Group Policy Management
SECNET Mandatory Policy v1.0
Data collected on: 5/20/2020 1:57:23 AM
General
Details
Domain | secnetwork.org
Owner | SECNET\Domain Admins
Created | 5/20/2020 1:07:44 AM
Modified | 5/20/2020 1:23:44 AM
User Revisions | 1 (AD), 1 (SYSVOL)
Computer Revisions | 23 (AD), 23 (SYSVOL)
Unique ID | {D4F8E80B-62FE-4066-B041-1E6F396D55AB}
GPO Status | Enabled
Links
Location | Enforced | Link Status | Path
secnetwork | No | Enabled | secnetwork.org

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name | Allowed Permissions | Inherited
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
SECNET\Domain Admins | Edit settings, delete, modify security | No
SECNET\Enterprise Admins | Edit settings, delete, modify security | No
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Account Policies/Account Lockout Policy
Policy | Setting
Account lockout duration | 0 minutes
Account lockout threshold | 3 invalid logon attempts
Reset account lockout counter after | 10 minutes
Account Policies/Kerberos Policy
Policy | Setting
Enforce user logon restrictions | Enabled
Maximum lifetime for service ticket | 600 minutes
Maximum lifetime for user ticket | 10 hours
Maximum lifetime for user ticket renewal | 10 days
Maximum tolerance for computer clock synchronization | 5 minutes
Local Policies/Audit Policy
Policy | Setting
Audit account logon events | Success, Failure
Audit account management | Success, Failure
Audit directory service access | Success, Failure
Audit logon events | Success, Failure
Audit object access | Failure
Audit policy change | Success
Audit privilege use | Success, Failure
Audit system events | Success, Failure
Local Policies/User Rights Assignment
Policy | Setting
Access Credential Manager as a trusted caller
Access this computer from the network | NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Act as part of the operating system
Allow log on locally | BUILTIN\Administrators
Allow log on through Terminal Services | BUILTIN\Administrators
Back up files and directories | BUILTIN\Administrators
Bypass traverse checking | Window Manager\Window Manager Group, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\Authenticated Users, BUILTIN\Administrators
Change the system time | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create a pagefile | BUILTIN\Administrators
Create a token object
Create global objects | NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Create permanent shared objects
Create symbolic links | BUILTIN\Administrators
Debug programs | BUILTIN\Administrators
Deny access to this computer from the network | BUILTIN\Guests
Deny log on as a batch job | BUILTIN\Guests
Deny log on as a service | BUILTIN\Guests
Deny log on locally | BUILTIN\Guests
Deny log on through Terminal Services | BUILTIN\Guests
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system | BUILTIN\Administrators
Generate security audits | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Impersonate a client after authentication | NT AUTHORITY\SERVICE, NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Increase scheduling priority | BUILTIN\Administrators
Load and unload device drivers | BUILTIN\Administrators
Lock pages in memory
Log on as a service | NT SERVICE\ALL SERVICES
Manage auditing and security log | BUILTIN\Administrators
Modify an object label
Modify firmware environment values | BUILTIN\Administrators
Perform volume maintenance tasks | BUILTIN\Administrators
Profile single process | BUILTIN\Administrators
Replace a process level token | NT AUTHORITY\NETWORK SERVICE, NT AUTHORITY\LOCAL SERVICE
Restore files and directories | BUILTIN\Administrators
Shut down the system | BUILTIN\Administrators
Take ownership of files or other objects | BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy | Setting
Accounts: Administrator account status | Enabled
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Accounts: Rename administrator account | "ladmin"
Accounts: Rename guest account | "lguest"
Audit
Policy | Setting
Audit: Audit the access of global system objects | Disabled
Audit: Audit the use of Backup and Restore privilege | Enabled
Audit: Shut down system immediately if unable to log security audits | Enabled
Devices
Policy | Setting
Devices: Allowed to format and eject removable media | Administrators
Domain Member
Policy | Setting
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive Logon
Policy | Setting
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Don't display last signed-in | Enabled
Interactive logon: Message text for users attempting to log on | If you are not authorized to access this system, exit immediately. Unauthorized access to this system is forbidden by company policies, national, and international laws. Unauthorized users are subject to criminal and civil penalties as well as company initiated disciplinary proceedings. By entry into this system you acknowledge that you are authorized access and the level of privilege you subsequently execute on this system. You further acknowledge that by entry into this system you expect no privacy from monitoring.
