Group Policy Management
MSFT Windows 8.1 Baseline
Data collected on: 9/2/2014 8:18:29 AM
General
Details
Domain | SECGUIDE.local
Owner | SECGUIDE\Domain Admins
Created | 8/6/2014 6:37:44 PM
Modified | 8/8/2014 6:28:18 PM
User Revisions | 1 (AD), 1 (SYSVOL)
Computer Revisions | 14 (AD), 14 (SYSVOL)
Unique ID | {F2BEB895-E77C-442A-90DD-BBAAA22B741C}
GPO Status | Enabled
Links
Location | Enforced | Link Status | Path
None

This list only includes links in the domain of the GPO.
Security Filtering
The settings in this GPO can only apply to the following groups, users, and computers:
Name
NT AUTHORITY\Authenticated Users
Delegation
These groups and users have the specified permission for this GPO
Name | Allowed Permissions | Inherited
NT AUTHORITY\Authenticated Users | Read (from Security Filtering) | No
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS | Read | No
NT AUTHORITY\SYSTEM | Edit settings, delete, modify security | No
SECGUIDE\Domain Admins | Edit settings, delete, modify security | No
SECGUIDE\Enterprise Admins | Edit settings, delete, modify security | No
Computer Configuration (Enabled)
Policies
Windows Settings
Security Settings
Account Policies/Password Policy
Policy | Setting
Enforce password history | 24 passwords remembered
Maximum password age | 60 days
Minimum password age | 1 days
Minimum password length | 14 characters
Password must meet complexity requirements | Enabled
Store passwords using reversible encryption | Disabled
Account Policies/Account Lockout Policy
Policy | Setting
Account lockout duration | 15 minutes
Account lockout threshold | 10 invalid logon attempts
Reset account lockout counter after | 15 minutes
Local Policies/User Rights Assignment
Policy | Setting
Access Credential Manager as a trusted caller |
Access this computer from the network | BUILTIN\Administrators, NT AUTHORITY\Authenticated Users
Act as part of the operating system |
Adjust memory quotas for a process | BUILTIN\Administrators, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Allow log on locally | BUILTIN\Administrators, BUILTIN\Users
Back up files and directories | BUILTIN\Administrators
Change the system time | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators
Change the time zone | NT AUTHORITY\LOCAL SERVICE, BUILTIN\Administrators, BUILTIN\Users
Create a pagefile | BUILTIN\Administrators
Create a token object |
Create global objects | BUILTIN\Administrators, NT AUTHORITY\SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Create permanent shared objects |
Create symbolic links | BUILTIN\Administrators
Debug programs | BUILTIN\Administrators
Deny access to this computer from the network | NT AUTHORITY\Local account, BUILTIN\Guests
Deny log on as a batch job | BUILTIN\Guests
Deny log on as a service | BUILTIN\Guests
Deny log on locally | BUILTIN\Guests
Deny log on through Terminal Services | NT AUTHORITY\Local account, BUILTIN\Guests
Enable computer and user accounts to be trusted for delegation |
Force shutdown from a remote system | BUILTIN\Administrators
Generate security audits | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Impersonate a client after authentication | BUILTIN\Administrators, NT AUTHORITY\SERVICE, NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Increase scheduling priority | BUILTIN\Administrators
Load and unload device drivers | BUILTIN\Administrators
Lock pages in memory |
Manage auditing and security log | BUILTIN\Administrators
Modify an object label |
Modify firmware environment values | BUILTIN\Administrators
Perform volume maintenance tasks | BUILTIN\Administrators
Profile single process | BUILTIN\Administrators
Profile system performance | NT SERVICE\WdiServiceHost, BUILTIN\Administrators
Replace a process level token | NT AUTHORITY\LOCAL SERVICE, NT AUTHORITY\NETWORK SERVICE
Restore files and directories | BUILTIN\Administrators
Shut down the system | BUILTIN\Administrators, BUILTIN\Users
Take ownership of files or other objects | BUILTIN\Administrators
Local Policies/Security Options
Accounts
Policy | Setting
Accounts: Administrator account status | Disabled
Accounts: Guest account status | Disabled
Accounts: Limit local account use of blank passwords to console logon only | Enabled
Audit
Policy | Setting
Audit: Shut down system immediately if unable to log security audits | Disabled
Devices
Policy | Setting
Devices: Allowed to format and eject removable media | Administrators and Interactive Users
Interactive Logon
Policy | Setting
Interactive logon: Do not display last user name | Enabled
Interactive logon: Do not require CTRL+ALT+DEL | Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available) | 4 logons
