Ma ...

CCE-33775-8
Configure Direct Access connections as a fast network connection This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy. When Group Policy detects the bandwidth speed o ...

CCE-35797-0
Force a specific background and accent color This setting configures Windows to use the specified colors for the background and accent. The color values are specified in hex as #RGB. By default, users can change the background and accent colors. If you enable this setting, the background and ...

CCE-34470-5
QoS Admission Control This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting ...

CCE-34746-8
Turn off highlight misspelled words This policy turns off the highlight misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The highlight misspelled words option controls whether or not spelling errors in typed ...

CCE-35437-3
Domain controller: Refuse machine account password changes This security setting determines whether domain controllers will refuse requests from member computers to change computer account passwords. By default, member computers change their computer account passwords every 30 days. If enabled, the ...

CCE-33003-5
Removable Disks: Deny execute access This policy setting denies execute access to removable disks. If you enable this policy setting, execute access will be denied to this removable storage class. If you disable or do not configure this policy setting, execute access will be allowed to this remov ...

CCE-35294-8
Devices: Restrict floppy access to locally logged-on user only This policy setting determines whether removable floppy media are accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable floppy m ...

CCE-34110-7
Change Start Menu power button Set the default action of the power button on the Start menu. If you enable this setting, the Start Menu will set the power button to the chosen action, and not let the user change this action. If you set the button to either Sleep or Hibernate, and that state i ...

CCE-33579-4
Configure Scenario Execution Level Determines the execution level for Windows Boot Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS) wi ...

CCE-34879-7
Prevent Input Panel tab from appearing Prevents Input Panel tab from appearing on the edge of the Tablet PC screen. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter text, symbols, numbers, or keyboard shortcuts. If you enable thi ...

CCE-35161-9
IPX RIP Routing This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the ...

CCE-34417-6
Turn off feature advertisement balloon notifications This policy setting allows you to turn off feature advertisement balloon notifications. If you enable this policy setting, certain notification balloons that are marked as feature advertisements are not shown. If you disable or do not configur ...

CCE-32940-9
Hide the 'Add a program from CD-ROM or floppy disk' option Removes the 'Add a program from CD-ROM or floppy disk' section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. If you disable this setting or do not configur ...

CCE-34822-7
Prevent downloading of enclosures This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. If you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A ...

CCE-35766-5
Turn off access to the performance center core section Removes access to the performance center control panel page. If you enable this setting, some settings within the performance control panel page will not be displayed. The administrative tools will not be affected. If you disable or do not ...

CCE-33895-4
Search, Share, Start, Devices, and Settings don't appear when the mouse is pointing to the upper-right corner of the screen This policy setting allows you to prevent Search, Share, Start, Devices, and Settings from appearing when the mouse is pointing to the upper-right corner of the screen. If ...

CCE-33149-6
Default indexed paths Enabling this policy allows you to specify a list of paths to index by default. The user may override these paths and exclude them from indexing. On a per-user basis, this policy setting will work only if a protocol handler referencing a SID-based user scope, such as MAPI, is ...

CCE-33642-0
Prevent changing screen saver Prevents the Screen Saver dialog from opening in the Personalization or Display Control Panel. This setting prevents users from using Control Panel to add, configure, or change the screen saver on the computer. It does not prevent a screen saver from running.

CCE-34496-0
Do not allow COM port redirection Specifies whether to prevent the redirection of data to client COM ports from the remote computer in a Remote Desktop Services session. You can use this setting to prevent users from redirecting data to COM port peripherals or mapping local COM ports while they ar ...

CCE-35085-0
Specify corporate Website probe URL This policy setting enables you to specify the URL of the corporate website, against which an active probe is performed.

CCE-33699-0
Prevent access to registry editing tools This policy setting disables the Windows registry editors Regedit.exe and Regedt32.exe.

CCE-34078-6
Only use Package Point and print This policy restricts client computers to use package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the dri ...

CCE-34955-5
Disallow selection of Custom Locales This policy setting prevents a user from selecting a supplemental custom locale as their user locale. The user is restricted to the set of locales that are installed with the operating system. This does not affect the selection of replacement locales. To prev ...

CCE-33345-0
Remove links and access to Windows Update Prevents users from connecting to the Windows Update Web site. This setting blocks user access to the Windows Update Web site at http://windowsupdate.microsoft.com. Also, the setting removes the Windows Update hyperlink from the Start menu and from the T ...

CCE-35215-3
Prevent Flicks Learning Mode Makes pen flicks learning mode unavailable. If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the p ...

CCE-33082-9
Configure TPM platform validation profile for native UEFI firmware configurations This policy setting allows you to configure how the computer's Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a c ...

CCE-35677-4
Turn off tracking of app usage This policy setting prevents Windows from keeping track of the apps that are used and searched most frequently. If you enable this policy setting, apps will be sorted alphabetically in: - search results - the Search and Share panes - the drop-down ...

CCE-34692-4
Group Policy Starter GPO Editor This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this polic ...

CCE-35281-5
Prevent the user from running the Backup Status and Configuration program This setting lets you prevent users from running the Backup Status and Configuration program, which links to the file backup, file restore, and Complete PC Backup applications, and shows backup status. If you enable t ...

CCE-33762-6
Turn off Windows+X hotkeys Turn off Windows+X hotkeys. Keyboards with a Windows key provide users with shortcuts to common shell features. For example, pressing the keyboard sequence Windows+R opens the Run dialog box; pressing Windows+E starts File Explorer. By using this setting, you can disab ...

CCE-35072-8
Prevent Radio Station Preset Retrieval This policy setting allows you to prevent radio station presets from being retrieved from the Internet. If you enable this policy setting, the Player is prevented from automatically retrieving radio station presets from the Internet and displaying them in M ...

CCE-33478-9
Turn off Windows Defender Turns off Windows Defender Real-Time Protection, and no more scans are scheduled. If you enable this policy setting, Windows Defender does not run, and computers will not be scanned for spyware or other potentially unwanted software. If you disable or do not configure th ...

CCE-35424-1
Use automated site coverage by the DC Locator DNS SRV Records This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes, then 20 ...

CCE-33566-1
Turn off File History This policy setting allows you to turn off File History. If you enable this policy setting, File History cannot be activated to create regular, automatic backups. If you disable or do not configure this policy setting, File History can be activated to create regular, aut ...

CCE-34483-8
DFS Management This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the sn ...

CCE-35019-9
Allow time zone redirection This policy setting allows you to specify whether the client computer redirects its time zone settings to the Remote Desktop Services session. If you enable this policy setting, clients that are capable of time zone redirection send their time zone information to the ...

CCE-34287-3
Control the location of the log file This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this pol ...

CCE-33905-1
Turn on catch-up quick scan This policy setting allows you to configure catch-up scans for scheduled quick scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled ...

CCE-33421-9
Enable RemoteFX encoding for RemoteFX clients designed for Windows Server 2008 R2 SP1 This policy setting allows you to configure graphics encoding to use the RemoteFX Codec on the Remote Desktop Session Host server so that the sessions are compatible with non-Windows thin client devices designed f ...

CCE-34702-1
Do not allow Windows Journal to be run Prevents start of Windows Journal. If you enable this policy, the Windows Journal accessory will not run. If you disable this policy, the Windows Journal accessory will run. If you do not configure this policy, the Windows Journal accessory will run.

CCE-34154-5
Remove Network Connections from Start Menu Prevents users from running Network Connections. This setting prevents the Network Connections folder from opening. This setting also removes Network Connections from Settings on the Start menu. Network Connections still appears in Control Panel and ...

CCE-34835-9
Set maximum Kerberos SSPI context token buffer size This policy setting allows you to set the value returned to applications which request the maximum size of the SSPI context token buffer size. The size of the context token buffer determines the maximum size of SSPI context tokens an applicatio ...

CCE-34693-2
File Server Resource Manager This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy s ...

CCE-34124-8
Allow installation of devices that match any of these device IDs This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the 'Prevent installation of devices not described by ...

CCE-33105-8
Force specific screen saver This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen s ...

CCE-34377-2
Detect application install failures This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application installations. If you enable this policy setting, the PCA is configured to detect failures in the execution of application installers through heuristi ...

CCE-34440-8
Apply the default account picture to all users This policy setting allows an administrator to standardize the account pictures for all users on a system to the default account picture. One application for this policy setting is to standardize the account pictures to a company logo. Note: The def ...

CCE-33882-2
Configure WPP tracing level This policy allows you to configure tracing levels for Windows software trace preprocessor (WPP Software Tracing). Tracing levels are defined as: 1 - Error 2 - Warning 3 - Info 4 - Debug If you enable this setting, you can configure the WPP Software Tracing le ...

CCE-34573-6
CD and DVD: Deny write access This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this r ...

CCE-34703-9
Do not check for user ownership of Roaming Profile Folders This setting disables the more secure default setting for the user's roaming user profile folder. Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created a ...

CCE-35779-8
Turn off Data Execution Prevention for HTML Help Executible This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced DEP. DEP is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows. If you enab ...

CCE-33829-3
Do not sync start settings Prevent the 'Start layout' group from syncing to and from this PC. This turns off and disables the 'Start layout' group on the 'sync your settings' page in PC settings. If you enable this policy setting, the 'Start layout' group will not be synced. U ...

CCE-34836-7
Turn off Windows Location Provider This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Loc ...

CCE-32983-9
Remove Properties from the Documents icon context menu This policy setting hides the Properties menu command on the shortcut menu for the My Documents icon. If you enable this policy setting, the Properties menu command will not be displayed when the user does any of the following: Right-clic ...

CCE-33434-2
Set the default source path for Update-Help This policy setting allows you to set the default value of the SourcePath parameter on the Update-Help cmdlet. If you enable this policy setting, the Update-Help cmdlet will use the specified value as the default value for the SourcePath parameter. Thi ...

CCE-35592-5
Set the Seed Server This setting sets the seed server for the global cloud to a specified node in the enterprise. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPv6 address and port number. The protocol, in some cases, requires a seed server from which t ...

CCE-34969-6
Low Battery Notification Level Specifies the percentage of battery capacity remaining that triggers the low battery notification action. If you enable this policy, you must enter a numeric value (percentage) to set the battery level that triggers the low notification. To set the action that is tr ...

CCE-34507-4
Do not allow sessions without mutual CHAP If enabled then only those sessions that are configured for mutual CHAP may be established. If disabled then sessions that are configured for mutual CHAP or sessions not configured for mutual CHAP may be established.

CCE-35539-6
Enforce drive encryption type on fixed data drives This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryp ...

CCE-34560-3
CD and DVD: Deny execute access This policy setting denies execute access to the CD and DVD removable storage class. If you enable this policy setting, execute access will be denied to this removable storage class. If you disable or do not configure this policy setting, execute access will be all ...

CCE-35130-4
Specify the order in which Windows Installer searches for installation files This policy setting specifies the order in which Windows Installer searches for installation files. If you disable or do not configure this policy setting, by default, the Windows Installer searches the network first, t ...

CCE-33238-7
Turn off Autoplay This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. Prior to Windows XP SP2 ...

CCE-35396-1
Do not request alternate credentials Prevents users from submitting alternate logon credentials to install a program. This setting suppresses the 'Install Program As Other User' dialog box for local and network installations. This dialog box, which prompts the current user for the user name and ...

CCE-34497-8
Do not allow Digital Locker to run Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital Lo ...

CCE-33936-6
Search just apps from the Apps view This policy setting prevents the user from searching apps, files, settings (and the web if enabled) when the user searches from the Apps view. This policy setting is only applied when the Apps view is set as the default view for Start. If you enable this po ...

CCE-34333-5
Configure keep-alive connection interval This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is consistent with the client state. After an RD Session Host server client loses the connection to an RD Session Host server, the s ...

CCE-35054-6
Allow unencrypted traffic This policy setting allows you to manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you d ...

CCE-34168-5
Back up log automatically when full This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the 'Retain old events' policy setting is enabled. If you enable this policy setting and the 'Retain old events' policy setting is enabled, the ...

CCE-33793-1
Prevent Codec Download This policy setting allows you to prevent Windows Media Player from downloading codecs. If you enable this policy setting, the Player is prevented from automatically downloading codecs to your computer. In addition, the Download codecs automatically check box on the Player ...

CCE-33314-6
Don't run specified Windows applications Prevents Windows from running the programs you specify in this policy setting. If you enable this policy setting, users cannot run programs that you add to the list of disallowed applications. If you disable this policy setting or do not configure it, ...

CCE-34849-0
Remote Access This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the sn ...

CCE-35646-9
Allow all trusted apps to install This policy setting allows you to manage the installation of app packages that do not originate from the Windows Store. If you enable this policy setting, you can install any trusted app package. A trusted app package is one that is signed with a certificate cha ...

CCE-33447-4
Prohibit viewing of status for an active connection Determines whether users can view the status for an active connection. Connection status is available from the connection status taskbar icon or from the Status dialog box. The Status dialog box displays information about the connection and its ...

CCE-34111-5
Show QuickLaunch on Taskbar This policy setting controls whether the QuickLaunch bar is displayed in the Taskbar. If you enable this policy setting, the QuickLaunch bar will be visible and cannot be turned off. If you disable this policy setting, the QuickLaunch bar will be hidden and cannot ...

CCE-33171-0
Prompt for credentials on the client computer This policy setting determines whether a user will be prompted on the client computer to provide credentials for a remote connection to an RD Session Host server. If you enable this policy setting, a user will be prompted on the client computer-instead ...

CCE-35735-0
Synchronize directory service data This security setting determines which users and groups have the authority to synchronize all directory service data.

CCE-35317-7
Disable indexer backoff If enabled, the search indexer backoff feature will be disabled. Indexing will continue at full speed even when system activity is high. If disabled, backoff logic will be used to throttle back indexing activity when system activity is high. Default is disabled.

CCE-35187-4
Group Policy Object Editor This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy se ...

CCE-33118-1
Restrict Internet communication Specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. If this setting is enabled, all of the policy settings listed in the 'Internet Communication settings' section will be set such that their respective features ...

CCE-33184-3
Set PNRP cloud to resolve only This policy setting limits a node to resolving, but not publishing, names in a specific Peer Name Resolution Protocol (PNRP) cloud. This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example, a client computer can detect other ...

CCE-35383-9
Configure security policy processing This policy setting determines when security policies are updated. This policy setting affects all policies that use the security component of Group Policy, such as those in Windows Settings\Security Settings. This policy setting overrides customized setti ...

CCE-34048-9
Block clean-up of unused language packs This policy setting controls whether the LPRemove task will run to clean up language packs that are installed on a machine but are not used by any users on that machine. If you enable this policy setting, language packs that are installed as part of the s ...

CCE-34925-8
Do not allow compression on all NTFS volumes Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files.

CCE-34257-6
Set 4G Cost This policy setting configures the cost of 4G connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 4G connections on ...

CCE-32996-1
Permit use of Registry preference extension This policy setting allows you to permit or prohibit use of the Registry preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setting, yo ...

CCE-33660-2
Set default name for new Group Policy objects This policy setting allows you to set the default display name for new Group Policy objects. This setting allows you to specify the default name for new Group Policy objects created from policy compliant Group Policy Management tools including the Gr ...

CCE-35174-2
Primary DNS Suffix Specifies the primary Domain Name System (DNS) suffix for all affected computers. The primary DNS suffix is used in DNS name registration and DNS name resolution. This setting lets you specify a primary DNS suffix for a group of computers and prevents users, including administra ...

CCE-34453-1
Hide 'Windows Features' This setting prevents users from accessing the 'Turn Windows features on or off' task from the Programs Control Panel in Category View, Programs and Features in Classic View, and Get Programs. As a result, users cannot view, enable, or disable various Windows features and s ...

CCE-35250-0
Specify the search server for device driver updates This policy setting allows you to specify the search server that Windows uses to find updates for device drivers. If you enable this policy setting, you can select whether Windows searches Windows Update (WU), searches a Managed Server, or a co ...

CCE-33380-7
Add Printer wizard - Network scan page (Managed network) This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on a managed network (when the computer is able to reach a domain controller, e.g. a domain-joined laptop on a corporate net ...

CCE-34729-4
Prevent Application Sharing in true color Prevents users from sharing applications in true color. True color sharing uses more bandwidth in a conference.

CCE-33803-8
Prevent users from using Windows Installer to install updates and upgrades This policy setting prevents users from using Windows Installer to install patches. If you enable this policy setting, users are prevented from using Windows Installer to install patches. Patches are updates or upgrades t ...

CCE-33327-8
Remove Games link from Start Menu If you enable this policy the start menu will not show a link to the Games folder. If you disable or do not configure this policy, the start menu will show a link to the Games folder, unless the user chooses to remove it in the start menu control panel.

CCE-35365-6
Maximum lifetime for user ticket This security setting determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used. When a user's TGT expires, a new one must be requested or the existing one must be 'renewed.' Default: 10 hours.

CCE-33584-4
Hide 'Set Program Access and Computer Defaults' page This setting removes the Set Program Access and Defaults page from the Programs Control Panel. As a result, users cannot view or change the associated page. The Set Program Access and Computer Defaults page allows administrators to specify de ...

CCE-35112-2
Verify old and new Folder Redirection targets point to the same share before redirecting This policy setting allows you to prevent data loss when you change the target location for Folder Redirection, and the new and old targets point to the same network share, but have different network paths. ...

CCE-33923-4
Specify the time to check for definition updates This policy setting allows you to specify the time of day at which to check for definition updates. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default this sett ...

CCE-34805-2
Events.asp program This is the program that will be invoked when the user clicks the events.asp link.

CCE-33403-7
Allow non-administrators to receive update notifications This policy setting allows you to control whether non-administrative users will receive update notifications based on the 'Configure Automatic Updates' policy setting. If you enable this policy setting, Windows Automatic Update and Mic ...

CCE-35049-6
Events.asp URL This is the URL that will be passed to the Description area in the Event Properties dialog box. Change this value if you want to use a different Web server to handle event information requests.

CCE-34662-7
Hide the Security page Hides the Security page of the Tools Options dialog. Users will not then be able to change call security and authentication settings.

CCE-34479-6
DFS Management Extension This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setti ...

CCE-33727-9
Turn off toast notifications on the lock screen This policy setting turns off toast notifications on the lock screen. If you enable this policy setting, applications will not be able to raise toast notifications on the lock screen. If you disable or do not configure this policy setting, toast ...

CCE-33393-0
Allow Delegating Default Credentials This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enable this policy setting you can specify t ...

CCE-33140-5
Turn off desktop gadgets This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the desktop. If you enable this setting, desktop gadgets will be turned off. If you disable or do not configure this setting, desktop gadgets wi ...

CCE-35036-3
Allow Screen Saver This policy setting allows a screen saver to interrupt playback. If you enable this policy setting, a screen saver is displayed during playback of digital media according to the options selected on the Screen Saver tab in the Display Properties dialog box in Control Panel. The ...

CCE-34106-5
Prevent changes to Taskbar and Start Menu Settings Removes the Taskbar and Start Menu item from Settings on the Start menu. This setting also prevents the user from opening the Taskbar Properties dialog box. If the user right-clicks the taskbar and then clicks Properties, a message appears expla ...

CCE-33910-1
Allow definition updates from Microsoft Update This policy setting allows you to enable download of definition updates from Microsoft Update even if the Automatic Updates default server is configured to another download source such as Windows Update. If you enable this setting, definition update ...

CCE-35245-0
Do Not Show Anchor Prevents the anchor window from being displayed when Windows Media Player is in skin mode. This policy hides the anchor window when the Player is in skin mode. In addition, the option on the Player tab in the Player that enables users to choose whether the anchor window displa ...

CCE-35694-9
Specify Windows Service Pack installation file location Specifies an alternate location for Windows Service Pack installation files. To enable this setting, enter the fully qualified path to the new location in the 'Windows Service Pack Setup file path' box. If you disable this setting or do not ...

CCE-35441-5
Default indexed paths Enabling this policy allows you to specify a list of paths to index by default. The user may override these paths and exclude them from indexing.

CCE-34675-9
Specify permitted managers This policy setting determines the permitted list of hosts that can submit a query to the Simple Network Management (SNMP) agent running on the client computer. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a ...

CCE-34466-3
Run legacy logon scripts hidden This policy setting hides the instructions in logon scripts written for Windows NT 4.0 and earlier. Logon scripts are batch files of instructions that run when the user logs on. By default, Windows 2000 displays the instructions in logon scripts written for Windo ...

CCE-33197-5
Specify Windows installation file location Specifies an alternate location for Windows installation files. To enable this setting, enter the fully qualified path to the new location in the 'Windows Setup file path' box. If you disable this setting or do not configure it, the Windows Setup sou ...

CCE-35811-9
Turn off the Store application Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. Access to the Store is required for installing app updates. If you disable or don't configure this setting, access to the Store application i ...

CCE-33847-5
Configure local setting override for monitoring file and program activity on your computer This policy setting configures a local override for the configuration of monitoring for file and program activity on your computer. This setting can only be set by Group Policy. If you enable this setting, ...

CCE-34096-8
Run only specified Windows applications Limits the Windows programs that users have permission to run on the computer. If you enable this policy setting, users can only run programs that you add to the list of allowed applications. If you disable this policy setting or do not configure it, us ...

CCE-35156-9
Microsoft Support Diagnostic Tool: Configure execution level Determines the execution level for Microsoft Support Diagnostic Tool. Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you enable this policy setting, administrators will be able ...

CCE-35615-4
Turn off Windows Online This policy setting specifies whether users can search and view content from Windows Online in Help and Support. Windows Online provides the most up-to-date Help content for Windows. If you enable this policy setting, users are prevented from accessing online assistance c ...

CCE-32970-6
Reduce Display Brightness (On Battery) Specify the period of inactivity before Windows automatically reduces brightness of the display. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically reduces ...

CCE-33834-3
Define addresses to bypass proxy server This policy, if defined, will prevent antimalware from using the configured proxy server when communicating with the specified IP addresses. The address value should be entered as a valid URL. If you enable this setting, the proxy server will be bypassed f ...

CCE-35419-1
Show first sign-in animation This policy setting allows you to control whether users see the first sign-in animation when signing in to the PC for the first time. If you enable this policy setting, users will see the animation. If you disable this policy setting, users will not see the animat ...

CCE-33967-1
Remove Pictures icon from Start Menu Removes the Pictures icon from the Start Menu.

CCE-33638-8
Failover Clusters Manager This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy set ...

CCE-34435-8
Define Activation Security Check exemptions Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security check. DCOM uses two such lists, one configured via Group Policy through this policy setting, and the other via the actions ...

CCE-33273-4
SNMP This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap-in is ...

CCE-34070-3
Turn on BranchCache This policy setting specifies whether BranchCache is enabled on the client computer. BranchCache reduces the utilization of the wide area network (WAN) links connecting branch offices to the data center or headquarters and increases access speeds for content that has already bee ...

CCE-35472-0
Application Configuration This setting helps prevent vulnerabilities in software from being successfully exploited for specific applications. You can use this setting to help reduce the potential for attacks on an application. If you enable this setting for an application, then the configured mit ...

CCE-34017-4
Disallow user override of locale settings This policy prevents the user from customizing their locale by changing their user overrides. Any existing overrides in place when this policy is enabled will be frozen. To remove existing user overrides, first reset the user(s) values to the defaults and ...

CCE-33954-9
Set 6to4 Relay Name Resolution Interval This policy setting allows you to specify the interval at which the relay name is resolved. The 6to4 relay name resolution interval setting has no effect if 6to4 connectivity is not available on the host. If you enable this policy setting, you can specify ...

CCE-33077-9
Deny write access to removable drives not protected by BitLocker This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protecte ...

CCE-34359-0
Subnet definitions are authoritative Turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment. If you enable this policy setting, it turns off Windows Network Isolation's automatic discovery of private network hosts in the domain cor ...

CCE-33701-4
Prevent subscribing to or deleting a feed or a Web Slice This policy setting prevents the user from subscribing to or deleting a feed or a Web Slice. If you enable this policy setting, the menu command to subscribe to a feed and the menu command to delete a feed are disabled, and access to Web S ...

CCE-35485-2
System SEHOP This setting allows you to configure the EMET system-wide Structured Exception Handler Overwrite Protection (SEHOP) mitigation setting. This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided ...

CCE-35289-8
Disallow Autoplay for non-volume devices This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting ...

CCE-34422-6
Do not allow taskbars on more than one display This policy setting allows you to prevent taskbars from being displayed on more than one monitor. If you enable this policy setting, users are not able to show taskbars on more than one display. The multiple display section is not enabled in the tas ...

CCE-35704-6
Choose how BitLocker-protected removable drives can be recovered This policy setting allows you to control how BitLocker-protected removable data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The 'Allow data recovery a ...

CCE-33505-9
Allow signed updates from an intranet Microsoft update service location This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. If you enable this policy s ...

CCE-33758-4
Remove the Search the Internet 'Search again' link If you enable this policy, the 'Internet' 'Search again' link will not be shown when the user performs a search in the Explorer window. If you disable this policy, there will be an 'Internet' 'Search again' link when the user performs a search i ...

CCE-33429-2
Specify timeout for fast user switching events This policy setting specifies the number of seconds a pending fast user switch event will remain active before the switch is initiated. By default, a fast user switch event is active for 10 seconds before becoming inactive. If you enable this polic ...

CCE-35023-1
Standard User Total Lockout Threshold This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Locko ...

CCE-35681-6
Do not send additional data This policy setting controls whether additional data in support of error reports can be sent to Microsoft automatically. If you enable this policy setting, any additional data requests from Microsoft in response to a Windows Error Reporting report are automatically de ...

CCE-34688-2
Removable Disks: Deny read access This policy setting denies read access to removable disks. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this removable storage class ...

CCE-33482-1
SMTP Protocol This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the sn ...

CCE-34226-1
DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax This policy setting determines which users or groups might access DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. You can use ...

CCE-35352-4
IAS Logging This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap ...

CCE-34109-9
Remove access to the context menus for the taskbar Hides the menus that appear when you right-click the taskbar and items on the taskbar, such as the Start button, the clock, and the taskbar buttons. This setting does not prevent users from using other methods to issue the commands that appear o ...

CCE-33930-9
Automatically workplace join client computers This setting lets you configure how domain joined client computers become workplace joined with domain users at your organization. If this setting is enabled, domain-joined client computers will automatically become workplace-joined upon domain user ...

CCE-34425-9
Turn off taskbar thumbnails This policy setting allows you to turn off taskbar thumbnails. If you enable this policy setting, the taskbar thumbnails are not displayed and the system uses standard text for the tooltips. If you disable or do not configure this policy setting, the taskbar thumbn ...

CCE-34678-3
Configure server authentication for client This policy setting allows you to specify whether the client will establish a connection to the RD Session Host server when the client cannot authenticate the RD Session Host server. If you enable this policy setting, you must specify one of the following ...

CCE-33471-4
Turn off Windows Installer This policy setting restricts the use of Windows Installer. If you enable this policy setting, you can prevent users from installing software on their systems or permit users to install only those programs offered by a system administrator. You can use the options in t ...

CCE-35565-1
Windows Firewall: Block IP protocol number 41 Use this outbound rule to block IP protocol number 41.

CCE-34282-4
Allow Print Spooler to accept client connections This policy controls whether the print spooler will accept client connections. When the policy is unconfigured, the spooler will not accept client connections until a user shares out a local printer or opens the print queue on a printer connection, ...

CCE-34741-9
Disk Management This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the ...

CCE-33275-9
Turn on Script Execution This policy setting lets you configure the script execution policy, controlling which scripts are allowed to run. If you enable this policy setting, the scripts selected in the drop-down list are allowed to run. The 'Allow only signed scripts' policy setting allows sc ...

CCE-35432-4
Indexer data location Store indexer database in this directory. This directory must be located on a local fixed drive.

CCE-34558-7
Set 3G Cost This policy setting configures the cost of 3G connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the ...

CCE-33591-9
Do not allow local administrators to customize permissions Specifies whether to disable the administrator rights to customize security permissions in the Remote Desktop Session Host Configuration tool. You can use this setting to prevent administrators from making changes to the user groups on the ...

CCE-35236-9
Set time limit for disconnected sessions This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session remains active on the server. By default, Remote ...

CCE-33867-3
Turn on network protection against exploits of known vulnerabilities This policy setting allows you to configure network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, the network protection will be enabled. If you disable this setting, t ...

CCE-34099-2
Gray unavailable Windows Installer programs Start Menu shortcuts Displays Start menu shortcuts to partially installed programs in gray text. This setting makes it easier for users to distinguish between programs that are fully installed and those that are only partially installed. Partially i ...

CCE-35093-4
Turn off Steps Recorder This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The dat ...

CCE-34754-2
Guaranteed service type Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to packe ...

CCE-34545-4
Set Teredo Server Name This policy setting allows you to specify the name of the Teredo server. This server name will be used on the Teredo client computer where this policy setting is applied. If you enable this policy setting, you can specify a Teredo server name that applies to a Teredo clien ...

CCE-35445-6
Control slow network connection timeout for user profiles This policy setting defines a slow connection for roaming user profiles and establishes thresholds for two tests of network speed. To determine the network performance characteristics, a connection is made to the file share storing the u ...

CCE-35249-2
Report when logon server was not available during user logon This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. If enabled, a notification popup will be ...

CCE-33351-8
Turn off the 'Order Prints' picture task This policy setting specifies whether the 'Order Prints Online' task is available from Picture Tasks in Windows folders. The Order Prints Online Wizard is used to download a list of providers and allow users to order prints online. If you enable this p ...

CCE-33854-1
Configure local setting override to turn on real-time protection This policy setting configures a local override for the configuration to turn on real-time protection. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over G ...

CCE-35815-0
WDigest Authentication (disabling may require KB2871997) When WDigest authentication is enabled, Lsass.exe retains a copy of the user's plaintext password in memory, where it can be at risk of theft. Microsoft recommends disabling WDigest authentication unless it is needed. If this setting is no ...

CCE-33987-9
Delay Restart for scheduled installations Specifies the amount of time for Automatic Updates to wait before proceeding with a scheduled restart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the installation is finished. If the status is set ...

CCE-33484-7
Isolate print drivers from applications Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. Not all applications support d ...

CCE-34950-6
Computer Management This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, ...

CCE-33155-3
Check Administrator Group Membership This configuration item uses PowerShell to compare membership of the local Administrators group on the system with a list of approved accounts. It is designed to be exported within DCM Management Packs. To function it requires that the PowerShell execut ...

CCE-34349-1
Allow time invalid certificates This policy setting permits those certificates to be displayed for logon that are either expired or not yet valid. Under previous versions of Microsoft Windows, certificates were required to contain a valid time and not be expired. The certificate must still be acc ...

CCE-33658-6
Configure Group Policy domain controller selection This policy setting determines which domain controller the Group Policy Object Editor snap-in uses. If you enable this setting, you can choose which domain controller is used according to these options: 'Use the Primary Domain Controller' indicates ...

CCE-35312-8
Do not sync personalize Prevent the 'personalize' group from syncing to and from this PC. This turns off and disables the 'personalize' group on the 'sync your settings' page in PC settings. If you enable this policy setting, the 'personalize' group will not be synced. Use the option 'Allow ...

CCE-34318-6
CD and DVD: Deny write access This policy setting denies write access to the CD and DVD removable storage class. If you enable this policy setting, write access will be denied to this removable storage class. If you disable or do not configure this policy setting, write access will be allowed to ...

CCE-33974-7
Save copies of transform files in a secure location on workstation This policy setting saves copies of transform files in a secure location on the local computer. Transform files consist of instructions to modify or customize a program during installation. If you enable this policy setting, t ...

CCE-34175-0
Prevent the wizard from running. By default, Add features to Windows 8 is available for all administrators. If you enable this policy setting, the wizard will not run. If you disable this policy setting or set it to Not Configured, the wizard will run.

CCE-33721-2
System settings: Optional subsystems This policy setting determines which subsystems are used to support applications in your environment. Note: When you configure this setting you specify a list of one or more objects. The delimiter used when entering the list is a line feed or carriage return, th ...

CCE-34371-5
Do not automatically make all redirected folders available offline This policy setting allows you to control whether all redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you e ...

CCE-34887-0
Primary DNS Suffix Devolution Determines whether the DNS client performs primary DNS suffix devolution in a name resolution process. When a user submits a query for a single-label name, such as 'example', a local DNS client attaches a suffix, such as 'microsoft.com', resulting in the query 'exampl ...

CCE-35672-5
Do not include Non-Publishing Standard Glyph in the candidate list This policy setting allows you to include the Non-Publishing Standard Glyph in the candidate list when Publishing Standard Glyph for the word exists. If you enable this policy setting, Non-Publishing Standard Glyph is not include ...

CCE-34514-0
Do not allow window animations This policy setting controls the appearance of window animations such as those found when restoring, minimizing, and maximizing windows. If you enable this setting, window animations will be turned off. If you disable or do not configure this setting, window animati ...

CCE-33364-1
Turn Off the Hard Disk (Plugged In) Specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. If you disable this policy or do not ...

CCE-35476-1
Default Protections for Popular Software This setting allows you to apply the suggested EMET protections to other popular software (such as iTunes). If you enable this setting, the suggested EMET protections are applied to the other popular software. If you disable this setting, the suggested ...

CCE-33231-2
Boot-Start Driver Initialization Policy This policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications f ...

CCE-35103-1
Specify startup policy processing wait time This policy setting specifies how long Group Policy should wait for network availability notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until the network is available or the default ...

CCE-33497-9
Remove user name from Start Menu Remove the user name label from the Start Menu in Windows XP and Windows Server 2003. To remove the user name folder on Windows Vista, set the 'Remove user folder link from Start Menu' policy.

CCE-34501-7
Set ISATAP Router Name This policy setting allows you to specify a router name or Internet Protocol version 4 (IPv4) address for an ISATAP router. If you enable this policy setting, you can specify a router name or IPv4 address for an ISATAP router. If you enter an IPv4 address of the ISATAP rou ...

CCE-33645-3
Prevent embedded UI This policy setting controls the ability to prevent embedded UI. If you enable this policy setting, no packages on the system can run embedded UI. If you disable or do not configure this policy setting, embedded UI is allowed to run.

CCE-34710-4
Set Teredo Default Qualified This policy setting allows you to set Teredo to be ready to communicate, a process referred to as qualification. By default, Teredo enters a dormant state when not in use. The qualification process brings it out of a dormant state. If you disable or do not configure ...

CCE-33244-5
Turn off Application Compatibility Engine This policy controls the state of the application compatibility engine in the system. The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found i ...

CCE-35489-4
Add workstations to domain This policy setting specifies which users can add computer workstations to a specific domain. For this policy setting to take effect, it must be assigned to the user as part of the Default Domain Controller Policy for the domain. A user who has been assigned this right ca ...

CCE-33898-8
Specify the maximum percentage of CPU utilization during a scan This policy setting allows you to configure the maximum percentage CPU utilization permitted during a scan. Valid values for this setting are a percentage represented by the integers 5 to 100. A value of 0 indicates that there should b ...

CCE-35761-6
Time (in seconds) to force reboot when required for policy changes to take effect Set the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies. If you enable this setting, set the amount of seconds you want the sys ...

CCE-35708-7
Allow network unlock at startup This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system dr ...

CCE-33440-9
Ability to delete all user remote access connections Determines whether users can delete all user remote access connections. To create an all-user remote access connection, on the Connection Availability page in the New Connection Wizard, click the 'For all users' option. If you enable this s ...

CCE-34767-4
Limit number of connections Specifies whether Remote Desktop Services limits the number of simultaneous connections to the server. You can use this setting to restrict the number of Remote Desktop Services sessions that can be active on a server. If this number is exceeded, additional users who try ...

CCE-35027-2
Turn off the ability to create a system image This setting lets you disable the creation of system images. If you enable this policy setting, users cannot create system images. If you disable or do not configure this policy setting, users can create system ...

CCE-33512-5
Devices: Restrict CD-ROM access to locally logged-on user only This policy setting determines whether a CD-ROM is accessible to both local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CD-ROM media. When this ...

CCE-33111-6
Desktop Wallpaper Specifies the desktop background ('wallpaper') displayed on all users' desktops. This setting lets you specify the wallpaper on users' desktops and prevents users from changing the image or its presentation. The wallpaper you specify can be stored in a bitmap (*.bmp) or JPEG (* ...

CCE-34438-2
Directory pruning interval Specifies how often the pruning service on a domain controller contacts computers to verify that their printers are operational. The pruning service periodically contacts computers that have published printers. If a computer does not respond to the contact message (optio ...

CCE-33765-9
Show lock in the user tile menu Shows or hides lock from the user tile menu. If you enable this policy setting, the lock option will be shown in the User Tile menu. If you disable this policy setting, the lock option will never be shown in the User Tile menu. If you do not configure this po ...

CCE-35075-1
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. If you enable this policy setting, the ...

CCE-34580-1
Do not allow manual configuration of iSNS servers If enabled then new iSNS servers may not be added and thus new targets discovered via those iSNS servers; existing iSNS servers may not be removed. If disabled then new iSNS servers may be added and thus new targets discovered via those iSNS servers ...

CCE-34843-3
Connection Sharing (NAT) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy sett ...

CCE-33377-3
Turn off password security in Input Panel Adjusts password security settings in Tablet PC Input Panel. These settings include using the on-screen keyboard by default, preventing users from switching to another Input Panel skin (the writing pad or character pad), and not showing what keys are tapped ...

CCE-33908-5
Turn on removal of items from scan history folder This policy setting defines the number of days items should be kept in the scan history folder before being permanently removed. The value represents the number of days to keep items in the folder. If set to zero, items will be kept forever and will ...

CCE-35787-1
.Net Framework Configuration This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-33569-5
Redirect folders on primary computers only This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private ...

CCE-33632-1
Certificates This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the sna ...

CCE-34976-1
RAS Dialin - User Node This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy settin ...

CCE-33961-4
Use mandatory profiles on the RD Session Host server This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server. If you enable this policy setting, Remote Desktop Services uses the path specifie ...

CCE-33004-3
Removable Disks: Deny write access This policy setting denies write access to removable disks. If you enable this policy setting, write access will be denied to this removable storage class. If you disable or do not configure this policy setting, write access will be allowed to this removable sto ...

CCE-33320-3
Clear history of recently opened documents on exit Clear history of recently opened documents on exit. If you enable this setting, the system deletes shortcuts to recently used document files when the user logs off. As a result, the Recent Items menu on the Start menu is always empty when the us ...

CCE-32941-7
Hide the 'Add programs from your network' option Prevents users from viewing or installing published programs. This setting removes the 'Add programs from your network' section from the Add New Programs page. The 'Add programs from your network' section lists published programs and provides an e ...

CCE-34011-7
Disable remote Desktop Sharing Disables the remote desktop sharing feature of NetMeeting. Users will not be able to set it up or use it for controlling their computers remotely.

CCE-33200-7
Turn Off Boot and Resume Optimizations Turns off the boot and resume optimizations for the hybrid hard disks in the system. If you enable this policy setting, the system does not use the non-volatile (NV) cache to optimize boot and resume. If you disable this policy setting, the system uses the N ...

CCE-35610-5
Permit use of Regional Options preference extension This policy setting allows you to permit or prohibit use of the Regional Options preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this po ...

CCE-34144-6
Location where all default Library definition files for users/machines reside. This policy setting allows you to specify a location where all default Library definition files for users/machines reside. If you enable this policy setting, administrators can specify a path where all default Library ...

CCE-32998-7
Permit use of Shortcuts preference extension This policy setting allows you to permit or prohibit use of the Shortcuts preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setting, ...

CCE-35195-7
Force Rediscovery Interval The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. When DC Locator finds a domain controller, it caches domain controllers to improve the efficiency of the location algorithm. As long as the ...

CCE-33453-2
Prefer link local responses over DNS when received over a network with higher precedence Specifies that responses from link local name resolution protocols received over a network interface that is higher in the binding order are preferred over DNS responses from network interfaces lower in the bin ...

CCE-34251-9
Disk Diagnostic: Configure custom alert text Substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. If you enable this policy setting, Windows will display custom alert text in the disk diagnostic message. The custom text may not exceed ...

CCE-33752-7
Remove DFS tab This policy setting allows you to remove the DFS tab from File Explorer. If you enable this policy setting, the DFS (Distributed File System) tab is removed from File Explorer and from other programs that use the File Explorer browser, such as My Computer. As a result, users canno ...

CCE-35414-2
Configure the level of TPM owner authorization information available to the operating system This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored loc ...

CCE-33257-7
Turn off Windows HotStart This policy setting allows you to manage whether HotStart buttons can be used to launch applications. If you enable this policy setting, applications cannot be launched using the HotStart buttons. If you disable or do not configure this policy setting, applications can b ...

CCE-35547-9
Remove the Desktop Cleanup Wizard Prevents users from using the Desktop Cleanup Wizard. If you enable this setting, the Desktop Cleanup wizard does not automatically run on a user's workstation every 60 days. The user will also not be able to access the Desktop Cleanup Wizard. If you disable t ...

CCE-33885-5
Scan archive files This policy setting allows you to configure scans for malicious software and unwanted software in archive files such as .ZIP or .CAB files. If you enable or do not configure this setting, archive files will be scanned. If you disable this setting, archive files will not be ...

CCE-35325-0
Prevent indexing files in offline files cache If enabled, files on network shares made available offline are not indexed. Otherwise they are indexed. Disabled by default.

CCE-34989-4
Maximum lifetime for user ticket renewal This policy setting determines the period of time (in days) during which a user's ticket-granting ticket (TGT) can be renewed. To prevent 'replay attacks,' the Kerberos authentication protocol uses time stamps as part of its protocol definition. For time sta ...

CCE-34736-9
NAP Client Configuration This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy sett ...

CCE-33333-6
Remove Search Computer link If you enable this policy, the 'See all results' link will not be shown when the user performs a search in the start menu search box. If you disable or do not configure this policy, the 'See all results' link will be shown when the user performs a search in the start ...

CCE-33819-4
Configure Group Policy Caching This policy setting allows you to configure Group Policy caching behavior. If you enable or do not configure this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and ...

CCE-35743-4
Disable Windows Error Reporting This policy setting turns off Windows Error Reporting, so that reports are not collected or sent to either Microsoft or internal servers within your organization when software unexpectedly stops working or fails. If you enable this policy setting, Windows Error Re ...

CCE-35578-4
Set client connection encryption level This policy setting specifies whether the computer that is about to host the remote connection will enforce an encryption level for all data sent between it and the client computer for the remote session.

CCE-34277-4
Do not allow printing to Journal Note Writer Prevents printing to Journal Note Writer. If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. If you dis ...

CCE-33872-3
Configure local setting override for schedule scan day This policy setting configures a local override for the configuration of scheduled scan day. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. If y ...

CCE-33466-4
Timeout for hung logon sessions during shutdown The number of minutes the system will wait for the hung logon sessions before proceeding with the system shutdown. If this setting is enabled, the system will wait for the hung logon sessions for the amount of minutes specified. If this setting is ...

CCE-35062-9
Prevent Roaming Profile changes from propagating to the server This setting determines if the changes a user makes to their roaming profile are merged with the server copy of their profile. By default, when a roaming profile user logs on to a computer, their roaming profile is copied down to the l ...

CCE-33676-8
Guaranteed service type Specifies an alternate link layer (Layer-2) priority value for packets with the Guaranteed service type (ServiceTypeGuaranteed). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you can change th ...

