18 - Admin Templates (Computer)
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent enabling lock screen camera
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
18.1
18.1.1.2
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Control Panel\Personalization\Prevent enabling lock screen slide show
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanelDisplay.admx/adml that is included with the Microsoft Windows 8.1 & 2012 R2 Administrative Templates (or newer).
18.1.2
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow input personalization, but it was renamed to Allow users to enable online speech recognition services starting with the Windows 10 R1809 & Server 2019 Administrative Templates.
18.1.3
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Control Panel\Allow Online Tips
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ControlPanel.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).
18.2
In order to utilize LAPS, a minor Active Directory Schema update is required, and a Group Policy Client Side Extension (CSE) must be installed on each managed computer. When LAPS is installed, the file AdmPwd.dll must be present in the following location and registered in Windows (the LAPS AdmPwd GPO Extension / CSE installation does this for you):
C:\Program Files\LAPS\CSE\AdmPwd.dll
18.2.2
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\LAPS\Do not allow password expiration time longer than required by policy
Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS).
18.2.3
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\LAPS\Enable Local Admin Password Management
Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS).
18.2.4
To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Complexity option to Large letters + small letters + numbers + special characters:
Computer Configuration\Policies\Administrative Templates\LAPS\Password Settings
Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS).
18.2.5
To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Length option to 15 or more:
Computer Configuration\Policies\Administrative Templates\LAPS\Password Settings
Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS).
18.2.6
To establish the recommended configuration via GP, set the following UI path to Enabled, and configure the Password Age (Days) option to 30 or fewer:
Computer Configuration\Policies\Administrative Templates\LAPS\Password Settings
Note: This Group Policy path does not exist by default. An additional Group Policy template (AdmPwd.admx/adml) is required - it is included with Microsoft Local Administrator Password Solution (LAPS).
18.3
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Apply UAC restrictions to local accounts on network logons
Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link.
18.3.2
To establish the recommended configuration via GP, set the following UI path to Enabled: Disable driver (recommended):
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 client driver
Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link.
18.3.3
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Configure SMB v1 server
Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link.
18.3.4
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Enable Structured Exception Handling Overwrite Protection (SEHOP)
Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. More information is available at MSKB 956607: How to enable Structured Exception Handling Overwrite Protection (SEHOP) in Windows operating systems.
18.3.5
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\Limits print driver installation to Administrators
Note: This Group Policy path does not exist by default. An additional Group Policy template SecGuide.admx/adml is required - it is available from Microsoft at this link.
18.3.6
To establish the recommended configuration via GP, set the following UI path to Enabled: P-node (recommended):
Computer Configuration\Policies\Administrative Templates\MS Security Guide\NetBT NodeType configuration
Note: This change does not take effect until the computer has been restarted.
Note #2: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link. Please note that this setting is only available in the Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 (or newer) release of SecGuide.admx/adml, so if you previously downloaded this template, you may need to update it from a newer Microsoft baseline to get this new NetBT NodeType configuration setting.
18.3.7
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\MS Security Guide\WDigest Authentication (disabling may require KB2871997)
Note: This Group Policy path does not exist by default. An additional Group Policy template (SecGuide.admx/adml) is required - it is available from Microsoft at this link.
18.4
18.5
18.5.4
To establish the recommended configuration via GP, set the following UI path to Enabled: Allow DoH (configuring to Enabled: Require DoH also conforms to the benchmark):
Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Configure DNS over HTTPS (DoH) name resolution
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 10 Release 21H2 Administrative Templates (or newer).
18.5.4.2
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Network\DNS Client\Turn off multicast name resolution
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DnsClient.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.5.5
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Network\Fonts\Enable Font Providers
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
18.5.8
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Network\Lanman Workstation\Enable insecure guest logons
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template LanmanWorkstation.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
18.5.9
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Mapper I/O (LLTDIO) driver
Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.5.9.2
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Network\Link-Layer Topology Discovery\Turn on Responder (RSPNDR) driver
Note: This Group Policy path is provided by the Group Policy template LinkLayerTopologyDiscovery.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.5.10
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Network\Microsoft Peer-to-Peer Networking Services\Turn off Microsoft Peer-to-Peer Networking Services
Note: This Group Policy path is provided by the Group Policy template P2P-pnrp.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.5.11
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit installation and configuration of Network Bridge on your DNS domain network
Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.5.11.3
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Prohibit use of Internet Connection Sharing on your DNS domain network
Note: This Group Policy path is provided by the Group Policy template NetworkConnections.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.5.11.4
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Network\Network Connections\Require domain users to elevate when setting a network's location
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template NetworkConnections.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
18.5.14
To establish the recommended configuration via GP, set the following UI path to Enabled with the following paths configured, at a minimum:
\\*\NETLOGON RequireMutualAuthentication=1, RequireIntegrity=1
\\*\SYSVOL RequireMutualAuthentication=1, RequireIntegrity=1
Computer Configuration\Policies\Administrative Templates\Network\Network Provider\Hardened UNC Paths
Note: This Group Policy path does not exist by default. An additional Group Policy template (NetworkProvider.admx/adml) is required - it is included with the MS15-011 / MSKB 3000483 security update or with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
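One way to audit the Hardened UNC Paths setting on a host, as an added example that is not part of the benchmark text. It assumes the policy is stored as string values under HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths, a location this page does not state; the function names and the sample data are constructed for illustration.

```powershell
# Added example: audit CIS 18.5.14 (Hardened UNC Paths).
# Assumption (not stated on the page): the policy is stored as REG_SZ values under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths,
# one value per UNC path, with the flags as comma-separated name=value pairs.

$RequiredPaths = @('\\*\NETLOGON', '\\*\SYSVOL')
$RequiredFlags = @('RequireMutualAuthentication', 'RequireIntegrity')

# Parse "RequireMutualAuthentication=1, RequireIntegrity=1" into a hashtable.
function ConvertFrom-HardenedPathFlags {
    param([string]$Data)
    $flags = @{}
    foreach ($pair in ($Data -split ',')) {
        $name, $value = $pair.Trim() -split '=', 2
        if ($name) { $flags[$name.Trim()] = ([string]$value).Trim() }
    }
    return $flags
}

# Read the configured paths from the live registry (empty hashtable if the key is absent).
function Get-HardenedUncPaths {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    $result = @{}
    if (Test-Path $key) {
        $item = Get-Item -Path $key
        # Value names contain '*' and '\', so read them through the RegistryKey
        # object instead of Get-ItemProperty, which treats '*' as a wildcard.
        foreach ($name in $item.GetValueNames()) {
            $result[$name] = [string]$item.GetValue($name)
        }
    }
    return $result
}

# Report, per required path, which required flags are absent or not set to 1.
function Test-HardenedUncPaths {
    param([hashtable]$Configured)   # UNC path -> flag string
    foreach ($path in $RequiredPaths) {
        if (-not $Configured.ContainsKey($path)) {
            $missing = $RequiredFlags
        } else {
            $flags = ConvertFrom-HardenedPathFlags $Configured[$path]
            $missing = @($RequiredFlags | Where-Object { $flags[$_] -ne '1' })
        }
        [pscustomobject]@{
            Path      = $path
            Compliant = ($missing.Count -eq 0)
            Missing   = $missing -join ', '
        }
    }
}

# Constructed sample: NETLOGON is correct, SYSVOL lacks RequireIntegrity.
$sample = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1, RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1'
}
Test-HardenedUncPaths -Configured $sample | Format-Table -AutoSize

# On a Windows host, audit the live policy instead:
# Test-HardenedUncPaths -Configured (Get-HardenedUncPaths)
```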
18.5.19.2
To establish the recommended configuration, set the following Registry value to 0xff (255) (DWORD):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters:DisabledComponents
Note: This change does not take effect until the computer has been restarted.
Note #2: Although Microsoft does not provide an ADMX template to configure this registry value, a custom .ADM template (Disable-IPv6-Components-KB929852.adm) is provided in the CIS Benchmark Remediation Kit to facilitate its configuration. Be aware though that simply turning off the group policy setting in the .ADM template will not “undo” the change once applied. Instead, the opposite setting must be applied to change the registry value to the opposite state.
18.5.20
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Configuration of wireless settings using Windows Connect Now
Note: This Group Policy path is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.5.20.2
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Network\Windows Connect Now\Prohibit access of the Windows Connect Now wizards
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WindowsConnectNow.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.5.21
To establish the recommended configuration via GP, set the following UI path to Enabled: 3 = Prevent Wi-Fi when on Ethernet:
Computer Configuration\Policies\Administrative Templates\Network\Windows Connection Manager\Minimize the number of simultaneous connections to the Internet or a Windows Domain
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates. It was updated with a new Minimize Policy Options sub-setting starting with the Windows 10 Release 1903 Administrative Templates.
18.5.21.2
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Network\Windows Connection Manager\Prohibit connection to non-domain networks when connected to domain authenticated network
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WCM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.5.23.2
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template wlansvc.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
18.6
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\Printers\Allow Print Spooler to accept client connections
Note: This Group Policy path is provided by the Group Policy template printing2.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.6.2
To establish the recommended configuration via GP, set the following UI path to Enabled: Show warning and elevation prompt:
Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions: When installing drivers for a new connection
Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.6.3
To establish the recommended configuration via GP, set the following UI path to Enabled: Show warning and elevation prompt:
Computer Configuration\Policies\Administrative Templates\Printers\Point and Print Restrictions: When updating drivers for an existing connection
Note: This Group Policy path is provided by the Group Policy template Printing.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.7
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Start Menu and Taskbar\Turn off notifications network usage
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template WPN.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8
18.8.3
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Audit Process Creation\Include command line in process creation events
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AuditSettings.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
18.8.4
To establish the recommended configuration via GP, set the following UI path to Enabled: Force Updated Clients:
Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation\Encryption Oracle Remediation
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer).
18.8.4.2
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Credentials Delegation\Remote host allows delegation of non-exportable credentials
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredSsp.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
18.8.5
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
18.8.5.2
To establish the recommended configuration via GP, set the following UI path to Secure Boot and DMA Protection:
Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Select Platform Security Level
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
18.8.5.3
To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock:
Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Virtualization Based Protection of Code Integrity
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
18.8.5.4
To establish the recommended configuration via GP, set the following UI path to TRUE:
Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Require UEFI Memory Attributes Table
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
18.8.5.5
To establish the recommended configuration via GP, set the following UI path to Enabled with UEFI lock:
Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Credential Guard Configuration
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1511 Administrative Templates (or newer).
18.8.5.6
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Secure Launch Configuration
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer).
18.8.7.1.1
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices that match any of these device IDs
Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.7.1.2
To establish the recommended configuration via GP, set the following UI path to Enabled, and add PCI\CC_0C0A to the Device IDs list:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices that match any of these device IDs
Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.7.1.3
To establish the recommended configuration via GP, set the following UI path to Enabled, and check the Also apply to matching devices that are already installed. checkbox:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices that match any of these device IDs
Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.7.1.4
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes
Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.7.1.5
To establish the recommended configuration via GP, set the following UI path to Enabled, and add {d48179be-ec20-11d1-b6b8-00c04fa372a7}, {7ebefbc0-3200-11d2-b4c2-00a0C9697d07}, {c06ff265-ae09-48f0-812c-16753d7cba83}, and {6bdd1fc1-810f-11d0-bec7-08002be2092f} to the device setup classes list:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes
Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.7.1.6
To establish the recommended configuration via GP, set the following UI path to Enabled, and check the Also apply to matching devices that are already installed. checkbox:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Device Installation Restrictions\Prevent installation of devices using drivers that match these device setup classes
Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.7.2
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Device Installation\Prevent device metadata retrieval from the Internet
Note: This Group Policy path is provided by the Group Policy template DeviceInstallation.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates, or with the Group Policy template DeviceSetup.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.14
To establish the recommended configuration via GP, set the following UI path to Enabled: Good, unknown and bad but critical:
Computer Configuration\Policies\Administrative Templates\System\Early Launch Antimalware\Boot-Start Driver Initialization Policy
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template EarlyLaunchAM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.21
To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Do not apply during periodic background processing option to FALSE (unchecked):
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure registry policy processing
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.21.3
To establish the recommended configuration via GP, set the following UI path to Enabled, then set the Process even if the Group Policy objects have not changed option to TRUE (checked):
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Configure registry policy processing
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.21.4
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Continue experiences on this device
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template GroupPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
18.8.21.5
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Group Policy\Turn off background refresh of Group Policy
Note: This Group Policy path is provided by the Group Policy template GroupPolicy.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off access to the Store
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ICM.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.22.1.2
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off downloading of print drivers over HTTP
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.3
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off handwriting personalization data sharing
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template ShapeCollector.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
18.8.22.1.4
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off handwriting recognition error reporting
Note: This Group Policy path is provided by the Group Policy template InkWatson.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.5
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.6
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Internet download for Web publishing and online ordering wizards
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.7
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off printing over HTTP
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.8#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Registration if URL connection is referring to Microsoft.com
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.9#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Search Companion content file updates
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.10#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Order Prints" picture task
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.11#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the "Publish to Web" task for files and folders
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.12#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off the Windows Messenger Customer Experience Improvement Program
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.13#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Customer Experience Improvement Program
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.22.1.14#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Internet Communication Management\Internet Communication settings\Turn off Windows Error Reporting
Note: This Group Policy path is provided by the Group Policy template ICM.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.25#
To establish the recommended configuration via GP, set the following UI path to Enabled: Automatic:
Computer Configuration\Policies\Administrative Templates\System\Kerberos\Support device authentication using certificate
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Kerberos.admx/adml that is included with the Microsoft Windows 10 RTM (Release 1507) Administrative Templates (or newer).
18.8.26#
To establish the recommended configuration via GP, set the following UI path to Enabled: Block All:
Computer Configuration\Policies\Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template DmaGuard.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer).
18.8.27#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Locale Services\Disallow copying of user input methods to the system account for sign-in
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Globalization.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.28#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Logon\Block user from showing account details on sign-in
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
18.8.28.2#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not display network selection UI
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
18.8.28.3#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Logon\Do not enumerate connected users on domain-joined computers
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.28.4#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Logon\Enumerate local users on domain-joined computers
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.28.5#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off app notifications on the lock screen
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Logon.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.28.6#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn off picture password sign-in
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.28.7#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Logon\Turn on convenience PIN sign-in
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template CredentialProviders.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Turn on PIN sign-in, but it was renamed starting with the Windows 10 Release 1511 Administrative Templates.
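One way to verify on a host that the seven Logon settings above took effect, added here as an example that is not part of the benchmark text. The registry value names are the ones Logon.admx and CredentialProviders.admx write under HKLM\SOFTWARE\Policies\Microsoft\Windows\System; they do not appear on this page, and the function and variable names are illustrative.

```powershell
# Added example: audits the seven Logon settings listed above.
# Assumption: registry value names are those defined in Logon.admx and
# CredentialProviders.admx; they are not listed on this page.
$LogonPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

# For these policies, Enabled is stored as DWORD 1 and Disabled as DWORD 0.
$LogonBaseline = @(
    @{ Setting = 'Block user from showing account details on sign-in'; Name = 'BlockUserFromShowingAccountDetailsOnSignin'; Expected = 1 }
    @{ Setting = 'Do not display network selection UI'; Name = 'DontDisplayNetworkSelectionUI'; Expected = 1 }
    @{ Setting = 'Do not enumerate connected users on domain-joined computers'; Name = 'DontEnumerateConnectedUsers'; Expected = 1 }
    @{ Setting = 'Enumerate local users on domain-joined computers'; Name = 'EnumerateLocalUsers'; Expected = 0 }
    @{ Setting = 'Turn off app notifications on the lock screen'; Name = 'DisableLockScreenAppNotifications'; Expected = 1 }
    @{ Setting = 'Turn off picture password sign-in'; Name = 'BlockDomainPicturePassword'; Expected = 1 }
    @{ Setting = 'Turn on convenience PIN sign-in'; Name = 'AllowDomainPINLogon'; Expected = 0 }
)

function Test-LogonBaseline {
    param([string]$Key = $LogonPolicyKey)

    foreach ($item in $LogonBaseline) {
        # A missing key or value means the policy is Not Configured,
        # which is reported as non-compliant rather than skipped.
        $prop = Get-ItemProperty -Path $Key -Name $item.Name -ErrorAction SilentlyContinue
        $actual = if ($prop) { $prop.($item.Name) } else { $null }

        [pscustomobject]@{
            Setting   = $item.Setting
            Value     = $item.Name
            Expected  = $item.Expected
            Actual    = if ($null -eq $actual) { 'Not configured' } else { $actual }
            Compliant = ($null -ne $actual) -and ($actual -eq $item.Expected)
        }
    }
}

Test-LogonBaseline | Format-Table -AutoSize
```

Run it after Group Policy has refreshed on the target host. A row showing Actual as Not configured means the GPO has not reached the machine or the setting was left unset.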
18.8.31#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\OS Policies\Allow Clipboard synchronization across devices
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template OSPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer).
18.8.31.2#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\OS Policies\Allow upload of User Activities
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template OSPolicy.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer).
18.8.34.6#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Allow network connectivity during connected-standby (on battery)
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
18.8.34.6.2#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Allow network connectivity during connected-standby (plugged in)
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 10 Release 1607 & Server 2016 Administrative Templates (or newer).
18.8.34.6.3#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Allow standby states (S1-S3) when sleeping (on battery)
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.34.6.4#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Allow standby states (S1-S3) when sleeping (plugged in)
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.34.6.5#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Require a password when a computer wakes (on battery)
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.34.6.6#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Power Management\Sleep Settings\Require a password when a computer wakes (plugged in)
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template Power.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.36#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Remote Assistance\Configure Offer Remote Assistance
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.36.2#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Remote Assistance\Configure Solicited Remote Assistance
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RemoteAssistance.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.37#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Remote Procedure Call\Enable RPC Endpoint Mapper Client Authentication
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.37.2#
To establish the recommended configuration via GP, set the following UI path to Enabled: Authenticated:
Computer Configuration\Policies\Administrative Templates\System\Remote Procedure Call\Restrict Unauthenticated RPC clients
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template RPC.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.48.5#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template MSDT.admx/adml that is included with the Microsoft Windows 8.0 & Server 2012 (non-R2) Administrative Templates (or newer).
18.8.48.11#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Troubleshooting and Diagnostics\Windows Performance PerfTrack\Enable/Disable PerfTrack
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template PerformancePerftrack.admx/adml that is included with the Microsoft Windows 7 & Server 2008 R2 Administrative Templates (or newer).
18.8.50#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\User Profiles\Turn off the advertising ID
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template UserProfiles.admx/adml that is included with the Microsoft Windows 8.1 & Server 2012 R2 Administrative Templates (or newer).
18.8.53#
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Client
Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.
18.8.53.1.2#
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Administrative Templates\System\Windows Time Service\Time Providers\Enable Windows NTP Server
Note: This Group Policy path is provided by the Group Policy template W32Time.admx/adml that is included with all versions of the Microsoft Windows Administrative Templates.