Group Policy Management
_OE-C-MSSCT-PaT-LDA-merge-2004
Data collected on: 04.10.2021 18:22:51
General
Details
Domain | kit.edu
Owner | KIT\Domain Admins
Created | 28.09.2021 13:41:08
Modified | 28.09.2021 13:41:08
User Revisions | 1 (AD), 1 (SYSVOL)
Computer Revisions | 1 (AD), 1 (SYSVOL)
Unique ID | {808AB44A-1EE3-4E63-945C-AB58747C9EEA}
GPO Status | User settings disabled
Links
Location | Enforced | Link Status | Path
BSI-Test | No | Enabled | kit.edu/KIT/Staff/SCC/Betrieb/CMK/Rechnerkonten/BSI-Test
TCS_GPO_Test | No | Enabled | kit.edu/KIT/Staff/SCC/Dienste/FMC/Rechnerkonten/TCS_GPO_Test

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name | Allowed Permissions | Inherited
KIT\Domain Admins | Edit settings, delete, modify security | No
KIT\Domain Computers | Read | No
KIT\Enterprise Admins | Edit settings, delete, modify security | No
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Local Policies/User Rights Assignment
Policy | Setting
Access Credential Manager as a trusted caller | (empty)
Access this computer from the network | BUILTIN\Administrators, BUILTIN\Remote Desktop Users
Act as part of the operating system | (empty)
Allow log on locally | BUILTIN\Administrators, BUILTIN\Users
Back up files and directories | BUILTIN\Administrators
Create a pagefile | BUILTIN\Administrators
Create a token object | (empty)
Create global objects | BUILTIN\Administrators, NT AUTHORITY\SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Create permanent shared objects | (empty)
Debug programs | BUILTIN\Administrators
Deny access to this computer from the network | NT AUTHORITY\Local account
Deny log on through Terminal Services | NT AUTHORITY\Local account
Enable computer and user accounts to be trusted for delegation | (empty)
Force shutdown from a remote system | BUILTIN\Administrators
Impersonate a client after authentication | BUILTIN\Administrators, NT AUTHORITY\SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Load and unload device drivers | BUILTIN\Administrators
Lock pages in memory | (empty)
Manage auditing and security log | BUILTIN\Administrators
Modify firmware environment values | BUILTIN\Administrators
Perform volume maintenance tasks | BUILTIN\Administrators
Profile single process | BUILTIN\Administrators
Restore files and directories | BUILTIN\Administrators
Take ownership of files or other objects | BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy | Setting
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Interactive Logon
Policy | Setting
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 2 logons
Interactive logon: Smart card removal behavior | Lock Workstation
Microsoft Network Client
Policy | Setting
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Network Access
Policy | Setting
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled
Network Security
Policy | Setting
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled
Require NTLMv2 session security | Enabled
Require 128-bit encryption | Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled
Require NTLMv2 session security | Enabled
Require 128-bit encryption | Enabled
System Objects
Policy | Setting
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
User Account Control
Policy | Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop
User Account Control: Detect application installations and prompt for elevation | Enabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled
User Account Control: Run all administrators in Admin Approval Mode | Enabled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled
Other
Policy | Setting
Accounts: Block Microsoft accounts | Users can't add or log on with Microsoft accounts
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Machine inactivity limit | 900 seconds
Microsoft network server: Digitally sign communications (always) | Enabled
Network access: Restrict clients allowed to make remote calls to SAM | "O:BAG:BAD:(A;;RC;;;BA)"
Network security: Allow LocalSystem NULL session fallback | Disabled
System Services
Connected User Experiences and Telemetry (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
MrxSmb10 (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
Remote Registry (Startup Mode: Automatic)
Permissions
No permissions specified
Auditing
No auditing specified
Microsoft Account Sign-in Assistant (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
XblAuthManager (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
XblGameSave (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
XboxGipSvc (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
XboxNetApiSvc (Startup Mode: Disabled)
Permissions
No permissions specified
Auditing
No auditing specified
File System
%SystemDrive%\
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | Everyone | Read and Execute | This folder only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow | BUILTIN\Users | Read and Execute | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Enabled
Auditing
No auditing specified
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files
Allow | CREATOR OWNER | Full Control | Subfolders and files only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell_ise.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files
Allow | CREATOR OWNER | Full Control | Subfolders and files only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files