CCE-34340-0
Disable text prediction Prevents the Tablet PC Input Panel from providing text prediction suggestions. This policy applies for both the on-screen keyboard and the handwriting tab. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to enter ...

CCE-33137-1
Use positive periodic DC cache refresh for background callers This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that periodically attempt to locate DCs, and it is applied before returning the DC information to the caller ...

CCE-34932-4
Enable disk quotas Enables and disables disk quota management on all NTFS volumes of the computer, and prevents users from changing the setting. If you enable this setting, disk quota management is enabled, and users cannot disable it. If you disable the setting, disk quota management is disabled ...

CCE-34473-9
Services This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap-in ...

CCE-34055-4
Turn off Multicast Name Resolution Local Link Multicast Name Resolution (LLMNR) is a secondary name resolution protocol. Queries are sent over the Local Link, a single subnet, from a client machine using Multicast to which another client on the same link, which also has LLMNR enabled, can respond. ...

CCE-33939-0
Start Screen Layout Specifies the Start screen layout for users. This setting lets you specify the Start screen layout for users and prevents them from changing its configuration. The Start screen layout you specify must be stored in an XML file that was generated by the Export-StartLayout Power ...

CCE-34460-6
Custom Classes: Deny read access This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access is denied to these removable storage classes. If you disable or do not configure this policy setting, read access is allowed to these rem ...

CCE-32954-0
Prohibit Flyweight Patching This setting controls the ability to turn off all patch optimizations. If you turn on this policy setting (set to 1), all Patch Optimization options are turned off during the installation. If you turn off this policy setting, it enables faster application of patches b ...

CCE-33796-4
Allow users to use media source while elevated This policy setting allows users to install programs from removable media during privileged installations. If you enable this policy setting, all users are permitted to install programs from removable media, such as floppy disks and CD-ROMs, even wh ...

CCE-34397-0
Configure the list of blocked TPM commands This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM comma ...

CCE-34869-8
Only allow local user profiles This setting determines if roaming user profiles are available on a particular computer. By default, when roaming profile users log on to a computer, their roaming profile is copied down to the local computer. If they have already logged on to this computer in the pas ...

CCE-34264-2
Turn on Module Logging This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy sett ...

CCE-35129-6
FAX Service This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap ...

CCE-35730-1
Set the SMTP Server used to send notifications This setting assigns the address of the SMTP server that sends out notifications. If you enable this setting, Windows System Resource Manager (WSRM) will set the SMTP server to the value specified. If you disable this setting, no SMTP server (default ...

CCE-33346-8
Remove the 'Undock PC' button from the Start Menu If you enable this setting, the 'Undock PC' button is removed from the simple Start Menu, and your PC cannot be undocked. If you disable this setting or do not configure it, the 'Undock PC' button remains on the simple Start menu, and your PC can ...

CCE-33663-6
Enforce disk quota limit Determines whether disk quota limits are enforced and prevents users from changing the setting. If you enable this setting, disk quota limits are enforced. If you disable this setting, disk quota limits are not enforced. When you enable or disable the setting, the system d ...

CCE-35240-1
Turn off restore functionality This setting lets you disable file restore functionality. If you enable this policy setting, the file restore program is disabled. If you disable or do not configure this policy setting, the file restore program is enabled and users can restore files.

CCE-35636-0
Turn off IDN encoding Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. If this policy setting is ...

CCE-34101-6
Remove common program groups from Start Menu Removes items in the All Users profile from the Programs menu on the Start menu. By default, the Programs menu contains items from the All Users profile and items from the user's profile. If you enable this setting, only items in the user's profile ap ...

CCE-34670-0
Limit the size of sent files Limits the size of files users can send to others in a conference.

CCE-34221-2
Use localized subfolder names when redirecting Start Menu and My Documents This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Me ...

CCE-33422-7
Allow RDP redirection of other supported RemoteFX USB devices from this computer This policy setting allows you to permit RDP redirection of other supported RemoteFX USB devices from this computer. Redirected RemoteFX USB devices will not be available for local usage on this computer. If you ena ...

CCE-35297-1
Enable AD/DFS domain controller synchronization during policy refresh Enabling this setting will cause the Group Policy Client to connect to the same domain controller for DFS shares as is being used for Active Directory.

CCE-33806-1
Return domain controller address type This policy setting determines the type of IP address that is returned for a domain controller. The DC Locator APIs return the IP address of the DC with the other parts of information. Before the support of IPv6, the returned DC IP address was IPv4. But with th ...

CCE-35120-5
Internet proxy servers for apps This setting does not apply to desktop apps. A semicolon-separated list of Internet proxy server IP addresses. These addresses are categorized as Internet by Windows Network Isolation and are accessible to apps that have the Internet Client or Internet Client ...

CCE-33587-7
Server Manager This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the s ...

CCE-32971-4
Hide Active Directory folder Hides the Active Directory folder in Network Locations. The Active Directory folder displays Active Directory objects in a browse window. If you enable this setting, the Active Directory folder does not appear in the Network Locations folder. If you disable thi ...

CCE-33359-1
Turn off access to the OEM and Microsoft branding section Removes access to the performance center control panel OEM and Microsoft branding links. If you enable this setting, the OEM and Microsoft web links within the performance control panel page will not be displayed. The administrative tools w ...

CCE-34946-4
Prevent receiving files Prevents users from receiving files from others in a conference.

CCE-33926-7
Turn on scan after signature update This policy setting allows you to configure the automatic scan which starts after a definition update has occurred. If you enable or do not configure this setting, a scan will start following a definition update. If you disable this setting, a scan will not ...

CCE-34114-9
Add Printer wizard - Network scan page (Unmanaged network) This policy sets the maximum number of printers (of each type) that the Add Printer wizard will display on a computer on an unmanaged network (when the computer is not able to reach a domain controller, e.g. a domain-joined laptop on a home ...

CCE-33083-7
Disallow standard users from changing the PIN or password This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first. This policy setting is applied when you turn on BitLocker. ...

CCE-35044-7
Scripts (Logon/Logoff) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy settin ...

CCE-34474-7
Shared Folders This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the s ...

CCE-35373-0
Do not allow Clipboard redirection This policy setting specifies whether to prevent the sharing of Clipboard contents (Clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. You can use this setting to prevent users from redirecting Clipb ...

CCE-33650-3
Hide the geographic location option This policy setting removes the option to change the user's geographical location (GeoID) from the Region settings control panel. This policy setting is used only to simplify the Regional Options control panel. If you enable this policy setting, the user do ...

CCE-33913-5
Allow real-time definition updates based on reports to Microsoft MAPS This policy setting allows you to enable real-time definition updates in response to reports sent to Microsoft MAPS. If the service reports a file as an unknown and Microsoft MAPS finds that the latest definition update has defin ...

CCE-33435-9
MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) This entry appears as MSS: (AutoReboot) Allow Windows to automatically restart after a system crash (recommended except for highly secure environments) in the SCE. This ...

CCE-35427-4
Prevent access to drives from My Computer Prevents users from using My Computer to gain access to the content of selected drives. If you enable this setting, users can browse the directory structure of the selected drives in My Computer or File Explorer, but they cannot open folders and access t ...

CCE-34563-7
Configure device installation time-out This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. If you di ...

CCE-35031-4
Prohibit connection to roaming Mobile Broadband networks This policy setting prevents clients from connecting to Mobile Broadband networks when the client is registered on a roaming provider network. If this policy setting is enabled, all automatic and manual connection attempts to roamin ...

CCE-34145-3
Point and Print Restrictions This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. If you enab ...

CCE-35284-9
Remove access to use all Windows Update features This setting allows you to remove access to Windows Update. If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows U ...

CCE-32997-9
Permit use of Scheduled Tasks preference extension This policy setting allows you to permit or prohibit use of the Scheduled Tasks preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this poli ...

CCE-34310-3
Specify log file debug output level This policy setting specifies the level of debug output for the Net Logon service. The Net Logon service outputs debug information to the log file netlogon.log in the directory %windir%\debug. By default, no debug information is logged. If you enable this p ...

CCE-35480-3
EMET Agent Custom Message This setting allows you to configure a custom Tray Icon Message for EMET Agent to notify users when EMET detects an attack. The Tray Icon reporting setting must be turned on to display this message. If you enable this setting, you can define a customized message that wi ...

CCE-34683-3
Lock all taskbar settings This policy setting allows you to lock all taskbar settings. If you enable this policy setting, the user cannot access the taskbar control panel. The user is also unable to resize, move or rearrange toolbars on their taskbar. If you disable or do not configure this p ...

CCE-33770-9
Prevent restoring remote previous versions This setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a file on a file share. If you enable this policy setting, the Restore button is disabled when the user selects a p ...

CCE-34959-7
Turn off non-volatile cache feature This policy setting turns off all support for the non-volatile (NV) cache on all hybrid hard disks in the system. To check if you have hybrid hard disks in the system, from Device Manager, right-click the disk drive and select Properties. The NV cache can be used ...

CCE-33239-5
Log event when quota warning level is exceeded This policy setting determines whether the system records an event in the Application log when users reach their disk quota warning level on a volume. If you enable this policy setting, the system records an event. If you disable this policy setting ...

CCE-33574-5
Customize consent settings This policy setting determines the consent behavior of Windows Error Reporting for specific event types. If this policy setting is enabled and the consent level is set to '0' (Disable), Windows Error Reporting will not send any data to Microsoft for this event. If the c ...

CCE-35712-9
Load a specific theme Specifies which theme file is applied to the computer the first time a user logs on. If you enable this setting, the theme that you specify will be applied when a new user logs on for the first time. This policy does not prevent the user from changing the theme or any of t ...

CCE-33890-5
Specify the interval to run quick scans per day This policy setting allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day). If set to zero, interval qui ...

CCE-33837-6
Display additional text to clients when they need to perform an action This policy setting allows you to configure whether or not to display additional text to clients when they need to perform an action. The text displayed is a custom administrator-defined string. For example, the phone number to ...

CCE-33315-3
Disable binding directly to IPropertySetStorage without intermediate layers. Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. This b ...

CCE-34696-5
Do not allow color changes This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. If you disable or do not configure this policy setting, you allow users to change the defaul ...

CCE-35769-9
Turn off Application Telemetry The policy controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. Turning Application Telemetry off by selecting 'enable' will stop ...

CCE-35307-8
Specify corporate DNS probe host address This policy setting enables you to specify the expected address of the host name used for the DNS probe. Successful resolution of the host name to this address indicates corporate connectivity.

CCE-34025-7
Do not throttle additional data This policy setting determines whether Windows Error Reporting (WER) sends additional, second-level report data even if a CAB file containing data about the same event types has already been uploaded to the server. If you enable this policy setting, WER does not t ...

CCE-34487-9
Automatic Maintenance WakeUp Policy This policy setting allows you to configure Automatic Maintenance wake up policy. The maintenance wakeup policy specifies if Automatic Maintenance should make a wake request to the OS for the daily scheduled maintenance. Note, that if the OS power wa ...

CCE-35360-7
Prevent installation of devices that match any of these device IDs This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows ...

CCE-33448-2
Specify administratively assigned Offline Files This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter ...

CCE-33172-8
Do not display the password reveal button This policy setting allows you to configure the display of the password reveal button in password entry user experiences. If you enable this policy setting, the password reveal button will not be displayed after a user types a password in the password en ...

CCE-34892-0
Domain member: Digitally encrypt or sign secure channel data (always) This policy setting determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. If a system is set to always encrypt or sign secure channel data, it cannot establish a secure ...

CCE-34706-2
Do Not Show First Use Dialog Boxes This policy prevents the Privacy Options and Installation Options dialog boxes from being displayed the first time a user starts Windows Media Player. This policy prevents the dialog boxes which allow users to select privacy, f ...

CCE-35088-4
Suspend user sign-in to complete app registration This policy setting allows you to specify whether the app registration is completed before showing the Start screen to the user. By default, when a new user signs in to a computer, the Start screen is shown and apps are registered in the backgro ...

CCE-34158-6
Allow .rdp files from unknown publishers This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. If you enable or do not configure this policy setting, users can run unsigned .rdp f ...

CCE-33119-9
Restrict user locales This policy restricts users on a machine to the specified list of user locales. If the list is empty, it locks all user locales to their current values. This policy does not change existing user locale settings; however, the next time a user attempts to change their user local ...

CCE-34839-1
Do not allow Windows Media Center to run This policy setting allows or prevents Windows Media Center to run. Windows Media Center is a digital media player and video recorder that allows users to organize and play music and videos, and to view and record live television. If you enable this po ...

CCE-32984-7
Remove Recycle Bin icon from desktop Removes most occurrences of the Recycle Bin icon. This setting removes the Recycle Bin icon from the desktop, from Windows Explorer, from programs that use the Windows Explorer windows, and from the standard Open dialog box. This setting does not prevent t ...

CCE-35342-5
Display instructions in startup scripts as they run This policy setting displays the instructions in startup scripts as they run. Startup scripts are batch files of instructions that run before the user is invited to log on. By default, the system does not display the instructions in the startup ...

CCE-33704-8
Run these programs at user logon This policy setting specifies additional programs or documents that Windows starts automatically when a user logs on to the system. If you enable this policy setting, you can specify which programs can run at the time the user logs on to this computer that has th ...

CCE-33185-0
Set the Email IDs to which notifications are to be sent This setting assigns the email address(es) to which notifications will be sent. Use a semicolon (;) to separate multiple email addresses. If you enable this setting, Windows System Resource Manager (WSRM) will send notifications to the addres ...

CCE-34772-4
Customize message for Access Denied errors This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to requ ...

CCE-34007-5
Directory pruning priority Sets the priority of the pruning thread. The pruning thread, which runs only on domain controllers, deletes printer objects from Active Directory if the printer that published the object does not respond to contact attempts. This process keeps printer information in Acti ...

CCE-34060-4
Turn off sensors This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the sensor feature will be turned off, and all programs on this computer will not be able to use the sensor feature. If you disable or do not configure this poli ...

CCE-33508-3
Always show desktop on connection This policy setting determines whether the desktop is always displayed after a client connects to a remote computer or an initial program can run. It can be used to require that the desktop be displayed after a client connects to a remote computer, even if an initi ...

CCE-34180-0
Prohibit access to properties of components of a LAN connection Determines whether Administrators and Network Configuration Operators can change the properties of components used by a LAN connection. This setting determines whether the Properties button for components of a LAN connection is enab ...

CCE-33381-5
Add the Administrators security group to roaming user profiles This setting adds the Administrator security group to the roaming user profile share. Once an administrator has configured a user's roaming profile, the profile will be created at the user's next login. The profile is created at the lo ...

CCE-33900-2
Specify the scan type to use for a scheduled scan This policy setting allows you to specify the scan type to use during a scheduled scan. Scan type options are: 1 = Quick Scan (default) 2 = Full Scan If you enable this setting, the scan type will be set to the specified value. If you disabl ...

CCE-35026-4
Turn off the ability to back up data files This setting lets you disable the data file backup functionality. If you enable this policy setting, users cannot back up data files. If you disable or do not configure this policy setting, users can back up data files.

CCE-33328-6
Remove All Programs list from the Start menu If you enable this setting, the 'All Programs' item is removed from the simple Start menu. If you disable this setting or do not configure it, the 'All Programs' item remains on the simple Start menu.

CCE-33681-8
Ignore the default list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer's default list of blocked TPM commands and will onl ...

CCE-35013-2
Turn Off UDP On Client This policy setting specifies whether the UDP protocol will be used to access servers via Remote Desktop Protocol. If you enable this policy setting, Remote Desktop Protocol traffic will only use the TCP protocol. If you disable or do not configure this policy setting, ...

CCE-35671-7
Do not allow Flip3D invocation This policy setting allows you to configure the accessibility of the Flip 3D feature. Flip 3D allows the user to view items on the Windows desktop as they are being flipped through in three dimensions. If you enable this policy setting, Flip 3D is inaccessible. ...

CCE-34652-8
Disable application Sharing Disables the application sharing feature of NetMeeting completely. Users will not be able to host or view shared applications.

CCE-35725-1
Restrict these programs from being launched from Help Allows you to restrict programs from being run from online Help. If you enable this setting, you can prevent programs that you specify from being allowed to be run from Help. When you enable this setting, enter the list of the programs you want ...

CCE-33404-5
Allow or Disallow use of the Offline Files feature Determines whether the Offline Files feature is enabled. This setting also disables the 'Enable Offline Files' option on the Offline Files tab. This prevents users from trying to change the option while a setting controls it. Offline Files saves ...

CCE-33628-9
Software Installation (Users) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-34576-9
Telephony This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap-i ...

CCE-35475-3
Default Protections for Internet Explorer This setting allows you to apply the recommended EMET protections to Internet Explorer. If you enable this setting, the recommended EMET protections are applied to Internet Explorer. If you disable this setting, the recommended EMET protections are no ...

CCE-33824-4
Allow development of Windows Store apps without installing a developer license Allows or denies development of Windows Store applications without installing a developer license. If you enable this setting and enable the 'Allow all trusted apps to install' Group Policy, you can develop Wi ...

CCE-35279-9
Set rules for remote control of Remote Desktop Services user sessions This policy setting allows you to specify the level of remote control permitted in a Remote Desktop Services session. You can use this policy setting to select one of two levels of remote control: View Session or Full Control. ...

CCE-34247-7
Disable Windows Error Reporting If this setting is enabled, Windows Error Reporting will not send any problem information to Microsoft. Additionally, solution information will not be available in the Action Center control panel.

CCE-35146-0
Limit audio playback quality This policy setting allows you to limit the audio playback quality for a Remote Desktop Services session. Limiting the quality of audio playback can improve connection performance, particularly over slow links. If you enable this policy setting, you must select one of ...

CCE-35133-8
Disallow changing of geographic location This policy setting prevents users from changing their user geographical location (GeoID). If you enable this policy setting, users cannot change their GeoID. If you disable or do not configure this policy setting, users may select any GeoID. If you ...

CCE-33748-5
Start File Explorer with ribbon minimized This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever t ...

CCE-33078-7
Provide the unique identifiers for your organization This policy setting allows you to associate unique organizational identifiers to a new drive that is enabled with BitLocker. These identifiers are stored as the identification field and allowed identification field. The identification field allow ...

CCE-34469-7
DNS Suffix Search List Determines the DNS suffixes to attach to an unqualified single-label name before submission of a DNS query for that name. An unqualified single-label name contains no dots, such as 'example'. This is different from a fully qualified domain name, such as 'example.microsoft.co ...

CCE-34928-2
Turn off notifications network usage This policy setting blocks applications from using the network to send notifications to update tiles, tile badges, toast, or raw notifications. This policy setting turns off the connection between Windows and the Windows Push Notification Service (WNS). This pol ...

CCE-34216-2
Turn off the Store application Denies or allows access to the Store application. If you enable this setting, access to the Store application is denied. If you disable or do not configure this setting, access to the Store application is allowed.

CCE-33394-8
Allow Delegating Fresh Credentials with NTLM-only Server Authentication This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via NTLM. If you enable this policy setting you can specify ...

CCE-34981-1
Package Point and print - Approved servers Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the 'Point a ...

CCE-35386-2
Specify sites covered by the GC Locator DNS SRV Records This policy setting specifies the sites for which the global catalogs (GC) should register site-specific GC locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site whe ...

CCE-33811-1
Remove Security tab Removes the Security tab from File Explorer. If you enable this setting, users opening the Properties dialog box for all file system objects, including folders, files, shortcuts, and drives, will not be able to access the Security tab. As a result, users will be able to neith ...

CCE-35814-3
Check for the latest virus and spyware definitions before running a scheduled scan This policy setting allows you to manage whether a check for new virus and spyware definitions will occur before running a scan. This setting applies to scheduled scans as well as the command line 'mpcmdrun -SigU ...

CCE-33198-3
Tape Drives: Deny execute access This policy setting denies execute access to the Tape Drive removable storage class. If you enable this policy setting, execute access will be denied to this removable storage class. If you disable or do not configure this policy setting, execute access will be al ...

CCE-35582-6
Permit use of Preferences tab This policy setting allows you to permit or prohibit use of the Preferences tab. When prohibited, the Preferences tab does not appear when you view a preference extension in the Group Policy Management Editor window of the GPMC. The Extended and Standard tabs are unaff ...

CCE-33021-7
Require strict KDC validation This policy setting controls the Kerberos client's behavior in validating the KDC certificate. If you enable this policy setting, the Kerberos client requires that the KDC's X.509 certificate contains the KDC key purpose object identifier in the Extended Key U ...

CCE-33944-0
Set the time Quiet Hours ends each day This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to end each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours settings. If ...

CCE-35253-4
Allow users to browse for source while elevated This policy setting allows users to search for installation files during privileged installations. If you enable this policy setting, the Browse button in the 'Use feature from' dialog box is enabled. As a result, users can search for installation ...

CCE-34412-7
Prevent launch an application Prevents the user from launching an application from a Tablet PC hardware button. If you enable this policy, applications cannot be launched from a hardware button, and 'Launch an application' is removed from the drop down menu for configuring button actions (in the ...

CCE-33615-6
Prevent changing start menu background Prevents users from changing the look of their start menu background, such as its color or accent. By default, users can change the look of their start menu background, such as its color or accent. If you enable this setting, the user will not be able to ...

CCE-35529-7
Audit process tracking This policy setting determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking will generate a large number of events, so typically it is set to ...

CCE-34336-8
Configure MSI Corrupted File Recovery Behavior This policy setting allows you to configure the recovery behavior for corrupted MSI files to one of three states: Prompt for Resolution: Detection, troubleshooting, and recovery of corrupted MSI applications will be enabled. Windows will prompt the us ...

CCE-33931-7
Force automatic setup for all users This policy setting specifies whether Work Folders should be set up automatically for all users of the affected computer. If you enable this policy setting, Work Folders will be set up automatically for all users of the affected computer. This prevents u ...

CCE-34127-1
Allow only USB root hub connected Enhanced Storage devices This policy setting configures whether or not only USB root hub connected Enhanced Storage devices are allowed. Allowing only root hub connected Enhanced Storage devices minimizes the risk of an unauthorized USB device reading data on an En ...

CCE-33470-6
Online Responder This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the ...

CCE-35791-3
Request compound authentication This policy setting allows you to configure a domain controller to request compound authentication. Note: For a domain controller to request compound authentication, the policy 'KDC support for claims, compound authentication, and Kerberos armoring' must be config ...

CCE-35605-5
Set Cost This policy setting configures the cost of Wireless LAN (WLAN) connections on the local machine. If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all WLAN conn ...

CCE-33735-2
Display Error Notification This policy setting controls whether users are shown an error dialog box that lets them report an error. If you enable this policy setting, users are notified in a dialog box that an error has occurred, and can display more details about the error. If the Configure Err ...

CCE-34665-0
Enable Automatic Configuration Configures NetMeeting to download settings for users each time it starts. The settings are downloaded from the URL listed in the 'Configuration URL:' text box. Group Policy based settings have precedence over any conflicting settings set by downloading them from ...

CCE-33592-7
Do not allow non-Enhanced Storage removable devices This policy setting configures whether or not non-Enhanced Storage removable devices are allowed on your computer. If you enable this policy setting, non-Enhanced Storage removable devices are not allowed on your computer. If you disable or do n ...

CCE-33274-2
Prompt for password on resume from hibernate/suspend This setting allows you to configure client computers to always lock when resuming from a hibernate or suspend. If you enable this setting, the client computer is locked when it is resumed from a suspend or hibernate state. If you disable ...

CCE-33868-1
Turn on process scanning whenever real-time protection is enabled This policy setting allows you to configure process scanning when real-time protection is turned on. This helps to catch malware which could start when real-time protection is turned off. If you enable or do not configure this set ...

CCE-35738-4
Prevent AutoPlay from remembering user choices. This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when a device is connected. If you enable this policy setting, AutoPlay prompts the user to choose what to do when a device is connected. ...

CCE-34753-4
Force selected system UI language to overwrite the user UI language This is a setting for computers with more than one UI language installed. If you enable this setting, the UI language of Windows menus and dialogs language for systems with more than one language will follow the language specified ...

CCE-33746-9
Hide previous versions list for local files This policy setting lets you hide the list of previous versions of files that are on local disks. The previous versions could come from the on-disk restore points or from backup media. If you enable this policy setting, users cannot list or restore pre ...

CCE-35444-9
Specify dynamic registration of the DC Locator DNS Records This policy setting determines if dynamic registration of the domain controller (DC) locator DNS resource records is enabled. These DNS records are dynamically registered by the Net Logon service and are used by the Locator algorithm to loc ...

CCE-34500-9
Do not allow Flip3D invocation Flip3D is a 3D window switcher. If you enable this setting, Flip3D will be inaccessible. If you disable or do not configure this policy setting, Flip3D will be accessible, if desktop composition is turned on. Changing this setting will require a logoff for it to be ...

CCE-35248-4
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is displayed in the Shut Down Windows dialog box. If you enable this policy setting, 'Install Updates and Shut Down' w ...

CCE-34041-4
Check for New Signatures Before Scheduled Scans Checks for new signatures before running scheduled scans. If you enable this policy setting, the scheduled scan checks for new signatures before it scans the computer. If you disable or do not configure this policy setting, the scheduled scan begins ...

CCE-35760-8
Tape Drives: Deny write access This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access will be denied to this removable storage class. If you disable or do not configure this policy setting, write access will be allowed to ...

CCE-35311-0
Do not sync browser settings Prevent the 'browser' group from syncing to and from this PC. This turns off and disables the 'browser' group on the 'sync your settings' page in PC settings. The 'browser' group contains settings and info like history and favorites. If you enable this policy setti ...

CCE-35707-9
Validate smart card certificate usage rule compliance This policy setting allows you to associate an object identifier from a smart card certificate to a BitLocker-protected drive. This policy setting is applied when you turn on BitLocker. The object identifier is specified in the enhanced key u ...

CCE-35128-8
Distributed File System This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setti ...

CCE-33942-4
Specify Work Folders settings This policy setting specifies the Work Folders server for affected users, as well as whether or not users are allowed to change settings when setting up Work Folders on a domain-joined computer. If you enable this policy setting, affected users receive Work Fol ...

CCE-33613-1
Prevent changing theme This setting disables the theme gallery in the Personalization Control Panel. If you enable this setting, users cannot change or save a theme. Elements of a theme such as the desktop background, window color, sounds, and screen saver can still be changed (unless policies ...

CCE-35115-5
Use DNS name resolution with a single-label domain name instead of NetBIOS name resolution to locate the DC This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of single-label domain names. By default, when a computer (or the DC Loca ...

CCE-34886-2
Prevent Windows Media DRM Internet Access Prevents Windows Media Digital Rights Management (DRM) from accessing the Internet (or intranet). When enabled, Windows Media DRM is prevented from accessing the Internet (or intranet) for license acquisition and security upgrades. When this policy is ena ...

CCE-33472-2
Turn Off Hybrid Sleep (Plugged In) Disables Hybrid Sleep. If you enable this policy setting, a hiberfile is not generated when the system transitions to sleep (Stand By). If you do not configure this policy setting, users can see and change this setting.

CCE-34424-2
Prevent users from moving taskbar to another screen dock location This policy setting allows you to prevent users from moving taskbar to another screen dock location. If you enable this policy setting, users are not able to drag their taskbar to another area of the monitor(s). If you disable ...

CCE-35324-3
Prevent indexing e-mail attachments Enable this policy setting to prevent the indexing of the content of e-mail attachments. If enabled, indexing service components (including non-Microsoft components) are expected not to index e-mail attachments. Consider enabling this policy if you are concerned ...

CCE-34054-7
Turn Off Low Battery User Notification Disables a user notification when the battery capacity remaining equals the low battery notification level. If you enable this policy, Windows will not show a notification when the battery capacity remaining equals the low battery notification level. To conf ...

CCE-34281-6
Allow Integrated Unblock screen to be displayed at the time of logon This policy setting lets you determine whether the integrated unblock feature will be available in the logon User Interface (UI). In order to use the integrated unblock feature your smart card must support this feature. Please c ...

CCE-33733-7
Do not sync app settings Prevent the 'app settings' group from syncing to and from this PC. This turns off and disables the 'app settings' group on the 'sync your settings' page in PC settings. If you enable this policy setting, the 'app settings' group will not be synced. Use the option 'Al ...

CCE-33276-7
Set a default associations configuration file This policy specifies the path to a file (e.g. either stored locally or on a network location) that contains file type and protocol default application associations. This file can be created using the DISM tool. For example: Dism.exe /Online /Expor ...

CCE-34557-9
User State Management Client Side Extension Enable or disable the Client Side Extension for User State Management. This setting is managed by System Center Configuration Manager

CCE-33866-5
Turn on Information Protection Control This policy setting allows you to configure Information Protection Control (IPC). If you enable this setting, IPC will be enabled. If you disable or do not configure this setting, IPC will be disabled.

CCE-34228-7
Delete cached copies of roaming profiles Determines whether the system saves a copy of a user's roaming profile on the local computer's hard drive when the user logs off. This setting, and related settings in this folder, together describe a strategy for managing user profiles residing on remote s ...

CCE-35520-6
Audit Policy: Object Access: Removable Storage This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested. If you configure this policy setting, an audi ...

CCE-34250-1
Disallow optical media as backup target This policy setting allows you to manage whether backups of a machine can run to an optical media or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run backups to an optical media. If you di ...

CCE-35551-1
Windows Firewall: Block UDP port 3544 Use this outbound rule to block UDP port 3544.

CCE-33036-5
Audit logon events The prescribed GPOs from Microsoft include settings that configure the audit categories present in previous versions of Windows. If you use the script and the GPOs included with this security guidance, these settings will not apply to computers running Windows Vista. The GPOs int ...

CCE-35092-6
Prevent AutoPlay from remembering user choices. This policy setting allows you to prevent AutoPlay from remembering user's choice of what to do when a device is connected. If you enable this policy setting, AutoPlay prompts the user to choose what to do when a device is connected. ...

CCE-33352-6
Hide Add/Remove Windows Components page Removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Compone ...

CCE-33853-3
Configure local setting override to turn off Intrusion Prevention System This policy setting configures a local override for the configuration of network protection against exploits of known vulnerabilities. This setting can only be set by Group Policy. If you enable this setting, the local pref ...

CCE-34766-6
Limit maximum color depth This policy setting allows you to specify the maximum color resolution (color depth) for Remote Desktop Services connections. You can use this policy setting to set a limit on the color depth of any connection using RDP. Limiting the color depth can improve connection per ...

CCE-33156-1
Check if Windows Updates are missing (Only returns Compliant/Not Compliant) This configuration item is a PowerShell-based script that checks to see if all required updates are installed. It is designed to be exported within DCM Management Packs. To function it requires that the PowerShell exec ...

CCE-33657-8
Turn off Group Policy Client Service AOAC optimization This policy setting prevents the Group Policy Client Service from stopping when idle.

CCE-33986-1
Define host name-to-Kerberos realm mappings This policy setting allows you to specify which DNS host names and which DNS suffixes are mapped to a Kerberos realm. If you enable this policy setting, you can view and change the list of DNS host names and DNS suffixes mapped to a Kerberos realm as def ...

CCE-34899-5
Interactive logon: Machine account lockout threshold The machine lockout policy is enforced only on those machines that have BitLocker enabled for protecting OS volumes. Please ensure that appropriate recovery password backup policies are enabled. This security setting determines the number of fai ...

CCE-34317-8
CD and DVD: Deny read access This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access will be denied to this removable storage class. If you disable or do not configure this policy setting, read access will be allowed to this ...

CCE-35159-3
Restrict the user from entering author mode Prevents users from entering author mode. This setting prevents users from opening the Microsoft Management Console (MMC) in author mode, explicitly opening console files in author mode, and opening any console files that open in author mode by default ...

CCE-34779-9
Allow Basic authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client. If you enable this policy setting, the WinRM service will accept Basic authentication from a remote client. If you disable o ...

CCE-34108-1
Prevent grouping of taskbar items This setting affects the taskbar buttons used to switch between running programs. Taskbar grouping consolidates similar applications when there is no room on the taskbar. It kicks in when the user's taskbar is full. If you enable this setting, it prevents the ...

CCE-33720-4
Remove computer from docking station This policy setting allows the user of a portable computer to click Eject PC on the Start menu to undock the computer. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory ...

CCE-34174-3
Turn off handwriting personalization data sharing Turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. ...

CCE-34370-7
Disable Known Folders This policy setting allows you to specify a list of known folders that should be disabled. Disabling a known folder will prevent the underlying file or directory from being created via the known folder API. If the folder exists before the policy is applied, the folder must b ...

CCE-34842-5
Certification Authority Policy Settings This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable t ...

CCE-34975-3
IGMP Routing This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the sna ...

CCE-34513-2
Do not allow the computer to act as a BITS Peercaching server This setting specifies whether the computer will act as a BITS peercaching server. By default, when BITS peercaching is enabled, the computer acts as both a peercaching server (offering files to its peers) and a peercaching client (downl ...

CCE-35235-1
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. If you enable this policy setting, any c ...

CCE-33365-8
Turn off Windows SideShow This policy setting turns off Windows SideShow. If you enable this policy setting, the Windows SideShow Control Panel will be disabled and data from Windows SideShow-compatible gadgets (applications) will not be sent to connected devices. If you disable or do not config ...

CCE-35564-4
Run Windows PowerShell scripts first at computer startup, shutdown This policy setting determines whether Windows PowerShell scripts will run before non-PowerShell scripts during computer startup and shutdown. By default, PowerShell scripts run after non-PowerShell scripts. If you enable this po ...

CCE-35102-3
Kerberos client support for claims, compound authentication and Kerberos armoring This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. ...

CCE-34098-4
Delete data from devices running Microsoft firmware when a user logs off from the computer. This policy setting deletes all data stored on Windows SideShow-compatible devices (running Microsoft firmware) when a user logs off from the computer. This is a security precaution but it significantly limi ...

CCE-33498-7
Include rarely used Chinese, Kanji, or Hanja characters Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This ...

CCE-33644-6
Network Policy Server (NPS) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy s ...

CCE-35809-3
Turn off the offer to update to the latest version of Windows Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this sett ...

CCE-34143-8
Turn on Script Execution This setting lets you configure the script execution policy, controlling what scripts are allowed to run. If you enable this setting, the scripts selected in the drop down list will be allowed to run. The 'Allow only signed scripts' setting allows script to execute only ...

CCE-34396-2
Configure slow-link mode This policy setting enables computers running Windows Vista or Windows Server 2008 to use the slow-link mode of Offline Files (it is enabled by default for computers running Windows 7 or Windows Server 2008 R2). This policy also controls when client computers running Window ...

CCE-32999-5
Permit use of Control Panel Settings (Users) This policy setting allows you to permit or prohibit use of the Control Panel Settings item and all preference extensions listed in the Group Policy Management Editor window of the GPMC under User Configuration\Preferences\Control Panel Settings. When th ...

CCE-34659-3
Prevent sending Video Prevents users from sending video if they have the hardware. Users will still be able to receive video from others.

CCE-35150-2
Limit the maximum number of ranges that can be added to the file in a BITS job This policy setting limits the number of ranges that can be added to a file in a BITS job. By default, files in a BITS job are limited to 500 ranges per file. You can use this setting to raise or lower the maximum number ...

CCE-33897-0
Specify the maximum depth to scan archive files This policy setting allows you to configure the maximum directory depth level into which archive files such as .ZIP or .CAB are unpacked during scanning. The default directory depth level is 0. If you enable this setting, archive files will be scan ...

CCE-34263-4
Turn on the Ability for Applications to Prevent Sleep Transitions (On Battery) Enables applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). If you di ...

CCE-33840-0
IP address range Exclusions This policy, if defined, will prevent network protection against exploits of known vulnerabilities from inspecting the specified IP addresses. IP addresses should be added under the Options for this setting. Each entry must be listed as a name value pair, where the name ...

CCE-33441-7
Turn off notifications when a connection has only limited or no connectivity This policy setting allows you to manage whether notifications are shown to the user when a DHCP-configured connection is unable to retrieve an IP address from a DHCP server. This is often signified by the assignment of an ...

CCE-35087-6
Send additional data when on battery power This policy setting determines whether Windows Error Reporting (WER) checks if the computer is running on battery power. By default, when a computer is running on battery power, WER only checks for solutions, but does not upload additional report data unti ...

CCE-34539-7
Specify negative DC Discovery cache setting This policy setting specifies the amount of time (in seconds) the DC locator remembers that a domain controller (DC) could not be found in a domain. When a subsequent attempt to locate the DC occurs within the time set in this setting, DC Discovery immedi ...

CCE-35413-4
Allow .rdp files from unknown publishers This policy setting allows you to specify whether users can run unsigned Remote Desktop Protocol (.rdp) files and .rdp files from unknown publishers on the client computer. If you enable or do not configure this policy setting, users can run unsigned .rdp ...

CCE-33511-7
Accounts: Administrator account status This policy setting enables or disables the Administrator account during normal operation. When a computer is booted into safe mode, the Administrator account is always enabled, regardless of how this setting is configured. Note that this setting will have no ...

CCE-33112-4
Permit use of Drive Maps preference extension This policy setting allows you to permit or prohibit use of the Drive Maps preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setting ...

CCE-35217-9
Primary DNS Suffix Devolution Level This policy setting determines the Domain Name System (DNS) suffix devolution level that DNS clients will use, if the clients perform primary DNS suffix devolution in a name resolution process. When DNS suffix devolution is enabled, the leftmost label of a primar ...

CCE-35546-1
Enable Active Desktop Enables Active Desktop and prevents users from disabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can e ...

CCE-34023-2
Timeout for inactive BITS jobs This policy setting specifies the number of days a pending BITS job can remain inactive before the job is considered abandoned. By default BITS will wait 90 days before considering an inactive job abandoned. After a job is determined to be abandoned, the job is delete ...

CCE-35283-1
Hide Network Tab This policy setting allows you to hide the Network tab. If you enable this policy setting, the Network tab in Windows Media Player is hidden. The default network settings are used unless the user has previously defined network settings for the Player. If you disable or do not ...

CCE-34735-1
Prevent changing desktop background Prevents users from adding or changing the background design of the desktop. By default, users can use the Desktop Background page in the Personalization or Display Control Panel to add a background design (wallpaper) to their desktop. If you enable this se ...

CCE-35679-0
Ignore custom consent settings This policy setting determines the behavior of the Configure Default Consent setting in relation to custom consent settings. If you enable this policy setting, the default consent levels of Windows Error Reporting always override any other consent policy setting. ...

CCE-35426-6
No Entire Network in Network Locations Removes all computers outside of the user's workgroup or local domain from lists of network resources in File Explorer and Network Locations. If you enable this setting, the system removes the Entire Network option and the icons representing networked compu ...

CCE-35074-4
Windows Automatic Updates This setting controls automatic updates to a user's computer. Whenever a user connects to the Internet, Windows searches for updates available for the software and hardware on their computer and automatically downloads them. This happens in the background, and the user ...

CCE-33378-1
Turn off tolerant and Z-shaped scratch-out gestures Turns off both the more tolerant scratch-out gestures that were added in Windows Vista and the Z-shaped scratch-out gesture that was available in Microsoft Windows XP Tablet PC Edition. The tolerant gestures let users scratch out ink in ...

CCE-33568-7
Enable optimized move of contents in Offline Files cache on Folder Redirection server path change This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a ...

CCE-33907-7
Turn on heuristics This policy setting allows you to configure heuristics. Suspicious detections will be suppressed right before reporting to the engine client. Turning off heuristics will reduce the capability to flag new threats. It is recommended that you do not turn off heuristics. If you en ...

CCE-35786-3
Network Security: Configure encryption types allowed for Kerberos This policy setting allows you to set the encryption types that Kerberos is allowed to use. This policy is supported on at least Windows 7 or Windows Server 2008 R2.

CCE-33125-6
Restrict Internet communication This policy setting specifies whether Windows can access the Internet to accomplish tasks that require Internet resources. If you enable this setting, all of the policy settings listed in the 'Internet Communication settings' section are set such that their re ...

CCE-33631-3
Certification Authority This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setti ...

CCE-33049-8
Check if AppLocker is Enabled This configuration item uses PowerShell to check whether or not AppLocker policies are enabled on the system either locally or through Group Policy. It is designed to be exported within DCM packs. To function it requires that the PowerShell execution policy be set ...

CCE-33321-1
Clear the recent programs list for new users If you enable this policy setting, the recent programs list in the start menu will be blank for each new user. If you disable or do not configure this policy, the start menu recent programs list will be pre-populated with programs for each new user.

CCE-34187-5
Assign a default domain for logon This policy setting specifies a default logon domain which may be a different domain than the machine joined domain. Without this policy, at logon, if a user does not specify a domain for logon, the domain to which the machine belongs is assumed as the default doma ...

CCE-32986-2
Prevent adding, dragging, dropping and closing the Taskbar's toolbars Prevents users from manipulating desktop toolbars. If you enable this setting, users cannot add or remove toolbars from the desktop. Also, users cannot drag toolbars on to or off of docked toolbars. Note: If users have adde ...

CCE-34156-0
Prevent users from uninstalling applications from Start If you enable this setting, users cannot uninstall apps from Start. If you disable this setting or do not configure it, users can access the uninstall command from Start.

CCE-34383-0
Send data when on connected to a restricted/costed network This policy setting determines whether Windows Error Reporting (WER) checks for a network cost policy that restricts the amount of data that is sent over the network. If you enable this policy setting, WER does not check for network cost ...

CCE-33201-5
Turn off game updates Manages download of game update information from Windows Metadata Services. If you enable this setting, game update information will not be downloaded. If you disable or do not configure this setting, game update information will be downloaded from Windows Metadata Services ...

CCE-35653-5
Inclusion list for moderate risk file types This policy setting allows you to configure the list of moderate-risk file types. If the attachment is in the list of moderate-risk file types and is from the restricted or Internet zone, Windows prompts the user before accessing the file. This inclusion ...

CCE-34352-5
Configure image quality for RemoteFX Adaptive Graphics This policy setting allows you to specify the visual quality for remote users when connecting to this computer by using Remote Desktop Connection. You can use this policy setting to balance the network bandwidth usage with the visual quality th ...

CCE-35204-7
Turn off background synchronization for feeds and Web Slices This policy setting controls whether to have background synchronization for feeds and Web Slices. If you enable this policy setting, the ability to synchronize feeds and Web Slices in the background is turned off. If you disable or ...

CCE-34868-0
Non-conforming packets Specifies an alternate link layer (Layer-2) priority value for packets that do not conform to the flow specification. The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you can change the default pr ...

CCE-33751-9
Remove UI to change menu animation setting This policy setting allows you to prevent users from enabling or disabling minor animations in the operating system for the movement of windows, menus, and lists. If you enable this policy setting, the 'Use transition effects for menus and tooltips' opt ...

CCE-33258-5
Turn off Windows Mail application Denies or allows access to the Windows Mail application. If you enable this setting, access to the Windows Mail application is denied. If you disable or do not configure this setting, access to the Windows Mail application is allowed.

CCE-35457-1
Access Credential Manager as a trusted caller This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities. ...

CCE-34811-0
Limit the size of the entire roaming user profile cache This policy setting allows you to limit the size of the entire roaming user profile cache on the local drive. This policy setting only applies to a computer on which the Remote Desktop Session Host role service is installed. Note: If you wa ...

