Group Policy Settings

Below are descriptions of Silverlight configuration options which can be implemented via administrative templates and enforced in group policy. Learn about the configurable options:

Or go straight to the section to implement the Silverlight ADMX/L files in your environment.

Here are some additional resources on Group policy and Administrative templates if you are not already familiar:

Digital Rights Management

By default on a new install of Silverlight version 2 or later using any method, Silverlight will play content which is protected by digital rights management (DRM). It may be desired to disable the playback of DRM-enabled content for Silverlight. When the Disable DRM Content setting is implemented, it will set the user's account to not play DRM protected content.

This setting is available in the custom ADM or ADMX file you create using the text provided at the bottom of this page. The registry setting that the administrative template files contain is:

Key path: HKEY_CURRENT_USER\Software\Microsoft\Silverlight
Value Name: DRMEnabled
Value Type: REG_DWORD
Valid Values:
    Disable DRM Content — 0x00000000
    Enable DRM Content — 0x00000001

You can locate this setting in the following policy path for your GPOs:

Category

Description

User Configuration\Administrative Templates\Silverlight

Contains settings to enable or disable playback of DRM protected content in Silverlight.

Silverlight Automatic Update Mechanism

Silverlight's automatic update mechanism is independent of both the Windows Update and Microsoft Update mechanisms. When this built-in self-update mechanism is enabled, every week Silverlight connects externally to a Microsoft Web site and compares itself against the most current Silverlight version that is available for download. If the version on the Web is newer than the version on users' computers then Silverlight will automatically update itself. The Silverlight automatic update mechanism will only function when Silverlight content is viewed by a user logged in with administrative rights. Thus it will never check for updates if users do not have administrative rights and it will check for updates less than every week if Silverlight is not used regularly.

Important Silverlight's Automatic Update registry setting can be implemented per-user and per-machine. Even though entries get automatically written to the user key (HKCU) upon install, the ADMX templates only support writing to the machine key (HKLM) because these settings cannot be overridden by using the Silverlight user interface or by modifying the per-user update mode registry key.

Silverlight can be configured to use one of three automatic update modes:

  1. Auto Updates — Automatically detects, downloads, and installs updates. This is the default setting after an install. The client will attempt to request files from Microsoft at most one time per week to detect if there is a newer version of the Silverlight client. If there is a newer version, it will automatically download and install the update without any user intervention required.
  2. Prompted Updates — Detects when an update is available and prompts if you would like to download and install the update. This uses the same detection location and schedule as the Auto Updates option.
  3. No Updates — Does not check for or automatically download updates using Silverlight's built-in update mechanism, which is separate from Microsoft Update. This option should be used in most corporate environments where users have administrative rights and you wish to control the distribution of Silverlight updates to these users

The No Updates setting is available in the custom ADM or ADMX file you create using the text provided at the bottom of this page. The registry setting that the administrative template files contain is:

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: UpdateMode
Value Type: DWORD
Valid Values:
    Auto Update — 0x00000000
    Prompted Updates — 0x00000001
    No Updates — 0x00000002

Note If Auto Updates (00) or Prompted Updates (01) is chosen, this setting will have the capability of being overridden by the user. No Updates (02) is effectively the only setting which makes sense to implement due to the lack of enforceability with the other two settings. The other two settings are listed for your reference.

You can locate this setting in the following policy path for your GPOs:

Category

Description

Computer Configuration\Administrative Templates\Silverlight

Contains settings to enable or disable standard Silverlight configurations for machines. See Important note above

Silverlight Trusted Applications

Silverlight allows users to install out of browser applications via the Install dialog. Silverlight supports two kinds of out of browser applications, sandboxed applications which run with the same security restrictions as in browser, and trusted applications which run with additional permissions. Trusted applications are only available in Silverlight 4 and later. A trusted application can read and write user data, run other programs, and run without cross domain networking restrictions. Much like running a .exe, trusted apps should only be installed if it's from a website you trust.

Silverlight provides settings to disable support for trusted applications, which is particularly useful for locked down environments. To provide additional control, Silverlight provides two different settings, one to control the installation of trusted applications, and the second to control the running of trusted apps that were previously installed. Neither setting affects sandboxed out of browser applications.