Interactive logon: Message title for users attempting to log on | "SECNET Policy Statement"
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 3 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Smart card removal behavior | Lock Workstation
Microsoft Network Client
Policy | Setting
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Microsoft Network Server
Policy | Setting
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Network Access
Policy | Setting
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Do not allow storage of passwords and credentials for network authentication | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves
Network Security
Policy | Setting
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: Force logoff when logon hours expire | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements | Require signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled
Require NTLMv2 session security | Enabled
Require 128-bit encryption | Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled
Require NTLMv2 session security | Enabled
Require 128-bit encryption | Enabled
Shutdown
Policy | Setting
Shutdown: Allow system to be shut down without having to log on | Disabled
System Cryptography
Policy | Setting
System cryptography: Force strong key protection for user keys stored on the computer | User must enter a password each time they use a key
System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing | Disabled
System Objects
Policy | Setting
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
System Settings
Policy | Setting
System settings: Optional subsystems
User Account Control
Policy | Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop
User Account Control: Behavior of the elevation prompt for standard users | Prompt for credentials on the secure desktop
User Account Control: Detect application installations and prompt for elevation | Enabled
User Account Control: Only elevate executables that are signed and validated | Disabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled
User Account Control: Run all administrators in Admin Approval Mode | Enabled
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled
Other
Policy | Setting
Accounts: Block Microsoft accounts | Users can't add or log on with Microsoft accounts
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
Interactive logon: Display user information when the session is locked | User display name, domain and user names
Interactive logon: Machine inactivity limit | 900 seconds
Microsoft network server: Server SPN target name validation level | Off
Network security: Allow Local System to use computer identity for NTLM | Enabled
Network security: Allow LocalSystem NULL session fallback | Disabled
Network security: Allow PKU2U authentication requests to this computer to use online identities. | Disabled
Network security: Configure encryption types allowed for Kerberos | Enabled
DES_CBC_CRC | Disabled
DES_CBC_MD5 | Disabled
RC4_HMAC_MD5 | Enabled
AES128_HMAC_SHA1 | Enabled
AES256_HMAC_SHA1 | Enabled
Future encryption types | Enabled
Event Log
Policy | Setting
Maximum application log size | 99968 kilobytes
Maximum security log size | 99968 kilobytes
Maximum system log size | 99968 kilobytes
Retain application log | 90 days
Retain security log | 90 days
Retain system log | 90 days
Retention method for application log | By days
Retention method for security log | By days
Retention method for system log | By days
Public Key Policies/Certificate Services Client - Auto-Enrollment Settings
Policy | Setting
Automatic certificate management | Enabled
Option | Setting
Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates | Enabled
Update and manage certificates that use certificate templates from Active Directory | Enabled
Public Key Policies/Certificate Path Validation Settings/Stores
Policy | Setting
Allow user trusted root Certificate Authorities (CAs) to be used to validate certificates | Enabled
Allow users to trust peer trust certificates | Enabled
Peer trust certificate purposes: Client Authentication; Secure Email; Encrypting File System
Root CAs that client computers can trust: Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
For certificate-based authentication of users and computers, along with CAs that are registered in Active Directory, the client computer must use should also use user principal name (UPN) constraint compliant CAs | Disabled
Public Key Policies/Certificate Path Validation Settings/Revocation
Policy | Setting
Always prefer Certificate Revocation Lists (CRLs) over Online Certificate Status Protocol (OCSP) responses | Disabled
Allow CRLs and OCSP responses to be valid longer than their lifetime | Disabled
Windows Firewall with Advanced Security
Global Settings