CCE-33884-8
Run full scan on mapped network drives This policy setting allows you to configure scanning mapped network drives. If you enable this setting, mapped network drives will be scanned. If you disable or do not configure this setting, mapped network drives will not be scanned.

CCE-34067-9
Turn off Windows Network Connectivity Status Indicator active tests This policy setting turns off the active tests performed by the Windows Network Connectivity Status Indicator (NCSI) to determine whether your computer is connected to the Internet or to a more limited network. As part of determin ...

CCE-34944-9
Disable full duplex Audio Disables full duplex mode audio. Users will not be able to listen to incoming audio while speaking into the microphone. Older audio hardware does not perform well when in full duplex mode.

CCE-33334-4
Do not search for files If you enable this policy setting the Start menu search box will not search for files. If you disable or do not configure this policy setting, the Start menu will search for files, unless the user chooses not to do so directly in Control Panel. If you enable this policy, ...

CCE-33871-5
Configure local setting override for maximum percentage of CPU utilization This policy setting configures a local override for the configuration of maximum percentage of CPU utilization during scan. This setting can only be set by Group Policy. If you enable this setting, the local preference se ...

CCE-35742-6
Configure Report Queue This policy setting determines the behavior of the Windows Error Reporting report queue. If you enable this policy setting, you can configure report queue behavior by using the controls in the policy setting. When the Queuing behavior pull-down list is set to Default, Wind ...

CCE-34276-6
Show 'Run as different user' command on Start This policy setting shows or hides the 'Run as different user' command on the Start application bar. If you enable this setting, users can access the 'Run as different user' command from Start for applications which support this functionality. If ...

CCE-34472-1
Security Templates This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, t ...

CCE-35061-1
Notify blocked drivers This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose drivers blocked due to compatibility issues. If you enable this policy setting, the PCA will notify the user of blocked driver issues with an option to check the Microsoft Web sit ...

CCE-33467-2
Turn off AutoComplete integration with Input Panel Turns off the integration of application auto complete lists with Tablet PC Input Panel in applications where this behavior is available. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard t ...

CCE-34748-4
Set Group Policy refresh interval for users This policy setting specifies how often Group Policy for users is updated while the computer is in use (in the background). This setting specifies a background update rate only for the Group Policies in the User Configuration folder. In addition to bac ...

CCE-33138-9
Turn Off Adaptive Display Timeout (On Battery) Manages how Windows controls the setting that specifies how long a computer must be inactive before Windows turns off the computer's display. When this policy is enabled, Windows automatically adjusts the setting based on what users do with their ke ...

CCE-35390-4
Allow only Windows Vista or later connections This policy setting enables Remote Assistance invitations to be generated with improved encryption so that only computers running this version (or later versions) of the operating system can connect. This policy setting does not affect Remote Assistance ...

CCE-35337-5
Configure Scheduled Maintenance Behavior Determines whether scheduled diagnostics will run to proactively detect and resolve system problems. If you enable this policy setting, you must choose an execution level. If you choose detection and troubleshooting only, Windows will periodically detect ...

CCE-35799-6
Prevent enabling lock screen camera Disables the lock screen camera toggle switch in PC Settings and prevents a camera from being invoked on the lock screen. By default, users can enable invocation of an available camera on the lock screen. If you enable this setting, users will no longer be ...

CCE-34010-9
Disable or enable software Secure Attention Sequence This policy setting controls whether or not software can simulate the Secure Attention Sequence (SAS). If you enable this policy setting, you have one of four options: If you set this policy setting to 'None,' user mode software cannot simulate ...

CCE-32942-5
Remove Add or Remove Programs Prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and com ...

CCE-34419-2
Turn off automatic promotion of notification icons to the taskbar This policy setting allows you to turn off automatic promotion of notification icons to the taskbar. If you enable this policy setting, newly added notification icons are not temporarily promoted to the Taskbar. Users can still co ...

CCE-33938-2
Show the Apps view automatically when the user goes to Start This policy setting allows the Apps view to be opened by default when the user goes to Start. If you enable this policy setting, the Apps view will appear whenever the user goes to Start. Users will still be able to switch between the ...

CCE-34486-1
Automatic Maintenance Activation Boundary This policy setting allows you to configure Automatic Maintenance activation boundary. The maintenance activation boundary is the daily scheduled time at which Automatic Maintenance starts. If you enable this policy setting, this wil ...

CCE-33795-6
Turn off 'Found New Hardware' balloons during device installation This policy setting allows you to turn off 'Found New Hardware' balloons during device installation. If you enable this policy setting, 'Found New Hardware' balloons do not appear while a device is being installed. If you disable o ...

CCE-32972-2
Disable Active Desktop Disables Active Desktop and prevents users from enabling it. This setting prevents users from trying to enable or disable Active Desktop while a policy controls it. If you disable this setting or do not configure it, Active Desktop is disabled by default, but users can ...

CCE-34945-6
Prevent adding Directory servers Prevents users from adding directory (ILS) servers to the list of those they can use for placing calls.

CCE-35768-1
Turn Off Adaptive Display Timeout (Plugged In) Manages how Windows controls the setting that specifies how long a computer must be inactive before Windows turns off the computer's display. When this policy is enabled, Windows automatically adjusts the setting based on what users do with their ke ...

CCE-35648-5
Block launching desktop programs associated with a protocol This policy setting allows you to minimize the risk involved when an app launches the default program for a protocol. Because desktop programs run at a higher integrity level than apps, there is a risk that a protocol launched by an app co ...

CCE-33818-6
Restrict delegation of credentials to remote servers When running in restricted mode, participating apps do not expose credentials to remote computers (regardless of the delegation method). Restricted mode may limit access to resources located on other servers or networks beyond the target computer ...

CCE-34749-2
Encrypt the Offline Files cache This setting determines whether offline files are encrypted. Offline files reside on a user's hard drive, not the network, and they are stored in a local cache on the computer. Encrypting this cache enhances security on a local computer. If the cache on the local co ...

CCE-33214-8
Turn off Program Compatibility Assistant This policy controls the state of the Program Compatibility Assistant in the system. The PCA monitors user initiated programs for known compatibility issues at run time. Whenever a potential issue with an application is detected, the PCA will prompt t ...

CCE-33347-6
Select an Active Power Plan Specifies the active power plan from a list of default Windows power plans. To specify a custom power plan, use the Custom Active Power Plan setting. If you enable this policy setting, you must specify a power plan from the Active Power Plan list. If you disable this p ...

CCE-33084-5
Enforce drive encryption type on operating system drives This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if ...

CCE-34113-1
Do not allow Inkball to run Prevents start of InkBall game. If you enable this policy, the InkBall game will not run. If you disable this policy, the InkBall game will run. If you do not configure this policy, the InkBall game will run.

CCE-35372-2
Configure RemoteFX Adaptive Graphics This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available network bandwidth. If you ...

CCE-35189-0
Local Users and Groups This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy settin ...

CCE-33662-8
Enable/Disable PerfTrack This policy setting specifies whether to enable or disable tracking of responsiveness events. If you enable this policy setting, responsiveness events are processed and aggregated. The aggregated data will be transmitted to Microsoft through SQM. If you disable this polic ...

CCE-33227-0
Remove Task Manager This policy setting prevents users from starting Task Manager. Task Manager (taskmgr.exe) lets users start and stop programs; monitor the performance of their computers; view and monitor all programs running on their computers, including system services; find the executable n ...

CCE-33018-3
Require a PIN to access data on devices running Microsoft firmware This policy setting requires users to enter a default personal identification number (PIN) to unlock and access data on the device after a specified period of inactivity (time-out period). This setting applies to Windows SideShow-co ...

CCE-34353-3
Back up log automatically when full This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the 'Retain old events' policy setting is enabled. If you enable this policy setting and the 'Retain old events' policy setting is enabled, the ...

CCE-33280-9
Package Point and print - Approved servers Restricts package point and print to approved servers. This policy setting restricts package point and print connections to approved servers. This setting only applies to Package Point and Print connections, and is completely independent from the 'Point ...

CCE-33071-2
Allow access to BitLocker-protected removable data drives from earlier versions of Windows This policy setting configures whether or not removable data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Servi ...

CCE-35385-4
Remove 'Make Available Offline' command This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of fil ...

CCE-35581-8
Prohibit adjusting desktop toolbars Prevents users from adjusting the length of desktop toolbars. Also, users cannot reposition items or toolbars on docked toolbars. This setting does not prevent users from adding or removing toolbars on the desktop. Note: If users have adjusted their toolbar ...

CCE-34220-4
Enable / disable TXF deprecated features TXF deprecated features included savepoints, secondary RM, miniversion and roll forward. Please enable it if you want to use the APIs.

CCE-33423-5
Make Family Safety control panel visible on a Domain This policy setting allows you to configure the Family Safety feature. If you enable this policy setting, the Family Safety control panel is visible on a domain joined computer. If you disable or do not configure this policy setting, the Fa ...

CCE-34682-5
Remove the battery meter This policy setting allows you to remove the battery meter from the system control area. If you enable this policy setting, the battery meter is not displayed in the system notification area. If you disable or do not configure this policy setting, the battery meter is ...

CCE-33609-9
Prevent Desktop Sharing Prevents users from sharing the whole desktop. They will still be able to share individual applications.

CCE-34958-9
Floppy Drives: Deny execute access This policy setting denies execute access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, execute access will be denied to this removable storage class. If you disable or do not configure this policy ...

CCE-33805-3
Prevent indexing certain paths If you enable this policy setting, you specify a list of paths to exclude from indexing. The user cannot enter any path that starts with one of the paths you specified. If you enable and then disable this policy setting, users can index any path not restricted by oth ...

CCE-35528-9
Audit privilege use This policy setting determines whether to audit each instance of a user exercising a user right. If you configure this value to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure this value to Failure, an audit entry is g ...

CCE-34024-0
Block launching desktop apps associated with a protocol This policy setting allows you to minimize the risk involved when a packaged app launches the default app for a protocol. Because desktop apps run at a higher integrity level than packaged apps, there is a risk that a protocol launched by a pa ...

CCE-34379-8
Start File Explorer with ribbon minimized This policy setting allows you to specify whether the ribbon appears minimized or in full when new File Explorer windows are opened. If you enable this policy setting, you can set how the ribbon appears the first time users open File Explorer and whenever t ...

CCE-35724-4
Require user authentication for remote connections by using Network Level Authentication This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security ...

CCE-33586-9
Performance Logs and Alerts This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy s ...

CCE-34695-7
Do not allow adding new targets via manual configuration If enabled then new targets may not be manually configured by entering the target name and target portal; already discovered targets may be manually configured. If disabled then new and already discovered targets may be manually configured. ...

CCE-35559-4
Restrict unpacking and installation of gadgets that are not digitally signed. This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be deployed as compressed files, either digitally signed or unsigned. If you enable this setting, gadgets that have no ...

CCE-34157-8
Switch to the Simplified Chinese (PRC) gestures Switches the gesture set used for editing from the common handheld computer gestures to the Simplified Chinese (PRC) standard gestures. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to e ...

CCE-34891-2
Domain controller: Allow server operators to schedule tasks This policy setting determines whether members of the Server Operators group are allowed to submit jobs by means of the AT schedule facility. The impact of this policy setting configuration should be small for most organizations. Users, in ...

CCE-32985-4
Don't save settings at exit Prevents users from saving certain changes to the desktop. If you enable this setting, users can change the desktop, but some changes, such as the position of open windows or the size and position of the taskbar, are not saved when users log off. However, shortcuts pl ...

CCE-35043-9
Prohibit access to Control Panel and PC settings Disables all Control Panel programs and the PC settings app. This setting prevents Control.exe and SystemSettings.exe, the program files for Control Panel and PC settings, from starting. As a result, users cannot start Control Panel or PC settings ...

CCE-34575-1
Security Configuration and Analysis This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this ...

CCE-34246-9
Disable password strength validation for Peer Grouping By default, when a Peer Group is created that allows for password-authentication (or the password for such a Group is changed), Peer Grouping validates that the password meets the password complexity requirements for the local system. Thus, it ...

CCE-34838-3
Enumerate local users on domain-joined computers This policy setting allows local users to be enumerated on domain-joined computers. If you enable this policy setting, Logon UI will enumerate all local users on domain-joined computers. If you disable or do not configure this policy setting, ...

CCE-33912-7
Allow notifications to disable definitions based reports to Microsoft MAPS This policy setting allows you to configure the antimalware service to receive notifications to disable individual definitions in response to reports it sends to Microsoft MAPS. Microsoft MAPS uses these notifications to dis ...

CCE-35030-6
Disable power management in connected standby mode This policy setting specifies that power management is disabled when the machine enters connected standby mode. If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when ...

CCE-35635-2
Allow NetBT queries for fully qualified domain names Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as 'www.example.com' in addi ...

CCE-34509-0
Do not allow Snipping Tool to run Prevents the snipping tool from running. If you enable this policy setting, the Snipping Tool will not run. If you disable this policy setting, the Snipping Tool will run. If you do not configure this policy setting, the Snipping Tool will run.

CCE-34100-8
Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands This policy setting prevents users from performing the following commands from the Start menu or Windows Security screen: Shut Down, Restart, Sleep, and Hibernate. This policy setting does not prevent users from runn ...

CCE-35296-3
KDC support for claims, compound authentication and Kerberos armoring This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication. If you enable this policy setting, c ...

CCE-33573-7
Custom Classes: Deny read access This policy setting denies read access to custom removable storage classes. If you enable this policy setting, read access will be denied to these removable storage classes. If you disable or do not configure this policy setting, read access will be allowed to the ...

CCE-33849-1
Configure local setting override for scanning all downloaded files and attachments This policy setting configures a local override for the configuration of scanning for all downloaded files and attachments. This setting can only be set by Group Policy. If you enable this setting, the local prefe ...

CCE-35670-9
Do not allow color changes This policy setting controls the ability to change the color of window frames. If you enable this policy setting, you prevent users from changing the default window frame color. If you disable or do not configure this policy setting, you allow users to change the ...

CCE-33316-1
Restrict unpacking and installation of gadgets that are not digitally signed. This policy setting allows you to restrict the installation of unsigned gadgets. Desktop gadgets can be deployed as compressed files, either digitally signed or unsigned. If you enable this setting, gadgets that have n ...

CCE-33836-8
Define the rate of detection events for logging This policy setting limits the rate at which detection events for network protection against exploits of known vulnerabilities will be logged. Logging will be limited to not more often than one event per the defined interval. The interval value is def ...

CCE-33449-0
Always use custom logon background Ignores Windows Logon Background. This policy setting may be used to make Windows give preference to a custom logon background. If you enable this policy setting, the logon screen will always attempt to load a custom background instead of the Windows-branded lo ...

CCE-35101-5
Disallow copying of user input methods to the system account for sign-in This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note this ...

CCE-33173-6
Maximum size of Active Directory searches Specifies the maximum number of objects the system displays in response to a command to browse or search Active Directory. This setting affects all browse displays associated with Active Directory, such as those in Local Users and Groups, Active Directory U ...

CCE-33969-7
All Removable Storage classes: Deny all access Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. If you enable this policy s ...

CCE-35790-5
Enable Group Policy Caching for Servers This policy setting allows you to configure Group Policy caching behavior on Windows Server machines. If you enable this policy setting, Group Policy caches policy information after every background processing session. This cache saves applicable GPOs and ...

CCE-35474-6
Default Protections for Internet Explorer This setting allows you to apply the recommended EMET protections to Internet Explorer. If you enable this setting, the recommended EMET protections are applied to Internet Explorer. If you disable this setting, the recommended EMET protections are no ...

CCE-34072-9
Turn on economical application of administratively assigned Offline Files This policy setting allows you to turn on economical application of administratively assigned Offline Files. If you enable or do not configure this policy setting, only new files and folders in administratively assigned fold ...

CCE-34019-0
Display a custom message title when device installation is prevented by a policy setting This policy setting allows you to display a custom message title in the notification balloon when a device installation is attempted and a policy setting prevents the installation. If you enable this pol ...

CCE-35550-3
Permit use of Services preference extension This policy setting allows you to permit or prohibit use of the Services preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setting, yo ...

CCE-33956-4
Turn off Multicast Bootstrap This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in the global cloud. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. One of ...

CCE-35800-2
Prevent enabling lock screen slide show Disables the lock screen slide show settings in PC Settings and prevents a slide show from playing on the lock screen. By default, users can enable a slide show that will run after they lock the machine. If you enable this setting, users will no longer ...

CCE-35487-8
Accounts: Block Microsoft accounts This policy setting prevents users from adding new Microsoft accounts on this computer. If you select the 'Users can't add Microsoft accounts' option, users will not be able to create new Microsoft accounts on this computer, switch a local account to a Microsoft ...

CCE-33560-4
Automatic reconnection Specifies whether to allow Remote Desktop Connection clients to automatically reconnect to sessions on an RD Session Host server if their network link is temporarily lost. By default, a maximum of twenty reconnection attempts are made at five second intervals. If the status ...

CCE-32990-4
Permit use of Environment preference extension This policy setting allows you to permit or prohibit use of the Environment preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setti ...

CCE-33186-8
Set up a maintenance schedule to limit the maximum network bandwidth used for BITS background transfers This policy setting limits the network bandwidth that Background Intelligent Transfer Service (BITS) uses for background transfers during the maintenance days and hours. Maintenance schedules fur ...

CCE-32937-5
Configure use of passwords for operating system drives This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements ...

CCE-34259-2
Turn Off the Hard Disk (On Battery) Specifies the period of inactivity before Windows turns off the hard disk. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the hard disk. If you disable this policy or do not ...

CCE-34784-9
Prohibit Browse Limits newly scheduled to items on the user's Start menu, and prevents the user from changing the scheduled program for existing tasks. This setting removes the Browse button from the Schedule Task Wizard and from the Task tab of the properties dialog box for a task. Also, users ...

CCE-35683-2
Specify idle Timeout Configures maximum time in milliseconds remote shell will stay open without any user activity until it is automatically deleted. Any value from 0 to 0x7FFFFFFF can be set. A minimum of 60000 milliseconds (1 minute) is used for smaller values. If you enable this policy setting ...

CCE-35025-6
Prevent backing up to optical media (CD/DVD) This policy setting lets you prevent users from selecting optical media (CD/DVD) for storing backups. If you enable this policy setting, users are blocked from selecting optical media as a backup location. If you disable or do not configu ...

CCE-35354-0
Network control service type Specifies an alternate link layer (Layer-2) priority value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you ...

CCE-33329-4
Remove pinned programs list from the Start Menu If you enable this setting, the 'Pinned Programs' list is removed from the Start menu. Users cannot pin programs to the Start menu. In Windows XP and Windows Vista, the Internet and email checkboxes are removed from the 'Customize Start Menu' dial ...

CCE-34544-7
Enable Transparent Caching Enabling this policy optimizes subsequent reads to network files by a user or an application. This is done by caching reads to remote files over a slow network in the Offline Files cache. Subsequent reads to the same file are then satisfied from the client after verifying ...

CCE-33209-8
Turn off Multicast Bootstrap This setting disables PNRP protocol from advertising the computer or from searching other computers on the local subnet in the site local cloud. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. One ...

CCE-33262-7
Turn on bandwidth optimization This policy setting allows you to improve performance in low bandwidth scenarios. This setting is incrementally scaled from 'No optimization' to 'Full optimization'. Each incremental setting includes the previous optimization setting. For example: 'Turn off backgr ...

CCE-35012-4
Allow .rdp files from valid publishers and user's default .rdp settings This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one issued by an authority recognized b ...

CCE-34126-3
Allow only system backup This policy setting allows you to manage whether backups of only system volumes is allowed or both OS and data volumes can be backed up. If you enable this policy setting, machine administrator/backup operator can backup only volumes hosting OS components and no data only ...

CCE-35265-8
Event Viewer This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the sna ...

CCE-33627-1
Security Settings This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, th ...

CCE-33680-0
Ignore Delegation Failure Directs the RPC Runtime to ignore delegation failures if delegation was asked for. Windows Server 2003 family includes a new delegation model - constrained delegation. In this model the security system does not report that delegation was enabled on a security context when ...

CCE-35604-8
Enable use of BitLocker authentication requiring preboot keyboard input on slates This policy setting allows users to enable authentication options that require user input from the pre-boot environment even if the platform indicates lack of pre-boot input capability. The Windows on-screen touch ...

CCE-33405-2
Allow printers to be published Determines whether the computer's shared printers can be published in Active Directory. If you enable this setting or do not configure it, users can use the 'List in directory' option in the Printer's Properties' Sharing tab to publish shared printers in Active Direc ...

CCE-34348-3
Allow signature keys valid for Logon This policy setting lets you allow signature key-based certificates to be enumerated and available for logon. If you enable this policy setting then any certificates available on the smart card with a signature only key will be listed on the logon screen. If y ...

CCE-33823-6
Turn off the advertising ID This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps. If you enable this policy setting, the advertising ID is turned off. Apps can't use the ID for experiences across apps. If you disable or do not configu ...

CCE-34664-3
Disable Whiteboard Disables the T.126 whiteboard feature of NetMeeting.

CCE-33142-1
Enable file screens This policy setting enables administrators to block certain file types from being created in the folders that have been made available offline. If you enable this policy setting, a user will be unable to create files with the specified file extensions in any of the folders th ...

CCE-33747-7
Prevent restoring local previous versions This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. If you enable this policy setting, the Restore button is disabled when the user selects a previ ...

CCE-35594-1
Turn off printing over HTTP This policy setting specifies whether to allow printing over HTTP from this client. Printing over HTTP allows a client to print to printers on the intranet as well as the Internet. Note: This policy setting affects the client side of Internet printing only. It does ...

CCE-33395-5
Allow Delegating Saved Credentials with NTLM-only Server Authentication This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via NTLM. If you enable this policy setting you can specify ...

CCE-34468-9
Display instructions in logon scripts as they run This policy setting displays the instructions in logon scripts as they run. Logon scripts are batch files of instructions that run when the user logs on. By default, the system does not display the instructions in logon scripts. If you enable ...

CCE-34677-5
Configure Scenario Execution Level Determines the execution level for Windows Standby/Resume Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Servic ...

CCE-34006-7
Diagnostics: Configure scenario retention Determines the data retention limit for Diagnostic Policy Service (DPS) scenario data. If you enable this policy setting, you must enter the maximum size of scenario data that should be retained in megabytes. Detailed troubleshooting data related to scena ...

CCE-35132-0
Restricts the UI languages Windows should use for the selected user This policy setting restricts the Windows UI language for specific users. This policy setting applies to computers with more than one UI language installed. If you enable this policy setting, the UI language of Windows menus ...

CCE-33810-3
Do not show the 'new application installed' notification This policy removes the end-user notification for new application associations. These associations are based on file types (e.g. *.txt) or protocols (e.g. http:) If this group policy is enabled, no notifications will be shown. If the group ...

CCE-35341-7
Configure EFS recovery policy processing This policy setting determines when encryption policies are updated. This policy setting affects all policies that use the encryption component of Group Policy, such as policies related to encryption in Windows Settings\Security Settings. It overrides ...

CCE-35398-7
Hide previous versions list for remote files This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk restore points on the file share. If you enable this policy setting, users cannot list or restore previous ve ...

CCE-33199-1
Try Next Closest Site The Domain Controller Locator (DC Locator) service is used by clients to find domain controllers for their Active Directory domain. The default behavior for DC Locator is to find a DC in the same site. If none are found in the same site, a DC in another site, which might be se ...

CCE-34873-0
Pre-populate printer search location text Enables the physical Location Tracking setting for Windows printers. Use Location Tracking to design a location scheme for your enterprise and assign computers and printers to locations in the scheme. Location Tracking overrides the standard method used to ...

CCE-35813-5
Lsass.exe audit mode You can configure this setting to enable the auditing of Lsass.exe so that you can evaluate feasibility of enabling LSA protection. You can use the audit mode to identify LSA plug-ins and drivers that will fail to load in LSA Protection mode. While in the audit mode, the syste ...

CCE-33943-2
Set the time Quiet Hours begins each day This policy setting specifies the number of minutes after midnight (local time) that Quiet Hours is to begin each day. If you enable this policy setting, the specified time will be used, and users will not be able to customize any Quiet Hours sett ...

CCE-34411-9
Turn off pen feedback Disables visual pen action feedback, except for press and hold feedback. If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. If you disable or do ...

CCE-33614-9
Prevent changing visual style for windows and buttons Prevents users or applications from changing the visual style of the windows and buttons displayed on their screens. When enabled on Windows XP, this setting disables the 'Windows and buttons' drop-down list on the Appearance tab in Display P ...

CCE-35069-4
Standard User Lockout Duration This policy setting allows you to manage the duration in minutes for counting standard user authorization failures for Trusted Platform Module (TPM) commands requiring authorization. If the number of TPM commands with an authorization failure within the duration equa ...

CCE-34740-1
Certificate Templates This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting ...

CCE-34730-2
Disable the Advanced Calling button Disables the Advanced Calling button on the General Options page. Users will not then be able to change the call placement method and the servers used.

CCE-34271-7
Turn off Windows SideShow This policy setting turns off Windows SideShow. If you enable this policy setting, the Windows SideShow Control Panel will be disabled and data from Windows SideShow-compatible gadgets (applications) will not be sent to connected devices. If you disable or do not co ...

CCE-32969-8
Remove Lock Computer This policy setting prevents users from locking the system. While locked, the desktop is hidden and the system cannot be used. Only the user who locked the system or the system administrator can unlock it. If you enable this policy setting, users cannot lock the computer ...

CCE-33723-8
Turn off Touch Panning Turn off Panning Turns off touch panning, which allows users to pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. If you ...

CCE-33011-8
Remove Program Compatibility Property Page This policy controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays a list of op ...

CCE-33580-2
Contact PDC on logon failure Defines whether a domain controller (DC) should attempt to verify with the PDC the password provided by a client if the DC failed to validate the password. Contacting the PDC is useful in case the client's password was recently changed and did not propagate to the DC y ...

CCE-34218-8
Allow hibernate (S4) when starting from a Windows To Go workspace Specifies whether the PC can use the hibernation sleep state (S4) when started from a Windows To Go workspace. If you enable this setting, Windows, when started from a Windows To Go workspace, can hibernate the PC. If you disab ...

CCE-35674-1
Turn off Internet search integration This policy setting allows you to turn off Internet search integration. If you enable this policy setting, you cannot add a new search integration configuration file. A search integration configuration file that was installed before enabling this policy sett ...

CCE-33264-3
Turn On Desktop Background Slideshow (On Battery) Specify if Windows should enable the desktop background slideshow. If you enable this policy setting, desktop background slideshow is enabled. If you disable this policy setting, the desktop background slideshow is disabled. If you do not c ...

CCE-35105-6
Configure wireless policy processing This policy setting determines when policies that assign wireless network settings are updated. This policy setting affects all policies that use the wireless network component of Group Policy, such as those in Windows Settings\Wireless Network Policies. It ...

CCE-33460-7
List of applications to be excluded This policy setting limits Windows Error Reporting behavior for errors in general applications when Windows Error Reporting is turned on. If you enable this policy setting, you can create a list of applications that are never included in error reports. To crea ...

CCE-34787-2
Wireless Monitor This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the ...

CCE-35478-7
Default Protections for Recommended Software This setting allows you to apply the recommended EMET protections to recommended software (such as WordPad, Microsoft Office, Adobe Acrobat, Adobe Acrobat Reader, and Oracle Java). If you enable this setting, the suggested EMET protections are applied ...

CCE-34414-3
Prevent flicks Makes pen flicks and all related features unavailable. If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the ...

CCE-34151-1
Turn off sensors This policy setting turns off the sensor feature for this computer. If you enable this policy setting, the sensor feature is turned off, and all programs on this computer cannot use the sensor feature. If you disable or do not configure this policy setting, al ...

CCE-35794-7
Don't search the web or display web results in Search This policy setting allows you to control whether or not Search can perform queries on the web, and if the web results are displayed in Search. If you enable this policy setting, queries won't be performed on the web and web results won't be ...

CCE-35301-1
Prevent the display of advanced indexing options for Windows Search in the Control Panel This policy setting hides or displays the Advanced Options dialog for Search and Indexing Options in the Control Panel. If you enable this policy setting, the Advanced Options dialog for Search and Indexing ...

CCE-33397-1
Allow installation of devices using drivers that match these device setup classes This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. Use this policy setting only when the 'Prevent installa ...

CCE-34338-4
Configure Reliability WMI Providers This policy controls the Windows Management Instrumentation (WMI) providers Win32_ReliabilityStabilityMetrics and Win32_ReliabilityRecords. If this setting is disabled, the Reliability Monitor will not display system reliability information nor will WMI capa ...

CCE-35804-4
Turn on dynamic Content URI Rules for Windows store apps This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer ...

CCE-33647-9
Prefer Local Names Allowed Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon. If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT ...

CCE-34391-3
Configure root certificate clean up This policy setting allows you to manage the clean up behavior of root certificates. If you enable this policy setting then root certificate cleanup will occur according to the option selected. If you disable or do not configure this setting then root certificat ...

CCE-32956-5
Prohibit installing or uninstalling color profiles This policy setting affects the ability of users to install or uninstall color profiles. If you enable this policy setting, users will not be able to install new color profiles or uninstall previously installed color profiles. If you disable or d ...

CCE-35358-1
Prevent access to 16-bit applications Specifies whether to prevent the MS-DOS subsystem (ntvdm.exe) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. By default, the MS-DOS subsystem runs for all users on this computer. You can use th ...

CCE-34996-9
Network Security: Restrict NTLM: Add server exceptions in this domain This policy setting allows you to create an exception list of servers in this domain to which clients are allowed to use NTLM pass-through authentication if the 'Network Security: Restrict NTLM: Deny NTLM authentication in this d ...

CCE-35082-7
Log event when quota limit is exceeded This policy setting determines whether the system records an event in the local Application log when users reach their disk quota limit on a volume, and prevents users from changing the logging setting. If you enable this policy setting, the system records ...

CCE-33340-1
Remove Videos link from Start Menu If you enable this policy the start menu will not show a link to the Videos library.

CCE-35687-3
Specify maximum number of remote shells per user Configures maximum number of concurrent shells any user can remotely open on the same system. Any number from 0 to 0x7FFFFFFF can be set, where 0 means unlimited number of shells. If you enable this policy setting, the user will not be able to ope ...

CCE-34667-6
Disable Directory services Disables the directory feature of NetMeeting. Users will not logon to a directory (ILS) server when NetMeeting starts. Users will also not be able to view or place calls via a NetMeeting directory. This policy is for deployers who have their own location or calling ...

CCE-33514-1
Enable Windows 2000 Network Connections settings for Administrators Determines whether settings that existed in Windows 2000 Server family will apply to Administrators. The set of Network Connections group settings that existed in Windows 2000 Professional also exists in Windows XP Professional. ...

CCE-33843-4
Randomize scheduled task times This policy setting allows you to enable or disable randomization of the scheduled scan start time and the scheduled definition update start time. This setting is used to distribute the resource impact of scanning. For example, it could be used in guest virtual machin ...

CCE-35029-8
Download roaming profiles on primary computers only This policy setting controls on a per-computer basis whether roaming profiles are downloaded on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where t ...

CCE-34031-5
Synchronize all offline files when logging on Determines whether offline files are fully synchronized when users log on. This setting also disables the 'Synchronize all offline files before logging on' option on the Offline Files tab. This prevents users from trying to change the option while a ...

CCE-34480-4
Disk Management Extension This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy sett ...

CCE-33220-5
Turn Off Solid State Mode Turns off the solid state mode for the hybrid hard disks. If you enable this policy setting, frequently written files such as the file system metadata and registry may not be stored in the NV cache. If you disable this policy setting, the system will store frequently wr ...

CCE-33767-5
Pin Internet search sites to the 'Search again' links and the Start menu This policy setting allows you to add Internet or intranet sites to the 'Search again' links located at the bottom of search results in File Explorer and the Start menu links. The 'Search again' links at the bottom of the Sear ...

CCE-35269-0
Only use Package Point and print This policy restricts client computers to use package point and print only. If this setting is enabled, users will only be able to point and print to printers that use package-aware drivers. When using package point and print, client computers will check the drive ...

CCE-35465-4
Hides the Manage item on the File Explorer context menu Removes the Manage item from the File Explorer context menu. This context menu appears when you right-click File Explorer or My Computer. The Manage item opens Computer Management (Compmgmt.msc), a console tool that includes many of the pri ...

CCE-34427-5
Prevent Task Run or End Prevents users from starting and stopping tasks manually. This setting removes the Run and End Task items from the context menu that appears when you right-click a task. As a result, users cannot start tasks manually or force tasks to end before they are finished. Note ...

CCE-35016-5
End session when time limits are reached This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is ...

CCE-35608-9
Disable all items Removes Active Desktop content and prevents users from adding Active Desktop content. This setting removes all Active Desktop items from the desktop. It also removes the Web tab from Display in Control Panel. As a result, users cannot add Web pages or pictures from the Intern ...

CCE-34009-1
Disable delete notifications on all volumes Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. A value of 1 will disable delete notific ...

CCE-33830-1
Allow antimalware service to remain running always This policy setting allows you to configure whether or not the antimalware service remains running when antivirus and antispyware definitions are disabled. It is recommended that this setting remain disabled. If you enable this setting, the anti ...

CCE-33473-0
Turn off Local Group Policy objects processing This policy setting prevents Local Group Policy objects (Local GPOs) from being applied. By default, the policy settings in Local GPOs are applied before any domain-based GPO policy settings. These policy settings can apply to both users and the local ...

CCE-35149-4
Customize Warning Messages The 'Display warning message before sharing control' policy setting allows you to specify a custom message to display before a user shares control of his or her computer. The 'Display warning message before connecting' policy setting allows you to specify a custom messag ...

CCE-34284-0
Allow users to log on using biometrics This policy setting determines whether users can log on or elevate User Account Control (UAC) permissions using biometrics. By default, local users will be able to log on to the local computer, but the 'Allow domain users to log on using biometrics' policy se ...

CCE-34743-5
Prevent changing mouse pointers Prevents users from changing the mouse pointers. By default, users can use the Pointers tab in the Mouse Control Panel to add, remove, or change the mouse pointers. If you enable this setting, none of the mouse pointer scheme settings can be changed by the user ...

CCE-33634-7
Device Manager This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the s ...

CCE-33277-5
Location where all default Library definition files for users/machines reside. This policy setting allows you to specify a location where all default Library definition files for users/machines reside. If you enable this policy setting, administrators can specify a path where all default Library ...

CCE-35332-6
Set TTL in the DC Locator DNS Records This policy setting specifies the value for the Time-To-Live (TTL) field in SRV resource records that are registered by the Net Logon service. These DNS records are dynamically registered, and they are used to locate the domain controller (DC). To specify t ...

CCE-35598-2
Set time limit for active Remote Desktop Services sessions This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit in ...

CCE-33353-4
Trust logic for file attachments This policy setting allows you to configure the logic that Windows uses to determine the risk for file attachments. Preferring the file handler instructs Windows to use the file handler data over the file type data. For example, trust notepad.exe, but don't trust ...

CCE-33501-8
Allow Automatic Sleep with Open Network Files (On Battery) Allow Automatic Sleep with Open Network Files. If you enable this policy setting, the computer will automatically sleep when network files are open. If you disable this policy setting, the computer will not automatically sleep whe ...

CCE-33100-9
Allow enhanced PINs for startup This policy setting allows you to configure whether or not enhanced startup PINs are used with BitLocker. Enhanced startup PINs permit the use of characters including uppercase and lowercase letters, symbols, numbers, and spaces. This policy setting is applied whe ...

CCE-35541-2
Hide the 'Add programs from Microsoft' option Removes the 'Add programs from Microsoft' section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. If you disable this setting or do not configure it, 'Add programs from Micro ...

CCE-34952-2
Prevent changing sounds Prevents users from changing the sound scheme. By default, users can use the Sounds tab in the Sound Control Panel to add, remove, or change the system Sound Scheme. If you enable this setting, none of the Sound Scheme settings can be changed by the user.

CCE-33754-3
Remove File menu from File Explorer Removes the File menu from My Computer and File Explorer. This setting does not prevent users from using other methods to perform tasks available on the File menu.

CCE-34075-2
Turn on the Ability for Applications to Prevent Sleep Transitions (Plugged In) Enables applications and services to prevent the system from sleeping. If you enable this policy setting, an application or service may prevent the system from sleeping (Hybrid Sleep, Stand By, or Hibernate). If you di ...

CCE-33887-1
Scan packed executables This policy setting allows you to configure scanning for packed executables. It is recommended that this type of scanning remain enabled. If you enable or do not configure this setting, packed executables will be scanned. If you disable this setting, packed executable ...

CCE-34120-6
Allow CredSSP authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts CredSSP authentication from a remote client. If you enable this policy setting, the WinRM service will accept CredSSP authentication from a remote client. ...

CCE-34373-1
Custom Classes: Deny write access This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access will be denied to these removable storage classes. If you disable or do not configure this policy setting, write access will be allowed to ...

CCE-33874-9
Configure local setting override for scheduled scan time This policy setting configures a local override for the configuration of scheduled scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Policy. I ...

CCE-35327-6
User management of sharing user name, account picture, and domain information with apps (not desktop apps) This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information. If you enable this policy setting, sharing of user name ...

CCE-35380-5
Intranet proxy servers for apps This setting does not apply to desktop apps. A semicolon-separated list of intranet proxy server IP addresses. These addresses are categorized as private by Windows Network Isolation and are accessible to apps that have the Home/Work Networking capability. ...

CCE-34889-6
Devices: Allow undock without having to log on This policy setting determines whether a portable computer can be undocked if the user does not log on to the system. Enable this policy setting to eliminate a Logon requirement and allow use of an external hardware eject button to undock the computer. ...

CCE-33621-4
Software Installation (Computers) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this po ...

CCE-33233-8
Support Email Address Specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator. When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the ...

CCE-33678-4
Hide previous versions list for remote files This policy setting lets you hide the list of previous versions of files that are on file shares. The previous versions come from the on-disk restore points on the file share. If you enable this policy setting, users cannot list or restore previous ve ...

CCE-35064-5
Interactive logon: Message text for users attempting to log on Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting specifies a text message that displays to users wh ...

CCE-34516-5
Do not automatically encrypt files moved to encrypted folders Prevents Windows Explorer from encrypting files that are moved to an encrypted folder. If you disable this setting or do not configure it, Windows Explorer automatically encrypts files that are moved to an encrypted folder. This settin ...

CCE-32987-0
Permit use of Applications preference extension This policy setting allows you to permit or prohibit use of the Applications preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy set ...

CCE-34832-6
Fail authentication requests when Kerberos armoring is not available This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. Warning: When a domain does not support Kerberos armoring by enabling 'Support Dyn ...

CCE-34503-3
Do not allow manual configuration of discovered targets If enabled then discovered targets may not be manually configured. If disabled then discovered targets may be manually configured. Note: if enabled there may be cases where this will break VDS.

CCE-35656-8
Disallow Autoplay for non-volume devices This policy setting disallows AutoPlay for MTP devices like cameras or phones. If you enable this policy setting, AutoPlay is not allowed for MTP devices like cameras or phones. If you disable or do not configure this policy setting ...

CCE-33741-0
MSS: (NtfsDisable8dot3NameCreation) Enable the computer to stop generating 8.3 style filenames Windows Server operating systems support 8.3 file name formats for backward compatibility with 16-bit applications. The 8.3 file name convention is a naming format that allows file names up to eight charac ...

CCE-33798-0
Set SYSVOL share compatibility This policy setting controls whether or not the SYSVOL share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. When this setting is enabled, the SYSVOL share will honor fil ...

CCE-35207-0
Do not enumerate connected users on domain-joined computers This policy setting prevents connected users from being enumerated on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do n ...

CCE-34769-0
Limit the maximum BITS job download time This policy setting limits the amount of time that Background Intelligent Transfer Service (BITS) will take to download the files in a BITS job. The time limit applies only to the time that BITS is actively downloading files. When the cumulative download ti ...

CCE-34493-7
Do not allow client printer redirection This policy setting allows you to specify whether to prevent the mapping of client printers in Remote Desktop Services sessions. You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer attached to th ...

CCE-34307-9
Diagnostics: Configure scenario execution level Determines the execution level for Diagnostic Policy Service (DPS) scenarios. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the DPS will detect ...

CCE-33442-5
Prohibit access to properties of a LAN connection Determines whether users can change the properties of a LAN connection. This setting determines whether the Properties menu item is enabled, and thus, whether the Local Area Connection Properties dialog box is available to users. If you enable ...

CCE-35184-1
Prevent changing color and appearance Disables the Color (or Window Color) page in the Personalization Control Panel, or the Color Scheme dialog in the Display Control Panel on systems where the Personalization feature is not available. This setting prevents users from using Control Panel to cha ...

CCE-33113-2
Permit use of Folder Options preference extension This policy setting allows you to permit or prohibit use of the Folder Options preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy ...

CCE-33665-1
Enforce upgrade component rules This setting causes the Windows Installer to enforce strict rules for component upgrades - setting this may cause some updates to fail. If you enable this policy setting strict upgrade rules will be enforced by the Windows Installer. Upgrades can fail if they attemp ...

CCE-33808-7
Propagate extended error information This policy setting controls whether the RPC runtime generates extended error information when an error occurs. Extended error information includes the local time that the error occurred, the RPC version, and the name of the computer on which the error occurr ...

CCE-34529-8
Do not show the 'local access only' network icon Specifies whether or not the 'local access only' network icon will be shown. When enabled, the icon for Internet access will be shown in the system tray even when a user is connected to a network with local access only. If you disable this setting ...

CCE-35118-9
TTL value for A and PTR records Specifies the value of the time to live (TTL) field in A and PTR resource records that are registered by computers to which this policy setting is applied. To specify the TTL, click Enabled and then enter a value in seconds (for example, 900 is 15 minutes). If ...

CCE-34582-7
Do not allow Windows Messenger to be run Allows you to disable Windows Messenger. If you enable this setting, Windows Messenger will not run. If you disable or do not configure this setting, Windows Messenger can be used. Note: If you enable this setting, Remote Assistance also cannot use Window ...

CCE-35789-7
Start Screen Layout Specifies the Start screen layout for users. This setting lets you specify the Start screen layout for users and prevents them from changing its configuration. The Start screen layout you specify must be stored in an XML file that was generated by the Export-StartLayout Power ...

CCE-35630-3
Turn off the 'Publish to Web' task for files and folders This policy setting specifies whether the tasks 'Publish this file to the Web,' 'Publish this folder to the Web,' and 'Publish the selected items to the Web' are available from File and Folder Tasks in Windows folders. The Web Publishing W ...

CCE-34845-8
Event Viewer (Windows Vista) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-33126-4
Do not allow Digital Locker to run Specifies whether Digital Locker can run. Digital Locker is a dedicated download manager associated with Windows Marketplace and a feature of Windows that can be used to manage and download products acquired and stored in the user's Windows Marketplace Digital ...

CCE-33379-9
Do not allow Windows Journal to be run Prevents start of Windows Journal. If you enable this policy, the Windows Journal accessory will not run. If you disable this policy, the Windows Journal accessory will run. If you do not configure this policy, the Windows Journal accessory will run.