Allow | CREATOR OWNER | Full Control | Subfolders and files only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe
Configure this file or folder then: Propagate inheritable permissions to all subfolders and files
Owner
Permissions
Type | Name | Permission | Apply To
Allow | APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES | Read and Execute | This folder, subfolders and files
Allow | CREATOR OWNER | Full Control | Subfolders and files only
Allow | NT AUTHORITY\SYSTEM | Full Control | This folder, subfolders and files
Allow | BUILTIN\Administrators | Full Control | This folder, subfolders and files
Allow inheritable permissions from the parent to propagate to this object and all child objects | Disabled
Auditing
No auditing specified
Advanced Audit Configuration
Account Logon
Policy | Setting
Audit Credential Validation | Success, Failure
Account Management
Policy | Setting
Audit Security Group Management | Success
Audit User Account Management | Success, Failure
Detailed Tracking
Policy | Setting
Audit PNP Activity | Success
Audit Process Creation | Success
Logon/Logoff
Policy | Setting
Audit Account Lockout | Failure
Audit Group Membership | Success
Audit Logon | Success, Failure
Audit Other Logon/Logoff Events | Success, Failure
Audit Special Logon | Success
Object Access
Policy | Setting
Audit Detailed File Share | Failure
Audit File Share | Success, Failure
Audit Other Object Access Events | Success, Failure
Audit Removable Storage | Success, Failure
Policy Change
Policy | Setting
Audit Audit Policy Change | Success
Audit Authentication Policy Change | Success
Audit MPSSVC Rule-Level Policy Change | Success, Failure
Audit Other Policy Change Events | Failure
Privilege Use
Policy | Setting
Audit Sensitive Privilege Use | Success, Failure
System
Policy | Setting
Audit Other System Events | Success, Failure
Audit Security State Change | Success
Audit Security System Extension | Success
Audit System Integrity | Success, Failure
Administrative Templates
Policy definitions (ADMX files) retrieved from the central store.
Control Panel
Policy | Setting | Comment
Allow Online Tips | Disabled
Control Panel/Personalization
Policy | Setting | Comment
Do not display the lock screen | Enabled
Force a specific default lock screen and logon image | Enabled
Path to lock screen image: C:\windows\web\screen\lockscreen.jpg
Example: Using a local path: C:\windows\web\screen\lockscreen.jpg
Example: Using a UNC path: \\Server\Share\Corp.jpg
Turn off fun facts, tips, tricks, and more on lock screen | Enabled
Policy | Setting | Comment
Prevent enabling lock screen camera | Enabled
Prevent enabling lock screen slide show | Enabled
Control Panel/Regional and Language Options/Handwriting personalization
Policy | Setting | Comment
Turn off automatic learning | Enabled
gp-Pack: Privacy and Telemetry
Policy | Setting | Comment
23. Turn off sending data by MRT | Enabled
LAPS
Policy | Setting | Comment
Enable local admin password management | Enabled
Password Settings | Enabled
Password Complexity | Large letters + small letters + numbers
Password Length | 20
Password Age (Days) | 180
MS Security Guide
Policy | Setting | Comment
Configure SMB v1 client (extra setting needed for pre-Win8.1/2012R2) | Enabled
Configure LanmanWorkstation dependencies | Bowser
MRxSmb20
NSI
Policy | Setting | Comment
Configure SMB v1 client driver | Enabled
Configure MrxSmb10 driver | Disable driver (recommended)
Policy | Setting | Comment
Configure SMB v1 server | Disabled
Enable Structured Exception Handling Overwrite Protection (SEHOP) | Enabled
MSS (Legacy)
Policy | Setting | Comment
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | Enabled
DisableIPSourceRoutingIPv6 | Highest protection, source routing is completely disabled
Policy | Setting | Comment
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | Enabled
DisableIPSourceRouting | Highest protection, source routing is completely disabled
Policy | Setting | Comment
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | Disabled
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | Enabled
Network/Fonts
Policy | Setting | Comment
Enable Font Providers | Disabled
Network/Lanman Workstation
Policy | Setting | Comment
Enable insecure guest logons | Disabled
Network/Network Connections
Policy | Setting | Comment
Prohibit use of Internet Connection Sharing on your DNS domain network | Enabled
Network/Network Provider
Policy | Setting | Comment
Hardened UNC Paths | Enabled
Specify hardened network paths. In the name field, type a fully-qualified UNC path for each network resource. To secure all access to a share with a particular name, regardless of the server name, specify a server name of '*' (asterisk). For example, "\\*\NETLOGON". To secure all access to all shares hosted on a server, the share name portion of the UNC path may be omitted. For example, "\\SERVER". In the value field, specify one or more of the following options, separated by commas: 'RequireMutualAuthentication=1': Mutual authentication between the client and server is required to ensure the client connects to the correct server. 'RequireIntegrity=1': Communication between the client and server must employ an integrity mechanism to prevent data tampering. 'RequirePrivacy=1': Communication between the client and the server must be encrypted to prevent third parties from observing sensitive data.
