Category: At least Windows Server 2012, Windows 8 or Windows RT
Do not display network selection UI
This policy setting allows you to control whether anyone can interact with the available networks UI on the logon screen. If you enable this policy setting, the PC’s network connectivity state cannot be changed without signing into Windows. If you disable or don’t configure this policy setting, any user can disconnect the PC from the network or can connect the PC to other available networks without signing into Windows.
Show first sign-in animation
This policy setting allows you to control whether users see the first sign-in animation when signing in to the computer for the first time. This applies to both the first user of the computer who completes the initial setup and users who are added to the computer later. It also controls if Microsoft account users will be offered the opt-in prompt for services during their first sign-in. If you enable this policy setting, Microsoft account users will see the opt-in prompt for services, and users with other accounts will see the sign-in animation. If you disable this policy setting, users will not see the animation and Microsoft account users will not see the opt-in prompt for services. If you do not configure this policy setting, the user who completes the initial Windows setup will see the animation during their first sign-in. If the first user had already completed the initial setup and this policy setting is not configured, users new to this computer will not see the animation. Note: The first sign-in animation will not be shown on Server, so this policy will have no effect.
Turn off Windows Location Provider
This policy setting turns off the Windows Location Provider feature for this computer. If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature. If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature.
Hash Version support for BranchCache
This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled. If you specify only one version that is supported, content information for that version is the only type that is generated by BranchCache, and it is the only type of content information that can be retrieved by client computers. For example, if you enable support for V1 hashes, BranchCache generates only V1 hashes and client computers can retrieve only V1 hashes.
Policy configuration. Select one of the following:
- Not Configured. With this selection, BranchCache settings are not applied to client computers by this policy setting. In this circumstance, which is the default, both V1 and V2 hash generation and retrieval are supported.
- Enabled. With this selection, the policy setting is applied and the hash version(s) that are specified in “Hash version supported” are generated and retrieved.
- Disabled. With this selection, both V1 and V2 hash generation and retrieval are supported.
In circumstances where this setting is enabled, you can also select and configure the following option:
Hash version supported:
- To support V1 content information only, configure “Hash version supported” with the value of 1.
- To support V2 content information only, configure “Hash version supported” with the value of 2.
- To support both V1 and V2 content information, configure “Hash version supported” with the value of 3.
Support compound authentication
This policy setting controls configuring the device’s Active Directory account for compound authentication. Support for providing compound authentication, which is used for access control, will require enough domain controllers in the resource account domains to support the requests. The Domain Administrator must configure the policy “Support Dynamic Access Control and Kerberos armoring” on all the domain controllers to support this policy. If you enable this policy setting, the device’s Active Directory account will be configured for compound authentication by the following options:
- Never: Compound authentication is never provided for this computer account.
- Automatic: Compound authentication is provided for this computer account when one or more applications are configured for Dynamic Access Control.
- Always: Compound authentication is always provided for this computer account.
If you disable this policy setting, Never will be used. If you do not configure this policy setting, Automatic will be used.
Fail authentication requests when Kerberos armoring is not available
This policy setting controls whether a computer requires that Kerberos message exchanges be armored when communicating with a domain controller. Warning: When a domain does not support Kerberos armoring by enabling “Support Dynamic Access Control and Kerberos armoring”, then all authentication for all its users will fail from computers with this policy setting enabled. If you enable this policy setting, the client computers in the domain enforce the use of Kerberos armoring in only authentication service (AS) and ticket-granting service (TGS) message exchanges with the domain controllers. Note: The Kerberos Group Policy “Kerberos client support for claims, compound authentication and Kerberos armoring” must also be enabled to support Kerberos armoring. If you disable or do not configure this policy setting, the client computers in the domain enforce the use of Kerberos armoring when possible, as supported by the target domain.
Disable revocation checking for the SSL certificate of KDC proxy servers
This policy setting allows you to disable the revocation check for the SSL certificate of the targeted KDC proxy server. If you enable this policy setting, the revocation check for the SSL certificate of the KDC proxy server is ignored by the Kerberos client. This policy setting should only be used in troubleshooting KDC proxy connections. Warning: When the revocation check is ignored, the server represented by the certificate is not guaranteed valid. If you disable or do not configure this policy setting, the Kerberos client enforces the revocation check for the SSL certificate. The connection to the KDC proxy server is not established if the revocation check fails.
Specify KDC proxy servers for Kerberos clients
This policy setting configures the Kerberos client’s mapping to KDC proxy servers for domains based on their DNS suffix names. If you enable this policy setting, the Kerberos client will use the KDC proxy server for a domain when a domain controller cannot be located based on the configured mappings. To map a KDC proxy server to a domain, enable the policy setting, click Show, and then map the KDC proxy server name(s) to the DNS name for the domain using the syntax described in the options pane. In the Show Contents dialog box, in the Value Name column, type a DNS suffix name. In the Value column, type the list of proxy servers using the appropriate syntax format. To view the list of mappings, enable the policy setting and then click the Show button. To remove a mapping from the list, click the mapping entry to be removed and then press the DELETE key. To edit a mapping, remove the current entry from the list and add a new one with different parameters. If you disable or do not configure this policy setting, the Kerberos client does not have KDC proxy server settings defined by Group Policy.
Kerberos client support for claims, compound authentication and Kerberos armoring
This policy setting controls whether a device will request claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication with domains that support these features. If you enable this policy setting, the client computers will request claims, provide information required to create compounded authentication, and armor Kerberos messages in domains which support claims and compound authentication for Dynamic Access Control and Kerberos armoring. If you disable or do not configure this policy setting, the client devices will not request claims, provide information required to create compounded authentication, or armor Kerberos messages. Services hosted on the device will not be able to retrieve claims for clients using Kerberos protocol transition.
Warning for large Kerberos tickets
This policy setting allows you to configure at what size Kerberos tickets will trigger the warning event issued during Kerberos authentication. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit for Kerberos tickets that trigger the warning events. If set too high, then authentication failures might be occurring even though warning events are not being logged. If set too low, then there will be too many ticket warnings in the log to be useful for analysis. This value should be set to the same value as the Kerberos policy “Set maximum Kerberos SSPI context token buffer size”, or the smallest MaxTokenSize used in your environment if you are not configuring using Group Policy. If you disable or do not configure this policy setting, the threshold value defaults to 12000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.