Interactive logon: Prompt user to change password before expiration | 14 days
Interactive logon: Smart card removal behavior | Lock Workstation
Microsoft Network Client
Policy | Setting
Microsoft network client: Digitally sign communications (always) | Enabled
Microsoft network client: Digitally sign communications (if server agrees) | Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers | Disabled
Network Access
Policy | Setting
Network access: Allow anonymous SID/Name translation | Disabled
Network access: Do not allow anonymous enumeration of SAM accounts | Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares | Enabled
Network access: Let Everyone permissions apply to anonymous users | Disabled
Network access: Remotely accessible registry paths | System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and sub-paths | System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConfig, System\CurrentControlSet\Control\Terminal Server\DefaultUserConfiguration, Software\Microsoft\Windows NT\CurrentVersion\Perflib, System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares | Enabled
Network access: Sharing and security model for local accounts | Classic - local users authenticate as themselves
Network Security
Policy | Setting
Network security: Do not store LAN Manager hash value on next password change | Enabled
Network security: Force logoff when logon hours expire | Enabled
Network security: LAN Manager authentication level | Send NTLMv2 response only. Refuse LM & NTLM
Network security: LDAP client signing requirements | Negotiate signing
Network security: Minimum session security for NTLM SSP based (including secure RPC) clients | Enabled
  Require NTLMv2 session security | Enabled
  Require 128-bit encryption | Enabled
Network security: Minimum session security for NTLM SSP based (including secure RPC) servers | Enabled
  Require NTLMv2 session security | Enabled
  Require 128-bit encryption | Enabled
Shutdown
Policy | Setting
Shutdown: Allow system to be shut down without having to log on | Enabled
Shutdown: Clear virtual memory pagefile | Disabled
System Objects
Policy | Setting
System objects: Require case insensitivity for non-Windows subsystems | Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) | Enabled
User Account Control
Policy | Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account | Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop | Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode | Prompt for consent on the secure desktop
User Account Control: Behavior of the elevation prompt for standard users | Automatically deny elevation requests
User Account Control: Detect application installations and prompt for elevation | Enabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations | Enabled
User Account Control: Run all administrators in Admin Approval Mode | Enabled
User Account Control: Switch to the secure desktop when prompting for elevation | Enabled
User Account Control: Virtualize file and registry write failures to per-user locations | Enabled
Other
Policy | Setting
Accounts: Block Microsoft accounts | Users can't add or log on with Microsoft accounts
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled
Domain member: Digitally encrypt or sign secure channel data (always) | Enabled
Domain member: Digitally encrypt secure channel data (when possible) | Enabled
Domain member: Digitally sign secure channel data (when possible) | Enabled
Domain member: Disable machine account password changes | Disabled
Domain member: Maximum machine account password age | 30 days
Domain member: Require strong (Windows 2000 or later) session key | Enabled
Interactive logon: Machine account lockout threshold | 10 invalid logon attempts
Interactive logon: Machine inactivity limit | 900 seconds
Microsoft network server: Amount of idle time required before suspending session | 15 minutes
Microsoft network server: Digitally sign communications (always) | Enabled
Microsoft network server: Digitally sign communications (if client agrees) | Enabled
Microsoft network server: Disconnect clients when logon hours expire | Enabled
Microsoft network server: Server SPN target name validation level | Accept if provided by client
Network security: Allow Local System to use computer identity for NTLM | Enabled
Network security: Allow LocalSystem NULL session fallback | Disabled
Network security: Allow PKU2U authentication requests to this computer to use online identities. | Disabled
Network security: Configure encryption types allowed for Kerberos | Enabled
  DES_CBC_CRC | Disabled
  DES_CBC_MD5 | Disabled
  RC4_HMAC_MD5 | Enabled
  AES128_HMAC_SHA1 | Enabled
  AES256_HMAC_SHA1 | Enabled
  Future encryption types | Enabled