Hardened UNC Paths: 
\\*\SYSVOL | RequireMutualAuthentication=1,RequireIntegrity=1
\\*\NETLOGON | RequireMutualAuthentication=1,RequireIntegrity=1
You should require both Integrity and Mutual Authentication for any UNC paths that host executable programs, script files, or files that control security policies. Consider hosting files that do not require Integrity or Privacy on separate shares from those that absolutely need such security for optimal performance. For additional details on configuring Windows computers to require additional security when accessing specific UNC paths, visit http://support.microsoft.com/kb/3000483.
Network/TCPIP Settings/IPv6 Transition Technologies
Policy | Setting | Comment
Set Teredo State | Disabled
Network/Windows Connection Manager
Policy | Setting | Comment
Prohibit connection to non-domain networks when connected to domain authenticated network | Enabled
Network/WLAN Service/WLAN Settings
Policy | Setting | Comment
Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services | Disabled
SCM: Pass the Hash Mitigations
Policy | Setting | Comment
Apply UAC restrictions to local accounts on network logons | Enabled
WDigest Authentication (disabling may require KB2871997) | Disabled
Start Menu and Taskbar/Notifications
Policy | Setting | Comment
Turn off notifications network usage | Enabled
System/Credentials Delegation
Policy | Setting | Comment
Encryption Oracle Remediation | Enabled
Protection Level: Force Updated Clients
Policy | Setting | Comment
Remote host allows delegation of non-exportable credentials | Enabled
System/Device Installation
Policy | Setting | Comment
Prevent device metadata retrieval from the Internet | Enabled
System/Device Installation/Device Installation Restrictions
Policy | Setting | Comment
Prevent installation of devices that match any of these device IDs | Enabled
Prevent installation of devices that match any of these Device IDs:
PCI\CC_0C0A
To create a list of devices, click Show. In the Show Contents dialog box, in the Value column,
type a Plug and Play hardware ID or compatible ID
(for example, gendisk, USB\COMPOSITE, USB\Class_ff).
Also apply to matching devices that are already installed. | Enabled
Policy | Setting | Comment
Prevent installation of devices using drivers that match these device setup classes | Enabled
Prevent installation of devices using drivers for these device setup classes:
{d48179be-ec20-11d1-b6b8-00c04fa372a7}
To create a list of device classes, click Show. In the Show Contents dialog box, in the Value column,
type a GUID that represents a device setup class
(for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}).