CCE-35291-4
Turn off picture password sign-in This policy setting allows you to control whether a domain user can sign in using a picture password. If you enable this policy setting, a domain user can't set up or sign in with a picture password. If you disable or don't configure this policy setting, a d ...

CCE-33006-8
Remove browse dialog box for new source Prevents users from searching for installation files when they add features or components to an installed program. This setting disables the Browse button beside the 'Use feature from' list in the Windows Installer dialog box. As a result, users must select ...

CCE-33322-9
Add Logoff to the Start Menu This policy only applies to the classic version of the start menu and does not affect the new style start menu. Adds the 'Log Off <username>' item to the Start menu and prevents users from removing it. If you enable this setting, the Log Off <username> item appear ...

CCE-32943-3
Hide the Set Program Access and Defaults page Removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain ...

CCE-35434-0
Turn on or off details pane This policy setting shows or hides the Details Pane in File Explorer. If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user. If you enable this policy setting and configu ...

CCE-35238-5
Always show desktop on connection This policy setting allows you to specify whether the desktop is always displayed after a client connects to a remote computer or whether an initial program can run. It can require that the desktop be displayed after a client connects to a remote computer, even if ...

CCE-33861-6
Scan all downloaded files and attachments This policy setting allows you to configure scanning for all downloaded files and attachments. If you enable or do not configure this setting, scanning for all downloaded files and attachments will be enabled. If you disable this setting, scanning for ...

CCE-35567-7
Select the Power Button Action (On Battery) Specifies the action that Windows takes when a user presses the power button. Possible actions include: -Take no action -Sleep -Hibernate -Shut down If you enable this policy setting, you must select the desired action. If you disable this policy set ...

CCE-34253-5
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows This policy setting configures whether or not fixed data drives formatted with the FAT file system can be unlocked and viewed on computers running Windows Server 2008, Windows Vista, Windows XP with Service Pack ...

CCE-33455-7
Block launching desktop programs associated with a file. This policy setting allows you to minimize the risk involved when an app launches the default program for a file. Because desktop programs run at a higher integrity level than apps, there is a risk that an app could compromise the system by l ...

CCE-33202-3
Turn off access to the OEM and Microsoft branding section This policy setting removes access to the performance center control panel OEM and Microsoft branding links. If you enable this policy setting, the OEM and Microsoft web links within the performance control panel page are not displaye ...

CCE-35095-9
Turn on PIN sign-in This policy setting allows you to control whether a domain user can sign in using a PIN. If you enable this policy setting, a domain user can set up and sign in with a PIN. If you disable or don't configure this policy setting, a domain user can't set up and use a PIN. ...

CCE-34921-7
Removable Storage Management This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-33928-3
Always automatically restart at the scheduled time If you enable this policy, a restart timer will always begin immediately after Windows Update installs important updates, instead of first notifying users on the login screen for at least two days. The restart timer can be configured to start wi ...

CCE-33652-9
Restrict selection of Windows menus and dialogs language This policy setting restricts users to the specified language by disabling the menus and dialog box controls in the Region settings control panel. If the specified language is not installed on the target computer, the language selection defau ...

CCE-33259-3
Turn off Windows Startup Sound Turn off the Windows Startup sound and prevent its customization in the Sound item of Control Panel. The Microsoft Windows Startup sound is heard during system startup and cold startup and can be turned on or off in the Sound item of Control Panel. Enabling or disab ...

CCE-35776-4
Turn off background refresh of Group Policy Prevents Group Policy from being updated while the computer is in use. This setting applies to Group Policy for computers, users, and domain controllers. If you enable this setting, the system waits until the current user logs off the system before updat ...

CCE-35314-4
Allow indexing of encrypted files This policy setting allows encrypted items to be indexed. If you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting, the search service components (including ...

CCE-33915-0
Define file shares for downloading definition updates This policy setting allows you to configure UNC file share sources for downloading definition updates. Sources will be contacted in the order specified. The value of this setting should be entered as a pipe-separated string enumerating the defin ...

CCE-34463-0
Removable Disks: Deny write access This policy setting denies write access to removable disks. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this removable storage c ...

CCE-35033-0
Turn off the communities features Windows Mail will not check your newsgroup servers for Communities support.

CCE-35286-4
Specify corporate DNS probe host name This policy setting enables you to specify the host name of a computer known to be on the corporate network. Successful resolution of this host name to the expected address indicates corporate connectivity.

CCE-35482-9
Reporting This setting allows you to configure the EMET reporting configuration for the Windows Event Log, the Tray Icon, and the Early Warning Program. If you enable or do not configure this setting, you can configure EMET reporting for the Windows Event Log, the Tray Icon, and the Early Warnin ...

CCE-35745-9
Switch to the Simplified Chinese (PRC) gestures Switches the gesture set used for editing from the common handheld computer gestures to the Simplified Chinese (PRC) standard gestures. Tablet PC Input Panel is a Tablet PC accessory that enables you to use handwriting or an on-screen keyboard to ent ...

CCE-33335-1
Do not search programs and Control Panel items If you enable this policy setting the Start menu search box will not search for programs or Control Panel items. If you disable or do not configure this policy setting, the Start menu search box will search for programs and Control Panel items, unle ...

CCE-34922-5
System Information This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, t ...

CCE-33072-0
Choose how BitLocker-protected fixed drives can be recovered This policy setting allows you to control how BitLocker-protected fixed data drives are recovered in the absence of the required credentials. This policy setting is applied when you turn on BitLocker. The 'Allow data recovery agent' ch ...

CCE-33576-0
Configure BranchCache for network files This policy setting changes the default round trip network latency value above which network files are cached by client computers in the branch. BranchCache for network files enables computers in a branch office to cache data from Intranet servers on which Br ...

CCE-33772-5
Hide the common dialog places bar Removes the shortcut bar from the Open dialog box. This setting, and others in this folder, lets you remove new features added in Windows 2000 Professional, so that the Open dialog box looks like it did in Windows NT 4.0 and earlier. These policies only affect p ...

CCE-32960-7
Prompt user when a slow network connection is detected This policy setting provides users with the ability to download their roaming profile, even when a slow network connection with their roaming profile server is detected. If you enable this policy setting, users will be allowed to define whethe ...

CCE-33139-7
Turn off automatic wake This policy setting turns off the option to periodically wake the computer to update information on Windows SideShow-compatible devices. If you enable this policy setting, the option to automatically wake the computer will not be available in the Windows SideShow Control Pa ...

CCE-33892-1
Disable help tips Disables help tips that Windows shows to the user. By default, Windows will show the user help tips until the user has successfully completed the scenarios. If this setting is enabled, Windows will not show any help tips to the user.

CCE-34739-3
Group Policy tab for Active Directory Tools Permits or prohibits use of the Group Policy tab in property sheets for the Active Directory Users and Computers and Active Directory Sites and Services snap-ins. If you enable this setting, the Group Policy tab is displayed in the property sheet for a ...

CCE-34330-1
Configure Default consent This setting determines the consent behavior of Windows Error Reporting. If Consent level is set to 'Always ask before sending data', Windows will prompt the user for consent to send reports. If Consent level is set to 'Send parameters', the minimum data required to che ...

CCE-34080-2
Update Top Level Domain Zones Specifies whether the computers to which this setting is applied may send dynamic updates to the zones named with a single label name, also known as top-level domain zones, for example, 'com'. By default, a DNS client configured to perform dynamic DNS update sends dyn ...

CCE-35309-4
Allow users to patch elevated products This policy setting allows users to patch elevated products. If you enable this policy setting, all users are permitted to install patches, even when the installation program is running with elevated system privileges. Patches are updates or upgrades that r ...

CCE-35153-6
MaxConcurrentUsers Configures the maximum number of users able to concurrently perform remote shell operations on the system. The value can be any number from 1 to 100. If you enable this policy setting, the new shell connections will be rejected if they exceed the specified limit. If you disab ...

CCE-34027-3
Action on server disconnect Determines whether network files remain available if the computer is suddenly disconnected from the server hosting the files. This setting also disables the 'When a network connection is lost' option on the Offline Files tab. This prevents users from trying to change ...

CCE-34802-9
Internet Information Services This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-33706-3
OSPF Routing This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the sna ...

CCE-33228-8
Hide and disable all items on the desktop Removes icons, shortcuts, and other default and user-defined items from the desktop, including Briefcase, Recycle Bin, Computer, and Network Locations. Removing icons and shortcuts does not prevent the user from using another method to start the programs ...

CCE-33281-7
Default Active Directory path when searching for printers Specifies the Active Directory location where searches for printers begin. The Add Printer Wizard gives users the option of searching Active Directory for a shared printer. If you enable this policy setting, these s ...

CCE-35077-7
Set action to take when logon hours expire This policy controls which action will be taken when the logon hours expire for the logged on user. The actions include lock the workstation, disconnect the user, or log the user off completely. If you choose to lock or disconnect a session, the user ca ...

CCE-34672-6
Always open All Control Panel Items when opening Control Panel This policy setting controls the default Control Panel view, whether by category or icons. If this policy setting is enabled, the Control Panel opens to the icon view. If this policy setting is disabled, the Control Panel opens t ...

CCE-33902-8
Specify the time of day to run a scheduled scan This policy setting allows you to specify the time of day at which to perform a scheduled scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting ...

CCE-33424-3
Back up log automatically when full This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the 'Retain old events' policy setting is enabled. If you enable this policy setting and the 'Retain old events' policy setting is enabled, the ...

CCE-35669-1
Specify a default color This policy setting controls the default color for window frames when the user does not specify a color. If you enable this policy setting and specify a default color, this color is used in glass window frames, if the user does not specify a color. If you disable or ...

CCE-35020-7
Redirect only the default client printer This policy setting allows you to specify whether the default client printer is the only printer redirected in Remote Desktop Services sessions. If you enable this policy setting, only the default client printer is redirected in Remote Desktop Services se ...

CCE-34134-7
Printer browsing Announces the presence of shared printers to print browse master servers for the domain. On domains with Active Directory, shared printer resources are available in Active Directory and are not announced. If you enable this setting, the print spooler announces shared printers to ...

CCE-35393-8
Allow Secure Boot for integrity validation This policy setting allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secure Boot ensures that the PC's pre-boot environment only loads firmware that is digitally signed ...

CCE-33826-9
Prevent the usage of OneDrive for file storage This policy setting lets you prevent apps and features from working with files on OneDrive. If you enable this policy setting: * Users can't access OneDrive from the OneDrive app and file picker. * Windows Store apps can't access OneDrive using th ...

CCE-32973-0
Add/Delete items Adds and deletes specified Web content items. You can use the 'Add' box in this setting to add particular Web-based items or shortcuts to users' desktops. Users can close or delete the items (if settings allow), but the items are added again each time the setting is refreshed. ...

CCE-34948-0
Wireless Network (IEEE 802.11) Policies This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable t ...

CCE-35197-3
Include rarely used Chinese, Kanji, or Hanja characters Includes rarely used Chinese, Kanji, and Hanja characters when handwriting is converted to typed text. This policy applies only to the use of the Microsoft recognizers for Chinese (Simplified), Chinese (Traditional), Japanese, and Korean. This ...

CCE-33108-2
Prohibit rollback Prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. This setting prevents Windows Installer from recording the original state of the system and sequence of changes it makes during installation. It also ...

CCE-34014-1
Disallow Negotiate authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not accept Negotiate authentication from a remote client. If you enable this policy setting, the WinRM service will not accept Negotiate authentication from a remot ...

CCE-34476-2
TPM Management This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the s ...

CCE-35416-7
Disallow WinRM from storing RunAs credentials This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins. If you enable this policy setting, the WinRM service will not allow the RunAsUser or RunAsP ...

CCE-35273-2
Domain member: Digitally encrypt secure channel data (when possible) This policy setting determines whether a domain member should attempt to negotiate encryption for all secure channel traffic that it initiates. If you enable this policy setting, the domain member will request encryption of all se ...

CCE-34343-4
Allow audio recording redirection This policy setting allows you to specify whether users can record audio to the remote computer in a Remote Desktop Services session. Users can specify whether to record audio to the remote computer by configuring the remote audio settings on the Local Resources t ...

CCE-35549-5
Permit use of Ini Files preference extension This policy setting allows you to permit or prohibit use of the Ini Files preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setting, ...

CCE-33085-2
Reset platform validation data after BitLocker recovery This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocker recovery. If you enable this policy setting, platform validation data will be refreshed when Windows ...

CCE-35140-3
Hide notifications about RD Licensing problems that affect the RD Session Host server This policy setting determines whether notifications are displayed on an RD Session Host server when there are problems with RD Licensing that affect the RD Session Host server. By default, notifications are disp ...

CCE-35388-8
Enable indexing of online delegate mailboxes Enabling this policy allows indexing of items for online delegate mailboxes on a Microsoft Exchange server. This policy affects only delegate mailboxes that are online. Microsoft Outlook 2007 allows users to cache portions of delegate mailboxes locally ( ...

CCE-32991-2
Permit use of Internet Settings preference extension This policy setting allows you to permit or prohibit use of the Internet Settings preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this ...

CCE-34565-2
Configure Scenario Execution Level Determines the execution level for Windows Shutdown Performance Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DPS ...

CCE-34312-9
Remove 'Make Available Offline' command This policy setting prevents users from making network files and folders available offline. If you enable this policy setting, users cannot designate files to be saved on their computer for offline use. However, Windows will still cache local copies of fil ...

CCE-35135-3
Enable Windows NTP Server Specifies whether the Windows NTP Server is enabled. Enabling the Windows NTP Server allows your computer to service NTP requests from other machines.

CCE-33490-4
Prevent users from sharing files within their profile. This policy setting specifies whether users can share files within their profile. By default users are allowed to share files within their profile to other users on their network after an administrator opts in the computer. An administrator ca ...

CCE-33946-5
Turn off Quiet Hours This policy setting turns off Quiet Hours functionality. If you enable this policy setting, toast notifications will not be suppressed and some background tasks will not be deferred during the designated Quiet Hours time window each day. If you disable thi ...

CCE-35584-2
Set PNRP cloud to resolve only This policy setting limits a node to resolving, but not publishing, names in a specific Peer Name Resolution Protocol (PNRP) cloud. This policy setting forces computers to act as clients in peer-to-peer (P2P) scenarios. For example, a client computer can detect other ...

CCE-33294-0
Disable binding directly to IPropertySetStorage without intermediate layers. Changes the behavior of IShellFolder::BindToObject for IID_IPropertySetStorage to not bind directly to the IPropertySetStorage implementation, and to include the intermediate layers provided by the Property System. This b ...

CCE-35451-4
Do not allow Folder Options to be opened from the Options button on the View tab of the ribbon This policy setting allows you to prevent users from accessing Folder Options through the View tab on the ribbon in File Explorer. Folder Options allows users to change the way files and folders open, ...

CCE-35255-9
Allow users to connect remotely by using Remote Desktop Services This policy setting allows you to configure remote access to computers by using Remote Desktop Services. If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer can connect ...

CCE-33617-2
Administrative Templates (Computers) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this ...

CCE-33670-1
Filter duplicate logon certificates This policy setting lets you configure if all your valid logon certificates are displayed. During the certificate renewal period, a user can have multiple valid logon certificates issued from the same certificate template. This can cause confusion as to which ...

CCE-35714-5
Reduce Display Brightness (Plugged In) Specify the period of inactivity before Windows automatically reduces brightness of the display. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows automatically reduces ...

CCE-35464-7
Turn off the display of snippets in Content view mode This policy setting allows you to turn off the display of snippets in Content view mode. If you enable this policy setting, File Explorer will not display snippets in Content view mode. If you disable or do not configure this policy settin ...

CCE-33933-3
List desktop apps first in the Apps view This policy setting allows desktop apps to be listed first in the Apps view in Start. If you enable this policy setting, desktop apps would be listed first when the apps are sorted by category in the Apps view. The other sorting options would continue to ...

CCE-34698-1
Do not allow LPT port redirection Specifies whether to prevent the redirection of data to client LPT ports during a Remote Desktop Services session. You can use this setting to prevent users from mapping local LPT ports and redirecting data from the remote computer to local LPT port peripherals. B ...

CCE-33317-9
Turn off automatic wake This policy setting turns off the option to periodically wake the computer to update information on Windows SideShow-compatible devices. If you enable this policy setting, the option to automatically wake the computer will not be available in the Windows SideShow Control ...

CCE-34489-5
Prohibit rollback This policy setting prohibits Windows Installer from generating and saving the files it needs to reverse an interrupted or unsuccessful installation. If you enable this policy setting, Windows Installer is prevented from recording the original state of the system and sequence o ...

CCE-33737-8
Prevent indexing of certain file types Enabling this policy allows you to edit the list of file types to exclude from indexing. The end user cannot modify this list. You should separate each extension type with a semicolon. Note that limitations of Group Policy Object Editor require this list to b ...

CCE-33174-4
Prohibit closing items Prevents users from removing Web content from their Active Desktop. In Active Desktop, you can add items to the desktop but close them so they are not displayed. If you enable this setting, items added to the desktop cannot be closed; they always appear on the desktop. ...

CCE-35638-6
Hide Change or Remove Programs page Removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. I ...

CCE-34521-5
Use initial DC discovery retry setting for background callers This policy setting determines the amount of time (in seconds) to wait before the first retry for applications that perform periodic searches for domain controllers (DC) that are unable to find a DC. The default value for this setting ...

CCE-35495-1
Audit Policy: Account Logon: Kerberos Authentication Service This subcategory reports events generated by the Kerberos Authentication Server. These events occur on the computer that is authoritative for the credentials. Events for this subcategory include: - 4768: A Kerberos authentication ticket ( ...

CCE-34103-2
Do not use the tracking-based method when resolving shell shortcuts Prevents the system from using NTFS tracking features to resolve a shortcut. By default, when the system cannot find the target file for a shortcut (.lnk), it searches all paths associated with the shortcut. If the target file i ...

CCE-35803-6
Allow Microsoft accounts to be optional This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that ...

CCE-35691-5
Specify the System Hibernate Timeout (Plugged In) Specifies the period of inactivity before Windows transitions the system to hibernate. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. If ...

CCE-35242-7
Minimize the number of simultaneous connections to the Internet or a Windows Domain This policy setting prevents computers from establishing multiple simultaneous connections to either the Internet or to a Windows domain. If this policy setting is enabled, when the computer has at le ...

CCE-33857-4
Define the maximum size of downloaded files and attachments to be scanned This policy setting defines the maximum size (in kilobytes) of downloaded files and attachments that will be scanned. If you enable this setting, downloaded files and attachments smaller than the size specified will be sca ...

CCE-35179-1
Interactive logon: Message title for users attempting to log on Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting allows text to be specified in the title bar of t ...

CCE-34774-0
Require use of fast startup This policy setting controls the use of fast startup. If you enable this policy setting, the system requires hibernate to be enabled. If you disable or do not configure this policy setting, the local setting is used.

CCE-34325-1
Computer location Specifies the default location criteria used when searching for printers. This setting is a component of the Location Tracking feature of Windows printers. To use this setting, enable Location Tracking by enabling the 'Pre-populate printer search location text' setting. When Loc ...

CCE-34182-6
Prohibit connecting and disconnecting a remote access connection Determines whether users can connect and disconnect remote access connections. If you enable this setting (and enable the 'Enable Network Connections settings for Administrators' setting), double-clicking the icon has no effect, an ...

CCE-34917-5
Always rasterize content to be printed using a software rasterizer Determines whether the XPS Rasterization Service or the XPS-to-GDI conversion (XGC) is forced to use a software rasterizer instead of a Graphics Processing Unit (GPU) to rasterize pages. On machines with an ARM processor, this po ...

CCE-35299-7
Microsoft network server: Server SPN target name validation level This policy setting controls the level of validation a computer with shared folders or printers (the server) performs on the service principal name (SPN) that is provided by the client computer when it establishes a session using the ...

CCE-34458-0
Allow unencrypted traffic This policy setting allows you to manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network. If you enable this policy setting, the WinRM client sends and receives unencrypted messages over the network. If you di ...

CCE-35122-1
Prohibit selection of visual style font size Prevents users from changing the size of the font in the windows and buttons displayed on their screens. If this setting is enabled, the 'Font size' drop-down list on the Appearance tab in Display Properties is disabled. If you disable or do not c ...

CCE-33800-4
Configure folder redirection policy processing This policy setting determines when folder redirection policies are updated. This policy setting affects all policies that use the folder redirection component of Group Policy, such as those in WindowsSettings\Folder Redirection. You can only set fo ...

CCE-35780-6
Turn off downloading of game information Manages download of game box art and ratings from the Windows Metadata Services. If you enable this setting, game information including box art and ratings will not be downloaded. If you disable or do not configure this setting, game information will be d ...

CCE-33724-6
Exclude directories in roaming profile This policy setting lets you exclude folders that are normally included in the user's profile. As a result, these folders do not need to be stored by the network server on which the profile resides and do not follow users to other computers. Note: When excl ...

CCE-33977-0
Approved Installation Sites for ActiveX Controls The ActiveX Installer Service is the solution to delegate the install of per-machine ActiveX controls to a Standard User in the enterprise. The list of Approved ActiveX Install sites contains the host URL and the policy settings for each host URL. W ...

CCE-33581-0
Remove the Action Center icon This policy setting allows you to remove the Action Center from the system control area. If you enable this policy setting, the Action Center icon is not displayed in the system notification area. If you disable or do not configure this policy setting, the Action ...

CCE-33054-8
DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax This policy setting determines which users or groups might launch or activate DCOM applications remotely or locally. This setting is used to control the attack surface of the computer for DCOM applications. ...

CCE-34654-4
Prevent Sharing Command Prompts Prevents users from sharing command prompts. This prevents users from inadvertently sharing out applications, since command prompts can be used to launch other applications.

CCE-33263-5
Turn On Compatibility HTTP Listener This policy setting enables or disables an HTTP listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. When certain port 80 listeners are migrated to WinRM 2.0, the listener port number changes ...

CCE-35727-7
Audit account management This policy setting determines whether to audit each account management event on a computer. Examples of account management events include: - A user account or group is created, changed, or deleted. - A user account is renamed, disabled, or enabled. - A password is set or c ...

CCE-35571-9
Server Authentication Certificate Template This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when SS ...

CCE-33406-0
Allow pruning of published printers Determines whether the domain controller can prune (delete from Active Directory) the printers published by this computer. By default, the pruning service on the domain controller prunes printer objects from Active Directory if the computer that published them d ...

CCE-35046-2
Indexing Service This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the ...

CCE-34116-4
Allow administrators to override Device Installation Restriction policies This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, members of th ...

CCE-33920-0
Initiate definition update on startup This policy setting allows you to configure definition updates on startup when there is no antimalware engine present. If you enable or do not configure this setting, definition updates will be initiated on startup when there is no antimalware engine present ...

CCE-34578-5
Do not allow changes to initiator iqn name If enabled then do not allow the initiator iqn name to be changed. If disabled then the initiator iqn name may be changed.

CCE-34850-8
Routing This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap-in ...

CCE-34249-3
Disallow Negotiate authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Negotiate authentication. If you enable this policy setting, the WinRM client will not use Negotiate authentication. If you disable or do not configure this ...

CCE-35375-5
Prohibit connection to non-domain networks when connected to domain authenticated network This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time. If this policy setting is enabled, the computer responds to ...

CCE-35094-2
Establish ActiveX installation policy for sites in Trusted zones This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. If ...

CCE-33189-2
Remove Support Information Removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a 'Click here for support information' hyperlink. When clicked, the hyperlink opens a dialog box that dis ...

CCE-34799-7
Hide the General page Hides the General page of the Tools Options dialog. Users will not then be able to change personal identification and bandwidth settings.

CCE-33855-8
Configure monitoring for incoming and outgoing file and program activity This policy setting allows you to configure monitoring for incoming and outgoing files, without having to turn off monitoring entirely. It is recommended for use on servers where there is a lot of incoming and outgoing file ac ...

CCE-34995-1
Network Security: Restrict NTLM: Add remote server exceptions for NTLM authentication This policy setting allows you to create an exception list of remote servers to which clients are allowed to use NTLM authentication if the 'Network Security: Restrict NTLM: Outgoing NTLM traffic to remote server ...

CCE-33988-7
Delete data from devices running Microsoft firmware when a user logs off from the computer. This policy setting deletes all data stored on Windows SideShow-compatible devices (running Microsoft firmware) when a user logs off from the computer. This is a security precaution but it significantly limi ...

CCE-33659-4
Configure Group Policy slow link detection This policy setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specif ...

CCE-35816-8
Prevent installation of removable devices This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) d ...

CCE-35686-5
Specify maximum amount of memory in MB per Shell Configures maximum total amount of memory in megabytes that can be allocated by any active remote shell and all its child processes. Any value from 0 to 0x7FFFFFFF can be set, where 0 equals unlimited memory, which means the ability of remote operat ...

CCE-33385-6
Allow .rdp files from valid publishers and user's default .rdp settings This policy setting allows you to specify whether users can run Remote Desktop Protocol (.rdp) files from a publisher that signed the file with a valid certificate. A valid certificate is one that is issued by an authority reco ...

CCE-34666-8
Prevent automatic acceptance of Calls Prevents users from turning on automatic acceptance of incoming calls. This ensures that others cannot call and connect to NetMeeting when the user is not present. This policy is recommended when deploying NetMeeting to run always.

CCE-34030-7
Reminder balloon lifetime Determines how long updated reminder balloons are displayed. Reminder balloons appear when the user's connection to a network file is lost or reconnected, and they are updated periodically. By default, the first reminder for an event is displayed for 30 seconds. Then, u ...

CCE-34270-9
WPD Devices: Deny read access This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access will be denied to this removable storage class. If you disable or do not co ...

CCE-33722-0
Set RD Gateway server address Specifies the address of the RD Gateway server that clients must use when attempting to connect to an RD Session Host server. You can enforce this policy setting or you can allow users to overwrite this policy setting. By default, when you enable this policy setting, i ...

CCE-33265-0
Turn on logging This policy setting turns on logging. If you enable or do not configure this policy setting, then events can be written to this log. If the policy setting is disabled, then no new events can be logged. Events can always be read from the log, regardless of this policy setting.

CCE-34217-0
Change Group Policy processing to run asynchronously when a slow network connection is detected. This policy directs Group Policy processing to skip processing any client side extension that requires synchronous processing (that is, whether computers wait for the network to be fully initialized dur ...

CCE-33132-2
Turn on misconversion logging for misconversion report This policy setting allows you to turn on logging of misconversion for the misconversion report. If you enable this policy setting, misconversion logging is turned on. If you disable or do not configure this policy setting, misconversion ...

CCE-34742-7
Health Registration Authority (HRA) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this ...

CCE-35104-9
Set Group Policy refresh interval for computers This policy setting specifies how often Group Policy for computers is updated while the computer is in use (in the background). This setting specifies a background update rate only for Group Policies in the Computer Configuration folder. In additio ...

CCE-35290-6
Set Netlogon share compatibility This policy setting controls whether or not the Netlogon share created by the Net Logon service on a domain controller (DC) should support compatibility in file sharing semantics with earlier applications. If you enable this policy setting, the Netlogon share wil ...

CCE-33408-6
Allow restore of system to default state Requirements: At least Windows 7 Description: This policy setting controls whether users can access the options in Recovery (in Control Panel) to restore the computer to the original state or from a user-created system image. If you enable or do not ...

CCE-35433-2
Configure Group Policy slow link detection This policy setting defines a slow connection for purposes of applying and updating Group Policy. If the rate at which data is transferred from the domain controller providing a policy update to the computers in this group is slower than the rate specif ...

CCE-34413-5
Prevent Flicks Learning Mode Makes pen flicks learning mode unavailable. If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the ...

CCE-32944-1
Set 6to4 Relay Name This policy setting allows you to specify a 6to4 relay name for a 6to4 host. A 6to4 relay is used as a default gateway for IPv6 network traffic sent by the 6to4 host. The 6to4 relay name setting has no effect if 6to4 connectivity is not available on the host. If you enable th ...

CCE-35237-7
Remove remote desktop wallpaper This policy setting allows you to specify whether desktop wallpaper is displayed to clients when they are connected to a remote server using RDP. You can use this setting to enforce the removal of wallpaper during a Remote Desktop Services session. If you ena ...

CCE-34875-5
Prevent backing up to network location This setting lets you prevent users from selecting a network location for storing backups. If this setting is enabled, users will be blocked from selecting a network location as a backup location. If this setting is disabled or not configured, users can sele ...

CCE-35793-9
Do not allow locations on removable drives to be added to libraries This policy setting configures whether or not locations on removable drives can be added to libraries. If you enable this policy setting, locations on removable drives cannot be added to libraries. In addition, locations ...

CCE-33461-5
Configure Default consent This policy setting determines the default consent behavior of Windows Error Reporting. If you enable this policy setting, you can set the default consent handling for error reports. The following list describes the Consent level settings that are available in the pull- ...

CCE-35566-9
Select the Lid Switch Action (Plugged In) Specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: -Take no action -Sleep -Hibernate -Shut down If you enable this policy setting, you must select the desired action. If you disable this policy s ...

CCE-35344-1
Set Minimum Idle Connection Timeout for RPC/HTTP connections This policy setting controls the idle connection timeout for RPC/HTTP connections. This policy setting is useful in cases where a network agent like an HTTP proxy or a router uses a lower idle connection timeout than the IIS server r ...

CCE-33646-1
IPsec Tunnel Endpoints Specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints. By default, NCA ...

CCE-34755-9
Ignore the local list of blocked TPM commands This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer's local list of blocked TPM commands and will only bloc ...

CCE-33899-6
Specify the maximum size of archive files to be scanned This policy setting allows you to configure the maximum size of archive files such as .ZIP or .CAB that will be scanned. The value represents file size in kilobytes (KB). The default value is 0 and represents no limit to archive size for scann ...

CCE-35709-5
Turn off automatic learning This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabula ...

CCE-35762-4
Troubleshooting: Allow users to access and run Troubleshooting Wizards This policy setting allows users to access and run the troubleshooting tools that are available in the Troubleshooting Control Panel and to run the troubleshooting wizard to troubleshoot problems on their computers. If you enab ...

CCE-33145-4
Detect compatibility issues for applications and drivers This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during application instal ...

CCE-33398-9
Allow local activation security check exemptions Allows you to specify that local computer administrators can supplement the 'Define Activation Security Check exemptions' list. If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in t ...

CCE-35540-4
Configure use of hardware-based encryption for removable data drives This policy setting allows you to manage BitLocker's use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can ...

CCE-34951-4
Event Viewer (Windows Vista) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-35028-0
Specify network directories to sync at logon/logoff time only This policy setting allows you to specify which network directories will be synchronized only at logon and logoff via Offline Files. This policy setting is meant to be used in conjunction with Folder Redirection, to help resolve issues w ...

CCE-35081-9
DNS servers Defines the DNS servers to which a computer sends queries when it attempts to resolve names. This policy setting supersedes the list of DNS servers configured locally and those configured using DHCP. To use this policy setting, click Enabled, and then enter a space-delimited list of ...

CCE-33025-8
Require use of specific security layer for remote (RDP) connections Specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this setting, all communication ...

CCE-33341-9
Remove Clock from the system notification area Prevents the clock in the system notification area from being displayed. If you enable this setting, the clock will not be displayed in the system notification area. If you disable or do not configure this setting, the default behavior of the clo ...

CCE-34492-9
Do not allow additional session logins If enabled then only those sessions that are established via a persistent login will be established and no new persistent logins may be created. If disabled then additional persistent and non persistent logins may be established.

CCE-34439-0
Disallow locally attached storage as backup target This policy setting allows you to manage whether backups of a machine can run to locally attached storage or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run backups to a locally ...

CCE-34074-5
System Properties This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, th ...

CCE-33474-8
Turn off PNRP cloud creation This policy setting enables or disables PNRP cloud creation. PNRP is a distributed name resolution protocol allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then resolve the name, retrieve th ...

CCE-33766-7
Pin Libraries or Search Connectors to the 'Search again' links and the Start menu This policy setting allows up to five Libraries or Search Connectors to be pinned to the 'Search again' links and the Start menu links. The 'Search again' links at the bottom of the Search Results view allow the user ...

CCE-35420-9
Do not sync on metered connections Prevent syncing to and from this PC when on metered Internet connections. This turns off and disables 'sync your settings on metered connections' switch on the 'sync your settings' page in PC Settings. If you enable this policy setting, syncing on metered conn ...

CCE-35015-7
Start a program on connection Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Services sessions provide access t ...

CCE-34426-7
Prohibit Drag-and-Drop Prevents users from adding or removing tasks by moving or copying programs in the Scheduled Tasks folder. This setting disables the Cut, Copy, Paste, and Paste Shortcut items on the context menu and the Edit menu in Scheduled Tasks. It also disables the drag-and-drop featu ...

CCE-35673-3
Turn off custom dictionary This policy setting allows you to turn off the ability to use a custom dictionary. If you enable this policy setting, you cannot add, edit, and delete words in the custom dictionary either with GUI tools or APIs. A word registered in the custom dictionary before enabli ...

CCE-33221-3
Turn off System Restore Allows you to disable System Restore. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. By default, System Restore is turned on for the boot volume. If you enable this setting, System ...

CCE-33909-3
Turn on reparse point scanning This policy setting allows you to configure reparse point scanning. If you allow reparse points to be scanned, there is a possible risk of recursion. However, the engine supports following reparse points to a maximum depth so at worst scanning could be slowed. Reparse ...

CCE-35148-6
Prevent redirection of USB devices This policy setting prevents redirection of USB devices. If you enable this setting, an alternate driver for USB devices cannot be loaded. If you disable or do not configure this setting, an alternate driver for USB devices can be loaded.

CCE-33278-3
Browse a common web site to find printers Adds a link to an Internet or intranet Web page to the Add Printer Wizard. You can use this setting to direct users to a Web page from which they can install printers. If you enable this setting and type an Internet or intranet add ...

CCE-35477-9
Default Protections for Popular Software This setting allows you to apply the suggested EMET protections to other popular software (such as iTunes). If you enable this setting, the suggested EMET protections are applied to the other popular software. If you disable this setting, the suggested ...

CCE-33962-2
Wait for remote user profile Directs the system to wait for the remote copy of the roaming user profile to load, even when loading is slow. Also, the system waits for the remote copy when the user is notified about a slow connection, but does not respond in the time allowed. This setting and relat ...

CCE-33633-9
Component Services This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, t ...

CCE-34559-5
Prevent use of Offline Files folder Disables the Offline Files folder. This setting disables the 'View Files' button on the Offline Files tab. As a result, users cannot use the Offline Files folder to view or open copies of network files stored on their computer. Also, they cannot use the folder ...

CCE-34964-7
Leave Windows Installer and Group Policy Software Installation Data Determines whether the system retains a roaming user's Windows Installer and Group Policy based software installation data on their profile deletion. By default User profile deletes all information related to a roaming user (which ...

CCE-35402-7
Do not process the run once list This policy setting ignores customized run-once lists. You can create a customized list of additional programs and documents that are started automatically the next time the system starts (but not thereafter). These programs are added to the standard list of prog ...

CCE-35206-2
Warning for large Kerberos tickets This policy setting allows you to monitor tickets issued during Kerberos authentication whose size is close to or greater than a configured threshold value. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set th ...

CCE-35196-5
Specify maximum log file size This policy setting specifies the maximum size in bytes of the log file netlogon.log in the directory %windir%\debug when logging is enabled. By default, the maximum size of the log file is 20MB. If you enable this policy setting, the maximum size of the log file is ...

CCE-33101-7
Choose how BitLocker-protected operating system drives can be recovered This policy setting allows you to control how BitLocker-protected operating system drives are recovered in the absence of the required startup key information. This policy setting is applied when you turn on BitLocker. The ' ...

CCE-34252-7
Display information about previous logons during user logon This policy setting controls whether or not the system displays information about previous logons and logon failures to the user. For local user accounts and domain user accounts in Microsoft Windows Server 2008 functional level domains, ...

CCE-34768-2
Limit the age of files in the BITS Peercache This policy setting limits the maximum age of files in the Background Intelligent Transfer Service (BITS) Peercache. In order to make the most efficient use of disk space, by default BITS removes any files in the Peercache that have not been accessed in ...

CCE-33753-5
Hide these specified drives in My Computer This policy setting allows you to hide these specified drives in My Computer. This policy setting allows you to remove the icons representing selected hard drives from My Computer and File Explorer. Also, the drive letters representing the selected driv ...

CCE-34132-1
Specify the types of events Windows Installer records in its transaction log Specifies the types of events that Windows Installer records in its transaction log for each installation. The log, Msi.log, appears in the Temp directory of the system volume. When you enable this policy settin ...

CCE-33886-3
Scan network files This policy setting allows you to configure scanning for network files. It is recommended that you do not enable this setting. If you enable this setting, network files will be scanned. If you disable or do not configure this setting, network files will not be scanned.

CCE-34069-5
Turn on Accounting for WSRM This setting turns the Accounting feature On or Off. If you enable this setting, Windows System Resource Manager (WSRM) will start accounting various usage statistics of the processes. If you disable this setting, WSRM will stop logging usage statistics of processes. ...

CCE-34844-1
DHCP Relay Management This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting ...

CCE-34372-3
Critical Battery Notification Action Specifies the action that Windows takes when battery capacity reaches the critical battery notification level. Possible actions include: -Take no action -Sleep -Hibernate -Shut down If you enable this policy setting, you must select the desired action. If yo ...

CCE-33620-6
Scripts (Startup/Shutdown) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy se ...

CCE-33873-1
Configure local setting override for scheduled quick scan time This policy setting configures a local override for the configuration of scheduled quick scan time. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group ...

CCE-32975-5
Prohibit deleting items Prevents users from deleting Web content from their Active Desktop. This setting removes the Delete button from the Web tab in Display in Control Panel. As a result, users can temporarily remove, but not delete, Web content from their Active Desktop. This setting does ...

CCE-33430-0
Turn off Windows Libraries features that rely on indexed file data This policy setting allows you to turn off Windows Libraries features that need indexed file metadata to function properly. If you enable this policy, some Windows Libraries features will be turned off to better handle included fol ...

CCE-33234-6
Set the Seed Server This setting sets the seed server for the site local cloud to a specified node in the enterprise. The Peer Name Resolution Protocol (PNRP) allows for distributed resolution of a name to an IPV6 address and port number. The protocol, in some cases, requires a seed server from wh ...

CCE-33677-6
Hash Publication for BranchCache This policy enables a hash generation service to generate hashes for data stored in shared folders, and then provide these hashes to client computers on which BranchCache is enabled. Hashes are mathematically-derived digital fingerprints of files that uniquely ident ...

CCE-35063-7
Domain controller: LDAP server signing requirements This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing.

CCE-34977-9
Network control service type Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Network Control service type (ServiceTypeNetworkControl). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies ...

CCE-34515-7
Do not allow Windows Media Center to run Specifies whether Windows Media Center can run. If you enable this setting, Windows Media Center will not run. If you disable or do not configure this setting, Windows Media Center can be run.

CCE-35668-3
Turn off smart protocol reordering Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolu ...

CCE-33367-4
Turn on Module Logging This policy setting allows you to turn on logging for Windows PowerShell modules. If you enable this policy setting, pipeline execution events for members of the specified modules are recorded in the Windows PowerShell log in Event Viewer. Enabling this policy sett ...

CCE-35339-1
Prevent unwanted iFilters and protocol handlers Enabling this policy prevents Windows Desktop Search from using iFilters and protocol handlers unless they are specified in the allow list. However, this policy will not prevent iFilters or protocol handlers from being installed, nor will it prevent t ...

CCE-33247-8
Turn off Help and Support Center Microsoft Knowledge Base search Specifies whether users can perform a Microsoft Knowledge Base search from the Help and Support Center. The Knowledge Base is an online source of technical support information and self-help tools for Microsoft products and is searche ...

CCE-34461-4
Custom Classes: Deny write access This policy setting denies write access to custom removable storage classes. If you enable this policy setting, write access is denied to these removable storage classes. If you disable or do not configure this policy setting, write access is allowed to these ...

CCE-35446-4
Set large or small icon view in desktop search results Enabling this policy allows you to specify whether you want large icon or small icon view for your Desktop Search results. The two options are: - Large Icon - Small Icon. If you have disabled the preview pane because your organization does no ...

CCE-35050-4
Hide entry points for Fast User Switching By enabling the policy, Administrators hide the Switch user button in the Logon UI, the Start menu and the Task Manager.

CCE-33797-2
Select network detection on the server This policy setting allows you to specify how the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency). You can choose to disable Connect Time Detect, Continuous Network Detect, or both Connect Time Detect and Continuous Ne ...

CCE-34920-9
All Removable Storage classes: Deny all access Configure access to all removable storage classes. This policy setting takes precedence over any individual removable storage policy settings. To manage individual classes, use the policy settings available for each class. If you enable this poli ...

CCE-33310-4
Run Windows PowerShell scripts first at user logon, logoff This policy setting determines whether Windows PowerShell scripts are run before non-Windows PowerShell scripts during user logon and logoff. By default, Windows PowerShell scripts run after non-Windows PowerShell scripts. If you enabl ...

CCE-33443-3
Ability to change properties of an all user remote access connection Determines whether a user can view and change the properties of remote access connections that are available to all users of the computer. To create an all-user remote access connection, on the Connection Availability page in t ...

CCE-34265-9
Use forest search order This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the KDC will search the forests in this list if it is unable to re ...

CCE-35313-6
Prevent automatically adding shared folders to the Windows Search index This policy setting configures how Windows Search adds shared folders to the search index. If you enable this policy setting, Windows Search is prevented from automatically adding shared folders to the index. Windows Search ...

CCE-33180-1
Reserve Battery Notification Level Specify the percentage of battery capacity remaining that triggers the reserve power mode. If you enable this policy setting, you must enter a numeric value (percentage) to set the battery level that triggers the reserve power notification. If you disable ...

CCE-34737-7
Windows Firewall with Advanced Security This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable t ...

CCE-35788-9
Set what information is shared in Search This policy setting allows you to control what information is shared with Bing in Search. If you enable this policy setting, you can specify one of four settings, which users won't be able to change: -User info and location: Share a user's search h ...

CCE-35170-0
Prevent Back-ESC mapping Removes the Back->ESC mapping that normally occurs when menus are visible, and for applications that subscribe to this behavior. If you enable this policy, a button assigned to Back will not map to ESC. If you disable this policy, Back->ESC mapping will occur. If you do ...

CCE-35326-8
Prevent indexing public folders Enable this policy to prevent indexing public folders in Microsoft Office Outlook. When this policy is disabled or not configured, the user has the option to index cached public folders in Outlook. Public folders are only indexed when using Outlook 2003 or later. The ...

CCE-33127-2
Turn off Program Compatibility Assistant This setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templa ...

CCE-34790-6
Do not allow supported Plug and Play device redirection This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirectio ...

CCE-32931-8
Audit directory service access This policy setting determines whether to audit user access to an Active Directory object that has its own specified system access control list (SACL). If you define the Audit directory service access setting, you can specify whether to audit successes, failures, or n ...

CCE-35579-2
Set maximum wait time for the network if a user has a roaming user profile or remote home directory If the user has a roaming user profile or remote home directory and the network is currently unavailable, Microsoft Windows waits 30 seconds for the network when the user logs on to the computer. Usi ...

