Below are descriptions of Silverlight configuration options that can be implemented
via administrative templates and enforced through Group Policy. The configurable
options are Digital Rights Management and the Silverlight Automatic Update Mechanism.
Or go straight to the Silverlight ADMX/L Files section to implement the templates
in your environment.
Digital Rights Management
By default, a new install of Silverlight version 2 or later, using any method,
plays content that is protected by digital rights management (DRM).
You may want to disable the playback of DRM-enabled content for Silverlight.
When the Disable DRM Content setting is implemented, it sets the user's account
to not play DRM-protected content.
These settings are available in the custom ADM or ADMX file you create using the
text provided at the bottom of this page. The registry setting that the administrative
template files contain is:
Key path: HKEY_CURRENT_USER\Software\Microsoft\Silverlight
Value Name: DRMEnabled
Value Type: REG_DWORD
Valid Values:
Disable DRM Content — 0x00000000
Enable DRM Content — 0x00000001
You can locate this setting in the following policy path for your GPOs:
| Category | Description |
|---|---|
| User Configuration\Administrative Templates\Silverlight | Contains settings to enable or disable playback of DRM protected content in Silverlight. |
Silverlight Automatic Update Mechanism
Silverlight's automatic update mechanism is independent of both the Windows Update
and Microsoft Update mechanisms. When this built-in self-update mechanism is enabled,
Silverlight connects externally to a Microsoft website every week and compares itself
against the most current Silverlight version that is available for download. If
the version on the web is newer than the version on the user's computer, Silverlight
automatically updates itself. The automatic update mechanism only functions when
Silverlight content is viewed by a user logged in with administrative rights. It
therefore never checks for updates if users do not have administrative rights, and
it checks less often than weekly if Silverlight is not used regularly.
Important: Silverlight's Automatic Update registry setting can be implemented per-user
and per-machine. Even though entries are automatically written to the user key (HKCU)
upon install, the ADMX templates only support writing to the machine key (HKLM),
because settings in the machine key cannot be overridden by using the Silverlight
user interface or by modifying the per-user update mode registry key.
Silverlight can be configured to use one of three automatic update modes:
- Auto Updates — Automatically detects, downloads, and installs updates. This is the default setting after an install. The client will attempt to request files from Microsoft at most one time per week to detect if there is a newer version of the Silverlight client. If there is a newer version, it will automatically download and install the update without any user intervention required.
- Prompted Updates — Detects when an update is available and prompts if you would like to download and install the update. This uses the same detection location and schedule as the Auto Updates option.
- No Updates — Does not check for or automatically download updates using Silverlight's built-in update mechanism, which is separate from Microsoft Update. This option should be used in most corporate environments where users have administrative rights and you wish to control the distribution of Silverlight updates to these users.
The no updates setting is available in the custom ADM or ADMX file you create using
the text provided at the bottom of this page. The registry setting that the administrative
template files contain is:
Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: UpdateMode
Value Type: DWORD
Valid Values:
Auto Update — 0x00000000
Prompted Updates — 0x00000001
No Updates — 0x00000002
Note: If Auto Updates (00) or Prompted Updates (01) is chosen, the user can
override the setting. No Updates (02) is effectively the only setting that makes
sense to implement, because the other two settings cannot be enforced. The other
two settings are listed for your reference.
You can locate this setting in the following policy path for your GPOs:
| Category | Description |
|---|---|
| Computer Configuration\Administrative Templates\Silverlight | Contains settings to enable or disable standard Silverlight configurations for machines. See Important note above. |
Silverlight ADMX/L Files
ADMX file
Make sure the following ADMX file is saved as Silverlight.admx under the directory:
%systemroot%\PolicyDefinitions
<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    revision="1.1" schemaVersion="1.0"
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policyNamespaces>
    <target prefix="silverlight" namespace="Microsoft.Policies.Silverlight" />
    <using prefix="windows" namespace="Microsoft.Policies.Windows" />
    <using prefix="products" namespace="Microsoft.Policies.Products" />
  </policyNamespaces>
  <supersededAdm fileName="SL_PARAMS.adm" />
  <supersededAdm fileName="Silverlight.adm" />
  <resources minRequiredRevision="1.1" />
  <supportedOn>
    <definitions>
      <definition name="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER"
          displayName="$(string.SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER)">
        <or>
          <range ref="products:MicrosoftWindows2000" minVersionIndex="4"/>
          <range ref="products:MicrosoftWindowsXP" minVersionIndex="2"/>
          <range ref="products:MicrosoftWindows" minVersionIndex="3"/>
        </or>
      </definition>
    </definitions>
  </supportedOn>
  <categories>
    <category name="SL_CAT" displayName="$(string.SL_CAT)" explainText="$(string.SL_CAT_HELP)"/>
  </categories>
  <policies>
    <policy name="SET_AUPDATE" class="Machine" displayName="$(string.SET_AUPDATE)"
        explainText="$(string.AUPDATE_HELP)" key="Software\Microsoft\Silverlight" valueName="UpdateMode">
      <parentCategory ref="SL_CAT" />
      <supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
      <enabledValue>
        <decimal value="2" />
      </enabledValue>
      <disabledValue>
        <decimal value="0" />
      </disabledValue>
    </policy>
    <policy name="SET_DRM" class="User" displayName="$(string.SET_DRM)"
        explainText="$(string.DRM_HELP)" key="Software\Microsoft\Silverlight" valueName="DRMEnabled">
      <parentCategory ref="SL_CAT" />
      <supportedOn ref="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER" />
      <enabledValue>
        <decimal value="0" />
      </enabledValue>
      <disabledValue>
        <decimal value="1" />
      </disabledValue>
    </policy>
  </policies>
</policyDefinitions>
ADML file
Make sure the following ADML file is saved as Silverlight.adml under the directory:
%systemroot%\PolicyDefinitions\en-US
<policyDefinitionResources
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    revision="1.1" schemaVersion="1.0"
    xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
  <displayName>Silverlight Settings</displayName>
  <description>Configuration settings for Microsoft Silverlight.</description>
  <resources>
    <stringTable>
      <string id="SUPPORTED_WindowsXP_SP2_W2K_SP4_NETSERVER">At least Microsoft Windows 2000 Service Pack 4, Microsoft Windows XP Service Pack 2 or Microsoft Windows Server 2003 family</string>
      <string id="SL_CAT">Silverlight</string>
      <string id="SL_CAT_HELP">These are the settings to configure Silverlight.</string>
      <string id="SET_AUPDATE">Disable Silverlight Control's Automatic Update</string>
      <string id="AUPDATE_HELP">When this policy is enabled, it will prevent the Silverlight control from automatically checking for updates. If the policy is set to not configured or disabled, it will not change the default behavior and the control will automatically check for new updates over the internet.
The Silverlight control's automatic update mechanism is independent of both the Windows Update and Microsoft Update mechanisms. This option does not need to be used when Silverlight is deployed using a Microsoft Update method, such as WSUS, because this method automatically disables Silverlight's automatic update control.</string>
      <string id="SET_DRM">Disable DRM content playback</string>
      <string id="DRM_HELP">By default on a new install of Silverlight version 2 or later using any method, Silverlight will play content which is protected by digital rights management (DRM). When this policy is enabled, it will enforce Silverlight to never play DRM protected content. When this policy is disabled or not configured, Silverlight will play DRM content.</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
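
To verify on a client that the two settings above actually landed in the registry, the following added example (not part of the original page) reads each policy from Silverlight.admx and compares the value it writes when Enabled with what is currently in the registry. The function name Get-SilverlightPolicyState is hypothetical; the ADMX path, key, and value names are the ones given on this page.

```powershell
# Added example: compare this machine's registry with the values that
# Silverlight.admx writes when each policy is set to Enabled.
# Get-SilverlightPolicyState is a hypothetical helper name.
function Get-SilverlightPolicyState {
    param(
        # Location this page gives for the ADMX file
        [string]$AdmxPath = "$env:SystemRoot\PolicyDefinitions\Silverlight.admx"
    )

    [xml]$admx = Get-Content -LiteralPath $AdmxPath -Raw -ErrorAction Stop

    foreach ($policy in $admx.policyDefinitions.policies.policy) {
        # class="Machine" policies write under HKLM, class="User" under HKCU
        $hive = if ($policy.GetAttribute('class') -eq 'Machine') { 'HKLM' } else { 'HKCU' }
        $regPath   = '{0}:\{1}' -f $hive, $policy.GetAttribute('key')
        $valueName = $policy.GetAttribute('valueName')

        # Value written when the policy is Enabled
        # (2 = No Updates for UpdateMode, 0 = DRM disabled for DRMEnabled)
        $enforced = [int]$policy.enabledValue.decimal.GetAttribute('value')

        # A missing key or value leaves $actual as $null
        $actual = $null
        $item = Get-ItemProperty -LiteralPath $regPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $actual = [int]$item.$valueName }

        $state = if ($null -eq $actual) {
            'NotSet'
        } elseif ($actual -eq $enforced) {
            'Enforced'
        } else {
            'NotEnforced'
        }

        [pscustomobject]@{
            Policy        = $policy.GetAttribute('name')
            Registry      = "$regPath\$valueName"
            EnforcedValue = $enforced
            ActualValue   = $actual
            State         = $state
        }
    }
}

Get-SilverlightPolicyState | Format-Table -AutoSize
```

Run it in the session of the user being checked, since SET_DRM is read from that user's HKCU hive. Both values live under Software\Microsoft\Silverlight rather than a Policies key, so they stay in the registry after the GPO stops applying, and an Enforced result describes the current registry state, not whether a policy is still linked.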