Also apply to matching devices that are already installed. | Enabled
System/Early Launch Antimalware
Policy | Setting | Comment
Boot-Start Driver Initialization Policy | Enabled
Choose the boot-start drivers that can be initialized: Good, unknown and bad but critical
System/Group Policy
Policy | Setting | Comment
Configure web-to-app linking with app URI handlers | Disabled
Continue experiences on this device | Disabled
System/Internet Communication Management/Internet Communication settings
Policy | Setting | Comment
Turn off access to the Store | Enabled
Turn off downloading of print drivers over HTTP | Enabled
Turn off Internet download for Web publishing and online ordering wizards | Enabled
Turn off Windows Customer Experience Improvement Program | Enabled
Turn off Windows Error Reporting | Enabled
Turn off Windows Network Connectivity Status Indicator active tests | Enabled
System/Kernel DMA Protection
Policy | Setting | Comment
Enumeration policy for external devices incompatible with Kernel DMA Protection | Enabled
Enumeration policy | Block all
System/Logon
Policy | Setting | Comment
Enumerate local users on domain-joined computers | Disabled
Turn on convenience PIN sign-in | Disabled
System/OS Policies
Policy | Setting | Comment
Allow publishing of User Activities | Disabled
Allow upload of User Activities | Disabled
Enables Activity Feed | Disabled
System/Power Management/Sleep Settings
Policy | Setting | Comment
Allow standby states (S1-S3) when sleeping (on battery) | Disabled
Allow standby states (S1-S3) when sleeping (plugged in) | Disabled
Require a password when a computer wakes (on battery) | Enabled
Require a password when a computer wakes (plugged in) | Enabled
System/Remote Assistance
Policy | Setting | Comment
Configure Solicited Remote Assistance | Disabled
System/Remote Procedure Call
Policy | Setting | Comment
Restrict Unauthenticated RPC clients | Enabled
RPC Runtime Unauthenticated Client Restriction to Apply: Authenticated
System/Storage Health
Policy | Setting | Comment
Allow downloading updates to the Disk Failure Prediction Model | Disabled
System/User Profiles
Policy | Setting | Comment
Turn off the advertising ID | Enabled
Windows Components/App Package Deployment
Policy | Setting | Comment
Allow a Windows app to share application data between users | Disabled
Windows Components/App Privacy
Policy | Setting | Comment
Let Windows apps access account information | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access an eye tracker device | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access call history | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access contacts | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access diagnostic information about other apps | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access email | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access location | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access messaging | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access motion | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access notifications | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access Tasks | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access the calendar | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access the camera | Enabled
Default for all apps: User is in control
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access the microphone | Enabled
Default for all apps: User is in control
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps access trusted devices | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps activate with voice | Enabled
Default for all apps: User is in control
Policy | Setting | Comment
Let Windows apps activate with voice while the system is locked | Enabled
Default for all apps: User is in control
Policy | Setting | Comment
Let Windows apps communicate with unpaired devices | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps control radios | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps make phone calls | Enabled
Default for all apps: Force Deny
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Policy | Setting | Comment
Let Windows apps run in the background | Enabled
Default for all apps: User is in control
Put user in control of these specific apps (use Package Family Names):
Force allow these specific apps (use Package Family Names):
Force deny these specific apps (use Package Family Names):
Windows Components/App runtime
Policy | Setting | Comment
Allow Microsoft accounts to be optional | Enabled
Windows Components/Application Compatibility
Policy | Setting | Comment
Turn off Application Telemetry | Enabled
Turn off Inventory Collector | Enabled
Turn off Steps Recorder | Enabled
Windows Components/AutoPlay Policies
Policy | Setting | Comment
Disallow Autoplay for non-volume devices | Enabled
Set the default behavior for AutoRun | Enabled
Default AutoRun Behavior | Do not execute any autorun commands
