Tag: Computer Configuration
Allow administrators to override Device Installation Restriction policies
This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings. If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.
Allow remote access to the Plug and Play interface
This policy setting lets you allow or deny remote access to the Plug and Play interface. If you enable this policy setting, remote connections to the Plug and Play interface are allowed. If you disable or do not configure this policy setting, remote connections to the Plug and Play interface are not allowed.
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point
This policy setting allows you to prevent Windows from creating a system restore point during device activity that would normally prompt Windows to create a system restore point. Windows normally creates restore points for certain driver activity, such as the installation of an unsigned driver. A system restore point enables you to more easily restore your system to its state before the activity. If you enable this policy setting, Windows does not create a system restore point when one would normally be created. If you disable or do not configure this policy setting, Windows creates a system restore point as it normally would.
Configure device installation time-out
This policy setting allows you to configure the number of seconds Windows waits for a device installation task to complete. If you enable this policy setting, Windows waits for the number of seconds you specify before terminating the installation. If you disable or do not configure this policy setting, Windows waits 300 seconds for a device installation task to complete before terminating the installation.
Prioritize all digitally signed drivers equally during the driver ranking and selection process
This policy setting allows you to determine how drivers signed by a Microsoft Windows Publisher certificate are ranked with drivers signed by other valid Authenticode signatures during the driver selection and installation process. Regardless of this policy setting, a signed driver is still preferred over a driver that is not signed at all. If you enable or do not configure this policy setting, drivers that are signed by a Microsoft Windows Publisher certificate and drivers that are signed by other Authenticode certificates are prioritized equally during the driver selection process. Selection is based on other criteria, such as version number or when the driver was created. If you disable this policy setting, drivers that are signed by a Microsoft Windows Publisher certificate are selected for installation over drivers that are signed by other Authenticode certificates.
Driver compatibility settings
Changes behavior of 3rd-party drivers to work around incompatibilities introduced between OS versions.
Device compatibility settings
Changes behavior of Microsoft bus drivers to work with specific devices.
Define Activation Security Check exemptions
Allows you to view and change a list of DCOM server application ids (appids) which are exempted from the DCOM Activation security check. DCOM uses two such lists: one configured via Group Policy through this policy setting, and the other via the actions of local computer administrators. DCOM ignores the second list when this policy setting is configured, unless the “Allow local activation security check exemptions” policy is enabled. DCOM server appids added to this policy must be listed in curly-brace format. For example: {b5dcb061-cefb-42e0-a1be-e6a6438133fe}. If you enter a non-existent or improperly formatted appid, DCOM will add it to the list without checking for errors. If you enable this policy setting, you can view and change the list of DCOM activation security check exemptions defined by Group Policy settings. If you add an appid to this list and set its value to 1, DCOM will not enforce the Activation security check for that DCOM server. If you add an appid to this list and set its value to 0, DCOM will always enforce the Activation security check for that DCOM server regardless of local settings. If you disable this policy setting, the appid exemption list defined by Group Policy is deleted and the one defined by local computer administrators is used. If you do not configure this policy setting, the appid exemption list defined by local computer administrators is used.
Notes: The DCOM Activation security check is done after a DCOM server process is started, but before an object activation request is dispatched to the server process. This access check is done against the DCOM server’s custom launch permission security descriptor if it exists, or otherwise against the configured defaults. If the DCOM server’s custom launch permission contains explicit DENY entries, this may mean that object activations that would have previously succeeded for such specified users, once the DCOM server process was up and running, might now fail instead. The proper action in this situation is to re-configure the DCOM server’s custom launch permission settings for correct security settings, but this policy setting may be used in the short term as an application compatibility deployment aid. DCOM servers added to this exemption list are only exempted if their custom launch permissions do not contain specific LocalLaunch, RemoteLaunch, LocalActivate, or RemoteActivate grant or deny entries for any users or groups. Also note that exemptions for DCOM server appids added to this list will apply to both 32-bit and 64-bit versions of the server, if present.
Allow local activation security check exemptions
Allows you to specify that local computer administrators can supplement the “Define Activation Security Check exemptions” list. If you enable this policy setting, and DCOM does not find an explicit entry for a DCOM server application id (appid) in the “Define Activation Security Check exemptions” policy (if enabled), DCOM will look for an entry in the locally configured list. If you disable this policy setting, DCOM will not look in the locally configured DCOM activation security check exemption list. If you do not configure this policy setting, DCOM will only look in the locally configured exemption list if the “Define Activation Security Check exemptions” policy is not configured.
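The interaction of the two DCOM exemption policies above can be modelled as a small decision function, together with a lint for list entries that DCOM would accept without error checking. This is an added example, not Microsoft code: the function names, the representation of the local list as a set of exempted appids, the case-insensitive comparison, and the handling of the cases where the two descriptions can be read differently are assumptions, marked in the comments.

```python
import re

ENABLED, DISABLED, NOT_CONFIGURED = "enabled", "disabled", "not_configured"
APPID_RE = re.compile(
    r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)

def entries_to_review(gp_list):
    """Entries that are not a curly-brace GUID or whose value is not 0 or 1.
    DCOM stores such entries without error checking, so lint before deploying."""
    return [(appid, value) for appid, value in gp_list.items()
            if not APPID_RE.match(appid) or value not in (0, 1)]

def local_list_consulted(define_state, allow_local_state):
    """Does DCOM look at the locally configured exemption list?"""
    if allow_local_state == ENABLED:
        return True
    if allow_local_state == DISABLED:
        return False  # assumption: an explicit "Allow local" setting is decisive
    # "Allow local" not configured: the local list is used only when the
    # Group Policy list is not in force. Assumption: a Disabled "Define"
    # policy counts as not in force, following the "Define" description.
    return define_state != ENABLED

def check_enforced(appid, define_state, gp_list, allow_local_state,
                   local_exempt, has_specific_launch_aces=False):
    """True if DCOM enforces the Activation security check for this appid.
    local_exempt is modelled as a set of exempted appids (assumption)."""
    appid = appid.lower()  # assumption: appids compare case-insensitively
    if has_specific_launch_aces:
        # Exemptions apply only when the custom launch permission has no
        # specific LocalLaunch/RemoteLaunch/LocalActivate/RemoteActivate
        # entries; applied here to both lists (assumption).
        return True
    if define_state == ENABLED:
        gp = {k.lower(): v for k, v in gp_list.items()}
        if appid in gp:
            return gp[appid] != 1  # 1 = exempt; 0 = always enforce
    if local_list_consulted(define_state, allow_local_state):
        return appid not in {a.lower() for a in local_exempt}
    return True  # no applicable exemption entry

if __name__ == "__main__":
    page_appid = "{b5dcb061-cefb-42e0-a1be-e6a6438133fe}"  # format example from the text
    gp = {page_appid: 0, "b5dcb061-cefb": 1}  # second entry is constructed and malformed
    print(entries_to_review(gp))
    print(check_enforced(page_appid, ENABLED, gp, ENABLED, {page_appid}))
```

Running the model over a planned exemption list before deployment shows which appids end up exempt and which entries would be stored but never take effect as intended.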
Deny delegating fresh credentials
This policy setting applies to applications using the CredSSP component (for example: Remote Desktop Connection). If you enable this policy setting, you can specify the servers to which the user’s fresh credentials cannot be delegated (fresh credentials are those that you are prompted for when executing the application). If you disable or do not configure this policy setting (the default), it does not specify any server. Note: The “Deny delegating fresh credentials” policy setting can be set to one or more Service Principal Names (SPNs). The SPN represents the target server to which the user credentials cannot be delegated. The use of a single wildcard character is permitted when specifying the SPN. For example:
TERMSRV/host.humanresources.fabrikam.com - Remote Desktop Session Host running on the host.humanresources.fabrikam.com machine
TERMSRV/* - Remote Desktop Session Host running on all machines
TERMSRV/*.humanresources.fabrikam.com - Remote Desktop Session Host running on all machines in .humanresources.fabrikam.com
This policy setting can be used in combination with the “Allow delegating fresh credentials” policy setting to define exceptions for specific servers that are otherwise permitted when using wildcard characters in the “Allow delegating fresh credentials” server list.