Policy | Setting
Policy version | 2.26
Disable stateful FTP | Not Configured
Disable stateful PPTP | Not Configured
IPsec exempt | Not Configured
IPsec through NAT | Not Configured
Preshared key encoding | Not Configured
SA idle time | Not Configured
Strong CRL check | Not Configured
Domain Profile Settings
Policy | Setting
Firewall state | Off
Inbound connections | Not Configured
Outbound connections | Not Configured
Apply local firewall rules | Not Configured
Apply local connection security rules | Not Configured
Display notifications | Yes
Allow unicast responses | Yes
Log dropped packets | Not Configured
Log successful connections | Not Configured
Log file path | Not Configured
Log file maximum size (KB) | Not Configured
Private Profile Settings
Policy | Setting
Firewall state | Off
Inbound connections | Not Configured
Outbound connections | Not Configured
Apply local firewall rules | Not Configured
Apply local connection security rules | Not Configured
Display notifications | Not Configured
Allow unicast responses | Not Configured
Log dropped packets | Not Configured
Log successful connections | Not Configured
Log file path | Not Configured
Log file maximum size (KB) | Not Configured
Public Profile Settings
Policy | Setting
Firewall state | Off
Inbound connections | Not Configured
Outbound connections | Not Configured
Apply local firewall rules | Not Configured
Apply local connection security rules | Not Configured
Display notifications | Not Configured
Allow unicast responses | Not Configured
Log dropped packets | Not Configured
Log successful connections | Not Configured
Log file path | Not Configured
Log file maximum size (KB) | Not Configured
Connection Security Settings
Advanced Audit Configuration
Account Logon
Policy | Setting
Audit Credential Validation | Success, Failure
Account Management
Policy | Setting
Audit Computer Account Management | Success, Failure
Audit Other Account Management Events | Success, Failure
Audit Security Group Management | Success, Failure
Audit User Account Management | Success, Failure
Detailed Tracking
Policy | Setting
Audit Process Creation | Success
Logon/Logoff
Policy | Setting
Audit Logoff | Success
Audit Logon | Success, Failure
Audit Special Logon | Success
Object Access
Policy | Setting
Audit Removable Storage | Success, Failure
Audit Central Access Policy Staging | Success, Failure
Policy Change
Policy | Setting
Audit Audit Policy Change | Success, Failure
Audit Authentication Policy Change | Success
Audit Authorization Policy Change | Success, Failure
Privilege Use
Policy | Setting
Audit Non Sensitive Privilege Use | Success, Failure
Audit Other Privilege Use Events | Success, Failure
Audit Sensitive Privilege Use | Success, Failure
System
Policy | Setting
Audit IPsec Driver | Success, Failure
Audit Security State Change | Success, Failure
Audit Security System Extension | Success, Failure
Audit System Integrity | Success, Failure
Administrative Templates
Policy definitions (ADMX files) retrieved from the local computer.
Control Panel/Personalization
Policy | Setting | Comment
Prevent enabling lock screen camera | Enabled
Prevent enabling lock screen slide show | Enabled
Control Panel/User Accounts
Policy | Setting | Comment
Apply the default account picture to all users | Enabled
Network/Link-Layer Topology Discovery
Policy | Setting | Comment
Turn on Mapper I/O (LLTDIO) driver | Disabled
Turn on Responder (RSPNDR) driver | Disabled
Network/Microsoft Peer-to-Peer Networking Services
Policy | Setting | Comment
Turn off Microsoft Peer-to-Peer Networking Services | Enabled
Network/Network Connections
Policy | Setting | Comment
Do not show the "local access only" network icon | Enabled
Prohibit installation and configuration of Network Bridge on your DNS domain network | Enabled
Require domain users to elevate when setting a network's location | Enabled
Route all traffic through the internal network | Enabled
Select from the following states: Enabled State
Network/Network Connections/Windows Defender Firewall/Domain Profile
Policy | Setting | Comment
Windows Defender Firewall: Prohibit notifications | Disabled
Windows Defender Firewall: Prohibit unicast response to multicast or broadcast requests | Disabled
Windows Defender Firewall: Protect all network connections | Disabled
Network/Network Connectivity Status Indicator
Policy | Setting | Comment
Specify corporate DNS probe host address | Enabled
Corporate DNS Probe Address: 10.0.31.11
Specify the expected DNS address for the corporate host name to probe.
Example: 2001:4898:28:3:38a1:c31:7b3d:bf0
Policy | Setting | Comment
Specify corporate DNS probe host name | Enabled
Corporate DNS Probe Hostname: secnetwork.org
Specify a corporate host name to resolve to probe for corporate connectivity.