Policy | Setting | Comment
Turn off Autoplay | Enabled
Turn off Autoplay on: All drives
Windows Components/Biometrics/Facial Features
Policy | Setting | Comment
Configure enhanced anti-spoofing | Enabled
Windows Components/BitLocker Drive Encryption
Policy | Setting | Comment
Disable new DMA devices when this computer is locked | Enabled
Windows Components/BitLocker Drive Encryption/Operating System Drives
Policy | Setting | Comment
Allow enhanced PINs for startup | Enabled
Choose how BitLocker-protected operating system drives can be recovered | Enabled
Allow data recovery agent | Enabled
Configure user storage of BitLocker recovery information:
Allow 48-digit recovery password
Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard | Disabled
Save BitLocker recovery information to AD DS for operating system drives | Enabled
Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives | Enabled
Policy | Setting | Comment
Configure use of hardware-based encryption for operating system drives | Disabled
Enforce drive encryption type on operating system drives | Enabled
Select the encryption type: Used Space Only encryption
Policy | Setting | Comment
Require additional authentication at startup | Enabled
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) | Enabled
Settings for computers with a TPM:
Configure TPM startup: Allow TPM
Configure TPM startup PIN: Allow startup PIN with TPM
Configure TPM startup key: Allow startup key with TPM
Configure TPM startup key and PIN: Allow startup key and PIN with TPM
Windows Components/BitLocker Drive Encryption/Removable Data Drives
Policy | Setting | Comment
Deny write access to removable drives not protected by BitLocker | Enabled
Do not allow write access to devices configured in another organization | Disabled
Windows Components/Cloud Content
Policy | Setting | Comment
Do not show Windows tips | Enabled
Turn off Microsoft consumer experiences | Enabled
Windows Components/Credential User Interface
Policy | Setting | Comment
Enumerate administrator accounts on elevation | Disabled
Windows Components/Data Collection and Preview Builds
Policy | Setting | Comment
Allow Telemetry | Enabled
0 - Security [Enterprise Only]
Policy | Setting | Comment
Configure the Commercial ID | Disabled
Do not show feedback notifications | Enabled
Toggle user control over Insider builds | Disabled
Windows Components/Delivery Optimization
Policy | Setting | Comment
Download Mode | Enabled
Download Mode: Group (2)
Windows Components/Event Log Service/Application
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
Maximum Log Size (KB) | 32768
Windows Components/Event Log Service/Security
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
Maximum Log Size (KB) | 196608
Windows Components/Event Log Service/System
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
Maximum Log Size (KB) | 32768
Windows Components/File Explorer
Policy | Setting | Comment
Turn off Data Execution Prevention for Explorer | Disabled
Turn off heap termination on corruption | Disabled
Windows Components/Find My Device
Policy | Setting | Comment
Turn On/Off Find My Device | Disabled
Windows Components/Internet Explorer
Policy | Setting | Comment
Allow Microsoft services to provide enhanced suggestions as the user types in the Address bar | Disabled | BSI
Disable Periodic Check for Internet Explorer software updates | Enabled | BSI
Prevent bypassing SmartScreen Filter warnings | Enabled
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet | Enabled
Prevent managing SmartScreen Filter | Enabled
Select SmartScreen Filter mode | Off
Policy | Setting | Comment
Prevent per-user installation of ActiveX controls | Enabled
Security Zones: Do not allow users to add/delete sites | Enabled
Security Zones: Do not allow users to change policies | Enabled
Specify use of ActiveX Installer Service for installation of ActiveX controls | Enabled
Turn off browser geolocation | Enabled | BSI
Turn off Crash Detection | Enabled
Turn off the auto-complete feature for web addresses | Enabled | BSI
Turn off the Security Settings Check feature | Disabled
Turn on Suggested Sites | Disabled | BSI
Windows Components/Internet Explorer/Compatibility View
Policy | Setting | Comment
Turn off Compatibility View | Enabled
Windows Components/Internet Explorer/Internet Control Panel/Advanced Page
Policy | Setting | Comment
Allow software to run or install even if the signature is invalid | Disabled
Check for server certificate revocation | Enabled
Check for signatures on downloaded programs | Enabled
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled | Enabled
Turn off encryption support | Enabled
Secure Protocol combinations | Use TLS 1.1 and TLS 1.2
Policy | Setting | Comment
Turn off the flip ahead with page prediction feature | Enabled
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows | Enabled
Turn on Enhanced Protected Mode | Enabled
Windows Components/Internet Explorer/Internet Control Panel/Security Page
PolicySettingComment