Both of these settings are available in the custom ADM or ADMX file you create using the text provided at the bottom of this page. The registry setting for trusted application installation that the administrative template files contain is:

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowInstallOfElevatedTrustApps
Value Type: DWORD
Valid Values:
    Disabled — 0x00000000
    Enabled — 0x00000001

The registry setting for running trusted applications that the administrative template files contain is:

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowLaunchOfElevatedTrustApps
Value Type: DWORD
Valid Values:
    Disabled — 0x00000000
    Enabled — 0x00000001

You can locate this setting in the following policy path for your GPOs:

Category

Description

Computer Configuration\Administrative Templates\Silverlight

Contains settings to enable or disable installation of Silverlight trusted applications.

Webcam and Microphone

Silverlight allows webpages and applications to access the microphone and webcam. For webpages and sandboxed out of browser applications, Silverlight will display a dialog asking the user's permission to use the microphone/WebCam before allowing the application access to the device. For trusted applications, Silverlight does not display a dialog (however, the application may choose to display its own message).

Silverlight provides settings to disable the use of webcam and microphone. When this setting is disabled, no Silverlight application may access the webcam or microphone, and the dialog asking the user for permission is not shown. This setting is available in the custom ADM or ADMX file you create using the text provided at the bottom of this page. The registry setting for disabling webcam and microphone that the administrative template files contain is:

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowWebcam
Value Type: DWORD
Valid Values:
    Disabled — 0x00000000
    Enabled — 0x00000001

You can locate this setting in the following policy path for your GPOs:

Category

Description

Computer Configuration\Administrative Templates\Silverlight

Contains settings to enable or disable use of webcam and microphone by Silverlight applications.

UDP Multicast Networking

Silverlight allows webpages and applications to do UDP multicast networking. Before a Silverlight application may join a multicast group and send messages to/receive messages from that group, another (non-Silverlight) application that's already a member of the group must allow the Silverlight application to join.

Silverlight provides settings to disable access to UDP multicast networking. When this setting is disabled, applications will not be able to use the UDP multicast networking APIs, appearing as if the network they are on does not support multicast. This setting does not affect the Silverlight MediaElement, which can use multicast if the media server and network support it. Unlike the UDP multicast APIs, the MediaElement doesn't allow the application to see the multicast data that's being sent and received.

This setting is available in the custom ADM or ADMX file you create using the text provided at the bottom of this page. The registry setting for disabling UDP multicast networking that the administrative template files contain is:

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowUdpMulticastClientApi
Value Type: DWORD
Valid Values:
    Disabled — 0x00000000
    Enabled — 0x00000001

You can locate this setting in the following policy path for your GPOs:

Category

Description

Computer Configuration\Administrative Templates\Silverlight

Contains settings to enable or disable use of UDP multicast networking by Silverlight applications.

Isolated Storage

Silverlight web and out of browser applications are allocated a default amount of isolated storage space. If an application requires more space it can prompt a dialog to the user to approve the requested increase.

Silverlight provides a setting for machine admins to increase the isolated storage to the maximum allowed amount thereby avoiding the prompt.

This setting is available in the custom ADM or ADMX file you create using the text provided at the bottom of this page. The registry setting for enabling maximum isolated storage that the administrative template files contain is:

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowMaximumIsolatedStorage
Value Type: DWORD
Valid Values:
    Enabled — 0x00000001

You can locate this setting in the following policy path for your GPOs:

Category

Description

Computer Configuration\Administrative Templates\Silverlight

Contains settings to enable maximum isolated storage allocation for Silverlight applications.

Silverlight ADMX/L Files

ADMX file

Make sure the following ADMX file is saved as Silverlight.admx under the directory:
    %systemroot%\PolicyDefinitions

<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions
   
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
   
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   
revision="1.1" schemaVersion="1.0"
   
xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
 
<policyNamespaces>
   
<target prefix="silverlight" namespace="Microsoft.Policies.Silverlight" />
   
<using prefix="windows" namespace="Microsoft.Policies.Windows" />
   
<using prefix="products" namespace="Microsoft.Policies.Products" />
 
</policyNamespaces>
 
<supersededAdm fileName="SL_PARAMS.adm" />
 
<supersededAdm fileName="Silverlight.adm" />
 
<resources minRequiredRevision="1.1" />
   
<supportedOn>
       
<definitions>
          
<definition name="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER"
              
displayName="$(string.SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER)">
             
