6 Appendix A: Product Behavior

  • Article

The information in this specification is applicable to the following Microsoft products or supplemental software. References to product versions include updates to those products.

The terms "earlier" and "later", when used with a product version, refer to either all preceding versions or all subsequent versions, respectively. The term "through" refers to the inclusive range of versions. Applicable Microsoft products are listed chronologically in this section.

  • Windows XP operating system

  • Windows Server 2003 operating system

  • Windows Server 2003 R2 operating system

  • Windows Vista operating system

  • Windows Server 2008 operating system

  • Windows 7 operating system

  • Windows Server 2008 R2 operating system

  • Windows 8 operating system

  • Windows Server 2012 operating system

  • Windows 8.1 operating system

  • Windows Server 2012 R2 operating system

  • Windows 10 operating system

  • Windows Server 2016 operating system

  • Windows Server operating system

  • Windows Server 2019 operating system

  • Windows Server 2022 operating system

  • Windows 11 operating system

  • Windows Server 2025 operating system

Exceptions, if any, are noted in this section. If an update version, service pack or Knowledge Base (KB) number appears with a product name, the behavior changed in that update. The new behavior also applies to subsequent updates unless otherwise specified. If a product edition appears with the product version, behavior is different in that product edition.

Unless otherwise specified, any statement of optional behavior in this specification that is prescribed using the terms "SHOULD" or "SHOULD NOT" implies product behavior in accordance with the SHOULD or SHOULD NOT prescription. Unless otherwise specified, the term "MAY" implies that the product does not follow the prescription.

<1> Section 2.2.1: The preferences policy settings "Drives", "InternetSettings", "Regional Options", "StartMenu" and all "FolderOptions" except for "FileTypes" are not implemented for computer policy mode because these settings are applicable only to the current user. The preferences policy settings "FileTypes", "NetworkShares" and "Services" are not implemented for user policy mode because these settings are generic to the computer and apply to all logged-on users.

<2> Section 2.2.1: ControlPanel.xml is currently not created during any editing sequence. It is documented here for completeness.

<3> Section 2.2.1.1.4: The seed value used to generate the key is the sequence of characters:

 0x71 0x46 0x32 0x0f 0x64 0x10 0x00

The pseudocode for generating the key on Windows (except on Windows XP, Windows Server 2003, and Windows Server 2003 R2), is as follows:

  
 CryptAcquireContext( &amp;hCryptProv, NULL, NULL, 
    PROV_RSA_AES, CRYPT_VERIFYCONTEXT);
  
 CryptCreateHash( hCryptProv, CALG_SHA_256, 0, 0, &hHash );
  
 CryptHashData(hHash, (BYTE *)szKey, strKey.GetLength(), 0);
  
 CryptDeriveKey(hCryptProv, CALG_AES_256, hHash, 
     CRYPT_NO_SALT | CRYPT_EXPORTABLE, &hKey);
      

On Windows XP, Windows Server 2003, and Windows Server 2003 R2, SHA1 is used in place of SHA_256.

<4> Section 2.2.1.1.5: In this case, "Windows" and "Microsoft" are not being used as a reference to the product or the company but as part of a path to a repository location. However, these paths are implementation specific and when implemented on another platform, another path name can be used. The Licensee can implement the repository using another technology but the path and key values, for example "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" and "SystemRoot", are the values that make those environment variables unique within whatever repository is used.

<5> Section 2.2.1.5.1: The PATH environment variable is a semi-colon delimited list of folder paths that is searched when a program is requested that is not in the current location. It first appeared in MS-DOS and is still used by many MS-DOS and Microsoft Windows command line utilities.

<6> Section 2.2.1.7.1: In this case, "Windows" and "Microsoft" are not being used as a reference to the product or the company but as part of a path to a repository location. However, these paths are implementation specific and when implemented on a platform other than Windows, another path name can be used. The Licensee can implement the repository using another technology, but the path and key values, for example "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" and "SystemRoot", are the values that make those environment variables unique within whatever repository is used.

<7> Section 2.2.1.7.2: In this case, "Windows" and "Microsoft" are not being used as a reference to the product or the company but as part of a path to a repository location. However, these paths are implementation specific and when implemented on a platform other than Windows, another path name can be used. The Licensee can implement the repository using another technology, but the path and key values, for example "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" and "SystemRoot", are the values that make those environment variables unique within whatever repository is used.

<8> Section 2.2.1.10: In this case, "Windows" and "Microsoft" are not being used as a reference to the product or the company but as part of a path to a repository location. However, these paths are implementation specific and when implemented on a platform other than Windows, another path name can be used. The Licensee implement the repository using another technology but the path and key values, for example "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" and "SystemRoot", are the values that make those environment variables unique within whatever repository is used.

<9> Section 2.2.1.11.1: Windows assigns each group a security identifier (SID). Windows uses this information to determine if a group is allowed to access a particular resource. Use caution when using the Replace action as the newly created group will have a new SID. This can prevent groups from having access to resources.