Intranet Sites: Include all network paths (UNCs)Enabled
Turn on certificate address mismatch warningEnabled
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone
Policy | Setting | Comment
Access data sources across domains | Enabled
  Access data sources across domains | Disable
Allow cut, copy or paste operations from the clipboard via script | Enabled
  Allow paste operations via script | Disable
Allow drag and drop or copy and paste files | Enabled
  Allow drag and drop or copy and paste files | Disable
Allow loading of XAML files | Enabled
  XAML Files | Disable
Allow only approved domains to use ActiveX controls without prompt | Enabled
  Only allow approved domains to use ActiveX controls without prompt | Enable
Allow only approved domains to use the TDC ActiveX control | Enabled
  Only allow approved domains to use the TDC ActiveX control | Enable
Allow scripting of Internet Explorer WebBrowser controls | Enabled
  Internet Explorer web browser control | Disable
Allow script-initiated windows without size or position constraints | Enabled
  Allow script-initiated windows without size or position constraints | Disable
Allow scriptlets | Enabled
  Scriptlets | Disable
Allow updates to status bar via script | Enabled
  Status bar updates via script | Disable
Allow VBScript to run in Internet Explorer | Enabled
  Allow VBScript to run in Internet Explorer | Disable
Automatic prompting for file downloads | Enabled
  Automatic prompting for file downloads | Disable
Don't run antimalware programs against ActiveX controls | Enabled
  Don't run antimalware programs against ActiveX controls | Disable
Download signed ActiveX controls | Enabled
  Download signed ActiveX controls | Disable
Download unsigned ActiveX controls | Enabled
  Download unsigned ActiveX controls | Disable
Enable dragging of content from different domains across windows | Enabled
  Enable dragging of content from different domains across windows | Disable
Enable dragging of content from different domains within a window | Enabled
  Enable dragging of content from different domains within a window | Disable
Include local path when user is uploading files to a server | Enabled
  Include local directory path when uploading files to a server | Disable
Initialize and script ActiveX controls not marked as safe | Enabled
  Initialize and script ActiveX controls not marked as safe | Disable
Java permissions | Enabled
  Java permissions | Disable Java
Launching applications and files in an IFRAME | Enabled
  Launching applications and files in an IFRAME | Disable
Logon options | Enabled
  Logon options | Prompt for user name and password
Navigate windows and frames across different domains | Enabled
  Navigate windows and frames across different domains | Disable
Run .NET Framework-reliant components not signed with Authenticode | Enabled
  Run .NET Framework-reliant components not signed with Authenticode | Disable
Run .NET Framework-reliant components signed with Authenticode | Enabled
  Run .NET Framework-reliant components signed with Authenticode | Disable
Show security warning for potentially unsafe files | Enabled
  Launching programs and unsafe files | Prompt
Turn on Cross-Site Scripting Filter | Enabled
  Turn on Cross-Site Scripting (XSS) Filter | Enable
Turn on Protected Mode | Enabled
  Protected Mode | Enable
Turn on SmartScreen Filter scan | Enabled
  Use SmartScreen Filter | Enable
Use Pop-up Blocker | Enabled
  Use Pop-up Blocker | Enable
Userdata persistence | Enabled
  Userdata persistence | Disable
Web sites in less privileged Web content zones can navigate into this zone | Enabled
  Web sites in less privileged Web content zones can navigate into this zone | Disable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Intranet Zone
Policy | Setting | Comment
Don't run antimalware programs against ActiveX controls | Enabled
  Don't run antimalware programs against ActiveX controls | Disable
Initialize and script ActiveX controls not marked as safe | Enabled
  Initialize and script ActiveX controls not marked as safe | Disable
Java permissions | Enabled
  Java permissions | High safety
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Local Machine Zone
Policy | Setting | Comment
Don't run antimalware programs against ActiveX controls | Enabled
  Don't run antimalware programs against ActiveX controls | Disable
Java permissions | Enabled
  Java permissions | Disable Java
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Internet Zone
Policy | Setting | Comment
Turn on SmartScreen Filter scan | Enabled
  Use SmartScreen Filter | Enable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Intranet Zone
Policy | Setting | Comment
Java permissions | Enabled
  Java permissions | Disable Java
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Local Machine Zone
Policy | Setting | Comment
Java permissions | Enabled
  Java permissions | Disable Java
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Restricted Sites Zone
