Turn off Autoplay

This policy setting allows you to turn off the Autoplay feature. Autoplay begins reading from a drive as soon as you insert media in the drive. As a result, the setup file of programs and the music on audio media start immediately. Prior to Windows XP SP2, Autoplay is disabled by default on removable drives, such as the floppy disk drive (but not the CD-ROM drive), and on network drives. Starting with Windows XP SP2, Autoplay is enabled for removable drives as well, including Zip drives and some USB mass storage devices. If you enable this policy setting, Autoplay is disabled on CD-ROM and removable media drives, or disabled on all drives. This policy setting disables Autoplay on additional types of drives. You cannot use this setting to enable Autoplay on drives on which it is disabled by default. If you disable or do not configure this policy setting, AutoPlay is enabled. Note: This policy setting appears in both the Computer Configuration and User Configuration folders. If the policy settings conflict, the policy setting in Computer Configuration takes precedence over the policy setting in User Configuration.

Prevent AutoPlay from remembering user choices.

This policy setting allows you to prevent AutoPlay from remembering the user’s choice of what to do when a device is connected. If you enable this policy setting, AutoPlay prompts the user to choose what to do when a device is connected. If you disable or do not configure this policy setting, AutoPlay remembers the user’s choice of what to do when a device is connected.

Set the default behavior for AutoRun

This policy setting sets the default behavior for Autorun commands. Autorun commands are generally stored in autorun.inf files. They often launch the installation program or other routines. Prior to Windows Vista, when media containing an autorun command is inserted, the system will automatically execute the program without user intervention. This creates a major security concern, as code may be executed without the user’s knowledge. The default behavior starting with Windows Vista is to prompt the user whether the autorun command is to be run. The autorun command is represented as a handler in the Autoplay dialog. If you enable this policy setting, an Administrator can change the default Windows Vista or later behavior for autorun to: a) completely disable autorun commands, or b) revert back to the pre-Windows Vista behavior of automatically executing the autorun command. If you disable or do not configure this policy setting, Windows Vista or later will prompt the user whether the autorun command is to be run.

Allow domain users to log on using biometrics

This policy setting determines whether users with a domain account can log on or elevate User Account Control (UAC) permissions using biometrics. By default, domain users cannot use biometrics to log on. If you enable this policy setting, domain users can log on to a Windows-based domain-joined computer using biometrics. Depending on the biometrics you use, enabling this policy setting can reduce the security of users who use biometrics to log on. If you disable or do not configure this policy setting, domain users are not able to log on to a Windows-based computer using biometrics. Note: Users who log on using biometrics should create a password recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.

Allow users to log on using biometrics

This policy setting determines whether users can log on or elevate User Account Control (UAC) permissions using biometrics. By default, local users will be able to log on to the local computer, but the “Allow domain users to log on using biometrics” policy setting will need to be enabled for domain users to log on to the domain. If you enable or do not configure this policy setting, all users can log on to a local Windows-based computer and can elevate permissions with UAC using biometrics. If you disable this policy setting, biometrics cannot be used by any users to log on to a local Windows-based computer. Note: Users who log on using biometrics should create a password recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.

Allow the use of biometrics

This policy setting allows or prevents the Windows Biometric Service from running on this computer. If you enable or do not configure this policy setting, the Windows Biometric Service is available and users can run applications that use biometrics on Windows. If you want to enable the ability to log on with biometrics, you must also configure the “Allow users to log on using biometrics” policy setting. If you disable this policy setting, the Windows Biometric Service is unavailable and users cannot use any biometric feature in Windows. Note: Users who log on using biometrics should create a password recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.

Include command line in process creation events

This policy setting determines what information is logged in security audit events when a new process has been created. This setting only applies when the Audit Process Creation policy is enabled. If you enable this policy setting, the command line information for every process will be logged in plain text in the security event log as part of the Audit Process Creation event 4688, “a new process has been created”, on the workstations and servers on which this policy setting is applied. If you disable or do not configure this policy setting, the process’s command line information will not be included in Audit Process Creation events. Default: Not configured. Note: When this policy setting is enabled, any user with access to read the security events will be able to read the command line arguments for any successfully created process. Command line arguments can contain sensitive or private information such as passwords or user data.

Turn on dynamic Content URI Rules for Windows store apps

This policy setting lets you turn on Content URI Rules to supplement the static Content URI Rules that were defined as part of the app manifest and apply to all Windows Store apps that use the enterpriseAuthentication capability on a computer. If you enable this policy setting, you can define additional Content URI Rules that all Windows Store apps that use the enterpriseAuthentication capability on a computer can use. If you disable or don’t set this policy setting, Windows Store apps will only use the static Content URI Rules.

Allow Microsoft accounts to be optional

This policy setting lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it. If you enable this policy setting, Windows Store apps that typically require a Microsoft account to sign in will allow users to sign in with an enterprise account instead. If you disable or do not configure this policy setting, users will need to sign in with a Microsoft account.

Turn off SwitchBack Compatibility Engine

This policy controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. Switchback is on by default. If you enable this policy setting, Switchback will be turned off. Turning Switchback off may degrade the compatibility of older applications. This option is useful for server administrators who require performance and are aware of the compatibility of the applications they are using. If you disable or do not configure this policy setting, Switchback will be turned on. Reboot the system after changing the setting to ensure that your system accurately reflects those changes.