KDC support for claims, compound authentication and Kerberos armoring

This policy setting allows you to configure a domain controller to support claims and compound authentication for Dynamic Access Control and Kerberos armoring using Kerberos authentication.

If you enable this policy setting, client computers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application of this policy in the domain.

If you disable or do not configure this policy setting, the domain controller does not support claims, compound authentication or armoring.

If you configure the “Not supported” option, the domain controller does not support claims, compound authentication or armoring, which is the default behavior for domain controllers running Windows Server 2008 R2 or earlier operating systems.

Note: For the following options of this KDC policy to be effective, the Kerberos Group Policy “Kerberos client support for claims, compound authentication and Kerberos armoring” must be enabled on supported systems. If the Kerberos policy setting is not enabled, Kerberos authentication messages will not use these features.

If you configure “Supported”, the domain controller supports claims, compound authentication and Kerberos armoring. The domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring.

Domain functional level requirements

For the options “Always provide claims” and “Fail unarmored authentication requests”, when the domain functional level is set to Windows Server 2008 R2 or earlier, domain controllers behave as if the “Supported” option is selected.

When the domain functional level is set to Windows Server 2012, the domain controller advertises to Kerberos client computers that the domain is capable of claims and compound authentication for Dynamic Access Control and Kerberos armoring, and:
– If you set the “Always provide claims” option, it always returns claims for accounts and supports the RFC behavior for advertising flexible authentication secure tunneling (FAST).
– If you set the “Fail unarmored authentication requests” option, it rejects unarmored Kerberos messages.

Warning: When “Fail unarmored authentication requests” is set, client computers which do not support Kerberos armoring will fail to authenticate to the domain controller. To ensure this feature is effective, deploy enough domain controllers that support claims and compound authentication for Dynamic Access Control and are Kerberos armor-aware to handle the authentication requests. An insufficient number of domain controllers that support this policy results in authentication failures whenever Dynamic Access Control or Kerberos armoring is required (that is, the “Supported” option is enabled).

Impact on domain controller performance when this policy setting is enabled:
– Secure Kerberos domain capability discovery is required, resulting in additional message exchanges.
– Claims and compound authentication for Dynamic Access Control increase the size and complexity of the data in the message, which results in more processing time and a greater Kerberos service ticket size.
– Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors, which results in increased processing time but does not change the service ticket size.

Turn off access to the Store

This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any application on the computer, the user is given the choice to select a local application or use the Store service to find an application. If you enable this policy setting, the “Look for an app in the Store” item in the Open With dialog is removed. If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.

Enable Hotspot Authentication

This policy setting defines whether Wi-Fi hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support. If a Wi-Fi hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators. If you enable this policy setting, or if you do not configure this policy setting, Wi-Fi hotspots are automatically probed for WISPr protocol support. If you disable this policy setting, Wi-Fi hotspots are not probed for WISPr protocol support and users can only authenticate with Wi-Fi hotspots using a web browser.

Specify workplace connectivity wait time for policy processing

This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity and overrides any default or system-computed wait time. If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 that are configured for workplace connectivity.

Configure Direct Access connections as a fast network connection

This policy setting allows an administrator to define the Direct Access connection to be considered a fast network connection for the purposes of applying and updating Group Policy. When Group Policy detects the bandwidth speed of a Direct Access connection, the detection can sometimes fail to provide any bandwidth speed information. If Group Policy detects a bandwidth speed, Group Policy will follow the normal rules for evaluating whether the Direct Access connection is a fast or slow network connection. If no bandwidth speed is detected, Group Policy will default to a slow network connection. This policy setting gives the administrator the option to override the default of a slow network connection and instead default to a fast network connection in the case that no network bandwidth speed is determined. Note: When Group Policy detects a slow network connection, Group Policy will only process those client-side extensions configured for processing across a slow link (slow network connection). If you enable this policy, when Group Policy cannot determine the bandwidth speed across Direct Access, Group Policy will evaluate the network connection as a fast link and process all client-side extensions. If you disable this setting or do not configure it, Group Policy will evaluate the network connection as a slow link and process only those client-side extensions configured to process over a slow link.

Block clean-up of unused language packs

This policy setting controls whether the LPRemove task will run to clean up language packs that are installed on a machine but are not used by any users on that machine. If you enable this policy setting, language packs that are installed as part of the system image will remain installed even if they are not used by any user on that system. If you disable or do not configure this policy setting, language packs that are installed as part of the system image but are not used by any user on that system will be removed as part of a scheduled clean-up task.

Disallow copying of user input methods to the system account for sign-in

This policy prevents automatic copying of user input methods to the system account for use on the sign-in screen. The user is restricted to the set of input methods that are enabled in the system account. Note: this does not affect the availability of user input methods on the lock screen or with the UAC prompt. If the policy is Enabled, then the user will get only the input methods enabled for the system account on the sign-in page. If the policy is Disabled or Not Configured, then the user will be able to use input methods enabled for their user account on the sign-in page.