Configuring client bootstrapping policies in Lync Server 2013

 

Topic Last Modified: 2013-02-21

The Group Policy Management Console (GPMC) and the Group Policy Object Editor are tools that you use to manage Group Policy. Included with the Office Group Policy Administrative Template are Lync 2013.admx (ADMX) and .adml (ADML) Administrative Templates, which contain the registry-based policy settings that you configure for Group Policy objects in the domain. ADML files are language-specific complements to ADMX files. Each ADMX and ADML file contains the policy settings for a single Office application. For more information, see “Office 2013 Administrative Template files (ADMX, ADML)” in the Office 2013 documentation at https://go.microsoft.com/fwlink/p/?linkid=267516.

For Lync 2013, there are several client bootstrapping policies that you should consider configuring before users sign in to the server for the first time. For example, you can specify the default servers and security mode that the client should use until sign-in is complete. You can use Group Policy to establish these settings in users’ computer registries before they sign in and begin receiving in-band provisioning settings from the server. The following table lists the Group Policy settings that are available for Lync 2013.

Group Policy Settings for Lync 2013

Group Policy setting Description

Specify Server
(ConfigurationMode)

Specifies how Lync 2013 identifies the transport and server to use during sign-in. Within this setting, you specify the following:

  • ServerAddressExternal: Specifies the server name or IP address used by clients and federated contacts when connecting from outside the external firewall.

  • ServerAddressInternal: Specifies the server name or IP address used when clients connect from inside the organization’s firewall.

  • Transport: Specifies either Transmission Control Protocol (TCP) or Transport Layer Security (TLS).

Additional server versions supported
(ConfiguredServerCheckValues)

Specifies a list of server version names, separated by semicolons, that Lync 2013 will log on to, in addition to the server versions that are supported by default.

Disable automatic upload of sign-in failure logs
(DisableAutomaticSendTracing)

Controls whether sign-in failure logs are automatically uploaded to Lync Server for analysis. No logs are automatically uploaded if sign-in is successful. If this policy is not configured, the following happens:

For Lync Online users: Sign-in failure logs are automatically uploaded.

For Lync on-premises users: A confirmation dialog box is shown to the user before upload.

When this setting is disabled, sign-in logs are automatically uploaded to the Lync Server for both Lync on-premises and Lync Online users. When this setting is enabled, sign-in logs are never uploaded automatically.

Disable HTTP fallback for SIP connection
(DisableHttpConnect)

Prevents Lync from trying to connect to the server by using HTTP if TLS or TCP is unavailable. By default, Lync first attempts to connect to the server by using TLS or TCP and, if neither of these transport methods is successful, Lync tries to connect by using HTTP. Use this policy to disable the fallback HTTP connection attempt.

Require logon credentials
(DisableNTCredentials)

Requires the user to provide logon credentials for Lync rather than automatically using Windows credentials during sign-in to a SIP server.

Disable server version check
(DisableServerCheck)

Setting this policy to 1 prevents Lync from checking the server name and version before signing in. By default, Lync makes these checks before signing in.

Enable using BITS to download Address Book Service files
(EnableBitsForGalDownload)

Enables Lync to use Background Intelligent Transfer Service (BITS) to download the Address Book Services files.

Configure SIP security mode
(EnableSIPHighSecurityMode)

Enables Lync to send and receive instant messages more securely. This policy has no effect on Windows .NET or Microsoft Exchange Server services.

If you do not configure this policy setting, Lync can use any transport. But if it does not use TLS and if the server authenticates users, Lync must use either NTLM or Kerberos authentication.

Global Address Book Download Initial Delay
(GalDownloadInitialDelay)

Specifies the time period before a download of the global address list (GAL) occurs. The default value is 60 minutes, which means the server delays the download of the GAL file for a random period of between 0 and 60 minutes.

Prevent users from running Microsoft Lync
(PreventRun)

Prevents users from running Lync. You can configure this policy setting under both Computer Configuration and User Configuration, but the policy setting under Computer Configuration takes precedence.

Allow storage of user passwords
(SavePassword)

Enables Lync to store passwords.

Configure SIP compression mode
(SipCompression)

Specifies when to turn on SIP compression. By default, SIP compression is enabled based on the adapter speed. Note that setting this policy might cause an increase in sign-in time.

Trusted Domain List
(TrustModelData)

Lists the trusted domains that do not match the prefix of the customer SIP domain.

Policies configured on the server take precedence over Group Policy settings and client options configured by the user. The following table summarizes the order in which settings take precedence when a conflict occurs.

Group Policy Precedence

Precedence  Location or Method of Setting

1           Lync Server 2013 in-band provisioning
2           HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Office\15.0\Lync
3           HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Office\15.0\Lync
4           The Lync - Options dialog box in Lync 2013
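
As an added example (not part of the original Microsoft topic), the following PowerShell script reads the two policy registry keys from the precedence table and reports which hive supplies each bootstrapping value, with HKEY_LOCAL_MACHINE winning over HKEY_CURRENT_USER. Value names come from the settings table; the data values marked for review are assumptions except DisableServerCheck = 1, and in-band provisioning from the server can still override whatever the script reports.

```powershell
# Added example: audit Lync 2013 bootstrapping policy values on the local computer.
# Key paths and value names are taken from the tables above.
$subKey = 'SOFTWARE\Policies\Microsoft\Office\15.0\Lync'
$hives  = [ordered]@{                 # order matters: precedence 2 before precedence 3
    HKLM = "HKLM:\$subKey"
    HKCU = "HKCU:\$subKey"
}

# Settings worth a second look, and the data value that triggers the flag.
$review = @{
    DisableServerCheck        = 1     # stated above: 1 skips the server name/version check
    SavePassword              = 1     # assumption: 1 allows Lync to store passwords
    EnableSIPHighSecurityMode = 0     # assumption: 0 turns high security mode off
}

# Reported as raw data only; the page does not give their encodings.
$names = @('ConfigurationMode', 'ServerAddressInternal', 'ServerAddressExternal',
           'Transport', 'DisableHttpConnect', 'DisableNTCredentials',
           'TrustModelData') + @($review.Keys)

function Get-LyncPolicyValue {
    param([string]$Name)
    foreach ($hive in $hives.Keys) {
        # A missing key or value returns nothing, so the loop falls through to the next hive.
        $item = Get-ItemProperty -Path $hives[$hive] -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Setting = $Name; Source = $hive; Value = $item.$Name }
        }
    }
    # Not set by Group Policy: in-band provisioning or the Options dialog decides.
    [pscustomobject]@{ Setting = $Name; Source = 'not configured'; Value = $null }
}

$report = foreach ($name in $names) {
    $result = Get-LyncPolicyValue -Name $name
    $flag   = $review.ContainsKey($name) -and
              $null -ne $result.Value -and
              $result.Value -eq $review[$name]
    $result | Add-Member -NotePropertyName Review -NotePropertyValue $flag -PassThru
}

$report | Sort-Object Setting | Format-Table -AutoSize
```

Run it in the signed-in user's session so that the HKEY_CURRENT_USER path resolves to that user's hive.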

To define Group Policy settings by using the Lync 2013 administrative template files

  1. Create a root-level folder to contain all language-neutral ADMX files. For example, create the root folder for the central store on your domain controller at this location:

    %systemroot%\sysvol\domain\policies\PolicyDefinitions

    Note

    This procedure assumes that you want to manage multiple computers in your domain. In this case, you store the templates in a central store in the Sysvol folder on the primary domain controller. This provides a replicated central storage location for domain Administrative Templates.

  2. Create a subfolder for each language that you’ll use. These subfolders will contain the language-specific ADML resource files. For example, create a subfolder for United States English (EN-US) at this location:

    %systemroot%\sysvol\domain\policies\PolicyDefinitions\EN-US