Recovery console: Allow automatic administrative logon | Disabled
Recovery console: Allow floppy copy and access to all drives and all folders | Disabled
Registry Values
Policy | Setting
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon | "0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ScreenSaverGracePeriod | "5"
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode | 1
MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security\WarningLevel | 90
MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting | 2
MACHINE\System\CurrentControlSet\Services\Tcpip6\Parameters\DisableIPSourceRouting | 2
Windows Firewall with Advanced Security
Global Settings
Policy | Setting
Policy version | Not Configured
Disable stateful FTP | Not Configured
Disable stateful PPTP | Not Configured
IPsec exempt | Not Configured
IPsec through NAT | Not Configured
Preshared key encoding | Not Configured
SA idle time | Not Configured
Strong CRL check | Not Configured
Domain Profile Settings
Policy | Setting
Firewall state | On
Inbound connections | Block
Outbound connections | Allow
Apply local firewall rules | Yes
Apply local connection security rules | Yes
Display notifications | Yes
Allow unicast responses | No
Log dropped packets | Yes
Log successful connections | Yes
Log file path | %SYSTEMROOT%\System32\logfiles\firewall\domainfw.log
Log file maximum size (KB) | 16384
Private Profile Settings
Policy | Setting
Firewall state | On
Inbound connections | Block
Outbound connections | Allow
Apply local firewall rules | Yes
Apply local connection security rules | Yes
Display notifications | Yes
Allow unicast responses | No
Log dropped packets | Yes
Log successful connections | Yes
Log file path | %SYSTEMROOT%\System32\logfiles\firewall\privatefw.log
Log file maximum size (KB) | 16384
Public Profile Settings
Policy | Setting
Firewall state | On
Inbound connections | Block
Outbound connections | Allow
Apply local firewall rules | Yes
Apply local connection security rules | No
Display notifications | No
Allow unicast responses | No
Log dropped packets | Yes
Log successful connections | Yes
Log file path | %SYSTEMROOT%\System32\logfiles\firewall\publicfw.log
Log file maximum size (KB) | 16384
Connection Security Settings
Advanced Audit Configuration
Account Logon
Policy | Setting
Audit Credential Validation | Success, Failure
Account Management
Policy | Setting
Audit Other Account Management Events | Success, Failure
Audit Security Group Management | Success, Failure
Audit User Account Management | Success, Failure
Detailed Tracking
Policy | Setting
Audit Process Creation | Success
Logon/Logoff
Policy | Setting
Audit Account Lockout | Success
Audit Logoff | Success
Audit Logon | Success, Failure
Audit Special Logon | Success
Policy Change
Policy | Setting
Audit Audit Policy Change | Success, Failure
Audit Authentication Policy Change | Success
Privilege Use
Policy | Setting
Audit Sensitive Privilege Use | Success, Failure
System
Policy | Setting
Audit IPsec Driver | Success, Failure
Audit Other System Events | Success, Failure
Audit Security State Change | Success, Failure
Audit Security System Extension | Success, Failure
Audit System Integrity | Success, Failure
Administrative Templates
Policy definitions (ADMX files) retrieved from the local computer.
Control Panel/Personalization
Policy | Setting | Comment
Prevent enabling lock screen camera | Enabled
Prevent enabling lock screen slide show | Enabled
Network/Network Connections/Windows Firewall/Domain Profile
Policy | Setting | Comment
Windows Firewall: Allow logging | Enabled
  Log dropped packets | Enabled
  Log successful connections | Enabled
  Log file path and name: | %SYSTEMROOT%\System32\logfiles\firewall\domainfw.log
  Size limit (KB): | 16384
Policy | Setting | Comment
Windows Firewall: Prohibit notifications | Disabled
Windows Firewall: Prohibit unicast response to multicast or broadcast requests | Enabled
Windows Firewall: Protect all network connections | Enabled
SCM: Pass the Hash Mitigations
Policy | Setting | Comment
Apply UAC restrictions to local accounts on network logons | Enabled
WDigest Authentication (disabling may require KB2871997) | Disabled
System/Device Installation/Device Installation Restrictions
Policy | Setting | Comment
Prevent installation of devices using drivers that match these device setup classes | Enabled
  Prevent installation of devices using drivers for these device setup classes:
    {d48179be-ec20-11d1-b6b8-00c04fa372a7}
  To create a list of device classes, click Show. In the Show Contents dialog box, in the Value column, type a GUID that represents a device setup class (for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}).
