Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider

This policy setting configures Microsoft Support Diagnostic Tool (MSDT) interactive communication with the support provider. MSDT gathers diagnostic data for analysis by support professionals. If you enable this policy setting, users can use MSDT to collect and send diagnostic data to a support professional to resolve a problem. By default, the support provider is set to Microsoft Corporation. If you disable this policy setting, MSDT cannot run in support mode and no data can be collected or sent to the support provider. If you do not configure this policy setting, MSDT support mode is enabled by default. No reboots or service restarts are required for this policy setting to take effect. Changes take effect immediately.

Hash Publication for BranchCache

This policy setting specifies whether a hash generation service generates hashes, also called content information, for data that is stored in shared folders. This policy setting must be applied to server computers that have the File Services role and both the File Server and the BranchCache for Network Files role services installed.

Policy configuration

Select one of the following:

- Not Configured. With this selection, hash publication settings are not applied to file servers. In the circumstance where file servers are domain members but you do not want to enable BranchCache on all file servers, you can specify Not Configured for this domain Group Policy setting and then configure local machine policy to enable BranchCache on individual file servers. Because the domain Group Policy setting is not configured, it will not overwrite the enabled setting that you use on individual servers where you want to enable BranchCache.
- Enabled. With this selection, hash publication is turned on for all file servers where Group Policy is applied. For example, if Hash Publication for BranchCache is enabled in domain Group Policy, hash publication is turned on for all domain member file servers to which the policy is applied. The file servers are then able to create content information for all content that is stored in BranchCache-enabled file shares.
- Disabled. With this selection, hash publication is turned off for all file servers where Group Policy is applied.

In circumstances where this policy setting is enabled, you can also select the following configuration options:

- Allow hash publication for all shared folders. With this option, BranchCache generates content information for all content in all shares on the file server.
- Allow hash publication only for shared folders on which BranchCache is enabled. With this option, content information is generated only for shared folders on which BranchCache is enabled. If you use this setting, you must enable BranchCache for individual shares in Share and Storage Management on the file server.
- Disallow hash publication on all shared folders. With this option, BranchCache does not generate content information for any shares on the computer and does not send content information to client computers that request content.

Require strict target SPN match on remote procedure calls

This policy setting allows you to configure this server so that Kerberos can decrypt a ticket that contains this system-generated SPN. When an application attempts to make a remote procedure call (RPC) to this server with a NULL value for the service principal name (SPN), computers running Windows 7 or later attempt to use Kerberos by generating an SPN. If you enable this policy setting, only services running as LocalSystem or NetworkService are allowed to accept these connections. Services running as identities different from LocalSystem or NetworkService might fail to authenticate. If you disable or do not configure this policy setting, any service is allowed to accept incoming connections by using this system-generated SPN.

Use forest search order

This policy setting defines the list of trusting forests that the Kerberos client searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the Kerberos client searches the forests in this list if it is unable to resolve a two-part SPN. If a match is found, the Kerberos client requests a referral ticket to the appropriate domain. If you disable or do not configure this policy setting, the Kerberos client does not search the listed forests to resolve the SPN. If the Kerberos client is unable to resolve the SPN because the name is not found, NTLM authentication might be used.

Use forest search order

This policy setting defines the list of trusting forests that the Key Distribution Center (KDC) searches when attempting to resolve two-part service principal names (SPNs). If you enable this policy setting, the KDC will search the forests in this list if it is unable to resolve a two-part SPN in the local forest. The forest search is performed by using a global catalog or name suffix hints. If a match is found, the KDC will return a referral ticket to the client for the appropriate domain. If you disable or do not configure this policy setting, the KDC will not search the listed forests to resolve the SPN. If the KDC is unable to resolve the SPN because the name is not found, NTLM authentication might be used. To ensure consistent behavior, this policy setting must be supported and set identically on all domain controllers in the domain.

Turn off Data Execution Prevention for HTML Help Executable

This policy setting allows you to exclude HTML Help Executable from being monitored by software-enforced Data Execution Prevention. Data Execution Prevention (DEP) is designed to block malicious code that takes advantage of exception-handling mechanisms in Windows by monitoring your programs to make sure that they use system memory safely. If you enable this policy setting, DEP for HTML Help Executable is turned off. This will allow certain legacy ActiveX controls to function without DEP shutting down HTML Help Executable. If you disable or do not configure this policy setting, DEP is turned on for HTML Help Executable. This provides an additional security benefit, but HTML Help stops if DEP detects system memory abnormalities.

Configure Scenario Execution Level

This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems. If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems. If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. The DPS can be configured with the Services snap-in to the Microsoft Management Console. No system restart or service restart is required for this policy setting to take effect: changes take effect immediately.

Short name creation options

These settings provide control over whether or not short names are generated during file creation. Some applications require short names for compatibility, but short names have a negative performance impact on the system. If you enable short names on all volumes, then short names will always be generated. If you disable them on all volumes, then they will never be generated. If you set short name creation to be configurable on a per-volume basis, then an on-disk flag will determine whether or not short names are created on a given volume. If you disable short name creation on all data volumes, then short names will only be generated for files created on the system volume.