Example: ncsi.corp.microsoft.com
Network/TCPIP Settings/IPv6 Transition Technologies
Policy | Setting | Comment
Set 6to4 State | Enabled
Select from the following states: Disabled State
Policy | Setting | Comment
Set IP-HTTPS State | Enabled
Enter the IPHTTPS Url: about:blank
Select Interface state from the following options: Disabled State
Policy | Setting | Comment
Set ISATAP State | Enabled
Select from the following states: Disabled State
Policy | Setting | Comment
Set Teredo State | Enabled
Select from the following states: Disabled State
Network/TCPIP Settings/Parameters
Policy | Setting | Comment
Set IP Stateless Autoconfiguration Limits State | Enabled
Network/Windows Connect Now
Policy | Setting | Comment
Configuration of wireless settings using Windows Connect Now | Disabled
Prohibit access of the Windows Connect Now wizards | Enabled
Printers
Policy | Setting | Comment
Extend Point and Print connection to search Windows Update | Disabled
System/Audit Process Creation
Policy | Setting | Comment
Include command line in process creation events | Disabled
System/Device Installation
Policy | Setting | Comment
Allow remote access to the Plug and Play interface | Disabled
Do not send a Windows error report when a generic driver is installed on a device | Enabled
Prevent creation of a system restore point during device activity that would normally prompt creation of a restore point | Disabled
Prevent device metadata retrieval from the Internet | Enabled
Prevent Windows from sending an error report when a device driver requests additional software during installation | Enabled
Specify search order for device driver source locations | Enabled
Select search order: Do not search Windows Update
Policy | Setting | Comment
Specify the search server for device driver updates | Enabled
Select update server: Search Managed Server
System/Early Launch Antimalware
Policy | Setting | Comment
Boot-Start Driver Initialization Policy | Enabled
Choose the boot-start drivers that can be initialized:
System/Group Policy
Policy | Setting | Comment
Configure Group Policy Caching | Disabled
Configure registry policy processing | Enabled
Do not apply during periodic background processing | Disabled
Process even if the Group Policy objects have not changed | Enabled
Policy | Setting | Comment
Configure user Group Policy loopback processing mode | Enabled
Mode: Merge
Policy | Setting | Comment
Set Group Policy refresh interval for computers | Enabled
This setting allows you to customize how often Group Policy is applied to computers. The range is 0 to 44640 minutes (31 days).
Minutes: 10
This is a random time added to the refresh interval to prevent all clients from requesting Group Policy at the same time. The range is 0 to 1440 minutes (24 hours)
Minutes: 30
Policy | Setting | Comment
Set Group Policy refresh interval for domain controllers | Enabled
This setting allows you to customize how often Group Policy is applied to domain controllers. The range is 0 to 44640 minutes (31 days).
Minutes: 5
This is a random time added to the refresh interval to prevent all clients from requesting Group Policy at the same time. The range is 0 to 1440 minutes (24 hours)
Minutes: 0
Policy | Setting | Comment
Turn off background refresh of Group Policy | Disabled
System/Internet Communication Management/Internet Communication settings
Policy | Setting | Comment
Turn off downloading of print drivers over HTTP | Enabled
Turn off Event Viewer "Events.asp" links | Enabled
Turn off handwriting recognition error reporting | Enabled
Turn off Internet File Association service | Enabled
Turn off printing over HTTP | Enabled
Turn off Search Companion content file updates | Enabled
Turn off Windows Customer Experience Improvement Program | Enabled
Turn off Windows Error Reporting | Enabled
Turn off Windows Update device driver searching | Enabled
System/Locale Services
Policy | Setting | Comment
Disallow copying of user input methods to the system account for sign-in | Enabled
System/Logon
Policy | Setting | Comment
Always use classic logon | Enabled
Assign a default domain for logon | Enabled
Default Logon domain: SECNET
Enter the name of the domain
Policy | Setting | Comment
Do not display network selection UI | Enabled
Do not display the Getting Started welcome screen at logon | Enabled
Do not enumerate connected users on domain-joined computers | Disabled
Show first sign-in animation | Disabled
Turn off app notifications on the lock screen | Enabled
Turn off picture password sign-in | Enabled
Turn on convenience PIN sign-in | Disabled
System/Power Management/Sleep Settings
Policy | Setting | Comment
Require a password when a computer wakes (on battery) | Enabled
Require a password when a computer wakes (plugged in) | Enabled
System/Remote Assistance
Policy | Setting | Comment
Configure Offer Remote Assistance | Disabled
Configure Solicited Remote Assistance | Disabled
System/Remote Procedure Call
Policy | Setting | Comment
Restrict Unauthenticated RPC clients | Enabled
RPC Runtime Unauthenticated Client Restriction to Apply: Authenticated