  Also apply to matching devices that are already installed. | Enabled
System/Early Launch Antimalware
Policy | Setting | Comment
Boot-Start Driver Initialization Policy | Enabled
  Choose the boot-start drivers that can be initialized: | Good, unknown and bad but critical
System/Group Policy
Policy | Setting | Comment
Configure registry policy processing | Enabled
  Do not apply during periodic background processing | Disabled
  Process even if the Group Policy objects have not changed | Enabled
System/Internet Communication Management/Internet Communication settings
Policy | Setting | Comment
Turn off downloading of print drivers over HTTP | Enabled
Turn off Internet download for Web publishing and online ordering wizards | Enabled
Turn off printing over HTTP | Enabled
System/Logon
Policy | Setting | Comment
Do not display network selection UI | Enabled
Do not enumerate connected users on domain-joined computers | Enabled
Enumerate local users on domain-joined computers | Disabled
Turn on PIN sign-in | Disabled
System/Power Management/Sleep Settings
Policy | Setting | Comment
Allow standby states (S1-S3) when sleeping (on battery) | Disabled
Allow standby states (S1-S3) when sleeping (plugged in) | Disabled
Require a password when a computer wakes (on battery) | Enabled
Require a password when a computer wakes (plugged in) | Enabled
System/Remote Assistance
Policy | Setting | Comment
Configure Offer Remote Assistance | Disabled
Configure Solicited Remote Assistance | Disabled
System/Remote Procedure Call
Policy | Setting | Comment
Enable RPC Endpoint Mapper Client Authentication | Disabled
Restrict Unauthenticated RPC clients | Enabled
  RPC Runtime Unauthenticated Client Restriction to Apply: | Authenticated
Windows Components/App runtime
Policy | Setting | Comment
Allow Microsoft accounts to be optional | Enabled
Windows Components/AutoPlay Policies
Policy | Setting | Comment
Turn off Autoplay | Enabled
  Turn off Autoplay on: | All drives
Windows Components/BitLocker Drive Encryption
Policy | Setting | Comment
Choose drive encryption method and cipher strength | Enabled
  Select the encryption method: | AES 256-bit
Windows Components/BitLocker Drive Encryption/Fixed Data Drives
Policy | Setting | Comment
Allow access to BitLocker-protected fixed data drives from earlier versions of Windows | Disabled
Choose how BitLocker-protected fixed drives can be recovered | Enabled
  Allow data recovery agent | Enabled
  Configure user storage of BitLocker recovery information:
    Allow 48-digit recovery password
    Allow 256-bit recovery key
  Omit recovery options from the BitLocker setup wizard | Enabled
  Save BitLocker recovery information to AD DS for fixed data drives | Disabled
  Configure storage of BitLocker recovery information to AD DS: | Backup recovery passwords and key packages
  Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives | Disabled
Policy | Setting | Comment
Configure use of hardware-based encryption for fixed data drives | Enabled
  Use BitLocker software-based encryption when hardware encryption is not available | Enabled
  Restrict encryption algorithms and cipher suites allowed for hardware-based encryption | Disabled
  Restrict crypto algorithms or cipher suites to the following: | 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42
Policy | Setting | Comment
Configure use of passwords for fixed data drives | Disabled
Configure use of smart cards on fixed data drives | Enabled
  Require use of smart cards on fixed data drives | Enabled
Windows Components/BitLocker Drive Encryption/Operating System Drives
Policy | Setting | Comment
Allow enhanced PINs for startup | Enabled
Allow Secure Boot for integrity validation | Enabled
Choose how BitLocker-protected operating system drives can be recovered | Enabled
  Allow data recovery agent | Disabled
  Configure user storage of BitLocker recovery information:
    Require 48-digit recovery password
    Do not allow 256-bit recovery key
  Omit recovery options from the BitLocker setup wizard | Enabled
  Save BitLocker recovery information to AD DS for operating system drives | Enabled
  Configure storage of BitLocker recovery information to AD DS: | Store recovery passwords and key packages