CCE-34800-3
Hide specified Control Panel items This setting allows you to display or hide specified Control Panel items, such as Mouse, System, or Personalization, from the Control Panel window and the Start screen. The setting affects the Start screen and Control Panel window, as well as other ways to access ...

CCE-33323-7
Turn off personalized menus Disables personalized menus. Windows personalizes long menus by moving recently used items to the top of the menu and hiding items that have not been used recently. Users can display the hidden items by clicking an arrow to extend the menu. If you enable this setti ...

CCE-34385-5
Enable file synchronization on costed networks This policy setting determines whether offline files are synchronized in the background when it could result in extra charges on cell phone or broadband plans. If you enable this setting, synchronization can occur in the background when the user's n ...

CCE-32988-8
Permit use of Data Sources preference extension This policy setting allows you to permit or prohibit use of the Data Sources preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy set ...

CCE-34056-2
Turn off PNRP cloud creation This policy setting enables or disables PNRP cloud creation. PNRP is a distributed name resolution protocol allowing Internet hosts to publish peer names with a corresponding Internet Protocol version 6 (IPv6) address. Other hosts can then resolve the name, retrieve th ...

CCE-34279-0
Allow BITS Peercaching This policy setting determines if the Background Intelligent Transfer Service (BITS) Peercaching feature is enabled on a specific computer. By default, the files in a BITS job are downloaded only from the origin server specified by the job's owner. If BITS Peercaching is ...

CCE-34738-5
Scripts (Logon/Logoff) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy settin ...

CCE-33588-5
File Server Resource Manager Extension This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable thi ...

CCE-35308-6
Specify domain location determination URL This policy setting enables you to specify the HTTPS URL of the corporate website that clients use to determine the current domain location (i.e. whether the computer is inside or outside the corporate network). Reachability of the URL destination indicates ...

CCE-34791-4
Do not log users on with temporary profiles This policy will automatically log off a user when Windows cannot load their profile. If Windows cannot access the user profile folder or the profile contains errors that prevent it from loading, Windows logs on the user with a temporary profile. This p ...

CCE-34026-5
Configure Windows SmartScreen This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run ...

CCE-33927-5
Automatically send memory dumps for OS-generated error reports This policy setting controls whether memory dumps in support of OS-generated error reports can be sent to Microsoft automatically. This policy does not apply to error reports generated by 3rd-party products, or additional data other tha ...

CCE-34801-1
Active Directory Domains and Trusts This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this ...

CCE-35045-4
Active Directory Users and Computers This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this ...

CCE-34159-4
Allow audio and video playback redirection This policy setting allows you to specify whether users can redirect the remote computer's audio and video output in a Remote Desktop Services session. Users can specify where to play the remote computer's audio output by configuring the remote audio sett ...

CCE-34475-4
Remote Desktop Services Configuration This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable thi ...

CCE-33651-1
Hide user locale selection and customization options This policy setting removes the regional formats interface from the Region settings control panel. This policy setting is used only to simplify the Regional and Language Options control panel. If you enable this policy setting, the user doe ...

CCE-35637-8
IDN mapping Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. If this policy setting is disabled, or if this ...

CCE-33914-3
Check for the latest virus and spyware definitions on startup This policy setting allows you to manage whether a check for new virus and spyware definitions will occur immediately after service startup. If you enable this setting, a check for new definitions will occur after service startup. ...

CCE-34462-2
Floppy Drives: Deny write access This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting ...

CCE-34102-4
Turn off user tracking If you disable or do not configure this setting, the system tracks the programs that the user runs. The system uses this information to customize Windows features, such as showing frequently used programs in the Start Menu. If you enable this setting, the system does not t ...

CCE-35032-2
Prohibit installing or uninstalling color profiles This policy setting affects the ability of users to install or uninstall color profiles. If you enable this policy setting, users cannot install new color profiles or uninstall previously installed color profiles. If you disable or do not con ...

CCE-35241-9
Connect home directory to root of the share This policy setting restores the definitions of the %HOMESHARE% and %HOMEPATH% environment variables to those used in Windows NT 4.0 and earlier. Along with %HOMEDRIVE%, these variables define the home directory of a user profile. The home directory is a ...

CCE-35690-7
Specify the System Hibernate Timeout (On Battery) Specifies the period of inactivity before Windows transitions the system to hibernate. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to hibernate. If ...

CCE-34671-8
Set Call Security options Sets the level of security for both outgoing and incoming NetMeeting calls.

CCE-35744-2
Specify the System Sleep Timeout (Plugged In) Specifies the period of inactivity before Windows transitions the system to sleep. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. If you disable ...

CCE-34409-3
Configure forwarder resource usage This policy setting controls resource usage for the forwarder (source computer) by controlling the number of events per second sent to the Event Collector. If you enable this policy setting, you can control the volume of events sent to the Event Collector by the source c ...

CCE-33336-9
Remove Default Programs link from the Start menu. Removes the Default Programs link from the Start menu. Clicking the Default Programs link from the Start menu opens the Default Programs control panel and provides administrators the ability to specify default programs for certain activities, suc ...

CCE-33193-4
Turn off smart multi-homed name resolution Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In ...

CCE-33771-7
Hide the common dialog back button Hide the Back button in the Open dialog box. This policy setting lets you remove new features added in Microsoft Windows 2000 Professional, so the Open dialog box appears as it did in Windows NT 4.0 and earlier. This policy setting affects only programs that us ...

CCE-35298-9
Configure user Group Policy loopback processing mode This policy setting directs the system to apply the set of Group Policy objects for the computer to any user who logs on to a computer affected by this setting. It is intended for special-use computers, such as those in public places, laboratorie ...

CCE-33891-3
Sign-in last interactive user automatically after a system-initiated restart This policy setting controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system. If you enable or do not configure this policy setting, the device securely sav ...

CCE-33412-8
Allow user name hint This policy setting lets you determine whether an optional field will be displayed during logon and elevation that allows a user to enter his or her user name or user name and domain, thereby associating a certificate with that user. If you enable this policy setting then an o ...

CCE-33838-4
Display notifications to clients when they need to perform actions This policy setting allows you to configure whether or not to display notifications to clients when they need to perform the following actions: Run a full scan Download the latest virus and spyware definitions Download Standalon ...

CCE-34947-2
Administrative Templates (Users) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this pol ...

CCE-32974-8
Prohibit adding items Prevents users from adding Web content to their Active Desktop. This setting removes the 'New' button from Web tab in Display in Control Panel. As a result, users cannot add Web pages or pictures from the Internet or an intranet to the desktop. This setting does not remove ...

CCE-34488-7
Prevent removable media source for any installation This policy setting prevents users from installing any programs from removable media. If you enable this policy setting, if a user tries to install a program from removable media, such as CD-ROMs, floppy disks, and DVDs, a message appears stati ...

CCE-34013-3
Disallow Kerberos authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not accept Kerberos credentials over the network. If you enable this policy setting, the WinRM service will not accept Kerberos credentials over the network. If you ...

CCE-35415-9
Turn off Windows Mail application Denies or allows access to the Windows Mail application. If you enable this setting, access to the Windows Mail application is denied. If you disable or do not configure this setting, access to the Windows Mail application is allowed.

CCE-35089-2
Configure log access This policy setting specifies to use the security descriptor for the log using the Security Descriptor Definition Language (SDDL) string. You cannot configure write permissions for this log. If you enable this policy setting, only those users whose security descriptor matche ...

CCE-33349-2
Turn off Help Experience Improvement Program This policy setting specifies whether users can participate in the Help Experience Improvement program. The Help Experience Improvement program collects information about how customers use Windows Help so that Microsoft can improve it. If you enable t ...

CCE-33086-0
Prevent changing lock screen image Prevents users from changing the background image shown when the machine is locked. By default, users can change the background image shown when the machine is locked. If you enable this setting, the user will not be able to change their lock screen image, a ...

CCE-35548-7
Do not add shares of recently opened documents to Network Locations Remote shared folders are not added to Network Locations whenever you open a document in the shared folder. If you disable this setting or do not configure it, when you open a document in a remote shared folder, the system adds ...

CCE-33705-5
Authorization Manager This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting ...

CCE-35428-2
Hide the dropdown list of recent files Removes the list of most recently used files from the Open dialog box. If you disable this setting or do not configure it, the 'File name' field includes a drop-down list of recently used files. If you enable this setting, the 'File name' field is a simple ...

CCE-33958-0
Devices: Prevent users from installing printer drivers It is feasible for an attacker to disguise a Trojan horse program as a printer driver. The program may appear to users as if they must use it to print, but such a program could unleash malicious code on your computer network. To reduce the possi ...

CCE-34880-5
Prevent launch an application Prevents the user from launching an application from a Tablet PC hardware button. If you enable this policy, applications cannot be launched from a hardware button, and 'Launch an application' is removed from the drop down menu for configuring button actions (in the T ...

CCE-35285-6
Turn off toast notifications This policy setting turns off toast notifications. If you enable this policy setting, applications and system features will not be able to raise toast notifications. Note that this policy does not affect taskbar notification balloons. If you disable or do not ...

CCE-33229-6
Permit use of Files preference extension This policy setting allows you to permit or prohibit use of the Files preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setting, you perm ...

CCE-33562-0
Remove 'Make Available Offline' for these files and folders This policy setting allows you to manage a list of files and folders for which you want to block the 'Make Available Offline' command. If you enable this policy setting, the 'Make Available Offline' command is not available for the file ...

CCE-35700-4
Always wait for the network at computer startup and logon This policy setting determines whether Group Policy processing is synchronous (that is, whether computers wait for the network to be fully initialized during computer startup and user logon). By default, on client computers, Group Policy pro ...

CCE-33282-5
Turn on TPM backup to Active Directory Domain Services This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TPM) owner information. TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM comman ...

CCE-35076-9
Custom User Interface Specifies an alternate user interface. The Explorer program (%windir%\explorer.exe) creates the familiar Windows interface, but you can use this setting to specify an alternate interface. If you enable this setting, the system starts the interface you specify instead of Exp ...

CCE-35481-1
EMET Agent Visibility This setting allows you to configure if the EMET Agent icon is visible in the system tray area of the taskbar on startup. If you enable or do not configure this setting, the EMET Agent icon is visible in the system tray area of the taskbar on startup. If you disable this ...

CCE-33509-1
Select RDP transport protocols This policy setting allows you to specify which protocols can be used for Remote Desktop Protocol (RDP) access to this server. If you enable this policy setting, you must specify if you would like RDP to use UDP. You can select one of the following options: 'Use ...

CCE-34222-0
Redirect folders on primary computers only This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private ...

CCE-33425-0
Configure log access This policy setting specifies to use the security descriptor for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only users whose security descriptor matches the configured value can access the log. If you disabl ...

CCE-34684-1
Prevent users from resizing the taskbar This policy setting allows you to prevent users from resizing the taskbar. If you enable this policy setting, users are not able to resize their taskbar. If you disable or do not configure this policy setting, users are able to resize their taskbar u ...

CCE-33901-0
Specify the time for a daily quick scan This policy setting allows you to specify the time of day at which to perform a daily quick scan. The time value is represented as the number of minutes past midnight (00:00). For example, 120 (0x78) is equivalent to 02:00 AM. By default, this setting is set ...

CCE-35624-6
Turn off Internet File Association service This policy setting specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on the compu ...

CCE-32961-5
Provide information about previous logons to client computers This policy setting controls whether the domain controller provides information about previous logons to client computers. If you enable this policy setting, the domain controller provides the information message about previous logons. ...

CCE-35757-4
Tag Windows Customer Experience Improvement data with Study Identifier This policy setting will enable tagging of Windows Customer Experience Improvement data when a study is being conducted. If you enable this setting then Windows CEIP data uploaded will be tagged. If you do not configure this s ...

CCE-34444-0
Configure Report Archive This setting controls the behavior of the Windows Error Reporting archive. If Archive behavior is set to 'Store all', all data collected for each report will be stored in the appropriate location. If Archive behavior is set to 'Store parameters only', only the minimum inf ...

CCE-35014-0
Use Remote Desktop Easy Print printer driver first This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. If you enable or do not configure this policy setting, the RD Session Host server first tries to use th ...

CCE-35463-9
Turn on Classic Shell This setting allows an administrator to revert specific Windows Shell behavior to classic Shell behavior. If you enable this setting, users cannot configure their system to open items by single-clicking (such as in Mouse in Control Panel). As a result, the user interface lo ...

CCE-33629-7
Resultant Set of Policy snap-in This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this poli ...

CCE-33099-3
Windows Firewall: Public: Apply local connection security rules This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy.

CCE-35267-4
Network Projector Port Setting This policy setting allows you to select the TCP port the Network Projector will use to send packets. If you leave the 0, the operating system will select a port. If you select a TCP port that is already in use by a system, the Network Projector will fail to initializ ...

CCE-35726-9
Run startup scripts asynchronously Lets the system run startup scripts simultaneously. Startup scripts are batch files that run before the user is invited to log on. By default, the system waits for each startup script to complete before it runs the next startup script. If you enable this setting ...

CCE-33109-0
Remove Change Password This policy setting prevents users from changing their Windows password on demand. If you enable this policy setting, the 'Change Password' button on the Windows Security dialog box will not appear when you press Ctrl+Alt+Del. However, users are still able to change th ...

CCE-35330-0
Display instructions in shutdown scripts as they run This policy setting displays the instructions in shutdown scripts as they run. Shutdown scripts are batch files of instructions that run when the user restarts the system or shuts it down. By default, the system does not display the instructio ...

CCE-35147-8
Limit reservable bandwidth Determines the percentage of connection bandwidth that the system can reserve. This value limits the combined bandwidth reservations of all programs running on the system. By default, the Packet Scheduler limits the system to 20 percent of the bandwidth of a connection, ...

CCE-34707-0
Specify site name This policy setting specifies the Active Directory site to which computers belong. An Active Directory site is one or more well-connected TCP/IP subnets that allow administrators to configure Active Directory access and replication. To specify the site name for this setting, ...

CCE-34577-7
Turn off Windows Mobility Center This policy setting turns off Windows Mobility Center. If you enable this policy setting, the user is unable to invoke Windows Mobility Center. The Windows Mobility Center UI is removed from all shell entry points and the .exe file does not launch it. If you d ...

CCE-34248-5
Disallow changing of geographic location This policy prevents users from changing their user geographical location (GeoID). If this policy is Enabled, then the user cannot change their geographical location (GeoID). If the policy is Disabled or Not Configured, then the user may select any GeoID. ...

CCE-33825-1
Prevent OneDrive files from syncing over metered connections This policy setting allows configuration of OneDrive file sync behavior on metered connections. If you enable this setting, OneDrive will not sync files over metered connections. If you disable or do not configure this setting, One ...

CCE-35343-3
Maintain RPC Troubleshooting State Information This policy setting determines whether the RPC Runtime maintains RPC state information for the system, and how much information it maintains. Basic state information, which consists only of the most commonly needed state data, is required for troublesh ...

CCE-35134-6
Enforce Show Policies Only This policy setting prevents administrators from viewing or using Group Policy preferences. A Group Policy administration (.adm) file can contain both true settings and preferences. True settings, which are fully supported by Group Policy, must use registry entries in ...

CCE-33749-3
Maximum number of recent documents This policy setting allows you to set the maximum number of shortcuts the system can display in the Recent Items menu on the Start menu. The Recent Items menu contains shortcuts to the nonprogram files the user has most recently opened. If you enable this p ...

CCE-33438-3
Prohibit adding and removing components for a LAN or remote access connection Determines whether administrators can add and remove network components for a LAN or remote access connection. This setting has no effect on nonadministrators. If you enable this setting (and enable the 'Enable Network ...

CCE-33812-9
Prevent restoring local previous versions This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file. If you enable this policy setting, the Restore button is disabled when the user selects a previ ...

CCE-34311-1
Prohibit user configuration of Offline Files Prevents users from enabling, disabling, or changing the configuration of Offline Files. This setting removes the Offline Files tab from the Folder Options dialog box. It also removes the Settings item from the Offline Files context menu and disables ...

CCE-34008-3
Directory pruning retry Specifies how many times the pruning service on a domain controller repeats its attempt to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the printers are still avail ...

CCE-34773-2
Specify communities This policy setting configures a list of the communities defined to the Simple Network Management Protocol (SNMP) service. SNMP is a protocol designed to give a user the capability to remotely manage a computer network, by polling and setting terminal values and monitoring ne ...

CCE-33491-2
Turn off desktop gadgets This policy setting allows you to turn off desktop gadgets. Gadgets are small applets that display information or utilities on the desktop. If you enable this setting, desktop gadgets will be turned off. If you disable or do not configure this setting, desktop gadget ...

CCE-35596-6
Turn off downloading of print drivers over HTTP This policy setting specifies whether to allow this client to download print driver packages over HTTP. To set up HTTP printing, non-inbox drivers need to be downloaded over HTTP. Note: This policy setting does not prevent the client from printi ...

CCE-33945-7
Turn off calls during Quiet Hours This policy setting blocks voice and video calls during Quiet Hours. If you enable this policy setting, voice and video calls will be blocked during the designated Quiet Hours time window each day, and users will not be able to customize any other Quiet Hours se ...

CCE-35210-4
RIP Routing This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap ...

CCE-33616-4
Prevent changing desktop icons Prevents users from changing the desktop icons. By default, users can use the Desktop Icon Settings dialog in the Personalization or Display Control Panel to show, hide, or change the desktop icons. If you enable this setting, none of the desktop icons can be ch ...

CCE-35713-7
Qualitative service type Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to pa ...

CCE-33932-5
Go to the desktop instead of Start when signing in or when all the apps on a screen are closed This policy setting allows users to go to the desktop instead of the Start screen when they sign in, or when all the apps on a screen are closed. This policy setting applies to all versions of Windows, a ...

CCE-35570-1
Selectively allow the evaluation of a symbolic link Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: Local Link to a Local Target Local Link to a Remote Target Remote ...

CCE-33371-6
WPD Devices: Deny write access This policy setting denies write access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, write access will be denied to this removable storage class. If you disable or do not ...

CCE-34337-6
Configure RD Connection Broker server name This policy setting allows you to specify the RD Connection Broker server that the RD Session Host server uses to track and redirect user sessions for a load-balanced RD Session Host server farm. The specified server must be running the Remote Desktop Conn ...

CCE-34653-6
Prevent Sharing Prevents users from sharing anything themselves. They will still be able to view shared applications/desktops from others.

CCE-34390-5
Configure list of Enhanced Storage devices usable on your computer This policy setting allows you to configure a list of Enhanced Storage devices by manufacturer and product ID that are usable on your computer. This policy setting only applies to Enhanced Storage devices that support a Certificate ...

CCE-35058-7
DCOM Configuration Extension This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-33318-7
Do not allow Sound Recorder to run Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. If you enable this policy setting, So ...

CCE-33175-1
Turn off Aero Shake window minimizing mouse gesture Prevents windows from being minimized or restored when the active window is shaken back and forth with the mouse. If you enable this policy, application windows will not be minimized or restored when the active window is shaken back and f ...

CCE-35792-1
Use DNS name resolution when a single-label domain name is used, by appending different registered DNS suffixes, if the AllowSingleLabelDnsDomain setting is not enabled. This policy setting specifies whether the computers to which this setting is applied attempt DNS name resolution of single-label ...

CCE-35374-8
Prevent backing up to network location This policy setting lets you prevent users from selecting a network location for storing backups. If you enable this policy setting, users are blocked from selecting a network location as a backup location. If you disable or do not configure this pol ...

CCE-34115-6
Turn off logging via package settings This policy setting controls Windows Installer's processing of the MsiLogging property. The MsiLogging property in an installation package can be used to enable automatic logging of all install operations for the package. If you enable this policy setting, y ...

CCE-33736-0
Add secondary intranet search locations Enabling this policy allows you to add intranet search locations in addition to the primary intranet search location defined in the Add Primary Intranet Search Location policy. The value of this text should be: name1,url1;name2,url2;...nameN,urlN For exampl ...

CCE-33593-5
Connection-specific DNS suffix Specifies a connection-specific DNS suffix. This policy setting supersedes local connection-specific DNS suffixes, and those configured using DHCP. To use this policy setting, click Enabled, and then enter a string value representing the DNS suffix. If you enabl ...

CCE-33869-9
Turn on raw volume write notifications This policy setting controls whether raw volume write notifications are sent to behavior monitoring. If you enable or do not configure this setting, raw write notifications will be enabled. If you disable this setting, raw write notifications will be disabled ...

CCE-35001-7
Profile system performance This policy setting allows users to use tools to view the performance of different system processes, which could be abused to allow attackers to determine a system's active processes and provide insight into the potential attack surface of the computer. When configuring ...

CCE-35739-2
Set the default behavior for AutoRun This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing ...

CCE-32992-0
Permit use of Network Options preference extension This policy setting allows you to permit or prohibit use of the Network Options preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this poli ...

CCE-35802-8
Include command line in process creation events This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting the command line ...

CCE-33856-6
Configure removal of items from Quarantine folder This policy setting defines the number of days items should be kept in the Quarantine folder before being removed. If you enable this setting, items will be removed from the Quarantine folder after the number of days specified. If you disable ...

CCE-32939-1
Specify default category for Add New Programs Specifies the category of programs that appears when users open the 'Add New Programs' page. If you enable this setting, only the programs in the category you specify are displayed when the 'Add New Programs' page opens. Users can use the Category bo ...

CCE-35387-0
Do not sync Prevent syncing to and from this PC. This turns off and disables the 'sync your settings' switch on the 'sync your settings' page in PC Settings. If you enable this policy setting, 'sync your settings' will be turned off, and none of the 'sync your setting' groups will be synced on ...

CCE-35583-4
Permit use of Application snap-ins This policy setting allows you to permit or prohibit use of Application snap-ins (Application preference item types). When prohibited, no Application preference item types appear when you attempt to create a new Application preference item, and you are unable to d ...

CCE-34786-4
Display instructions in logoff scripts as they run This policy setting displays the instructions in logoff scripts as they run. Logoff scripts are batch files of instructions that run when the user logs off. By default, the system does not display the instructions in the logoff script. If you ...

CCE-34181-8
Ability to Enable/Disable a LAN connection Determines whether users can enable/disable LAN connections. If you enable this setting, the Enable and Disable options for LAN connections are available to users (including nonadministrators). Users can enable/disable a LAN connection by double-clickin ...

CCE-35254-2
Limit number of monitors This policy setting allows you to limit the number of monitors that a user can use to display a Remote Desktop Services session. Limiting the number of monitors to display a Remote Desktop Services session can improve connection performance, particularly over slow links, an ...

CCE-35450-6
Remove UI to change keyboard navigation indicator setting Disables the 'Hide keyboard navigation indicators until I use the ALT key' option in Display in Control Panel. When this Display Properties option is selected, the underlining that indicates a keyboard shortcut character (hot key) does no ...

CCE-33384-9
All Removable Storage: Allow direct access in remote sessions This policy setting grants normal users direct access to removable storage devices in remote sessions. If you enable this policy setting, remote users will be able to open direct handles to removable storage devices in remote sessions. ...

CCE-35121-3
Private network ranges for apps This setting does not apply to desktop apps. A comma-separated list of IP address ranges that are in your corporate network. If you enable this policy setting, it ensures that apps with the Home/Work Networking capability have appropriate acce ...

CCE-35071-0
Hide Security Tab This policy setting allows you to hide the Security tab in Windows Media Player. If you enable this policy setting, the default security settings for the options on the Security tab are used unless the user changed the settings previously. Users can still change security and zo ...

CCE-34523-1
Do not process incoming mailslot messages used for domain controller location based on NetBIOS domain names This policy setting allows you to control the processing of incoming mailslot messages by a local domain controller (DC). Note: To locate a remote DC based on its NetBIOS (single-label) doma ...

CCE-33769-1
Prevent restoring previous versions from backups This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup. If you enable this policy setting, ...

CCE-33373-2
Remove frequent programs list from the Start Menu If you enable this setting, the frequently used programs list is removed from the Start menu. If you disable this setting or do not configure it, the frequently used programs list remains on the simple Start menu.

CCE-35467-0
Turn off Preview Pane Hides the Preview Pane in File Explorer. If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user. If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by th ...

CCE-33832-7
Configure local administrator merge behavior for lists This policy setting controls whether or not complex list settings configured by a local administrator are merged with Group Policy settings. This setting applies to lists such as threats and Exclusions. If you enable or do not configure this ...

CCE-35018-1
Specify default connection URL This policy setting specifies the default connection URL for RemoteApp and Desktop Connections. The default connection URL is a specific connection that can only be configured by using Group Policy. In addition to the capabilities that are common to all connections, t ...

CCE-33120-7
Select the Power Button Action (Plugged In) Specifies the action that Windows takes when a user presses the power button. Possible actions include: -Take no action -Sleep -Hibernate -Shut down If you enable this policy setting, you must select the desired action. If you disable this policy set ...

CCE-35334-2
Specify sites covered by the DC Locator DNS SRV records This policy setting specifies the sites for which the domain controllers (DC) register the site-specific DC Locator DNS SRV resource records. These records are registered in addition to the site-specific SRV records registered for the site whe ...

CCE-33965-5
File Classification Infrastructure: Specify Classification Properties List This policy setting controls which set of properties is available for classifying files on affected computers. Administrators can define the properties for the organization by using Active Directory Domain Services (AD DS ...

CCE-33636-2
Enterprise PKI This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the s ...

CCE-34184-2
Proxy definitions are authoritative Turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. If you enable this policy setting, it turns off Windows Network Isolation's automatic proxy discovery in the domain corporate environment. Only proxies configu ...

CCE-34919-1
CD and DVD: Deny read access This policy setting denies read access to the CD and DVD removable storage class. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, read access is allowed to this remov ...

CCE-33000-1
Register DNS records with connection-specific DNS suffix Determines if a computer performing dynamic registration may register A and PTR resource records with a concatenation of its Computer Name and a connection-specific DNS suffix, in addition to registering these records with a concatenation of ...

CCE-33177-7
Remove 'Disconnect' option from Shut Down dialog This policy setting allows you to remove the 'Disconnect' option from the Shut Down Windows dialog box in Remote Desktop Services sessions. You can use this policy setting to prevent users from using this familiar method to disconnect their client f ...

CCE-35138-7
Floppy Drives: Deny write access This policy setting denies write access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, write access will be denied to this removable storage class. If you disable or do not configure this policy settin ...

CCE-33952-3
Turn off access to the solutions to performance problems section Removes access to the performance center control panel solutions to performance problems. If you enable this setting, the solutions and issue section within the performance control panel page will not be displayed. The administrative ...

CCE-34140-4
Turn off tracking of last play time of games in the Games folder Tracks the last play time of games in the Games folder. If you enable this setting the last played time of games will not be recorded in Games folder. This setting only affects the Games folder. If you disable or do not configure t ...

CCE-35347-4
Turn off handwriting recognition error reporting Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over ...

CCE-35191-6
Turn off autocorrect misspelled words This policy turns off the autocorrect misspelled words option. This does not, however, prevent the user or an application from changing the setting programmatically. The autocorrect misspelled words option controls whether or not errors in typed text ...

CCE-34447-3
Hide Advanced Properties Checkbox in Add Scheduled Task Wizard This setting removes the 'Open advanced properties for this task when I click Finish' checkbox from the last page of the Scheduled Task Wizard. This policy is only designed to simplify task creation for beginning users. The checkbox ...

CCE-34656-9
Disable Audio Disables the audio feature of NetMeeting. Users will not be able to send or receive audio.

CCE-34077-8
Prevent addition of printers Prevents users from using familiar methods to add local and network printers. If this policy setting is enabled, it removes the Add Printer option from the Start menu. (To find the Add Printer option, click Start, click Printers, and then click Add Printer. ...

CCE-33756-8
Remove 'Map Network Drive' and 'Disconnect Network Drive' Prevents users from using File Explorer or Network Locations to map or disconnect network drives. If you enable this setting, the system removes the Map Network Drive and Disconnect Network Drive commands from the toolbar and Tools menus ...

CCE-33253-6
Turn off Touch Panning Turn off Panning Turns off touch panning, which allows users to pan inside windows by touch. On a compatible PC with a touch digitizer, by default users are able to scroll or pan inside a scrolling area by dragging up or down directly on the scrolling content. If you en ...

CCE-34852-4
Maximum tolerance for computer clock synchronization Many security services, especially authentication, rely on an accurate computer clock to perform their jobs. You should ensure computer time is accurate and that all servers in your organization use the same time source. The Windows Server 2003 W ...

CCE-35214-6
Prevent backing up to local disks This setting lets you prevent users from selecting a local disk (internal or external) for storing backups. If this setting is enabled, the user will be blocked from selecting a local disk as a backup location. If this setting is disabled or not configured, users ...

CCE-33889-7
Specify the day of the week to run a scheduled scan This policy setting allows you to specify the day of the week on which to perform a scheduled scan. The scan can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal number values ...

CCE-35717-8
Remove Properties from the Recycle Bin context menu Removes the Properties option from the Recycle Bin context menu. If you enable this setting, the Properties option will not be present when the user right-clicks on Recycle Bin or opens Recycle Bin and then clicks File. Likewise, Alt-Enter does ...

CCE-35574-3
Set age for segments in the data cache This policy setting specifies the default age in days for which segments are valid in the BranchCache data cache on client computers. If you enable this policy setting, you can configure the age for segments in the data cache. If you disable or do not co ...

CCE-34273-3
Remove Search link from Start Menu Removes the Search link from the Start menu, and disables some Windows Explorer search elements. Note that this does not remove the search box from the new style Start menu. This setting removes the Search item from the Start menu and from the context menu tha ...

CCE-34732-8
Prevent changing Call placement method Prevents users from changing the way calls are placed, either directly or via a gatekeeper server.

CCE-33013-4
Re-prompt for restart with scheduled installations Specifies the amount of time for Automatic Updates to wait before prompting again with a scheduled restart. If the status is set to Enabled, a scheduled restart will occur the specified number of minutes after the previous prompt for restart was p ...

CCE-33266-8
Turn on recommended updates via Automatic Updates Specifies whether Automatic Updates will deliver both important as well as recommended updates from the Windows Update update service. When this policy is enabled, Automatic Updates will install recommended updates as well as important updates from ...

CCE-33876-4
Configure time out for detections in critically failed state This policy setting configures the time in minutes before a detection in the 'critically failed' state moves to either the 'additional action' state or the 'cleared' state.

CCE-35321-9
Prevent adding UNC locations to index from Control Panel Enabling this policy prevents users from adding UNC locations to the index from the Search and Indexing Options in Control Panel. Any UNC locations that have already been added to the index by the user will not be removed. When this policy ...

CCE-33623-0
Wired Network (IEEE 802.3) Policies This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this ...

CCE-35796-2
Set the SafeSearch setting for Search This policy setting allows you to control the SafeSearch setting used when performing a query in Search. If you enable this policy setting, you can specify one of three SafeSearch settings, which users won't be able to change: -Strict: Filter out adu ...

CCE-35378-9
Remove logon hours expiration warnings This policy controls whether the logged on user should be notified when his logon hours are about to expire. By default, a user is notified before logon hours expire, if actions have been set to occur when the logon hours expire. If you enable this setting, ...

CCE-34789-8
Do not allow encryption on all NTFS volumes Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files

CCE-35201-3
Enable access-denied assistance on client for all file types This Group Policy Setting should be set on Windows clients to enable access-denied assistance for all file types

CCE-34051-3
Prevent adding UNC locations to index from Control Panel Enabling this policy prevents users from adding UNC locations to the index from the Search and Indexing Options in Control Panel. Any UNC locations that have already been added to the index by the user will not be removed. When this polic ...

CCE-33462-3
Specify search order for device driver source locations This policy setting allows you to specify the order in which Windows searches source locations for device drivers. If you enable this policy setting, you can select whether Windows searches Windows Update first, searches Windows Update last ...

CCE-34416-8
Remove the volume control icon This policy setting allows you to remove the volume control icon from the system control area. If you enable this policy setting, the volume control icon is not displayed in the system notification area. If you disable or do not configure this policy setting, th ...

CCE-33743-6
Turn off location This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature will be turned off, and all programs on this computer will not be able to use location information from the location feature. If you disa ...

CCE-34393-9
Configure Scenario Execution Level If you enable this policy setting, the Diagnostic Policy Service (DPS) will detect, troubleshoot and attempt to resolve automatically any heap corruption problems. If you disable this policy setting, Windows will not be able to detect, troubleshoot and attempt to ...

CCE-35650-1
Allow the use of biometrics If you enable (or do not configure) this policy setting, the Windows Biometric Service will be available, and users will be able to run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, you must also configure the ' ...

CCE-33146-2
Allow remote server management through WinRM This policy setting allows you to manage whether the Windows Remote Management (WinRM) service automatically listens on the network for requests on the HTTP transport over the default HTTP port. If you enable this policy setting, the WinRM service aut ...

CCE-32958-1
Prohibit removal of updates This setting controls the ability for users or administrators to remove Windows Installer based updates. This setting should be used if you need to maintain a tight control over updates. One example is a lockdown environment where you want to ensure that updates once i ...

CCE-35125-4
Administrative Templates (Users) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this pol ...

CCE-34998-5
Network Security: Restrict NTLM: NTLM authentication in this domain This policy setting allows you to deny or allow NTLM authentication within a domain from this domain controller. This policy does not affect interactive logon to this domain controller.

CCE-35454-8
Show sleep in the power options menu Shows or hides sleep from the power options menu. If you enable this policy setting, the sleep option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). If you disable this policy setting, the sleep option will ...

CCE-34260-0
Turn off Windows Error Reporting Controls whether or not errors are reported to Microsoft. Error Reporting is used to report information about a system or application that has failed or has stopped responding and is used to improve the quality of the product. If you enable this setting, users wil ...

CCE-34669-2
Prevent viewing Web directory Prevents users from viewing directories as Web pages in a browser.

CCE-35258-3
Allow Basic authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication. If you enable this policy setting, the WinRM client will use Basic authentication. If WinRM is configured to use HTTP transport, then the user name an ...

CCE-35806-9
Use advanced RemoteFX graphics for RemoteApp This policy setting allows you to enable RemoteApp programs to use advanced graphics, including support for transparency, live thumbnails, and seamless application moves. This policy setting applies only to RemoteApp programs and does not apply to remote ...

CCE-33342-7
Do not display any custom toolbars in the taskbar This setting affects the taskbar. The taskbar includes the Start button, buttons for currently running tasks, custom toolbars, the notification area, and the system clock. Toolbars include Quick Launch, Address, Links, Desktop, and other custom t ...

CCE-33610-7
Disable Chat Disables the Chat feature of NetMeeting.

CCE-35587-5
Restrict these programs from being launched from Help This policy setting allows you to restrict programs from being run from online Help. If you enable this policy setting, you can prevent specified programs from being run from Help. When you enable this policy setting, enter th ...

CCE-34482-0
Group Policy Management Editor This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-33475-5
Turn off Real-Time Monitoring Turns off Real-Time Protection prompts for known malware detection. Windows Defender alerts you when spyware or potentially unwanted software attempts to install itself or to run on your computer. If you enable this policy setting, Windows Defender will not prompt us ...

CCE-33667-7
Events.asp program command line parameters This specifies the command line parameters that will be passed to the events.asp program.

CCE-34166-9
End session when time limits are reached This policy setting specifies whether to end a Remote Desktop Services session that has timed out instead of disconnecting it. You can use this setting to direct Remote Desktop Services to end a session (that is, the user is logged off and the session is ...

CCE-35632-9
Device compatibility settings Device compatibility settings.

CCE-32976-3
Prohibit editing items Prevents users from changing the properties of Web content items on their Active Desktop. This setting disables the Properties button on the Web tab in Display in Control Panel. Also, it removes the Properties item from the menu for each item on the Active Desktop. As a re ...

CCE-34286-5
Back up log automatically when full This policy setting controls Event Log behavior when the log file reaches its maximum size and takes effect only if the 'Retain old events' policy setting is enabled. If you enable this policy setting and the 'Retain old events' policy setting is enabled, the ...

CCE-34745-0
Prevent customization of indexed locations in Control Panel If enabled, Search and Indexing Options in Control Panel does not allow opening the Modify Locations dialog. Otherwise it can be opened. Disabled by default.

CCE-35436-5
Do not process the legacy run list This policy setting causes the run list, which is a list of programs that Windows runs automatically when it starts, to be ignored. The customized run lists for Windows Vista are stored in the registry at the following locations: - HKEY_LOCAL_MACHINE\Software\Micr ...

CCE-33279-1
Prevent deletion of printers If this policy setting is enabled, it prevents users from deleting local and network printers. If a user tries to delete a printer, such as by using the Delete option in Printers in Control Panel, a message appears explaining that a setting prevents the act ...

CCE-33730-3
Remove users' ability to invoke machine policy refresh This policy setting allows you to control a user's ability to invoke a computer policy refresh. If you enable this policy setting, users are not able to invoke a refresh of computer policy. Computer policy will still be applied at startup or ...

CCE-35569-3
Select the Sleep Button Action (Plugged In) Specifies the action that Windows takes when a user presses the sleep button. Possible actions include: -Take no action -Sleep -Hibernate -Shut down If you enable this policy setting, you must select the desired action. If you disable this policy sett ...

CCE-34878-9
Prevent display of the user interface for critical errors This policy setting prevents the display of the user interface for critical errors. If you enable this policy setting, Windows Error Reporting prevents the display of the user interface for critical errors. If you disable or do not configu ...

CCE-33863-2
Specify the time of day to run a scheduled full scan to complete remediation This policy setting allows you to specify the time of day at which to perform a scheduled full scan in order to complete remediation. The time value is represented as the number of minutes past midnight (00:00). For examp ...

CCE-35449-8
Prevent restoring previous versions from backups This policy setting lets you suppress the Restore button in the previous versions property page when the user has selected a previous version of a local file, in which the previous version is stored on a backup. If you enable this policy setting, ...

CCE-35097-5
Configure wired policy processing This policy setting determines when policies that assign wired network settings are updated. This policy setting affects all policies that use the wired network component of Group Policy, such as those in Windows Settings\Wired Network Policies. It overrides ...

CCE-33355-9
Turn off history-based predictive input This policy setting allows you to turn off history-based predictive input. If you enable this policy setting, history-based predictive input is turned off. If you disable or do not configure this policy setting, history-based predictive input is on by ...

CCE-35512-3
Audit Policy: Object Access: Central Access Policy Staging This policy setting allows you to audit access requests where the permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generat ...

CCE-33850-9
Configure local setting override for the removal of items from Quarantine folder This policy setting configures a local override for the configuration of the number of days items should be kept in the Quarantine folder before being removed. This setting can only be set by Group Policy. If you en ...

CCE-34821-9
Turn on Basic feed authentication over HTTP This policy setting allows users to have their feeds authenticated through the Basic authentication scheme over an unencrypted HTTP connection. If you enable this policy setting, the Windows RSS Platform authenticates feeds to servers by using the Basi ...

CCE-33102-5
Configure use of smart cards on fixed data drives This policy setting allows you to specify whether smart cards can be used to authenticate user access to the BitLocker-protected fixed data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user acces ...

CCE-34046-3
Set Window Scaling Heuristics State This policy setting allows you to configure Window Scaling Heuristics. Window Scaling Heuristics is an algorithm to identify connectivity and throughput problems caused by many Firewalls and other middle boxes that don't interpret Window Scaling option correctly. ...

CCE-33654-5
Turn off offer text predictions as I type This policy turns off the offer text predictions as I type option. This does not, however, prevent the user or an application from changing the setting programmatically. The offer text predictions as I type option controls whether or not text pre ...

CCE-34954-8
Hide the select language group options This policy setting removes the option to change the user's menus and dialogs (UI) language from the Language and Regional Options control panel. This policy setting is used only to simplify the Regional Options control panel. If you enable this policy s ...

CCE-33983-8
Hide Regional and Language Options administrative options This policy setting removes the Administrative options from the Region settings control panel. Administrative options include interfaces for setting system locale and copying settings to the default user. This policy setting does not, howev ...

CCE-35645-1
Allow deployment operations in special profiles This policy setting allows you to manage the deployment operations of app packages when the user is logged in under special profiles. Deployment operation refers to adding, registering, staging, updating or removing an app package. Special profi ...

CCE-35316-9
Default excluded paths Enabling this policy allows you to specify a list of paths to exclude from indexing by default. The user may override these paths and include them in indexing.

CCE-32963-1
Qualitative service type Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to pa ...

CCE-35280-7
Set time limit for active Remote Desktop Services sessions This policy setting allows you to specify the maximum amount of time that a Remote Desktop Services session can be active before it is automatically disconnected. If you enable this policy setting, you must select the desired time limit ...

CCE-34691-6
Storage Manager for SANS Extension This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this po ...

CCE-35423-3
Prevent indexing when running on battery power to conserve energy If enabled, the indexer pauses whenever the computer is running on battery. If disabled, the indexing follows the default behavior. Default is disabled.

CCE-34375-6
Deny Delegating Fresh Credentials This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). If you enable this policy setting you can specify the servers to which the user's fresh credentials can NOT be delegated (fresh credentials are those that you ...

CCE-33970-5
Allow CredSSP authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses CredSSP authentication. If you enable this policy setting, the WinRM client will use CredSSP authentication. If you disable or do not configure this pol ...

CCE-35676-6
Turn off saving auto-tuning data to file This policy setting allows you to turn off saving the auto-tuning result to file. If you enable this policy setting, the auto-tuning data is not saved to file. If you disable or do not configure this policy setting, auto-tuning data is saved to file b ...

CCE-34179-2
Prohibit Enabling/Disabling components of a LAN connection Determines whether administrators can enable and disable the components used by LAN connections. If you enable this setting (and enable the 'Enable Network Connections settings for Administrators' setting), the check boxes for enabling a ...

CCE-35227-8
Network Security: Restrict NTLM: Incoming NTLM traffic This policy setting allows you to deny or allow incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Block events are recorded on this computer in the 'Operational' Log located under the Applica ...

CCE-34020-8
Display string when smart card is blocked This policy setting allows you to manage the displayed message when a smart card is blocked. If you enable this policy setting, the specified message will be displayed to the user when the smart card is blocked. Note: The following policy setting must be ...

CCE-35107-2
Configure Internet Explorer Maintenance policy processing This policy setting determines when Internet Explorer Maintenance policies are updated. This policy setting affects all policies that use the Internet Explorer Maintenance component of Group Policy, such as those in Windows Settings\Inter ...

CCE-34701-3
Do not allow Sound Recorder to run Specifies whether Sound Recorder can run. Sound Recorder is a feature of Microsoft Windows Vista that can be used to record sound from an audio input device where the recorded sound is encoded and saved as an audio file. If you enable this policy setting, Sound ...

CCE-34153-7
Add 'Run in Separate Memory Space' check box to Run dialog box Lets users run a 16-bit program in a dedicated (not shared) Virtual DOS Machine (VDM) process. All DOS and 16-bit programs run on Windows 2000 Professional and Windows XP Professional in the Windows Virtual DOS Machine program. VDM s ...

CCE-33774-1
Display the menu bar in File Explorer This policy setting configures File Explorer to always display the menu bar. Note: By default, the menu bar is not displayed in File Explorer. If you enable this policy setting, the menu bar will be displayed in File Explorer. If you disable or do not ...

