How to make users ask for permission to access folders the Windows 8/Server 2012 way

-“I can’t access this folder.”
-“What’s the name of the folder you are trying to access?”
-“I don’t know… G something.”
-“…OK… can you tell me the name of a colleague who’s got access to the folder?”
-“Yes! There’s Peter, but I don’t know his last name.”
And thus the interrogation continues…

But wait! With Windows 8 and Server 2012 we can configure an Access-Denied Assistance message and let the user click a button to send us the information we need to manage access to the folder.
How neat is this:

The configured message on the Windows 8 Client
What the mail function looks like on the client

So basically, the user can request permission: you have configured a folder owner e-mail address and what information the mail will contain (such as the folder path) for a shared folder, and voilà, no back-and-forth needed from either side 🙂 Note that the request only notifies the folder owner; granting access is still a normal permission change on the folder.

Where to configure Request Assistance message for a share

The customized message specified for a share

And of course you can configure this with Group Policy to apply it to all files and folders:
Computer Configuration\Policies\Administrative Templates\System\Access-Denied Assistance
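The same configuration from PowerShell, as an added example that is not from the original post. It uses the FileServerResourceManager module that comes with the File Server Resource Manager role on Windows Server 2012. The share path, mail addresses and SMTP host are placeholders, and the [Original File Path] variable in the mail body is taken from FSRM's notification variable list, so check it against the list your FSRM console shows before relying on it.

```powershell
# Added example (not from the original post): enable Access-Denied Assistance
# server-wide, then point the "Request assistance" mail for one share at its owner.
# Addresses, SMTP host and share path are placeholders.
Import-Module FileServerResourceManager

# FSRM needs an SMTP relay and sender/admin addresses to send the request mail.
Set-FsrmSetting -SmtpServer 'smtp.corp.contoso.com' `
                -FromEmailAddress 'fsrm@corp.contoso.com' `
                -AdminEmailAddress 'fileadmins@corp.contoso.com'

# Server-wide Access-Denied Assistance: show the message, let the user request
# access, mail the folder owner, CC the admin, and log the event.
# [Original File Path] is an FSRM variable (verify the name in your console).
Set-FsrmAdrSetting -Event AccessDenied -Enabled $true -AllowRequests $true `
    -DisplayMessage 'You do not have access to this folder. Click "Request assistance" and the folder owner will be notified.' `
    -EmailMessage 'Access request for [Original File Path]. Please review and grant access if appropriate.' `
    -MailToOwner $true -MailCCAdmin $true -EventLog $true

# Per-folder owner: the "Folder Owner Email" management property on the shared path.
# Without it the request goes to the admin address only.
Set-FsrmMgmtProperty -Namespace 'D:\Shares\Finance' -Name 'FolderOwnerEmail' `
                     -Value 'peter.owner@corp.contoso.com'

# Verify what is in effect.
Get-FsrmAdrSetting -Event AccessDenied |
    Format-List Enabled, AllowRequests, MailToOwner, MailCCAdmin, EventLog
Get-FsrmMgmtProperty -Namespace 'D:\Shares\Finance' -Name 'FolderOwnerEmail'
```

The Group Policy setting under Access-Denied Assistance does the same thing centrally; whichever way you set it, the request mail only informs the owner, it does not change the ACL.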


Anyway, there are a LOT more (and I dare say it) awesome features that make life easier for both the user and the administrator when it comes to file and resource management, but that’s another day and another blog post. 🙂


Policies… and Windows 8?

With 2008, Vista, R2 and Windows 7, IPv6 is installed by default. There are a great many features Windows 7 uses that require IPv6, among them DirectAccess but also HomeGroups and Offline Files; that is worth bearing in mind.

Another thing that has landed on the agenda is the Windows 8 leak with version number 6.2.7955. There is not much new in the looks so far, but something I think has been “forgotten” in the discussion is the new policies that seem to be in the client if you look at the local policies.
I have compiled the new ones I found; some may disappear once 8 ships, who knows. I couldn’t be bothered to compile them in any other form than this list:

Offline Files: Remove "Work online" button
Prevents users from coming out of offline mode.
If you enable or do not configure this policy setting, the Work Online/Offline button will be displayed.
If you disable this policy setting, the Work Online/Offline button will not be displayed.
Configure the level of TPM owner authorization information available to the OS
This policy configures how much of the TPM owner authorization information is stored on the local computer in the registry. Depending on the amount of TPM owner authorization information stored locally, the OS and applications may be able to perform certain TPM actions which require TPM owner authorization. The pieces of TPM owner authorization the OS can store are the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob. The full TPM owner authorization value permits the OS to perform all TPM actions which require TPM owner authorization. An example is resetting the TPM’s anti-hammering logic designed to prevent the guessing of short PIN values protecting the usage of cryptographic keys. The TPM administrative delegation blob allows administrators or applications with administrative privileges to perform TPM actions like provisioning a system to prove what software ran during the boot process. The TPM administrative delegation blob is typically used to create keys when TPM-based applications are installed or provisioned. The TPM user delegation blob allows an application run by a standard user to create an identity key or a key which may be migrated. The TPM administrative and user delegation blobs may only be created with the full TPM owner authorization value.
OS-managed TPM auth level choices:
TpmAuthFull
TpmAuthAdminPlusUser
TpmAuthNone
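To see which of the three levels a machine actually ends up with, here is an added PowerShell check that is not from the original post. It reads the policy registry value HKLM\SOFTWARE\Policies\Microsoft\TPM\OSManagedAuthLevel (the value name and its 0 = None, 2 = Delegated, 4 = Full encoding are stated from memory of the shipped ADMX, so verify them against yours) and compares it with what Get-Tpm reports. The point for a defender follows from the policy text itself: at the full level the owner authorization sits in the registry, and whoever can read it there can reset the anti-hammering counter that protects short PINs.

```powershell
# Added example (not from the original post): report the effective
# "Configure the level of TPM owner authorization information available to the OS"
# setting next to what the TPM driver reports. The registry value name and its
# encoding are assumptions taken from the shipped policy; check your ADMX.
function Get-TpmOwnerAuthLevel {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'
    $levels = @{ 0 = 'None (TpmAuthNone)'; 2 = 'Delegated (TpmAuthAdminPlusUser)'; 4 = 'Full (TpmAuthFull)' }

    $item = Get-ItemProperty -Path $policyKey -Name OSManagedAuthLevel -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $policyConfigured = $false
        $policyLevel = 'Not configured (OS default applies)'
    } else {
        $policyConfigured = $true
        $value = [int]$item.OSManagedAuthLevel
        $policyLevel = if ($levels.ContainsKey($value)) { $levels[$value] } else { "Unknown value $value" }
    }

    # Get-Tpm is in the TrustedPlatformModule module (Windows 8 / Server 2012 and later); run elevated.
    $tpm = Get-Tpm

    [pscustomobject]@{
        PolicyConfigured    = $policyConfigured
        PolicyLevel         = $policyLevel
        ReportedAuthLevel   = $tpm.ManagedAuthLevel                      # level the OS is really using
        OwnerAuthInRegistry = -not [string]::IsNullOrEmpty($tpm.OwnerAuth) # full owner auth readable locally
        LockedOut           = $tpm.LockedOut                             # anti-hammering state the full auth can reset
    }
}

Get-TpmOwnerAuthLevel | Format-List
```

If OwnerAuthInRegistry is true on a machine where the policy says Delegated or None, the owner authorization was stored before the policy was applied; it is not removed retroactively, so clear it deliberately rather than assuming the policy did.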
Intranet Resources
Specifies resources on your intranet that are normally accessible to DirectAccess clients. Each entry is a string that identifies the type of resource and the location of the resource.
Each string can be one of the following types:
–  A DNS name or IPv6 address that NCA pings. The syntax is “PING:” followed by a fully qualified domain name (FQDN) that resolves to an IPv6 address, or an IPv6 address. Examples: PING:myserver.corp.contoso.com or PING:2002:836b:1::1.
Note: We recommend that you use FQDNs instead of IPv6 addresses wherever possible.
Important: At least one of the entries must be a PING: resource.
– A Uniform Resource Locator (URL) that NCA queries with a Hypertext Transfer Protocol (HTTP) request. The contents of the web page do not matter. The syntax is “HTTP:” followed by a URL. The host portion of the URL must resolve to an IPv6 address of a Web server or contain an IPv6 address. Examples: HTTP:http://myserver.corp.contoso.com/ or HTTP:http://2002:836b:1::1/.
– A Universal Naming Convention (UNC) path to a file that NCA checks for existence. The contents of the file do not matter. The syntax is “FILE:” followed by a UNC path. The ComputerName portion of the UNC path must resolve to an IPv6 address or contain an IPv6 address. Examples: FILE:\\myserver\myshare\test.txt or FILE:\\2002:836b:1::1\myshare\test.txt.
You must configure this setting to have complete NCA functionality.
IPsec Tunnel Endpoints
Specifies the IPv6 addresses of the endpoints of the Internet Protocol security (IPsec) tunnels that enable DirectAccess. NCA attempts to access the resources that are specified in the Corporate Resources setting through these configured tunnel endpoints.
By default, NCA uses the same DirectAccess server that the DirectAccess client computer connection is using. In default configurations of DirectAccess, there are typically two IPsec tunnel endpoints: one for the infrastructure tunnel and one for the intranet tunnel. You should configure one endpoint for each tunnel.
Each entry consists of the text PING: followed by the IPv6 address of an IPsec tunnel endpoint. Example: PING:2002:836b:1::836b:1.

You must configure this setting to have complete NCA functionality.
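Before pushing an Intranet Resources or IPsec Tunnel Endpoints list out by policy it is worth probing the entries from a client the same way NCA will. The following is an added PowerShell example, not from the original post: it parses the PING:/HTTP:/FILE: syntax described above, enforces the two rules the policy states (at least one PING: entry, and PING: targets must resolve to an IPv6 address), and runs the corresponding probe. Test-NcaResource is my helper, and the entry list is constructed from the policy's own examples rather than a real deployment.

```powershell
# Added example (not from the original post): parse NCA resource entries in the
# PING:/HTTP:/FILE: syntax and probe each one the way NCA does. The entry list at
# the bottom is constructed from the policy text's examples.
function Test-NcaResource {
    param([Parameter(Mandatory)][string[]]$Entry)

    if (-not ($Entry | Where-Object { $_ -match '^PING:' })) {
        Write-Warning 'NCA requires at least one PING: resource in the list.'
    }

    foreach ($e in $Entry) {
        # Split on the first colon only: the target itself may contain colons (IPv6 literals, URLs).
        $kind, $target = $e -split ':', 2
        $r = [ordered]@{ Entry = $e; Type = $kind.ToUpper(); Target = $target; Reachable = $false; Detail = '' }
        try {
            switch ($r.Type) {
                'PING' {
                    # NCA pings over IPv6, so the name has to resolve to an IPv6 address at all.
                    $v6 = [System.Net.Dns]::GetHostAddresses($target) |
                          Where-Object { $_.AddressFamily -eq 'InterNetworkV6' }
                    if (-not $v6) { throw "$target does not resolve to an IPv6 address" }
                    $r.Detail    = "IPv6 $($v6[0].IPAddressToString)"
                    $r.Reachable = [bool](Test-Connection -ComputerName $v6[0].IPAddressToString -Count 1 -Quiet -ErrorAction SilentlyContinue)
                }
                'HTTP' {
                    # Page content is irrelevant to NCA; a successful response is all that counts.
                    $resp = Invoke-WebRequest -Uri $target -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
                    $r.Reachable = ($resp.StatusCode -ge 200 -and $resp.StatusCode -lt 400)
                    $r.Detail    = "HTTP $($resp.StatusCode)"
                }
                'FILE' {
                    # NCA only checks that the file exists.
                    $r.Reachable = Test-Path -LiteralPath $target -PathType Leaf
                }
                default { $r.Detail = 'unknown resource type' }
            }
        } catch {
            $r.Detail = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

# Constructed list mirroring the examples in the policy text (not a real deployment).
$resources = @(
    'PING:myserver.corp.contoso.com',
    'PING:2002:836b:1::1',
    'HTTP:http://myserver.corp.contoso.com/',
    'FILE:\\myserver\myshare\test.txt'
)
Test-NcaResource -Entry $resources | Format-Table -AutoSize
```

Run it from a client that is on the DirectAccess tunnel; every row should come back Reachable, and a PING: row failing the IPv6-resolution check is the usual reason NCA reports the intranet as unreachable even though the tunnel is up. If you put an IPv6 literal in an HTTP: entry, Invoke-WebRequest needs it in brackets (http://[2002:836b:1::1]/).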

DirectAccess connectivity assistant
Specifies the string that appears for DirectAccess connectivity when the user clicks the Networking notification area icon. For example, you can specify “Contoso Intranet Access” for the DirectAccess clients of the Contoso Corporation.

If this setting is not configured, the string that appears for DirectAccess connectivity is “DirectAccess”.

Local Names ON
Specifies whether the user has Connect and Disconnect options for the DirectAccess entry when the user clicks the Networking notification area icon.
If the user clicks the Disconnect option, NCA removes the DirectAccess rules from the Name Resolution Policy Table (NRPT) and the DirectAccess client computer uses whatever normal name resolution is available to the client computer in its current network configuration, including sending all DNS queries to the local intranet or Internet DNS servers. Note that NCA does not remove the existing IPsec tunnels and users can still access intranet resources across the DirectAccess server by specifying IPv6 addresses rather than names.
The ability to disconnect allows users to specify single-label, unqualified names (such as “PRINTSVR”) for local resources when connected to a different intranet and for temporary access to intranet resources when network location detection has not correctly determined that the DirectAccess client computer is connected to its own intranet.
To restore the DirectAccess rules to the NRPT and resume normal DirectAccess functionality, the user clicks Connect.
Note: If the DirectAccess client computer is on the intranet and has correctly determined its network location, the Disconnect option has no effect because the rules for DirectAccess are already removed from the NRPT.

If this setting is not configured, users do not have Connect or Disconnect options.

Show DirectAccess Connectivity
Specifies whether an entry for DirectAccess connectivity appears when the user clicks the Networking notification area icon.
Set this to Disabled to prevent user confusion when you are just using DirectAccess to remotely manage DirectAccess client computers from your intranet and not providing seamless intranet access.

If this setting is not configured, the entry for DirectAccess connectivity appears.

Support Email Address
Specifies the e-mail address to be used when sending the log files that are generated by NCA to the network administrator.

When the user sends the log files to the Administrator, NCA uses the default e-mail client to open a new message with the support email address in the To: field of the message, then attaches the generated log files as a .cab file. The user can review the message and add additional information before sending the message.
Allow multiple simultaneous connections to the Internet or a Windows Domain
This policy restricts simultaneous connections to the Internet or a domain network. If there is at least one active connection to the Internet, a new automatic connection to the Internet will not be made; the same applies to domain networks. Manual connections are not affected by this policy. If there are multiple simultaneous connections to the Internet or a domain network (e.g., Ethernet plugged in while already connected to Wi-Fi), the less preferred connection (e.g., Wi-Fi) will be disconnected after the OS detects that it is no longer actively being used (network traffic over the less preferred connection drops below a certain threshold).
Prohibit connection to non-domain networks when connected to domain authenticated network
This policy restricts connection to non-domain networks when the computer is connected to a domain-authenticated network. If this policy is enabled, all automatic or manual connections to non-domain networks will be blocked when there is at least one active connection to the domain network. Similarly, when a non-domain connection exists, auto-connect to a domain connection will be blocked. For a manual connection that violates this policy, the existing connection will be disconnected to allow the manual connection to succeed, except when the existing connection is over Ethernet; in that situation the manual connection will be blocked.

Prohibit Connection to roaming Mobile Broadband networks
This policy restricts connection to Mobile Broadband networks when the client is registered on a roaming provider’s network. If this policy setting is enabled, all automatic and manual connection to the roaming network will be blocked until the client registers to the home provider network.

WLAN Media Cost
Set Cost
This policy setting configures the cost of WLAN connections on your local machine.
If you enable this policy setting, a drop-down list box presenting three cost values (Unrestricted, Fixed, Variable) will be active. You can choose one of the values to set the cost of WLAN connections on your machine. The meaning of the three cost values is as follows:
– Unrestricted: the connection is unlimited and is considered free of usage charges and capacity constraints;
– Fixed: use of the connection is unrestricted up to a certain cap;
– Variable: the connection is charged on a per-byte basis.

WWAN Media Cost
Set 3G Cost
This policy setting configures the cost of 3G connections on your local machine.
If you enable this policy setting, a drop-down list box presenting three cost values (Unrestricted, Fixed, Variable) will be active. You can choose one of the values to set the cost of 3G connections on your machine. The meaning of the three cost values is as follows:
– Unrestricted: the connection is unlimited and is considered free of usage charges and capacity constraints;
– Fixed: use of the connection is unrestricted up to a certain cap;
– Variable: the connection is charged on a per-byte basis.
Set 4G Cost
This policy setting configures the cost of 4G connections on your local machine.
If you enable this policy setting, a drop-down list box presenting three cost values (Unrestricted, Fixed, Variable) will be active. You can choose one of the values to set the cost of 4G connections on your machine. The meaning of the three cost values is as follows:
– Unrestricted: the connection is unlimited and is considered free of usage charges and capacity constraints;
– Fixed: use of the connection is unrestricted up to a certain cap;
– Variable: the connection is charged on a per-byte basis.
Isolate print drivers from applications
Determines whether print driver components that are normally loaded into applications are isolated from applications instead. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash.
Not all applications support driver isolation. By default, Office, IE, and certain other applications are opted in. Other applications may also be isolated from drivers, depending on whether they have opted in.
If you enable or do not configure this policy setting, then certain applications, as specified above, will be isolated from print drivers.
If you disable this policy setting, print drivers will be loaded within application processes.
Notes:
– This policy setting applies only to applications opted into isolation.
– This policy setting applies only to print drivers loaded by applications. Print drivers loaded by the print spooler are not affected.
– This policy setting is only checked once during the lifetime of a process. After changing the policy, a running application must be relaunched before settings take effect.

System Shutdown
Require use of hybrid boot
This policy controls the use of hybrid boot.
If this setting is enabled, the system will require hibernate to be enabled.

If this setting is disabled or not configured, the local setting will be used.

Troubleshooting: Application Compatibility Diagnostics
Detect control panel applet failure
This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose problems with legacy control panels that require running under administrative privileges.
If you enable this policy setting, the PCA will trigger after the first run of a legacy control panel running as a standard user with options to re-run the control panel under administrative privileges.
If you disable this policy setting, the PCA will not trigger for the legacy control panels which may require running under administrative privileges.
If you do not configure this policy setting, the PCA will be configured to trigger for the legacy control panels.

Note: Disabling the “Turn off Program Compatibility Assistant” policy setting will cause this policy setting to have no effect. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to execute. These services can be configured using the Services snap-in to the Microsoft Management Console.

Detect unhandled user mode exceptions
This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures in legacy applications due to certain unhandled user mode exceptions.
If you enable this policy setting, the PCA detects programs that fail because of not handling certain exceptions and will apply compatibility modes which enable programs to launch without the exceptions on the next run.
If you disable this policy setting, the PCA will not detect applications that may fail due to unhandled exceptions.
If you do not configure this policy setting, the PCA detects programs that may fail due to certain unhandled exceptions.
Note: Disabling the “Turn off Program Compatibility Assistant” policy setting will cause this policy setting to have no effect. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to execute. These services can be configured using the Services snap-in to the Microsoft Management Console.

Monitor application health and detect application problems
This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose application problems using the health monitoring system.

If you enable this policy setting, the PCA detects programs that appear to depend on features of previous versions of Windows.
If you disable this policy setting, the PCA does not detect program dependencies on features of previous versions of Windows.
If you do not configure this policy setting, the PCA detects programs that appear to depend on features of previous versions of Windows.
Note: Disabling the “Turn off Program Compatibility Assistant” policy setting will cause this policy setting to have no effect. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to execute. These services can be configured using the Services snap-in to the Microsoft Management Console.

Monitor applications for denied access to delete files
This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose application problems arising from denied access to delete files.

If you enable this policy setting, the PCA detects denied access to delete files.
If you disable this policy setting, the PCA does not detect denied access to delete files.
If you do not configure this policy setting, the PCA detects denied access to delete files.
Note: Disabling the “Turn off Program Compatibility Assistant” policy setting will cause this policy setting to have no effect. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to execute. These services can be configured using the Services snap-in to the Microsoft Management Console.

Monitor applications for WRP file access failures
This policy setting determines whether the Program Compatibility Assistant (PCA) will diagnose application problems arising from unauthorized system file access.

If you enable this policy setting, the PCA detects unauthorized access to system files by applications.
If you disable this policy setting, the PCA does not detect unauthorized access to system files by applications.
If you do not configure this policy setting, the PCA detects unauthorized access to system files by applications.
Note: Disabling the “Turn off Program Compatibility Assistant” policy setting will cause this policy setting to have no effect. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to execute. These services can be configured using the Services snap-in to the Microsoft Management Console.
Allow use of the Trusted Platform Module
This policy setting allows you to control use of the TPM.
If you enable or do not configure this policy setting, Windows will allow use of the TPM for any command that is not blocked.
If you disable this policy setting, Windows will disallow all TPM commands except the command for querying the state of the TPM (TPM_GetCapability).

Windows Proximity Service
Do not allow application acquisition through the app store with proximity
This policy allows you to disable Windows support for initiating the acquisition of new applications with proximity.
If you enable this policy setting, the Windows Proximity Service will not respond to requests to acquire applications from remote proximity devices.
If you disable or do not configure this policy setting, the Windows Proximity Service can respond to requests to acquire applications from remote proximity devices.

Do not allow application launching with proximity
This policy allows you to disable Windows support for launching applications with proximity.

If you enable this policy setting, the Windows Proximity Service will not respond to requests to launch applications from remote proximity devices.
If you disable or do not configure this policy setting, the Windows Proximity Service can respond to requests to launch applications from remote proximity devices.

Do not allow device pairing with proximity
This policy allows you to disable Windows support for initiating device pairing with proximity.

If you enable this policy setting, the Windows Proximity Service will not respond to pairing requests from remote proximity devices.
If you disable or do not configure this policy setting, the Windows Proximity Service can respond to requests to pair with remote proximity devices.

Turn off the Windows Proximity Service
This policy allows you to disable Windows support for proximity experiences.

If you enable this policy setting, Windows components will not respond to proximity events and applications cannot use Windows APIs to communicate over proximity devices.
If you disable or do not configure this policy setting, the Windows Proximity Service will be enabled and applications can use Windows APIs to communicate over proximity devices.

Windows components
Biometrics
Prevent automatic logon using boot-time biometric authentication

This policy setting determines whether a user will be automatically logged on after providing a boot-time biometric sample.

Some biometric sensors are capable of authenticating a user before the Windows operating system bootstraps. If you have such a device, by default your pre-boot authentication identity will be used to automatically log you in once Windows is running.
If you disable this policy setting, you will have to provide a second biometric sample (or some other credential) at the logon screen.
Note: Users who log on using biometrics should create a password-recovery disk; this will prevent data loss in the event that someone forgets their logon credentials.

Timeout for preboot autologon authentication

This policy setting specifies the number of seconds after system startup that a pre-boot biometric authentication will be used for auto-logon before being discarded.  By default, a pre-boot biometric authentication is valid for 30 seconds before becoming invalid.
If you enable this policy setting, you can configure the pre-boot authentication timeout to specify the number of seconds the authentication remains valid. This value cannot exceed 60 seconds.
If you disable or do not configure this policy setting, the default value of 30 seconds will be used for pre-boot authentication timeouts.

BitLocker Drive Encryption
Fixed data drives
Configure use of hardware-based encryption for fixed data drives
This policy setting allows you to manage BitLocker’s use of hardware-based encryption on fixed data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.

If you enable this policy setting, you can specify additional options that control whether hardware-based encryption is used on computers managed by this policy, whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption, and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.
If you disable this policy setting, BitLocker cannot use hardware-based encryption with fixed data drives and BitLocker software-based encryption will be used by default when the drive is encrypted.
If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption will be used instead.
Note: The “Choose drive encryption method and cipher strength” policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The “Restrict encryption algorithms and cipher suites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption.
Encryption algorithms are specified by object identifiers (OID). For example:
– AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2
– AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

Enforce drive encryption type on fixed data drives
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose data only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.

If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
Operating system drives
Choose boot application options to exclude from platform validation
This policy setting allows you to choose specific boot application options to ignore during platform validation.
If you enable this policy setting you will be able to specify boot application options to ignore during platform validation.
If you disable this policy setting, the computer will measure all default boot application options.
If you do not configure this policy setting, the computer will measure all default boot application options.
The setting that controls boot debugging (0x16000010) may not be excluded and will have no effect if it is included in the provided fields.
Configure use of hardware-based encryption for operating system drives
This policy setting allows you to manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.
If you enable this policy setting, you can specify additional options that control whether hardware-based encryption is used on computers managed by this policy, whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption, and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.
If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted.
If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption will be used instead.
Note: The “Choose drive encryption method and cipher strength” policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The “Restrict encryption algorithms and cipher suites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption.
Encryption algorithms are specified by object identifiers (OID). For example:
– AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2
– AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
     
Configure use of passwords for operating system drives
This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective the Group Policy setting “Password must meet complexity requirements” located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must be also enabled.
       
Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.
If you enable this policy setting, users can configure a password that meets the requirements you define. To enforce complexity requirements on the password, select “Require complexity”.
When set to “Require complexity” a connection to a domain controller is necessary when BitLocker is enabled to validate the complexity the password. When set to “Allow complexity” a connection to a domain controller will be attempted to validate the complexity adheres to the rules set by the policy, but if no domain controllers are found the password will still be accepted regardless of actual password complexity and the drive will be encrypted using that password as a protector. When set to “Do not allow complexity”, no password complexity validation will be done.
Passwords must be at least 8 characters. To configure a greater minimum length for the password, enter the desired number of characters in the “Minimum password length” box.
If you disable or do not configure this policy setting, the default length constraint of 8 characters will apply to operating system drive passwords and no complexity checks will occur.
Note: Passwords cannot be used if FIPS-compliance is enabled. The “System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing” policy setting in Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options specifies whether FIPS-compliance is enabled.
Disallow standard users from changing the PIN
This policy setting allows you to configure whether or not standard users are allowed to change BitLocker volume PINs, provided they are able to provide the existing PIN first.
This policy setting is applied when you turn on BitLocker.
If you enable this policy setting, standard users will not be allowed to change BitLocker PINs.
If you disable or do not configure this policy setting, standard users will be permitted to change BitLocker PINs.
Enforce drive encryption type on operating system drives
This policy setting allows you to configure the encryption type used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose data only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.
If you enable this policy setting the encryption type that BitLocker will use to encrypt drives is defined by this policy and the encryption type option will not be presented in the BitLocker setup wizard.
If you disable or do not configure this policy setting, the BitLocker setup wizard will ask the user to select the encryption type before turning on BitLocker.
Reset platform validation data after BitLocker Recovery
This policy setting allows you to control whether or not platform validation data is refreshed when Windows is started following BitLocker recovery.
If you enable this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery.
If you disable this policy setting, platform validation data will not be refreshed when Windows is started following BitLocker recovery.
If you do not configure this policy setting, platform validation data will be refreshed when Windows is started following BitLocker recovery.
Removable Data drives
Configure use of hardware-based encryption for removable data drives
This policy setting allows you to manage BitLocker’s use of hardware-based encryption on removable data drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.
If you enable this policy setting, you can specify additional options that control whether hardware-based encryption is used on computers managed by this policy, whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption, and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.
If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted.
If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption will be used instead.
Note: The “Choose drive encryption method and cipher strength” policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The “Restrict encryption algorithms and cipher suites allowed for hardware-based encryption” option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption.
Encryption algorithms are specified by object identifiers (OID). For example:
– AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2
– AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42
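Both the operating-system-drive and removable-drive notes above identify algorithms by OID. The following is an added example (not code from the post or from Microsoft) that DER-encodes the two OIDs quoted on the page, decodes them back, and models the allowlist decision the “Restrict encryption algorithms and cipher suites” option describes; the function names and the allowlist representation are this example's own assumptions.

```python
"""Added example: DER-encode the algorithm OIDs quoted in the policy text and
model the restriction check. Not part of the original post or of BitLocker."""
from typing import Optional, Set

# OIDs and descriptions exactly as quoted in the policy text above.
KNOWN_OIDS = {
    "2.16.840.1.101.3.4.1.2": "AES 128 in CBC mode",
    "2.16.840.1.101.3.4.1.42": "AES 256 in CBC mode",
}


def _base128(n: int) -> bytes:
    """Encode one OID arc as base-128 with continuation bits (X.690 8.19)."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Return the DER TLV (tag 0x06) for a dotted OID; the first two arcs share a byte."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError(f"invalid OID {dotted!r}")
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + body


def decode_oid(der: bytes) -> str:
    """Inverse of encode_oid; rejects a malformed or truncated TLV."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed OID TLV")
    arcs, acc = [], 0
    for b in der[2:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    if acc:  # final byte still had its continuation bit set
        raise ValueError("truncated arc")
    first = min(arcs[0] // 40, 2)
    return ".".join(str(a) for a in [first, arcs[0] - first * 40] + arcs[1:])


def hardware_encryption_allowed(drive_oid: str, restricted: Optional[Set[str]]) -> bool:
    """Model of the policy: with no restriction configured, the drive's own algorithm
    is used; with a restriction, hardware encryption is disabled unless the drive's
    algorithm is on the list (assumption: the list holds dotted OID strings)."""
    return restricted is None or drive_oid in restricted
```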
Device and driver compatibility
Device compatibility settings
is empty

External Boot
Portable workspace default startup options
Note: This policy does not affect computers that use Unified Extensible Firmware Interface (UEFI).

This policy setting controls whether the computer will boot to Portable Workspace if a USB device containing a Portable Workspace is connected, and controls whether users can make changes using the Portable Workspace Startup Options Control Panel item.
If you enable this setting, booting to Portable Workspace when a USB device is connected will be enabled, and users will not be able to make changes using the Portable Workspace Startup Options Control Panel item.
If you disable this setting, booting to Portable Workspace when a USB device is connected will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration.
If you do not configure this setting, users who are members of the Administrators group can make changes using the Portable Workspace Startup Options Control Panel item.

HistoryVault
Disable History Vault
This policy setting allows you to disable HistoryVault, machine-wide, from taking new backups.

Location and Sensors
Windows Location Provider
Turn off Windows Location Provider
This policy setting turns off the Windows Location Provider feature for this computer.

If you enable this policy setting, the Windows Location Provider feature will be turned off, and all programs on this computer will not be able to use the Windows Location Provider feature.
If you disable or do not configure this policy setting, all programs on this computer can use the Windows Location Provider feature.

Maintenance Scheduler
Maintenance Activation Boundary
Maintenance WakeUp Policy

Windows Explorer
Do not run unknown programs downloaded from the internet
This policy setting controls whether programs downloaded from the Internet are allowed to run if they are not recognized by SmartScreen.

If you enable this policy setting, Windows will not run programs with the Mark of the Web unless they are recognized by SmartScreen.
If you disable this policy setting, SmartScreen will prompt the user when a program is not recognized, but the user can dismiss the prompt and run the program.
If you do not configure this policy setting, the user can configure this policy setting.
Note: SmartScreen must be enabled on this computer for the policy to take effect.
Do not send data acquired from the local machine or corporate intranet to SmartScreen
This policy allows you to control whether data acquired from the local machine or corporate intranet gets sent to SmartScreen.

Location where all default library definition files for users and machines reside
Enabling this policy allows administrators to specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon the policy settings are verified and the user's Libraries are updated to match the definitions in the specified path.

Windows Installer
Disable embedded UI
This setting controls the ability to disable embedded UI.

If you enable this policy setting, no packages on the system can run embedded UI.
The default setting of this policy is disabled, which allows embedded UI to run.

Windows Update
Allow automatic updates to search for content from multiple services
Specifies whether Automatic Updates will search additional services for updates when the computer is talking to an intranet Microsoft update service location.

If set to Enabled, Automatic Updates will automatically search for updates from both the intranet Microsoft update service location as well as other registered locations.
If set to Disabled or Not Configured, Automatic Updates will only search for updates from the intranet Microsoft update service location.
If the machine is not configured to search for updates from an intranet Microsoft update service location, this setting has no effect and Automatic Updates will search for updates from all registered services.

USER CONFIGURATION
Network offline files

Remove Work Online Button
Prevents users from coming out of offline mode.
If you enable or do not configure this policy setting, Work Online/Offline button will be displayed.
If you disable this policy setting, Work Online/Offline button will not be displayed.
Start menu and taskbar
Do not allow taskbar on more than one display
If you enable this setting, users will not be able to show taskbars on more than one display. The multiple display section will not be enabled in the taskbar properties dialog.

Don't show the start menu when the user logs in
If you enable this setting, the user will see the desktop after logging in to a new session, instead of seeing the Start menu. The Start Menu will continue to function as normal, except that it will not show automatically after login.
If you disable this setting or do not configure it, the Start Menu will appear after the user logs in to a new session.

Prevent users from uninstalling applications from Start
If you enable this setting, users cannot uninstall apps from Start.

If you disable this setting or do not configure it, users can access the uninstall command from Start.