Policy | Setting | Comment
Java permissions | Enabled
  Java permissions | Disable Java
Turn on SmartScreen Filter scan | Enabled
  Use SmartScreen Filter | Enable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Locked-Down Trusted Sites Zone
Policy | Setting | Comment
Java permissions | Enabled
  Java permissions | Disable Java
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Restricted Sites Zone
Policy | Setting | Comment
Access data sources across domains | Enabled
  Access data sources across domains | Disable
Allow active scripting | Enabled
  Allow active scripting | Disable
Allow binary and script behaviors | Enabled
  Allow Binary and Script Behaviors | Disable
Allow cut, copy or paste operations from the clipboard via script | Enabled
  Allow paste operations via script | Disable
Allow drag and drop or copy and paste files | Enabled
  Allow drag and drop or copy and paste files | Disable
Allow file downloads | Enabled
  Allow file downloads | Disable
Allow loading of XAML files | Enabled
  XAML Files | Disable
Allow META REFRESH | Enabled
  Allow META REFRESH | Disable
Allow only approved domains to use ActiveX controls without prompt | Enabled
  Only allow approved domains to use ActiveX controls without prompt | Enable
Allow only approved domains to use the TDC ActiveX control | Enabled
  Only allow approved domains to use the TDC ActiveX control | Enable
Allow scripting of Internet Explorer WebBrowser controls | Enabled
  Internet Explorer web browser control | Disable
Allow script-initiated windows without size or position constraints | Enabled
  Allow script-initiated windows without size or position constraints | Disable
Allow scriptlets | Enabled
  Scriptlets | Disable
Allow updates to status bar via script | Enabled
  Status bar updates via script | Disable
Allow VBScript to run in Internet Explorer | Enabled
  Allow VBScript to run in Internet Explorer | Disable
Automatic prompting for file downloads | Enabled
  Automatic prompting for file downloads | Disable
Don't run antimalware programs against ActiveX controls | Enabled
  Don't run antimalware programs against ActiveX controls | Disable
Download signed ActiveX controls | Enabled
  Download signed ActiveX controls | Disable
Download unsigned ActiveX controls | Enabled
  Download unsigned ActiveX controls | Disable
Enable dragging of content from different domains across windows | Enabled
  Enable dragging of content from different domains across windows | Disable
Enable dragging of content from different domains within a window | Enabled
  Enable dragging of content from different domains within a window | Disable
Include local path when user is uploading files to a server | Enabled
  Include local directory path when uploading files to a server | Disable
Initialize and script ActiveX controls not marked as safe | Enabled
  Initialize and script ActiveX controls not marked as safe | Disable
Java permissions | Enabled
  Java permissions | Disable Java
Launching applications and files in an IFRAME | Enabled
  Launching applications and files in an IFRAME | Disable
Logon options | Enabled
  Logon options | Anonymous logon
Navigate windows and frames across different domains | Enabled
  Navigate windows and frames across different domains | Disable
Run .NET Framework-reliant components not signed with Authenticode | Enabled
  Run .NET Framework-reliant components not signed with Authenticode | Disable
Run .NET Framework-reliant components signed with Authenticode | Enabled
  Run .NET Framework-reliant components signed with Authenticode | Disable
Run ActiveX controls and plugins | Enabled
  Run ActiveX controls and plugins | Disable
Script ActiveX controls marked safe for scripting | Enabled
  Script ActiveX controls marked safe for scripting | Disable
Scripting of Java applets | Enabled
  Scripting of Java applets | Disable
Show security warning for potentially unsafe files | Enabled
  Launching programs and unsafe files | Disable
Turn on Cross-Site Scripting Filter | Enabled
  Turn on Cross-Site Scripting (XSS) Filter | Enable
Turn on Protected Mode | Enabled
  Protected Mode | Enable
Turn on SmartScreen Filter scan | Enabled
  Use SmartScreen Filter | Enable
Use Pop-up Blocker | Enabled
  Use Pop-up Blocker | Enable
Userdata persistence | Enabled
  Userdata persistence | Disable
Web sites in less privileged Web content zones can navigate into this zone | Enabled
  Web sites in less privileged Web content zones can navigate into this zone | Disable
Windows Components/Internet Explorer/Internet Control Panel/Security Page/Trusted Sites Zone
Policy | Setting | Comment
Don't run antimalware programs against ActiveX controls | Enabled
  Don't run antimalware programs against ActiveX controls | Disable
Initialize and script ActiveX controls not marked as safe | Enabled
  Initialize and script ActiveX controls not marked as safe | Disable
Java permissions | Enabled
  Java permissions | High safety