  Do not enable BitLocker until recovery information is stored to AD DS for operating system drives | Enabled
Policy | Setting | Comment
Configure minimum PIN length for startup | Enabled
  Minimum characters: | 7
Policy | Setting | Comment
Configure use of hardware-based encryption for operating system drives | Enabled
  Use BitLocker software-based encryption when hardware encryption is not available | Enabled
  Restrict encryption algorithms and cipher suites allowed for hardware-based encryption | Disabled
  Restrict crypto algorithms or cipher suites to the following: | 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42
Policy | Setting | Comment
Configure use of passwords for operating system drives | Disabled
Require additional authentication at startup | Enabled
  Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) | Disabled
  Settings for computers with a TPM:
    Configure TPM startup: | Do not allow TPM
    Configure TPM startup PIN: | Require startup PIN with TPM
    Configure TPM startup key: | Do not allow startup key with TPM
    Configure TPM startup key and PIN: | Do not allow startup key and PIN with TPM
Windows Components/BitLocker Drive Encryption/Removable Data Drives
Policy | Setting | Comment
Allow access to BitLocker-protected removable data drives from earlier versions of Windows | Disabled
Choose how BitLocker-protected removable drives can be recovered | Enabled
  Allow data recovery agent | Enabled
  Configure user storage of BitLocker recovery information:
    Do not allow 48-digit recovery password
    Do not allow 256-bit recovery key
  Omit recovery options from the BitLocker setup wizard | Enabled
  Save BitLocker recovery information to AD DS for removable data drives | Disabled
  Configure storage of BitLocker recovery information to AD DS: | Backup recovery passwords and key packages
  Do not enable BitLocker until recovery information is stored to AD DS for removable data drives | Disabled
Policy | Setting | Comment
Configure use of hardware-based encryption for removable data drives | Enabled
  Use BitLocker software-based encryption when hardware encryption is not available | Enabled
  Restrict encryption algorithms and cipher suites allowed for hardware-based encryption | Disabled
  Restrict crypto algorithms or cipher suites to the following: | 2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42
Policy | Setting | Comment
Configure use of passwords for removable data drives | Disabled
Configure use of smart cards on removable data drives | Enabled
  Require use of smart cards on removable data drives | Enabled
Policy | Setting | Comment
Deny write access to removable drives not protected by BitLocker | Enabled
  Do not allow write access to devices configured in another organization | Enabled
Windows Components/Credential User Interface
Policy | Setting | Comment
Enumerate administrator accounts on elevation | Disabled
Windows Components/EMET
Policy | Setting | Comment
Default Protections for Internet Explorer | Enabled
  Included products and mitigations:
  - Microsoft Internet Explorer - all mitigations
Policy | Setting | Comment
Default Protections for Popular Software | Enabled
  Included products and mitigations:
  - Windows Media Player - all mitigations except MandatoryASLR, SEHOP, EAF
  - Skype - all mitigations except EAF
  - Microsoft Lync Communicator - all mitigations
  - Windows Live Mail - all mitigations
  - Microsoft Photo Gallery - all mitigations except Caller
  - Microsoft Live Writer - all mitigations
  - Microsoft SkyDrive - all mitigations
  - Google Chrome - all mitigations except SEHOP
  - Google Talk - all mitigations except DEP, SEHOP
  - Mozilla Firefox - all mitigations
  - Mozilla Thunderbird - all mitigations
  - Adobe Photoshop - all mitigations
  - Winamp - all mitigations
  - Opera - all mitigations
  - WinRAR - all mitigations
  - Winzip - all mitigations
  - VideoLAN VLC - all mitigations
  - RealPlayer - all mitigations
  - mIRC - all mitigations
  - 7zip - all mitigations except EAF
  - Safari - all mitigations
  - QuickTime Player - all mitigations
  - iTunes - all mitigations except Caller
  - Pidgin - all mitigations
  - Foxit Reader - all mitigations
Policy | Setting | Comment