System/Server Manager
Policy | Setting | Comment
Configure the refresh interval for Server Manager | Enabled
Minutes: 3
Range is 1 to 34560
Policy | Setting | Comment
Do not display Server Manager automatically at logon | Enabled
System/System Restore
Policy | Setting | Comment
Turn off Configuration | Enabled
Turn off System Restore | Enabled
System/Troubleshooting and Diagnostics/Application Compatibility Diagnostics
Policy | Setting | Comment
Detect compatibility issues for applications and drivers | Disabled
System/Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool
Policy | Setting | Comment
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider | Disabled
System/Troubleshooting and Diagnostics/Scripted Diagnostics
Policy | Setting | Comment
Troubleshooting: Allow users to access online troubleshooting content on Microsoft servers from the Troubleshooting Control Panel (via the Windows Online Troubleshooting Service - WOTS) | Disabled
System/Troubleshooting and Diagnostics/Windows Performance PerfTrack
Policy | Setting | Comment
Enable/Disable PerfTrack | Disabled
System/Windows Time Service
Policy | Setting | Comment
Global Configuration Settings | Enabled
Clock Discipline Parameters
FrequencyCorrectRate | 4
HoldPeriod | 5
LargePhaseOffset | 50000000
MaxAllowedPhaseOffset | 300
MaxNegPhaseCorrection | 172800
MaxPosPhaseCorrection | 172800
PhaseCorrectRate | 1
PollAdjustFactor | 5
SpikeWatchPeriod | 900
UpdateInterval | 100
General Parameters
AnnounceFlags | 10
EventLogFlags | 2
LocalClockDispersion | 10
MaxPollInterval | 10
MinPollInterval | 6
ClockHoldoverPeriod
RequireSecureTimeSyncRequests | 0
UtilizeSslTimeData | 1
ClockAdjustmentAuditLimit
ChainEntryTimeout | 16
ChainMaxEntries | 128
ChainMaxHostEntries | 4
ChainDisable | 0
ChainLoggingRate | 30
System/Windows Time Service/Time Providers
Policy | Setting | Comment
Configure Windows NTP Client | Enabled
NtpServer | ntp.secnetwork.org,0x9
Type | NT5DS
CrossSiteSyncFlags | 2
ResolvePeerBackoffMinutes | 15
ResolvePeerBackoffMaxTimes | 7
SpecialPollInterval | 3600
EventLogFlags | 0
Policy | Setting | Comment
Enable Windows NTP Client | Enabled
Windows Components/App Package Deployment
Policy | Setting | Comment
Allow all trusted apps to install | Enabled
Windows Components/App runtime
Policy | Setting | Comment
Allow Microsoft accounts to be optional | Enabled
Windows Components/Application Compatibility
Policy | Setting | Comment
Turn off Inventory Collector | Enabled
Windows Components/AutoPlay Policies
Policy | Setting | Comment
Disallow Autoplay for non-volume devices | Enabled
Set the default behavior for AutoRun | Enabled
Default AutoRun Behavior | Do not execute any autorun commands
Policy | Setting | Comment
Turn off Autoplay | Enabled
Turn off Autoplay on: All drives
Windows Components/Biometrics
Policy | Setting | Comment
Allow the use of biometrics | Disabled
Windows Components/Credential User Interface
Policy | Setting | Comment
Do not display the password reveal button | Enabled
Enumerate administrator accounts on elevation | Disabled
Windows Components/Event Log Service/Application
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
Maximum Log Size (KB) | 32768
Windows Components/Event Log Service/Security
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
Maximum Log Size (KB) | 196608
Windows Components/Event Log Service/Setup
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
Maximum Log Size (KB) | 32768
Windows Components/Event Log Service/System
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
Maximum Log Size (KB) | 32768
Windows Components/File Explorer
Policy | Setting | Comment
Turn off Data Execution Prevention for Explorer | Disabled
Turn off heap termination on corruption | Disabled
Turn off shell protocol protected mode | Disabled
Windows Components/Location and Sensors
Policy | Setting | Comment
Turn off location | Enabled
Windows Components/Remote Desktop Services/Remote Desktop Connection Client
Policy | Setting | Comment
Do not allow passwords to be saved | Enabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections
Policy | Setting | Comment
Restrict Remote Desktop Services users to a single Remote Desktop Services session | Enabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection
Policy | Setting | Comment
Do not allow COM port redirection | Enabled
Do not allow drive redirection | Enabled
Do not allow LPT port redirection | Enabled
Do not allow smart card device redirection | Disabled
Do not allow supported Plug and Play device redirection | Enabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Printer Redirection
Policy | Setting | Comment
Redirect only the default client printer | Enabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Policy | Setting | Comment
Always prompt for password upon connection | Enabled
Require secure RPC communication | Enabled
Require use of specific security layer for remote (RDP) connections | Enabled
Security Layer | Negotiate
Choose the security layer from the drop-down list.