CCE-34571-0
Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps) Microsoft XPS Document Writer (MXDW) generates OpenXPS (*.oxps) files by default in Windows 8. If you enable this group policy setting, the default MXDW output format is the legacy Micros ...

CCE-35160-1
Device Manager This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the s ...

CCE-34834-2
Disable revocation checking for the SSL certificate of KDC proxy servers This policy setting allows you to disable revocation check for the SSL certificate of the KDC proxy server being connected to. If you enable this policy setting, revocation check for the SSL certificate of the KDC proxy ser ...

CCE-33578-6
Configure Scenario Execution Level Determines the execution level for Windows System Responsiveness Diagnostics. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy Service (DP ...

CCE-33368-2
Use IP Address Redirection This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Remote Desktop Services session in a load-balanced RD Session Host server farm. This setting applies to an RD Session Host server that is configured to u ...

CCE-32989-6
Permit use of Devices preference extension This policy setting allows you to permit or prohibit use of the Devices preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setting, you ...

CCE-33641-2
IP Security Monitor This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, ...

CCE-35556-0
Restrict potentially unsafe HTML Help functions to specified folders With this policy, you can restrict certain HTML Help commands to function only in HTML Help (.chm) files within specified folders and their subfolders. Alternatively, you can disable these commands on the entire system. It is st ...

CCE-34967-0
Limit the maximum number of BITS jobs for this computer This policy setting limits the number of BITS jobs that can be created for all users of the computer. By default, BITS limits the total number of jobs that can be created on the computer to 300 jobs. You can use this setting to raise or lower ...

CCE-34505-8
Do not allow password authentication of Enhanced Storage devices This policy setting configures whether or not a password can be used to unlock an Enhanced Storage device. If you enable this policy setting, a password cannot be used to unlock an Enhanced Storage device. If you disable or do not c ...

CCE-33248-6
Turn off pen feedback Disables visual pen action feedback, except for press and hold feedback. If you enable this policy, all visual pen action feedback is disabled except for press and hold feedback. Additionally, the mouse cursors are shown instead of the pen cursors. If you disable or do not ...

CCE-33311-2
Allow DFS roots to be published This policy setting determines whether the user can publish DFS roots in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the 'Publish in Active Directory' option to publish DFS roots as shared folders ...

CCE-35303-7
Set Priority in the DC Locator DNS SRV records This policy setting specifies the Priority field in the SRV resource records registered by domain controllers (DC) to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used to locate the DC. ...

CCE-33894-7
Prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see when they right-click the lower-left corner or press the Windows logo key+X This policy setting allows you to prevent users from replacing the Command Prompt with Windows PowerShell in the menu they see whe ...

CCE-34299-8
Automatic Updates detection frequency Specifies the hours that Windows will use to determine how long to wait before checking for available updates. The exact wait time is determined by using the hours specified here minus zero to twenty percent of the hours specified. For example, if this policy i ...

CCE-35765-7
Turn off access to all Windows Update features This setting allows you to remove access to Windows Update. If you enable this setting, all Windows Update features are removed. This includes blocking access to the Windows Update Web site at http://windowsupdate.microsoft.com, from the Windows Updat ...

CCE-33698-2
Specify administratively assigned Offline Files This policy setting lists network files and folders that are always available for offline use. This ensures that the specified files and folders are available offline to users of the computer. If you enable this policy setting, the files you enter ...

CCE-34309-5
Display a custom message when installation is prevented by a policy setting This policy setting allows you to display a custom message to users in the notification balloon when a device installation is attempted and a policy setting prevents the installation. If you enable this policy settin ...

CCE-33444-1
Prohibit access to properties of components of a remote access connection Determines whether users can view and change the properties of components used by a private or all-user remote access connection. This setting determines whether the Properties button for components used by a private or al ...

CCE-35689-9
Specify the Display Dim Brightness (Plugged In) Specify the brightness of the display when Windows automatically reduces brightness of the display. If you enable this policy setting, you must provide a value, in percentage, indicating the display brightness when Windows automatically reduces ...

CCE-35084-3
Enable Hotspot Authentication This policy setting defines whether Wi-Fi hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support. If a Wi-Fi hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. If authentica ...

CCE-33917-6
Define the number of days before spyware definitions are considered out of date This policy setting allows you to define the number of days that must pass before spyware definitions are considered out of date. If definitions are determined to be out of date, this state may trigger several additiona ...

CCE-34033-1
Remove 'Work offline' command This policy setting removes the 'Work offline' command from Explorer, preventing users from manually changing whether Offline Files is in online mode or offline mode. If you enable this policy setting, the 'Work offline' command is not displayed in Windows Explorer. ...

CCE-34910-0
Microsoft network server: Attempt S4U2Self to obtain claim information This security setting is to support clients running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to ...

CCE-35591-7
Set the Remote Desktop licensing mode This policy setting allows you to specify the type of Remote Desktop Services client access license (RDS CAL) that is required to connect to this RD Session Host server. You can use this policy setting to select one of two licensing modes: Per User or Per Devi ...

CCE-33181-9
Reverse the subject name stored in a certificate when displaying This policy setting lets you reverse the subject name from how it is stored in the certificate when displaying it during logon. By default the user principal name (UPN) is displayed in addition to the common name to help ...

CCE-35079-3
Specify settings for optional component installation and component repair This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. If you enable this policy se ...

CCE-33761-8
Remove File Explorer's default context menu Removes shortcut menus from the desktop and File Explorer. Shortcut menus appear when you right-click an item. If you enable this setting, menus do not appear when you right-click the desktop or when you right-click the items in File Explorer. This set ...

CCE-34968-8
Log directory pruning retry events Specifies whether or not to log events when the pruning service on a domain controller attempts to contact a computer before pruning the computer's printers. The pruning service periodically contacts computers that have published printers to verify that the print ...

CCE-35538-8
Choose default folder for recovery password This policy setting allows you to specify the default path that is displayed when the BitLocker Drive Encryption setup wizard prompts the user to enter the location of a folder in which to save the recovery password. This policy setting is applied when yo ...

CCE-33565-3
Allow the use of remote paths in file shortcut icons This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. If you disable or do not configure thi ...

CCE-34256-8
Turn off switching between recent apps If you enable this setting, users will not be allowed to switch between recent apps. The App Switching option in the PC settings app will be disabled as well. If you disable or do not configure this policy setting, users will be allowed to switch between re ...

CCE-33128-0
Inclusion list for low file types This policy setting allows you to configure the list of low-risk file types. If the attachment is in the list of low-risk file types, Windows will not prompt the user before accessing the file, regardless of the file's zone information. This inclusion list override ...

CCE-33904-4
Turn on catch-up full scan This policy setting allows you to configure catch-up scans for scheduled full scans. A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed. Usually these scheduled scans are missed because the computer was turned off at the scheduled t ...

CCE-34452-3
Hide 'Installed Updates' page This setting prevents users from accessing 'Installed Updates' page from the 'View installed updates' task. 'Installed Updates' allows users to view and uninstall updates currently installed on the computer. The updates are often downloaded directly from Windows Up ...

CCE-35022-3
Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch g ...

CCE-34136-2
Do not delete temp folders upon exit This policy setting specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a ses ...

CCE-33324-5
Turn off notification area cleanup This setting affects the notification area, also called the 'system tray.' The notification area is located in the task bar, generally at the bottom of the screen, and it includes the clock and current notifications. This setting determines whether the items ar ...

CCE-35395-3
Remove Shared Documents from My Computer This policy setting allows you to remove the Shared Documents folder from My Computer. When a Windows client is in a workgroup, a Shared Documents icon appears in the File Explorer Web view under 'Other Places' and also under 'Files Stored on This Compute ...

CCE-35614-7
Select the Lid Switch Action (On Battery) Specifies the action that Windows takes when a user closes the lid on a mobile PC. Possible actions include: -Take no action -Sleep -Hibernate -Shut down If you enable this policy setting, you must select the desired action. If you disable this policy s ...

CCE-35721-0
Remove Windows Security item from Start menu Specifies whether to remove the Windows Security item from the Settings menu on Remote Desktop clients. You can use this setting to prevent inexperienced users from logging off from Remote Desktop Services inadvertently. If the status is set to Enabled, ...

CCE-34519-9
Do not delete temp folder upon exit Specifies whether Remote Desktop Services retains a user's per-session temporary folders at logoff. You can use this setting to maintain a user's session-specific temporary folders on a remote computer, even if the user logs off from a session. By default, Remot ...

CCE-34848-2
Logical and Mapped Drives This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy set ...

CCE-34572-8
Hide the Programs Control Panel This setting prevents users from using the Programs Control Panel in Category View and Programs and Features in Classic View. The Programs Control Panel allows users to uninstall, change, and repair programs, enable and disable Windows Features, set program defau ...

CCE-35418-3
Control the location of the log file This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this pol ...

CCE-33828-5
Do not sync Apps Prevent the 'AppSync' group from syncing to and from this PC. This turns off and disables the 'AppSync' group on the 'sync your settings' page in PC settings. If you enable this policy setting, the 'AppSync' group will not be synced. Use the option 'Allow users to turn app s ...

CCE-35471-2
Audit Policy: Object Access: Detailed File Share This policy setting allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any conn ...

CCE-35778-0
Turn off Connect to a Network Projector Disables the Connect to a Network Projector wizard so that users cannot connect to a network projector. If you enable this policy, users cannot use the Connect to a Network Projector wizard to connect to a projector. If you disable this policy or do not con ...

CCE-34016-6
Disallow run-once backups This policy setting allows you to manage whether run-once backups of a machine can be run or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run non-scheduled run-once backups. If you disable or do not con ...

CCE-33881-4
Configure Windows software trace preprocessor components This policy configures Windows software trace preprocessor (WPP Software Tracing) components. If you enable this setting, you can configure the Windows software trace preprocessor components. If you disable this setting, you cannot conf ...

CCE-33390-6
Allow certificates with no extended key usage certificate attribute This policy setting lets you allow certificates without an Extended Key Usage (EKU) set to be used for logon. In versions of Windows prior to Windows Vista, smart card certificates that are used for logon require an enhanced key u ...

CCE-33074-6
Specify default quota limit and warning level This policy setting specifies the default disk quota limit and warning level for new users of the volume. This policy setting determines how much disk space can be used by each user on each of the NTFS file system volumes on a computer. It also speci ...

CCE-35382-1
Prevent the wizard from running. By default, Add features to Windows 8 is available for all administrators. If you enable this policy setting, the wizard will not run. If you disable this policy setting or set it to Not Configured, the wizard will run.

CCE-34924-1
Do not allow changes to initiator CHAP secret If enabled then do not allow the initiator CHAP secret to be changed. If disabled then the initiator CHAP secret may be changed.

CCE-34465-5
WPD Devices: Deny read access This policy setting denies read access to removable disks, which may include media players, cellular phones, auxiliary displays, and CE devices. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not con ...

CCE-35329-2
Specify maximum wait time for Group Policy scripts This policy setting determines how long the system waits for scripts applied by Group Policy to run. This setting limits the total time allowed for all logon, logoff, startup, and shutdown scripts applied by Group Policy to finish running. If t ...

CCE-33337-7
Remove Network icon from Start Menu Removes the Network icon from the Start Menu.

CCE-33672-7
Specify positive periodic DC Cache refresh for non-background callers This policy setting determines when a successful DC cache entry is refreshed. This policy setting is applied to caller programs that do not periodically attempt to locate DCs, and it is applied before returning the DC informa ...

CCE-35810-1
Turn off the offer to update to the latest version of Windows Enables or disables the Store offer to update to the latest version of Windows. If you enable this setting, the Store application will not offer updates to the latest version of Windows. If you disable or do not configure this sett ...

CCE-33194-2
Restrict character code range of conversion This policy setting allows you to restrict character code range of conversion by setting character filter. If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME. You can ...

CCE-34728-6
Download missing COM components This policy setting directs the system to search Active Directory for missing Component Object Model (COM) components that a program requires. Many Windows programs, such as the MMC snap-ins, use the interfaces provided by the COM components. These programs cannot ...

CCE-32962-3
Prune printers that are not automatically republished Determines whether the pruning service on a domain controller prunes printer objects that are not automatically republished whenever the host computer does not respond, just as it does with Windows 2000 printers. This setting applies to printers ...

CCE-34781-5
Limit the maximum number of files allowed in a BITS job This policy setting limits the number of files that a BITS job can contain. By default, a BITS job is limited to 200 files. You can use this setting to raise or lower the maximum number of files a BITS job can contain. If you enable ...

CCE-33935-8
Prevent users from customizing their Start Screen This policy setting allows you to prevent users from changing their Start screen layout. If you enable this setting, you will prevent a user from selecting an app, resizing a tile, pinning/unpinning a tile or a secondary tile, entering the custom ...

CCE-35053-8
Limit outstanding packets Specifies the maximum number of outstanding packets permitted on the system. When the number of outstanding packets reaches this limit, the Packet Scheduler postpones all submissions to network adapters until the number falls below this limit. 'Outstanding packets' are pa ...

CCE-34332-7
Specify traps for public community This policy setting allows trap configuration for the Simple Network Management Protocol (SNMP) agent. Simple Network Management Protocol is a protocol designed to give a user the capability to remotely manage a computer network by polling and setting terminal ...

CCE-33619-8
Remote Installation Services This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-34123-0
Allow Enhanced Storage certificate provisioning This policy setting configures whether or not users can provision certificates on Enhanced Storage certificate silo devices. If you enable this policy setting, users can provision certificates on Enhanced Storage certificate silo devices. If you dis ...

CCE-34585-0
Set Teredo Client Port This policy setting allows you to select the UDP port the Teredo client will use to send packets. If you leave the default of 0, the operating system will select a port (recommended). If you select a UDP port that is already in use by a system, the Teredo client will fail to ...

CCE-35209-6
IPX SAP Routing This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the ...

CCE-33217-1
Turn off Routinely Taking Action Turns off Routinely Taking Action. This policy setting allows you to configure whether Windows Defender will automatically take action on all detected threats. The action to be taken on a particular threat will be determined by the combination of the policy-defined ...

CCE-33739-4
Preview pane location Enabling this policy allows you to set the location of the preview pane in the Desktop Search results. You can also turn off the preview pane. The four options are: - Auto - Right - Bottom - Off You should consider enabling this policy to turn off the preview pane if your en ...

CCE-34804-5
Determine if interactive users can generate Resultant Set of Policy data This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. If you enable this po ...

CCE-34389-7
Set ISATAP State This policy setting allows you to configure Intra-Site Automatic Tunnel Addressing Protocol (ISATAP), an address-to-router and host-to-host, host-to-router and router-to-host automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 hosts across ...

CCE-33596-8
Do not set default client printer to be default printer in a session This policy setting allows you to specify whether the client default printer is automatically set as the default printer in a session on an RD Session Host server. By default, Remote Desktop Services automatically designates the ...

CCE-34661-9
Hide the Audio page Hides the Audio page of the Tools Options dialog. Users will not then be able to change audio settings.

CCE-35734-3
Configure driver search locations This setting configures the location that Windows searches for drivers when a new piece of hardware is found. By default, Windows searches the following places for drivers: local installation, floppy drives, CD-ROM drives, Windows Update. Using this setting, ...

CCE-35186-6
Internet Explorer Maintenance This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-33270-0
Turn on Smart Card Plug and Play service This policy setting allows you to control whether Smart Card Plug and Play is enabled. If you enable or do not configure this policy setting, Smart Card Plug and Play will be enabled and the system will attempt to install a Smart Card device driver when a c ...

CCE-34674-2
Configure Corrupted File Recovery Behavior This policy setting allows you to configure the recovery behavior for corrupted files to one of three states: Regular: Detection, troubleshooting, and recovery of corrupted files will automatically start with a minimal UI display. Windows will attempt to ...

CCE-34358-2
Ability to rename LAN connections Determines whether nonadministrators can rename a LAN connection. If you enable this setting, the Rename option is enabled for LAN connections. Nonadministrators can rename LAN connections by clicking an icon representing the connection or by using the File menu ...

CCE-34105-7
Remove programs on Settings menu Prevents Control Panel, Printers, and Network Connections from running. This setting removes the Control Panel, Printers, and Network and Connection folders from Settings on the Start menu, and from Computer and Windows Explorer. It also prevents the programs rep ...

CCE-35440-7
Add primary intranet search location Enabling this policy allows you to add a primary intranet search location within Windows Desktop Search. The value of this text should be: name,url For example: Intranet,http://intranetsearch.aspx?k=$w You must provide the following: 1) A name for the scope ...

CCE-35244-3
Configure MMS Proxy This policy setting allows you to specify the MMS proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: unique proxy settings are used. ...

CCE-33283-3
Use forest search order This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the Kerberos client will search the forests in this list if it is unable to reso ...

CCE-35693-1
Specify the Unattended Sleep Timeout (Plugged In) Specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elaps ...

CCE-34421-8
Prevent users from rearranging toolbars This policy setting allows you to prevent users from rearranging toolbars. If you enable this policy setting, users are not able to drag or drop toolbars to the taskbar. If you disable or do not configure this policy setting, users are able to rearrange ...

CCE-35124-7
Security Settings This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, th ...

CCE-33150-4
Prevent indexing certain paths If you enable this policy setting, you specify a list of paths to exclude from indexing. The user cannot enter any path that starts with one of the paths you specified. On a per-user basis, this policy setting will work only if a protocol handler referencing a SID-bas ...

CCE-33426-8
Control the location of the log file This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this pol ...

CCE-34870-6
Override print driver execution compatibility setting reported by print driver This policy setting determines whether the print spooler will override the Driver Isolation compatibility reported by the print driver. This enables executing print drivers in an isolated process, even if the driver does ...

CCE-34095-0
Hide mechanisms to remove zone information This policy setting allows you to manage whether users can manually remove the zone information from saved file attachments. Typically, users can either click the Unblock button in the file's Property sheet or select a check box in the Security Warning dia ...

CCE-35573-5
Configure Hosted Cache Servers This policy setting specifies whether client computers are configured to use hosted cache mode and provides the computer name of the hosted cache servers that are available to the client computers. Hosted cache mode enables client computers in branch offices to retri ...

CCE-35320-1
Enable throttling for online mail indexing When using Microsoft Office Outlook in online mode, you can enable this policy to control how fast online mail is indexed on a Microsoft Exchange server. The lower you set this policy, the lower the burden will be on the corresponding Microsoft Exchange se ...

CCE-33726-1
Do not automatically start Windows Messenger initially This policy setting prevents Windows Messenger from automatically running at logon. If you enable this policy setting, Windows Messenger is not loaded automatically when a user logs on. If you disable or do not configure this policy sett ...

CCE-33583-6
Hide Property Pages Prevents users from viewing and changing the properties of an existing task. This setting removes the Properties item from the File menu in Scheduled Tasks and from the context menu that appears when you right-click a task. As a result, users cannot change any properties of a ...

CCE-35111-4
Configure Automatic Updates This policy setting specifies whether computers in your environment will receive security updates from Windows Update or WSUS. If you configure this policy setting to Enabled, the operating system will recognize when a network connection is available and then use the net ...

CCE-33922-6
Specify the interval to check for definition updates This policy setting allows you to specify an interval at which to check for definition updates. The time value is represented as the number of hours between update checks. Valid values range from 1 (every hour) to 24 (once per day). If you ena ...

CCE-34345-9
Allow ECC certificates to be used for logon and authentication This policy setting allows you to control whether elliptic curve cryptography (ECC) certificates on a smart card can be used to log on to a domain. If you enable this policy setting, ECC certificates on a smart card can be used to log ...

CCE-33087-8
Do not display the lock screen This policy setting controls whether the lock screen appears for users. If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. If you disable or do not conf ...

CCE-34118-0
Allow Automatic Updates immediate installation Specifies whether Automatic Updates should automatically install certain updates that neither interrupt Windows services nor restart Windows. If the status is set to Enabled, Automatic Updates will immediately install these updates once they are downl ...

CCE-35048-8
Turn off automatic update of ADM files Prevents the system from updating the Administrative Templates source files automatically when you open the Group Policy Object Editor. Administrators might want to use this if they are concerned about the amount of space used on the system volume of a DC. ...

CCE-35377-1
Hide Privacy Tab This policy setting allows you to hide the Privacy tab in Windows Media Player. If you enable this policy setting, the 'Update my music files (WMA and MP3 files) by retrieving missing media information from the Internet' check box on the Media Library tab is available, even thou ...

CCE-34478-8
WMI Control This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap ...

CCE-34567-8
Controlled load service type Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Controlled Load service type (ServiceTypeControlledLoad). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies ...

CCE-33439-1
Prohibit TCP/IP advanced configuration Determines whether users can configure advanced TCP/IP settings. If you enable this setting (and enable the 'Enable Network Connections settings for Administrators' setting), the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box is dis ...

CCE-34314-5
Synchronize all offline files before logging off Determines whether offline files are fully synchronized when users log off. This setting also disables the 'Synchronize all offline files before logging off' option on the Offline Files tab. This prevents users from trying to change the option whi ...

CCE-34171-9
Configure target Subscription Manager This policy setting allows you to configure the server address, refresh interval, and issuer certificate authority (CA) of a target Subscription Manager. If you enable this policy setting, you can configure the Source Computer to contact a specific FQDN (Ful ...

CCE-35484-5
System DEP This setting allows you to configure the EMET system-wide Data Execution Prevention (DEP) mitigation setting. DEP marks areas of memory as either 'executable' or 'nonexecutable' and allows only data in an 'executable' area to be run by programs, services, and device drivers. If you e ...

CCE-34883-9
Prevent Quick Launch Toolbar Shortcut Creation This policy prevents a shortcut for the Player from being added to the Quick Launch bar. When this policy is not configured or disabled, the user can choose whether to add the shortcut for the Player to the Quick Launch bar.

CCE-35035-5
Configure Network Buffering This policy setting allows you to specify whether network buffering uses the default or a specified number of seconds. If you enable this policy setting, select one of the following options to specify the number of seconds streaming media is buffered before it is play ...

CCE-33492-0
Clear history of tile notifications on exit If you enable this setting, the system deletes tile notifications when the user logs off. As a result, the Tiles in the start view will always show their default content when the user logs on. In addition, any cached versions of these notifications will b ...

CCE-32993-8
Permit use of Network Shares preference extension This policy setting allows you to permit or prohibit use of the Network Shares preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy ...

CCE-33713-9
Prevent plaintext PINs from being returned by Credential Manager This policy setting prevents plaintext PINs from being returned by Credential Manager. If you enable this policy setting, Credential Manager does not return a plaintext PIN. If you disable or do not configure this policy setting, ...

CCE-35627-9
Turn off Internet download for Web publishing and online ordering wizards This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such ...

CCE-35168-4
Notify user of successful smart card driver installation This policy setting allows you to control whether a confirmation message is displayed when a smart card device driver is installed. If you enable or do not configure this policy setting, a confirmation message will be displayed when a smart ...

CCE-34906-8
Maximum lifetime for service ticket This security setting determines the maximum amount of time (in minutes) that a granted session ticket can be used to access a particular service. The setting must be greater than 10 minutes and less than or equal to the setting for Maximum lifetime for user tick ...

CCE-33570-3
Allow only per user or approved shell extensions This setting is designed to ensure that shell extensions can operate on a per-user basis. If you enable this setting, Windows is directed to only run those shell extensions that have either been approved by an administrator or that will not impact ot ...

CCE-33846-7
Turn on protocol recognition This policy setting allows you to configure protocol recognition for network protection against exploits of known vulnerabilities. If you enable or do not configure this setting, protocol recognition will be enabled. If you disable this setting, protocol recogniti ...

CCE-35716-0
Remove Computer icon on the desktop This setting hides Computer from the desktop and from the new Start menu. It also hides links to Computer in the Web view of all Explorer windows, and it hides Computer in the Explorer folder tree pane. If the user navigates into Computer via the 'Up' button whil ...

CCE-35680-8
Disable logging This policy setting controls whether Windows Error Reporting saves its own events and error messages to the system event log. If you enable this policy setting, Windows Error Reporting events are not recorded in the system event log. If you disable or do not configure this pol ...

CCE-34687-4
Floppy Drives: Deny read access This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access is denied to this removable storage class. If you disable or do not configure this policy setting, r ...

CCE-35351-6
Extended View (Web View) Permits or prohibits use of this snap-in. If you enable this setting, the snap-in is permitted. If you disable the setting, the snap-in is prohibited. If this setting is not configured, the setting of the 'Restrict users to the explicitly permitted list of snap-ins' s ...

CCE-35364-9
Interactive logon: Require smart card Microsoft recommends that you use this setting, if appropriate to your environment and your organization's business requirements, to help protect end user computers. This policy setting requires users to log on to a computer with a smart card. Note: This settin ...

CCE-33372-4
Require a PIN to access data on devices running Microsoft firmware This policy setting requires users to enter a default personal identification number (PIN) to unlock and access data on the device after a specified period of inactivity (time-out period). This setting applies to Windows SideShow-co ...

CCE-33833-5
Configure local setting override for reporting to Microsoft MAPS This policy setting configures a local override for the configuration to join Microsoft MAPS. This setting can only be set by Group Policy. If you enable this setting, the local preference setting will take priority over Group Poli ...

CCE-34029-9
Reminder balloon frequency Determines how often reminder balloon updates appear. If you enable this setting, you can select how often reminder balloon updates appear and also prevent users from changing this setting. Reminder balloons appear when the user's connection to a network file is lo ...

CCE-33319-5
File Classification Infrastructure: Display Classification tab in File Explorer This policy setting controls whether the Classification tab is displayed in the Properties dialog box in File Explorer. The Classification tab enables users to manually classify files by selecting properties from a l ...

CCE-34763-3
Prevent redirection of devices that match any of these device Ids This policy setting prevents redirection of specific USB devices. If you enable this setting, an alternate driver for the USB device cannot be loaded. If you disable or do not configure this setting, an alternate driver for the ...

CCE-33637-0
Event Viewer This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the sna ...

CCE-35560-2
Restricts the UI language Windows uses for all logged users This is a setting for computers with more than one UI language installed. If you enable this setting, the UI language of Windows menus and dialogs for systems with more than one language is restricted to the specific language. If t ...

CCE-34301-2
Set a support web page link Sets the target of the More Information link that will be displayed when the user attempts to run a program that is blocked by policy.

CCE-33966-3
Remove Help menu from Start Menu Removes the Help command from the Start menu. This setting only affects the Start menu. It does not remove the Help menu from Windows Explorer and does not prevent users from running Help.

CCE-34896-1
Enforce user logon restrictions Kerberos policy settings determine Kerberos-related attributes of domain user accounts, such as the Maximum lifetime for user ticket and Enforce user logon restrictions settings. However, these policy settings are not used for stand-alone client computers because the ...

CCE-32980-5
Remove My Documents icon on the desktop Removes most occurrences of the My Documents icon. This setting removes the My Documents icon from the desktop, from Windows Explorer, from programs that use the Windows Explorer windows, and from the standard Open dialog box. This setting does not prev ...

CCE-34434-1
Turn off automatic learning This policy setting turns off the automatic learning component of handwriting recognition personalization. Automatic learning enables the collection and storage of text and ink written by the user in order to help adapt handwriting recognition to the vocabula ...

CCE-33176-9
Permit use of Folders preference extension This policy setting allows you to permit or prohibit use of the Folders preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy setting, you ...

CCE-35805-1
Disable help tips Disables help tips that Windows shows to the user. By default, Windows will show the user help tips until the user has successfully completed the scenarios. If this setting is enabled, Windows will not show any help tips to the user. If this setting is disabled or not con ...

CCE-33494-6
Remove Recent Items menu from Start Menu Removes the Recent Items menu from the Start menu. Removes the Documents menu from the classic Start menu. The Recent Items menu contains links to the non-program files that users have most recently opened. It appears so that users can easily reopen thei ...

CCE-33648-7
Specify passive polling This policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior.

CCE-34339-2
Configure Report Queue This setting determines the behavior of the Windows Error Reporting queue. If Queuing behavior is set to 'Default', Windows will decide each time a problem occurs whether the report should be queued or the user should be prompted to send it immediately. If Queuing behavior ...

CCE-33241-1
Specify maximum number of processes per Shell Configures the maximum number of processes a remote shell is allowed to launch. Any number from 0 to 0x7FFFFFFF can be set, where 0 means unlimited number of processes. If you disable or do not configure this policy setting, the limit will be 5 proce ...

CCE-34655-1
Prevent Sharing Explorer windows Prevents users from sharing Explorer windows. This prevents users from inadvertently sharing out applications, since Explorer windows can be used to launch other applications.

CCE-34392-1
Configure Scenario Execution Level Determines the execution level for Windows Resource Exhaustion Detection and Resolution. If you enable this policy setting, you must select an execution level from the dropdown menu. If you select problem detection and troubleshooting only, the Diagnostic Policy ...

CCE-35346-6
Low Battery Notification Action Specifies the action that Windows takes when battery capacity reaches the low battery notification level. Possible actions include: -Take no action -Sleep -Hibernate -Shut down If you enable this policy setting, you must select the desired action. If you disable ...

CCE-34402-8
Configure Windows NTP Client Specifies a set of parameters for controlling the Windows NTP Client. NtpServer: The Domain Name System (DNS) name or IP address of an NTP time source. This value is in the form of 'dnsName,flags' where flags is a hexadecimal bitmask of the flags for that host. For mor ...

CCE-33711-3
Prevent backing up to optical media (CD/DVD) This setting lets you prevent users from selecting optical media (CD/DVD) for storing backups. If this setting is enabled, users will be blocked from selecting optical media as a backup location. If this setting is disabled or not configured, users can ...

CCE-34851-6
Service Dependencies This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, ...

CCE-34076-0
Display confirmation dialog when deleting files Allows you to have File Explorer display a confirmation dialog whenever a file is deleted or moved to the Recycle Bin. If you enable this setting, a confirmation dialog is displayed when a file is deleted or moved to the Recycle Bin by the user. ...

CCE-33515-8
Prohibit renaming private remote access connections Determines whether users can rename their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availability page in the New Connection Wizard, cl ...

CCE-35070-2
Configure HTTP Proxy This policy setting allows you to specify the HTTP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: unique proxy settings are used. ...

CCE-34522-3
Do not forcefully unload the users registry at user logoff Microsoft Windows will always unload the users registry, even if there are any open handles to the per-user registry keys at user logoff. Using this policy setting, an administrator can negate this behavior, preventing Windows from forceful ...

CCE-33768-3
Hide previous versions of files on backup location This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. If you enable this pol ...

CCE-33374-0
Remove Music icon from Start Menu Removes the Music icon from the Start Menu.

CCE-35675-8
Turn off Open Extended Dictionary This policy setting allows you to turn off Open Extended Dictionary. If you enable this policy setting, Open Extended Dictionary is turned off. You cannot add a new Open Extended Dictionary. For Japanese Microsoft IME, an Open Extended Dictionary that is adde ...

CCE-35226-0
Network Security: Restrict NTLM: Audit Incoming NTLM Traffic This policy setting allows you to audit incoming NTLM traffic. This policy is supported on at least Windows 7 or Windows Server 2008 R2. Note: Audit events are recorded on this computer in the 'Operational' Log located under the Applicati ...

CCE-35422-5
Allow use of diacritics This policy setting allows words that contain diacritic characters to be treated as separate words. If you enable this policy setting, words that only differ in diacritics are treated as different words. If you disable this policy setting, words with diacritics and words wit ...

CCE-33831-9
Allow antimalware service to startup with normal priority This policy setting controls the load priority for the antimalware service. Increasing the load priority will allow for faster service startup, but may impact performance. If you enable or do not configure this setting, the antimalware se ...

CCE-35017-3
Set time limit for active but idle Remote Desktop Services sessions This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you ...

CCE-33121-5
Set path for Remote Desktop Services Roaming User Profile This policy setting allows you to specify the network path that Remote Desktop Services uses for roaming user profiles. By default, Remote Desktop Services stores all user profiles locally on the RD Session Host server. You can use this pol ...

CCE-34731-0
Disable NetMeeting 2.x Whiteboard Disables the 2.x whiteboard feature of NetMeeting. The 2.x whiteboard is available for compatibility with older versions of NetMeeting only. Deployers who do not need it can save bandwidth by disabling it.

CCE-34326-9
Configuration of wireless settings using Windows Connect Now This policy setting allows the configuration of wireless settings using Windows Connect Now (WCN). The WCN Registrar enables the discovery and configuration of devices over Ethernet (UPnP), over In-band 802.11 Wi-Fi, through the Windows P ...

CCE-33964-8
Turn off location This policy setting turns off the location feature for this computer. If you enable this policy setting, the location feature is turned off, and all programs on this computer are prevented from using location information from the location feature. If you disa ...

CCE-34788-0
Always install with elevated privileges This policy setting directs Windows Installer to use elevated permissions when it installs any program on the system. If you enable this policy setting, privileges are extended to all programs. These privileges are usually reserved for programs that have b ...

CCE-33635-4
Disk Defragmenter This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, th ...

CCE-33045-6
Audit: Audit the use of Backup and Restore privilege This policy setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use setting is in effect. If you enable both policies, an audit event will be generated for every file that is ...

CCE-34183-4
Ability to rename all user remote access connections Determines whether nonadministrators can rename all-user remote access connections. To create an all-user connection, on the Connection Availability page in the New Connection Wizard, click the 'For all users' option. If you enable this set ...

CCE-35479-5
Default Protections for Recommended Software This setting allows you to apply the recommended EMET protections to recommended software (such as WordPad, Microsoft Office, Adobe Acrobat, Adobe Acrobat Reader, and Oracle Java). If you enable this setting, the suggested EMET protections are applied ...

CCE-34152-9
Add Search Internet link to Start Menu If you enable this policy, a 'Search the Internet' link is shown when the user performs a search in the start menu search box. This button launches the default browser with the search terms. If you disable this policy, there will not be a 'Search the Interne ...

CCE-34459-8
Set time (in seconds) to force reboot This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want ...

CCE-35137-9
Exclude credential providers This policy setting allows the administrator to exclude the specified credential providers from use during authentication. Note: credential providers are used to process and validate user credentials during logon or when authentication is required. Windows Vista provid ...

CCE-33502-6
Allow Delegating Fresh Credentials This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enable this policy setting you can specify the ...

CCE-35190-8
Corporate Resources Specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource. Each string can be one of the following types: - A DNS name or IPv6 address that ...

CCE-32959-9
Prohibit Use of Restart Manager The Restart Manager API can eliminate or reduce the number of system restarts that are required to complete an installation or update. This setting controls Windows Installer's interaction with the Restart Manager. If you enable this setting, you can use the options ...

CCE-33387-2
Allow Applications to Prevent Automatic Sleep (Plugged In) Allow applications and services to prevent automatic sleep. If you enable this policy setting, any application, service or device driver may prevent Windows from automatically transitioning to sleep after a period of user inactivity. ...

CCE-33254-4
Turn Off user-installed desktop gadgets This policy setting allows you to turn off desktop gadgets that have been installed by the user. If you enable this setting, Windows will not run any user-installed gadgets. If you disable or do not configure this setting, Windows will run user-installed ga ...

CCE-34997-7
Network Security: Restrict NTLM: Audit NTLM authentication in this domain This policy setting allows you to audit NTLM authentication in a domain from this domain controller. This policy is supported on at least Windows Server 2008 R2. Note: Audit events are recorded on this computer in the 'Operat ...

CCE-33755-0
Remove Hardware tab Removes the Hardware tab. This setting removes the Hardware tab from Mouse, Keyboard, and Sounds and Audio Devices in Control Panel. It also removes the Hardware tab from the Properties dialog box for all local drives, including hard drives, floppy disk drives, and CD-ROM dri ...

CCE-34668-4
Prevent sending files Prevents users from sending files to others in a conference.

CCE-35257-5
Limit the BITS Peercache size This policy setting limits the maximum amount of disk space that can be used for the BITS Peercache, as a percentage of the total system disk size. BITS will add files to the Peercache and make those files available to peers until the cache content reaches the specifie ...

CCE-33888-9
Scan removable drives This policy setting allows you to manage whether or not to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan. If you enable this setting, removable drives will be scanned during any type ...

CCE-35453-0
No Computers Near Me in Network Locations This policy setting allows you to remove computers in the user's workgroup and domain from lists of network resources in File Explorer and Network Locations. If you enable this policy setting, the system removes the 'Computers Near Me' option and the ico ...

CCE-35586-7
Set roaming profile path for all users logging onto this computer Specifies whether Microsoft Windows should use the specified network path as the roaming user profile path for all users logging onto this computer. To use this setting, type the path to the network share in the form \\Computername ...

CCE-34272-5
Lock the Taskbar This setting affects the taskbar, which is used to switch between running applications. The taskbar includes the Start button, list of currently running tasks, and the notification area. By default, the taskbar is located at the bottom of the screen, but it can be dragged to any ...

CCE-33330-2
Do not keep history of recently opened documents Prevents the operating system and installed programs from creating and displaying shortcuts to recently opened documents. If you enable this setting, the system and Windows programs do not create shortcuts to documents opened while the setting is ...

CCE-33267-6
Turn on root certificate propagation from smart card This policy setting allows you to manage the root certificate propagation that occurs when a smart card is inserted. If you enable or do not configure this policy setting then root certificate propagation will occur when you insert your smart ca ...

CCE-35466-2
Maximum allowed Recycle Bin size Limits the percentage of a volume's disk space that can be used to store deleted files. If you enable this setting, the user has a maximum amount of disk space that may be used for the Recycle Bin on their workstation. If you disable or do not configure this s ...

CCE-34219-6
Windows To Go Default Startup Options This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item. If you enable th ...

CCE-33875-6
Configure local setting override for the scan type to use for a scheduled scan This policy setting configures a local override for the configuration of the scan type to use during a scheduled scan. This setting can only be set by Group Policy. If you enable this setting, the local preference se ...

CCE-33622-2
Software Installation (Users) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-34063-8
Turn off the communities features Windows Mail will not check your newsgroup servers for Communities support.

CCE-33679-2
Ignore custom consent settings This setting determines the behavior of the default consent setting in relation to custom consent settings. If this setting is enabled, the default Consent level setting will always override any other consent setting. If this setting is disabled or not configured, ea ...

CCE-35609-7
Permit use of Control Panel Settings (Computers) This policy setting allows you to permit or prohibit use of the Control Panel Settings item and all preference extensions listed in the Group Policy Management Editor window of the GPMC under Computer Configuration\Preferences\Control Panel Settings. ...

CCE-34744-3
Custom Commands Specifies commands configured by the administrator for custom logging. These commands will run in addition to default log commands.

CCE-35200-5
Limit disk space used by offline files This policy limits the amount of the computer's disk space that can be used to store offline files. Using this setting you can configure how much total disk space (in Megabytes) is used for storing offline files. This includes the space used by automatically ...

CCE-33001-9
Register PTR Records Determines whether the registration of PTR resource records is enabled for the computers to which this policy is applied. By default, DNS clients configured to perform dynamic DNS registration attempt PTR resource record registration only if they successfully registered the co ...

CCE-34877-1
Prevent Desktop Shortcut Creation This policy prevents a shortcut icon for the Player from being added to the user's desktop. When this policy is not configured or disabled, users can choose whether to add the Player shortcut icon to their desktops.

CCE-34415-0
Remove the networking icon This policy setting allows you to remove the networking icon from the system control area. If you enable this policy setting, the networking icon is not displayed in the system notification area. If you disable or do not configure this policy setting, the networking ...

CCE-33463-1
Specify the System Sleep Timeout (On Battery) Specifies the period of inactivity before Windows transitions the system to sleep. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elapse before Windows transitions to sleep. If you disable ...

CCE-35795-4
Don't search the web or display web results in Search over metered connections This policy setting allows you to control whether or not Search can perform queries on the web over metered connections, and if the web results are displayed in Search. If you enable this policy setting, queries won't ...

CCE-33134-8
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers. If you enable this policy setting, any cer ...

CCE-35333-4
Specify address lookup behavior for DC locator ping This policy setting configures how a domain controller (DC) behaves when responding to a client whose IP address does not map to any configured site. Domain controllers use the client IP address during a DC locator ping request to compute which ...

CCE-34504-1
Do not allow manual configuration of target portals If enabled then new target portals may not be added and thus new targets discovered on those portals; existing target portals may not be removed. If disabled then new target portals may be added and thus new targets discovered on those portals; ex ...

CCE-33147-0
Turn off Tablet PC Pen Training Turns off Tablet PC Pen Training. If you enable this policy setting, users cannot open Tablet PC Pen Training. If you disable or do not configure this policy setting, users can open Tablet PC Pen Training.

CCE-33742-8
Point and Print Restrictions This policy setting controls the client Point and Print behavior, including the security prompts for Windows Vista computers. The policy setting applies only to non-Print Administrator clients, and only to computers that are members of a domain. When the policy setting ...

CCE-35764-0
Trusted Hosts This policy setting allows you to manage whether Windows Remote Management (WinRM) client uses the list specified in TrustedHostsList to determine if the destination host is a trusted entity. If you enable this policy setting, the WinRM client uses the list specified in TrustedHostsL ...

CCE-33799-8
Notify antivirus programs when opening attachments Antivirus programs are mandatory in many environments and provide a strong defense against attack. The Notify antivirus programs when opening attachments setting allows you to manage how registered antivirus programs are notified. When enabled, thi ...

CCE-34953-0
Turn off shared components This policy setting controls the ability to turn off shared components. If you enable this policy setting, no packages on the system get the shared component functionality enabled by the msidbComponentAttributesShared attribute in the Component Table. If you disable ...

CCE-33210-6
Use maximum DC discovery retry interval setting for background callers This policy setting determines the maximum retry interval allowed when applications performing periodic searches for Domain Controllers (DCs) are unable to find a DC. For example, the retry intervals may be set at 10 minutes ...

CCE-34494-5
Do not allow clipboard redirection Specifies whether to prevent the sharing of clipboard contents (clipboard redirection) between a remote computer and a client computer during a Remote Desktop Services session. You can use this setting to prevent users from redirecting clipboard data to and from ...

CCE-34308-7
Disallow Kerberos authentication This policy setting allows you to manage whether the Windows Remote Management (WinRM) client will not use Kerberos authentication directly. If you enable this policy setting, the Windows Remote Management (WinRM) client will not use Kerberos authentication directl ...

CCE-33343-5
Hide the notification area This setting affects the notification area (previously called the 'system tray') on the taskbar. Description: The notification area is located at the far right end of the task bar and includes the icons for current notifications and the system clock. If this setting ...

CCE-32964-9
Qualitative service type Specifies an alternate link layer (Layer-2) priority value for packets with the Qualitative service type (ServiceTypeQualitative). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you can change ...

CCE-35185-8
IP Security Policy Management This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-33080-3
Configure use of hardware-based encryption for fixed data drives This policy setting allows you to manage BitLocker's use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve ...

CCE-35315-1
Control rich previews for attachments Enabling this policy defines a semicolon-delimited list of file extensions which will be allowed to have rich attachment previews. When this policy is disabled or not configured the default settings will be set to .bmp;.emf;.gif;.jpg;.jpeg;.png;.wmf;.wrn;.txt; ...

CCE-34481-2
Share and Storage Management Extension This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable thi ...

CCE-33476-3
Turn off Tablet PC touch input Turn off Tablet PC touch input Turns off touch input, which allows the user to interact with their computer using their finger. If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestu ...

CCE-34690-8
Remote Desktops This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the ...

