Below are descriptions of Silverlight configuration options which can be
implemented via administrative templates and enforced in group policy. Learn
about the configurable options:
Or go straight to the section to implement the Silverlight ADMX/L files in your
environment.
Here are some additional resources on Group policy and Administrative
templates if you are not already familiar:
By default on a new install of Silverlight version 2 or later using any
method, Silverlight will play content which is protected by digital rights
management (DRM). You may want to disable the playback of DRM-enabled
content in Silverlight. When the Disable DRM Content setting is applied,
it sets the user's account to not play DRM-protected content.
This setting is available in the custom ADM or ADMX file you create using
the text provided at the bottom of this page. The registry setting that the
administrative template files contain is:
Key path: HKEY_CURRENT_USER\Software\Microsoft\Silverlight
Value Name: DRMEnabled
Value Type: REG_DWORD
Valid Values:
Disable DRM Content — 0x00000000
Enable DRM Content — 0x00000001
You can locate this setting in the following policy path for your GPOs:
| Category | Description |
| --- | --- |
| User Configuration\Administrative Templates\Silverlight | Contains settings to enable or disable playback of DRM protected content in Silverlight. |
Silverlight's automatic update mechanism is independent of both the Windows
Update and Microsoft Update mechanisms. When this built-in self-update
mechanism is enabled, every week Silverlight connects externally to a Microsoft
Web site and compares itself against the most current Silverlight version that
is available for download. If the version on the Web is newer than the version
on users' computers then Silverlight will automatically update itself. The
Silverlight automatic update mechanism will only function when Silverlight
content is viewed by a user logged in with administrative rights. Thus it will
never check for updates if users do not have administrative rights, and it will
check for updates less often than every week if Silverlight is not used regularly.
Important
Silverlight's Automatic Update registry setting can be implemented per-user and
per-machine. Even though entries get automatically written to the user key
(HKCU) upon install, the ADMX templates only support writing to the machine key
(HKLM) because these settings cannot be overridden by using the Silverlight user
interface or by modifying the per-user update mode registry key.
Silverlight can be configured to use one of three automatic update modes:
- Auto Updates — Automatically
detects, downloads, and installs updates. This is the default setting
after an install. The client will attempt to request files from Microsoft
at most one time per week to detect if there is a newer version of the
Silverlight client. If there is a newer version, it will automatically
download and install the update without any user intervention required.
- Prompted Updates — Detects when
an update is available and prompts if you would like to download and
install the update. This uses the same detection location and schedule as
the Auto Updates option.
- No Updates — Does not
check for or automatically download updates using Silverlight's built-in
update mechanism, which is separate from Microsoft Update. This option
should be used in most corporate environments where users have
administrative rights and you wish to control the distribution of
Silverlight updates to these users.
The No Updates setting is available in the custom ADM or ADMX file you
create using the text provided at the bottom of this page. The registry setting
that the administrative template files contain is:
Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: UpdateMode
Value Type: DWORD
Valid Values:
Auto Update — 0x00000000
Prompted Updates — 0x00000001
No Updates — 0x00000002
Note
If Auto Updates (00) or Prompted Updates (01) is chosen, this setting will have
the capability of being overridden by the user. No Updates (02) is effectively
the only setting which makes sense to implement due to the lack of
enforceability with the other two settings. The other two settings are listed
for your reference.
You can locate this setting in the following policy path for your GPOs:
| Category | Description |
| --- | --- |
| Computer Configuration\Administrative Templates\Silverlight | Contains settings to enable or disable standard Silverlight configurations for machines. See the Important note above. |
Silverlight allows users to install out of browser applications via the
Install dialog. Silverlight supports two kinds of out of browser applications,
sandboxed applications which run with the same security restrictions as in
browser, and trusted applications which run with additional permissions. Trusted
applications are only available in Silverlight 4 and later. A trusted
application can read and write user data, run other programs, and run without
cross domain networking restrictions. Much like a .exe, a trusted app
should only be installed if it comes from a website you trust.
Silverlight provides settings to disable support for trusted applications,
which is particularly useful for locked down environments. To provide
additional control, Silverlight provides two different settings, one to control
the installation of trusted applications, and the second to control the running
of trusted apps that were previously installed. Neither setting affects
sandboxed out of browser applications.
Both of these settings are available in the custom ADM or ADMX file you
create using the text provided at the bottom of this page. The registry setting
for trusted application installation that the administrative template files
contain is:
Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowInstallOfElevatedTrustApps
Value Type: DWORD
Valid Values:
Disabled — 0x00000000
Enabled — 0x00000001
The registry setting for running trusted applications that the
administrative template files contain is:
Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowLaunchOfElevatedTrustApps
Value Type: DWORD
Valid Values:
Disabled — 0x00000000
Enabled — 0x00000001
You can locate this setting in the following policy path for your GPOs:
| Category | Description |
| --- | --- |
| Computer Configuration\Administrative Templates\Silverlight | Contains settings to enable or disable installation of Silverlight trusted applications. |
Silverlight allows webpages and applications to access the microphone and
webcam. For webpages and sandboxed out of browser applications, Silverlight
will display a dialog asking the user's permission to use the microphone/webcam
before allowing the application access to the device. For trusted applications,
Silverlight does not display a dialog (however, the application may choose to
display its own message).
Silverlight provides settings to disable the use of webcam and microphone.
When this setting is disabled, no Silverlight application may access the webcam
or microphone, and the dialog asking the user for permission is not shown. This
setting is available in the custom ADM or ADMX file you create using the text
provided at the bottom of this page. The registry setting for disabling webcam
and microphone that the administrative template files contain is:
Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowWebcam
Value Type: DWORD
Valid Values:
Disabled — 0x00000000
Enabled — 0x00000001
You can locate this setting in the following policy path for your GPOs:
| Category | Description |
| --- | --- |
| Computer Configuration\Administrative Templates\Silverlight | Contains settings to enable or disable use of webcam and microphone by Silverlight applications. |
Silverlight allows webpages and applications to do UDP multicast networking.
Before a Silverlight application may join a multicast group and send messages
to/receive messages from that group, another (non-Silverlight) application
that's already a member of the group must allow the Silverlight application to
join.
Silverlight provides settings to disable access to UDP multicast networking.
When this setting is disabled, applications will not be able to use the UDP
multicast networking APIs, appearing as if the network they are on does not
support multicast. This setting does not affect the Silverlight MediaElement,
which can use multicast if the media server and network support it. Unlike the
UDP multicast APIs, the MediaElement doesn't allow the application to see the
multicast data that's being sent and received.
This setting is available in the custom ADM or ADMX file you create using
the text provided at the bottom of this page. The registry setting for
disabling UDP multicast networking that the administrative template files
contain is:
Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowUdpMulticastClientApi
Value Type: DWORD
Valid Values:
Disabled — 0x00000000
Enabled — 0x00000001
You can locate this setting in the following policy path for your GPOs:
| Category | Description |
| --- | --- |
| Computer Configuration\Administrative Templates\Silverlight | Contains settings to enable or disable use of UDP multicast networking by Silverlight applications. |
Silverlight web and out of browser applications are allocated a default
amount of isolated storage space. If an application requires more space, it can
display a dialog asking the user to approve the requested increase.
Silverlight provides a setting for machine admins to increase the isolated
storage to the maximum allowed amount thereby avoiding the prompt.
This setting is available in the custom ADM or ADMX file you create using
the text provided at the bottom of this page. The registry setting for enabling
maximum isolated storage that the administrative template files contain is:
Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowMaximumIsolatedStorage
Value Type: DWORD
Valid Values:
Enabled — 0x00000001
You can locate this setting in the following policy path for your GPOs:
| Category | Description |
| --- | --- |
| Computer Configuration\Administrative Templates\Silverlight | Contains settings to enable maximum isolated storage allocation for Silverlight applications. |
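To confirm on a client that the registry values described in the sections above are actually in place after the GPO applies, the following added example (not part of the original page or of Microsoft's templates) reads each value and reports drift. The "Expected" values are an assumed locked-down baseline chosen for illustration, and the function name is hypothetical; adjust both to your own policy.

```powershell
# Added example: audit Silverlight policy values on the local machine.
# Key path, value names and hives come from the registry settings listed above.
# The Expected column is an ASSUMED locked-down baseline, not a mandated one.
# AllowMaximumIsolatedStorage is a convenience setting and is left out.
$baseline = @(
    @{ Hive = 'HKLM:'; Name = 'UpdateMode';                      Expected = 2 }  # No Updates
    @{ Hive = 'HKLM:'; Name = 'AllowInstallOfElevatedTrustApps'; Expected = 0 }
    @{ Hive = 'HKLM:'; Name = 'AllowLaunchOfElevatedTrustApps';  Expected = 0 }
    @{ Hive = 'HKLM:'; Name = 'AllowWebcam';                     Expected = 0 }
    @{ Hive = 'HKLM:'; Name = 'AllowUdpMulticastClientApi';      Expected = 0 }
    # DRMEnabled is per-user: run the audit in the context of the user being checked.
    @{ Hive = 'HKCU:'; Name = 'DRMEnabled';                      Expected = 0 }
)

# Hypothetical helper: returns the DWORD value, or $null when the key or value is absent.
function Get-SilverlightPolicyValue {
    param(
        [Parameter(Mandatory)] [string] $Hive,
        [Parameter(Mandatory)] [string] $Name
    )
    $path = '{0}\Software\Microsoft\Silverlight' -f $Hive
    $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$report = foreach ($setting in $baseline) {
    $actual = Get-SilverlightPolicyValue -Hive $setting.Hive -Name $setting.Name
    $shown  = if ($null -eq $actual) { '(not set)' } else { $actual }

    # A missing value means Silverlight falls back to its default behaviour,
    # so it is reported as non-compliant rather than silently skipped.
    $compliant = ($null -ne $actual) -and ([int]$actual -eq $setting.Expected)

    [pscustomobject]@{
        Hive      = $setting.Hive
        Setting   = $setting.Name
        Expected  = $setting.Expected
        Actual    = $shown
        Compliant = $compliant
    }
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or management agent flag the machine.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```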
ADMX file
Make sure the following ADMX file is saved as Silverlight.admx under the
directory:
%systemroot%\PolicyDefinitions
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    revision="1.1" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="silverlight" namespace="Microsoft.Policies.Silverlight" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
    <using prefix="products" namespace="Microsoft.Policies.Products" />
  </policyNamespaces>
  <supersededAdm fileName="SL_PARAMS.adm" />
  <supersededAdm fileName="Silverlight.adm" />
  <resources minRequiredRevision="1.1" />
  <supportedOn>
    <definitions>
      <definition name="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER"
                  displayName="$(string.SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER)">
        <or>
          <range ref="products:MicrosoftWindows2000" minVersionIndex="4"/>
          <range ref="products:MicrosoftWindowsXP" minVersionIndex="2"/>
          <range ref="products:MicrosoftWindows" minVersionIndex="3"/>
        </or>
      </definition>
    </definitions>
  </supportedOn>
  <categories>
    <category name="SL_CAT" displayName="$(string.SL_CAT)" explainText="$(string.SL_CAT_HELP)"/>
  </categories>
  <policies>
    <!-- Enabled writes UpdateMode = 2 (No Updates); Disabled writes 0 (Auto Updates). -->
    <policy name="SET_AUPDATE" class="Machine" displayName="$(string.SET_AUPDATE)"
            explainText="$(string.AUPDATE_HELP)" key="Software\Microsoft\Silverlight" valueName="UpdateMode">
      <parentCategory ref="SL_CAT" />
      <supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
      <enabledValue>
        <decimal value="2" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <!-- Per-user setting: Enabled writes DRMEnabled = 0 (DRM playback off). -->
    <policy name="SET_DRM" class="User" displayName="$(string.SET_DRM)"
            explainText="$(string.DRM_HELP)" key="Software\Microsoft\Silverlight" valueName="DRMEnabled">
      <parentCategory ref="SL_CAT" />
      <supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
      <enabledValue>
        <decimal value="0" />
      </enabledValue>
      <disabledValue>
        <decimal value="1" />
      </disabledValue>
    </policy>
    <!-- Machine class: AllowWebcam is documented above under HKEY_LOCAL_MACHINE / Computer Configuration. -->
    <policy name="SET_ALLOW_WEBCAM" class="Machine" displayName="$(string.SET_ALLOW_WEBCAM)"
            explainText="$(string.ALLOW_WEBCAM_HELP)" key="Software\Microsoft\Silverlight" valueName="AllowWebcam">
      <parentCategory ref="SL_CAT" />
      <supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="SET_ALLOW_INSTALL_TRUSTED_APPS" class="Machine" displayName="$(string.SET_ALLOW_INSTALL_TRUSTED_APPS)"
            explainText="$(string.ALLOW_INSTALL_TRUSTED_APPS_HELP)" key="Software\Microsoft\Silverlight" valueName="AllowInstallOfElevatedTrustApps">
      <parentCategory ref="SL_CAT" />
      <supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="SET_ALLOW_LAUNCH_TRUSTED_APPS" class="Machine" displayName="$(string.SET_ALLOW_LAUNCH_TRUSTED_APPS)"
            explainText="$(string.ALLOW_LAUNCH_TRUSTED_APPS_HELP)" key="Software\Microsoft\Silverlight" valueName="AllowLaunchOfElevatedTrustApps">
      <parentCategory ref="SL_CAT" />
      <supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="SET_ALLOW_UDP_MULTICAST_API" class="Machine" displayName="$(string.SET_ALLOW_UDP_MULTICAST_API)"
            explainText="$(string.ALLOW_UDP_MULTICAST_API_HELP)" key="Software\Microsoft\Silverlight" valueName="AllowUdpMulticastClientApi">
      <parentCategory ref="SL_CAT" />
      <supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="SET_ALLOW_MAXIMUM_ISOLATED_STORAGE" class="Machine" displayName="$(string.SET_ALLOW_MAXIMUM_ISOLATED_STORAGE)"
            explainText="$(string.ALLOW_MAXIMUM_ISOLATED_STORAGE_HELP)" key="Software\Microsoft\Silverlight" valueName="AllowMaximumIsolatedStorage">
      <parentCategory ref="SL_CAT" />
      <supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
      <enabledValue>
        <decimal value="1" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
  </policies>
</policyDefinitions>
ADML file
Make sure the following ADML file is saved as Silverlight.adml under the
directory:
%systemroot%\PolicyDefinitions\en-US
<policyDefinitionResources
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    revision="1.1" schemaVersion="1.0"
    xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
  <displayName>Silverlight Settings</displayName>
  <description>Configuration settings for Microsoft Silverlight.</description>
  <resources>
    <stringTable>
      <string id="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER">At least Microsoft Windows 2000 Service Pack 4, Microsoft Windows XP Service Pack 2 or Microsoft Windows Server 2003 family</string>
      <string id="SL_CAT">Silverlight</string>
      <string id="SL_CAT_HELP">These are the settings to configure Silverlight.</string>
      <string id="SET_AUPDATE">Disable Silverlight Control's Automatic Update</string>
      <string id="AUPDATE_HELP">When this policy is enabled, it will prevent the Silverlight control from automatically checking for updates. If the policy is set to not configured or disabled, it will not change the default behavior and the control will automatically check for new updates over the internet.
The Silverlight control's automatic update mechanism is independent of both the Windows Update and Microsoft Update mechanisms. This option does not need to be used when Silverlight is deployed using a Microsoft Update method, such as WSUS, because this method automatically disables Silverlight's automatic update control.</string>
      <string id="SET_DRM">Disable DRM content playback</string>
      <string id="DRM_HELP">By default on a new install of Silverlight version 2 or later using any method, Silverlight will play content which is protected by digital rights management (DRM). When this policy is enabled, it will enforce Silverlight to never play DRM protected content. When this policy is disabled or not configured, Silverlight will play DRM content.</string>
      <string id="SET_ALLOW_WEBCAM">Allow access to webcam and microphone</string>
      <string id="ALLOW_WEBCAM_HELP">By default, a website may access the webcam and microphone after showing a dialog asking if the user wishes to allow the site access to the webcam/microphone. When this policy is disabled, websites may never use the webcam/microphone via Silverlight and no dialog will be shown.</string>
      <string id="SET_ALLOW_INSTALL_TRUSTED_APPS">Allow user to install trusted apps written in Silverlight</string>
      <string id="ALLOW_INSTALL_TRUSTED_APPS_HELP">By default, users are allowed to install Silverlight trusted apps. If this policy is disabled, users may not install trusted applications, and the trusted application install dialog is not shown. Sandboxed out of browser applications may still be installed.
A Silverlight trusted app runs with elevated permissions and can access user data much like a .exe can, and should be installed only from web sites which are trusted.</string>
      <string id="SET_ALLOW_LAUNCH_TRUSTED_APPS">Allow user to run trusted apps written in Silverlight</string>
      <string id="ALLOW_LAUNCH_TRUSTED_APPS_HELP">By default, users are allowed to run Silverlight trusted apps that have been previously installed. If this policy is disabled, users may not run Silverlight trusted applications, even if they were previously installed. Sandboxed out of browser applications are not affected. Most people that disable this policy will also want to disable installation of Silverlight trusted apps.
A Silverlight trusted app runs with elevated permissions and can access user data much like a .exe can, and should be installed only from web sites which are trusted.</string>
      <string id="SET_ALLOW_UDP_MULTICAST_API">Allow Silverlight applications to use UDP multicast</string>
      <string id="ALLOW_UDP_MULTICAST_API_HELP">By default, a Silverlight application may use UDP multicast networking APIs. If this policy is disabled, the application can't directly use multicast.
This setting does not affect the Silverlight MediaElement, which can use multicast if the media server and network support it. Unlike the UDP multicast API, the MediaElement doesn't allow the application to see the multicast data that's being sent and received.</string>
      <string id="SET_ALLOW_MAXIMUM_ISOLATED_STORAGE">Allow Silverlight applications to be allocated the maximum amount of isolated storage</string>
      <string id="ALLOW_MAXIMUM_ISOLATED_STORAGE_HELP">By default, a Silverlight application is allocated a predetermined amount of isolated storage based on if it is an in browser or out of browser application. If this policy is enabled the application will be allocated the maximum amount.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>