Category: Windows Server 2008, Windows 7 and Windows Vista
Turn on Software Notifications
This policy setting allows you to control whether users see detailed enhanced notification messages about featured software from the Microsoft Update service. Enhanced notification messages convey the value and promote the installation and use of optional software. This policy setting is intended for use in loosely managed environments in which you allow the end user access to the Microsoft Update service. If you enable this policy setting, a notification message will appear on the user’s computer when featured software is available. The user can click the notification to open the Windows Update Application and get more information about the software or install it. The user can also click “Close this message” or “Show me later” to defer the notification as appropriate. In Windows 7, this policy setting will only control detailed notifications for optional applications. In Windows Vista, this policy setting controls detailed notifications for optional applications and updates. If you disable or do not configure this policy setting, Windows 7 users will not be offered detailed notification messages for optional applications, and Windows Vista users will not be offered detailed notification messages for optional applications or updates. By default, this policy setting is disabled. If you are not using the Microsoft Update service, then the Software Notifications policy setting has no effect. If the “Configure Automatic Updates” policy setting is disabled or is not configured, then the Software Notifications policy setting has no effect.
Enabling Windows Update Power Management to automatically wake up the system to install scheduled updates
Specifies whether Windows Update will use the Windows Power Management features to automatically wake up the system from hibernation if there are updates scheduled for installation. Windows Update will only automatically wake up the system if Windows Update is configured to install updates automatically. If the system is in hibernation when the scheduled install time occurs and there are updates to be applied, then Windows Update will use the Windows Power Management features to automatically wake the system up to install the updates. Windows Update will also wake the system up and install an update if an install deadline occurs. The system will not wake unless there are updates to be installed. If the system is on battery power when Windows Update wakes it up, it will not install updates and the system will automatically return to hibernation in 2 minutes.
Configure TPM platform validation profile (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
This policy setting allows you to configure how the computer’s Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection. If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive, and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive. If you disable or do not configure this policy setting, the TPM uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the Core Root of Trust of Measurement (CRTM), BIOS, and Platform Extensions (PCR 0), the Option ROM Code (PCR 2), the Master Boot Record (MBR) Code (PCR 4), the NTFS Boot Sector (PCR 8), the NTFS Boot Block (PCR 9), the Boot Manager (PCR 10), and the BitLocker Access Control (PCR 11). The descriptions of PCR settings for computers that use an Extensible Firmware Interface (EFI) are different than the PCR settings described for computers that use a standard BIOS. Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs.
Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2)
This policy setting allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. Consult the BitLocker Drive Encryption Deployment Guide on Microsoft TechNet for more information about the encryption methods available. This policy is only applicable to computers running Windows Server 2008, Windows Vista, Windows Server 2008 R2, or Windows 7. If you enable this policy setting, you will be able to choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives. If you disable or do not configure this policy setting, BitLocker will use the default encryption method of AES 128-bit with Diffuser or the encryption method specified by the setup script.
Turn off Tablet PC touch input
Turns off touch input, which allows the user to interact with their computer using their finger. If you enable this setting, the user will not be able to produce input with touch. They will not be able to use touch input or touch gestures such as tap and double tap, the touch pointer, and other touch-specific features. If you disable this setting, the user can produce input with touch by using gestures, the touch pointer, and other touch-specific features. If you do not configure this setting, touch input is on by default. Note: Changes to this setting will not take effect until the user logs off.
Prevent Flicks Learning Mode
Makes pen flicks learning mode unavailable. If you enable this policy, pen flicks are still available but learning mode is not. Pen flicks are off by default and can be turned on system-wide, but cannot be restricted to learning mode applications. This means that the pen flicks training triggers in Internet Explorer are disabled and that the pen flicks notification will never be displayed. However, pen flicks, the pen flicks tray icon, and pen flicks training (that can be accessed through CPL) are still available. Conceptually, this policy is a subset of the Disable pen flicks policy. If you disable or do not configure this policy, all the features described above will be available.
Prevent flicks
Makes pen flicks and all related features unavailable. If you enable this policy, pen flicks and all related features are unavailable. This includes: pen flicks themselves, pen flicks training, pen flicks training triggers in Internet Explorer, the pen flicks notification, and the pen flicks tray icon. If you disable or do not configure this policy, pen flicks and related features are available.