CCE-33809-5
Turn off caching of thumbnail pictures This policy setting allows you to turn off caching of thumbnail pictures. If you enable this policy setting, thumbnail views are not cached. If you disable or do not configure this policy setting, thumbnail views are cached. Note: For shared corporate ...

CCE-35119-7
Specify corporate site prefix list This policy setting enables you to specify the list of IPv6 corporate site prefixes to monitor for corporate connectivity. Reachability of addresses with any of these prefixes indicates corporate connectivity.

CCE-34121-4
Allow Delegating Saved Credentials This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via a trusted X509 certificate or Kerberos. If you enable this policy setting you can specify the ...

CCE-35381-3
Configure compression for RemoteFX data This policy setting allows you to specify which Remote Desktop Protocol (RDP) compression algorithm to use. By default, servers use an RDP compression algorithm that is based on the server's hardware configuration. If you enable this policy setting, you ...

CCE-35328-4
Set user home folder This policy setting allows you to specify the location and root (file share or local path) of a user's home folder for a logon session. If you enable this policy setting, the user's home folder is configured to the specified local or network location, creating a new folder f ...

CCE-35172-6
Prevent license upgrade This policy setting allows you to specify which version of Remote Desktop Services client access license (RDS CAL) a Remote Desktop Services license server will issue to clients connecting to RD Session Host servers running other Windows-based operating systems. A license s ...

CCE-34428-3
Apply policy to removable media Extends the disk quota policies in this folder to NTFS file system volumes on removable media. If you disable this setting or do not configure it, the disk quota policies established in this folder apply to fixed-media NTFS volumes only. Note: When this setting is a ...

CCE-34058-8
Turn off restore functionality This setting lets you disable file restore functionality. If this setting is enabled, the file restore program is disabled. If this setting is disabled or not configured, the file restore program is enabled and users can restore files.

CCE-34700-5
Do not allow printing to Journal Note Writer Prevents printing to Journal Note Writer. If you enable this policy, the Journal Note Writer printer driver will not allow printing to it. It will remain displayed in the list of available printers, but attempts to print to it will fail. If you disable ...

CCE-33862-4
Specify the day of the week to run a scheduled full scan to complete remediation This policy setting allows you to specify the day of the week on which to perform a scheduled full scan in order to complete remediation. The scan can also be configured to run every day or to never run at all. This ...

CCE-34254-3
Prevent installation of devices using drivers that match these device setup classes This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any ...

CCE-34966-2
Turn off Inventory Collector This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility probl ...

CCE-35096-7
Set Group Policy refresh interval for domain controllers This policy setting specifies how often Group Policy is updated on domain controllers while they are running (in the background). The updates specified by this setting occur in addition to updates performed when the system starts. By defau ...

CCE-33356-7
Specify channel binding token hardening level This policy setting allows you to set the hardening level of the Windows Remote Management (WinRM) service with regard to channel binding tokens. If you enable this policy setting, the WinRM service uses the level specified in HardeningLevel to ...

CCE-35720-2
Removable Disks: Deny read access This policy setting denies read access to removable disks. If you enable this policy setting, read access will be denied to this removable storage class. If you disable or do not configure this policy setting, read access will be allowed to this removable storage ...

CCE-33103-3
Require additional authentication at startup This policy setting allows you to configure whether BitLocker requires additional authentication each time the computer starts and whether you are using BitLocker with or without a Trusted Platform Module (TPM). This policy setting is applied when you tu ...

CCE-33929-1
Do not connect to any Windows Update Internet locations Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like ...

CCE-33653-7
Turn off insert a space after selecting a text prediction This policy turns off the insert a space after selecting a text prediction option. This does not, however, prevent the user or an application from changing the setting programmatically. The insert a space after selecting a text pr ...

CCE-35359-9
Prevent flicks Makes pen flicks and all related features unavailable. If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification and the pe ...

CCE-35688-1
Specify Shell Timeout This policy setting is deprecated.

CCE-33982-0
Best effort service type Specifies an alternate link layer (Layer-2) priority value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding priority value in the Layer-2 header of the packets. If you enable this setting, you can change ...

CCE-34450-7
Do not allow v4 printer drivers to show printer extensions This policy determines if v4 printer drivers are allowed to run printer extensions. V4 printer drivers may include an optional, customized user interface known as a printer extension. These extensions may provide access to more d ...

CCE-35777-2
Turn Off Cache Power Mode Turns off the power save mode on the hybrid hard disks in the system. If you enable this policy, the disks will not be put into NV cache power save mode and no power savings would be achieved. If you disable this policy setting, then the hard disks are put into a NV cach ...

CCE-34032-3
Synchronize offline files before suspend Determines whether offline files are synchronized before a computer is suspended. If you enable this setting, offline files are synchronized whenever the computer is suspended. Setting the synchronization action to 'Quick' ensures only that all files in th ...

CCE-34374-9
Delete user profiles older than a specified number of days on system restart This policy setting allows an administrator to automatically delete user profiles on system restart that have not been used within a specified number of days. Note: One day is interpreted as 24 hours after a specific user ...

CCE-34178-4
Prohibit access to the Advanced Settings item on the Advanced menu Determines whether the Advanced Settings item on the Advanced menu in Network Connections is enabled for administrators. The Advanced Settings item lets users view and change bindings and view and change the order in which the co ...

CCE-32977-1
Allow only bitmapped wallpaper Permits only bitmap images for wallpaper. This setting limits the desktop background ('wallpaper') to bitmap (.bmp) files. If users select files with other image formats, such as JPEG, GIF, PNG, or HTML, through the Browse button on the Desktop tab, the wallpaper does ...

CCE-35631-1
Turn off the Windows Messenger Customer Experience Improvement Program This policy setting specifies whether Windows Messenger collects anonymous information about how Windows Messenger software and service is used. With the Customer Experience Improvement program, users can allow Microsoft to c ...

CCE-34846-6
IP Routing This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap- ...

CCE-35292-2
Determine if interactive users can generate Resultant Set of Policy data This policy setting controls the ability of users to view their Resultant Set of Policy (RSoP) data. By default, interactively logged on users can view their own Resultant Set of Policy (RSoP) data. If you enable this po ...

CCE-35106-4
Configure software Installation policy processing This policy setting determines when software installation policies are updated. This policy setting affects all policy settings that use the software installation component of Group Policy, such as policy settings in Software Settings\Software In ...

CCE-33236-1
Driver compatibility settings Driver compatibility settings.

CCE-35435-7
Show hibernate in the power options menu Shows or hides hibernate from the power options menu. If you enable this policy setting, the hibernate option will be shown in the Power Options menu (as long as it is supported by the machine's hardware). If you disable this policy setting, the hiber ...

CCE-34517-3
Do not automatically start Windows Messenger initially Windows Messenger is automatically loaded and running when a user logs on to a Windows XP computer. You can use this setting to stop Windows Messenger from automatically being run at logon. If you enable this setting, Windows Messenger will no ...

CCE-33773-3
Items displayed in Places Bar Configures the list of items displayed in the Places Bar in the Windows File/Open dialog. If you enable this setting you can specify from 1 to 5 items to be displayed in the Places Bar. The valid items you may display in the Places Bar are: 1) Shortcuts to a local fo ...

CCE-34570-2
Turn off all balloon notifications This policy setting allows you to turn off all notification balloons. If you enable this policy setting, no notification balloons are shown to the user. If you disable or do not configure this policy setting, notification balloons are shown to the user.

CCE-35239-3
Standard User Individual Lockout Threshold This policy setting allows you to manage the maximum number of authorization failures for each standard user for the Trusted Platform Module (TPM). If the number of authorization failures for the user within the duration for Standard User Lockout Duration ...

CCE-35568-5
Select the Sleep Button Action (On Battery) Specifies the action that Windows takes when a user presses the sleep button. Possible actions include: -Take no action -Sleep -Hibernate -Shut down If you enable this policy setting, you must select the desired action. If you disable this policy sett ...

CCE-33577-8
Set Teredo State This policy setting allows you to configure Teredo, an address assignment and automatic tunneling technology that provides unicast IPv6 connectivity across the IPv4 Internet. If you disable or do not configure this policy setting, the local host settings are used. If you enab ...

CCE-33640-4
IP Security Policy Management This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-33312-0
Allow shared folders to be published This policy setting determines whether the user can publish shared folders in Active Directory Domain Services (AD DS). If you enable or do not configure this policy setting, users can use the 'Publish in Active Directory' option in the Shared Folders snap-in ...

CCE-34331-9
Set Teredo Refresh Rate This policy setting allows you to configure the Teredo refresh rate. Note: On a periodic basis (by default, every 30 seconds), Teredo clients send a single Router Solicitation packet to the Teredo server. The Teredo server sends a Router Advertisement Packet in response. ...

CCE-33249-4
Turn off SwitchBack Compatibility Engine The policy controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new appl ...

CCE-34847-4
IPX Routing This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, the snap ...

CCE-33893-9
Do not show recent apps when the mouse is pointing to the upper-left corner of the screen This policy setting allows you to prevent the last app and the list of recent apps from appearing when the mouse is pointing to the upper-left corner of the screen. If you enable this policy setting, the us ...

CCE-33697-4
Limit maximum display resolution This policy setting allows you to specify the maximum display resolution that can be used by each monitor used to display a Remote Desktop Services session. Limiting the resolution used to display a remote session can improve connection performance, particularly ove ...

CCE-35417-5
Replace addresses in conflicts Specifies whether dynamic updates should overwrite existing resource records that contain conflicting IP addresses. This policy setting is designed for computers that register address (A) resource records in DNS zones that do not use Secure Dynamic Updates. Secure ...

CCE-33445-8
Prohibit changing properties of a private remote access connection Determines whether users can view and change the properties of their private remote access connections. Private connections are those that are available only to one user. To create a private connection, on the Connection Availabi ...

CCE-35733-5
Turn off access to the Store This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the u ...

CCE-35470-4
Require trusted path for credential entry If you enable this policy setting, users are required to enter Windows credentials on the Secure Desktop by means of the trusted path mechanism. This means that before entering account and password information to authorize an elevation request, a user first ...

CCE-33916-8
Define the number of days after which a catch-up definition update is required This policy setting allows you to define the number of days after which a catch-up definition update will be required. By default, the value of this setting is 1 day. If you enable this setting, a catch-up definition ...

CCE-34015-8
Disallow network as backup target This policy setting allows you to manage whether backups of a machine can run to a network share or not. If you enable this policy setting, machine administrator/backup operator cannot use Windows Server Backup to run backups to a network share. If you disable or ...

CCE-34255-0
Block launching desktop apps associated with a file. This policy setting allows you to minimize the risk involved when a packaged app launches the default app for a file. Because desktop apps run at a higher integrity level than packaged apps, there is a risk that a packaged app could compromise th ...

CCE-33707-1
Send Console Message This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, ...

CCE-33182-7
Run Windows PowerShell scripts first at user logon, logoff This policy setting determines whether Windows PowerShell scripts will run before non-PowerShell scripts during user logon and logoff. By default, PowerShell scripts run after non-PowerShell scripts. If you enable this policy setting, wi ...

CCE-35078-5
Custom Instant Search Internet search provider Set up the menu name and URL for the custom Internet search provider. If you enable this setting, the specified menu name and URL will be used for Internet searches. If you disable or do not configure this setting, the default Internet search provid ...

CCE-35287-2
Configure log access This policy setting specifies to use the security descriptor for the log using the Security Descriptor Definition Language (SDDL) string. If you enable this policy setting, only those users matching the security descriptor can access the log. If you disable or do not conf ...

CCE-35483-7
System ASLR This setting allows you to configure the system-wide Address Space Layout Randomization (ASLR) EMET mitigation setting. If you enable this setting, the EMET system-wide ASLR mitigation is enabled. If you disable or do not configure this setting, the EMET system-wide ASLR mitigation is disabled ...

CCE-33760-0
Turn off numerical sorting in File Explorer This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 ...

CCE-33564-6
Turn off display of recent search entries in the File Explorer search box Disables suggesting recent queries for the Search Box and prevents entries into the Search Box from being stored in the registry for future references. File Explorer shows suggestion pop-ups as users type into the Search B ...

CCE-34923-3
Storage Manager for SANs This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setti ...

CCE-32994-6
Permit use of Power Options preference extension This policy setting allows you to permit or prohibit use of the Power Options preference extension. When a preference extension is prohibited, it does not appear in the Group Policy Management Editor window of the GPMC. If you enable this policy s ...

CCE-33903-6
Start the scheduled scan only when computer is on but not in use This policy setting allows you to configure scheduled scans to start only when your computer is on but not in use. If you enable or do not configure this setting, scheduled scans will only run when the computer is on but not in use ...

CCE-34780-7
Limit the maximum number of BITS jobs for each user This policy setting limits the number of BITS jobs that can be created by a user. By default, BITS limits the total number of jobs that can be created by a user to 60 jobs. You can use this setting to raise or lower the maximum number of BITS jobs ...

CCE-34451-5
Hide 'Get Programs' page Prevents users from viewing or installing published programs from the network. This setting prevents users from accessing the 'Get Programs' page from the Programs Control Panel in Category View, Programs and Features in Classic View and the 'Install a program from the ...

CCE-35021-5
Set time limit for logoff of RemoteApp sessions This policy setting allows you to specify how long a user's RemoteApp session will remain in a disconnected state before the session is logged off from the RD Session Host server. By default, if a user closes a RemoteApp program, the session is dis ...

CCE-35626-1
Turn off access to the Store This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the u ...

CCE-33325-2
Remove drag-and-drop and context menus on the Start Menu Prevents users from using the drag-and-drop method to reorder or remove items on the Start menu. Also, it removes context menus from the Start menu. If you disable this setting or do not configure it, users can remove or reorder Start menu ...

CCE-35404-3
Deny log on as a service This security setting determines which service accounts are prevented from registering a process as a service. This policy setting supersedes the Log on as a service policy setting if an account is subject to both policies. Note: This security setting does not apply to the S ...

CCE-33205-6
Turn off legacy remote shutdown interface This policy controls the legacy remote shutdown interface (named pipe). The named pipe remote shutdown interface is needed in order to shut down this system from a remote Windows XP or Windows Server 2003 system. If this setting is enabled, the system does ...

CCE-35261-7
Prevent automatic discovery of feeds and Web Slices This policy setting prevents users from having Internet Explorer automatically discover whether a feed or Web Slice is available for an associated webpage. If you enable this policy setting, the user does not receive a notification on the toolb ...

CCE-34122-2
Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries Specifies whether the computers to which this setting is applied may attach suffixes to an unqualified multi-label name before sending subsequent DNS queries, if the original name query fails. A name containing dots, but not dot-te ...

CCE-35208-8
Restrict users to the explicitly permitted list of snap-ins Lets you selectively permit or prohibit the use of Microsoft Management Console (MMC) snap-ins. -- If you enable this setting, all snap-ins are prohibited, except those that you explicitly permit. Use this setting if you plan to prohib ...

CCE-34803-7
Friendly Name Specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify "Contoso Intranet Access" for the DirectAccess clients of the Contoso Corporation. If this setting is not configured, the string ...

CCE-34477-0
Windows Firewall with Advanced Security This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable t ...

CCE-34059-6
Turn off Resultant Set of Policy logging This setting allows you to enable or disable Resultant Set of Policy (RSoP) logging on a client computer. RSoP logs information on Group Policy settings that have been applied to the client. This information includes details such as which Group Policy objec ...

CCE-34660-1
Limit the bandwidth of Audio and Video Limits the bandwidth audio and video will consume when in a conference. This setting will guide NetMeeting to choose the right formats and send rate so that the bandwidth is limited.

CCE-35600-6
Set timer resolution Determines the smallest unit of time that the Packet Scheduler uses when scheduling packets for transmission. The Packet Scheduler cannot schedule packets for transmission more frequently than permitted by the value of this entry. If you enable this setting, you can override t ...

CCE-34344-2
Allow Delegating Default Credentials with NTLM-only Server Authentication This policy setting applies to applications using the Cred SSP component (for example: Terminal Server). This policy applies when server authentication was achieved via NTLM. If you enable this policy setting you can specif ...

CCE-33827-7
Save documents and pictures to the local PC by default This policy setting lets you select the local PC as the default save location. It does not prevent apps and users from saving files on OneDrive. If you enable this policy setting, files will be saved locally by default. Users will still b ...

CCE-33880-6
Configure Watson events This policy setting allows you to configure whether or not Watson events are sent. If you enable or do not configure this setting, Watson events will be sent. If you disable this setting, Watson events will not be sent.

CCE-35590-9
Turn off Windows HotStart This policy setting allows you to manage whether HotStart buttons can be used to launch applications. If you enable this policy setting, applications cannot be launched using the HotStart buttons. If you disable or do not configure this policy setting, applications c ...

CCE-33391-4
Allow Corporate redirection of Customer Experience Improvement uploads If you enable this setting all Customer Experience Improvement Program uploads are redirected to Microsoft Operations Manager server. If you disable this setting uploads are not redirected to a Microsoft Operations Manager serv ...

CCE-34673-4
Show only specified Control Panel items This policy setting controls which Control Panel items such as Mouse, System, or Personalization, are displayed on the Control Panel window and the Start screen. The only items displayed in Control Panel are those you specify in this setting. This setting aff ...

CCE-33338-5
Remove Homegroup link from Start Menu If you enable this policy the Start menu will not show a link to Homegroup. It also removes the homegroup item from the Start Menu options. As a result, users cannot add the homegroup link to the Start Menu. If you disable or do not configure this poli ...

CCE-32950-8
Force a specific visual style file or force Windows Classic This setting allows you to force a specific visual style file by entering the path (location) of the visual style file. This can be a local computer visual style (aero.msstyles), or a file located on a remote server using a UNC path (\\ ...

CCE-34464-8
Tape Drives: Deny write access This policy setting denies write access to the Tape Drive removable storage class. If you enable this policy setting, write access is denied to this removable storage class. If you disable or do not configure this policy setting, write access is allowed to this ...

CCE-33671-9
Floppy Drives: Deny read access This policy setting denies read access to the Floppy Drives removable storage class, including USB Floppy Drives. If you enable this policy setting, read access will be denied to this removable storage class. If you disable or do not configure this policy setting, ...

CCE-34949-8
Software Installation (Computers) This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this po ...

CCE-34135-4
Prioritize all digitally signed drivers equally during the driver ranking and selection process This policy setting allows you to determine how drivers signed by a Microsoft Windows Publisher certificate are ranked with drivers signed by other valid Authenticode signatures during the driver selecti ...

CCE-33618-0
Folder Redirection This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy setting, t ...

CCE-33195-9
Specify a Custom Active Power Plan Specifies the active power plan from a specified power plan's GUID. The GUID for a custom power plan can be retrieved by using powercfg, the power configuration command line tool. If you enable this policy setting, you must specify a power plan, specified ...

CCE-35394-6
Do not track Shell shortcuts during roaming This policy setting determines whether Windows traces shortcuts back to their sources when it cannot find the target on the user's system. Shortcut files typically include an absolute path to the original target file as well as the relative path to the ...

CCE-34290-7
Prohibit access to the New Connection Wizard Determines whether users can use the New Connection Wizard, which creates new network connections. If you enable this setting (and enable the 'Enable Network Connections settings for Administrators' setting), the Make New Connection icon does not appe ...

CCE-34237-8
Detect application failures caused by deprecated Windows DLLs This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose DLL load failures in programs. If you enable this policy setting, the PCA detects programs trying to load legacy Microsoft Windows DLLs that ar ...

CCE-35572-7
Enable Automatic Hosted Cache Discovery by Service Connection Point This policy setting specifies whether client computers should attempt the automatic configuration of hosted cache mode by searching for hosted cache servers publishing service connection points that are associated with the client's ...

CCE-33738-6
Specify Refresh Interval of the DC Locator DNS records This policy setting specifies the Refresh Interval of the DC Locator DNS resource records for DCs to which this setting is applied. These DNS records are dynamically registered by the Net Logon service and are used by the DC Locator algorithm t ...

CCE-34300-4
Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers. Determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enab ...

CCE-33088-6
Enforce drive encryption type on removable data drives This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if en ...

CCE-34117-2
Allow Applications to Prevent Automatic Sleep (On Battery) Allow applications and services to prevent automatic sleep. If you enable this policy setting, any application, service or device driver may prevent Windows from automatically transitioning to sleep after a period of user inactivity. ...

CCE-33271-8
Turn on Software Notifications This policy setting allows you to control whether users see detailed enhanced notification messages about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installation and use of optional software. Th ...

CCE-34433-3
Best effort service type Specifies an alternate Layer-3 Differentiated Services Code Point (DSCP) value for packets with the Best Effort service type (ServiceTypeBestEffort). The Packet Scheduler inserts the corresponding DSCP value in the IP header of the packets. This setting applies only to pac ...

CCE-35376-3
Streaming Media Protocols This policy setting allows you to specify that Windows Media Player can attempt to use selected protocols when receiving streaming media from a server running Windows Media Services. If you enable this policy setting, the protocols that are selected on the Network tab o ...

CCE-35389-6
Prevent clients from querying the index remotely If enabled, clients will be unable to query this computer's index remotely. Thus, when they are browsing network shares that are stored on this computer, they will not search them using the index. If disabled, client search requests will use this co ...

CCE-34420-0
Prevent users from adding or removing toolbars This policy setting allows you to prevent users from adding or removing toolbars. If you enable this policy setting, the user is not allowed to add or remove any toolbars to the taskbar. Applications are not able to add toolbars either. If you di ...

CCE-34357-4
Prohibit access to the Remote Access Preferences item on the Advanced menu Determines whether the Remote Access Preferences item on the Advanced menu in Network Connections folder is enabled. The Remote Access Preferences item lets users create and change connections before logon and configure ...

CCE-34882-1
Prevent press and hold Prevents press and hold actions on hardware buttons, so that only one action is available per button. If you enable this policy, press and hold actions are unavailable, and the button configuration dialog will display the following text: 'Some settings are controlled by Gro ...

CCE-33075-3
Configure use of passwords for removable data drives This policy setting allows you to specify whether smart cards can be used to authenticate user access to BitLocker-protected removable data drives on a computer. If you enable this policy setting smart cards can be used to authenticate user ac ...

CCE-34709-6
Enable client-side targeting Specifies the target group name or names that should be used to receive updates from an intranet Microsoft update service. If the status is set to Enabled, the specified target group information is sent to the intranet Microsoft update service which uses it to determin ...

CCE-33284-1
Use localized subfolder names when redirecting Start Menu and My Documents This policy setting allows the administrator to define whether Folder Redirection should use localized names for the All Programs, Startup, My Music, My Pictures, and My Videos subfolders when redirecting the parent Start Me ...

CCE-33858-2
Monitor file and program activity on your computer This policy setting allows you to configure monitoring for file and program activity. If you enable or do not configure this setting, monitoring for file and program activity will be enabled. If you disable this setting, monitoring for file a ...

CCE-33151-2
Turn off Help and Support Center 'Did you know?' content Specifies whether to show the 'Did you know?' section of Help and Support Center. This content is dynamically updated when users who are connected to the Internet open Help and Support Center, and provides up-to-date information about Window ...

CCE-34553-8
Detect applications unable to launch installers under UAC This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with programs under User Account Control (UAC). If you enable this policy setting, the PCA detects programs that failed to launch child processes ...

CCE-35123-9
Internet Explorer Maintenance This policy setting permits or prohibits the use of this snap-in. If you enable this policy setting, the snap-in is permitted and can be added into the Microsoft Management Console or run from the command line as a standalone console. If you disable this policy ...

CCE-33427-6
Control the location of the log file This policy setting controls the location of the log file. The location of the file must be writable by the Event Log service and should only be accessible to administrators. If you enable this policy setting, the Event Log uses the path specified in this pol ...

CCE-35256-7
Specify expected dial-up delay on logon This policy setting specifies the additional time for the computer to wait for the domain controller's (DC) response when logging on to the network. To specify the expected dial-up delay at logon, click Enabled, and then enter the desired value in seconds ...

CCE-35452-2
Turn off numerical sorting in File Explorer This policy setting allows you to have file names sorted literally (as in Windows 2000 and earlier) rather than in numerical order. If you enable this policy setting, File Explorer will sort file names by each digit in a file name (for example, 111 < 22 ...

CCE-34686-6
Set time (in seconds) to force reboot This policy setting configures the amount of time (in seconds) that the operating system waits to reboot in order to enforce a change in access rights to removable storage devices. If you enable this policy setting, you can set the number of seconds you want ...

CCE-35585-9
Set Remote Desktop Services User Home Directory Specifies whether Remote Desktop Services uses the specified network share or local directory path as the root of the user's home directory for a Remote Desktop Services session. To use this setting, select the location for the home directory (networ ...

CCE-33480-5
Turn On Compatibility HTTPS Listener This policy setting enables or disables an HTTPS listener created for backward compatibility purposes in the Windows Remote Management (WinRM) service. When certain port 443 listeners are migrated to WinRM 2.0, the listener port number chang ...

CCE-34050-5
Turn off access to the solutions to performance problems section This policy setting removes access to the performance center control panel solutions to performance problems. If you enable this policy setting, the solutions and issue section within the performance control panel page are not ...

CCE-35759-0
Tape Drives: Deny read access This policy setting denies read access to the Tape Drive removable storage class. If you enable this policy setting, read access will be denied to this removable storage class. If you disable or do not configure this policy setting, read access will be allowed to thi ...

CCE-33725-3
Prohibit access of the Windows Connect Now wizards This policy setting prohibits access to Windows Connect Now (WCN) wizards. If you enable this policy setting, the wizards are turned off and users have no access to any of the wizard tasks. All the configuration related tasks, including 'Set up ...

CCE-34081-0
Use Remote Desktop Easy Print printer driver first This policy setting allows you to specify whether the Remote Desktop Easy Print printer driver is used first to install all client printers. If you enable or do not configure this policy setting, the RD Session Host server first tries to use the ...

CCE-33582-8
Do not display or track items in Jump Lists from remote locations This policy setting allows you to control displaying or tracking items in Jump Lists from remote locations. The Start Menu and Taskbar display Jump Lists off of programs. These menus include files, folders, websites and other rele ...

CCE-34446-5
Turn off hardware buttons Turns off Tablet PC hardware buttons. If you enable this policy, no actions will occur when the buttons are pressed, and the buttons tab in Tablet PC Control Panel will be removed. If you disable this policy, user and OEM defined button actions will occur when the bu ...

CCE-35728-5
Configure Client BranchCache Version Support This policy setting specifies whether BranchCache-capable client computers operate in a downgraded mode in order to maintain compatibility with previous versions of BranchCache. If client computers do not use the same BranchCache version, cache efficien ...

CCE-35110-6
Do not sync passwords Prevent the 'passwords' group from syncing to and from this PC. This turns off and disables the 'passwords' group on the 'sync your settings' page in PC settings. If you enable this policy setting, the 'passwords' group will not be synced. Use the option 'Allow users to ...

CCE-34028-1
Remove 'Make Available Offline' for these files and folders This policy setting allows you to manage a list of files and folders for which you want to block the 'Make Available Offline' command. If you enable this policy setting, the 'Make Available Offline' command is not available for the file ...

CCE-33921-8
Specify the day of the week to check for definition updates This policy setting allows you to specify the day of the week on which to check for definition updates. The check can also be configured to run every day or to never run at all. This setting can be configured with the following ordinal ...

CCE-35047-0
DirectAccess Passive Mode Specifies whether NCA service runs in Passive Mode or not. Set this to Disabled to keep NCA probing actively all the time. If this setting is not configured, NCA probing is in active mode by default.

CCE-34579-3
Do not allow connections without IPSec If enabled then only those connections that are configured for IPSec may be established. If disabled then connections that are configured for IPSec or connections not configured for IPSec may be established.

CCE-33044-9
Audit system events This policy setting is very important because it allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your en ...

CCE-33360-9
Turn off Configuration Allows you to disable System Restore configuration through System Protection. System Restore enables users, in the event of a problem, to restore their computers to a previous state without losing personal data files. The behavior of this setting depends on the 'Turn off Sys ...

CCE-32981-3
Hide Network Locations icon on desktop Removes the Network Locations icon from the desktop. This setting only affects the desktop icon. It does not prevent users from connecting to the network or browsing for shared computers on the network. Note: In operating systems earlier than Microsoft W ...

CCE-35639-4
Go directly to Components Wizard Prevents users from using Add or Remove Programs to configure installed services. This setting removes the 'Set up services' section of the Add/Remove Windows Components page. The 'Set up services' section lists system services that have not been configured and o ...

CCE-34775-7
Hide previous versions of files on backup location This policy setting lets you hide entries in the list of previous versions of a file in which the previous version is located on backup media. Previous versions can come from the on-disk restore points or the backup media. If you enable this pol ...

CCE-34170-1
Control Event Log behavior when the log file reaches its maximum size This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If y ...

CCE-33493-8
Remove Balloon Tips on Start Menu items Hides pop-up text on the Start menu and in the notification area. When you hold the cursor over an item on the Start menu or in the notification area, the system displays pop-up text providing additional information about the object. If you enable this ...

CCE-33649-5
Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails This policy setting allows you to control the domain controller (DC) location algorithm. By default, the DC location algorithm prefers DNS-based discovery if the DNS domain name is known. If DNS-based d ...

CCE-35243-5
Turn off Windows Calendar Windows Calendar is a feature that allows users to manage appointments and tasks by creating personal calendars, publishing them, and subscribing to other users' calendars. If you enable this setting, Windows Calendar will be turned off. If you disable or do not confi ...

CCE-34313-7
Turn off reminder balloons Hides or displays reminder balloons, and prevents users from changing the setting. Reminder balloons appear above the Offline Files icon in the notification area to notify users when they have lost the connection to a networked file and are working on a local copy of t ...

CCE-34104-0
Do not search communications If you enable this policy the start menu search box will not search for communications. If you disable or do not configure this policy, the start menu will search for communications, unless the user chooses not to in the start menu control panel.

CCE-33240-3
Configure Report Archive This policy setting controls the behavior of the Windows Error Reporting archive. If you enable this policy setting, you can configure Windows Error Reporting archiving behavior. If Archive behavior is set to Store all, all data collected for each error report is stored ...

CCE-35692-3
Specify the Unattended Sleep Timeout (On Battery) Specify the period of inactivity before Windows transitions to sleep automatically when a user is not present at the computer. If you enable this policy setting, you must provide a value, in seconds, indicating how much idle time should elaps ...

CCE-35034-8
Configure RTSP Proxy This policy setting allows you to specify the RTSP proxy settings for Windows Media Player. If you enable this policy setting, select one of the following proxy types: - Autodetect: the proxy settings are automatically detected. - Custom: unique proxy settings are used. ...

CCE-33712-1
Prevent installation of devices not described by other policy settings This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting. If you enable this policy setting, Windows is prevented from installing, or updating the dev ...

CCE-35715-2
Prohibit changes Prevents the user from enabling or disabling Active Desktop or changing the Active Desktop configuration. This is a comprehensive setting that locks down the configuration you establish by using other policies in this folder. This setting removes the Web tab from Display in Cont ...

CCE-33845-9
Turn on definition retirement This policy setting allows you to configure definition retirement for network protection against exploits of known vulnerabilities. Definition retirement checks to see if a computer has the required security updates necessary to protect it against a particular vulnerab ...

CCE-34918-3
Hide 'Programs and Features' page This setting prevents users from accessing 'Programs and Features' to view, uninstall, change, or repair programs that are currently installed on the computer. If this setting is disabled or not configured, 'Programs and Features' will be available to all users. ...

CCE-33516-6
Turn off Connect to a Network Projector This policy setting disables the Connect to a Network Projector wizard so that users cannot connect to a network projector. If you enable this policy setting, users cannot use the Connect to a Network Projector Wizard to connect to a projector. If you ...

CCE-34094-3
Turn off location scripting This policy setting turns off scripting for the location feature. If you enable this policy setting, scripts for the location feature will not run. If you disable or do not configure this policy setting, all location scripts will run.

CCE-33046-4
Audit: Shut down system immediately if unable to log security audits This policy setting determines whether the system shuts down if it is unable to log Security events. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent audit ...

CCE-34908-4
Microsoft network client: Digitally sign communications (if server agrees) This policy setting determines whether the SMB client will attempt to negotiate SMB packet signing. The implementation of digital signing in Windows-based networks helps to prevent sessions from being hijacked. If you enable ...

CCE-34898-7
Interactive logon: Do not display last user name This policy setting determines whether the account name of the last user to log on to the client computers in your organization will be displayed in each computer's respective Windows logon screen. Enable this policy setting to prevent intruders from ...

CCE-35367-2
Network access: Let Everyone permissions apply to anonymous users This policy setting determines what additional permissions are assigned for anonymous connections to the computer. If you enable this policy setting, anonymous Windows users are allowed to perform certain activities, such as enumerat ...

CCE-35430-8
Audit Policy: Privilege Use: Other Privilege Use Events This subcategory is not used.

CCE-35091-8
Specify the maximum log file size (KB) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte incremen ...

CCE-33789-9
Minimum password length This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'pass phrase' is a better term than 'password.' In Mic ...

CCE-34022-4
MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) The registry value entry SafeDllSearchMode was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\ registry key. The entry appears as MSS: (SafeDllSearchMode) Enable Safe DLL searc ...

CCE-33972-1
Allow remote access to the Plug and Play interface This policy setting allows you to allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this p ...

CCE-33776-6
Audit Policy: Policy Change: Filtering Platform Policy Change This subcategory reports the addition and removal of objects from WFP, including startup filters. These events can be very high in volume. Events for this subcategory include: • 4709: IPsec Services was started. • 4710: IPsec Services w ...

CCE-34614-8
MSS: (PerformRouterDiscovery) Allow IRDP to detect and configure Default Gateway addresses (could lead to DoS) The registry value entry PerformRouterDiscovery was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears ...

CCE-34262-6
Turn on Mapper I/O (LLTDIO) driver This policy setting changes the operational behavior of the Mapper I/O network protocol driver. LLTDIO allows a computer to discover the topology of a network it's connected to. It also allows a computer to initiate Quality-of-Service requests such as bandwidth e ...

CCE-35086-8
Prevent Internet Explorer security prompt for Windows Installer scripts This policy setting allows Web-based programs to install software on the computer without notifying the user. If you disable or do not configure this policy setting, by default, when a script hosted by an Internet browser tr ...

CCE-35501-6
Audit Policy: DS Access: Detailed Directory Service Replication This subcategory reports detailed information about the information replicating between domain controllers. These events can be very high in volume. Events for this subcategory include: • 4928: An Active Directory replica source naming ...

CCE-35532-1
Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change This subcategory reports changes in policy rules used by the Microsoft Protection Service (MPSSVC.exe). This service is used by Windows Firewall and by Microsoft OneCare. Events for this subcategory include: • 4944: The following policy w ...

CCE-35469-6
MSS: (KeepAliveTime) How often keep-alive packets are sent in milliseconds The registry value entry KeepAliveTime was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (KeepAliveTime) How often keep-alive ...

CCE-34628-8
Shutdown: Allow system to be shut down without having to log on This policy setting determines whether a computer can be shut down when a user is not logged on. If this policy setting is enabled, the shutdown command is available on the Windows logon screen. Microsoft recommends to disable this pol ...

CCE-35527-1
Audit Policy: System: System Integrity This subcategory reports on violations of integrity of the security subsystem. Events for this subcategory include: • 4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. • 4615: Inval ...

CCE-33817-8
Turn off Search Companion content file updates This policy setting specifies whether Search Companion should automatically download content updates during local and Internet searches.

CCE-35603-0
Audit Policy: Object Access: Filtering Platform Packet Drop This subcategory reports when packets are dropped by Windows Filtering Platform (WFP). These events can be very high in volume. Events for this subcategory include: • 5152: The Windows Filtering Platform blocked a packet. • 5153: A more r ...

CCE-32929-2
Accounts: Limit local account use of blank passwords to console logon only This policy setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If you enable this policy setting, local accounts that have ...

CCE-33608-1
Turn off Data Execution Prevention for Explorer Disabling data execution prevention can allow certain legacy plug-in applications to function without terminating Explorer.

CCE-33063-9
Windows Firewall: Domain: Inbound connections This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection.

CCE-35438-1
MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) The registry value entry AutoAdminLogon was added to the template file in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The entry appears as MSS: (AutoAdminLogon) Enable Automatic Logon (not ...

CCE-35099-1
Interactive logon: Do not require CTRL+ALT+DEL This policy setting determines whether users must press CTRL+ALT+DEL before they log on. If you enable this policy setting, users can log on without this key combination. If you disable this policy setting, users must press CTRL+ALT+DEL before they log ...

CCE-33728-7
Account lockout threshold This policy setting determines the number of failed logon attempts before a lock occurs. Authorized users can lock themselves out of an account by mistyping their password or by remembering it incorrectly, or by changing their password on one computer while logged on to an ...

CCE-34169-3
Control Event Log behavior when the log file reaches its maximum size This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If y ...

CCE-34245-1
Disable Logging If this setting is enabled Windows Error Reporting events will not be logged to the system event log.

CCE-35090-0
Control Event Log behavior when the log file reaches its maximum size This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If y ...

CCE-35366-4
Minimum password age This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this sett ...

CCE-33428-4
Specify the maximum log file size (KB) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte incremen ...

CCE-33481-3
Turn on session logging This policy setting allows you to turn logging on or off. Log files are located in the user's Documents folder under Remote Assistance. If you enable this policy setting, log files will be generated. If you disable this policy setting, log files will not be generated. If ...

CCE-35531-3
Audit Policy: Account Management: Distribution Group Management This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. If you enable this Audit policy ...

CCE-34172-7
Audit Policy: Object Access: File System This subcategory reports when file system objects are accessed. Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. By itself, this policy setting will not cause auditing of ...

CCE-33744-4
Turn Off the Display (On Battery) Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. If you disable this policy or do not config ...

CCE-35499-3
Audit Policy: Account Management: User Account Management This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If you enable this Audit policy se ...

CCE-34986-0
Domain member: Disable machine account password changes This policy setting determines whether a domain member can periodically change its computer account password. If you enable this policy setting, the domain member will be prevented from changing its computer account password. If you disable th ...

CCE-35784-8
Turn off handwriting recognition error reporting Turns off the handwriting recognition error reporting tool. The handwriting recognition error reporting tool enables users to report errors encountered in Tablet PC Input Panel. The tool generates error reports and transmits them to Microsoft over a ...

CCE-32935-9
Audit Policy: Object Access: SAM This subcategory reports when SAM objects are accessed. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for the most recent information about this setting: http://support.microsoft.com/default ...

CCE-33788-1
User Account Control: Run all administrators in Admin Approval Mode This policy setting controls the behavior of all User Account Control (UAC) policy settings for the computer. If you change this policy setting, you must restart your computer. The options are: - Enabled: (Default) Admin Approval ...

CCE-35500-8
Audit Policy: Detailed Tracking: RPC Events This subcategory reports remote procedure call (RPC) connection events. Events for this subcategory include: • 5712: A Remote Procedure Call (RPC) was attempted. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vist ...

CCE-35108-0
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services ...

CCE-34506-6
Do not allow passwords to be saved This policy setting helps prevent Terminal Services clients from saving passwords on a computer. Note: If this policy setting was previously configured as Disabled or Not configured, any previously saved passwords will be deleted the first time a Terminal Service ...

CCE-34141-2
Turn off Windows Update device driver searching This policy setting specifies whether Windows will search Windows Update for device drivers when no local drivers for a device are present. Note: See also Turn off Windows Update device driver search prompt in Administrative Templates/System, which ...

CCE-35411-8
Network Security: Allow PKU2U authentication requests to this computer to use online identities Windows 7 and Windows Server 2008 R2 introduce an extension to the Negotiate authentication package, Spnego.dll. In previous versions of Windows, Negotiate decides whether to use Kerberos or NTLM for aut ...

CCE-35228-6
Recovery console: Allow automatic administrative logon The recovery console is a command-line environment that is used to recover from system problems. If you enable this policy setting, the administrator account is automatically logged on to the recovery console when it is invoked during startup.

CCE-35406-8
MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning The registry value entry WarningLevel was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ registry key. The entry appears as MSS ...

CCE-35602-2
Audit Policy: Object Access: Application Generated This subcategory reports when applications attempt to generate audit events by using the Windows auditing application programming interfaces (APIs). Events for this subcategory include: • 4665: An attempt was made to create an application client co ...

CCE-33816-0
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) The registry value entry DisableIPSourceRouting was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (D ...

CCE-35370-6
Store passwords using reversible encryption This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords th ...

CCE-35526-3
Audit Policy: System: Security System Extension This subcategory reports the loading of extension code such as authentication packages by the security subsystem. Events for this subcategory include: • 4610: An authentication package has been loaded by the Local Security Authority. • 4611: A truste ...

CCE-35561-0
Route all traffic through the internal network This policy setting determines whether a remote client computer routes Internet traffic through the internal network or whether the client accesses the Internet directly. When a remote client computer connects to an internal network using DirectAcces ...

CCE-35232-8
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) This policy setting determines the strength of the default discretionary access control list (DACL) for objects. The setting helps secure objects that can be located and shared among processes and its de ...

CCE-35508-1
Audit Policy: Logon-Logoff: Logon This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, ...

CCE-35498-5
Audit Policy: Account Management: Security Group Management This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. If you enable this Audit policy setting, adminis ...

CCE-33064-7
Windows Firewall: Private: Apply local connection security rules This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy.

CCE-34631-2
Network access: Do not allow anonymous enumeration of SAM accounts This policy setting controls the ability of anonymous users to enumerate the accounts in the Security Accounts Manager (SAM). If you enable this policy setting, users with anonymous connections cannot enumerate domain account user n ...

CCE-33153-8
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com Specifies whether the Internet Connection Wizard can connect to Microsoft to download a list of Internet Service Providers (ISPs). If you enable this setting, the 'Choose a list of Internet Service Providers' path ...

CCE-35116-3
Windows Firewall: Public: Logging: Log dropped packets Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

CCE-33734-5
Windows Firewall: Public: Logging: Log successful connections Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

CCE-34874-8
Prevent Automatic Updates Prevents users from being prompted to update Windows Media Player. This policy prevents the Player from being updated and prevents users with administrator rights from being prompted to update the Player if an updated version is available. The Check for Player Updates com ...

CCE-35698-0
Audit Policy: Policy Change: Other Policy Change Events This subcategory reports other types of security policy changes such as configuration of the Trusted Platform Module (TPM) or cryptographic providers. Events for this subcategory include: • 4909: The local policy settings for the TBS were chan ...

CCE-35641-0
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing This policy setting determines whether the Transport Layer Security/Secure Sockets Layer (TLS/SSL) Security Provider supports only the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher suite. Although this policy setting inc ...

CCE-32936-7
Audit Policy: System: Other System Events This subcategory reports on other system events. Events for this subcategory include: • 5024: The Windows Firewall Service has started successfully. • 5025: The Windows Firewall Service has been stopped. • 5027: The Windows Firewall Service was unable ...

CCE-33168-6
Screen saver timeout If the Screen Saver Timeout setting is enabled, then the screen saver will be launched when the specified amount of time has passed since the last user action. Valid values range from 1 to 89,400 seconds (24 hours). The setting has no effect if the wait time is set to zero or n ...

