What’s New In Windows 8 Consumer Preview Group Policy

With the Windows 8 Consumer Preview and Windows Server 8 Beta released, I'm preparing to upgrade my proof-of-concept Developer Preview corporate image to the Windows 8 Consumer Preview. Part of this process is reviewing the new group policies. A real strength of Microsoft Windows, and a major reason for its popularity in the enterprise, is its central management capability. Windows 8 doesn't disappoint, with many exciting new policies.

To make identifying new policies easier I have extracted the data from the ADMX files in C:\Windows\PolicyDefinitions into an Excel file, which is available here: http://www.tiange.com.au/documents/Windows8ConsumerPreviewGroupPolicy.xlsx

(My extraction code is in its early stages, so if I have made an error let me know! I have not individually cross-checked the 4,000+ extracted policies.)

To cut down the size of the spreadsheet a bit, when a policy can apply to both computer and user I'm using the class "Both" (which is also the class the ADMX files themselves use for such policies, alongside "Machine" and "User").

Counted this way, there are 4,560 policies available in the ADMX files.

Of those we see

  • 44 new Internet Explorer policies
  • 218 new Windows 8 policies

Note: OK, having now reviewed in detail, there seem to be some duplicates in my numbers, but for now I've just read every Windows 8 Group Policy item and I think I need to give my head a rest. Also, some items listed below as new in Windows 8 can be done in Windows 7, but it is not the exact same policy; there may be additional options in the Windows 8 policy. Because I have not memorized every Windows 7 group policy and do not have time to cross-check everything, I'll leave it up to you to figure out any inconsistency there.
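The extraction described above, as an added PowerShell example of my own rather than the author's extraction code: it parses every ADMX file in PolicyDefinitions, resolves each policy's display name through the matching en-US ADML, records the class (Machine, User or Both) and the registry key/value the policy writes, and flags the policies whose supportedOn reference matches a pattern. It assumes the files live under C:\Windows\PolicyDefinitions with an en-US subfolder, and that the Consumer Preview supportedOn ids follow the windows:SUPPORTED_Windows8 / inetres:SUPPORTED_IE10 naming; the -NewPattern default and the NewPolicies.csv output path are my choices.

```powershell
# Added example, not the author's extraction code: enumerate Group Policy definitions
# from ADMX/ADML files and flag the ones whose supportedOn reference mentions Windows 8
# or IE10. Assumptions: ADMX files under $env:SystemRoot\PolicyDefinitions with ADML
# files in the en-US subfolder; supportedOn ids such as windows:SUPPORTED_Windows8 and
# inetres:SUPPORTED_IE10 (adjust -NewPattern if your files use different ids).
param(
    [string]$DefinitionRoot = "$env:SystemRoot\PolicyDefinitions",
    [string]$Language       = 'en-US',
    [string]$NewPattern     = 'Windows8|IE10',
    [string]$OutFile        = '.\NewPolicies.csv'
)

function Get-AdmlStringTable {
    # Map ADML string ids to their text so "$(string.SomeId)" references can be resolved.
    param([string]$AdmlPath)
    $table = @{}
    if (-not (Test-Path -LiteralPath $AdmlPath)) { return $table }
    [xml]$adml = Get-Content -Raw -LiteralPath $AdmlPath
    foreach ($s in $adml.policyDefinitionResources.resources.stringTable.string) {
        $table[$s.GetAttribute('id')] = $s.InnerText
    }
    return $table
}

function Resolve-AdmxString {
    # displayName and explainText attributes in ADMX look like "$(string.SomeId)".
    param([string]$Ref, [hashtable]$Strings)
    if ($Ref -match '^\$\(string\.([^)]+)\)$' -and $Strings.ContainsKey($Matches[1])) {
        return $Strings[$Matches[1]]
    }
    return $Ref
}

function Get-AdmxPolicy {
    # One object per <policy> element across all ADMX files in the folder.
    param([string]$Root, [string]$Lang)
    foreach ($file in Get-ChildItem -LiteralPath $Root -Filter *.admx) {
        [xml]$admx = Get-Content -Raw -LiteralPath $file.FullName
        $strings = Get-AdmlStringTable -AdmlPath (Join-Path $Root "$Lang\$($file.BaseName).adml")
        foreach ($p in $admx.policyDefinitions.policies.policy) {
            $supported = $p.supportedOn          # child element; absent on a few policies
            $ref = ''
            if ($supported) { $ref = $supported.GetAttribute('ref') }
            [pscustomobject]@{
                File        = $file.Name
                Name        = $p.GetAttribute('name')
                Class       = $p.GetAttribute('class')   # Machine, User or Both
                DisplayName = Resolve-AdmxString -Ref $p.GetAttribute('displayName') -Strings $strings
                SupportedOn = $ref
                Key         = $p.GetAttribute('key')
                ValueName   = $p.GetAttribute('valueName')
            }
        }
    }
}

$all = @(Get-AdmxPolicy -Root $DefinitionRoot -Lang $Language)
$new = @($all | Where-Object { $_.SupportedOn -match $NewPattern })

'{0} policies parsed; {1} have a supportedOn reference matching "{2}"' -f $all.Count, $new.Count, $NewPattern
$new | Sort-Object File, DisplayName | Format-Table File, Class, DisplayName, SupportedOn -AutoSize
$all | Export-Csv -LiteralPath $OutFile -NoTypeInformation
```

A policy with class Both is emitted once, which matches the counting convention above. The Key and ValueName columns are the registry locations the policy writes to, which is what you need when you want to verify on a built image that a setting actually applied rather than trusting the GPMC report.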

Some of the new things we can do with Internet Explorer include:

  • Disable the password reveal button. This applies to all Windows components and applications that use Windows system controls, including Metro apps and IE10. By default in Windows 8 you get a password reveal button after typing a password; this makes passwords easier to type on tablet devices, but it also lets whoever is at the screen display the typed password in clear, which is worth turning off on shared or kiosk machines.
  • Turn on Enhanced Protected Mode. On 64-bit Windows this forces 64-bit IE, and it limits the locations IE can read from in the registry and file system. (Protected Mode in IE7/IE8/IE9 on Vista and later protected against writing, but not so much against reading.) Be aware that forcing 64-bit IE requires all necessary IE add-ons to be available as 64-bit components.
  • Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled. By default in IE10, when a site uses an ActiveX control that is incompatible with Enhanced Protected Mode, the user is notified and given the option to drop the site back to regular Protected Mode; enabling this policy removes that fallback.
  • Turn off Delete Browsing History on the Settings charm. Users can still use the desktop IE "Delete browsing history" (which can also be disabled via a separate policy).


  • Turn off URL Suggestions
  • Turn off the WebSocket Object. The WebSocket object allows websites to request data across domains from your browser by using the WebSocket protocol. This policy setting allows administrators to enable or disable the WebSocket object. This policy setting does not prevent client-side communication across domains via other features in Internet Explorer 10. Also, this policy setting does not prevent a site from requesting cross-domain data through a server.
  • Set the maximum number of WebSocket connections per server. This policy setting allows you to change the default limit of WebSocket connections per server. The default limit is 6; you can select a value from 2 through 128.
  • Prevent Internet Explorer from sending shared links to an online service. This policy setting prevents Internet Explorer from using webpage information retrieved from an online service when a user shares a hyperlink. Webpage information includes metadata about the link, such as a title, description, and image.
  • Set default storage limits for websites. This policy setting sets data storage limits for indexed database and application caches for individual websites. When you set this policy setting, you provide the cache limit, in MB.
  • Allow websites to store indexed databases on client computers. By default websites can store indexed databases. Enable this policy to prevent users from turning that off, or disable it to prevent websites from storing indexed databases on the client.
  • Set indexed database storage limits for individual domains. The default is 500 MB.
  • Set maximum indexed database storage limit for all domains. The default is 4GB.
  • Allow websites to store application caches on client computers. Enabled by default.
  • Set application cache storage limits for individual domains. Default is 50 MB.
  • Set maximum application cache storage limit for all domains. Default is 1 GB.
  • Set application caches expiration time limit for individual domains. Default is 30 days.
  • Set maximum application cache resource list size. Default is 1,000 resources.
  • Set maximum application cache individual resource size. Default is 50 MB.
  • Start Internet Explorer with tabs from last browsing session. If not configured IE starts with homepage.
  • Open Internet Explorer tiles on the desktop. If not configured, users choose.
  • Set how links are opened in Internet Explorer. Let Internet Explorer decide, always in Internet Explorer, or always in Internet Explorer on the desktop.
  • Install new versions of Internet Explorer automatically. Option to always enforce installation of new version of IE; or prevent automatic upgrade of IE.

    The rest of the new policies include:

    App Package Deployment (These are the new Metro style apps)

    • Allow all trusted apps to install. If you enable this policy setting, you can install any trusted app package. A trusted app package is one that is signed with a certificate chain that can be successfully validated by the local computer. This can include line-of-business app packages signed by the enterprise in addition to app packages that originate from the Windows Store. Note that "trusted" is decided by the computer's certificate stores, so which roots (and which enterprise CAs) the image trusts determines which packages this policy lets in.
    • Allow deployment operations in special profiles. Deployment operation refers to adding, registering, staging, updating or removing an app package. Special profiles refer to profiles with the following types: mandatory, super-mandatory, temporary or system. Local and roaming profiles are not special profiles. When the user is logged in to a guest account, the profile type is temporary.

    App runtime

    • Block launching desktop programs associated with a file. This policy setting allows you to minimize the risk involved when an app launches the default program for a file. Because desktop programs run at a higher integrity level than apps, there is a risk that an app could compromise the system by launching a file in a desktop program. If you enable this policy setting, Windows prevents apps from launching files that would open in a desktop program. When you enable this policy setting, apps may only launch files that can be opened by another app.
    • Block launching desktop programs associated with a protocol. Same as above, but based on the protocol instead, e.g. http://.

    Background Intelligent Transfer Service (BITS)

    • Set default download behavior for BITS jobs on costed networks

    This policy setting defines the default behavior that the Background Intelligent Transfer Service (BITS) uses for background transfers when the system is connected to a costed network (3G, etc.). Download behavior policies further limit the network usage of background transfers.

    If you enable this policy setting, you can define a default download policy for each BITS job priority. This setting does not override a download policy explicitly configured by the application that created the BITS job, but it does apply to jobs that are created by specifying only a priority.

    For example, you can specify that background jobs by default transfer only on uncosted network connections, while foreground jobs proceed only when not roaming. The values that can be assigned are:

    • Always transfer
    • Transfer unless roaming
    • Transfer unless surcharge applies (when not roaming or overcap)
    • Transfer unless nearing limit (when not roaming or nearing cap)
    • Transfer only if unconstrained
    • Custom: allows you to specify a bitmask in which the bits describe the cost states allowed or disallowed for this priority:
      • 0x1 – The cost is unknown or the connection is unlimited and is considered to be unrestricted by usage charges and capacity constraints.
      • 0x2 – The usage of this connection is unrestricted up to a certain data limit.
      • 0x4 – The usage of this connection is unrestricted up to a certain data limit and plan usage is less than 80 percent of the limit.
      • 0x8 – Usage of this connection is unrestricted up to a certain data limit and plan usage is between 80 percent and 100 percent of the limit.
      • 0x10 – Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. Surcharge applied or unknown.
      • 0x20 – Usage of this connection is unrestricted up to a certain data limit, which has been exceeded. No surcharge applies, but speeds are likely reduced.
      • 0x40 – The connection is costed on a per-byte basis.
      • 0x80 – The connection is roaming.
      • 0x80000000 – Ignore congestion.

    Personalization

    • Do not display the lock screen. If you enable this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see their selected tile after locking their PC. If you disable or do not configure this policy setting, users that are not required to press CTRL + ALT + DEL before signing in will see a lock screen after locking their PC. They must dismiss the lock screen using touch, the keyboard, or by dragging it with the mouse.
    • Prevent changing lock screen image
    • Prevent changing start menu background

    Logon

    • Turn off PIN logon and picture password logon

    Device and Driver Compatibility

    • Device compatibility settings. Enabled/Disabled/Not Configured. (Currently lacks explanation)
    • Driver compatibility settings. Enabled/Disabled/Not Configured. (Currently lacks explanation)

    DNS Client

    • Turn off smart multi-homed name resolution. Specifies that a multi-homed DNS client should optimize name resolution across networks. The setting improves performance by issuing parallel DNS, link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT) queries across all networks. In the event that multiple positive responses are received, the network binding order is used to determine which response to accept. If you enable this policy setting, the DNS client will not perform any optimizations. DNS queries will be issued across all networks first. LLMNR queries will be issued if the DNS queries fail, followed by NetBT queries if LLMNR queries fail. If you disable this policy setting, or if you do not configure this policy setting, name resolution will be optimized when issuing DNS, LLMNR and NetBT queries. From a hardening angle, enabling this keeps DNS first and makes LLMNR and NetBT fallbacks only, rather than racing them in parallel across every attached network.

    • Turn off smart protocol reordering. Specifies that the DNS client should prefer responses from link local name resolution protocols on non-domain networks over DNS responses when issuing queries for flat names. Examples of link local name resolution protocols include link local multicast name resolution (LLMNR) and NetBIOS over TCP/IP (NetBT). If you enable this policy setting, the DNS client will prefer DNS responses, followed by LLMNR, followed by NetBT for all networks. If you disable this policy setting, or if you do not configure this policy setting, the DNS client will prefer link local responses for flat name queries on non-domain networks.
      Note: This policy setting is applicable only if the "Turn off smart multi-homed name resolution" policy setting is disabled or not configured.

    • Allow NetBT queries for fully qualified domain names. Specifies that NetBIOS over TCP/IP (NetBT) queries are issued for fully qualified domain names. If you enable this policy setting, NetBT queries will be issued for multi-label and fully qualified domain names such as 'www.example.com' in addition to single-label names. If you disable this policy setting, or if you do not configure this policy setting, NetBT queries will only be issued for single-label names such as 'example' and not for multi-label and fully qualified domain names.
    • Turn off IDN encoding. Specifies whether the DNS client should convert internationalized domain names (IDNs) to Punycode when the computer is on non-domain networks with no WINS servers configured. If this policy setting is enabled, IDNs are not converted to Punycode. If this policy setting is disabled, or if this policy setting is not configured, IDNs are converted to Punycode when the computer is on non-domain networks with no WINS servers configured.
    • IDN mapping. Specifies whether the DNS client should convert internationalized domain names (IDNs) to the Nameprep form, a canonical Unicode representation of the string. If this policy setting is enabled, IDNs are converted to the Nameprep form. If this policy setting is disabled, or if this policy setting is not configured, IDNs are not converted to the Nameprep form.

    Desktop Window Manager

    • Use solid color for Start background. Note: If this policy setting is enabled, users can continue to select a color in Start Personalization. However, setting the accent will have no effect.

    IME

    • Turn on misconversion logging for misconversion report. By default such logging is off. Applies to Japanese Microsoft IME and Simplified Chinese Microsoft Pinyin.
    • Turn off Internet search integration. If you enable this policy setting, you cannot add a new search integration configuration file.  A search integration configuration file that was installed before enabling this policy setting is not used. Applies to Japanese Microsoft IME, Simplified Chinese Microsoft Pinyin, and Traditional Chinese New Phonetic.
    • Turn off custom dictionary. This policy setting is applied to Japanese Microsoft IME and Simplified Chinese Microsoft Pinyin.
    • Restrict character code range of conversion. If you enable this policy setting, then only the character code ranges specified by this policy setting are used for conversion of IME.  This policy setting applies to Japanese Microsoft IME only. Requires logoff.
    • Do not include Non-Publishing Standard Glyph in the candidate list

    Edge UI

    • Turn off Backstack. If you enable this setting, apps will not be tracked in the Backstack. The Backstack settings in the Modern settings page will be disabled as well. If you disable or do not configure this policy setting, apps will be tracked in the Backstack as configured.
    • Turn off tracking of app usage. This policy setting prevents Windows from keeping track of the apps that are used and searched most frequently. If you enable this policy setting, apps will be sorted alphabetically in:
        • search results
        • the Search and Share panes
        • the drop-down app list in the Picker

      If you disable or don’t configure this policy setting, Windows will keep track of the apps that are used and searched most frequently. Most frequently used apps will appear at the top.

    Portable Operating System

    • Windows To Go Default Startup Options. This policy setting controls whether the PC will boot to Windows To Go if a USB device containing a Windows To Go workspace is connected, and controls whether users can make changes using the Windows To Go Startup Options Control Panel item. If you enable this setting, booting to Windows To Go when a USB device is connected will be enabled, and users will not be able to make changes using the Windows To Go Startup Options Control Panel item. If you disable this setting, booting to Windows To Go when a USB device is connected will not be enabled unless a user configures the option manually in the BIOS or other boot order configuration. If you do not configure this setting, users who are members of the Administrators group can make changes using the Windows To Go Startup Options Control Panel item.
    • Allow hibernate (S4) when starting from a Windows To Go workspace
    • Allow standby sleep states (S1-S3) when starting from a Windows To Go workspace

    Folder Redirection

    • Do not automatically make specific redirected folders available offline

    This policy setting allows you to control whether redirected shell folders, such as Contacts, Documents, Desktop, Favorites, Music, Pictures, Videos, Start Menu, and AppData\Roaming, are available offline by default. If you enable this policy setting, the folder GUIDs for the specific folders that should not be made available offline must be specified. The folder name to folder GUID mapping is as follows:

    • AppData(Roaming): {3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}
    • Desktop: {B4BFCC3A-DB2C-424C-B029-7FE99A87C641}
    • Start Menu: {625B53C3-AB48-4EC1-BA1F-A1EF4146FC19}
    • Documents: {FDD39AD0-238F-46AF-ADB4-6C85480369C7}
    • Pictures: {33E28130-4E1E-4676-835A-98395C3BC3BB}
    • Music: {4BD8D571-6D19-48D3-BE97-422220080E43}
    • Videos: {18989B1D-99B5-455B-841C-AB7C74E4DDFC}
    • Favorites: {1777F761-68AD-4D8A-87BD-30B759FA33DD}
    • Contacts: {56784854-C6CB-462b-8169-88E350ACB882}
    • Downloads: {374DE290-123F-4565-9164-39C4925E467B}
    • Links: {BFB9D5E0-C6A9-404C-B2B2-AE6DB6AF4968}
    • Searches: {7D1D3A04-DEBB-4115-95CF-2F29DA2920DA}
    • Saved Games: {4C5C32FF-BB9D-43B0-B5B4-2D72E54EAAA4}

    For the folders affected by this setting, users must manually select the files they wish to make available offline. If you disable or do not configure this policy setting, redirected shell folders are automatically made available offline. All subfolders within the redirected folders are also made available offline.

    Note: This policy setting does not prevent files from being automatically cached if the network share is configured for ‘Automatic Caching’, nor does it affect the availability of the ‘Always available offline’ menu option in the user interface.

    Note: The configuration of any valid folder GUIDs in this policy will override the configured value of ‘Do not automatically make all redirected folders available offline’.

    • Enable optimized move of contents in Offline Files cache on Folder Redirection server path change. This policy setting controls whether the contents of redirected folders is copied from the old location to the new location or simply renamed in the Offline Files cache when a folder is redirected to a new location. If you enable this policy setting, when the path to a redirected folder is changed from one network location to another and Folder Redirection is configured to move the content to the new location, instead of copying the content to the new location, the cached content is renamed in the local cache and not copied to the new location. To use this policy setting, you must move or restore the server content to the new network location using a method that preserves the state of the files, including their timestamps, before updating the Folder Redirection location. If you disable or do not configure this policy setting, when the path to a redirected folder is changed and Folder Redirection is configured to move the content to the new location, Windows copies the contents of the local cache to the new network location, then deletes the content from the old network location.
    • Redirect folders on primary computers only. This policy setting controls whether folders are redirected on a user's primary computers only. This policy setting is useful to improve logon performance and to increase security for user data on computers where the user might not want to download private data, such as on a meeting room computer or on a computer in a remote office. To designate a user's primary computers, an administrator must use management software or a script to add primary computer attributes to the user's account in Active Directory Domain Services (AD DS). This policy setting also requires the Windows Server 8 Beta version of the Active Directory schema to function. If you enable this policy setting and the user has redirected folders, such as the Documents and Pictures folders, the folders are redirected on the user's primary computer only. If you disable or do not configure this policy setting and the user has redirected folders, the folders are redirected on every computer that the user logs on to. Note: If you enable this policy setting in both Computer Configuration and User Configuration, the Computer Configuration policy setting takes precedence.

    Group Policy

    • Turn off Group Policy Client Service AOAC optimization. This policy setting prevents the Group Policy Client Service from stopping when idle.

    • Specify workplace connectivity wait time for policy processing. This policy setting specifies how long Group Policy should wait for workplace connectivity notifications during startup policy processing. If the startup policy processing is synchronous, the computer is blocked until workplace connectivity is available or the wait time is reached. If the startup policy processing is asynchronous, the computer is not blocked and policy processing will occur in the background. In either case, configuring this policy setting overrides any system-computed wait times. If you enable this policy setting, Group Policy uses this administratively configured maximum wait time for workplace connectivity, and overrides any default or system-computed wait time. If you disable or do not configure this policy setting, Group Policy will use the default wait time of 60 seconds on computers running Windows operating systems greater than Windows 7 configured for workplace connectivity.

    Internet Management Settings

    • Turn off access to the Store. This policy setting specifies whether to use the Store service for finding an application to open a file with an unhandled file type or protocol association. When a user opens a file type or protocol that is not associated with any applications on the computer, the user is given the choice to select a local application or use the Store service to find an application. If you enable this policy setting, the 'Look for an app in the Store' item in the Open With dialog is removed. If you disable or do not configure this policy setting, the user is allowed to use the Store service and the Store item is available in the Open With dialog.

    KDC

    • Support Dynamic Access Control and Kerberos armoring

    This policy setting allows you to configure a domain controller to support Dynamic Access Control (DAC) and Kerberos armoring using Kerberos authentication. If you enable this policy setting, client computers in the domain that are DAC and Kerberos armor-aware will use this feature for Kerberos authentication messages. This policy should be applied to all domain controllers to ensure consistent application in the domain. Whether the feature is effective, however, depends on deploying enough DAC and Kerberos armor-aware domain controllers to handle the authentication requests: too few domain controllers supporting this policy results in authentication failures whenever DAC or Kerberos armoring is required. If you configure 'Supported', the domain controller supports claims, compound identity and Kerberos armoring, and advertises to client computers that the domain is capable of Dynamic Access Control and Kerberos armoring. For the following options, when the domain functional level is Windows Server 2008 R2 or earlier, domain controllers behave as if 'Supported' were selected until the domain functional level is raised to Windows Server 8. When the domain functional level is Windows Server 8:

    • If you set the 'Always provide claims' option, domain controllers will also always return claims for accounts and support the RFC behavior for advertising flexible authentication secure tunneling (FAST).
    • If you set the 'Fail unarmored authentication requests' option, domain controllers will also reject unarmored Kerberos messages.
    • Warning: When 'Fail unarmored authentication requests' is set, client computers which do not support Kerberos armoring will fail to authenticate.

    Impact on domain controller performance when this policy setting is enabled:

    • Secure domain capability discovery is required resulting in additional message exchanges.
    • Dynamic Access Control increases the size and complexity of the data in the message which results in more processing time and greater Kerberos service ticket size.
    • Kerberos armoring fully encrypts Kerberos messages and signs Kerberos errors which results in increased processing time.

    If you disable or do not configure this policy setting, or enable this setting and configure the ‘Not supported’ option, the domain controller does not support claims, compound identity or armoring.

    • Warning for large Kerberos tickets. This policy setting allows you to monitor tickets issued during Kerberos authentication whose size is close to or greater than a configured threshold value. The ticket size warnings are logged in the System log. If you enable this policy setting, you can set the threshold limit above which warnings will be reported. If set too high, then warnings related to authentication failures might be missed. If set too low, then you might see too many ticket warnings in the log to be useful for analysis. If you disable or do not configure this policy setting, the threshold value defaults to 12,000 bytes, which is the default Kerberos MaxTokenSize for Windows 7, Windows Server 2008 R2 and prior versions.

    Kerberos

    • Specify KDC proxy servers for Kerberos clients. This policy setting allows you to specify KDC proxy servers for DNS suffix names.
    • Disable revocation checking for the SSL certificate of KDC proxy servers
    • Fail authentication requests when Kerberos armoring is not available. If you enable this policy setting, client computers in the domain refuse to authenticate without armoring, so they will fail against domains and domain controllers that do not support it. If you disable or do not configure this policy setting, client computers in the domain use Kerberos armoring whenever the target domain supports it.
    • Support authorization with client device information

    Lanman Server

    • Hash Version support for BranchCache. This policy setting specifies whether the BranchCache hash generation service supports version 1 (V1) hashes, version 2 (V2) hashes, or both V1 and V2 hashes. Hashes, also called content information, are created based on the data in shared folders where BranchCache is enabled.

    Logon

    • Do not enumerate connected users on domain-joined computers. If you enable this policy setting, the Logon UI will not enumerate any connected users on domain-joined computers. If you disable or do not configure this policy setting, connected users will be enumerated on domain-joined computers.
    • Turn off app notifications on the lock screen
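The Logon, DNS Client, Internet Management, App Package Deployment, Internet Explorer and KDC items above are the ones I would actually want to verify on a built image, so here is an added PowerShell audit (my code, not from the original post or from Microsoft) that reads the registry values Group Policy writes for them and compares them to a baseline. The policy-to-registry mappings and the Expected values are my assumptions taken from reading the ADMX files; verify them against your own PolicyDefinitions before relying on the output.

```powershell
# Added example, not part of the original post or of Microsoft's tooling: audit the locally
# applied state of several security-relevant Windows 8 policies by reading the registry
# values Group Policy writes for them. The policy-to-registry mappings are my reading of
# the ADMX files and are assumptions to verify against your own PolicyDefinitions; the
# Expected values describe a locked-down baseline, adjust them to your own policy.
$checks = @(
    @{ Policy = 'Disable the password reveal button'; Scope = 'Client'; AbsentOk = $false
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI'; ValueName = 'DisablePasswordReveal'; Expected = 1 }
    @{ Policy = 'Turn on Enhanced Protected Mode'; Scope = 'Client'; AbsentOk = $false
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main'; ValueName = 'Isolation'; Expected = 'PMEM' }
    @{ Policy = 'Allow all trusted apps to install (sideloading off unless intended)'; Scope = 'Client'; AbsentOk = $true
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'; ValueName = 'AllowAllTrustedApps'; Expected = 0 }
    @{ Policy = 'Turn off smart multi-homed name resolution'; Scope = 'Client'; AbsentOk = $false
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'; ValueName = 'DisableSmartNameResolution'; Expected = 1 }
    @{ Policy = 'Turn off access to the Store (Open With)'; Scope = 'Client'; AbsentOk = $false
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer'; ValueName = 'NoUseStoreOpenWith'; Expected = 1 }
    @{ Policy = 'Do not enumerate connected users on domain-joined computers'; Scope = 'Client'; AbsentOk = $false
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; ValueName = 'DontEnumerateConnectedUsers'; Expected = 1 }
    @{ Policy = 'Turn off app notifications on the lock screen'; Scope = 'Client'; AbsentOk = $false
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'; ValueName = 'DisableLockScreenAppNotifications'; Expected = 1 }
    @{ Policy = 'KDC: support Dynamic Access Control and Kerberos armoring'; Scope = 'DC'; AbsentOk = $false
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'; ValueName = 'EnableCbacAndArmor'; Expected = 1 }
    @{ Policy = 'KDC: level (1 Supported, 2 Always provide claims, 3 Fail unarmored requests)'; Scope = 'DC'; AbsentOk = $false
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC\Parameters'; ValueName = 'CbacAndArmorLevel'; Expected = 1 }
)

function Get-PolicyValue {
    # Returns $null when the key or the value is absent, i.e. the policy is not applied locally.
    param([string]$Path, [string]$ValueName)
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Test-Win8Policy {
    param([hashtable[]]$Checks)
    # KDC settings only mean something on a domain controller (DomainRole 4 = backup DC, 5 = primary DC).
    $isDc = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole -ge 4
    foreach ($c in $Checks) {
        if ($c.Scope -eq 'DC' -and -not $isDc) { continue }
        $actual = Get-PolicyValue -Path $c.Path -ValueName $c.ValueName
        if ($null -eq $actual) {
            $shown  = 'Not configured'
            $status = if ($c.AbsentOk) { 'OK (default)' } else { 'REVIEW' }
        } else {
            $shown  = $actual
            $status = if ("$actual" -eq "$($c.Expected)") { 'OK' } else { 'REVIEW' }
        }
        [pscustomobject]@{
            Policy    = $c.Policy
            ValueName = $c.ValueName
            Expected  = $c.Expected
            Actual    = $shown
            Status    = $status
        }
    }
}

Test-Win8Policy -Checks $checks | Format-Table Policy, Expected, Actual, Status -AutoSize -Wrap
```

Run it on the target machine after a gpupdate. AbsentOk is set only for the sideloading policy, because "Not configured" there already means Store-only installs; for everything else an absent value means the policy never reached the machine, which is the case you want flagged.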

    Network Connectivity Status Indicator

    • Specify passive polling. This policy setting enables you to specify passive polling behavior. NCSI polls various measurements throughout the network stack on a frequent interval to determine if network connectivity has been lost. Use the options to control the passive polling behavior.

    DC Locator DNS Records

    • Do not use NetBIOS-based discovery for domain controller location when DNS-based discovery fails

    Network Isolation

    • Internet proxy servers for Metro style apps
    • Intranet proxy servers for Metro style apps
    • Private network ranges for Metro style apps
    • Proxy definitions are authoritative. Turns off Windows Network Isolation’s automatic proxy discovery in the domain corporate environment. If you enable this policy setting, it turns off Windows Network Isolation’s automatic proxy discovery in the domain corporate environment. Only proxies configured with Group Policy are authoritative. This applies to both Internet and intranet proxies. If you disable or do not configure this policy setting, Windows Network Isolation attempts to automatically discover your proxy server addresses.
    • Subnet definitions are authoritative. Turns off Windows Network Isolation's automatic discovery of private network hosts in the domain corporate environment.

    Offline Files

    • Enable file synchronization on costed networks

    Application Compatibility Diagnostics

    • Detect compatibility issues for applications and drivers. This policy setting configures the Program Compatibility Assistant (PCA) to diagnose failures with application and driver compatibility. If you enable this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. When failures are detected, the PCA will provide options to run the application in a compatibility mode or get help online through a Microsoft website. If you disable this policy setting, the PCA does not detect compatibility issues for applications and drivers. If you do not configure this policy setting, the PCA is configured to detect failures during application installation, failures during application runtime, and drivers blocked due to compatibility issues. Note: This policy setting has no effect if the ‘Turn off Program Compatibility Assistant’ policy setting is enabled. The Diagnostic Policy Service (DPS) and Program Compatibility Assistant Service must be running for the PCA to run. These services can be configured by using the Services snap-in to the Microsoft Management Console.

    BranchCache

    • Enable Automatic Hosted Cache Discovery by Service Connection Point
    • Configure Hosted Cache Servers
    • Set age for segments in the data cache

    Printers

    • Isolate print drivers from applications. Determines if print driver components are isolated from applications instead of normally loading them into applications. Isolating print drivers greatly reduces the risk of a print driver failure causing an application crash. Not all applications support driver isolation. By default, Microsoft Excel 2007, Excel 2010, Word 2007, Word 2010 and certain other applications are configured to support it. Other applications may also be capable of isolating print drivers, depending on whether they are configured for it. If you enable or do not configure this policy setting, then applications that are configured to support driver isolation will be isolated.

    • Always rasterize content to be printed using a software rasterizer
    • Do not allow v4 printer drivers to show printer extensions
    • Change Microsoft XPS Document Writer (MXDW) default output format to the legacy Microsoft XPS format (*.xps)

    SettingSync

    • Do not synchronize user settings. Prevent user settings roaming for this computer.
    • Do not synchronize user application settings
    • Do not synchronize user credentials
    • Do not synchronize user personalization settings
    • Do not synchronize user Windows settings
    • Do not synchronize user desktop themes
    • Do not synchronize user web browser settings

    FCI

    • File Classification Infrastructure: Display Classification tab in Windows Explorer. The Classification tab enables users to manually classify files by selecting properties from a list. Administrators can define the properties for the organization by using Group Policy, and supplement these with properties defined on individual file servers by using File Classification Infrastructure, which is part of the File Server Resource Manager role service. If you enable this policy setting, the Classification tab is displayed. If you disable or do not configure this policy setting, the Classification tab is hidden.
    • File Classification Infrastructure: Specify Classification Properties List

    ADR

    • Access Denied Remediation configuration for Access Denied errors. This policy setting specifies the message that users see when they are denied access to a file or folder. You can customize the Access Denied message to include additional text and links. You can also provide users with the ability to send an email to request access to the file or folder to which they were denied access.

    Start Menu

    • Clear history of tile notifications on exit
    • Prevent users from uninstalling applications from Start
    • Do not show the Start Menu when the user logs in. (Applied to Windows Server 8 Beta with Desktop Experience installed only)
    • Show ‘Run as different user’ command on Start
    • Do not allow taskbars on more than one display

    Remote Session Environment

    • Configure RemoteFX lossless graphics. Allows the administrator to configure RemoteFX graphics for Remote Desktop Session Host or Remote Desktop Virtualization Host servers to be lossless.
    • Configure RemoteFX Adaptive Graphics. This policy setting allows the administrator to configure the RemoteFX experience for Remote Desktop Session Host or Remote Desktop Virtualization Host servers. By default, the system will choose the best experience based on available network bandwidth. If you enable this policy setting, the RemoteFX experience can be set to one of the following options:

    1. Let the system choose the experience for the network condition
    2. Optimize for experience (balanced)
    3. Optimize to use minimum network bandwidth

    RemoteApp and Desktop Connections

    • Specify default connection URL. If you enable this policy setting, the specified URL is configured as the default connection URL for the user and replaces any existing connection URL. The user cannot change the default connection URL. The user’s default logon credentials are used when setting up the default connection URL.

    Connections

    • Turn Off UDP On Server. This policy setting specifies whether the UDP protocol will be used for Remote Desktop Protocol access to this server. If you enable this policy setting, Remote Desktop Protocol traffic to this server will only use the TCP protocol. If you disable or do not configure this policy setting, Remote Desktop Protocol traffic to this server will use both the TCP and UDP protocols.
    • Turn Off Network Detection On Server. This policy setting specifies whether the Remote Desktop Protocol will try to detect the network quality (bandwidth and latency). If you enable this policy setting, you must select one of the following: Connect Time Network Detect, Continuous Network Detect, or Connect Time Detect and Continuous Network Detect. If you select Connect Time Network Detect, Remote Desktop Protocol will not try to determine the network quality at connect time, and it will assume all traffic to this server originates from a low speed connection. If you select Continuous Network Detect, Remote Desktop Protocol will not try to adapt to changing network quality. If you select Connect Time Detect and Continuous Network Detect, Remote Desktop Protocol will not try to determine the network quality at connect time, it will assume all traffic to this server originates from a low speed connection, and it will not try to adapt to changing network quality. If you disable or do not configure this policy setting, Remote Desktop Protocol will spend up to a few seconds trying to determine the network quality prior to the connection, and it will continuously try to adapt to the network quality.

    Trusted Platform Module Services

    • Configure the level of TPM owner authorization information available to the operating system.

    This policy setting configures how much of the TPM owner authorization information is stored in the registry of the local computer. Depending on the amount of TPM owner authorization information stored locally, the operating system and TPM-based applications can perform certain TPM actions which require TPM owner authorization without requiring the user to enter the TPM owner password.

    You can choose to have the operating system store either the full TPM owner authorization value, the TPM administrative delegation blob plus the TPM user delegation blob, or none.

    If you enable this policy setting, Windows will store the TPM owner authorization in the registry of the local computer according to the operating system managed TPM authentication setting you choose.

    Choose the operating system managed TPM authentication setting of ‘Full’ to store the full TPM owner authorization, the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting allows use of the TPM without requiring remote or external storage of the TPM owner authorization value. This setting is appropriate for scenarios which do not depend on preventing reset of the TPM anti-hammering logic or changing the TPM owner authorization value. Some TPM-based applications may require this setting be changed before features which depend on the TPM anti-hammering logic can be used.

    Choose the operating system managed TPM authentication setting of ‘Delegated’ to store only the TPM administrative delegation blob and the TPM user delegation blob in the local registry. This setting is appropriate for use with TPM-based applications that depend on the TPM anti-hammering logic. External or remote storage of the full TPM owner authorization value, for example by backing up the value to Active Directory Domain Services (AD DS), is recommended when using this setting.

    Choose the operating system managed TPM authentication setting of ‘None’ for compatibility with previous operating systems and applications or for use with scenarios that require TPM owner authorization not be stored locally. Using this setting might cause issues with some TPM-based applications.

    If this policy setting is disabled or not configured and the ‘Turn on TPM backup to Active Directory Domain Services’ policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured and the ‘Turn on TPM backup to Active Directory Domain Services’ group policy setting is enabled, then only the administrative delegation and the user delegation blobs are stored in the local registry.

    Note: If the operating system managed TPM authentication setting is changed from ‘Full’ to ‘Delegated’ the full TPM owner authorization value will be regenerated and any copies of the original TPM owner authorization value will be invalid. If you are backing up the TPM owner authorization value to AD DS, the new owner authorization value will be automatically backed up to AD DS when it is changed.

    • Standard User Individual Lockout Threshold

    This policy setting allows you to manage the maximum number of authorization failures for all standard users for the Trusted Platform Module (TPM). If the total number of authorization failures for all standard users within the duration for Standard User Lockout Duration equals this value, all standard users are prevented from sending commands to the Trusted Platform Module (TPM) that require authorization.

    This setting helps administrators prevent the TPM hardware from entering a lockout mode because it limits the rate at which standard users can send commands requiring authorization to the TPM.

    An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored.

    For each standard user two thresholds apply. Exceeding either threshold will prevent the standard user from sending a command to the TPM that requires authorization.

    The Standard User Individual Lockout value is the maximum number of authorization failures each standard user may have before the user is not allowed to send commands requiring authorization to the TPM.

    This value is the maximum total number of authorization failures all standard users may have before all standard users are not allowed to send commands requiring authorization to the TPM.

    The TPM is designed to protect itself against password guessing attacks by entering a hardware lockout mode when it receives too many commands with an incorrect authorization value. When the TPM enters a lockout mode it is global for all users including administrators and Windows features like BitLocker Drive Encryption. The number of authorization failures a TPM allows and how long it stays locked out vary by TPM manufacturer. Some TPMs may enter lockout mode for successively longer periods of time with fewer authorization failures depending on past failures. Some TPMs may require a system restart to exit the lockout mode. Other TPMs may require the system to be on so enough clock cycles elapse before the TPM exits the lockout mode.

    An administrator with the TPM owner password may fully reset the TPM’s hardware lockout logic using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM’s hardware lockout logic all prior standard user TPM authorization failures are ignored, allowing standard users to use the TPM normally again immediately.

    If this value is not configured, a default value of 9 is used.

    A value of zero means the OS will not allow standard users to send commands to the TPM which may cause an authorization failure.
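To see how the two TPM policies above land on a machine, here is an added PowerShell audit (example code, not from the original post) that reads the configured owner-authorization level and standard-user thresholds and compares them with the live TPM state. It assumes the Get-Tpm cmdlet from the TrustedPlatformModule module (Windows 8 / Server 2012 and later) and the TPM.admx registry value names OSManagedAuthLevel, ActiveDirectoryBackup and StandardUserAuthorizationFailure*Threshold under HKLM\SOFTWARE\Policies\Microsoft\TPM; confirm those names against the TPM.admx on your own build.

```powershell
# Added example (not from the original post): audit TPM owner-authorization
# policy and standard-user lockout thresholds against the live TPM state.
# Assumed: Get-Tpm (TrustedPlatformModule module) and the TPM.admx registry
# value names below; verify them against C:\Windows\PolicyDefinitions\TPM.admx.

$TpmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\TPM'

# OSManagedAuthLevel encoding as I understand TPM.admx (assumed mapping).
$AuthLevelNames = @{ 0 = 'None'; 2 = 'Delegated'; 4 = 'Full' }

function Get-TpmPolicyAudit {
    [CmdletBinding()]
    param()

    $policy = Get-ItemProperty -Path $TpmPolicyKey -ErrorAction SilentlyContinue
    $tpm    = Get-Tpm

    # Effective level: explicit policy, else the defaults stated in the policy text.
    $adBackup = ($null -ne $policy -and [int]$policy.ActiveDirectoryBackup -eq 1)
    if ($null -ne $policy -and $null -ne $policy.OSManagedAuthLevel) {
        $configured = $AuthLevelNames[[int]$policy.OSManagedAuthLevel]
    } elseif ($adBackup) {
        $configured = 'Delegated (default when AD DS backup is enabled)'
    } else {
        $configured = 'Full (default when not configured)'
    }

    $findings = New-Object System.Collections.Generic.List[string]

    # Delegated keeps only the delegation blobs locally, so without an external
    # copy of the full owner authorization nobody can reset the anti-hammering logic.
    if ($tpm.ManagedAuthLevel -eq 'Delegated' -and -not $adBackup) {
        $findings.Add('ManagedAuthLevel is Delegated but TPM backup to AD DS is off; store the full owner authorization externally.')
    }
    # Full stores the whole owner authorization value in the local registry.
    if ($tpm.ManagedAuthLevel -eq 'Full') {
        $findings.Add('Full owner authorization is stored in the local registry; acceptable only where anti-hammering reset protection is not needed.')
    }

    # Standard-user thresholds; the policy text gives 9 as the default total.
    $total = 9
    if ($policy -and $null -ne $policy.StandardUserAuthorizationFailureTotalThreshold) {
        $total = [int]$policy.StandardUserAuthorizationFailureTotalThreshold
    }
    $individual = $null
    if ($policy -and $null -ne $policy.StandardUserAuthorizationFailureIndividualThreshold) {
        $individual = [int]$policy.StandardUserAuthorizationFailureIndividualThreshold
    }

    if ($total -eq 0) {
        $findings.Add('Total threshold is 0: standard users cannot send any TPM command that might fail authorization.')
    }
    # Heuristic: the OS-level threshold only protects the TPM if it trips before
    # the hardware lockout maximum the TPM itself reports.
    if ($tpm.LockoutMax -gt 0 -and $total -ge $tpm.LockoutMax) {
        $findings.Add("Total threshold ($total) is not below the TPM hardware lockout maximum ($($tpm.LockoutMax)); standard users could still drive the TPM into hardware lockout.")
    }
    if ($tpm.LockedOut) {
        $findings.Add('TPM is in hardware lockout; all users and BitLocker are affected until an administrator resets it (tpm.msc, owner password required).')
    }

    [pscustomobject]@{
        TpmPresent           = $tpm.TpmPresent
        TpmReady             = $tpm.TpmReady
        ManagedAuthLevel     = $tpm.ManagedAuthLevel
        PolicyAuthLevel      = $configured
        AdDsBackupEnabled    = $adBackup
        TotalThreshold       = $total
        IndividualThreshold  = $individual
        HardwareLockoutCount = $tpm.LockoutCount
        HardwareLockoutMax   = $tpm.LockoutMax
        LockedOut            = $tpm.LockedOut
        Findings             = $findings.ToArray()
    }
}

# Run from an elevated PowerShell session on a TPM-equipped machine.
Get-TpmPolicyAudit | Format-List
```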

    User Profiles

    • User management of sharing user name, account picture, and domain information with metro-styled apps

    This setting prevents users from managing the ability to allow apps to access the user name, account picture, and domain information.

    If you enable this policy setting, sharing of user name, picture and domain information may be controlled by setting one of the following options:

    ‘Always on’ – users will not be able to change this setting and the user’s name and account picture will be shared with metro-style apps. In addition metro-style apps that have the enterprise authentication capability will also be able to retrieve the user’s UPN, SIP/URI, and DNS.

    ‘Always off’ – users will not be able to change this setting and the user’s name and account picture will not be shared with metro-style apps. In addition metro-style apps that have the enterprise authentication capability will not be able to retrieve the user’s UPN, SIP/URI, and DNS. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources.

    If you do not configure or disable this policy the user will have full control over this setting and can turn it off and on. Selecting this option may have a negative impact on certain enterprise software and/or line of business apps that depend on the domain information protected by this setting to connect with network resources if users choose to turn the setting off.

    BitLocker Drive Encryption

    • Choose drive encryption method and cipher strength. If you disable or do not configure this policy setting, BitLocker will use AES with the same bit strength (128-bit or 256-bit) as the ‘Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)’ policy setting, if it is set. If neither policy is set, BitLocker will use the default encryption method of AES 128-bit or the encryption method specified by the setup script.
    • Configure use of passwords for operating system drives. This policy setting specifies the constraints for passwords used to unlock BitLocker-protected operating system drives. If non-TPM protectors are allowed on operating system drives, you can provision a password, enforce complexity requirements on the password, and configure a minimum length for the password. For the complexity requirement setting to be effective, the Group Policy setting ‘Password must meet complexity requirements’ located in Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\ must also be enabled. Note: These settings are enforced when turning on BitLocker, not when unlocking a volume. BitLocker will allow unlocking a drive with any of the protectors available on the drive.

    • Disallow standard users from changing the PIN or password
    • Use enhanced Boot Configuration Data validation profile
    • Enforce drive encryption type on operating system drives. This policy setting is applied when you turn on BitLocker. Changing the encryption type has no effect if the drive is already encrypted or if encryption is in progress. Choose full encryption to require that the entire drive be encrypted when BitLocker is turned on. Choose used space only encryption to require that only the portion of the drive used to store data is encrypted when BitLocker is turned on.

    • Allow network unlock at startup. This policy setting controls whether a BitLocker-protected computer that is connected to a trusted wired Local Area Network (LAN) and joined to a domain can create and use Network Key Protectors on TPM-enabled computers to automatically unlock the operating system drive when the computer is started.

      If you enable this policy, clients configured with a BitLocker Network Unlock certificate will be able to create and use Network Key Protectors.

      To use a Network Key Protector to unlock the computer, both the computer and the BitLocker Drive Encryption Network Unlock server must be provisioned with a Network Unlock certificate. The Network Unlock certificate is used to create Network Key Protectors, and protects the information exchanged with the server to unlock the computer. You can use the group policy setting ‘Computer Configuration\Windows Settings\Security Settings\Public Key Policies\BitLocker Drive Encryption Network Unlock Certificate’ on the domain controller to distribute this certificate to computers in your organization. This unlock method uses the TPM on the computer, so computers that do not have a TPM cannot create Network Key Protectors to automatically unlock with Network Unlock.

      If you disable or do not configure this policy setting, BitLocker clients will not be able to create and use Network Key Protectors.

      Note: For reliability and security, computers should also have a TPM startup PIN that can be used when the computer is disconnected from the wired network or the server at startup.

    • Configure TPM platform validation profile for native UEFI firmware configurations

    This policy setting allows you to configure how the computer’s Trusted Platform Module (TPM) security hardware secures the BitLocker encryption key. This policy setting does not apply if the computer does not have a compatible TPM or if BitLocker has already been turned on with TPM protection.

    Important: This group policy only applies to computers with a native UEFI firmware configuration. Computers with BIOS or UEFI firmware with a Compatibility Service Module (CSM) enabled store different values into the Platform Configuration Registers (PCRs). Use the ‘Configure TPM platform validation profile for BIOS-based firmware configurations’ group policy setting to configure the TPM PCR profile for computers with BIOS configurations or computers with UEFI firmware with a CSM enabled.

    If you enable this policy setting before turning on BitLocker, you can configure the boot components that the TPM will validate before unlocking access to the BitLocker-encrypted operating system drive. If any of these components change while BitLocker protection is in effect, the TPM will not release the encryption key to unlock the drive and the computer will instead display the BitLocker Recovery console and require that either the recovery password or recovery key be provided to unlock the drive.

    If you disable or do not configure this policy setting, BitLocker uses the default platform validation profile or the platform validation profile specified by the setup script. A platform validation profile consists of a set of Platform Configuration Register (PCR) indices ranging from 0 to 23. The default platform validation profile secures the encryption key against changes to the core system firmware executable code (PCR 0), extended or pluggable executable code (PCR 2), boot manager (PCR 4), and the BitLocker access control (PCR 11).

    Warning: Changing from the default platform validation profile affects the security and manageability of your computer. BitLocker’s sensitivity to platform modifications (malicious or authorized) is increased or decreased depending upon inclusion or exclusion (respectively) of the PCRs. Specifically, setting this policy with PCR 7 omitted will override the ‘Allow Secured Boot for integrity validation’ group policy, preventing BitLocker from using Secured Boot for platform or Boot Configuration Data (BCD) integrity validation.

    • Configure use of hardware-based encryption for operating system drives

    This policy setting allows you to manage BitLocker’s use of hardware-based encryption on operating system drives and specify which encryption algorithms it can use with hardware-based encryption. Using hardware-based encryption can improve performance of drive operations that involve frequent reading or writing of data to the drive.

    If you enable this policy setting, you can specify additional options that control whether BitLocker software-based encryption is used instead of hardware-based encryption on computers that do not support hardware-based encryption and whether you want to restrict the encryption algorithms and cipher suites used with hardware-based encryption.

    If you disable this policy setting, BitLocker cannot use hardware-based encryption with operating system drives and BitLocker software-based encryption will be used by default when the drive is encrypted.

    If you do not configure this policy setting, BitLocker will use hardware-based encryption with the encryption algorithm set for the drive. If hardware-based encryption is not available BitLocker software-based encryption will be used instead.

    Note: The Choose drive encryption method and cipher strength policy setting does not apply to hardware-based encryption. The encryption algorithm used by hardware-based encryption is set when the drive is partitioned. By default, BitLocker uses the algorithm configured on the drive to encrypt the drive. The Restrict encryption algorithms and cipher suites allowed for hardware-based encryption option enables you to restrict the encryption algorithms that BitLocker can use with hardware encryption. If the algorithm set for the drive is not available, BitLocker will disable the use of hardware-based encryption.

    Encryption algorithms are specified by object identifiers (OID). For example:

    – AES 128 in CBC mode OID: 2.16.840.1.101.3.4.1.2

    – AES 256 in CBC mode OID: 2.16.840.1.101.3.4.1.42

    • Enable use of BitLocker authentication requiring preboot keyboard input on slates
    • Allow Secured Boot for integrity validation

    This policy setting allows you to configure whether Secured Boot will be allowed as the platform integrity provider for BitLocker operating system drives. Secured Boot ensures that the PC’s pre-boot environment only loads firmware that is digitally signed by authorized software publishers. Secured Boot also provides more flexibility for managing pre-boot configuration than legacy BitLocker integrity checks. If you enable or do not configure this policy setting, BitLocker will use Secured Boot for platform integrity if the platform is capable of Secured Boot-based integrity validation. If you disable this policy setting, BitLocker will use legacy platform integrity validation, even on systems capable of Secured Boot-based integrity validation. When this policy is enabled and the hardware is capable of using Secured Boot for BitLocker scenarios, the ‘Use enhanced Boot Configuration Data validation profile’ group policy setting is ignored and Secured Boot verifies BCD settings according to the Secured Boot policy setting, which is configured separately from BitLocker.

    Note: If the group policy setting ‘Configure TPM platform validation profile for native UEFI firmware configurations’ is enabled and has PCR 7 omitted, BitLocker will be prevented from using Secured Boot for platform or Boot Configuration Data (BCD) integrity validation.

    Note: Similar BitLocker policies to those above that apply to Operating System Drives can also be applied to fixed system drives in separate policies

    • Enforce drive encryption type on removable data drives
    • Configure use of hardware-based encryption for removable data drives
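The BitLocker policies above only apply when BitLocker is turned on, so an existing estate can drift from them. The following PowerShell check is an added example (not from the original post) that reports each volume's cipher and key protectors and flags the cases the policy text warns about: a Network Unlock protector without the recommended TPM startup PIN, a TPM-only OS drive, and a missing recovery protector. It assumes Get-BitLockerVolume from the BitLocker module (Windows 8 / Server 2012 and later), the KeyProtectorType names Tpm, TpmPin, TpmPinStartupKey, RecoveryPassword and ExternalKey, and that a Network Unlock protector's type name contains 'NetworkKey' (an assumption; check a real volume's KeyProtector output).

```powershell
# Added example (not from the original post): compare BitLocker volumes with the
# OS-drive policies described above. Assumed: Get-BitLockerVolume (BitLocker
# module) and the KeyProtectorType names noted in the comments.

function Test-BitLockerPolicyPosture {
    [CmdletBinding()]
    param(
        # Cipher selected by your 'Choose drive encryption method and cipher
        # strength' policy; the default when nothing is set is AES 128-bit.
        [ValidateSet('Aes128', 'Aes256')]
        [string]$RequiredMethod = 'Aes256'
    )

    foreach ($vol in Get-BitLockerVolume) {
        $types    = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $findings = New-Object System.Collections.Generic.List[string]

        if ($vol.VolumeStatus -eq 'FullyDecrypted') {
            $findings.Add('Volume is not BitLocker protected.')
        } else {
            # The cipher is fixed when BitLocker is turned on; a mismatch means
            # the drive was encrypted before the policy applied.
            if ([string]$vol.EncryptionMethod -ne $RequiredMethod) {
                $findings.Add("Encryption method $($vol.EncryptionMethod) differs from policy $RequiredMethod; decrypt and re-encrypt to change it.")
            }

            if ($vol.VolumeType -eq 'OperatingSystem') {
                $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
                # Assumed: Network Unlock protector type name contains 'NetworkKey'.
                $hasNetworkUnlock = @($types | Where-Object { $_ -like '*NetworkKey*' }).Count -gt 0

                # Policy note: computers should also have a TPM startup PIN for
                # when they are disconnected from the wired network at startup.
                if ($hasNetworkUnlock -and -not $hasPin) {
                    $findings.Add('Network Unlock is configured without a TPM startup PIN; off the wired LAN only recovery remains.')
                }
                # TPM-only protection releases the key whenever the validated boot
                # components are unchanged, so no user secret is required at boot.
                if (($types -contains 'Tpm') -and -not $hasPin -and -not $hasNetworkUnlock) {
                    $findings.Add('OS drive uses TPM-only protection; consider TPM+PIN via the PIN/password policies.')
                }
                # A PCR profile or firmware change sends the machine to recovery;
                # without a recovery password or key the drive is unreadable.
                if (($types -notcontains 'RecoveryPassword') -and ($types -notcontains 'ExternalKey')) {
                    $findings.Add('No recovery password or recovery key protector; a platform validation change would leave the drive unrecoverable.')
                }
            }
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            EncryptionMethod = $vol.EncryptionMethod
            KeyProtectors    = ($types -join ', ')
            Findings         = $findings.ToArray()
        }
    }
}

# Run elevated; pass -RequiredMethod Aes128 if that is what your policy selects.
Test-BitLockerPolicyPosture | Format-List
```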

    Windows Connection Manager

    • Prohibit connection to non-domain networks when connected to domain authenticated network

    This policy setting prevents computers from connecting to both a domain based network and a non-domain based network at the same time.

    If this policy setting is enabled, the computer responds to automatic and manual network connection attempts based on the following circumstances:

    Automatic connection attempts

    • When the computer is already connected to a domain based network, all automatic connection attempts to non-domain networks are blocked.
    • When the computer is already connected to a non-domain based network, automatic connection attempts to domain based networks are blocked.

    Manual connection attempts

    • When the computer is already connected to either a non-domain based network or a domain based network over media other than Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing network connection is disconnected and the manual connection is allowed.
    • When the computer is already connected to either a non-domain based network or a domain based network over Ethernet, and a user attempts to create a manual connection to an additional network in violation of this policy setting, the existing Ethernet connection is maintained and the manual connection attempt is blocked.

    If this policy setting is not configured or is disabled, computers are allowed to connect simultaneously to both domain and non-domain networks.

    • Minimize the number of simultaneous connections to the Internet or a Windows Domain. If this policy setting is enabled, when the computer has at least one active connection to the Internet, a new automatic connection attempt to the Internet is blocked. When the computer has at least one active connection to a Windows domain, a new automatic connection to the same Windows domain is also blocked. Additional manual connection attempts by users to the Internet or to a Windows domain are not blocked by this policy setting. In circumstances where there are multiple simultaneous connections to either the Internet or to a Windows domain, Windows disconnects the less preferred connection when the amount of network traffic over the less preferred connection drops below a certain threshold. For example, when a computer is connected to the Internet using a WiFi connection and the user plugs in to an Ethernet network, network traffic is routed through the faster Ethernet connection, and the WiFi traffic diminishes. Windows detects this circumstance and responds by disconnecting the WiFi connection.
    • Prohibit connection to roaming Mobile Broadband networks
    • Disable power management in connected standby mode. If this policy setting is enabled, Windows Connection Manager does not manage adapter radios to reduce power consumption when the machine enters connected standby mode.

    Windows Explorer

    • Location where all default Library definition files for users/machines reside. If you enable this policy setting, administrators can specify a path where all default Library definition files for users reside. The user will not be allowed to make changes to these Libraries from the UI. On every logon, the policy settings are verified and Libraries for the user are updated or changed according to the path defined.
    • Configure Windows SmartScreen. This policy setting allows you to manage the behavior of Windows SmartScreen. Windows SmartScreen helps keep PCs safer by warning users before running unrecognized programs downloaded from the Internet. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy setting, Windows SmartScreen behavior may be controlled by setting one of the following options:
    • Require approval from an administrator before running downloaded unknown software
    • Give user a warning before running downloaded unknown software
    • Turn off SmartScreen

    If you disable or do not configure this policy setting, Windows SmartScreen behavior is managed by administrators on the PC by using Windows SmartScreen Settings in Action Center.


    • Show lock in the user tile menu
    • Show sleep in the power options menu
    • Show hibernate in the power options menu
    • Do not show the ‘new application installed’ notification
    • Start Windows Explorer with ribbon minimized
    • Set a default associations configuration file. This policy specifies the path to a file (stored either locally or on a network location) that contains file type and protocol default application associations. This file can be created using the DISM tool. For example:

      Dism.exe /Online /Export-DefaultAppAssociations:C:\AppAssoc.txt

      For more information, refer to the DISM documentation on TechNet.

      If this group policy is enabled and the client machine is domain-joined, the file will be processed and default associations will be applied at logon time.

      If the group policy is not configured, disabled, or the client machine is not domain-joined, no default associations will be applied at logon time.

      If the policy is enabled, disabled, or not configured, users will still be able to override default file type and protocol associations.

    • Allow the use of remote paths in file shortcut icons. This policy setting determines whether remote paths can be used for file shortcut (.lnk file) icons. If you enable this policy setting, file shortcut icons are allowed to be obtained from remote paths. If you disable or do not configure this policy setting, file shortcut icons that use remote paths are prevented from being displayed. Note: Allowing the use of remote paths in file shortcut icons can expose users’ computers to security risks.
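Because the default associations file is applied to every domain-joined machine at logon, it is worth knowing what it will hand the http, https and mailto protocols to before it is deployed. The PowerShell below is an added example (not from the original post) that parses a file in the format produced by Dism.exe /Export-DefaultAppAssociations, flags ProgIds that are not registered on the local machine (those associations cannot take effect) and protocol handlers outside an allow-list. The XML is a constructed sample in that format; the allow-list, the Contoso ProgIds and the registry value DefaultAssociationsConfiguration used to locate the configured file are assumptions.

```powershell
# Added example (not from the original post): review a DISM default-associations
# file before the 'Set a default associations configuration file' policy applies it.
# Constructed sample in the DISM export format (IE.* ProgIds are real; Contoso.*
# ProgIds are made up for the example).
$SampleAssociations = @'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".htm"   ProgId="IE.AssocFile.HTM"  ApplicationName="Internet Explorer" />
  <Association Identifier="http"   ProgId="IE.HTTP"           ApplicationName="Internet Explorer" />
  <Association Identifier="https"  ProgId="Contoso.WebRelay"  ApplicationName="Contoso Relay" />
  <Association Identifier="mailto" ProgId="Contoso.Mail"      ApplicationName="Contoso Mail" />
  <Association Identifier=".pdf"   ProgId="Contoso.PdfViewer" ApplicationName="Contoso Viewer" />
</DefaultAssociations>
'@

# Assumed location of the policy value that names the configured file.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'

function Get-DefaultAssociationReport {
    [CmdletBinding()]
    param(
        # Path to the associations file; defaults to the one set by policy.
        [string]$Path,
        # Allowed handlers for protocols you care about (assumed allow-list).
        [hashtable]$AllowedProtocolHandlers = @{
            'http'   = @('IE.HTTP')
            'https'  = @('IE.HTTPS')
            'mailto' = @('Contoso.Mail')
        }
    )

    if (-not $Path) {
        $cfg  = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        $Path = $cfg.DefaultAssociationsConfiguration
        if (-not $Path) { throw 'No path given and no DefaultAssociationsConfiguration policy value found.' }
    }

    [xml]$doc = Get-Content -Path $Path -Raw
    foreach ($assoc in $doc.DefaultAssociations.Association) {
        $id   = $assoc.Identifier
        $kind = if ($id.StartsWith('.')) { 'Extension' } else { 'Protocol' }

        # An association whose ProgId has no HKCR registration cannot take
        # effect at logon, which usually means a missing or renamed application.
        $registered = Test-Path -Path ("Registry::HKEY_CLASSES_ROOT\" + $assoc.ProgId)

        $findings = New-Object System.Collections.Generic.List[string]
        if (-not $registered) {
            $findings.Add("ProgId $($assoc.ProgId) is not registered on this machine.")
        }
        if ($kind -eq 'Protocol' -and $AllowedProtocolHandlers.ContainsKey($id) -and
            ($AllowedProtocolHandlers[$id] -notcontains $assoc.ProgId)) {
            $findings.Add("Protocol $id would be handled by $($assoc.ProgId), which is not in the allow-list.")
        }

        [pscustomobject]@{
            Identifier      = $id
            Kind            = $kind
            ProgId          = $assoc.ProgId
            ApplicationName = $assoc.ApplicationName
            Registered      = $registered
            Findings        = $findings.ToArray()
        }
    }
}

# Write the constructed sample to a temp file and review it.
$samplePath = Join-Path $env:TEMP 'AppAssoc-sample.xml'
Set-Content -Path $samplePath -Value $SampleAssociations -Encoding UTF8
Get-DefaultAssociationReport -Path $samplePath | Format-Table -AutoSize
```

With the sample above, https and mailto are reported as outside the allow-list and the Contoso ProgIds as unregistered; run it without -Path on a managed client to review the file the policy actually points at.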

    Windows Update

    • Let the service shut down when it is idle. Controls how many minutes the Windows Update service will wait before shutting down when there are no scans, downloads, or installs in progress. Allowing the service to shut down will free memory to be used by other programs and services. If set to 0, the service will remain running at all times. If you disable or do not configure this policy setting, the service will shut down after 10 minutes of inactivity.

    Shutdown Options

    • Require use of hybrid boot. If you enable this policy setting, the system requires hibernate to be enabled.

    Store

    • Turn off the Store application
    • Turn off Automatic Download of updates

    Notifications

    • Turn off all notifications. This policy setting turns off notifications. If you enable this policy setting, applications and system features will not be able to raise toast notifications, update their tile, or receive notifications through the Windows Notification Service (WNS). If you disable or do not configure this policy setting, notifications are enabled and can be turned off by the administrator or user. Note that this policy does not affect taskbar notification balloons. No reboots or service restarts are required for this policy setting to take effect.
    • Turn off toast notifications. If you enable this policy setting, applications and system features will not be able to raise toast notifications.
    • Turn off toast notifications on the lock screen

    WWAN Media Cost

    • Set 3G Cost.
    • This policy setting configures the cost of 3G connections on the local machine.

      If this policy setting is enabled, a drop-down list box presenting possible cost values will be active. Selecting one of the following values from the list will set the cost of all 3G connections on the local machine:

    • Unrestricted: Use of this connection is unlimited and not restricted by usage charges and capacity constraints.
    • Fixed: Use of this connection is not restricted by usage charges and capacity constraints up to a certain data limit.
    • Variable: This connection is costed on a per-byte basis.

      If this policy setting is disabled or is not configured, the cost of 3G connections is Fixed by default.

    • Set 4G Cost. Same as above, but for 4G connections.

    About chentiangemalc

    specializes in end-user computing technologies. disclaimer 1) use at your own risk. test any solution in your environment. if you do not understand the impact/consequences of what you're doing please stop, and ask advice from somebody who does. 2) views are my own at the time of posting and do not necessarily represent my current view or the view of my employer and family members/relatives. 3) over the years Microsoft/Citrix/VMWare have given me a few free shirts, pens, paper notebooks/etc. despite these gifts i will try to remain unbiased.

    3 Responses to What’s New In Windows 8 Consumer Preview Group Policy

    1. Wow that was unusual. I just wrote a really long comment but after I clicked submit my
      comment didn’t appear. Grrrr… well I’m not writing all that over again.
      Anyway, just wanted to say superb blog!

    2. I’m not sure where you’re getting your info, but great topic.
      I need to spend some time learning much more or understanding more.
      Thanks for the excellent information; I was looking for this info for my mission.

      • I extracted the info myself from the ADMX files built into Windows. For the released version of Windows 8 MS now has a downloadable XLSX of the policies available on their website.