Policy | Setting | Comment
Server authentication certificate template | Enabled
Certificate Template Name | SECNETComputerv1.0
Policy | Setting | Comment
Set client connection encryption level | Enabled
Encryption Level | High Level
Choose the encryption level from the drop-down list.
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits
Policy | Setting | Comment
End session when time limits are reached | Enabled
Set time limit for active but idle Remote Desktop Services sessions | Enabled
Idle session limit: 2 hours
Policy | Setting | Comment
Set time limit for disconnected sessions | Enabled
End a disconnected session | 8 hours
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Temporary folders
Policy | Setting | Comment
Do not delete temp folders upon exit | Disabled
Windows Components/RSS Feeds
Policy | Setting | Comment
Prevent downloading of enclosures | Enabled
Turn on Basic feed authentication over HTTP | Disabled
Windows Components/Smart Card
Policy | Setting | Comment
Allow ECC certificates to be used for logon and authentication | Enabled
Windows Components/Store
Policy | Setting | Comment
Turn off Automatic Download and Install of updates | Enabled
Turn off the Store application | Enabled
Windows Components/Windows Defender Antivirus
Policy | Setting | Comment
Turn off Windows Defender Antivirus | Disabled
Windows Components/Windows Defender Antivirus/MAPS
Policy | Setting | Comment
Join Microsoft MAPS | Disabled
Windows Components/Windows Defender Antivirus/Scan
Policy | Setting | Comment
Scan removable drives | Enabled
Turn on e-mail scanning | Enabled
Windows Components/Windows Defender Antivirus/Signature Updates
Policy | Setting | Comment
Allow definition updates from Microsoft Update | Enabled
Specify the day of the week to check for definition updates | Enabled
Specify the day of the week to check for definition updates | Every Day
Windows Components/Windows Defender SmartScreen/Explorer
Policy | Setting | Comment
Configure Windows Defender SmartScreen | Disabled
Windows Components/Windows Error Reporting
Policy | Setting | Comment
Disable Windows Error Reporting | Enabled
Windows Components/Windows Installer
Policy | Setting | Comment
Allow user control over installs | Disabled
Always install with elevated privileges | Disabled
Prevent Internet Explorer security prompt for Windows Installer scripts | Disabled
Prohibit non-administrators from applying vendor signed updates | Enabled
Windows Components/Windows Logon Options
Policy | Setting | Comment
Display information about previous logons during user logon | Enabled
Report when logon server was not available during user logon | Enabled
Sign-in last interactive user automatically after a system-initiated restart | Disabled
Windows Components/Windows Media Digital Rights Management
Policy | Setting | Comment
Prevent Windows Media DRM Internet Access | Enabled
Windows Components/Windows Media Player
Policy | Setting | Comment
Do Not Show First Use Dialog Boxes | Enabled
Prevent Automatic Updates | Disabled
Windows Components/Windows PowerShell
Policy | Setting | Comment
Turn on Script Execution | Enabled
Execution Policy | Allow local scripts and remote signed scripts
Extra Registry Settings
Display names for some settings cannot be found. You might be able to resolve this issue by updating the .ADM files used by Group Policy Management.

Setting | State
SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers\{F829F35A-2391-456E-A421-F2C5E7806593}
SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\AuthFlags | 2
SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Cost | 2147483645
SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\Flags | 20
SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\FriendlyName | Active Directory Enrollment Policy
SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\PolicyID | {F829F35A-2391-456E-A421-F2C5E7806593}
SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers\37c9dc30f207f27f61a2f7c3aed598a6e2920b54\URL | LDAP:
SOFTWARE\Policies\Microsoft\Cryptography\PolicyServers\Flags | 0
SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\010103000F0000F0A00000000F0000F0E90161C52A211CCB184BB01CBC4626534FAF3917EC0DF36C642BDF1323BC7C05\NameReadOnly | 1
SOFTWARE\Policies\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\010103000F0000F0A00000000F0000F0E90161C52A211CCB184BB01CBC4626534FAF3917EC0DF36C642BDF1323BC7C05\NetworkName | SECNET
User Configuration (Enabled)
Policies
Windows Settings
Scripts
Logon
For this GPO, Script order: Not configured
Name | Parameters
Set_Time_Zone.bat