CCE-35080-1
Do not send a Windows error report when a generic driver is installed on a device This policy setting allows you to specify whether to send a Windows error report when a generic driver is installed on a device. If you enable this policy setting, a Windows error report is not sent when a generic dr ...

CCE-34491-1
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box This policy setting allows you to manage whether the 'Install Updates and Shut Down' option is allowed to be the default choice in the Shut Down Windows dialog. Note that this policy setting has no impac ...

CCE-34527-2
Do not send additional data If this setting is enabled any additional data requests from Microsoft in response to a Windows Error Reporting event will be automatically declined without notice to the user.

CCE-35391-2
Restrict Unauthenticated RPC clients This policy setting controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers. This policy setting impacts all RPC applications. In a domain environment this policy setting should be used with caution as it can impact ...

CCE-35338-3
User Account Control: Admin Approval Mode for the Built-in Administrator account This policy setting controls the behavior of Admin Approval Mode for the built-in Administrator account. The options are: - Enabled: The built-in Administrator account uses Admin Approval Mode. By default, any operat ...

CCE-34723-7
Network access: Do not allow anonymous enumeration of SAM accounts and shares This policy setting controls the ability of anonymous users to enumerate SAM accounts as well as shares. If you enable this policy setting, anonymous users will not be able to enumerate domain account user names and netwo ...

CCE-33070-4
Windows Firewall: Public: Outbound connections This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important: If you set Outbound connecti ...

CCE-35521-4
Audit Policy: Policy Change: Audit Policy Change This subcategory reports changes in audit policy including SACL changes. Events for this subcategory include: • 4715: The audit policy (SACL) on an object was changed. • 4719: System audit policy was changed. • 4902: The Per-user audit policy table ...

CCE-35401-9
User Account Control: Only elevate UIAccess applications that are installed in secure locations This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations ...

CCE-35458-9
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop This policy setting controls whether User Interface Accessibility (UIAccess or UIA) programs can automatically disable the secure desktop for elevation prompts used by a standard user. - Enab ...

CCE-35182-5
Microsoft network server: Digitally sign communications (if client agrees) This policy setting determines if the server side SMB service is able to sign SMB packets if it is requested to do so by a client that attempts to establish a connection. If no signing request comes from the client, a connec ...

CCE-35493-6
Audit object access Earlier security GPOs from Microsoft include settings that configure the audit categories in previous versions of Windows. These earlier GPOs do not apply to computers running Windows Vista. The GPOs intended for use in enterprise environments have been designed to work with Win ...

CCE-34354-1
Audit Policy: Object Access: Registry This subcategory reports when registry objects are accessed. Only registry objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. By itself, this policy setting will not cause auditing of any even ...

CCE-35177-5
Domain member: Require strong (Windows 2000 or later) session key When this policy setting is enabled, a secure channel can only be established with domain controllers that are capable of encrypting secure channel data with a strong (128-bit) session key. To enable this policy setting, all domain c ...

CCE-35516-4
Audit Policy: Object Access: Handle Manipulation This subcategory reports when a handle to an object is opened or closed. Only objects with SACLs cause these events to be generated, and only if the attempted handle operation matches the SACL. Handle Manipulation events are only generated for object ...

CCE-33783-2
Turn off printing over HTTP This policy setting allows you to disable the client computer's ability to print over HTTP, which allows the computer to print to printers on the intranet as well as the Internet.

CCE-33717-0
Microsoft network client: Send unencrypted password to third-party SMB servers Disable this policy setting to prevent the SMB redirector from sending plaintext passwords during authentication to third-party SMB servers that do not support password encryption. Microsoft recommends that you disable t ...

CCE-34902-7
Interactive logon: Require Domain Controller authentication to unlock workstation Logon information is required to unlock a locked computer. For domain accounts, the Interactive logon: Require Domain Controller authentication to unlock workstation setting determines whether it is necessary to conta ...

CCE-35503-2
Audit Policy: DS Access: Directory Service Replication This subcategory reports when replication between two domain controllers begins and ends. Events for this subcategory include: • 4932: Synchronization of a replica of an Active Directory naming context has begun. • 4933: Synchronization of a re ...

CCE-33957-2
Turn off the Windows Messenger Customer Experience Improvement Program This policy setting specifies whether Windows Messenger can collect anonymous information about how the Windows Messenger software and service is used.

CCE-35595-8
Set time limit for active but idle Remote Desktop Services sessions This policy setting allows you to specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before it is automatically disconnected. If you enable this policy setting, you m ...

CCE-35399-5
Audit Policy: Object Access: File Share This subcategory reports when a file share is accessed. By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user who accesses a file share object that has a specified system access control list ( ...

CCE-33065-4
Windows Firewall: Private: Display a notification Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft reco ...

CCE-33208-0
Turn off Microsoft Peer-to-Peer Networking Services This setting turns off Microsoft Peer-to-Peer Networking Services in its entirety, and will cause all dependent applications to stop working. Peer-to-Peer protocols allow for applications in the areas of RTC, collaboration, content distribution a ...

CCE-35222-9
Microsoft network client: Digitally sign communications (always) This policy setting determines whether packet signing is required by the SMB client component. If you enable this policy setting, the Microsoft network client computer cannot communicate with a Microsoft network server unless that ser ...

CCE-34073-7
Turn on Responder (RSPNDR) driver This policy setting changes the operational behavior of the Responder network protocol driver. The Responder allows a computer to participate in Link Layer Topology Discovery requests so that it can be discovered and located on the network. It also allows a comput ...

CCE-33141-3
Network security: Allow Local System to use computer identity for NTLM When enabled, this policy setting causes Local System services that use Negotiate to use the computer identity when NTLM authentication is selected by the negotiation. This policy is supported on at least Windows 7 or Windows Se ...

CCE-35462-1
Require a Password When a Computer Wakes (Plugged In) Specifies whether or not the user is prompted for a password when the system resumes from sleep.

CCE-33143-9
Turn off Internet download for Web publishing and online ordering wizards This policy setting controls whether Windows will download a list of providers for the Web publishing and online ordering wizards.

CCE-34909-2
Microsoft network server: Amount of idle time required before suspending session This policy setting allows you to specify the amount of continuous idle time that must pass in an SMB session before the session is suspended because of inactivity. Administrators can use this policy setting to control ...

CCE-33777-4
Password must meet complexity requirements This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords. When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's ...

CCE-33169-4
Allow Standby States (S1-S3) When Sleeping (On Battery) Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a compute ...

CCE-35431-6
Allow user control over installs This policy setting permits users to change installation options that typically are available only to system administrators. If you enable this policy setting, some of the security features of Windows Installer are bypassed. It permits installations to complete t ...

CCE-34988-6
Interactive logon: Smart card removal behavior This policy setting determines what happens when the smart card for a logged-on user is removed from the smart card reader.

CCE-33764-2
Turn off shell protocol protected mode This policy setting allows you to configure the amount of functionality that the shell protocol can have. When using the full functionality of this protocol, applications can open folders and launch files. The protected mode reduces the functionality of this p ...

CCE-33960-6
Always prompt for password upon connection This policy setting specifies whether Terminal Services always prompts the client computer for a password upon connection. You can use this policy setting to enforce a password prompt for users who log on to Terminal Services, even if they already provided ...

CCE-35400-1
Always install with elevated privileges Directs Windows Installer to use system permissions when it installs any program on the system. This setting extends elevated privileges to all programs. These privileges are usually reserved for programs that have been assigned to the user (offered on the d ...

CCE-35194-0
Enumerate administrator accounts on elevation By default, all administrator accounts are displayed when you attempt to elevate a running application.

CCE-34130-5
Allow Standby States (S1-S3) When Sleeping (Plugged In) Dictates whether or not Windows is allowed to use standby states when sleeping the computer. When this policy is enabled, Windows may use standby states to sleep the computer. If this policy is disabled, the only sleep state a compute ...

CCE-35533-9
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings This policy setting allows administrators to enable the more precise auditing capabilities present in Windows Vista. The Audit Policy settings available in Windows Server 2003 Active ...

CCE-35008-2
System objects: Require case insensitivity for non-Windows subsystems This policy setting determines whether case insensitivity is enforced for all subsystems. The Microsoft Win32 subsystem is case insensitive. However, the kernel supports case sensitivity for other subsystems, such as the Portabl ...

CCE-33410-2
Audit Policy: Account Management: Computer Account Management This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. Events for this subcategory include: • 4741: A computer account was created. ...

CCE-35515-6
Audit Policy: Object Access: Filtering Platform Connection This subcategory reports when connections are allowed or blocked by WFP. These events can be high in volume. Events for this subcategory include: • 5031: The Windows Firewall Service blocked an application from accepting incoming connection ...

CCE-35319-3
Enable indexing uncached Exchange folders Enabling this policy allows indexing of mail items on a Microsoft Exchange server when Microsoft Outlook is not running in cached mode. The default behavior for search is to not index uncached Exchange folders. Disabling this policy will block any indexing ...

CCE-35252-6
Windows Firewall: Domain: Logging: Log dropped packets Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

CCE-33729-5
Control Event Log behavior when the log file reaches its maximum size This policy setting controls Event Log behavior when the log file reaches its maximum size. If you enable this policy setting and a log file reaches its maximum size, new events are not written to the log and are lost. If y ...

CCE-33160-3
Windows Firewall: Domain: Firewall state Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rule ...

CCE-34901-9
Interactive logon: Number of previous logons to cache (in case domain controller is not available) This policy setting determines whether a user can log on to a Windows domain using cached account information. Logon information for domain accounts can be cached locally to allow users to log on even ...

CCE-35306-0
Windows Firewall: Domain: Logging: Log successful connections Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

CCE-33107-4
Prohibit installation and configuration of Network Bridge on your DNS domain network Determines whether a user can install and configure the Network Bridge. Important: This setting is location-aware. It only applies when a computer is connected to the same DNS domain network it was connected to w ...

CCE-34705-4
Do not process the run once list This policy setting causes the run once list, which is the list of programs that Windows Vista runs automatically when it starts, to be ignored. This policy setting differs from the Do not process the legacy run list setting in that programs on this list will run on ...

CCE-33782-4
Require a Password When a Computer Wakes (On Battery) Specifies whether or not the user is prompted for a password when the system resumes from sleep.

CCE-33040-7
Audit Policy: Detailed Tracking: Process Creation This subcategory reports the creation of a process and the name of the program or user that created it. Events for this subcategory include: - 4688: A new process has been created. - 4696: A primary token was assigned to process. Refer to the Micros ...

CCE-35502-4
Audit Policy: DS Access: Directory Service Changes This subcategory reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate ...

CCE-34771-6
Set the default behavior for AutoRun This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing ...

CCE-33436-7
Windows Firewall: Private: Logging: Log dropped packets Use this option to log when Windows Firewall with Advanced Security discards an inbound packet for any reason. The log records why and when the packet was dropped. Look for entries with the word DROP in the action column of the log.

CCE-35439-9
Configure Microsoft Active Protection Service Reporting This policy setting allows you to configure membership in Microsoft Active Protection Service. Microsoft Active Protection Service is the online community that helps you choose how to respond to potential threats. The community also helps s ...

CCE-34651-0
Network access: Shares that can be accessed anonymously This policy setting determines which network shares can be accessed by anonymous users. The default configuration for this policy setting has little effect because all users have to be authenticated before they can access shared resources on t ...

CCE-34531-4
Do not use temporary folders per session This policy setting allows you to prevent Remote Desktop Services from creating session-specific temporary folders. You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Remo ...

CCE-34993-6
Network security: Force logoff when logon hours expire This policy setting, which determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours, affects the SMB component. If you enable this policy setting, client sessions with the SMB ...

CCE-33066-2
Windows Firewall: Private: Firewall state Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rul ...

CCE-33976-2
Network access: Remotely accessible registry paths This policy setting determines which registry paths will be accessible after referencing the WinReg key to determine access permissions to the paths. Note: This setting does not exist in Windows XP. There was a setting with that name in Windows XP, ...

CCE-35421-7
Windows Firewall: Public: Logging: Size limit (KB) Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

CCE-35225-2
Network security: Do not store LAN Manager hash value on next password change This policy setting determines whether the LAN Manager (LM) hash value for the new password is stored when the password is changed. The LM hash is relatively weak and prone to attack compared to the cryptographically stro ...

CCE-35554-5
Require domain users to elevate when setting a network's location This policy setting determines whether to require domain users to elevate when setting a network's location. If you enable this policy setting, domain users must elevate when setting a network's location. If you disable or do not c ...

CCE-33068-8
Windows Firewall: Public: Display a notification Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recom ...

CCE-34876-3
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. ...

CCE-34623-9
MSS: (TcpMaxDataRetransmissions) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) The registry value entry TCPMaxDataRetransmissions was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry ...

CCE-34177-6
Windows Firewall: Private: Logging: Log successful connections Use this option to log when Windows Firewall with Advanced Security allows an inbound connection. The log records why and when the connection was formed. Look for entries with the word ALLOW in the action column of the log.

CCE-35523-0
Audit Policy: Privilege Use: Non Sensitive Privilege Use This subcategory reports when a user account or service uses a non-sensitive privilege. A non-sensitive privilege includes the following user rights: Access Credential Manager as a trusted caller, Access this computer from the network, Add w ...

CCE-34965-4
Network access: Named Pipes that can be accessed anonymously This policy setting determines which communication sessions, or pipes, will have attributes and permissions that allow anonymous access. Note: When you configure this setting you specify a list of one or more objects. The delimiter used w ...

CCE-35763-2
Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS) This policy setting allows users who are connected to the Internet to access and search troubleshooting content t ...

CCE-33037-3
Audit Policy: Account Logon: Other Account Logon Events This subcategory reports the events that occur in response to credentials submitted for a user account logon request that do not relate to credential validation or Kerberos tickets. These events occur on the computer that is authoritative for ...

CCE-33246-0
Turn off the 'Publish to Web' task for files and folders This policy setting specifies whether the tasks Publish this file to the Web, Publish this folder to the Web, and Publish the selected items to the Web are available from File and Folder Tasks in Windows folders.

CCE-33090-2
Audit Policy: Logon-Logoff: IPsec Extended Mode This subcategory reports the results of AuthIP during Extended Mode negotiations. Events for this subcategory include: - 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate ...

CCE-35171-8
Prevent device metadata retrieval from the Internet This policy setting allows you to prevent Windows from retrieving device metadata from the Internet. If you enable this policy setting, Windows does not retrieve device metadata for installed devices from the Internet. This policy setti ...

CCE-35447-2
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients This policy setting determines which behaviors are allowed for applications using the NTLM Security Support Provider (SSP). The SSP Interface (SSPI) is used by applications that need authentication services ...

CCE-35510-7
Audit Policy: Logon-Logoff: Other Logon/Logoff Events This subcategory reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. Events for this subcategor ...

CCE-33785-7
User Account Control: Behavior of the elevation prompt for standard users This policy setting controls the behavior of the elevation prompt for standard users. The options are: - Prompt for credentials: When an operation requires elevation of privilege, the user is prompted to enter an administra ...

CCE-35429-0
User Account Control: Detect application installations and prompt for elevation This policy setting controls the behavior of application installation detection for the computer. The options are: - Enabled: (Default for home) When an application installation package is detected that requires eleva ...

CCE-33719-6
Network access: Sharing and security model for local accounts This policy setting determines how network logons that use local accounts are authenticated. The Classic option allows precise control over access to resources, including the ability to assign different types of access to different users ...

CCE-33215-5
Set 6to4 State This policy setting allows you to configure 6to4, an address assignment and router-to-router automatic tunneling technology that is used to provide unicast IPv6 connectivity between IPv6 sites and hosts across the IPv4 Internet. 6to4 uses the global address prefix: 2002:WWXX:YYZZ::/4 ...

CCE-35505-7
Audit Policy: Logon-Logoff: IPsec Main Mode This subcategory reports the results of Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. Events for this subcategory include: - 4646: IKE DoS-prevention mode started. - 4650: An IPsec Main Mo ...

CCE-34356-6
Windows Firewall: Private: Logging: Size limit (KB) Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

CCE-35701-2
Windows Firewall: Domain: Apply local connection security rules This setting controls whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy.

CCE-33563-8
Network access: Restrict anonymous access to Named Pipes and Shares When enabled, this policy setting restricts anonymous access to only those shares and pipes that are named in the Network access: Named pipes that can be accessed anonymously and Network access: Shares that can be accessed anonymou ...

CCE-35536-2
Windows Firewall: Private: Allow unicast response This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages.

CCE-34619-7
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) The registry value entry ScreenSaverGracePeriod was added to the template file in the HKEY_LOCAL_MACHINE\SYSTEM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ registry key. The en ...

CCE-33161-1
Windows Firewall: Private: Inbound connections This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection.

CCE-33437-5
Windows Firewall: Private: Logging: Name Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

CCE-33813-7
No auto-restart with logged on users for scheduled automatic updates installations This policy setting specifies that Automatic Updates will wait for computers to be restarted by the users who are logged on to them to complete a scheduled installation. If you enable the No auto-restart for schedule ...

CCE-32938-3
Password protect the screen saver If the Password protect the screen saver setting is enabled, then all screen savers are password protected; if it is disabled, then password protection cannot be set on any screen saver.

CCE-33790-7
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) This entry appears as MSS: (DisableIPSourceRouting) IPv6 source routing protection level (protects against packet spoofing) in the SCE. IP source routing is a mechanism that allows the sender to ...

CCE-33098-5
Windows Firewall: Domain: Outbound connections This setting determines the behavior for outbound connections that do not match an outbound firewall rule. In Windows Vista, the default behavior is to allow connections unless there are firewall rules that block the connection.

CCE-34894-6
Domain member: Maximum machine account password age This policy setting determines the maximum allowable age for a computer account password. By default, domain members automatically change their domain passwords every 30 days. If you increase this interval significantly or set it to 0 so that the ...

CCE-33041-5
Audit Policy: DS Access: Directory Service Access This subcategory reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access even ...

CCE-35331-8
Configure Solicited Remote Assistance This policy setting allows you to turn on or turn off Solicited (Ask for) Remote Assistance on this computer. If you enable this policy setting, users on this computer can use email or file transfer to ask someone for help. Also, users can use instant messag ...

CCE-33067-0
Windows Firewall: Public: Allow unicast response This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages.

CCE-35518-0
Audit Policy: Object Access: Other Object Access Events This subcategory reports other object access-related events such as Task Scheduler jobs and COM+ objects. Events for this subcategory include: - 4671: An application attempted to access a blocked ordinal through the TBS. - 4691: Indirect acce ...

CCE-35300-3
Network access: Remotely accessible registry paths and sub-paths This policy setting determines which registry paths and sub-paths will be accessible when an application or process references the WinReg key to determine access permissions. Note: In Windows XP this setting is called 'Network access: ...

CCE-32957-3
Prohibit non-administrators from applying vendor signed updates This setting controls the ability of non-administrators to install updates that have been digitally signed by the application vendor. Non-administrator updates provide a mechanism for the author of an application to create digitally s ...

CCE-33069-6
Windows Firewall: Public: Inbound connections This setting determines the behavior for inbound connections that do not match an inbound firewall rule. The default behavior is to block connections unless there are firewall rules to allow the connection.

CCE-33975-4
Specify the maximum log file size (KB) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte incremen ...

CCE-33513-3
Always use classic logon This setting forces the user to log on to the computer using the classic logon screen. By default, a workgroup is set to use the simple logon screen. This setting only works when the computer is not on a domain.

CCE-34622-1
MSS: (TcpMaxDataRetransmissions IPv6) How many times unacknowledged data is retransmitted (3 recommended, 5 is default) The registry value entry TCPMaxDataRetransmissions for IPv6 was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\ registry ...

CCE-33012-6
Report when logon server was not available during user logon This policy controls whether the logged on user should be notified if the logon server could not be contacted during logon and he has been logged on using previously stored account information. If enabled, a notification popup will be di ...

CCE-33091-0
Audit Policy: Policy Change: Authentication Policy Change This subcategory reports changes in authentication policy. Events for this subcategory include: - 4706: A new trust was created to a domain. - 4707: A trust to a domain was removed. - 4713: Kerberos policy was changed. - 4716: Trusted doma ...

CCE-35459-7
User Account Control: Virtualize file and registry write failures to per-user locations This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-ti ...

CCE-34176-8
Windows Firewall: Domain: Logging: Name Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

CCE-35392-0
Enable RPC Endpoint Mapper Client Authentication This policy setting controls whether RPC clients authenticate with the Endpoint Mapper Service when the call they are making contains authentication information. The Endpoint Mapper Service on computers running Windows NT4 (all service packs) canno ...

CCE-33740-2
Allow Remote Shell Access This policy setting allows you to manage configuration of remote access to all supported shells to execute scripts and commands.

CCE-35117-1
Windows Firewall: Public: Logging: Name Use this option to specify the path and name of the file in which Windows Firewall will write its log information.

CCE-35361-5
Prevent Windows from sending an error report when a device driver requests additional software during installation This policy allows you to prevent Windows from sending an error report when a device driver requests additional software during installation. If you enable this policy setting, Window ...

CCE-33784-0
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode This policy setting controls the behavior of the elevation prompt for administrators. The options are: - Elevate without prompting: Allows privileged accounts to perform an operation that requires ele ...

CCE-35504-0
Audit Policy: Logon-Logoff: Account Lockout This subcategory reports when a user's account is locked out as a result of too many failed logon attempts. Events for this subcategory include: - 4625: An account failed to log on. Refer to the Microsoft Knowledgebase article "Description of security ev ...

CCE-35494-4
Audit Policy: Account Logon: Credential Validation This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authorit ...

CCE-33060-5
Windows Firewall: Domain: Allow unicast response This option is useful if you need to control whether this computer receives unicast responses to its outgoing multicast or broadcast messages.

CCE-33718-8
Network access: Do not allow storage of passwords and credentials for network authentication This policy setting determines whether the Stored User Names and Passwords feature may save passwords or credentials for later use when it gains domain authentication. If you enable this policy setting, the ...

CCE-33216-3
Turn off Registration if URL connection is referring to Microsoft.com Specifies whether the Windows Registration Wizard connects to Microsoft.com for online registration. If you enable this setting, it blocks users from connecting to Microsoft.com for online registration and users cannot register ...

CCE-35219-5
Enforce password history This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwor ...

CCE-34355-8
Devices: Allowed to format and eject removable media This policy setting determines who is allowed to format and eject removable media. You can use this policy setting to prevent unauthorized users from removing data on one computer to access it on another computer on which they have local administ ...

CCE-33073-8
Configure minimum PIN length for startup This policy setting allows you to configure a minimum length for a Trusted Platform Module (TPM) startup PIN. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 2 ...

CCE-34697-3
Do not allow drive redirection This policy setting prevents users from sharing the local drives on their client computers to Terminal Servers that they access. Mapped drives appear in the session folder tree in Windows Explorer in the following format: \\TSClient\<driveletter>$ If local drives are ...

CCE-33162-9
Windows Firewall: Private: Outbound connections This setting determines the behavior for outbound connections that do not match an outbound firewall rule. The default behavior is to allow connections unless there are firewall rules that block the connection. Important: If you set Outbound connect ...

CCE-35606-3
Prohibit Access of the Windows Connect Now wizards This policy setting prohibits access to Windows Connect Now (WCN) wizards. If this policy setting is enabled, the wizards are disabled and users will have no access to any of the wizard tasks. All the configuration related tasks, including "Set up ...

CCE-34893-8
Domain member: Digitally sign secure channel data (when possible) This policy setting determines whether a domain member should attempt to negotiate whether all secure channel traffic that it initiates must be digitally signed. Digital signatures protect the traffic from being modified by anyone wh ...

CCE-33042-3
Audit Policy: Policy Change: Authorization Policy Change This subcategory reports changes in authorization policy including permissions (DACL) changes. Events for this subcategory include: - 4704: A user right was assigned. - 4705: A user right was removed. - 4706: A new trust was created to a do ...

CCE-34061-2
Turn off the 'Order Prints' picture task Specifies whether the 'Order Prints Online' task is available from Picture Tasks in Windows folders. The 'Order Prints Online' Wizard is used to download a list of providers and allow users to order prints online. If you enable this setting, the task 'Orde ...

CCE-35517-2
Audit Policy: Object Access: Kernel Object This subcategory reports when kernel objects such as processes and mutexes are accessed. Only kernel objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. Typically kernel objects are only g ...

CCE-34520-7
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box This policy setting allows you to manage whether the Install Updates and Shut Down option is displayed in the Shut Down Windows dialog box. This policy setting works in conjunction with the following Do not adjust ...

CCE-34776-5
Prevent the computer from joining a homegroup By default, users can add their computer to a homegroup on a home network. If you enable this policy setting, a user on this computer will not be able to add this computer to a homegroup. This setting does not affect other network sharing features. I ...

CCE-35530-5
Audit policy change This policy setting determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker att ...

CCE-32945-8
Turn off handwriting personalization data sharing Turns off data sharing from the handwriting recognition personalization tool. The handwriting recognition personalization tool enables Tablet PC users to adapt handwriting recognition to their own writing style by providing writing samples. ...

CCE-34972-0
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with Support Provider Microsoft Support Diagnostic Tool (MSDT) gathers diagnostic data for analysis by support professionals. If you leave this policy setting enabled, users will be able to use MSDT to collect and send diagn ...

CCE-35410-0
Network security: Allow LocalSystem NULL session fallback Allow NTLM to fall back to NULL session when used with LocalSystem. The default is TRUE up to Windows Vista and FALSE in Windows 7.

CCE-35770-7
Turn off Automatic Root Certificates Update Specifies whether to automatically update root certificates using the Windows Update Web site. Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transac ...

CCE-35005-8
Shutdown: Clear virtual memory pagefile This policy setting determines whether the virtual memory pagefile is cleared when the system is shut down. When this policy setting is enabled, the system pagefile is cleared each time that the system shuts down properly. If you enable this security setting, ...

CCE-32932-6
Audit Policy: Account Management: Application Group Management This subcategory reports each event of application group management on a computer, such as when an application group is created, changed, or deleted or when a member is added to or removed from an application group. If you enable this A ...

CCE-33039-9
Audit Policy: Detailed Tracking: DPAPI Activity This subcategory reports encrypt or decrypt calls into the data protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. Events for this subcategory include: - 4692: Backup of ...

CCE-34911-8
Microsoft network server: Disconnect clients when logon hours expire This policy setting determines whether to disconnect users who are connected to the local computer outside their user account's valid logon hours. It affects the SMB component. If you enable this policy setting, client sessions wi ...

CCE-33061-3
Windows Firewall: Domain: Apply local firewall rules This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

CCE-33204-9
Turn off Internet File Association service Specifies whether to use the Microsoft Web service for finding an application to open a file with an unhandled file association. When a user opens a file that has an extension that is not associated with any applications on the machine, the user is given ...

CCE-33815-2
User Account Control: Switch to the secure desktop when prompting for elevation This policy setting controls whether the elevation request prompt is displayed on the interactive user's desktop or the secure desktop. The options are: - Enabled: (Default) All elevation requests go to the secure des ...

CCE-35525-5
Audit Policy: System: IPsec Driver This subcategory reports on the activities of the Internet Protocol security (IPsec) driver. Events for this subcategory include: - 4960: IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or ...

CCE-35405-0
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers The registry value entry NoNameReleaseOnDemand was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters\ registry key. The entry appea ...

CCE-33792-3
MSS: (NoDefaultExempt) Configure IPSec exemptions for various types of network traffic. The registry value entry NoDefaultExempt was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSEC\ registry key. The entry appears as MSS: (NoDefaultExempt) Configure IPSe ...

CCE-35601-4
Audit Policy: Detailed Tracking: Process Termination This subcategory reports when a process terminates. Events for this subcategory include: - 4689: A process has exited. Refer to the Microsoft Knowledgebase article "Description of security events in Windows Vista and in Windows Server 2008" for t ...

CCE-35497-7
Audit Policy: Account Management: Other Account Management Events This subcategory reports other account management events. Events for this subcategory include: - 4782: The password hash an account was accessed. - 4793: The Password Policy Checking API was called. Refer to the Microsoft Knowledgeba ...

CCE-35703-8
Windows Firewall: Public: Firewall state Select On (recommended) to have Windows Firewall with Advanced Security use the settings for this profile to filter network traffic. If you select Off, Windows Firewall with Advanced Security will not use any of the firewall rules or connection security rule ...

CCE-33802-0
Network security: LDAP client signing requirements This policy setting determines the level of data signing that is requested on behalf of clients that issue LDAP BIND requests, as follows: - None. The LDAP BIND request is issued with the caller-specified options. - Negotiate signing. If Transport ...

CCE-35288-0
Specify the maximum log file size (KB) This policy setting specifies the maximum size of the log file in kilobytes. If you enable this policy setting, you can configure the maximum log file size to be between 1 megabyte (1024 kilobytes) and 2 terabytes (2147483647 kilobytes) in kilobyte incremen ...

CCE-33043-1
Audit Policy: System: Security State Change This subcategory reports changes in security state of the system, such as when the security subsystem starts and stops. Events for this subcategory include: - 4608: Windows is starting up. - 4609: Windows is shutting down. - 4616: The system time was ch ...

CCE-35507-3
Audit Policy: Logon-Logoff: Logoff This subcategory reports when a user logs off from the system. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these ...

CCE-35599-0
Set time limit for disconnected sessions This policy setting allows you to configure a time limit for disconnected Remote Desktop Services sessions. You can use this policy setting to specify the maximum amount of time that a disconnected session is kept active on the server. By default, Remote De ...

CCE-35083-5
Windows Firewall: Domain: Logging: Size limit (KB) Use this option to specify the size limit of the file in which Windows Firewall will write its log information.

CCE-32933-4
Audit Policy: Object Access: Certification Services This subcategory reports when Certification Services operations are performed. Events for this subcategory include: - 4868: The certificate manager denied a pending certificate request. - 4869: Certificate Services received a resubmitted certific ...

CCE-34757-5
Recovery console: Allow floppy copy and access to all drives and all folders This policy setting makes the Recovery Console SET command available, which allows you to set the following recovery console environment variables: - AllowWildCards. Enables wildcard support for some commands (such as the ...

CCE-35448-0
Turn Off the Display (Plugged In) Specifies the period of inactivity before Windows turns off the display. If you enable this policy, you must provide a value, in seconds, indicating how much idle time should elapse before Windows turns off the display. If you disable this policy or do not config ...

CCE-35511-5
Audit Policy: Logon-Logoff: Special Logon This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. Events for this subcategory include: - 4964: Special groups have been ass ...

CCE-33027-4
Reschedule Automatic Updates scheduled installations This policy setting determines the amount of time before previously scheduled Automatic Update installations will proceed after system startup. If you configure this policy setting to Enabled, a previously scheduled installation will begin after ...

CCE-35524-8
Audit Policy: Privilege Use: Sensitive Privilege Use This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directories, Create a token object, Debug progra ...

CCE-33093-6
Audit: Audit the access of global system objects This policy setting creates a default system access control list (SACL) for system objects such as mutexes (mutual exclusive), events, semaphores, and MS-DOS devices, and causes access to these system objects to be audited. If the Audit: Audit the ac ...

CCE-35302-9
Network security: LAN Manager authentication level LAN Manager (LM) is a family of early Microsoft client/server software that allows users to link personal computers together on a single network. Network capabilities include transparent file and print sharing, user security features, and network a ...

CCE-33786-5
User Account Control: Only elevate executables that are signed and validated This policy setting enforces public key infrastructure (PKI) signature checks for any interactive applications that request elevation of privilege. Enterprise administrators can control which applications are allowed to ru ...

CCE-35274-0
Interactive logon: Prompt user to change password before expiration This policy setting determines how far in advance users are warned that their password will expire. Microsoft recommends that you configure this policy setting to 14 days to sufficiently warn users when their passwords will expire.

CCE-33814-5
MSS: (Hidden) Hide Computer From the Browse List (not recommended except for highly secure environments) The registry value entry Hidden was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Lanmanserver\Parameters\ registry key. The entry appears as MSS: (Hidde ...

CCE-35537-0
Windows Firewall: Public: Apply local firewall rules This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

CCE-34597-5
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes The registry value entry EnableICMPRedirect was added to the template file in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\ registry key. The entry appears as MSS: (EnableICMPRedirect) Allo ...

CCE-35065-2
Microsoft network server: Digitally sign communications (always) This policy setting determines if the server side SMB service is required to perform SMB packet signing. Enable this policy setting in a mixed environment to prevent downstream clients from using the workstation as a network server.

CCE-33062-1
Windows Firewall: Domain: Display a notification Select this option to have Windows Firewall with Advanced Security display notifications to the user when a program is blocked from receiving inbound connections. Note: When the Apply local firewall rules setting is configured to No, Microsoft recom ...

CCE-33791-5
Turn off Autoplay Autoplay starts to read from a drive as soon as you insert media in the drive, which causes the setup file for programs or audio media to start immediately. An attacker could use this feature to launch a program to damage the computer or data on the computer. You can enable the Tu ...

CCE-35702-0
Windows Firewall: Private: Apply local firewall rules This setting controls whether local administrators are allowed to create local firewall rules that apply together with firewall rules configured by Group Policy.

CCE-33801-2
Configure Offer Remote Assistance This policy setting allows you to turn on or turn off Offer (Unsolicited) Remote Assistance on this computer. If you enable this policy setting, users on this computer can get help from their corporate technical support staff using Offer (Unsolicited) Remote Ass ...

CCE-33164-5
Enable screen saver This policy setting allows you to manage whether or not screen savers run. If the Screen Saver setting is disabled screen savers do not run and the screen saver section of the Screen Saver tab in Display in Control Panel is disabled. If this setting is enabled a screen saver wil ...

CCE-35781-4
Turn off downloading of print drivers over HTTP This policy setting controls whether the computer can download print driver packages over HTTP. To set up HTTP printing, printer drivers that are not available in the standard operating system installation might need to be downloaded over HTTP.

CCE-35506-5
Audit Policy: Logon-Logoff: IPsec Quick Mode This subcategory reports the results of IKE protocol and AuthIP during Quick Mode negotiations. - 4654: An IPsec Quick Mode negotiation failed. Events for this subcategory include: - 4977: During Quick Mode negotiation, IPsec received an invalid negotiat ...

CCE-33949-9
Accounts: Guest account status This policy setting determines whether the Guest account is enabled or disabled. The Guest account allows unauthenticated network users to gain access to the system. Note that this setting will have no impact when applied to the domain controller organizational unit v ...

CCE-33034-0
Accounts: Rename administrator account The built-in local administrator account is a well-known account name that attackers will target. Microsoft recommends choosing another name for this account and avoiding names that denote administrative or elevated access accounts. Be sure to also change th ...

CCE-35488-6
Accounts: Rename guest account The built-in local guest account is another well-known name to attackers. Microsoft recommends renaming this account to something that does not indicate its purpose. Even if you disable this account, which is recommended, ensure that you rename it for added security. ...

CCE-34021-6
Impersonate a client after authentication The policy setting allows programs that run on behalf of a user to impersonate that user (or another specified account) so that they can act on behalf of the user. If this user right is required for this kind of impersonation, an unauthorized user will not ...

CCE-33095-1
Create global objects This policy setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that ...

CCE-35067-8
Restore files and directories This policy setting determines which users can bypass file, directory, registry, and other persistent object permissions when restoring backed up files and directories on computers that run Windows Vista in your environment. This user right also determines which users ...

CCE-33035-7
Allow log on through Remote Desktop Services This policy setting determines which users or groups have the right to log on as a Terminal Services client. Remote desktop users require this user right. If your organization uses Remote Assistance as part of its help desk strategy, create a group and a ...

CCE-35178-3
Increase scheduling priority This policy setting determines whether users can increase the base priority class of a process. (It is not a privileged operation to increase relative priority within a priority class.) This user right is not required by administrative tools that are supplied with the o ...

CCE-33431-8
Change the time zone This setting determines which users can change the time zone of the computer. This ability holds no great danger for the computer and may be useful for mobile workers. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either loc ...

CCE-34173-5
Deny access to this computer from the network This policy setting prohibits users from connecting to a computer from across the network, which would allow users to access and potentially modify data remotely. In high security environments, there should be no need for remote users to access data on ...

CCE-34913-4
Modify an object label This privilege determines which user accounts can modify the integrity label of objects, such as files, registry keys, or processes owned by other users. Processes running under a user account can modify the label of an object owned by that user to a lower level without this ...

CCE-33715-4
Force shutdown from a remote system This policy setting allows users to shut down Windows Vista-based computers from remote locations on the network. Anyone who has been assigned this user right can cause a denial of service (DoS) condition, which would make the computer unavailable to service user ...

CCE-34897-9
Increase a process working set This privilege determines which user accounts can increase or decrease the size of a process's working set. The working set of a process is the set of memory pages currently visible to the process in physical RAM memory. These pages are resident and available for an a ...

CCE-33047-2
Bypass traverse checking This policy setting allows users who do not have the Traverse Folder access permission to pass through folders when they browse an object path in the NTFS file system or the registry. This user right does not allow users to list the contents of a folder. When configuring a ...

CCE-33051-4
Create a pagefile This policy setting allows users to change the size of the pagefile. By making the pagefile extremely large or extremely small, an attacker could easily affect the performance of a compromised computer. When configuring a user right in the SCM enter a comma delimited list of acco ...

CCE-33780-8
Create permanent shared objects This user right is useful to kernel-mode components that extend the object namespace. However, components that run in kernel mode have this user right inherently. Therefore, it is typically not necessary to specifically assign this user right. When configuring a use ...

CCE-33778-2
Enable computer and user accounts to be trusted for delegation This policy setting allows users to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network. When configuring ...

CCE-35009-0
Take ownership of files or other objects This policy setting allows users to take ownership of files, folders, registry keys, processes, or threads. This user right bypasses any permissions that are in place to protect objects to give ownership to the specified user. When configuring a user right ...

CCE-35000-9
Profile single process This policy setting determines which users can use tools to monitor the performance of non-system processes. Typically, you do not need to configure this user right to use the Microsoft Management Console (MMC) Performance snap-in. However, you do need this user right if Syst ...

CCE-35640-2
Allow log on locally This policy setting determines which users can interactively log on to computers in your environment. Logons that are initiated by pressing the CTRL+ALT+DEL key sequence on the client computer keyboard require this user right. Users who attempt to log on through Terminal Servic ...

CCE-33053-0
Create symbolic links This policy setting determines which users can create symbolic links. In Windows Vista, existing NTFS file system objects, such as files and folders, can be accessed by referring to a new kind of file system object called a symbolic link. A symbolic link is a pointer (much lik ...

CCE-35461-3
Deny log on as a batch job This policy setting determines which accounts will not be able to log on to the computer as a batch job. A batch job is not a batch (.bat) file, but rather a batch-queue facility. Accounts that use the Task Scheduler to schedule jobs need this user right. The Deny log on ...

CCE-33157-9
Debug programs This policy setting determines which user accounts will have the right to attach a debugger to any process or to the kernel, which provides complete access to sensitive and critical operating system components. Developers who are debugging their own applications do not need to be ass ...

CCE-35403-5
Act as part of the operating system This policy setting allows a process to assume the identity of any user and thus gain access to the resources that the user is authorized to access. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local o ...

CCE-35699-8
Back up files and directories This policy setting allows users to circumvent file and directory permissions to back up the system. This user right is enabled only when an application (such as NTBACKUP) attempts to access a file or directory through the NTFS file system backup application programmin ...

CCE-34903-5
Load and unload device drivers This policy setting allows users to dynamically load a new device driver on a system. An attacker could potentially use this capability to install malicious code that appears to be a device driver. This user right is required for users to add local printers or printer ...

CCE-33787-3
Deny log on through Remote Desktop Services This policy setting determines whether users can log on as Terminal Services clients. After the baseline member server is joined to a domain environment, there is no need to use local accounts to access the server from the network. Domain accounts can acc ...

CCE-35275-7
Manage auditing and security log This policy setting determines which users can change the auditing options for files and directories and clear the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Dir ...

CCE-35004-1
Shut down the system This policy setting determines which users who are logged on locally to the computers in your environment can shut down the operating system with the Shut Down command. Misuse of this user right can result in a denial of service condition. When configuring a user right in the ...

CCE-33432-6
Log on as a batch job This policy setting allows accounts to log on using the task scheduler service. Because the task scheduler is often used for administrative purposes, it may be needed in enterprise environments. However, its use should be restricted in high security environments to prevent mis ...

CCE-35003-3
Replace a process level token This policy setting allows one process or service to start another service or process with a different security access token, which can be used to modify the security access token of that sub-process and result in the escalation of privileges. When configuring a user ...

CCE-35363-1
Generate security audits This policy setting determines which users or processes can generate audit records in the Security log. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can be groups, user ...

CCE-32928-4
Access this computer from the network This policy setting allows other users on the network to connect to the computer and is required by various network protocols that include Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus ( ...

CCE-33094-4
Change the system time This policy setting determines which users and groups can change the time and date on the internal clock of the computers in your environment. Users who are assigned this user right can affect the appearance of event logs. When a computer's time setting is changed, logged eve ...

CCE-33731-1
Log on as a service This policy setting allows accounts to launch network services or to register a process as a service running on the system. This user right should be restricted on any computer in a high security environment, but because many applications may require this privilege, it should be ...

CCE-35490-2
Adjust memory quotas for a process This policy setting allows a user to adjust the maximum amount of memory that is available to a process. The ability to adjust memory quotas is useful for system tuning, but it can be abused. In the wrong hands, it could be used to launch a denial of service (DoS) ...

CCE-35369-8
Perform volume maintenance tasks This policy setting allows users to manage the system's volume or disk configuration, which could allow a user to delete a volume and cause data loss as well as a denial-of-service condition. When configuring a user right in the SCM enter a comma delimited list of ...

CCE-33779-0
Create a token object This policy setting allows a process to create an access token, which may provide elevated rights to access sensitive data. When configuring a user right in the SCM enter a comma delimited list of accounts. Accounts can be either local or located in Active Directory, they can ...

CCE-35183-3
Modify firmware environment values This policy setting allows users to configure the system-wide environment variables that affect hardware configuration. This information is typically stored in the Last Known Good Configuration. Modification of these values could lead to a hardware failure tha ...

CCE-33807-9
Lock pages in memory This policy setting allows a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. If this user right is assigned, significant degradation of system performance can occur. When configuring a user right in the SCM ent ...

CCE-35293-0
Deny log on locally This security setting determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies. Important: If you apply this security policy to the Everyone group, no one ...

CCE-35409-2
Account lockout duration This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy sett ...

CCE-35408-4
Reset account lockout counter after This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value f ...

CCE-34907-6
Maximum password age This policy setting defines how long a user can use their password before it expires. Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire. The default value for this policy setting is 42 days. Because attackers can ...

CCE-35496-9
Audit Policy: Account Logon: Kerberos Service Ticket Operations This subcategory reports events generated by Kerberos ticket request processes on the domain controller that is authoritative for the domain account. Events for this subcategory include: - 4769: A Kerberos service ticket was requested. - 4770 ...

CPE    1
cpe:/o:microsoft:windows_8.1
*XCCDF
xccdf_org.secpod_benchmark_general_Windows_8_1
OVAL    1667
oval:org.secpod.oval:def:29215
oval:org.secpod.oval:def:29216
oval:org.secpod.oval:def:29213
oval:org.secpod.oval:def:29214
...

© 2013 SecPod Technologies