<10> Section 2.2.1.11.2: Windows assigns each user a security identifier (SID). Windows uses this information to determine if a user is allowed to access a particular resource. Use caution when using the Replace action as the newly created user will have a new SID. This can prevent users from having access to resources.

<11> Section 2.2.1.12: For information on Windows client settings for VPN, see [MSDN-VPN].

<12> Section 2.2.1.12.2: For Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 which use IPv6, the process will not fail but will return "No Match".

<13> Section 2.2.1.12.2:  oldMsChap is set to 1 to connect using CHAP version for Windows 95 operating system.

<14> Section 2.2.1.19: For information on Windows services, see [MSDN-WINSVC].

<15> Section 2.2.1.21.1: In this case, "Windows" and "Microsoft" are not being used as a reference to the product or the company but as part of a path to a repository location. However, these paths are implementation specific and when implemented on any other platform, another path name can be used. The Licensee can implement the repository using a technology other than Windows, but the path and key values, for example "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" and "SystemRoot", are the values that make those environment variables unique within whatever repository is used.

<16> Section 2.2.1.21.2: In this case, "Windows" and "Microsoft" are not being used as a reference to the product or the company but as part of a path to a repository location. However, these paths are implementation specific and when implemented on any other platform, another path name can be used. The Licensee can implement the repository using some a technology other than Windows, but the path and key values, for example "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" and "SystemRoot", are the values that make those environment variables unique within whatever repository is used.

<17> Section 2.2.1.22: The enumerated values are as follows:

  • NT refers to all Windows releases except Windows 95, Windows 98 operating system, and Windows Millennium Edition operating system.

  • 9X refers to Windows 95, Windows 98, and Windows Millennium Edition.

  • NE refers to Any.

<18> Section 2.2.1.22: The enumerated values and corresponding Windows releases are as follows:

Version attribute

Windows release

Version attribute

Windows release

NE

Any

2K8

Windows Server 2008

95

Windows 95

WIN7

Windows 7

98

Windows 98

2K8R2

Windows Server 2008 R2

ME

Windows Millennium Edition

WIN8

Windows 8

NT

Windows NT operating system

WIN8S

Windows Server 2012

2K

Windows 2000 operating system

WINBLUE

Windows 8.1

XP

Windows XP

WINBLUESRV

Windows Server 2012 R2

2K3

Windows Server 2003

WINTHRESHOLD

Windows 10

2K3R2

Windows Server 2003 R2

WINTHRESHOLDSRV

Windows Server 2016 and later

VISTA

Windows Vista

<19> Section 2.2.1.22: The enumerated values R2, SE, PRO, SV, DC, WS, PR, or NE refer to R2, Standard Edition, Professional, Server, Domain Controller, Workstation, Professional or Any. Note that the values PR and PRO are equivalent and both refer to Professional.

<20> Section 2.2.1.22: The enumerated values 64, 64EP, 64DC, AS, DTC, EP, HM, MC, SRV, STD, TPC, TSE, WEB, SBS, PRO, 64STGSTD, 64STGWKGRP, 64MPSTD, 64MPPREM, 64ESSSOL, or NE refer to 64-bit, 64-bit Enterprise, 64-bit Datacenter, Advanced Server, Datacenter, Enterprise, Home, Media Center, Server, Standard, Tablet PC, Terminal Server, Web, Small Business Server, Professional, 64-bit Storage Server Standard, 64-bit Storage Server Premium, 64-bit MultiPoint Server Standard, 64-bit MultiPoint Server Premium, 64-bit Essentials, or Any.

<21> Section 2.2.1.22: The enumerated values NE, TS, or CONSOLE refer to the protocol type being used for the terminal server connection. This information is returned from the Windows API WTSQuerySessionInformation with the WTSInfoClass set to the constant "WTSClientProtocolType". NE equates to a value of 0 (the console session), 1 (retained for legacy purposes), or 2 (the RDP protocol). TS equates to a value of 2. CONSOLE equates to a value of 0. For more information, see [MSDN-WTSQRYSESSINFO].

<22> Section 2.2.1.22: The enumerated values APPLICATION, PROGRAM, CLIENT, SESSION, DIRECTORY, or IP refers to query type being passed to the Windows API WTSQuerySessionInformation with the WTSInfoClass set to the constants WTSApplicationName, WTSInitialProgram, WTSClientProductId, WTSSessionInfo, WTSClientDirectory and WTSClientAddress respectively.

<23> Section 3.2.5.1.1: Windows ignores errors updating the local database and continues to the Group Policy: Preferences Extension sequence even when such failures occur. There is no surfacing of such ignored errors to other protocols, so the Group Policy: Core Protocol as a whole is unaffected by errors in updating the local database.

<24> Section 3.2.5.1.2: Windows ignores errors updating the local database and continues to the Group Policy: Preferences Extension sequence even when such failures occur. There is no surfacing of such ignored errors to other protocols, so the Group Policy: Core Protocol as a whole is unaffected by errors in updating the local database.