<or>
                
<range ref="products:MicrosoftWindows2000" minVersionIndex="4"/>
                
<range ref="products:MicrosoftWindowsXP" minVersionIndex="2"/>
                
<range ref="products:MicrosoftWindows" minVersionIndex="3"/>
             
</or>
          
</definition>
       
</definitions>
   
</supportedOn>
 
<categories>
     
<category name="SL_CAT" displayName="$(string.SL_CAT)" explainText="$(string.SL_CAT_HELP)"/>
 
</categories>
 
<policies>
     
<policy name="SET_AUPDATE" class="Machine" displayName="$(string.SET_AUPDATE)"
         
explainText="$(string.AUPDATE_HELP)" key="Software\Microsoft\Silverlight" valueName="UpdateMode">
         
<parentCategory ref="SL_CAT" />
         
<supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
         
<enabledValue>
            
<decimal value="2" />
         
</enabledValue>
         
<disabledValue>
            
<decimal value="0" />
         
</disabledValue>
     
</policy>
     
<policy name="SET_DRM" class="User" displayName="$(string.SET_DRM)"
         
explainText="$(string.DRM_HELP)" key="Software\Microsoft\Silverlight" valueName="DRMEnabled">
     
<parentCategory ref="SL_CAT" />
       
<supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
       
<enabledValue>
         
<decimal value="0" />
       
</enabledValue>
       
<disabledValue>
          
<decimal value="1" />
       
</disabledValue>
     
</policy>
     
<policy name="SET_ALLOW_WEBCAM" class="User" displayName="$(string.SET_ALLOW_WEBCAM)"
         
explainText="$(string.ALLOW_WEBCAM_HELP)" key="Software\Microsoft\Silverlight" valueName="AllowWebcam">
     
<parentCategory ref="SL_CAT" />
       
<supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
        
<enabledValue>
         
<decimal value="1" />
       
</enabledValue>
       
<disabledValue>
          
<decimal value="0" />
       
</disabledValue>
     
</policy>
   
<policy name="SET_ALLOW_INSTALL_TRUSTED_APPS" class="Machine" displayName="$(string.SET_ALLOW_INSTALL_TRUSTED_APPS)"
       
explainText="$(string.ALLOW_INSTALL_TRUSTED_APPS_HELP)" key="Software\Microsoft\Silverlight" valueName="AllowInstallOfElevatedTrustApps">
     
<parentCategory ref="SL_CAT" />
     
<supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
     
<enabledValue>
       
<decimal value="1" />
     
</enabledValue>
     
<disabledValue>
       
<decimal value="0" />
     
</disabledValue>
   
</policy>
   
<policy name="SET_ALLOW_LAUNCH_TRUSTED_APPS" class="Machine" displayName="$(string.SET_ALLOW_LAUNCH_TRUSTED_APPS)"
       
explainText="$(string.ALLOW_LAUNCH_TRUSTED_APPS_HELP)" key="Software\Microsoft\Silverlight" valueName="AllowLaunchOfElevatedTrustApps">
     
<parentCategory ref="SL_CAT" />
      
<supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
     
<enabledValue>
       
<decimal value="1" />
     
</enabledValue>
     
<disabledValue>
       
<decimal value="0" />
     
</disabledValue>
   
</policy>
   
<policy name="SET_ALLOW_UDP_MULTICAST_API" class="Machine" displayName="$(string.SET_ALLOW_UDP_MULTICAST_API)"
       
explainText="$(string.ALLOW_UDP_MULTICAST_API_HELP)" key="Software\Microsoft\Silverlight" valueName="AllowUdpMulticastClientApi">
     
<parentCategory ref="SL_CAT" />
     
<supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
     
<enabledValue>
       
<decimal value="1" />
     
</enabledValue>
     
<disabledValue>
       
<decimal value="0" />
     
</disabledValue>
   
</policy>
   
<policy name="SET_ALLOW_MAXIMUM_ISOLATED_STORAGE" class="Machine" displayName="$(string.SET_ALLOW_MAXIMUM_ISOLATED_STORAGE)"
       
explainText="$(string.ALLOW_MAXIMUM_ISOLATED_STORAGE_HELP)" key="Software\Microsoft\Silverlight" valueName="AllowMaximumIsolatedStorage ">
     
