Author: admin
Disable delete notifications on all volumes
Delete notification is a feature that notifies the underlying storage device of clusters that are freed due to a file delete operation. A value of 0, the default, will enable delete notifications for all volumes. A value of 1 will disable delete notifications for all volumes.
Short name creation options
These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. If you enable short names on all volumes, then short names will always be generated. If you disable them on all volumes, then they will never be generated. If you set short name creation to be configurable on a per-volume basis, then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes, then short names will only be generated for files created on the system volume.
Enable NTFS pagefile encryption
Encrypting the page file prevents malicious users from reading data that has been paged to disk, but also adds processing overhead for filesystem operations. Enabling this setting will cause the page files to be encrypted.
Do not allow encryption on all NTFS volumes
Encryption can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of encrypted files.
Do not allow compression on all NTFS volumes
Compression can add to the processing overhead of filesystem operations. Enabling this setting will prevent access to and creation of compressed files.
Selectively allow the evaluation of a symbolic link
Symbolic links can introduce vulnerabilities in certain applications. To mitigate this issue, you can selectively enable or disable the evaluation of these types of symbolic links: Local Link to a Local Target, Local Link to a Remote Target, Remote Link to Remote Target, and Remote Link to Local Target. For further information, please refer to the Windows Help section. NOTE: If this policy is Disabled or Not Configured, local administrators may select the types of symbolic links to be evaluated.
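To see which of the four link types a machine currently evaluates, the following added example (not part of the original page) parses the output of the built-in `fsutil behavior query SymlinkEvaluation` command. The function names, the constructed sample lines and the review rule (flag enabled types whose link resides on a remote share, since those two types are disabled in the Windows default) are assumptions for illustration, and the parser assumes English-language fsutil output.

```powershell
# Added example: report the evaluation state of the four symbolic link types.
function ConvertFrom-SymlinkEvaluation {
    param([string[]]$Lines)
    $state = [ordered]@{}
    foreach ($line in $Lines) {
        # Expected shape (English): "Remote to local symbolic links are disabled."
        if ($line -match '^\s*(local|remote) to (local|remote) symbolic links are (enabled|disabled)') {
            $key = ('{0}->{1}' -f $Matches[1], $Matches[2]).ToLower()
            $state[$key] = ($Matches[3] -eq 'enabled')
        }
    }
    $state
}

function Test-SymlinkEvaluation {
    param([System.Collections.IDictionary]$State)
    foreach ($class in 'local->local', 'local->remote', 'remote->local', 'remote->remote') {
        if (-not $State.Contains($class)) {
            # Missing line: localized or unexpected output, do not assume a state.
            [pscustomobject]@{ Class = $class; Enabled = $null; Finding = 'not reported' }
            continue
        }
        $enabled = [bool]$State[$class]
        # Assumed review rule: links stored on a remote share are off by default.
        $flag = $enabled -and ($class -like 'remote->*')
        [pscustomobject]@{
            Class   = $class
            Enabled = $enabled
            Finding = if ($flag) { 'review: non-default, remote link followed' } else { 'ok' }
        }
    }
}

# Constructed sample output (not captured from a real host).
$sample = @(
    'Local to local symbolic links are enabled.',
    'Local to remote symbolic links are enabled.',
    'Remote to local symbolic links are enabled.',
    'Remote to remote symbolic links are disabled.'
)
Test-SymlinkEvaluation (ConvertFrom-SymlinkEvaluation $sample) | Format-Table -AutoSize

# On a live host, from an elevated session:
# Test-SymlinkEvaluation (ConvertFrom-SymlinkEvaluation (fsutil behavior query SymlinkEvaluation))
```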
Allow or Disallow use of encryption to protect the RPC protocol messages between File Share Shadow Copy Provider running on application server and File Share Shadow Copy Agent running on the file servers.
Determines whether the RPC protocol messages used by VSS for SMB2 File Shares feature is enabled. VSS for SMB2 File Shares feature enables VSS-aware backup applications to perform application-consistent backup and restore of VSS-aware applications storing data on SMB2 File Shares. By default, the RPC protocol message between File Server VSS provider and File Server VSS Agent is signed but not encrypted. Note: To make changes to this setting effective, you must restart Volume Shadow Copy (VSS) Service.
Configure maximum age of file server shadow copies
This policy setting configures the maximum age of a file share shadow copy. File share shadow copies that are older than this age will be deleted by the File Share Shadow Copy Agent. Both the exposed shadow copy share and the corresponding volume shadow copy will be deleted. If you enable this policy setting, the value specified determines the maximum age of a file share shadow copy. If you disable or do not configure this policy setting, file share shadow copies older than 24 hours will be deleted.
Allow Windows Runtime apps to revoke enterprise data
Windows Runtime applications can protect content which has been associated with an enterprise identifier (EID), but can only revoke access to content it protected. To allow an application to revoke access to all content on the device that is protected by a particular enterprise, add an entry to the list on a new line that contains the enterprise identifier, separated by a comma, and the Package Family Name of the application. The EID must be an internet domain belonging to the enterprise in standard international domain name format. Example value: Contoso.com,ContosoIT.HumanResourcesApp_m5g0r7arhahqy
If you enable this policy setting, the application identified by the Package Family Name will be permitted to revoke access to all content protected using the specified EID on the device. If you disable or do not configure this policy setting, the only Windows Runtime applications that can revoke access to all enterprise-protected content on the device are Windows Mail and the user-selected mailto protocol handler app. Any other Windows Runtime application will only be able to revoke access to content it protected. Note: File revocation applies to all content protected under the same second level domain as the provided enterprise identifier. So revoking an enterprise ID of mail.contoso.com will revoke the user’s access to all content protected under the contoso.com hierarchy.
Configure Corrupted File Recovery behavior
This policy setting allows you to configure the recovery behavior for corrupted files to one of three states:
Regular: Detection, troubleshooting, and recovery of corrupted files will automatically start with a minimal UI display. Windows will attempt to present you with a dialog box when a system restart is required. This is the default recovery behavior for corrupted files.
Silent: Detection, troubleshooting, and recovery of corrupted files will automatically start with no UI. Windows will log an administrator event when a system restart is required. This behavior is recommended for headless operation.
Troubleshooting Only: Detection and troubleshooting of corrupted files will automatically start with no UI. Recovery is not attempted automatically. Windows will log an administrator event with instructions if manual recovery is possible.
If you enable this setting, the recovery behavior for corrupted files will be set to either the regular (default), silent, or troubleshooting only state. If you disable this setting, the recovery behavior for corrupted files will be disabled. No troubleshooting or resolution will be attempted. If you do not configure this setting, the recovery behavior for corrupted files will be set to the regular recovery behavior. No system or service restarts are required for changes to this policy to take immediate effect after a Group Policy refresh. Note: This policy setting will take effect only when the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, system file recovery will not be attempted. The DPS can be configured with the Services snap-in to the Microsoft Management Console.