Category: At least Windows Vista
Ignore the default list of blocked TPM commands
This policy setting allows you to enforce or ignore the computer’s default list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer’s default list of blocked TPM commands and will block only those TPM commands specified by Group Policy or the local list. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running “tpm.msc”, navigating to the “Command Management” section, and making the “On Default Block List” column visible. The local list of blocked TPM commands is configured outside of Group Policy by running “tpm.msc” or through scripting against the Win32_Tpm interface. See the related policy setting to configure the Group Policy list of blocked TPM commands. If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list in addition to the commands in the Group Policy and local lists of blocked TPM commands.
Ignore the local list of blocked TPM commands
This policy setting allows you to enforce or ignore the computer’s local list of blocked Trusted Platform Module (TPM) commands. If you enable this policy setting, Windows will ignore the computer’s local list of blocked TPM commands and will block only those TPM commands specified by Group Policy or the default list. The local list of blocked TPM commands is configured outside of Group Policy by running “tpm.msc” or through scripting against the Win32_Tpm interface. The default list of blocked TPM commands is pre-configured by Windows. See the related policy setting to configure the Group Policy list of blocked TPM commands. If you disable or do not configure this policy setting, Windows will block the TPM commands found in the local list in addition to the commands in the Group Policy and default lists of blocked TPM commands.
Turn on TPM backup to Active Directory Domain Services
This policy setting allows you to manage the Active Directory Domain Services (AD DS) backup of Trusted Platform Module (TPM) owner information. TPM owner information includes a cryptographic hash of the TPM owner password. Certain TPM commands can only be run by the TPM owner; this hash authorizes the TPM to run those commands. If you enable this policy setting, TPM owner information will be automatically and silently backed up to AD DS when you use Windows to set or change a TPM owner password. With this policy setting enabled, a TPM owner password cannot be set or changed unless the computer is connected to the domain and the AD DS backup succeeds. If you disable or do not configure this policy setting, TPM owner information will not be backed up to AD DS. Note: You must first set up the appropriate schema extensions and access control settings on the domain before AD DS backup can succeed. Consult online documentation for more information about setting up Active Directory Domain Services for TPM. Note: The TPM cannot be used to provide enhanced security features for BitLocker Drive Encryption and other applications without first setting an owner. To take ownership of the TPM with an owner password, run “tpm.msc” and select the “Initialize TPM” action. Note: If the TPM owner information is lost or is not available, limited TPM management is still possible by running “tpm.msc” on the local computer.
Configure the list of blocked TPM commands
This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands blocked by Windows. If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is TPM_OwnerReadInternalPub and command number 170 is TPM_FieldUpgrade. To find the command number associated with each TPM command, run “tpm.msc” and navigate to the “Command Management” section. If you disable or do not configure this policy setting, only those TPM commands specified through the default or local lists may be blocked by Windows. The default list of blocked TPM commands is pre-configured by Windows. You can view the default list by running “tpm.msc”, navigating to the “Command Management” section, and making the “On Default Block List” column visible. The local list of blocked TPM commands is configured outside of Group Policy by running “tpm.msc” or through scripting against the Win32_Tpm interface. See the related policy settings to enforce or ignore the default and local lists of blocked TPM commands.
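The three TPM block-list settings above (ignore the default list, ignore the local list, and the Group Policy list) combine into one effective block state per command, and the policy text points at the Win32_Tpm interface as the scripting route. The following is an added example, not part of this policy reference, that reads that effective state through the documented Win32_Tpm.IsCommandBlocked method so an auditor can confirm what the resulting policy actually blocks. The function name, its parameters and the report shape are this example's own; the two command numbers used as defaults are the ones named in the policy text (129 = TPM_OwnerReadInternalPub, 170 = TPM_FieldUpgrade). Run it as an administrator on a machine with a TPM.

```powershell
# Added example: audit the effective TPM command block state via Win32_Tpm.
# Function name and output shape are this example's own (hypothetical), not Windows APIs.

function Test-TpmBlockedCommand {
    [CmdletBinding()]
    param(
        # TPM command ordinals to check. Defaults are the two ordinals named in the
        # policy text; pass others as seen in the tpm.msc "Command Management" view.
        [uint32[]]$CommandOrdinal = @(129, 170)
    )

    # Win32_Tpm lives in the MicrosoftTpm security namespace; one instance per TPM.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction Stop
    if (-not $tpm) {
        throw 'Win32_Tpm returned no instance (no TPM, or the TPM is disabled in firmware).'
    }

    foreach ($ordinal in $CommandOrdinal) {
        # IsCommandBlocked answers for the combined result of the default, local and
        # Group Policy lists, already taking the two "Ignore ... list" policies into account.
        $result = Invoke-CimMethod -InputObject $tpm -MethodName IsCommandBlocked `
                                   -Arguments @{ CommandOrdinal = $ordinal }

        [pscustomobject]@{
            CommandOrdinal = $ordinal
            Blocked        = [bool]$result.Blocked
            ReturnValue    = $result.ReturnValue   # 0 = success; anything else is a TPM/WMI error
        }
    }
}

# Usage: report the effective state for the default ordinals, then list any that
# an administrator expected the combined block lists to stop but that are still allowed.
$report = Test-TpmBlockedCommand
$report | Format-Table -AutoSize
$report | Where-Object { $_.ReturnValue -eq 0 -and -not $_.Blocked } |
    ForEach-Object { Write-Warning "TPM command $($_.CommandOrdinal) is NOT blocked on this computer." }
```

Because the method reports the combined outcome rather than any single list, it is the right check after a policy refresh: if a command you added to the Group Policy list still reports Blocked = False, look at whether the setting was applied at all, not at the default or local lists.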
Turn off the display of thumbnails and only display icons
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on the local computer. File Explorer displays thumbnail images by default. If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images. If you disable or do not configure this policy setting, File Explorer displays only thumbnail images.
Turn off the display of thumbnails and only display icons on network folders
This policy setting allows you to configure how File Explorer displays thumbnail images or icons on network folders. File Explorer displays thumbnail images on network folders by default. If you enable this policy setting, File Explorer displays only icons and never displays thumbnail images on network folders. If you disable or do not configure this policy setting, File Explorer displays only thumbnail images on network folders.
Do not allow supported Plug and Play device redirection
This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows Portable Devices, to the remote computer in a Remote Desktop Services session. By default, Remote Desktop Services allows redirection of supported Plug and Play devices. Users can use the More option on the Local Resources tab of Remote Desktop Connection to choose the supported Plug and Play devices to redirect to the remote computer. If you enable this policy setting, users cannot redirect their supported Plug and Play devices to the remote computer. If you disable or do not configure this policy setting, users can redirect their supported Plug and Play devices to the remote computer. Note: You can disable redirection of specific types of supported Plug and Play devices by using the Computer Configuration -> Administrative Templates -> System -> Device Installation -> Device Installation Restrictions policy settings.
Require use of specific security layer for remote (RDP) connections
This policy setting specifies whether to require the use of a specific security layer to secure communications between clients and RD Session Host servers during Remote Desktop Protocol (RDP) connections. If you enable this policy setting, all communications between clients and RD Session Host servers during remote connections must use the security method specified in this setting. The following security methods are available:
* Negotiate: The Negotiate method enforces the most secure method that is supported by the client. If Transport Layer Security (TLS) version 1.0 is supported, it is used to authenticate the RD Session Host server. If TLS is not supported, native Remote Desktop Protocol (RDP) encryption is used to secure communications, but the RD Session Host server is not authenticated.
* RDP: The RDP method uses native RDP encryption to secure communications between the client and the RD Session Host server. If you select this setting, the RD Session Host server is not authenticated.
* SSL (TLS 1.0): The SSL method requires the use of TLS 1.0 to authenticate the RD Session Host server. If TLS is not supported, the connection fails.
If you disable or do not configure this policy setting, the security method to be used for remote connections to RD Session Host servers is not specified at the Group Policy level.
Require user authentication for remote connections by using Network Level Authentication
This policy setting allows you to specify whether to require user authentication for remote connections to the RD Session Host server by using Network Level Authentication. This policy setting enhances security by requiring that user authentication occur earlier in the remote connection process. If you enable this policy setting, only client computers that support Network Level Authentication can connect to the RD Session Host server. To determine whether a client computer supports Network Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, look for the phrase “Network Level Authentication supported”. If you disable this policy setting, Network Level Authentication is not required for user authentication before allowing remote connections to the RD Session Host server. If you do not configure this policy setting, the local setting on the target computer will be enforced. On Windows Server 2012 and Windows 8, Network Level Authentication is enforced by default. Important: Disabling this policy setting provides less security because user authentication will occur later in the remote connection process.
Server authentication certificate template
This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate an RD Session Host server. A certificate is needed to authenticate an RD Session Host server when SSL (TLS 1.0) is used to secure communication between a client and an RD Session Host server during RDP connections. If you enable this policy setting, you need to specify a certificate template name. Only certificates created by using the specified certificate template will be considered when a certificate to authenticate the RD Session Host server is automatically selected. Automatic certificate selection only occurs when a specific certificate has not been selected. If no certificate can be found that was created with the specified certificate template, the RD Session Host server will issue a certificate enrollment request and will use the current certificate until the request is completed. If more than one certificate is found that was created with the specified certificate template, the certificate that will expire latest and that matches the current name of the RD Session Host server will be selected. If you disable or do not configure this policy, the certificate template name is not specified at the Group Policy level. By default, a self-signed certificate is used to authenticate the RD Session Host server. Note: If you select a specific certificate to be used to authenticate the RD Session Host server, that certificate will take precedence over this policy setting.
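The three RDP settings above (security layer, Network Level Authentication, and server certificate selection) all end up as properties of the RDP-Tcp listener, and the NLA description notes that when the policy is not configured the local setting on the target computer is what gets enforced. The following is an added example, not part of this policy reference, that reads those listener properties through the Win32_TSGeneralSetting WMI class and reports the weak combinations the descriptions warn about: the RDP security layer (server never authenticated) and NLA not required (user authentication happens later in the connection). The function name, its -Remediate switch and the findings format are this example's own; the value-to-name mapping follows the three methods listed in the security layer policy. Run it as an administrator on the RD Session Host.

```powershell
# Added example: audit (and optionally harden) the RDP-Tcp listener's local security settings.
# Function name, switch and report shape are this example's own (hypothetical), not Windows APIs.

function Get-RdpSecurityPosture {
    [CmdletBinding()]
    param(
        # When set, raise the listener to TLS with NLA required. A Group Policy value,
        # where one is configured, still takes precedence over this local change.
        [switch]$Remediate
    )

    # SecurityLayer values as used by the listener, named as in the policy text.
    $layerName = @{ 0 = 'RDP'; 1 = 'Negotiate'; 2 = 'SSL (TLS 1.0)' }

    $listener = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                                -ClassName Win32_TSGeneralSetting `
                                -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($listener.SecurityLayer -eq 0) {
        $findings.Add('Security layer is RDP: the RD Session Host server is never authenticated to clients.')
    }
    if ($listener.SecurityLayer -eq 1) {
        $findings.Add('Security layer is Negotiate: clients without TLS fall back to unauthenticated RDP encryption.')
    }
    if ($listener.UserAuthenticationRequired -ne 1) {
        $findings.Add('Network Level Authentication is not required: user authentication occurs later in the connection.')
    }

    if ($Remediate -and $findings.Count -gt 0) {
        # Both Set* methods are documented Win32_TSGeneralSetting methods; values map to
        # "SSL (TLS 1.0)" and "required" respectively.
        Invoke-CimMethod -InputObject $listener -MethodName SetSecurityLayer `
                         -Arguments @{ SecurityLayer = [uint32]2 } | Out-Null
        Invoke-CimMethod -InputObject $listener -MethodName SetUserAuthenticationRequired `
                         -Arguments @{ UserAuthenticationRequired = [uint32]1 } | Out-Null
        $listener = Get-CimInstance -InputObject $listener   # re-read to report the new state
    }

    [pscustomobject]@{
        SecurityLayer          = $layerName[[int]$listener.SecurityLayer]
        NlaRequired            = ($listener.UserAuthenticationRequired -eq 1)
        # Thumbprint of the certificate currently bound to the listener (self-signed by
        # default unless a template or explicit certificate has selected another one).
        CertificateThumbprint  = $listener.SSLCertificateSHA1Hash
        Findings               = $findings.ToArray()
    }
}

# Usage: report only, then show how the same call hardens the listener when needed.
Get-RdpSecurityPosture | Format-List
# Get-RdpSecurityPosture -Remediate | Format-List
```

The certificate thumbprint is reported rather than judged, because the class does not say whether the bound certificate was chosen by the template policy, picked explicitly, or generated as the default self-signed certificate; compare it with the certificate you expect the template to have issued. If a Group Policy value is configured for either setting, the listener will reflect it after the next policy refresh regardless of what the -Remediate path wrote locally.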