<parentCategory ref="SL_CAT" />
     
<supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
     
<enabledValue>
       
<decimal value="1" />
     
</enabledValue>
     
<disabledValue>
       
<decimal value="0" />
     
</disabledValue>
   
</policy>
 
</policies>
</policyDefinitions>

ADML file

Make sure the following ADML file is saved as Silverlight.adml under the directory:
    %systemroot%\PolicyDefinitions\en-US

<policyDefinitionResources
   
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
   
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   
revision="1.1" schemaVersion="1.0"
   
xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
 
<displayName>Silverlight Settings</displayName>
 
<description>Configuration settings for Microsoft Silverlight.</description>
 
<resources>
   
<stringTable>
       
<string id="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER">At least Microsoft Windows 2000 Service Pack 4, Microsoft Windows XP Service Pack 2 or Microsoft Windows Server 2003 family</string>
       
<string id="SL_CAT">Silverlight</string>
       
<string id="SL_CAT_HELP">These are the settings to configure Silverlight.</string>
       
<string id="SET_AUPDATE">Disable Silverlight Control's Automatic Update</string>
       
<string id="AUPDATE_HELP">When this policy is enabled, it will prevent the Silverlight control from automatically checking for updates.  If the policy is set to not configured or disabled, it will not change the default behavior and the control will automatically check for new updates over the internet. 

The Silverlight control's automatic update mechanism is independent of both the Windows Update and Microsoft Update mechanisms.  This option does not need to be used when Silverlight is deployed using a Microsoft Update method, such as WSUS, because this method automatically disables Silverlight's automatic update control.
</string>
     
<string id="SET_DRM">Disable DRM content playback</string>
     
<string id="DRM_HELP">By default on a new install of Silverlight version 2 or later using any method, Silverlight will play content which is protected by digital rights management (DRM).   When this policy is enabled, it will enforce Silverlight to never play DRM protected content. When this policy is disabled or not configured, Silverlight will play DRM content.</string>
     
<string id="SET_ALLOW_WEBCAM">Allow access to webcam and microphone</string>
     
<string id="ALLOW_WEBCAM_HELP">By default, a website may access the webcam and microphone after showing a dialog asking if the user wishes to allow the site access to the webcam/microphone.  When this policy is disabled, websites may never use the webcam/microphone via Silverlight and no dialog will be shown.</string>
     
<string id="SET_ALLOW_INSTALL_TRUSTED_APPS">Allow user to install trusted apps written in Silverlight</string>
     
<string id="ALLOW_INSTALL_TRUSTED_APPS_HELP">By default, users are allowed to install Silverlight trusted apps. If this policy is disabled, users may not install trusted applications, and the trusted application install dialog is not shown. Sandboxed out of browser applications may still be installed. 
     
A Silverlight trusted app runs with elevated permissions and can access user data much like a .exe can, and should be installed only from web sites which are trusted.
</string>
     
<string id="SET_ALLOW_LAUNCH_TRUSTED_APPS">Allow user to run trusted apps written in Silverlight</string>
     
<string id="ALLOW_LAUNCH_TRUSTED_APPS_HELP">By default, users are allowed to run Silverlight trusted apps that have been previously installed. If this policy is disabled, users may not run Silverlight trusted applications, even if they were previously installed.  Sandboxed out of browser applications are not affected.  Most people that disable this policy will also want to disable installation of Silverlight trusted apps. 

A Silverlight trusted app runs with elevated permissions and can access user data much like a .exe can, and should be installed only from web sites which are trusted.
</string>
     
<string id="SET_ALLOW_UDP_MULTICAST_API">Allow Silverlight applications to use UDP multicast</string>
     
<string id="ALLOW_UDP_MULTICAST_API_HELP">By default, a Silverlight application may use UDP multicast networking APIs.  If this policy is disabled, the application can't directly use multicast. 
     
This setting does not affect the Silverlight MediaElement, which can use multicast if the media server and network support it. Unlike the UDP multicast API, the MediaElement doesn't allow the application to see the multicast data that's being sent and received.
</string>
       
      <string id="SET_ALLOW_MAXIMUM_ISOLATED_STORAGE">Allow Silverlight applications to be allocated the maxmimum amount of isolated storage</string>
      <string id="ALLOW_MAXIMUM_ISOLATED_STORAGE_HELP">By default, a Silverlight application is allocated a predetermined amount of isolated storage based on if it is an in browser or out of browser application. If this policy is enabled the application will be allocated the maximum amount.</string>
 
    </stringTable>
 
</resources>
</policyDefinitionResources>