Default Protections for Recommended Software | Enabled
  Included products and mitigations:
  - WordPad - all mitigations
  - Microsoft Office - all mitigations
  - Adobe Acrobat - all mitigations except MemProt
  - Adobe Acrobat Reader - all mitigations except MemProt
  - Oracle Java - all mitigations except HeapSpray
Policy | Setting | Comment
System ASLR | Enabled
  ASLR Setting: | Application Opt-In
Policy | Setting | Comment
System DEP | Enabled
  DEP Setting: | Application Opt-Out
Policy | Setting | Comment
System SEHOP | Enabled
  SEHOP Setting: | Application Opt-Out
Windows Components/Event Log Service/Application
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
  Maximum Log Size (KB) | 32768
Windows Components/Event Log Service/Security
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
  Maximum Log Size (KB) | 196608
Windows Components/Event Log Service/System
Policy | Setting | Comment
Specify the maximum log file size (KB) | Enabled
  Maximum Log Size (KB) | 32768
Windows Components/File Explorer
Policy | Setting | Comment
Configure Windows SmartScreen | Enabled
  Pick one of the following settings | Require approval from an administrator before running downloaded unknown software
Policy | Setting | Comment
Turn off Data Execution Prevention for Explorer | Disabled
Windows Components/Remote Desktop Services/Remote Desktop Connection Client
Policy | Setting | Comment
Do not allow passwords to be saved | Enabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection
Policy | Setting | Comment
Do not allow drive redirection | Enabled
Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security
Policy | Setting | Comment
Always prompt for password upon connection | Enabled
Set client connection encryption level | Enabled
  Encryption Level | High Level
  Choose the encryption level from the drop-down list.
Windows Components/Search
Policy | Setting | Comment
Allow indexing of encrypted files | Disabled
Windows Components/Windows Installer
Policy | Setting | Comment
Always install with elevated privileges | Disabled
Windows Components/Windows Logon Options
Policy | Setting | Comment
Sign-in last interactive user automatically after a system-initiated restart | Disabled
Windows Components/Windows Remote Management (WinRM)/WinRM Client
Policy | Setting | Comment
Allow Basic authentication | Disabled
Allow unencrypted traffic | Disabled
Disallow Digest authentication | Enabled
Windows Components/Windows Remote Management (WinRM)/WinRM Service
Policy | Setting | Comment
Allow Basic authentication | Disabled
Allow unencrypted traffic | Disabled
Disallow WinRM from storing RunAs credentials | Enabled
Windows Components/Windows Update
Policy | Setting | Comment
Configure Automatic Updates | Enabled
  Configure automatic updating: | 3 - Auto download and notify for install
  The following settings are only required and applicable if 4 is selected.
  Install during automatic maintenance
  Scheduled install day: | 0 - Every day
  Scheduled install time: | 03:00
Policy | Setting | Comment
Do not adjust default option to 'Install Updates and Shut Down' in Shut Down Windows dialog box | Disabled
Do not display 'Install Updates and Shut Down' option in Shut Down Windows dialog box | Disabled
No auto-restart with logged on users for scheduled automatic updates installations | Disabled
Reschedule Automatic Updates scheduled installations | Enabled
  Wait after system startup (minutes): | 1
User Configuration (Enabled)
Policies
Administrative Templates
Policy definitions (ADMX files) retrieved from the local computer.
Control Panel/Personalization
Policy | Setting | Comment
Enable screen saver | Enabled
Force specific screen saver | Enabled
  Screen saver executable name | scrnsave.scr
Policy | Setting | Comment
Password protect the screen saver | Enabled
Screen saver timeout | Enabled
  Number of seconds to wait to enable the screen saver
  Seconds: | 900
Start Menu and Taskbar/Notifications
Policy | Setting | Comment
Turn off toast notifications on the lock screen | Enabled
Windows Components/Attachment Manager
Policy | Setting | Comment
Do not preserve zone information in file attachments | Disabled
Notify antivirus programs when opening attachments | Enabled