Group Policy

Applies To: Windows Server 2008

What does Group Policy do?

Group Policy provides an infrastructure for centralized configuration management of the operating system and applications that run on the operating system.

Who will be interested in this feature?

Group Policy is designed to benefit the following types of IT professionals:

  • IT professionals who need to manage users and computers in a domain environment

  • Dedicated Group Policy administrators

  • IT generalists

  • Support personnel

What new functionality does this feature provide?

Expanding on the foundation established in previous versions of the operating system, Group Policy in Windows Server® 2008 includes new features:

  • New categories of policy management

  • New format and functionality of Administrative template files (ADMX)

  • Starter Group Policy objects

  • Comments for GPOs and policy settings

  • Network Location Awareness

  • Preferences

Additionally, Windows Server 2008 provides enhancements to Group Policy:

  • Group Policy service

  • Events and logging

  • Multiple local Group Policy objects

  • Finding specific Administrative template policy settings

Finally, see:

  • Which policy settings are added or changed?

Are there any special considerations?

Group Policy is included in domain-based versions of Windows Server 2008. Although Group Policy is distributed with the operating system, you must install it as a feature through Server Manager.

Do I need to change any existing code?

If you have created custom Administrative templates specific to your environment using the ADM format, you can continue to use them in Windows Server 2008 without changing them to the ADMX format. However, you must change custom Administrative templates to the ADMX format if you want to use the multilanguage features.

If you have developed components to work with the Local Group Policy Editor or the Group Policy Management Console (GPMC), you might need to modify the components to work with new features in Windows Server 2008. For more information, see the Group Policy Software Development Kit (https://go.microsoft.com/fwlink/?LinkId=144).

How do I prepare to deploy this feature?

For information about deploying Group Policy, see the Group Policy TechCenter (https://go.microsoft.com/fwlink/?linkid=31191).

What new functionality does this feature provide?

Windows Server 2008 includes new categories of policy management, a new format for Administrative template files (ADMX) with increased functionality, Starter Group Policy objects, comments for GPOs and policy settings, Network Location Awareness, and preferences.

New categories of policy management

Group Policy in Windows Server 2008 provides new ways to manage your organization. The examples in this section demonstrate how you can use policy settings introduced in Windows Server 2008 to manage your resources in an enterprise.

Why are new categories of policy management important?

The new categories of policy management provide cost savings through power options, the ability to block device installation, improved security settings, expanded Internet Explorer settings management, the ability to assign printers based on location, and the ability to delegate printer driver installation to users.

Cost savings through power options

In Windows Server 2008, all power options can be managed through Group Policy, which could save organizations a significant amount of money. You can modify specific power options through individual Group Policy settings or build a custom power plan that is deployable by using Group Policy.

Ability to block device installation

In Windows Server 2008, you can centrally restrict devices from being installed on computers in your organization. You will now be able to create policy settings to control access to devices such as USB drives, CD-RW drives, DVD-RW drives, and other removable media.

Improved security settings

In Windows Server 2008, the firewall and IPsec Group Policy settings are combined to allow you to leverage the advantages of both technologies, while eliminating the need to create and maintain duplicate functionality. Some scenarios supported by these combined firewall and IPsec policy settings are secure server-to-server communications over the Internet, limiting access to domain resources based on trust relationships or health of a computer, and protecting data communication to a specific server to meet regulatory requirements for data privacy and security.

Expanded Internet Explorer settings management

In Windows Server 2008, you can open and edit Internet Explorer Group Policy settings without the risk of inadvertently altering the state of the policy setting based on the configuration of the administrative workstation. This change replaces earlier behavior in which some Internet Explorer policy settings would change based on the policy settings enabled on the administrative workstation used to view the settings.

Printer assignment based on location

The ability to assign printers based on location in the organization or a geographic location is a new feature in Windows Server 2008. In Windows Server 2008, you can assign printers based on site location. When mobile users move to a different location, Group Policy can update their printers for the new location. Mobile users returning to their primary locations see their usual default printers.

Printer driver installation delegated to users

In Windows Server 2008, administrators can now delegate to users the ability to install printer drivers by using Group Policy. This feature helps to maintain security by limiting distribution of administrative credentials.

What works differently?

In Windows Server 2008, there are changes to deploying power options, blocking device installation, security settings, Internet Explorer settings management, and printer settings management.

Deploying power options

For details, edit a Group Policy object (GPO) in the Group Policy Management Console (GPMC), and see the power options settings located under:

Computer Configuration

   └ Administrative Templates

      └ System

         └ Power Management

Blocking device installation

For details, edit a GPO in the GPMC, and see the device installation settings located under:

Computer Configuration

   └ Administrative Templates

      └ System

         └ Device Installation

Security settings

For details, edit a GPO in the GPMC, and see the security protection settings located under:

Computer Configuration

   └ Windows Settings

      └ Security Settings

         └ Windows Firewall with Advanced Security

Internet Explorer settings management

For details, edit a GPO in the GPMC, and see the policy settings for Internet Explorer located under:

Computer Configuration

   └ Administrative Templates

      └ Windows Components

         └ Internet Explorer

User Configuration

   └ Administrative Templates

      └ Windows Components

         └ Internet Explorer

Assigning printers based on location

For details, edit a GPO in the GPMC, and see the deployed printer connections policy settings located under:

Computer Configuration

   └ Windows Settings

      └ Deployed Printers

User Configuration

   └ Windows Settings

      └ Deployed Printers

Note

Group Policy will not automatically refresh the printer policy settings when a computer moves to a new site location. New printer assignments will be available after a Group Policy refresh following the site location change.

Delegating printer driver installation to users

For details, edit a GPO in the GPMC, and see the "Allow non-administrators to install drivers for these device classes" policy setting located under:

Computer Configuration

   └ Administrative Templates

      └ System

         └ Driver Installation

New format and functionality of Administrative template files (ADMX)

Administrative template files contain markup language that is used to describe registry-based Group Policy. First released in the Microsoft® Windows NT Server® 4.0 operating system, Administrative template files used a unique file format known as ADM files. In Windows Server 2008, these files are replaced by an XML-based file format known as ADMX files. These new Administrative template files make it easier to manage registry-based policy settings in Windows Vista and Windows Server 2008.

Why is the new format and functionality of Administrative template files important?

The new format includes multilanguage support, an optional centralized datastore, and version control capabilities. In Windows Server 2008, ADMX files are divided into language-neutral and language-specific resources, available to all Group Policy administrators. These factors allow Group Policy tools to adjust their user interface according to the administrator's configured language. Adding a new language to a set of policy definitions is achieved by ensuring that the language-specific resource file is available.

For example, a Group Policy administrator creates a Group Policy object (GPO) from a Windows Server 2008 administrative workstation configured for English. He saves the GPO and links it to the domain deployed across geographic boundaries. A colleague in Paris browses the same domain using GPMC and selects the GPO created in English. She can view and edit the policy settings in French. The original Group Policy administrator who created this GPO will still see all the settings in his native language of English, including the changes from the French administrator.

This table summarizes the new features of ADMX files.

Feature: XML-based policy definition files

Description: Administrative template files are replaced by an XML-based file format that incorporates multilanguage support and strong versioning.

Benefit:

  • Eases management of multilingual administrative environments, ensuring that Group Policy tools are displayed in the administrator's operating system language

  • Improves the administrative experience associated with managing registry-based policy settings while accommodating automated or fully manual change management processes

Feature: Central store of ADMX files

Description: The central store is a domain-wide directory created in the Sysvol.

Benefit: Reduces the need for additional storage and greater replication traffic resulting from increasing numbers of GPOs

Feature: Group Policy administrative tools read both ADMX and ADM files

Description: Group Policy administrative tools use the core operating system ADMX files from the local computer before the creation of the central store. In addition, the administrative tools can read any other ADM file stored locally or in a GPO. This ensures interoperability between administration from Windows Vista or Windows Server 2008 and administration from Windows 2000 or Windows Server 2003 platforms. Any policy settings that exist only in the ADMX files are available only from Windows Vista or Windows Server 2008.

Benefit: Ensures interoperability with earlier platforms for administering Group Policy
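A check that follows from the language-neutral and language-specific split described above, as an added example that is not part of the original page or of Microsoft's tooling: for each ADMX file in a policy definition store, it confirms that the ADML resource file exists for every language the administrators use and that it defines each $(string.id) the ADMX references. The function name and the culture list are assumptions; the default path is the local store under %SystemRoot%\PolicyDefinitions, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (hypothetical function name). Reports ADMX files whose
# language-specific ADML resource is missing or incomplete for a culture.
function Get-AdmxLanguageGap {
    [CmdletBinding()]
    param(
        # Local store by default. For a central store, pass the
        # PolicyDefinitions folder that lives in the domain's Sysvol.
        [string]$StorePath = (Join-Path $env:SystemRoot 'PolicyDefinitions'),

        # Cultures the administrators work in (constructed sample values).
        [string[]]$Culture = @('en-US', 'fr-FR')
    )

    if (-not (Test-Path -LiteralPath $StorePath -PathType Container)) {
        throw "Policy definition store not found: $StorePath"
    }

    # ADMX files refer to display text as $(string.SomeId).
    $refPattern = [regex]'\$\(string\.([^)]+)\)'

    foreach ($admx in Get-ChildItem -LiteralPath $StorePath -Filter '*.admx' -File) {
        # String ids the language-neutral file expects every ADML to define.
        $text   = [System.IO.File]::ReadAllText($admx.FullName)
        $wanted = @($refPattern.Matches($text) |
                    ForEach-Object { $_.Groups[1].Value } |
                    Sort-Object -Unique)

        foreach ($name in $Culture) {
            $admlPath = Join-Path (Join-Path $StorePath $name) ($admx.BaseName + '.adml')
            $present  = Test-Path -LiteralPath $admlPath -PathType Leaf
            $missing  = @()

            if ($present) {
                # Collect the ids defined in the ADML string table.
                $doc = New-Object System.Xml.XmlDocument
                $doc.Load($admlPath)
                $defined = @{}
                $xpath = "//*[local-name()='stringTable']/*[local-name()='string']"
                foreach ($node in $doc.SelectNodes($xpath)) {
                    $defined[$node.GetAttribute('id')] = $true
                }
                $missing = @($wanted | Where-Object { -not $defined.ContainsKey($_) })
            }

            # Emit a row only when this culture cannot fully render the file.
            if (-not $present -or $missing.Count -gt 0) {
                [pscustomobject]@{
                    Admx           = $admx.Name
                    Culture        = $name
                    AdmlPresent    = $present
                    MissingStrings = $missing
                }
            }
        }
    }
}

# Example run against the local store.
Get-AdmxLanguageGap | Format-Table -AutoSize
```

An empty result means every listed culture has a complete resource file for every ADMX file in the store.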

How should I prepare for this change?

You can convert existing ADM files to the ADMX format using the ADMX Migrator Tool (https://go.microsoft.com/fwlink?LinkID=77409). You can also use this tool to edit ADMX files.

Starter Group Policy objects

Group Policy in Windows Server 2008 provides the ability to create Starter Group Policy objects. Using a Starter GPO, you can store a collection of Administrative template policy settings in a single object and incorporate those policy settings into new GPOs.

Why are Starter GPOs important?

You can import and export Starter GPOs, so you can distribute them to other environments. When you create a new GPO from a Starter GPO, the new GPO includes all of the Administrative template policy settings and their values defined in the Starter GPO.

What works differently?

Rather than recreate a configuration of common Administrative template policy settings in each new GPO, you can create a Starter GPO using the GPMC, configure Administrative template policy settings that you want to use in multiple GPOs, and then create GPOs from that Starter GPO. Any comments included in a Starter GPO are automatically included in GPOs created from that Starter GPO.

To use the Starter GPO in another environment, you export it by saving it as a cabinet file. After transferring it to the other environment, you import it by loading the cabinet file.

Comments for GPOs and policy settings

Group Policy in Windows Server 2008 provides the option to add comments at the GPO level and at the policy setting level for Administrative templates.

Why are comments important?

To support an enterprise organization, you may create many GPOs and configure complex combinations of policy settings. You can use comments to document the purpose of a GPO and the configuration of a particular policy setting.

What works differently?

The Comment tab is displayed when you edit a GPO and view the properties of the GPO or an Administrative template policy setting.

Network Location Awareness

Network Location Awareness allows Group Policy to respond better to changing network conditions. One benefit of the Network Location Awareness feature is the end of the reliance on the ICMP protocol (PING) for policy application.

Network Location Awareness ensures that client computers are both aware of and responsive to changing network conditions and resource availability. With Network Location Awareness, Group Policy has access to resource detection and event notification capabilities in the operating system, such as recovery from hibernation or standby, establishment of VPN sessions, and moving in or out of a wireless network.

Why is Network Location Awareness important?

Network Location Awareness provides these benefits:

  • Startup times for the workstation or server will improve. Network Location Awareness provides an accurate indicator to Group Policy of when the network is ready. Group Policy will also be able to determine if the adapter is disabled or disconnected, enabling Group Policy to shorten its wait time for those scenarios in which the network will not be available.

  • The Group Policy client will apply policy settings whenever domain controller availability returns. Examples of connection events that trigger Group Policy processing include establishing VPN sessions, recovering from hibernation or standby, and the docking of a laptop. This benefit can potentially increase the level of security on the workstation by more quickly applying Group Policy changes.

  • The Group Policy client will use Network Location Awareness for bandwidth determination and removing the reliance on the ICMP protocol (PING). This benefit allows organizations to secure their networks with firewalls, filter the ICMP protocol, and apply Group Policy.

  • New Group Policy settings provide administrators with more control over computer boot processing scenarios.

What works differently?

The following scenarios show how network location awareness can improve policy application and processing.

Connecting over Virtual Private Networks (VPN)

Network Location Awareness allows you to make changes to policy settings and ensure that they are applied efficiently to mobile users.

When mobile users connect to the corporate network, the Group Policy client will detect the availability of a domain controller. If the Group Policy refresh cycle has elapsed or the previous policy application has failed, Group Policy will initiate a background refresh over the VPN connection, updating both the computer and user policy. There is no need to reboot or log off before connecting to the corporate network over a VPN.

Ability to process Group Policy through a firewall filtering ICMP

Group Policy processes even if you have removed the ability for computers to respond to the ICMP protocol (PING). In the past, Group Policy settings would fail in this situation because slow link detection relied on ICMP. The Group Policy client in Windows Server 2008 now utilizes Network Location Awareness to determine the network bandwidth and successfully continues to process Group Policy.

Preferences

Preferences provide more than twenty Group Policy extensions that expand the range of configurable preference settings within a Group Policy object. Group Policy preferences allow you to manage drive mappings, registry settings, local users and groups, services, files, and folders without the need to learn a scripting language.

Why are preferences important?

You can use preference items to reduce scripting and system imaging, standardize management, and better secure your networks. Using preference targeting, you can streamline desktop management by reducing the number of Group Policy objects needed.

What works differently?

Domain-based Group Policy for Windows Server 2008 includes a Preferences node under the Computer Configuration and User Configuration nodes. The user interface for most preference items is similar to the Windows settings and Control Panel settings they configure, making configuration intuitive for Group Policy administrators.

Unlike policy settings, preference items do not exist until a Group Policy administrator creates them, and each preference item contains multiple properties. You can create and modify multiple preference items within each GPO, and you can filter each preference item to target only specific computers or users.

| Preference Extension | Effect of Preference Item | Scope of Preference Item |
| --- | --- | --- |
| Applications | Configures settings for a specific version of an application | Users to whom the preference item applies |
| Data Sources | Configures an ODBC system or other user data source | Computers or users to whom the preference item applies |
| Devices | Enables or disables a class or type of hardware device | Computers or users to whom the preference item applies |
| Drive Maps | Creates, configures, or deletes dynamic drive mapping | Users to whom the preference item applies |
| Environment | Creates, modifies, or deletes a persistent user or system environment variable | Computers or users to whom the preference item applies |
| Files | Copies or replaces files and configures their attributes, or deletes files | Computers or users to whom the preference item applies |
| Folder Options | Modifies Folder Options in Windows Explorer, associates a file name extension with a particular program, or associates a file name extension with a particular class of files | Computers (File Type items only) or users (Folder Options and Open With items only) to whom the preference item applies |
| Folders | Creates folders and configures their attributes, or deletes folders and their contents | Computers or users to whom the preference item applies |
| Ini Files | Creates or changes a property/value pair in an .ini or .inf file, or deletes part or all of an .ini or .inf file | Computers or users to whom the preference item applies |
| Internet Settings | Modifies Internet settings | Computers or users to whom the preference item applies |
| Local Users and Groups | Creates, modifies or deletes local users (performing tasks such as setting passwords) or local security groups (performing tasks such as creating restricted groups and modifying the list of members). | Computers or users to whom the preference item applies |
| Network Options | Creates, modifies, or deletes a virtual private network (VPN) or dial-up network connection | Computers or users to whom the preference item applies |
| Network Shares | Creates, modifies, or deletes a share. Can configure Access-Based Enumeration | Computers to which the preference item applies |
| Power Options | Configures power options, either modifying power options or creating, modifying, or deleting a power scheme | Computers or users to whom the preference item applies |
| Printers | Creates, modifies, or deletes a local, shared, or TCP/IP printer connection | Computers (local or TCP/IP printers only) or users to whom the preference item applies |
| Regional Options | Configures how most programs format numbers, currencies, dates, and times for end users | Users to whom the preference item applies |
| Registry | Creates, modifies, or deletes a setting in the Windows registry | Computers or users to whom the preference item applies |
| Scheduled Tasks | Creates, modifies, or deletes a scheduled task or an immediate task in the Control Panel | Computers or users to whom the preference item applies |
| Services | Modifies an operating system service | Computers to which the preference item applies |
| Shortcuts | Creates, modifies, or deletes a shortcut to a file system object (such as a file, folder, drive, share, or computer), a shell object (such as a printer, Desktop item, or Control Panel item), or a URL (such as a Web page or an FTP site) | Computers or users to whom the preference item applies |
| Start Menu | Modifies the look and feel of the Start menu | Users to whom the preference item applies |

You can use item-level targeting to change the scope of individual preference items, so they apply only to selected users or computers. Within a single GPO, you can include multiple preference items, each customized for selected users or computers and each targeted to apply settings only to the relevant users or computers. You can apply the following targeting items to preference items:

  • Battery Present

  • Computer Name

  • CPU Speed

  • Date Match

  • Dial-Up Connection

  • Disk Space

  • Domain

  • Environment Variable

  • File Match

  • IP Address Range

  • Language

  • LDAP Query

  • MAC Address Range

  • MSI Query

  • Operating System

  • Organizational Unit

  • PCMCIA Present

  • Portable Computer

  • Processing Mode

  • RAM

  • Registry Match

  • Security Group

  • Site

  • Terminal Session

  • Time Range

  • User

  • WMI Query

Additionally, you can apply multiple targeting items to a preference item and select the logical operation (AND or OR) by which to combine each targeting item with the preceding one. Using targeting collections, you can also create parenthetical expressions.

What existing functionality is changing?

Windows Server 2008 includes improvements to the GPMC, Group Policy service, events and logging, multiple local Group Policy objects, and more options for finding Administrative template policy settings.

Group Policy service

The Group Policy infrastructure is improved with complete isolation from Winlogon, delivering a new architecture for how Group Policy performs notification and processing.

Why is this change important?

The new Group Policy service provides better reliability for Windows and Group Policy, and includes these additional benefits:

  • Microsoft can deliver new Group Policy files, which can be updated without requiring a restart of the operating system.

  • The application of policy is more efficient because of the reduction of resources used for background processing.

  • A performance increase and a reduction in memory usage are results of the new design. These changes eliminate the need to load Group Policy functionality in multiple services.

Events and logging

The Group Policy infrastructure has changed significantly in Windows Server 2008. Group Policy processing no longer exists within the Winlogon process but is hosted as its own service. Additionally, the Group Policy engine no longer relies on the trace logging found in userenv.dll.

Why is this change important?

Much of the troubleshooting for Group Policy in earlier versions of Windows relied on logging being enabled inside the component userenv.dll. This created a log file named userenv.log in the %WINDIR%\Debug\Usermode folder. This log file contained function trace statements with supporting data. In addition, profile load and unload functions shared this log file, sometimes making the log difficult to interpret. This log file, used in conjunction with the Resultant Set of Policy Microsoft Management Console (RSoP MMC), was the primary way to diagnose and resolve Group Policy problems.

In Windows Server 2008, Group Policy is treated as its own component with a new Group Policy Service, a stand-alone service that runs under the Svchost process for the purpose of reading and applying Group Policy. The new service includes changes to event reporting. Group Policy event messages, previously appearing in the application log, now appear in the system log. The event viewer lists these new messages with an event source of Microsoft-Windows-GroupPolicy. The Group Policy Operational log replaces previous userenv logging. The operational event log provides improved event messages specific to Group Policy processing.
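One way to read the two logs described above, as an added example that is not part of the original page: it groups Group Policy Operational events by the activity ID that ties one processing pass together and flags passes that logged warnings or errors, then lists problem events from the Microsoft-Windows-GroupPolicy source in the system log. The function names are hypothetical, and Windows PowerShell 3.0 or later is assumed.

```powershell
# Added example (hypothetical function names). Summarises Group Policy
# processing passes so that passes where policy failed to apply stand out.
function Get-GroupPolicyProcessingSummary {
    [CmdletBinding()]
    param([int]$Hours = 24)

    $since  = (Get-Date).AddHours(-$Hours)
    $events = @(Get-WinEvent -FilterHashtable @{
                    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
                    StartTime = $since
                } -ErrorAction SilentlyContinue)

    # Events written during one processing pass share an ActivityId.
    foreach ($pass in ($events | Group-Object -Property ActivityId)) {
        $ordered  = @($pass.Group | Sort-Object TimeCreated)
        # Level 1 = Critical, 2 = Error, 3 = Warning.
        $problems = @($ordered | Where-Object { 1, 2, 3 -contains $_.Level })

        $first = $null
        if ($problems.Count -gt 0) {
            $line  = ($problems[0].Message -split '\r?\n')[0]
            $first = '{0}: {1}' -f $problems[0].Id, $line
        }

        [pscustomobject]@{
            ActivityId   = $pass.Name
            Start        = $ordered[0].TimeCreated
            End          = $ordered[-1].TimeCreated
            Events       = $ordered.Count
            Problems     = $problems.Count
            FirstProblem = $first
        }
    }
}

function Get-GroupPolicySystemProblem {
    [CmdletBinding()]
    param([int]$Hours = 24)

    # Group Policy messages now land in the system log under this source.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-GroupPolicy'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { 1, 2, 3 -contains $_.Level } |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split '\r?\n')[0] } }
}

# Passes from the last two days that did not complete cleanly.
Get-GroupPolicyProcessingSummary -Hours 48 |
    Where-Object { $_.Problems -gt 0 } |
    Sort-Object Start |
    Format-Table Start, End, Events, Problems, FirstProblem -AutoSize

Get-GroupPolicySystemProblem -Hours 48 | Format-Table -AutoSize
```

A pass with problems means some settings, security settings included, may not have been applied on that computer, so those passes are the ones to follow up first.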

Multiple local Group Policy objects

Windows Server 2008 introduces greater flexibility in administering local Group Policy objects (LGPOs), providing the means to manage multiple LGPOs on a single computer. This increased flexibility eases managing environments that involve shared computing on a single computer, such as libraries or computer labs. In addition, in a workgroup each computer maintains its own policy settings. Multiple LGPOs may be assigned to local users or built-in groups. This feature will work with domain-based Group Policy or can be disabled through a Group Policy setting.

Why is this change important?

Multiple Local Group Policy gives you the flexibility to manage Group Policy based on built-in groups. For example, if you wanted to set up kiosk computers in a library, you could create tightly managed policy settings for built-in User groups and lightly managed policy settings for the built-in Administrator accounts. This approach allows patrons to use the Internet kiosk in a secure environment. Local administrators no longer have to explicitly disable or remove Group Policy settings that interfere with their ability to manage the workstation before performing administrative tasks. In addition, Windows Server 2008 administrators can turn off local Group Policy settings without having to explicitly enable domain-based Group Policy.

Finding specific Administrative template policy settings

Administrative templates are registry-based policy settings listed under the Administrative Templates node of both the Computer Configuration and User Configuration nodes when you edit a GPO in the GPMC. Windows Server 2008 provides a comprehensive list of Administrative template policy settings and new options for filtering and sorting the list of settings.

Why is this change important?

Windows Server 2008 provides many Administrative template policy settings. Filtering or sorting these settings can enable you to find a specific policy setting more quickly.

What works differently?

In Windows Server 2008, an All Settings node is displayed under the Administrative Templates node, providing a comprehensive list of all Administrative template policy settings, including both those in ADMX and ADM formats. You can sort this list alphabetically by setting name, state, comment, or path.

Additionally, you can filter the list of Administrative template settings using the options available when you right-click the All Settings node. When filtered, the list includes only policy settings in the ADMX format, and you can further restrict the list to include only policy settings:

  • That have been configured (or that have not been configured).

  • To which comments have been added (or to which comments have not been added).

  • That include specified keywords in the setting title, Explain text, or comments.

  • That are managed (or unmanaged).

Which policy settings are added or changed?

In Windows Server 2008, you can use Group Policy to centrally manage a greater number of features and component behaviors. The number of Group Policy settings has increased from approximately 1,700 in Windows Server 2003 with Service Pack 1 (SP1) to approximately 2,400 in Windows Server 2008.

This table summarizes new or expanded categories of Group Policy settings.

Group Policy Category Description Location of Group Policy Setting

Antivirus

Manages behavior for evaluating high-risk attachments.

User Configuration

   └ Administrative Templates

      └ Windows Components

         └ Attachment Manager

Background Intelligent Transfer Service (BITS)

Configures the BITS Neighbor Casting feature (new in Windows Vista and Windows Server 2008) to facilitate peer-to-peer file transfer within a domain.

Computer Configuration

   └ Administrative Templates

      └ Network

         └ Background Intelligent Transfer Service

Client Help

Determines where your users access Help systems that may include untrusted content. You can direct your users to Help or to local offline Help.

Computer Configuration

   └ Administrative Templates

      └ Online Assistance

User Configuration

   └ Administrative Templates

      └ Online Assistance

Deployed Printer Connections

Deploys a printer connection to a computer. This is useful when the computer is shared in a locked-down environment, such as a school, or when a user roams to a different location and needs to have a printer connected automatically.

Computer Configuration

   └ Windows Settings

      └ Deployed Printers

User Configuration

   └ Windows Settings

      └ Deployed Printers

Device Installation

Allows or denies a device installation, based upon the device class or ID.

Computer Configuration

   └ Administrative Templates

      └ System

         └ Device Installation

Disk Failure Diagnostic

Controls the level of information displayed by the disk failure diagnostic.

Computer Configuration

   └ Administrative Templates

      └ System

         └ Troubleshooting and Diagnostics

            └ Disk Diagnostic

DVD Video Burning

Customizes the video disc authoring experience.

Computer Configuration

   └ Administrative Templates

      └ Windows Components

         └ Import Video

User Configuration

   └ Administrative Templates

      └ Windows Components

         └ Import Video

Enterprise Quality of Service (QoS)

Alleviates network congestion issues by enabling central management of Windows Server 2008 network traffic. Without requiring changes to applications, you can define flexible policies to prioritize the Differentiated Services Code Point (DSCP) marking and throttle rate.

Computer Configuration

   └ Windows Settings

      └ Policy-based QoS

Hybrid Hard Disk

Configures the hybrid hard disk (with non-volatile cache) properties, allowing you to manage:

  • Use of non-volatile cache.

  • Startup and resume optimizations.

  • Solid state mode.

  • Power savings mode.

Computer Configuration

   └ Administrative Templates

      └ System

         └ Disk NV Cache

Internet Explorer 7

Replaces and expands the current settings in the Internet Explorer Maintenance extension to allow administrators the ability to read the current settings without affecting values.

Computer Configuration

   └ Administrative Templates

      └ Windows Components

         └ Internet Explorer

User Configuration

   └ Administrative Templates

      └ Windows Components

         └ Internet Explorer

Networking: Quarantine

Manages three components:

  • Health Registration Authority (HRA)

  • Internet Authentication Service (IAS)

  • Network Access Protection (NAP)

Computer Configuration

   └ Windows Settings

      └ Security Settings

         └ Network Access Protection

Networking: Wired Wireless

Applies a generic architecture for centrally managing existing and future media types.

Computer Configuration

   └ Windows Settings

      └ Security Settings

         └ Wired Network (IEEE 802.11) Policies

Computer Configuration

   └ Windows Settings

      └ Security Settings

         └ Wireless Network (IEEE 802.11) Policies

Power Options

Configures any power options in the Control Panel.

Computer Configuration

   └ Administrative Templates

      └ System

         └ Power Management

Removable Storage

Allows administrators to protect corporate data by limiting the data that can be read from and written to removable storage devices. Administrators can enforce restrictions on specific computers or users without relying on third-party products or disabling the buses.

Computer Configuration

   └ Administrative Templates

      └ System

         └ Removable Storage Access

User Configuration

   └ Administrative Templates

      └ System

         └ Removable Storage Access

Security Protection

Combines the management of both the Windows Firewall and IPsec technologies to reduce the possibility of creating conflicting rules. Administrators can specify which applications or ports to open and whether or not connections to those resources must be secure.

Computer Configuration

   └ Windows Settings

      └ Security Settings

         └ Windows Firewall with Advanced Security

Shell Application Management

Manages access to the toolbar, taskbar, Start menu, and icon displays.

User Configuration

   └ Administrative Templates

      └ Start Menu and Taskbar

Shell First Experience, Logon, and Privileges

Configures the logon experience to include expanded Group Policy settings in:

  • Roaming User Profiles.

  • Redirected folders.

  • Logon dialog screens.

User Configuration

   └ Administrative Templates

      └ Windows Components

Shell Sharing, Sync, and Roaming

Customizes:

  • Autorun for different devices and media.

  • Creation and removal of partnerships.

  • Synchronization schedule and behavior.

  • Creation and access to workspaces.

User Configuration

   └ Administrative Templates

      └ Windows Components

Shell Visuals

Configures the desktop display to include:

  • AERO Glass display.

  • New screen saver behavior.

  • Search and views.

User Configuration

   └ Administrative Templates

      └ Windows Components

Tablet PC

Configures Tablet PC to include:

  • Tablet Ink Watson and Personalization features.

  • Tablet PC desktop features.

  • Input Panel features.

  • Tablet PC touch input.

Computer Configuration

   └ Administrative Templates

      └ Windows Components

         └ Tablet PC

User Configuration

   └ Administrative Templates

      └ Windows Components

         └ Tablet PC

Terminal Services

Configures the following features to enhance the security, ease-of-use, and manageability of Terminal Services remote connections. You can:

  • Allow or prevent redirection of additional supported devices to the remote computer in a Terminal Services session.

  • Require the use of Transport Layer Security (TLS) 1.0 or native Remote Desktop Protocol (RDP) encryption, or negotiate a security method.

  • Require the use of a specific encryption level (FIPS Compliant, High, Client Compatible, or Low).

Computer Configuration

   └ Administrative Templates

      └ Windows Components

         └ Terminal Services

User Configuration

   └ Administrative Templates

      └ Windows Components

         └ Terminal Services

Troubleshooting and Diagnostics

Controls the diagnostic level, which ranges from automatically detecting and fixing problems to indicating to the user that assisted resolution is available, for:

  • Application issues.

  • Leak detection.

  • Resource allocation.

Computer Configuration

   └ Administrative Templates

      └ System

         └ Troubleshooting and Diagnostics

User Account Protection

Configures the properties of user accounts to:

  • Determine behavior for the elevation prompt.

  • Elevate the user account during application installs.

  • Identify the least-privileged user accounts.

  • Virtualize file and registry write failures to per-user locations.

Computer Configuration

   └ Windows Settings

      └ Security Settings

         └ Local Policies

            └ Security Options

Windows Error Reporting

Disables Windows Feedback either for Windows only or for all components. By default, Windows Feedback is turned on for all Windows components.

Computer Configuration

   └ Administrative Templates

      └ Windows Components

         └ Windows Error Reporting

User Configuration

   └ Administrative Templates

      └ Windows Components

         └ Windows Error Reporting