Do not forcefully unload the users registry at user logoff

This policy setting controls whether Windows forcefully unloads the user’s registry at logoff, even if there are open handles to the per-user registry keys.

Note: This policy setting should only be used for cases where you may be running into application compatibility issues due to this specific Windows behavior. It is not recommended to enable this policy by default, as it may prevent users from getting an updated version of their roaming user profile.

If you enable this policy setting, Windows will not forcefully unload the user’s registry at logoff, but will unload the registry when all open handles to the per-user registry keys are closed.

If you disable or do not configure this policy setting, Windows will always unload the user’s registry at logoff, even if there are open handles to the per-user registry keys at user logoff.
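Before enabling this setting, it is worth knowing which applications actually keep per-user registry handles open at logoff. The following added script (not part of the policy text) reads the User Profile Service events that record forced unloads and tallies the offending processes; the event ID 1530, its provider name and the "Process <pid> (<image>) has opened key <key>" detail format are assumptions taken from Windows documentation, not from this page.

```powershell
# Added example: list processes that still held per-user registry handles when
# Windows forcefully unloaded the registry at logoff.
# Assumption: User Profile Service event 1530 ("Windows detected your registry
# file is still in use...") carries one "Process <pid> (<image>) has opened key
# <key>" line per leaked handle. Not from the policy description above.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-User Profiles Service'
    Id           = 1530
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    "No forced registry unloads (event 1530) on $ComputerName in the last $Days days."
    return
}

# One match per leaked handle; the image path is in NT device form, so only the
# file name is kept for grouping.
$pattern = 'Process\s+(?<Pid>\d+)\s+\((?<Image>[^)]+)\)\s+has opened key\s+(?<Key>\S+)'

$events |
    ForEach-Object {
        $time = $_.TimeCreated
        foreach ($m in [regex]::Matches($_.Message, $pattern)) {
            [pscustomobject]@{
                Time  = $time
                Image = Split-Path -Leaf $m.Groups['Image'].Value
                Pid   = [int]$m.Groups['Pid'].Value
                Key   = $m.Groups['Key'].Value
            }
        }
    } |
    Group-Object Image |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Image'; e = { $_.Name } }, Count,
                  @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time -Descending)[0].Time } } |
    Format-Table -AutoSize
```

Processes that appear here repeatedly are the ones whose behaviour this policy would accommodate; fixing the application (closing its handles at logoff) keeps the roaming profile updated without enabling the setting.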

Set maximum wait time for the network if a user has a roaming user profile or remote home directory

This policy setting controls how long Windows waits for a response from the network before logging on a user without a remote home directory and without synchronizing roaming user profiles. This policy setting is useful for cases in which a network typically takes longer to initialize, such as a wireless network.

Note: Windows doesn’t wait for the network if the physical network connection is not available on the computer (if the media is disconnected or the network adapter is not available).

If you enable this policy setting, Windows waits for the network to become available, up to the maximum wait time specified in this policy setting. Setting the value to zero causes Windows to proceed without waiting for the network.

If you disable or do not configure this policy setting, Windows waits for the network for a maximum of 30 seconds.

Set roaming profile path for all users logging onto this computer

This policy setting specifies whether Windows should use the specified network path as the roaming user profile path for all users logging onto this computer. To use this policy setting, type the path to the network share in the form \\Computername\Sharename\. It is recommended to use a path such as \\Computername\Sharename\%USERNAME% to give each user an individual profile folder. If not specified, all users logging onto this computer will use the same roaming profile folder as specified by this policy. You need to ensure that you have set the appropriate security on the folder to allow all users to access the profile.

If you enable this policy setting, all users logging on to this computer will use the roaming profile path specified in this policy.

If you disable or do not configure this policy setting, users logging on to this computer will use their local profile or standard roaming user profile.

Note: There are four ways to configure a roaming profile for a user. Windows reads profile configuration in the following order and uses the first configured policy setting it reads.
1. Terminal Services roaming profile path specified by Terminal Services policy
2. Terminal Services roaming profile path specified by the user object
3. A per-computer roaming profile path specified in this policy
4. A per-user roaming profile path specified in the user object

Set the schedule for background upload of a roaming user profile’s registry file while user is logged on

This policy setting sets the schedule for background uploading of a roaming user profile’s registry file (ntuser.dat). This policy setting controls only the uploading of a roaming user profile’s registry file (other user data and regular profiles are not uploaded) and uploads it only if the user is logged on. This policy setting does not stop the roaming user profile’s registry file from being uploaded at user logoff.

If “Run at set interval” is chosen, then an interval must be set, with a value of 1-720 hours. Once set, Windows uploads the profile’s registry file at the specified interval after the user logs on. For example, with a value of 6 hours, the registry file of the roaming user profile is uploaded to the server every six hours while the user is logged on.

If “Run at specified time of day” is chosen, then a time of day must be specified. Once set, Windows uploads the registry file at the same time every day, as long as the user is logged on.

For both scheduling options, there is a random one-hour delay attached per trigger to avoid overloading the server with simultaneous uploads. For example, if the settings dictate that the user’s registry file is to be uploaded at 6pm, it will actually upload at a random time between 6pm and 7pm.

Note: If “Run at set interval” is selected, the “Time of day” option is disregarded. Likewise, if “Run at set time of day” is chosen, the “Interval (hours)” option is disregarded.

If you enable this policy setting, Windows uploads the registry file of the user’s roaming user profile in the background, according to the schedule set here, while the user is logged on. Regular profiles are not affected.

If this setting is disabled or not configured, the registry file for a roaming user profile will not be uploaded in the background while the user is logged on.

User management of sharing user name account picture and domain information with apps (not desktop apps)

This setting prevents users from managing the ability to allow apps to access the user name, account picture and domain information.

If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options:

“Always on” – users will not be able to change this setting, and the user’s name and account picture will be shared with apps (not desktop apps). In addition, apps (not desktop apps) that have the enterprise authentication capability will also be able to retrieve the user’s UPN, SIP/URI and DNS.

“Always off” – users will not be able to change this setting, and the user’s name and account picture will not be shared with apps (not desktop apps). In addition, apps (not desktop apps) that have the enterprise authentication capability will not be able to retrieve the user’s UPN, SIP/URI and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources.

If you do not configure or disable this policy, the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources, if users choose to turn the setting off.

Turn off the advertising ID

This policy setting turns off the advertising ID, preventing apps from using the ID for experiences across apps.

If you enable this policy setting, the advertising ID is turned off. Apps can’t use the ID for experiences across apps.

If you disable or do not configure this policy setting, users can control whether apps can use the advertising ID for experiences across apps.

Download roaming profiles on primary computers only

This policy setting controls, on a per-computer basis, whether roaming profiles are downloaded on a user’s primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office.

To designate a user’s primary computers, an administrator must use management software or a script to add primary computer attributes to the user’s account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 2012 version of the Active Directory schema to function.

If you enable this policy setting and the user has a roaming profile, the roaming profile is downloaded on the user’s primary computer only.

If you disable or do not configure this policy setting and the user has a roaming profile, the roaming profile is downloaded on every computer that the user logs on to.
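The policy text says the primary computer attribute must be populated by a script; the following added example (not from the page or from Microsoft) does that with the ActiveDirectory module, checking the schema level first. The attribute name msDS-PrimaryComputer and the schema objectVersion of 56 for Windows Server 2012 are assumptions taken from Microsoft’s schema documentation, and the user and computer names are constructed placeholders.

```powershell
# Added example: designate a user's primary computers so that "Download roaming
# profiles on primary computers only" applies to them.
# Assumptions (not stated on this page): the multi-valued user attribute is
# msDS-PrimaryComputer, and the Windows Server 2012 schema has objectVersion 56.
Import-Module ActiveDirectory

$userName      = 'jdoe'                   # placeholder sAMAccountName
$computerNames = @('WKS-001', 'LT-017')   # placeholder computer names

# 1. The policy needs at least the Windows Server 2012 schema.
$schema = Get-ADObject -Identity (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
if ($schema.objectVersion -lt 56) {
    throw "Schema objectVersion $($schema.objectVersion) is below 56 (Windows Server 2012); extend the schema first."
}

# 2. Resolve the user and the computers up front, so a typo fails loudly
#    instead of silently leaving a machine undesignated.
$user = Get-ADUser -Identity $userName -Properties 'msDS-PrimaryComputer'
$computerDNs = foreach ($name in $computerNames) {
    (Get-ADComputer -Identity $name).DistinguishedName
}

# 3. Add only the computers not already listed: -Add of a value that is
#    already present fails with "attribute or value exists".
$existing = @($user.'msDS-PrimaryComputer')
$toAdd = @($computerDNs | Where-Object { $existing -notcontains $_ })
if ($toAdd.Count -gt 0) {
    Set-ADUser -Identity $user -Add @{ 'msDS-PrimaryComputer' = $toAdd }
}

# 4. Show the effective list. With the policy enabled, the roaming profile is
#    downloaded only on these computers.
(Get-ADUser -Identity $userName -Properties 'msDS-PrimaryComputer').'msDS-PrimaryComputer'
```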

Set user home folder

This policy setting allows you to specify the location and root (file share or local path) of a user’s home folder for a logon session.

If you enable this policy setting, the user’s home folder is configured to the specified local or network location, creating a new folder for each user name. To use this policy setting, in the Location list, choose the location for the home folder. If you choose “On the network”, enter the path to a file share in the Path box (for example, \\ComputerName\ShareName) and then choose the drive letter to assign to the file share. If you choose “On the local computer”, enter a local path (for example, C:\HomeFolder) in the Path box. Do not specify environment variables or ellipses in the path. Also, do not specify a placeholder for the user name, because the user name will be appended at logon.

Note: The Drive letter box is ignored if you choose “On the local computer” from the Location list. If you choose “On the local computer” and enter a file share, the user’s home folder will be placed in the network location without mapping the file share to a drive letter.

If you disable or do not configure this policy setting, the user’s home folder is configured as specified in the user’s Active Directory Domain Services account.

If the “Set Remote Desktop Services User Home Directory” policy setting is enabled, the “Set user home folder” policy setting has no effect.

Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)

This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of BitLocker Drive Encryption recovery information. This provides an administrative method of recovering data encrypted by BitLocker, to prevent data loss due to lack of key information. This policy setting is only applicable to computers running Windows Server 2008 or Windows Vista.

If you enable this policy setting, BitLocker recovery information is automatically and silently backed up to AD DS when BitLocker is turned on for a computer. This policy setting is applied when you turn on BitLocker.

Note: You might need to set up appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. More information about setting up AD DS backup for BitLocker is available on Microsoft TechNet.

BitLocker recovery information includes the recovery password and some unique identifier data. You can also include a package that contains a BitLocker-protected drive’s encryption key. This key package is secured by one or more recovery passwords and may help perform specialized recovery when the disk is damaged or corrupted.

If you select the option to “Require BitLocker backup to AD DS”, BitLocker cannot be turned on unless the computer is connected to the domain and the backup of BitLocker recovery information to AD DS succeeds. This option is selected by default to help ensure that BitLocker recovery is possible. If this option is not selected, AD DS backup is attempted, but network or other backup failures do not prevent BitLocker setup. Backup is not automatically retried, and the recovery password may not have been stored in AD DS during BitLocker setup.

If you disable or do not configure this policy setting, BitLocker recovery information is not backed up to AD DS.

Note: Trusted Platform Module (TPM) initialization might occur during BitLocker setup. Enable the “Turn on TPM backup to Active Directory Domain Services” policy setting in System\Trusted Platform Module Services to ensure that TPM information is also backed up.
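Because a failed backup is not retried, a practitioner wants a periodic check of which computers actually have recovery information in AD DS. The following added audit script (not from the page or from Microsoft) lists computers with no stored recovery password or with only stale entries; the msFVE-RecoveryInformation object class, its msFVE-RecoveryPassword attribute and its placement as a child of the computer object are assumptions taken from the BitLocker AD DS schema extension, and the OU path is a placeholder.

```powershell
# Added example: audit BitLocker recovery information stored in AD DS.
# Assumptions (not stated on this page): each backup creates a
# msFVE-RecoveryInformation object directly under the computer object, with the
# recovery password in msFVE-RecoveryPassword. Reading that attribute requires
# delegated rights on it. The search base is a constructed placeholder.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=corp,DC=example'   # placeholder OU
$staleDays  = 180

$computers = Get-ADComputer -Filter * -SearchBase $searchBase

$report = foreach ($c in $computers) {
    $query = @{
        Filter      = "objectClass -eq 'msFVE-RecoveryInformation'"
        SearchBase  = $c.DistinguishedName
        SearchScope = 'OneLevel'
        Properties  = 'whenCreated', 'msFVE-RecoveryPassword'
    }
    # Newest object first: its creation time is the last successful backup.
    $recovery = @(Get-ADObject @query | Sort-Object whenCreated -Descending)

    [pscustomobject]@{
        Computer      = $c.Name
        RecoveryCount = $recovery.Count
        LastBackup    = if ($recovery.Count -gt 0) { $recovery[0].whenCreated } else { $null }
        HasPassword   = [bool]($recovery | Where-Object { $_.'msFVE-RecoveryPassword' })
    }
}

# Computers without a stored password cannot be recovered from AD DS if the
# local recovery media is lost; entries older than $staleDays may predate a
# re-encryption and deserve a manual check. HasPassword is tested first so
# LastBackup is only compared when it is non-null.
$report |
    Where-Object { -not $_.HasPassword -or $_.LastBackup -lt (Get-Date).AddDays(-$staleDays) } |
    Sort-Object Computer |
    Format-Table Computer, RecoveryCount, LastBackup, HasPassword -AutoSize
```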

Choose how users can recover BitLocker-protected drives (Windows Server 2008 and Windows Vista)

This policy setting allows you to control whether the BitLocker Drive Encryption setup wizard can display and specify BitLocker recovery options. This policy is only applicable to computers running Windows Server 2008 or Windows Vista. This policy setting is applied when you turn on BitLocker.

Two recovery options can be used to unlock BitLocker-encrypted data in the absence of the required startup key information. The user can either type a 48-digit numerical recovery password or insert a USB flash drive containing a 256-bit recovery key.

If you enable this policy setting, you can configure the options that the setup wizard displays to users for recovering BitLocker-encrypted data. Saving to a USB flash drive will store the 48-digit recovery password as a text file and the 256-bit recovery key as a hidden file. Saving to a folder will store the 48-digit recovery password as a text file. Printing will send the 48-digit recovery password to the default printer. For example, not allowing the 48-digit recovery password will prevent users from being able to print or save recovery information to a folder.

If you disable or do not configure this policy setting, the BitLocker setup wizard will present users with ways to store recovery options.

Note: If Trusted Platform Module (TPM) initialization is needed during the BitLocker setup, TPM owner information will be saved or printed with the BitLocker recovery information.

Note: The 48-digit recovery password will not be available in FIPS-compliance mode.

Important: This policy setting provides an administrative method of recovering data encrypted by BitLocker, to prevent data loss due to lack of key information. If you do not allow both user recovery options, you must enable the “Store BitLocker recovery information in Active Directory Domain Services (Windows Server 2008 and Windows Vista)” policy setting to prevent a policy error.