Windows Components/Internet Explorer/Security Features
Policy | Setting | Comment
Allow fallback to SSL 3.0 (Internet Explorer) | Enabled
  Allow insecure fallback for: | No Sites
Windows Components/Internet Explorer/Security Features/Add-on Management
Policy | Setting | Comment
Remove "Run this time" button for outdated ActiveX controls in Internet Explorer | Enabled
Turn off blocking of outdated ActiveX controls for Internet Explorer | Disabled
Windows Components/Internet Explorer/Security Features/Consistent Mime Handling
Policy | Setting | Comment
Internet Explorer Processes | Enabled
Windows Components/Internet Explorer/Security Features/Mime Sniffing Safety Feature
Policy | Setting | Comment
Internet Explorer Processes | Enabled
Windows Components/Internet Explorer/Security Features/MK Protocol Security Restriction
Policy | Setting | Comment
Internet Explorer Processes | Enabled
Windows Components/Internet Explorer/Security Features/Notification bar
Policy | Setting | Comment
Internet Explorer Processes | Enabled
Windows Components/Internet Explorer/Security Features/Protection From Zone Elevation
Policy | Setting | Comment
Internet Explorer Processes | Enabled
Windows Components/Internet Explorer/Security Features/Restrict ActiveX Install
Policy | Setting | Comment
Internet Explorer Processes | Enabled
Windows Components/Internet Explorer/Security Features/Restrict File Download
Policy | Setting | Comment
Internet Explorer Processes | Enabled
Windows Components/Internet Explorer/Security Features/Scripted Window Security Restrictions
Policy | Setting | Comment
Internet Explorer Processes | Enabled
Windows Components/Location and Sensors
Policy | Setting | Comment
Turn off location | Enabled
Windows Components/Location and Sensors/Windows Location Provider
Policy | Setting | Comment
Turn off Windows Location Provider | Enabled
Windows Components/Maps
Policy | Setting | Comment
Turn off Automatic Download and Update of Map Data | Enabled
Turn off unsolicited network traffic on the Offline Maps settings page | Enabled
Windows Components/Messaging
Policy | Setting | Comment
Allow Message Service Cloud Sync | Disabled
Windows Components/Microsoft Defender Antivirus
Policy | Setting | Comment
Turn off Microsoft Defender Antivirus | Enabled
Windows Components/Microsoft Defender Antivirus/Reporting
Policy | Setting | Comment
Turn off enhanced notifications | Enabled
Windows Components/Microsoft Edge
Policy | Setting | Comment
Allow Address bar drop-down list suggestions | Disabled
Allow configuration updates for the Books Library | Disabled
Allow web content on New Tab page | Disabled
Configure Autofill | Disabled
Configure Do Not Track | Disabled
Configure Password Manager | Disabled
Configure search suggestions in Address bar | Disabled
Configure Start pages | Enabled
  Use this format: <support.contoso.com><https://support.microsoft.com/><about:blank/>
Prevent bypassing Windows Defender SmartScreen prompts for files | Enabled
Windows Components/OneDrive
Policy | Setting | Comment
Prevent OneDrive from generating network traffic until the user signs in to OneDrive | Enabled
Prevent the usage of OneDrive for file storage | Enabled
Windows Components/Remote Desktop Services/Remote Desktop Connection Client
Policy | Setting | Comment
Do not allow passwords to be saved | Enabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Policy | Setting | Comment
Always prompt for password upon connection | Enabled
Require secure RPC communication | Enabled
Set client connection encryption level | Enabled
  Encryption Level | High Level
  Choose the encryption level from the drop-down list.
Windows Components/RSS Feeds
Policy | Setting | Comment
Prevent downloading of enclosures | Enabled
Turn off background synchronization for feeds and Web Slices | Enabled
Windows Components/Search
Policy | Setting | Comment
Allow Cortana | Disabled
Allow Cortana above lock screen | Disabled
Allow indexing of encrypted files | Disabled
Allow search and Cortana to use location | Disabled
Do not allow web search | Enabled
Don't search the web or display web results in Search | Enabled
Set what information is shared in Search | Enabled
  Type of information | Anonymous info
Windows Components/Software Protection Platform
Policy | Setting | Comment
Turn off KMS Client Online AVS Validation | Enabled
Windows Components/Speech
Policy | Setting | Comment
Allow Automatic Update of Speech Data | Disabled
Windows Components/Sync your settings
Policy | Setting | Comment
Do not sync | Enabled | BSI
  Allow users to turn syncing on. | Disabled
Do not sync app settings | Enabled
  Allow users to turn "app settings" syncing on. | Disabled
Do not sync Apps | Enabled
  Allow users to turn "AppSync" syncing on. | Disabled
Do not sync browser settings | Enabled
  Allow users to turn "browser" syncing on. | Disabled
Do not sync desktop personalization | Enabled
  Allow users to turn "desktop personalization" syncing on. | Disabled
Do not sync on metered connections | Enabled